Beruflich Dokumente
Kultur Dokumente
CISSP Skillset
General Skillset
Access Controls
Business Continuity and Disaster Recovery
Planning
Cryptography
Information Security Governance and Risk
Management
Law, Regulations, Compliance and
Investigations
Physical and Environmental Security
Security Architecture and Design
Security Operations
Software Development Security
Telecommunications and Network Security
understanding of the various types of access control methodologies and when each is
appropriate.
understanding of the importance of continuity planning and how to develop disaster
recovery and continuity plans.
understanding of the role cryptography and cryptosystems play in securing the
enterprise environment.
an understanding of the critical components of information security and risk that are
needed in order to manage security in an enterprise environment.
understanding of the roles played by laws and ethical standards and handling incident
investigations.
understanding of the importance of physical and environmental security in an
enterprise environment.
understanding of how to properly design and implement a secure enterprise
environment.
understanding of the managerial, administrative, operational aspects of information
security.
understanding of the key security principles related to secure application development.
discuss major concepts associated with network defense and telecommunications
security.
Domain I Overview
Domain 1 - Information security governance and
risk management
Concept
security governance
information security strategies
standards | baselines
guidelines
documentation
data classification
security awareness training
Domain I detail
Domain 1
General Skills
Information Security
Governance and Risk
Management
expectation
Skills
Details Skills
Tools
biometrics
DATA CLASSIFICATION
data classification
top secret
secret
confidential
sensitive but unclassified (SBU)
unclassified
public
official use only
internal use only
company proprietary
value
token
smart
card
badge
biometric
s
GPS
age
useful life
personal association
data classification process
distribution of classified
information
court order
government contracts
senior-level approval
data owner
custodian
NDA
executive | manager of an organization
final corporate responsibility of data
protection
running regular backups and routine
perform data restoration from the backup
maintaining those retained records in
accordance with the established
information classification policy
application owner
manager
user
administrator
analyst
auditor
data classification
responsibility
rotation of duties
POLICY
Policy
Define a policy
Content of a Policy
establishment of an organization's
computer security programs and goals
priorities to support the mission of the
organization
person responsible should be changed on a
regular basis
prevent someone from becoming
"comfortable" in a position
helps to detect and minimize fraud
reduce collusion when used with
separation of duties
senior management directives
program policy
issue-specific policy
system-specific policy
purpose
related document
cancellation
background
scope
policy statement
action
responsibility
ownership
levels of policy
checkpoint: procedure
guidance
PROCEDURE
definition and issues
BASELINE
definition and issues
GUIDELINE
definition and issues
DOCUMENTATION
organizational
specified uniform use of specific
technologies or parameters
compulsory
usually refers to specific hardware and software
specific implementation of a standard
suggestions
Policy
Standard
baseline
procedure
guidelines
SECURITY CONTROLs
Objective
Goal
Defining Risk
Threat Model
risk choices
Risk
Threat
Vulnerability
Threat
Vulnerability
compromise
qualitative
quantitative
knowledge-based
best practices
acceptance
mitigation
transference
exposure factor (EF)
single loss expectancy (SLE)
annualized rate of occurrence (ARO)
annualized loss expectancy (ALE)
risk requires uncertainty
risk management questions
Risk management
identify
assess
attacks
data misuse
data loss
application error
asset identification
threat analysis
vulnerability analysis
preliminary risk evaluation
interim report
risk acceptance criteria
risk mitigation measures
ROI analysis
final report
operation and maintenance
SLE
asset value
exposure factor
policy
training
awareness
key threat
ALE
ARO
TCO
Controlling your
environment
SECURITY AWARENESS
Solution
Security training
Outsourcing
Ethical Standards
reminders
implementation
targets an audience
motivates management and employees
maintains programs
evaluates program
training for specific groups or department
monitoring
coding
offshoring
contractual arrangement
internet activities board IAB
computer ethic institute
association for computing machinery
Australian computer society
IEEE
ISACA
ISC^2
software piracy
data security
individual privacy
data integrity
Not to do list
ten commandments
10
completeness
effectiveness
Domain 2 general
Domain 2: Access Controls
Agenda
Expectations
Domain 2 detail
Domain 2
Skills
Access Control
AC System and methodology
organizational control
Skills
Details Skills
who are the individual
what are your resources?
confidentiality
integrity
availability
reducing risk
centralized control
decentralized control
identify risk
controls map to individual business units
Tools
11
controlling access
AC MODEL
Terminology
least privilege
separation of duties
subjects: active
objects: passive
rules: filters
labels: sensitivity
interaction
Mandatory AC
Define
Strength
Weaknesses
Discretionary AC
Define
security label
data classification
entity
access level
controlled by the system
not be overridden
no subject to user error
need to know
static | dynamic
collusion
identify user, process or device, active entity
identify files, directories, pipes, devices
sockets, ports.
each rule a security attribute
Unix: read | write | execute
Windows : Read | write | execute | no access
what are the business rules?
how will be business rules be enforced?
define users
define objects
12
file of object
Strength
Weaknesses
AC MODELS
Models
New implementation
AC MEASURE
Types of controls
convenient
flexibility
ownership concept
simple to understand
software personification
fail to recognize the differences between users and programs
Role-based access control
Non-RBAC
Limited RBAC
Hybrid RBAC
Full RBAC
firewall
packet filtering
stateful
proxy
detective
IDS
pattern matching
anomaly detection
corrective
physical
Control combination
preventive | administrative
preventive | technical
security laptops
security magnetic media
protection of cable
locks
13
Implemented across
preventive | physical
detective | technical
detective | physical
administrative
technical
MONITOR
Step
Methods
Types
Analysis
Auditing
CONTROL CATEGORIES
Control
review
watch
take action
real-time
adhoc
passsive
auditing
keystroke
illegal software
traffic analysis
trend analysis
establish clipping levels
compliance checks
internal and external
frequency of review
standard of due care
Deterrent
compensating
corrective
background checks
policies and procedures
encryption
smart cards
vulnerability checkers
file integrity
network sniffers
log consolidation tools
monitoring and looking for change
hardware
software
monitoring
14
Control combination
recovery
preventive | administrative
Preventive | physical
Detective | technical
Detective | physical
IDS
IDS goals
15
Types
Method of operation
IDENTITY
AA
Network based
host based
pattern matching
anomaly detection
protocol behavior
true positive
true negative
false positive
false negative
authentication
passive
active
signature detection
authorization
Identity
BIOMETRICs
Access control
fingerprint
palm scan
hand geometry
voice print
retina pattern
iris scan
facial recognition
16
Requirements
performance
PASSWORDs
PASSWORDs
keystroke dynamics
signature dynamics
resistance to counterfeiting
data storage requirements
acceptability to users
password cracking
privacy
invasiveness
psychological comfort
physical comfort
practical consideration
user picked
system generated
one time
passphrase
lifetime
dictionary attack
hydrid attack
brute force attack
rainbow Crack
TOKEN
smart cards
one time passwords OTP
smart cards
contact
contactless
counter based
time based
17
Kerberos
SEASAME
vulnerabilities
symmetric and asymmetric
encryption
network vulnerability
scanner
vulnerability assessment VA
penetration testing
security assessment
THREATS
Threat
KDC
session key
ticket granting ticket TGT
vul scanning
tool s
war dialing
sniffing
eavesdropping
radiation monitoring
dumpster diving
social engineering
complete list of risks against critical assets
malicious code
DOS
cramming
virus
worms
logic bombs
trojan horses
trap doors
buffer overflow
Smurf
overflow
condition
exploit on
memory stack
18
overwrite
return pointer
set return
pointer to
exploit code
spamming
flooding
brute force attack
remote maintenance
TOC | TOU
interrupts
code alteration
inference
covert channels
MiTM
remote maintenance
emanations
browsing
dumpster diving
traffic analysis
shoulder surfing
object reuse
masquerading
replay attack
spoofing
backdoor
default passwords
information leaving a system
protected with TEMPEST
similar to virtual shoulder surfing
data mining
defeat with shredding
passive threat
allocation or reallocation of system
resources to another subject
DDoS
impersonation
active threat
SYN Flood
file level
kernel level
19
data remanence
social engineering
threat to AC
Domain 3 General
Domain 3 - Cryptography
Agenda
Expectations
Domain 3 Detail
Domain 3
Skills
Cryptography
TERMS
Cryptography
Skills
cryptography
cryptology
codes
cryptanalysis
cryptographic algorithm
block cipher
cipher
cipher text or cryptogram
clustering
Details Skills
Tools
20
Encryption techniques
plaintext
cryptosystem
exclusive OR
one time Pad
work function
secret writing
spartan scytable
caesar sipher
UNIX ROT 13
polyalphabetic cipher
battista cipher disk
cryptanalysis
jeffersib disk
stafford
enigma
hebern machines
japanese red and purpose machines
american sigaba
vernam cipher
book or running key cipher
COCOM
Wassenaar arrangement
european union controls
united state controls
confidentiality
authentication
data integrity
non-reputation
substitution
Cryptosystems
permutation
hybrid
symmetric
History
Goals
arbitrary
rotation
secret keys
21
asymmetric
hash
Kerberos
advanced encryption
standard
secret-key protocol
distributed service for 3rd party authentication
confidentiality
DES CBC mode
integrity
authentication
non-reputation
Kerberos operations
Mode
ECB
CBC
CFB
OFB
CTR
Weakness
MiTM attack 2DES
2DES
3DES
AES
MARS
RC6
Rijndael
Serpent
22
basic functions
2fish
Addroundkey
SubBytes
ShiftRows
Mixcolumns
asymetric encryption
IDEA
SAFER
Blowfish
twofish
RC5
el gamel encryption and signature
schemes
diffie hellman key agreement scheme
Schnorr signature scheme
NIST's digital signature algorithm DSA
Elliptic curve El Gamal encryption and signature schemes
implementation
checksums
hashing
digest algorithm
Haval
RIPEMD-160
MAC
brute force
MiTM
Known plaintext
ciphertext only
chosen plaintext
23
cryptographic attack
cryptanalysis
PKI
include
Escrowed encryption
key management
define
components
fair cryptosystems
protection
procedures
certification authorities CA
organizational registration authorities ORA
certificate holder
clients
repositories
digital certificates
certificate authority
registration authorities
policies and procedures
certification revocation
non-repudiation support
cross certification
against modification
against unauthorized disclosure
key generation
distribution
storage
entry
use
recovery
destruction
24
issue
PGP
IPSec
Steganography
confidentiality
integrity
authentication
non-repudiation
AH
ESP
SA
data hiding
how steganography works
types
Domain 4 General
Domain 4
Objectives
expectations
Physical Security
personnel safety
authorized access
equipment protection
information protection
availability
understand types of threats and sources
archiving
key notarization
key recovery
key storage
key retirement | destruction
key change
key generation
key theft
frequency of key use
CAST
IDEA
3DES
MD5
private key
digital signature
injection
substitution
generate new file
25
Skills
Physical Security
Types of System
Details Skills
Misc
Static systems
mobile systems
portable systems
Counter examples
authentication
encryption
redundancy
deterrent
detective
preventive
Administrative control
personnel controls
personnel screening prior to
employment
prior employment
references
education
criminal record
general background checks
employee checks
security clearances
performance rating
supervision
password
two factor
disk encryption
local system backup
weapon
CCTV
locks
26
post-employment procedures
exit interviews
termination of computer accounts
change of passwords
return of laptop
safety
impact
evacuation
procedures
roles
personnel safety
authorized access
equipment protection
information protection
availability
evacuation routes
meeting point
posting
practice
safety warden
meeting point leader
employee
Threat
smoke and fire
toxins
water | flood
temperature extremes
structural failure
power failure
human actions
intentional or unintentional
fire and related contaminants
explosions
loss of utilities
toxic materials
earthquakes
27
weather
malicious acts
sabotage
strike
source of physical loss
temperature
gases
liquids
organisms
projectiles
movement
energy anomalies
extreme variations
war gases
commercial vapors
humidity
dry air
suspended particles
water
chemicals
viruses
bacteria
people
animals
insects
tangible objects
collapse
shearing
shaking
vibration
liquefaction
flows
waves
separation
slides
electric surges
failures
magnetism
static electricity
aging circuitry
28
smoke detectors
heat sensors
flame detector
suppressive
evacuation
Fire classes
suppression method
Methods
Types
radiation
sound
light
radio
microwave
electromagnetic
atomic waves
light beam with optical sensor
change in ionization
detect room temp
sense the pulsation of the
flame
sense the IR energy produced
by the flame
sprinklers
fire extinguishers
chemical | H20
ABC | halon
A common combustibles
B liquid
C electrical
D combustible
wood product
zones of coverage
time-release
HVAC off before activation
wet pipe
dry pipe
metals
29
pre-action
deluge
gas discharge
portable extinguisher
other consideration
halon
Floods (water)
detective
detectors
3rd party
corrective
earthquakes
detective
corrective
restricted area
definition
lock
moisture
humidity
news
emergency
warning system
bilge pumps
evacuation
structural assessment
sudden impact
structural reinforcement
evacuation
restricted visitor
non-restricted visitor
motion detector to sense activity
escort from restricted area
perimeter of restricted area
inspected quarterly
employee
guard
space
time
30
type
locker components
Analyzed factor
Mantrap
CCTV
Cameras CCTV level
primary components
ward
wafer or disc
pin tumbler
replacement core
cipherlock
combination lock
smart card
smart code with passcode
biometric
body
strike
cylinders
key
master lock
construction and mechanism
range of possible key and
uniqueness
association with individual
copying
distribution
initial cost and re-keying cost
physical control
entrance path protected by 2 doors
intruder confined between doors
detection
recognition
identification
camera
transmission media
monitor
low
medium
high
31
secondary components
types
camera lens
key design factor
Contraband checks
component
Protection mechanism
Intruder detection
manual
automatic
facility control
32
gates
security guards
badges
lights
outside lighting
consideration
motion detector
technologies
dogs
badges
lights
motion detectors
sensors
alarms
security guard
class I - residential gate
class II - commercial gate
class III - industrial gate
class IV - restricted access
availability
reliability
training
cost
photo image
digitally encoded
prison
airport
dumb card
smart card
floodlights
streetlights
Fresnel lenses
gaseous discharge
continuous lighting
trip lighting
standby lighting
emergency lighting
photometric system
motion detection system
sonic
ultrasonic
microwave
33
facility design
IS IT construction standard
floor slab
raised flooring
walls
enclosed areas
door
light frame
heavy frame
fire rated
loading
fire rating
grounded
nonconductor surface
floor slab to ceiling stab
fire rating
adjacencies/exterior
paper | record | tape storage
floor
wall
ceiling
interior | exterior
directional opening
forcible entry
fire rating equal to walls
34
windows
HVAC
emergency egress
monitored and alarmed
emergency exit
hollow and solid core
panic bars
laminated glass
wired glass
solar window film
security film
glass breakage
bullet proof
explosive resistant
water | steam | gas lines
shut-off values
positive drains
dedicated | controllable
independent power
positive pressure
protected air intakes
environmental monitoring
Protection mechanism
definition
EMI
RFI
shielding
proper grounding
conditioning of power lines
care in routing of cables
fault
brownout
blackout
35
spike
sag
surge
transient
object reuse
media storage
paper printouts
data backup tapes
CDs
diskettes
hard drives
flash drives
Domain 5 General
Domain 5
Overview
Expectations
Domain 5 Detail
Domain 5
Skills
design architecture
OS
Skills
diskless workstation
thin clients
thin processing
memory management
Skills
Tools
36
OS State
OS protection
programming
languages
process management
file management
I/O management
user
privileged
layering
abstraction
process isolation
hardware segmentation
ring 3: applications and programs
ring 2: I/O drivers and utilities
ring 1: OS components that are not part of
the kernel
ring 0: OS kernel
machine
assembly
database
PDAs
computer
architecture
high level
data definition language
data manipulation language
technologies
the CPU
instruction cycle
pipelining
complex instruction set computer CISC
assembler
disassmebler
compiler
interpreter
java based
PALM operating system
Win CE
arithmetic /logic unit
control unit
primary storage memory unit
fetch phase
execute phase
37
reduced-instruction set computer RISC
interrupt
scalar processor
superscalar processor
multitasking
multiprocessing
multithreading
multiprogramming
memory
CPU execution
cache
RAM
ROM
memory addressing
storage devices
trusted computing
base
primary
secondary
virtual
Write once read memory WORM
volatile
non-volatile
access control mechanisms
reference monitor
secondary memory
sequential memory
virtual memory
memory isolation
TOC | TOU protection
direct addressing
absolute addressing
register direct addressing
register indirect addressing
DRAM
SRAM
firmware
PROM
EPROM
EEPROM
PLD
locked memory
38
kernel
protective mechanisms
monitor
security models
lattice
confidentiality: Bell-LaPadula
integrity: biba
commerical: clark wilson
state machine
models
research model
graham-denning
model
harrison-ruzzoullman
chinese wall model
enforcement
noninterference
information flow
create object
create subject
grant access right
read access right
delete object
delete subject
delete access right
transfer access right
add granular control
security kernel
reference monitor concept
process activation
process execution domain switching
memory protection
I/O operation
no read up
no write down
no read down
no write up
constrained data item are consistent
transformational procedures act validly
duties are separated
accesses are logged
unconstrained data items are validated
39
domain separation
TCSEC Classes
Orange book
reference monitor
execution rings
base address registers
segmentation descriptors
4 classes
based on
ITSEC classes
european
first common standard
main attributes
target of evaluation
functionality
assurance
A: verified protected
B: mandatory protected
C: discretionary protected
D: minimal security
security policy
object marking
subject identification
accountability
assurance
documentation
functionality
assurance
TOE
F1
F5
F6
F7
F8
F9
F10
E0
E1
E2
E3
E4
E5
E6
40
evaluation assurance level EAL
ISO 17799
security policy
security organization
assets classification and control
personnel security
physical and environmental security
computer and network management
system access control
system development and maintenance
BCP
compliance
risk based
holistic approach
Domain 6 General
Domain 6
Term
EAL 1
EAL 2
EAL 3
EAL 4
EAL 5
EAL 6
41
Domain 6 Detail
Domain 6
Skills
BCP
Business Continuity
Planning (BCP)
Skills
BCP phases
Misc
Why?
key component
Disaster Recovery
Planning (DRP)
Skills
assess
evaluate
prepare
mitigate
respond
recover
42
build the team
create a BCP
risk analysis and impact
disaster recovery steps
plan for testing
plan for training
procedure to keep the plan up-todate
43
Process
Risk analysis
Process
Types
BIA
Process
Assessment
management phase
identify assets
what threatens those assets
how can we protect and recover those
assets
document the results
test and review
provide training and raise awareness
identify critical business system and
processes
identify the specific threats
evaluate vuln of an asset and probability
of an attack
determining protection mechanisms
calculate loss of assets vs cost of
implementation
risk avoidance
risk acceptance
risk transfer
risk reduction
determine the tolerable impact levels
your system can have
evaluate the effect of a disaster over a
period of time
business function priorities
timeframe for recovery
immediate recovery
quick recovery
same-day recovery
72 hours recovery
24 hours recovery
72+ hours recovery
44
maximum allowable
downtime
resource requirements
total time for nonfunctioning before
major financial impact
identify point of no return
derived from BIA
used to define resource requirement
vulnerability assessment
use BIA
minimum requirements
start planning for continuity
no backup, no recovery
no strategy
self-service
reciprocal agreements
alternative sites
no backup no recovery
introduction
emergency management team
emergency operation center
emergency notification procedure
frequency
availability
location
backup
mirroring
hot
warm
cold
hybrid
mobile
45
backup solution
implementation phase
developing plan
supporting information
notification | activation
recovery
reconstitution
appendices
electronic vaulting
remote journaling
database shadowing
disk duplexing
clear plan
testing and training strategies
enterprise crisis management plan
introduction
crisis management structure
locations
procedures
exercise log
revision history
purpose
applicability
scope
references | requirements
record of changes
concept of operations
system description
line of succession
responsibilities
execute temporary processing
capabilities
repair or replace
return to original operational capabilities
return to permanent facility
test system
shutdown temporary facility
contact info
short term
long term
46
type of testing
Management Phase
Mistake
Threat
47
BIA
build the plan
test and validate the plan
modify and update the plan
approve and implemented the plan
Ring
Numbering systems
Intrusion detection
star
Binary
Firewalls
Logical
Octal
Packet filtering
Ethernet
Decimal
Stateful
Token ring
Hex
Proxy
FDDI
Protocol stacks
WAN technologies
OSI
Penetration testing
VoIP
TCP/IP
Security assessment
Remote Access
Multi-layer protocols
Methods of attack
Virtual applications
Network addresses
Types of networks
Screen scraping
MAC
LANS
Multi-media applications
MANS
Network hardware
VPNS
WANS
Wiring
IPSEC
Topologies
Routers bridges
Virtual Machines
Physical
Switches
Bus
Hubs
Domain 7 Detail
48
Technologies
Intrusion detection and
response
firewall
firewall architecture
Skills
packet filtering
stateful
proxy
packet filtering
Skills
application level
circuit level
manages connection to DMZ
separate external | internal
dual-homed host
screened host firewall
screened subnet firewalls
bastion host
SOCKS
Internet | extranet | intranet
data network services
type of network
LANs
LAN transmission method
topology
file services
mail
print service
client | server services
domain name service
LANs
MANs
WANs
GANs
unicast
multicast
broadcast
physical
logical
bus
ring
star
mesh
tree
ethernet
49
token ring
FDDI
ATM
HDLC
ISDN
X.25
LAN transmission protocol
Ethernet
cable
802.11 wireless
CSMA
CSMA-CA
CSMA-CD
token passing
Polling
thinet
thicknet
unshielded twisted pair 10 base t
radio
FHSS
DSSS
802.11b
802.11a
802.11g
WAN
Device
virtual circuit
technologies
routers
multiplexers
switches
access servers
modem
switched virtual circuits SVC
permanent virtual circuits PVC
dedicated lines
frame relay
X.25
VPI
fixed data cell
size
50
HDLC and SDLC
VoIP
Integrate services digitial network
DSL and cable modems
SMDS
ATM
private circuit technologies
T1
T3
E1
E3
cable
fiber optic
cross over cable
asynchronous communication
synchronous communication
network devices
hubs
switches
bridges
routers
baseband
broadband
shielded STp
unshielded UTP
CAT1
CAT2
CAT3
CAT4
CAT5
CAT6 | 5E
51
CSU | DSU
repeaters
Protocol
Encapsulation
OSI Model
TCP/IP stack
Ipaddress class
NAT
Name resolution
app layer
presentation layer
session layer
transport layer
network layer
datalink layer'
physical layer
class A
class B
class C
broadcast address
private network addressing
one to one NAT
Pool NAT
Many to one NAT
host table
DNS
DNS def
DNS hierarchy
DNS queries
domain hijacking
IPv6
definition
fetures
addressing
header
route aggregation
improved delegation/management
autoconfiguration support
tunneling
translation
gethostbyname
gethostbyaddr
52
UDP
TCP
TCP vs UDP
ICMP
Application layer security
protocols
features
ports
header
features
header
flags
ports
code bits
Ping
Traceroute
S/MIME
SET
SSH
web security
Other protocols
Routing
Address
Protocol
Routing protocols
SSL
TLS
telnet
FTP
TFTP
SMTP
SNMP
MAC address
IP address
ARP
RARP
distance vector
link state
BGP
Caller ID
Callback
VPN
RIP
OSPF
advantages
client to site
53
RADIUS
TACACS
DIAMETER
Domains and trusts
Security Domains
Constrained user interface
CHAP
PAP
Domain 8 General
Domain 8
overview
Expectation
Application Security
application control
software life cycle development model
software process capability maturity model
object-oriented systems
artificial intelligence systems
database systems and security issues
data warehousing
data mining
principles related to secure design of information systems
security and controls to ensure data and application CIA
malicious code
software life cycle
Domain 8 Skillset
Application security
programming languages
Cobal
site to site
dial-up, async
xDSL
54
programming procedure
software enviroment
application control
input control
output control
fortran
c, C#, c++
pascal
java
Visual C
compiler
process
elements
CPU
memory
i/o request
storage devices
limit or range tests
logical checks
self-checking digits
control totals
reconciliation
physical handling procedures
authorization controls
processing controls
threat
buffer overflow
scripting | script kiddies
covert channel
transaction counts
total
cross footing
hash totals
error detection
error correction
rejection
resubmission
55
malware
object reuse
mobile code
system life cycle &
development
capability maturity model
for software
method
no customer involvement
no going back
structured
spiral
applets
cleanroom
iterative
prototyping
modified prototyping
rapid app development
joint analysis development
object oriented OOP
distributed
Java
object-oriented
56
untrusted Java applets
trusted java applets
platform independent
sandboxing
browser setting control actions of applets
JVM run checks on each object to ensure integrity
Java security
ActiveX
Rapid prototyping model
Object-oriented
development
object-oriented
ActiveX control
XP eXtreme Programming
class
object
methods
messages
Object-oriented system
Object-oriented system
black box
delegation
polymorphism
binding
polyinstantiation
encapsulation advantage
concepts
class
instance
methods
inheritance
encapsulation
code
data
multi-level database
managing complexity
managing change
protecting data
57
advantages
security aspects
OORA
polymorphism
reusability
reduce risks
model of the real world
security control for program library
communication between objects
access control by class
abstraction
data hiding
tight cohesion
loose coupling
object oriented requirement analysis
object oriented analysis
domain analysis
object-oriented degisn
object oriented programming
ORB
common object request broker architecture
common object model
distributed common object model
Application control
scope
distributed enviroment
local | non-distributed
open source
closed source
coupling
cohesion
portability
interoperability
transparency
extensibility
robustness and security
OORA
OOA
DA
OOD
OOP
CORBA
COM
DCOM
58
client-server req
accommodation of standards
meet user's functional requirement
CORBA
DCOM
DDP distributed data processing
pros
cons
fault tolerance
support
P2P
software environment
issue
open source
full disclosure
centralize
decentralize
general security principle
authorization
risk reduction
code review
separation of duties
accountability
least privilege
layered defense
multiple controls
Application control
preventive
detective
better availability
economic
increased user involvement and control
distance and location independence
privacy and security
vendor independence
hardware
disk duplexing
shadow database
fail-over
shadow database
fail-over
public development
intentional release of bugs
exploit code to force security issues
59
corrective
apply control to
form of control
security control
change control
input
processing
data hiding
interprocessing communication
interfaces
access control
output
administrative
physical
technical
input
output
transactions
process isolation
hardware segmentation
security kernel
modes of operation
reference monitor
ensure
process
security perspective
project initiation
dedicated
system high
multi level (MAC)
approved
incorporated properly
no original functionality addected adversely
make formal request
analyze: review security implications
submit for approval
develop the change
sensibility of information
critically of system
security risks
level of protection needed
regulatory | legal | privacy issues
60
functional design
design specifications
software development
software development
field (installation and implementation)
access control
necessary data fields only
expert systems
neural networks
knowledge base
expert system operating mode
forward chaining
backward chaining mode
61
system up times
volume of transactions
production problems
software prototyping
CASE tool
software capability
maturity model (CMM)
level 1 initial
level 2 repeatable
level 3 defined
level 4 managed
level 5 optimizing
database
databases : CIA
database system
concurrency
semantic integrity
enforcer DBMS
referential integrity
commit
executes changes that were just made
2 pahse commit
rollback if commit is unsuccessful
database returns to its previous state
checkpoints
database
database management system DBMS
types of data models
data warehouse
datamining
aggregation
hierarchical
mesh
object-oriented
relational
intrusion detection
fraud detection
auditing the database
62
inference
information gathering
parameter manipulation
XSS
Domain 9 General
Security operations
Legal requirements
Privacy and protection
Configuration management and change control
Non-disclosure agreement
Sensitivity markings
Control types
Directive controls
Preventive controls
Detective controls
Corrective controls
Recovery controls
Auditing
Reporting concepts and mechanisms
Roles and responsibilities
Incident response
System resilience
Domain 9 Detail
Skills
Operation security
addresses
63
external attackers
internal malicious intruders
operators inappropriatedly accessing resources
threat
vuln
asset
OPSEC
Role
administrative management
employment agreements
individual accountability
IS IT functions
computer resources
hardware
software
information
personnel
resource protection
privileged entry control
hardware control
manager | custodian
owner
user
job requirements
background checking
separation of duties
job rotation
vacation and leave
termination
general clauses
work hours and overtimes
holiday
non competition
non solicitation
confidentiality
NDA
audits
64
audit trails
reconstruction of events
avoid threats
loss of infrastructure
operation controls
sensitive information
physical security
disaster recovery
monitoring
incident response
training and awareness
date
time
location
audit log backup
central logging
console messages
logs
correlation from multiple sources
extract data from system
erros and omissions
fraud and theft
employee sabotage
malicious attackes
malicious code
power failures
spike and brownouts
loss of communication
water outage or leaks
lack of transportaiton
fire
flood
resource protection
privileged entry control
hardware control
i/o control
media control
admin control
marking
handling
NTP server
65
control types
media security
RAID
Redundant server
intrusion detection
storage
destruction
directive
preventive
detective
deterrent
corrective
recovery
compensatory
controlling access
proper disposal
sanitizing media
RAID 0
RAID 1
RAID 2
RAID 3 and 4
RAID 5
RAID 7
server clustering
full backup
incremental backup
differential backup
identify critical information
assess the threat
assess vul of critical info to the threat
conduct risk vs benefit analysis
implement appropriate countermeasures
repeat
intrusion prevention
intrusion detection
intrusion reponse
removing data
overwriting
degaussing
destruction
before
during
after
66
Types
configuration management
change control
patch management
documentation
configuration identification
configuration control
configuration accounting
configuration audit
applying to introduce a change
cataloging the intended change
scheduling the change
implementing the change
reporting the change to the appropriate parties
identify updates when needed
obtain updates
test updates
deploy updates
verify updates
document updates
security plans
contingency plans
risk analysis
security policies and procedures
integrity checking
anomaly identification
attack signature identification