About the New CISSP Exam
Doug Landoll
CEO
Lantego, www.lantego.com
April 25, 2015
(512) 633-8405
dlandoll@lantego.com
Session Agenda
CBK & Question Depth
2015 CBK
New Test Question Formats
Study Strategies
Test Taking Strategies
Common Body of Knowledge
Mile wide and an inch deep
  Lots of vocabulary
  Minimal numbers and form
  No port #s, no RFC #s
Know your history
  Classic definitions
  Old criteria (e.g. Orange Book)
NTX ISSA Cyber Security Conference, April 24-25, 2015, @NTXISSA
Preparation Process
Learning groups and relationships
  Look for relationships between terms and principles, across domains, and in practice.
Learn and build mnemonics
  Use memory devices such as anagrams, drawings, and phrases.
  Many of these will be presented in class
  Compiling these together is referred to as creating your data dump sheet
Data Dump Sheet Example
2015 Common Body of Knowledge
2015 CBK (8 domains):
  Security and Risk Management
  Asset Security
  Security Engineering
  Communication and Network Security
  Identity and Access Management
  Security Assessment and Testing
  Security Operations
  Software Development Security
Previous CBK (10 domains, as listed on the slide):
  Legal
  Risk Management
  Cryptography
  Physical Security
  Security Architecture
  Telecommunications
  Access Control
  BCP
  Operations
8 Domains vs. 10 Domains: Who Cares!
2015 CBK: What's New: Topics
3rd Party Risk Management
BYOD Risks
IoT
Software Defined Networks
Cloud Identity Services (OAuth 2.0)
Maybe +4%
Access Control
Mostly Vocabulary
Passwords: Static, Dynamic, Cognitive, vs. Passphrases, Hashes, Thresholds
Biometrics: Effective: RIP; Accepted: VSHK
Strong Auth
IdM: Ident, Authent, Auth (X.500, LDAP, XML, SPML, SAML, SOAP)
Policies: DAC, MAC, RBAC
SSO: Kerberos, KryptoKnight, SESAME
Architecture
Computer Architecture
  CPU
  Operating System
System Architecture
  System boundaries
  Security policy models
  Modes of operation
System Evaluation & Accreditation
  System Evaluation
  Certification & Accreditation
Enterprise Architecture
Architecture Threats
Architecture: Models
Model | Attributes | Policy | Comments
Access Matrix | S, O, accesses | C: DAC | Rows: CLs; Columns: ACLs
BLP | S, O, a; no read up, no write down | C: DAC, MAC |
Biba | S, O, a; no read down, no write up | I: Auth changes | Flips BLP
Clark-Wilson | S, O, a; no read down, no write up | I: Auth changes, no mistakes, data consistency | Well-formed transactions, separation of duty
Non-Interference | Inputs (cmds), Outputs (views) | I: Auth changes; C: MAC | Useful in CCA; Not lattice
Information Flow | Objects, info flow | I: Auth changes; C: MAC | Useful in CCA; Not lattice
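The BLP and Biba rows above are easiest to remember by coding them: the following is an added example (not part of the slides) of a tiny reference monitor that enforces "no read up, no write down" for confidentiality and "no read down, no write up" for integrity, and checks the "Flips BLP" comment by brute force. The three-level lattice and the labels are constructed for the demo.

```python
from dataclasses import dataclass
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """Constructed linear lattice for the demo: LOW < MEDIUM < HIGH."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Label:
    conf: Level   # confidentiality level, used by Bell-LaPadula
    integ: Level  # integrity level, used by Biba


def blp_allows(subj: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    if op == "read":
        return subj >= obj
    if op == "write":
        return subj <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subj: Level, obj: Level, op: str) -> bool:
    """Biba: no read down (simple integrity), no write up (*-integrity)."""
    if op == "read":
        return subj <= obj
    if op == "write":
        return subj >= obj
    raise ValueError(f"unknown operation {op!r}")


def decide(subject: Label, obj: Label, op: str) -> str:
    """Reference-monitor decision when both policies are enforced together."""
    if not blp_allows(subject.conf, obj.conf, op):
        return "DENY (BLP)"
    if not biba_allows(subject.integ, obj.integ, op):
        return "DENY (Biba)"
    return "ALLOW"


def biba_mirrors_blp() -> bool:
    """'Flips BLP': swapping subject and object levels in BLP yields Biba, for every case."""
    return all(biba_allows(s, o, op) == blp_allows(o, s, op)
               for s, o, op in product(Level, Level, ("read", "write")))


if __name__ == "__main__":
    # Constructed sample: a cleared analyst running a low-integrity (internet-facing) process.
    analyst = Label(conf=Level.HIGH, integ=Level.LOW)
    print(decide(analyst, Label(Level.LOW, Level.LOW), "read"))    # ALLOW
    print(decide(analyst, Label(Level.LOW, Level.HIGH), "write"))  # DENY (BLP)
    print(decide(analyst, Label(Level.HIGH, Level.HIGH), "write")) # DENY (Biba)
```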
Cryptography
SYMMETRIC: DES, TDES, AES, IDEA, Blowfish, RCx, CAST, SAFER, Serpent
KEYED HASH: MAC, HMAC
HYBRID
HASH: MD5, RIPEMD, SHAx
ASYMMETRIC: DH, RSA, ElGamal, ECC, LUC, Knapsack
DIGITAL SIGNATURE: DSS, RSA DS, DSA
Telecommunications
Legal
Type | IP Protected | Term | Issues
Patent (Patent & Trade Office) | Invention | 20 years | 1st to file vs. invent; <1 year of 1st public use
Copyright (Library of Congress) | Works of authorship | Life + 70; 95 yrs | Fair Use; International; DMCA
Operations
(Learning) Discovery: Newsgroups, Domain name registries, Ping sweep, trash INT
Enumeration: Port scanning, OS fingerprinting
Vulnerability Mapping: Vulnerability scanning, Casing
Exploitation: Exploit vulnerabilities, Social engineer, Escalate privileges
LEVER OR DELIVER: Report to Management
New Test Question Formats
Majority: Multiple Choice, 4 candidate answers, pick one
New Questions:
  Scenario
  Drag and Drop
  Hot Box
Scenario Questions
Description:
  Situational: 1-2 paragraphs describing an environment, results of an audit, etc.
  3-5 questions on the scenario
Tactics:
  Read the question first
  Consider operational issues (tradeoffs)
Drag and Drop
Which algorithms below are examples of symmetric cryptography?
  Advanced Encryption Standard
  Rivest Shamir Adleman
  Diffie-Hellman
  ElGamal
  Data Encryption Standard
Hot Spot
The diagram below is a design of a Public Key Infrastructure to secure internet transactions. Within the design is a Certificate Authority, a Registration Authority, and a Validation Authority.
Click on the location of the registration authority.
Study Strategies
Register NOW
  Allows for study planning
  Commits you to the process of successfully studying
Develop a study plan
  Available days
    Number of days from now until the exam date, less work and family commitments
  Rule of 12 (now Rule of 10?)
    Divide your available days by 12 to get study units
    Use 1 unit for each domain
    Use 2 units for full-length exams and data dump
Study Strategies (2)
Utilize ALL sources
  CISSP study book(s)
  Question resources
    Book CD, www.cccure.org, StudISCope
  Course slides and notes
Take unit and mixed-unit exams often
  Mix it up, not the same questions over and over
  Aim for 80%-85% in all units
Study Strategies (3)
Use memory devices
  Acronyms
    Word based
      DEERMRSCARBIDS
      Use ANAGRAM solvers to create your own
    Sentence based
      Please Do Not Take Sales People's Advice
      Plain Brown Potatoes Raise Plain Thin Men
  Other Mnemonics
    Phrases
      Reading is simple
      Link (in) Tunnel
    Diagrams
      Concentric squares, ACM
Test Taking Strategies
The Day Before
  Get a good rest
  Check out the testing center location
The Day Of
What to Bring | What NOT to Bring
Registration paperwork | Cell phone
Snack & Drink | Digital watch
Jacket or sweater |
Test Taking Strategies (2)
Other possible issues
  Noise from nearby construction or weekend event
  Temperature
    Dress in layers (bring a jacket)
  Whiteboard and Marker
    Ensure you have a good one
Test Taking Strategies (3)
Data Dump Strategy
  Prior to answering any questions
  Recall and document diagrams, lists, charts, and other mnemonics
Three Pass Method (Consider this)
1. Answer obvious questions, update diagrams
2. Answer all but the most difficult questions
3. Complete all questions
Test Taking Strategies (4)
Individual Question Strategy
  Read question carefully
    Find keywords and questions (e.g., not, best, first)
  Read ALL candidate answers; do not jump to the first good one
  Use candidate answers as a clue
    Look for slight differences between candidate answers
  Eliminate clearly wrong answers first
    Phases/steps: key on obvious wrong answers (e.g., report before analysis)
Test Taking Strategies (5)
Individual Question Strategy (cont.)
  Use information contained in questions and answers
    Update diagrams and lists
  Don't argue with the test
    Decide what answer ISC2 is looking for
    Dumb it Down
Test Taking Strategies (6)
Drag and Drop Questions
  Essentially a matching exercise
  Easier than normal questions
  Make the simplest/most obvious match first
Scenario Questions
  Find the question first.
  Then go back and get relevant data
  Usually operational questions
    security/usability tradeoffs, risk-based decisions, application of principles
Pearson VUE Screen
Time Remaining
Flag for Review
Pearson VUE Screen
Review Selection
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you