vemendo, founded in 1997 with a special eye for the customer's business
An introduction to the CISSP certification for self-study groups
Tomas Ericsson, CISSP-ISSAP
Solutions Architect
Mobile: +46 (0) 70 530 45 32
E-mail: [email protected]
Twitter: @tomas_ericsson
Agenda
• Why become a CISSP?
• About (ISC)²
• The Credentialing Process
• The 10 CBK Domains
• Study Resources
• Tips on the way
• Questions and answers
Why become a CISSP?
• The world changes with growing needs for security
• Prove that you meet predefined standard of knowledge and experience
• Broaden your knowledge of security concepts and practices
• Become more marketable in a competitive workforce
• Show your dedication to the security discipline
About (ISC)²
• A global not-for-profit organization
• Formed in 1989 – First public certification available in 1995
• Sole purposes – certification and education in information security
• First information security credential accredited by ANSI under ISO/IEC Standard 17024
• Certified thousands of information security practitioners in over twenty-seven countries
International Information Systems Security Certification Consortium
(ISC)² Certifications
• CISSP
  • Certified Information Systems Security Professional
• CISSP Concentrations
  • Information Systems Security Architecture Professional (ISSAP)
  • Information Systems Security Engineering Professional (ISSEP)
  • Information Systems Security Management Professional (ISSMP)
• CSSLP
  • Certified Secure Software Lifecycle Professional
• SSCP
  • Systems Security Certified Practitioner
• CAP
  • Certified Authorization Professional
Number of certified professionals per July 2011*
• CISSP
  • In Sweden: 350
  • World-wide: 75 000
• CISSP-ISSAP
  • In Sweden: 4
  • World-wide: 998
• CISSP-ISSEP
  • In Sweden: 0
  • World-wide: 726
• CISSP-ISSMP
  • In Sweden: 4
  • World-wide: 720
*Source: (ISC)² web site member resources.
(ISC)² Credentialing Process
• Required Experience
  • Minimum of five years of full-time working experience in any combination of two of the CBK domains. Four years if holding a bachelor's or master's degree, or another approved certificate.
• Application
  • Validating your education and/or experience
• CISSP Examination
  • Passing the exam
• Code of Ethics
  • Committing to the principles and guidelines set forth by (ISC)²
• Endorsement Process
  • Attesting to your eligibility requirements
Code of Ethics
• Safety of the commonwealth requires that we adhere to the highest ethical standards of behavior
• Therefore, strict adherence to this code is a condition of certification
• Certificate holders will:
  • Protect society, the commonwealth, and the infrastructure
  • Act honorably, honestly, justly, responsibly and legally
  • Provide diligent and competent service to principals
  • Advance and protect the profession
The Exam
• “An inch deep and a mile wide”
• 250 multiple-choice questions
  • 25 for research purposes
  • Some scenario-based
• Up to 6 hours to complete; a minimum score of 70% (700 out of 1000 points) is required to pass
• Information security concepts
• Vendor- and product-independent
• Measures habitual knowledge, not skill
• Standard English dictionaries are ok to use
The long wait…
• Finally you receive a mail telling you that you have passed the exam (you will not know the score). Congratulations!
• If you fail the exam you will receive a mail with your score. Domains are listed ranked from weakest to strongest.
• A small sample group of candidates will be audited after passing the exam.
The Endorsement Process
• Next step after passing the exam
• Another CISSP (in good standing) verifies that you have the experience you claim to have
• After approval from the (ISC)² board of directors you will receive your certificate.
Maintaining your CISSP certificate in good standing
• The CISSP certification is valid for three years
• Remain in good standing by:
  • Being compliant with the (ISC)² Code of Ethics
  • Earning 120 Continuing Professional Education (CPE) credits during the three-year period
  • Paying Annual Maintenance Fees (AMFs)
• This will qualify you for an exam-free recertification
How you earn CPE credits
• Attending educational courses or seminars
• Attending security conferences
• Being a member of an association chapter and attending meetings
• Serving on the board of a professional security organization
• Volunteering for government, public sector and other charitable organizations, including (ISC)² volunteer committees
1 CPE = approx. 1 hour
How you earn CPE credits (cont.)
• Completing higher academic courses
• Providing security training
• Publishing security articles or books
• Participating in self-study courses, computer-based training or webcasts
• Reading an information security book or subscribing to an information security magazine
Two types of CPE credits
• Group A
  • Access Control
  • Application Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security and Risk Management
  • Legal, Regulations, Compliance and Investigations
  • Operations Security Team
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security
• Group B
  • Organizational Behavior
  • Strategic Planning
  • Programming Languages & Techniques
  • Tools and Techniques
  • Interpersonal Communications Skills
  • Interviewing Techniques
  • Development Skills
  • Project Management Skills
In a three-year period you need a minimum of 120 credits, of which at least 80 need to be Group A credits.
CBK – Common Body of Knowledge
• A collection of topics relevant to information security professionals around the world
• Establishes a common framework of information security terms and principles
• Review Committee consisting of leading information security specialists, educators and practitioners
• Focuses on confidentiality, integrity and availability (CIA), and attempts to balance the three across ten areas of interest called CBK domains
The 10 CISSP CBK Domains
• Access Control
• Application Development Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security Governance and Risk Management
• Legal, Regulations, Investigations and Compliance
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security
CBK Domain #1: Access Control
• Authentication methods, models, and technologies
• Access Control Models
  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)
  • Non-discretionary Access Control
• Identity Management Solutions
  • Directories
  • Web Access Management
  • Password Management
  • SSO
CBK Domain #1 (cont.): Access Control
• Intrusion detection systems
  • Network- vs. host-based
  • Behavior- vs. signature-based
• Threats to access control practices and technologies
  • Race condition
  • Brute force
  • Dictionary
  • Social
  • Rainbow tables
• Accountability, monitoring, and auditing practices
CBK Domain #1: Access Control
• Which access control method is user-directed?
A. Non-discretionary
B. Mandatory
C. Identity-based
D. Discretionary
• Which item is not part of a Kerberos authentication implementation?
A. Message Authentication Code
B. Ticket granting service
C. Authentication service
D. Users, programs, and services
CBK Domain #2: Application Development Security
• Various types of software controls and implementation
• Database concepts and security issues
  • Database views
  • Aggregation
  • Inference
• Software life-cycle development processes
CBK Domain #2 (cont.): Application Development Security
• Web Security
  • Threats
  • Safeguards
• Malicious Software
  • Viruses
  • Worms
  • Trojan horses
  • Logic bombs
CBK Domain #2: Application Development Security
• Which of the following replicates itself by attaching to other programs?
A. A worm
B. A virus
C. A Trojan horse
D. Malware
• Database views provide what type of security control?
A. Detective
B. Corrective
C. Preventive
D. Administrative
CBK Domain #3: Business Continuity and Disaster Recovery Planning
• Project initiation steps
• Business Impact Analysis (BIA)
• Recovery strategy
• Recovery plan
• Implementing, testing and maintaining the plan
• Recovery and continuity planning requirements
• Backup alternatives
  • Full backup
  • Incremental
  • Differential
CBK Domain #3 (cont.): Business Continuity and Disaster Recovery Planning
• Backup and offsite facilities
  • Hot
  • Warm
  • Cold
  • Reciprocal agreements
• Offsite backups
  • Remote journaling
  • Electronic vaulting
• Types of drills and tests
  • Walk-through
  • Checklist
  • Simulation
  • Full interruption
CBK Domain #3: Business Continuity and Disaster Recovery Planning
• What is one of the first steps in developing a business continuity plan?
A. Identify backup solution
B. Decide whether the company needs to perform a walk-through, parallel, or simulation test
C. Perform a business impact analysis
D. Develop a business resumption plan
• Which best describes a hot-site facility versus a warm- or cold-site facility?
A. A site that has disk drives, controllers, and tape drives
B. A site that has all necessary PCs, servers, and telecommunications
C. A site that has wiring, central air, and raised flooring
D. A mobile site that can be brought to the company’s parking lot
CBK Domain #4: Cryptography
• History of cryptography
• Cryptography components and their relationships
• Government involvement in cryptography
• Symmetric and asymmetric key algorithms
• Public key infrastructure (PKI) concepts and mechanisms
  • Digital signatures
  • Certificates
  • Certificate Authority (CA)
  • Registration Authority (RA)
CBK Domain #4 (cont.): Cryptography
• Hashing algorithms and uses
  • MD2, MD4, MD5
  • SHA-1, SHA-2
• Types of attacks on cryptosystems
  • Cipher attack
  • Cryptanalysis
  • Known-plaintext
  • Replay
  • …and more
CBK Domain #4: Cryptography
• How many bits make up the effective length of the DES key?
A. 56
B. 64
C. 32
D. 16
• If different keys generate the same cipher text for the same message, what is this called?
A. Collision
B. Secure hashing
C. MAC
D. Key clustering
CBK Domain #5: Information Security Governance and Risk Management
• Security management responsibilities
• Difference between administrative, technical, and physical controls
• Three main security principles
  • Confidentiality
  • Availability
  • Integrity
• Risk management and risk analysis
CBK Domain #5 (cont.): Information Security Governance and Risk Management
• Information Security Standards
  • ISO 17799
  • ISO 27001
• Security policies
• Information classification
• Security awareness training
CBK Domain #5: Information Security Governance and Risk Management
• What are security policies?
A. Step-by-step directions on how to accomplish security tasks
B. General guidelines used to accomplish a specific security level
C. Broad, high-level statements from the management
D. Detailed documents explaining how security incidents should be handled
• Which is the most valuable technique when determining if a specific security control should be implemented?
A. Risk analysis
B. Cost/benefit analysis
C. ALE results
D. Identifying the vulnerabilities and threats causing the risk
CBK Domain #6: Legal, Regulations, Investigations and Compliance
• Computer crimes and computer laws
  • Criminal law
  • Civil law
  • Intellectual property laws
  • Computer crime laws
  • Privacy laws (EU)
• Regulations
  • SOX
  • HIPAA
  • GLBA
  • Basel II
  • PCI DSS
• Motives and profiles of attackers
CBK Domain #6 (cont.): Legal, Regulations, Investigations and Compliance
• Computer crime investigation process and evidence collection
  • Best evidence
  • Secondary evidence
  • Circumstantial evidence
  • Hearsay evidence
• Incident-handling procedures
• Ethics pertaining to information security professionals and best practices (Code of Ethics)
CBK Domain #6: Legal, Regulations, Investigations and Compliance
• Which of the following would be a violation of the (ISC)² Code of Ethics, and could cause the candidate to lose his or her certification?
A. E-mailing information or comments about the exam to other CISSP candidates
B. Submitting comments on the questions of the exam to (ISC)²
C. Submitting comments to the board of directors regarding the test and content of the class
D. Conducting a presentation about the CISSP certification and what the certification means
• Protecting evidence and providing accountability for who handled it at different steps during the investigation is referred to as what?
A. The rule of best evidence
B. Hearsay
C. Evidence safety
D. Chain of custody
CBK Domain #7: Operations Security
• Administrative management responsibilities
  • Organisational roles
  • Separation of duties
  • Least privilege
• Operations department responsibilities
  • Configuration management
  • Trusted recovery states
CBK Domain #7 (cont.): Operations Security
• Redundancy and fault-tolerant systems
  • RAID
• Threats to operations security
  • DoS
  • Man-in-the-middle
  • Mail bombing
  • War dialing
  • Fake login screens
  • Teardrop
  • Traffic analysis
CBK Domain #7: Operations Security
• Which of the following best describes operations security?
A. Continual vigilance about hacker activity and possible vulnerabilities
B. Enforcing access control and physical security
C. Taking steps to make sure an environment, and the things within it, stay at a certain level of protection
D. Doing strategy planning to develop a secure environment and then implementing it properly
• If sensitive data are stored on a CD-ROM and are no longer needed, which would be the proper way of disposing of the data?
A. Degaussing
B. Erasing
C. Purging
D. Physical destruction
CBK Domain #8: Physical (Environmental) Security
• Administrative, technical, and physical controls
• Facility location, construction, and management
• Physical security risks, threats, and countermeasures
  • Natural environmental
  • Supply system
  • Manmade
  • Politically motivated
CBK Domain #8 (cont.): Physical (Environmental) Security
• Electric power issues and countermeasures
• Fire prevention, detection and suppression
• Fire suppression
• Intrusion detection systems
CBK Domain #8: Physical (Environmental) Security
• When should a Class C fire extinguisher be used instead of a Class A fire extinguisher?
A. When electrical equipment is on fire
B. When wood and paper are on fire
C. When a combustible liquid is on fire
D. When the fire is in an open area
• Which of the following answers contains a category of controls that does not belong in a physical security program?
A. Deterrence and delaying
B. Response and detection
C. Assessment and detection
D. Delaying and lighting
CBK Domain #9: Security Architecture and Design
• Computer hardware and operating systems architecture
• Trusted computing base and security mechanisms
  • Hardware
  • Software
  • Firmware
• Protection mechanisms within an operating system
  • Security perimeter
  • Reference monitor
  • Security kernel
CBK Domain #9 (cont.): Security Architecture and Design
• Security models
  • Bell-LaPadula (confidentiality)
  • Biba (integrity)
  • Clark-Wilson (integrity)
• Systems evaluation methods
  • Orange Book (TCSEC / Rainbow Series)
  • Common Criteria
CBK Domain #9: Security Architecture and Design
• What is the best description of a security kernel from a security point of view?
A. Reference monitor
B. Resource manager
C. Memory mapper
D. Security perimeter
• The trusted computing base (TCB) controls which of the following?
A. All trusted processes and software components
B. All trusted security policies and implementation mechanisms
C. All trusted software and design mechanisms
D. All trusted software and hardware components
CBK Domain #10: Telecommunications and Network Security
• The OSI model
• TCP/IP and many other protocols
• LAN, WAN, MAN, intranet, and extranet technologies
• Cable types and transmission types
• Communications security management
• Remote access methods and technologies
• Wireless technologies
CBK Domain #10: Telecommunications and Network Security
• At what layer does a bridge work?
A. Session
B. Network
C. Transport
D. Data link
• Which of the following proxies cannot make access decisions on protocol commands?
A. Application
B. Packet filtering
C. Circuit
D. Stateful
Study Resources
• All-in-One CISSP Exam Guide (Shon Harris)
  • Including CD-ROM
• Free resources on the Net
  • cccure.org
  • Discussion forums and groups
• And don't forget
  • The Code of Ethics found on the (ISC)² Web site
Tips on the way
• Start studying now!
  • You will probably need 2-3 months just to complete the All-in-One exam guide
• Do practice exams. Get to know your weakest domains, which will need your attention before taking the exam.
• Use multiple study resources, e.g. books, eLearning and free practice-test resources on the net.
• Make sure you have relevant professional experience
• Prepare for the endorsement process
Tips on the way (cont.)
• The exam
  • Be physically and mentally prepared for the 6 hours, and bring something to drink.
  • Read the exam questions carefully. My personal favorite is to start by excluding the two least likely answers and then choose the correct answer from the remaining two.
  • Watch the clock. With 250 questions and 6 hours maximum exam time you have an average of 90 seconds per question.
  • Be aware that the exam still contains questions that you might think have become outdated in the real world.
  • Take short breaks to stretch and relax.
Summary
• Why become a CISSP?
• About (ISC)²
• The Credentialing Process
• The 10 CBK Domains
• Study Resources
• Tips on the way
Questions?