CISSP Study Notes from CISSP Prep Guide (Second Edition)
These notes were prepared from The CISSP Prep Guide 2010 (Second Edition): Mastering the Ten Domains of Computer Security by Ronald L. Krutz, Russell Dean Vines, Edward M. Stroz and are not intended to be a replacement to the book.
In addition to the CISSP Prep Guide I used the following resources to prepare for the exam:
- The Information Security Management Handbook, Fourth Edition by Micki Krause and Harold F. Tipton
- The revised Michael Overly notes
- The Boson Questions #2 and #3
- Lots of misc. websites
- And of course www.cccure.org
Good Luck!
JWG, CISSP
CISSP Study Notes from CISSP Prep Guide
Domain 1 – Security Management Practices
Domain 2 – Access Control Systems
Domain 3 – Telecom and Network Security
Domain 4 – Cryptography
Domain 5 – Security Architecture and Models
Domain 6 – Operations Security
Domain 7 – Applications and System Development
Domain 8 – Business Continuity and Disaster Recovery Planning
Domain 9 – Law, Investigation and Ethics
Domain 10 – Physical Security
Domain 1 – Security Management Practices
The Big Three - C.I.A.
- Confidentiality – Prevent disclosure of data
- Integrity – Prevent modification of data
- Availability – Ensure reliable, timely access to data
Other Important Concepts
- Identification – Means by which a user claims an Identity
- Authentication – Establishes the user's Identity
- Accountability – System's ability to determine actions of users
- Authorization – rights and permissions granted to an individual
- Privacy – Level of confidentiality that a user is given
Objective of Security is to reduce effects of threats and vulnerabilities to a tolerable level.
Risk Analysis
Assess the following:
- Impact of the threat
- Risk of the threat occurring (likelihood)
Controls reduce both the impact of the threat and the likelihood of the threat; both matter in the cost/benefit evaluation of controls.
Data Classification
- Data classification has high-level, enterprise-wide benefit
- Demonstrates organization's commitment to security
- Helps identify sensitive and vital information
- Supports C.I.A.
- May be required for legal/regulatory reasons
Data owners are responsible for defining the sensitivity level of the data.
Government Classification Terms:
- Unclassified – Neither sensitive nor classified, public release is acceptable
- Sensitive But Unclassified (SBU) – Minor secret, no serious damage if disclosed
- Confidential – disclosure could cause damage to National Security
- Secret - disclosure could cause serious damage to National Security
- Top Secret – Highest Level - disclosure could cause exceptionally grave damage to National Security
In addition one must have a Need to Know – just because you have "secret" clearance does not mean you get all "secret" data, just the data with a need to know.
Additional Public Classification Terms
- Public – similar to unclassified, should not be disclosed but is not a problem if it is
- Sensitive – data protected from loss of Confidentiality and Integrity
- Private – data that is personal in nature and for company use only
- Confidential – very sensitive, for internal use only - disclosure could seriously negatively impact the company
Classification Criteria
- Value - number one criterion; if it is valuable it should be protected
- Age – value of data lowers over time, automatic de-classification
- Useful Life – If the information is made obsolete it can often be de-classified
- Personal Association – If the data contains personal information it should remain classified
Distribution may be required in the event of the following:
- Court Order – may be required by court order
- Government Contracts – government contractors may need to disclose classified information
- Senior Level Approval – senior executives may approve release
Information Classification Roles
Owner
- May be executive or manager
- Owner has final corporate responsibility for the data protection
- Makes determination of classification level
- Reviews classification level regularly for appropriateness
- Delegates responsibility of data protection to the Custodian
Custodian
- Generally IT systems personnel
- Runs regular backups and tests recovery
- Performs restoration when required
- Maintains records in accordance with the classification policy
User
- Anyone who routinely uses the data
- Must follow operating procedures
- Must take due care to protect
- Must use computing resources of the company for company purposes only
Policies, Standards, Guidelines and Procedures
- Policies are the highest level of documentation
- Standards, Guidelines and Procedures are derived from policies
- Should be created first, but are no more important than the rest
Senior Management Statement – general high-level statement
- Acknowledgment of importance of computing resources
- Statement of Support for information security
- Commitment to authorize lower-level Standards, Guidelines and Procedures
Regulatory Policies – company is required to implement due to legal or regulatory requirements
- Usually very detailed and specific to the industry of the organization
- Two main purposes
  - To ensure the company is following industry standard procedures
  - To give the company confidence they are following industry standard procedures
Advisory Policies – not mandated but strongly suggested.
- Company wants employees to consider these mandatory.
- Advisory Policies can have exclusions for certain employees or job functions
Informative Policies
- Exist simply to inform the reader
- No implied or specified requirements
Standards, Guidelines and Procedures
- Contain actual detail of the policy
- How the policies should be implemented
- Should be kept separate from one another
  - Different Audiences
  - Security Controls are different for each policy type
  - Updating the policy is more manageable
Standards - Specify use of technology in a uniform way, compulsory
Guidelines – similar to standards but not compulsory, more flexible
Procedures – Detailed steps, required, sometimes called "practices", lowest level
Baselines – baselines are similar to standards; standards can be developed after the baseline is established
Roles and Responsibilities
- Senior Management – Has ultimate responsibility for security
- Infosec Officer – Has the functional responsibility for security
- Owner – Determines the data classification
- Custodian - Preserves C.I.A.
- User – Performs in accordance with stated policy
- Auditor – Examines Security
Risk Management
Mitigate (reduce) risk to a level acceptable to the organization.
Identification of Risk
- Actual threat
- Possible consequences
- Probable frequency
- Likelihood of event
Risk Analysis
- Identification of risks
- Benefit-cost justification of countermeasures
Risk Analysis Terms
- Asset – Resource, product, data
- Threat – Action with a negative impact
- Vulnerability – Absence of control
- Safeguard – Control or countermeasure
- Exposure Factor (EF) – % of asset loss caused by threat
- Single Loss Expectancy (SLE) – Expected financial loss for a single event
  SLE = Asset Value x Exposure Factor
- Annualized Rate of Occurrence (ARO) – represents the estimated frequency with which the threat will occur within one year
- Annualized Loss Expectancy (ALE) – Annually expected financial loss
  ALE = SLE x ARO
Risk Analysis
- Risk analysis is more comprehensive than a Business Impact Analysis
- Quantitative – assigns objective numerical values (dollars)
- Qualitative – more intangible values (data)
- Quantitative is a major project that requires a detailed process plan
Preliminary Security Examination (PSE)
- Often conducted prior to the quantitative analysis.
- PSE helps gather elements that will be needed for the actual RA
Risk Analysis Steps
1) Estimate of potential loss
2) Analyze potential threats
3) Define the Annualized Loss Expectancy (ALE)
Categories of Threats
- Data Classification – malicious code or logic
- Information Warfare – technically oriented terrorism
- Personnel – Unauthorized system access
- Application/Operational – ineffective security results in data entry errors
- Criminal – Physical destruction, or vandalism
- Environmental – utility outage, natural disaster
- Computer Infrastructure – Hardware failure, program errors
- Delayed Processing – reduced productivity, delayed collections processing
Annualized Loss Expectancy (ALE)
- Risk analysis should contain the following:
  - Valuation of Critical Assets
  - Detailed listing of significant threats
  - Each threat's likelihood
  - Loss potential by threat
  - Recommended remedial safeguards
Remedies
- Risk Reduction - implementation of controls to alter risk position
- Risk Transference – get insurance, transfer cost of a loss to insurance
- Risk Acceptance – Accept the risk, absorb loss
Qualitative Scenario Procedure
- Scenario Oriented
- List the threat and the frequency
- Create exposure rating scale for each scenario
- Scenario written that addresses each major threat
- Scenario reviewed by business users for reality check
- Risk Analysis team evaluates and recommends safeguards
- Work through each finalized scenario
- Submit findings to management
Value Assessment
- Asset valuation necessary to perform cost/benefit analysis
- Necessary for insurance
- Supports safeguard choices
Safeguard Selection
- Perform cost/benefit analysis
- Costs of safeguards need to be considered, including
  - Purchase, development and licensing costs
  - Installation costs
  - Disruption to production
  - Normal operating costs
Cost Benefit Analysis
ALE (Pre Control) – ALE (Post Control) = Annualized value of the control
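A worked calculation of the quantitative risk formulas from the Risk Analysis Terms section (SLE = Asset Value x EF, ALE = SLE x ARO) together with the pre/post-control comparison above, added here as an illustration and not taken from the Prep Guide or these notes. The asset value, exposure factors, ARO values and safeguard costs are constructed sample figures, and the net-benefit function goes one step beyond the notes' formula by also subtracting the safeguard's own annual cost.

```python
# Added worked example, not from the study notes: SLE = AV x EF, ALE = SLE x ARO,
# and the cost/benefit check ALE(pre-control) - ALE(post-control).
# All dollar figures, exposure factors and AROs below are constructed samples.

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (EF = fraction of the asset lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (ARO = expected events per year; 0.1 means once a decade)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro

def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE straight from the three risk-analysis inputs."""
    return annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)

def control_value(ale_pre: float, ale_post: float) -> float:
    """ALE(pre-control) - ALE(post-control) = annualized value of the control."""
    return ale_pre - ale_post

def net_benefit(ale_pre: float, ale_post: float, annual_safeguard_cost: float) -> float:
    """Extension beyond the notes' formula: also subtract the safeguard's own annual
    cost (purchase/licensing, installation, production disruption, operating costs),
    so a control that costs more than the loss it prevents comes out negative."""
    return control_value(ale_pre, ale_post) - annual_safeguard_cost

if __name__ == "__main__":
    # Constructed sample: a $200,000 customer database threatened by ransomware.
    # Before controls: half the asset value lost per incident, one incident every 2 years.
    ale_pre = ale(200_000, exposure_factor=0.5, aro=0.5)    # 50,000
    # After tested backups and endpoint protection: 10% lost, one incident every 4 years.
    ale_post = ale(200_000, exposure_factor=0.1, aro=0.25)  # 5,000
    print(f"ALE before control: ${ale_pre:,.0f}/yr")
    print(f"ALE after control:  ${ale_post:,.0f}/yr")
    print(f"Annualized value of the control: ${control_value(ale_pre, ale_post):,.0f}/yr")
    # A $20,000/yr safeguard is justified by these figures; a $60,000/yr one is not.
    print(f"Net benefit at $20,000/yr: ${net_benefit(ale_pre, ale_post, 20_000):,.0f}/yr")
    print(f"Net benefit at $60,000/yr: ${net_benefit(ale_pre, ale_post, 60_000):,.0f}/yr")
```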
Level of manual operations
- The amount of manual intervention required to operate the safeguard
- Should not be too difficult to operate
Auditabili