CISSP

1. ISC2

1.1. How to get certified?

1.2. Candidate Information Bulletins

1.3. Registration

2. Exam

2.1. Day

2.1.1. Saturday

2.2. Questions

2.2.1. 250 multiple-choice questions

2.3. Cost

2.4. Tests

2.4.1. Cccure.org

2.4.2. FreePracticeTests

3. CBK

3.1. Information Security and Risk Management

3.1.1. Identify and Classify Assets

3.1.1.1. CIA

3.1.1.1.1. Definition

3.1.1.1.2. Well with

3.1.1.2. AAAA

3.1.1.2.1. Authenticate

3.1.1.2.2. Authorize

3.1.1.2.3. Accounting

3.1.1.2.4. Audit

3.1.2. Manage Risk

3.1.2.1. Management Concepts

3.1.2.2. Personnel Organization

3.1.2.2.1. Best Practices

3.1.2.2.2. Roles and Responsibilities

3.1.2.2.3. Role Review

3.1.2.2.4. Training

3.1.2.3. Legislative Drivers

3.1.2.3.1. FISMA

3.1.2.3.2. NIST CS

3.1.2.3.3. OECD Guidelines

3.1.2.4. Risk Management

3.1.2.4.1. Manage and Assess

3.1.2.4.2. Controls reduce the impact

3.1.2.4.3. Types of Risk

3.1.2.4.4. Probability of a Loss

3.1.2.4.5. Quantitative Analysis

3.1.2.4.6. Qualitative Analysis

3.1.2.4.7. Information Classification

3.1.2.4.8. Applying Controls

3.1.3. Develop Security Policies

3.1.3.1. Policies, Standards, Guidelines

3.1.3.1.1. Policies

3.1.3.1.2. Standards

3.1.3.1.3. Guidelines

3.1.3.1.4. Procedures

3.1.3.2. Provide the foundation for a secure infrastructure

3.1.3.3. Created by Senior Management

3.1.3.4. Some policies are required by Law

3.1.4. Enforce Security Policies

3.2. Access Control

3.2.1. Method control refers to your method of identifying who the user is

3.2.2. Primary Controls

3.2.2.1. Administrative

3.2.2.1.1. Build Policies and procedures

3.2.2.2. Technical

3.2.2.2.1. Routers

3.2.2.2.2. Encryption

3.2.2.2.3. IDS

3.2.2.2.4. Antivirus

3.2.2.2.5. Firewalls

3.2.2.3. Physical

3.2.2.3.1. Network Segregation

3.2.2.3.2. Perimeter Security

3.2.2.3.3. Computer Controls

3.2.2.3.4. Work area separation

3.2.2.3.5. Data Backups

3.2.2.3.6. Locks on doors!

3.2.3. Operational Controls

3.2.3.1. Detective

3.2.3.2. Preventative

3.2.3.3. Deterrent

3.2.3.4. Corrective

3.2.3.5. Recovery

3.2.3.6. Compensatory

3.2.4. Access Control Models

3.2.4.1. Bell-LaPadula (Confidentiality)

3.2.4.1.1. Simple: Subject cannot read up

3.2.4.1.2. Star: Subject cannot write down

3.2.4.1.3. Strong: Subject with read and write cannot go up or down

3.2.4.2. Biba (Integrity)

3.2.4.2.1. Subject cannot read down

3.2.4.2.2. Subject cannot write up

3.2.4.3. Clark-Wilson (Integrity)

3.2.4.3.1. Subject can only access object through authorized program

3.2.4.3.2. Enforces segregation of duties by authorized subjects

3.2.4.3.3. Requires auditing

3.2.4.4. Take

3.2.4.5. Brewer & Nash

3.2.5. Types of Access Rules

3.2.5.1. Mandatory (MAC)

3.2.5.2. Discretionary (DAC)

3.2.5.3. Non-Discretionary (NDAC)

3.2.5.4. Role-based (RBAC)

3.2.5.5. Content Dependent

3.2.6. Authentication / Passwords

3.2.6.1. Verification is done by testing

3.2.6.1.1. Who you are

3.2.6.1.2. What you know

3.2.6.1.3. What you have

3.2.6.1.4. What you do

3.2.7. SSO

3.2.7.1. Kerberos

3.2.7.2. SESAME

3.2.8. Biometrics

3.2.8.1. Types

3.2.8.1.1. Fingerprint/Palm/Face

3.2.8.1.2. Retina

3.2.8.1.3. Voice

3.2.8.2. Tools

3.2.8.2.1. Finger scanner

3.2.8.2.2. Palm scanner

3.2.8.2.3. Retina and iris scanner

3.2.8.3. Issues

3.2.8.3.1. Enrollment Time

3.2.8.3.2. Throughput Time

3.2.8.3.3. Acceptability Issues

3.2.8.3.4. False Rejection Rate (FRR) - Type I error

3.2.8.3.5. False Acceptance Rate (FAR) - Type II error

3.2.8.3.6. Crossover Error Rate (CER)

3.2.9. Authorization / Accountability

3.2.9.1. Authorization

3.2.9.1.1. granted privileges

3.2.9.2. Accountability

3.2.10. Managing Access Control

3.2.10.1. Scripting

3.2.10.2. Directory services

3.2.10.3. Centralized

3.2.10.3.1. Radius

3.2.10.3.2. TACACS

3.2.10.3.3. TACACS+

3.2.10.3.4. Diameter

3.2.10.4. CHAP

3.2.10.5. Decentralized

3.2.10.5.1. Database

3.2.11. Network Security Testing

3.2.11.1. NIST Publication 800-42

3.3. Telecommunications and Network Security

3.3.1. OSI / TCP Model

3.3.1.1. OSI (Open Systems Interconnect)

3.3.1.1.1. Layer 7: Application

3.3.1.1.2. Layer 6: Presentation

3.3.1.1.3. Layer 5: Session

3.3.1.1.4. Layer 4: Transport

3.3.1.1.5. Layer 3: Network

3.3.1.1.6. Layer 2: Data Link

3.3.1.1.7. Layer 1: Physical

3.3.1.2. TCP/IP

3.3.1.2.1. Application

3.3.1.2.2. Host-to-host (Transport)

3.3.1.2.3. Internet (Network)

3.3.1.2.4. Network Interface (data/physical)

3.3.2. Media / Topologies

3.3.2.1. Typical Media

3.3.2.1.1. 10Base2

3.3.2.1.2. 10Base5

3.3.2.1.3. Coax

3.3.2.1.4. UTP/STP

3.3.2.1.5. Fiber

3.3.2.1.6. Wireless

3.3.2.2. Topologies

3.3.2.2.1. Bus

3.3.2.2.2. Ring

3.3.2.2.3. Star

3.3.2.2.4. Tree

3.3.2.2.5. Mesh

3.3.3. LAN Protocols / Standards

3.3.3.1. ARP / RARP

3.3.3.2. 802.3 (CSMA/CD)

3.3.3.2.1. Ethernet

3.3.3.3. 802.5 (Token Ring)

3.3.3.4. 802.11 (Wireless)

3.3.3.5. 802.16 (WiMax)

3.3.3.6. 802.20 (Mobile WiMax)

3.3.4. WAN Technologies

3.3.4.1. Dedicated lines

3.3.4.2. Circuit Switched

3.3.4.2.1. SDH/SONET

3.3.4.2.2. DTM

3.3.4.3. Packet Switched

3.3.4.3.1. ATM

3.3.4.3.2. Gigabit Ethernet

3.3.4.3.3. X.25

3.3.4.4. Token Ring

3.3.4.5. FDDI

3.3.5. The PBX

3.3.6. Remote Connectivity

3.3.6.1. PPP/SLIP

3.3.6.2. PPPoE

3.3.6.3. PAP/CHAP

3.3.6.4. Securing

3.3.6.4.1. IPSEC

3.3.6.4.2. VPNs

3.3.6.4.3. SSL

3.3.6.4.4. NAT

3.3.6.4.5. swIPe

3.3.7. Networking Cables

3.3.7.1. Coaxial Cable

3.3.7.2. Twisted Pair

3.3.7.3. Fiber-Optic Cable

3.3.7.3.1. Core

3.3.7.3.2. Cladding

3.3.7.3.3. Jacket

3.3.7.4. Cable Vulnerabilities

3.3.7.5. Cable failure Terms

3.3.7.5.1. Attenuation

3.3.7.5.2. Crosstalk

3.3.7.5.3. Noise

3.3.8. Networking Devices

3.3.8.1. Repeater

3.3.8.2. Bridge

3.3.8.3. Switch

3.3.8.4. Router

3.3.8.5. Proxies

3.3.8.6. Gateway

3.3.8.7. LAN Extender

3.3.8.8. Screened-Host Firewall

3.3.8.9. Dual-Homed Host Firewall

3.3.8.10. Screened-Subnet Firewall

3.3.8.11. SOCKS

3.3.9. Wireless

3.3.9.1. IEEE Standards

3.3.9.1.1. 802.11a -> 802.11n

3.3.9.1.2. 802.1x

3.3.9.1.3. 802.3af

3.3.9.1.4. 802.16 (WiMax)

3.3.9.1.5. 802.15 (Bluetooth)

3.3.9.2. Terminology

3.3.9.2.1. RADIUS

3.3.10. General Communications Vulnerabilities

3.3.10.1. Wireless exploits

3.3.10.1.1. Passive Attacks

3.3.10.1.2. Active Attacks

3.3.10.1.3. Man in the Middle Attacks

3.3.10.1.4. Jamming Attacks

3.3.10.2. Countermeasures

3.3.10.2.1. IDS / IPS

3.3.10.2.2. Honeypots

3.3.10.2.3. Response Team

3.3.10.2.4. Layered Security

3.3.10.2.5. Firewalls

3.3.10.2.6. Securing Voice

3.4. Security Architecture and Design

3.4.1. Trusted Computer Base (TCB)

3.4.1.1. Trusted Computer

3.4.1.1.1. Does what you tell it to

3.4.1.1.2. Only what you tell it to do

3.4.1.1.3. You know what it's doing

3.4.1.2. Trusted System

3.4.1.2.1. Rings of security

3.4.1.3. Reference Monitor

3.4.1.4. Security Kernel

3.4.1.4.1. Isolate processes

3.4.1.4.2. Be used on every access

3.4.1.4.3. Be small enough to be easily tested

3.4.1.5. Covert Channels

3.4.1.5.1. Covert Storage Channel

3.4.1.5.2. Covert Timing Channel

3.4.2. Computer Architecture

3.4.2.1. CPU

3.4.2.1.1. RISC

3.4.2.1.2. CISC

3.4.2.2. Memory

3.4.2.2.1. Cache

3.4.2.2.2. ROM

3.4.2.2.3. RAM

3.4.2.2.4. Flash

3.4.2.2.5. Memory Addressing

3.4.2.3. Buses

3.4.2.3.1. Serial

3.4.2.3.2. Parallel

3.4.2.4. Firmware

3.4.2.4.1. BIOS

3.4.2.4.2. Cisco IOS

3.4.2.5. Software

3.4.2.5.1. OS

3.4.2.5.2. Applications

3.4.3. Data Classification Models

3.4.3.1. Models and IT classification Frameworks

3.4.3.2. Compartmented Security Modes

3.4.3.3. Multilevel Security Mode

3.4.4. Access Control Models

3.4.4.1. Access Control

3.4.4.1.1. Identification

3.4.4.1.2. Authentication

3.4.4.1.3. Authorization

3.4.4.1.4. Terms

3.4.4.2. Databases

3.4.4.3. Access Control Techniques

3.4.5. Certification / Accreditation and Evaluation

3.4.5.1. Certification

3.4.5.2. Accreditation

3.4.5.3. Evaluation

3.4.5.3.1. TCSEC

3.4.5.3.2. ITSEC

3.4.5.3.3. TNI

3.4.5.3.4. Common Criteria

3.4.6. Compliance

3.4.6.1. ISO 17799 / BS7799

3.4.6.1.1. ISO 17799

3.4.6.1.2. BS 7799

3.4.6.2. ISO 27000 Series

3.4.6.2.1. ISO 27000

3.4.6.2.2. ISO 27001

3.4.6.2.3. ISO 27002

3.4.6.2.4. ISO 27003

3.4.6.2.5. ISO 27004

3.4.6.3. Current drivers

3.4.6.3.1. Regulation and Legislation

3.4.6.3.2. Cyberliability Insurance

3.4.6.3.3. Incident Response

3.4.6.4. Future Drivers

3.4.6.4.1. Industry Adoption and Compliance

3.4.6.4.2. Cyberterrorism

3.4.6.4.3. Information Warfare

3.4.6.4.4. Personal Privacy

3.5. Business Continuity and Disaster Recovery Planning

3.5.1. Business Continuity Planning (BCP)

3.5.1.1. Why?

3.5.1.1.1. Business Need

3.5.1.1.2. Regulatory (SoX, BASEL2, FISMA, HIPAA, etc.)

3.5.1.2. Contingency Planning

3.5.1.3. Integration BCP/CP

3.5.1.3.1. Develop the contingency planning policy statement

3.5.1.3.2. Conduct the business impact analysis (BIA)

3.5.1.3.3. Identify preventive controls

3.5.1.3.4. Develop recovery strategies

3.5.1.3.5. Develop an IT contingency plan

3.5.1.3.6. Plan testing, training, and exercises

3.5.1.3.7. Plan Maintenance

3.5.1.4. NIST's 3 Phases of Actions

3.5.1.4.1. Notification/Activation

3.5.1.4.2. Recovery

3.5.1.4.3. Reconstitution

3.5.1.5. Elements of BCP

3.5.1.5.1. Scope and plan Initiation

3.5.1.5.2. Business Impact Analysis (BIA)

3.5.1.5.3. Business Continuity Planning and Development

3.5.1.5.4. Plan approval and implementation

3.5.2. Disaster Recovery Planning (DRP)

3.5.2.1. Objectives

3.5.2.1.1. Protect the company from major computer services failure

3.5.2.1.2. Minimize the risk from delays in providing services

3.5.2.1.3. Guarantee reliability of standby systems through testing

3.5.2.1.4. Minimize decision making required by personnel during a disaster

3.5.2.2. DRP assumes BIA has been done, now focusing on steps needed to protect the business

3.5.3. Development

3.5.4. Emergency Implementation Planning

3.5.5. Types of DR Sites

3.5.5.1. Subscription Service

3.5.5.1.1. Hot Site

3.5.5.1.2. Warm Site

3.5.5.1.3. Cold Site

3.5.5.1.4. Others

3.5.5.2. Transaction Redundancy Implementation

3.5.5.2.1. Electronic Vaulting

3.5.5.2.2. Remote Journaling

3.5.5.2.3. Database Shadowing

3.5.6. Media / Methods

3.5.6.1. Backup Storage Media

3.5.6.1.1. Tape

3.5.6.1.2. Hard Disks

3.5.6.1.3. Optical Disks

3.5.6.1.4. Solid State

3.5.6.2. Backup Methods

3.5.6.2.1. Full

3.5.6.2.2. Incremental

3.5.6.2.3. Differential

3.5.6.3. RAID

3.5.6.3.1. Disk striping (RAID 0)

3.5.6.3.2. Disk mirroring (RAID 1)

3.5.6.3.3. Disk striping with parity (RAID 5)

3.5.6.3.4. Nested RAID (e.g. RAID 01 -> RAID 0 arrays combined under a global RAID 1)

3.5.6.3.5. RAB Classification

3.5.7. Testing COOP / DRP

3.5.7.1. Checklist

3.5.7.2. Structured walk through

3.5.7.3. Simulation

3.5.7.4. Parallel

3.5.7.5. Full interruption

3.5.8. Standards

3.5.8.1. BS 25999

3.5.8.2. ISO 22399

3.5.8.3. ISO 24762

3.5.8.4. ISO 27001

3.5.9. Links

3.5.9.1. thebci

3.5.9.2. disasterrecoverytemplates

3.6. Application Security

3.6.1. Goals

3.6.1.1. Software should perform its intended tasks - nothing more, nothing less

3.6.1.2. Develop software and systems in budget and on schedule

3.6.2. Open Source vs. Proprietary Code

3.6.3. A TCB depends on Trusted Software

3.6.4. Overview of programming languages

3.6.4.1. 1st generation: Machine or Binary code

3.6.4.2. 2nd generation: ASM

3.6.4.3. 3rd generation: Spoken language

3.6.4.4. Compiled / Interpreted / Hybrid

3.6.5. Principles of Programming

3.6.5.1. Modularity

3.6.5.2. Top-down design

3.6.5.3. Limited control structures

3.6.5.4. Limited scope of variables

3.6.6. Methodologies

3.6.6.1. Structured Programming

3.6.6.2. Object-Oriented Programming

3.6.6.3. Computer-Aided Software Engineering (CASE) tools

3.6.7. Good Coding Practices

3.6.7.1. Least privileges

3.6.7.2. Hiding secrets

3.6.7.3. Layered defense

3.6.7.4. Weakest link

3.6.8. Development Models

3.6.8.1. Software Engineering Models

3.6.8.1.1. Simplistic Model

3.6.8.1.2. Waterfall Model

3.6.8.1.3. Spiral Model

3.6.8.1.4. Cost Estimation Techniques

3.6.8.1.5. Rapid Application Development (RAD)

3.6.8.1.6. Cleanroom Model

3.6.8.1.7. Iterative Development Method

3.6.8.1.8. Prototyping Model

3.6.8.1.9. System Development Life Cycle (SDLC)

3.6.8.1.10. The Software Capability Maturity Model

3.6.8.1.11. IDEAL Model

3.6.9. Object Oriented Programming

3.6.9.1. Object Oriented Concepts

3.6.9.1.1. Class

3.6.9.1.2. Data Abstraction

3.6.9.1.3. Inheritance

3.6.9.1.4. Polymorphism

3.6.9.1.5. Polyinstantiation

3.6.9.2. Phases of Development for Object Oriented Orientation (OOO)

3.6.9.2.1. Object Oriented Requirements Analysis (OORA)

3.6.9.2.2. Object Oriented Analysis (OOA)

3.6.9.2.3. Domain Analysis (DA)

3.6.9.2.4. Object Oriented Design (OOD)

3.6.9.2.5. Object Oriented Programming (OOP)

3.6.10. Tools and Languages

3.6.10.1. JAVA

3.6.10.2. ActiveX

3.6.10.3. Dynamic Data Exchange (DDE)

3.6.10.4. Object Linking and Embedding (OLE)

3.6.10.5. Component Object Model (COM) & Distributed Component Object Model (DCOM)

3.6.10.6. Common Object Request Broker Architecture (CORBA)

3.6.10.7. Expert Systems

3.6.11. Databases

3.6.11.1. Types

3.6.11.1.1. File-based

3.6.11.1.2. Hierarchical

3.6.11.1.3. Network

3.6.11.1.4. Object-Oriented

3.6.11.1.5. Relational

3.6.11.2. Terms

3.6.11.2.1. Database Management System

3.6.11.2.2. Data Definition Language

3.6.11.2.3. Primary Key

3.6.11.2.4. Foreign Key

3.6.11.2.5. SELECT Command

3.6.11.2.6. Normalization

3.6.11.2.7. Bind variable

3.6.11.2.8. Data Warehouse

3.6.11.3. Database Security

3.6.11.3.1. Basics of Database Security

3.6.11.3.2. Discretionary vs Mandatory

3.6.11.3.3. Relational vs Object Oriented

3.6.12. Configuration & Management

3.6.13. Application Vulnerabilities

3.6.13.1. Malicious Mobile Code

3.6.13.2. DNS Hijacking

3.6.13.3. XSS

3.6.13.4. SQL Injection

3.6.13.5. DoS DDoS

3.6.13.6. Flooding

3.6.13.7. Virus

3.6.13.7.1. Trojan

3.6.13.7.2. Polymorphic

3.6.13.7.3. Stealth

3.6.13.7.4. Retro

3.6.13.7.5. Boot Sector

3.6.13.7.6. Macro

3.6.13.8. Worm

3.7. Cryptography

3.7.1. Classical Goals

3.7.1.1. Confidentiality

3.7.1.2. Integrity

3.7.1.3. Authentication

3.7.1.4. Nonrepudiation

3.7.2. History

3.7.3. Components

3.7.4. Symmetric-Key Cryptography

3.7.4.1. Symmetric Algorithms

3.7.4.1.1. DES

3.7.4.1.2. 3DES

3.7.4.1.3. AES

3.7.4.1.4. Serpent

3.7.4.1.5. Twofish

3.7.4.1.6. RCG

3.7.4.1.7. IDEA

3.7.4.2. DES Modes of Operation

3.7.5. Asymmetric-Key Cryptography

3.7.5.1. Asymmetric Algorithms

3.7.5.1.1. RSA

3.7.5.1.2. DH

3.7.5.1.3. DSA

3.7.5.1.4. El Gamal

3.7.5.1.5. ECC

3.7.6. Hybrid Cryptography

3.7.7. Hashing

3.7.7.1. Hash Algorithms

3.7.7.1.1. MD5

3.7.7.1.2. SHA-1

3.7.8. Public Key Infrastructure

3.7.8.1. Certificate Authority or CA

3.7.8.2. Registration Authority or RA

3.7.8.3. Certificates holders

3.7.8.4. Clients that validate digital signatures

3.7.8.5. Repositories

3.7.9. Digital Signatures

3.7.9.1. Digital Signature Standard (DSS)

3.7.9.2. Types of CA Trust

3.7.9.2.1. Hierarchical

3.7.9.2.2. Cross Certification

3.7.10. Cryptography In Use

3.7.10.1. SSH

3.7.10.2. IPSEC

3.7.10.3. SSL

3.7.10.4. SET

3.7.11. Data Privacy Concerns

3.7.12. Attacks

3.8. Physical Security

3.8.1. Roles of Physical Security

3.9. Legal, Regulations, Compliance and Investigations

3.9.1. Ethics

3.9.1.1. ISC2 Code of Ethics

3.9.1.2. Internet Architecture Board (IAB)

3.9.2. Examples of Computer Crimes

3.9.2.1. Data Diddling

3.9.2.2. Salami Attacks

3.9.2.3. Social Engineering

3.9.2.4. Dumpster Diving

3.9.3. Law

3.9.3.1. The Legal Framework

3.9.3.1.1. Three sources of laws

3.9.3.2. Investigation

3.9.3.2.1. Steps

3.9.3.2.2. Terms

3.9.3.2.3. Best Evidence

3.9.3.2.4. Forensics

3.9.3.2.5. Contracts

3.9.3.2.6. End-User Licence Agreements

3.9.3.2.7. Intellectual Property

3.9.3.2.8. Privacy

3.9.3.2.9. Accountability

3.9.3.2.10. International Laws

3.9.3.2.11. Computer Laws

3.10. Operations Security

3.10.1. Separation of Duties

3.10.1.1. Operator

3.10.1.2. Security Admin

3.10.1.3. System Admin

3.10.2. Critical Operations Controls

3.10.2.1. Resource Protection

3.10.2.2. Hardware Controls

3.10.2.3. Software Controls

3.10.2.4. Privileged Entity Controls

3.10.2.5. Change Management Control

3.10.3. Media Protection

3.10.3.1. Records Retention

3.10.3.2. Data Remanence

3.10.3.3. Due care and due diligence

3.10.3.4. Documentation

3.10.4. Auditing