CISSP - PowerPoint PPT Presentation

About This Presentation
Title:

CISSP

Slides: 44
Provided by: malak1

Transcript and Presenter's Notes


1
CISSP
  • Certified Information Systems Security
    Professional

2
CISSP
  • CISSP (Certified Information Systems Security
    Professional) is granted by (ISC)², The
    International Information Systems Security
    Certification Consortium, Inc.
  • (ISC)² was founded in 1989.

3
  • (ISC)² and the CISSP are recognized by the
    following bodies and standards:
  • U.S. National Security Agency (NSA)
  • ISO/IEC Standard 17024:2003
  • U.S. Department of Defense (DoD)
  • ISO/IEC 17024:2003 specifies requirements for a
    body certifying persons against specific
    requirements, including the development and
    maintenance of a certification scheme for
    personnel.
  • The United States Department of Defense (DOD or
    DoD) is the federal department charged with
    coordinating and supervising all agencies and
    functions of the government relating directly to
    national security and the military. The
    organization and functions of the DOD are set
    forth in Title 10 of the United States Code.

5
  • (ISC)² certifications:
  • Certified Information Systems Security
    Professional (CISSP)
  • Information Systems Security Architecture
    Professional (ISSAP)
  • Information Systems Security Management
    Professional (ISSMP)
  • Information Systems Security Engineering
    Professional (ISSEP)
  • Certification and Accreditation Professional (CAP)
  • Systems Security Certified Practitioner (SSCP)

6
Certified Information Systems Security
Professional (CISSP)
7
Domains of CISSP
(1) Access Control Systems & Methodology
(2) Telecommunications & Network Security
(3) Security Management Practices
(4) Applications & Systems Development Security
(5) Cryptography
(6) Security Architecture & Models
(7) Operations Security
(8) Business Continuity Planning & DRP
(9) Laws, Investigations and Ethics
(10) Physical Security
8
Access Control Systems
Domain 1
9
Access Control Systems Methodology

10
Access Control Systems Methodology
  • Accountability
  • Access control techniques
  • Access control administration
  • Access control models
  • Identification and authentication techniques
  • Access control methodologies and implementation
  • File and data ownership and custodianship
  • Methods of attack
  • Monitoring
  • Penetration testing
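
Added example (not from the slides): the topics above fit together as one control path. The Python below, written for this page, walks a request through identification (a claimed username), authentication (a salted PBKDF2 verifier compared in constant time), authorization under a role-based access control model with default deny, and accountability (an audit trail of every decision). Users, passwords, roles and objects are constructed sample data.

```python
"""Identification, authentication, authorization (RBAC) and accountability in one
small access control system. Added example for this page; every user, password,
role and object below is constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000  # tune upward for production; kept modest so the demo is quick


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 verifier; a fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class User:
    name: str            # identification: the identity the subject claims
    salt: bytes
    verifier: bytes      # what the system stores instead of the password
    roles: Set[str]


@dataclass
class AccessControlSystem:
    # Access control model: RBAC. role -> set of (object, operation) permitted.
    role_permissions: Dict[str, Set[Tuple[str, str]]]
    users: Dict[str, User] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)   # accountability

    def add_user(self, name: str, password: str, roles: List[str]) -> None:
        salt, verifier = hash_password(password)
        self.users[name] = User(name, salt, verifier, set(roles))

    def authenticate(self, name: str, password: str) -> bool:
        """Authentication technique: something you know, verified in constant time."""
        user = self.users.get(name)
        if user is None:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            hash_password(password, b"\x00" * 16)
            self._audit(name, "login", "-", False, "unknown user")
            return False
        _, candidate = hash_password(password, user.salt)
        ok = hmac.compare_digest(candidate, user.verifier)
        self._audit(name, "login", "-", ok, "" if ok else "bad password")
        return ok

    def authorize(self, name: str, obj: str, operation: str) -> bool:
        """Authorization: default deny; any one role granting (obj, op) suffices."""
        user = self.users.get(name)
        allowed = user is not None and any(
            (obj, operation) in self.role_permissions.get(role, set())
            for role in user.roles)
        self._audit(name, operation, obj, allowed, "")
        return allowed

    def _audit(self, subject: str, action: str, obj: str, success: bool, detail: str) -> None:
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        verdict = "ALLOW" if success else "DENY"
        self.audit_log.append(
            f"{ts} subject={subject} action={action} object={obj} result={verdict} {detail}".rstrip())


def build_demo() -> AccessControlSystem:
    acs = AccessControlSystem(role_permissions={
        "analyst": {("payroll.db", "read")},
        "admin": {("payroll.db", "read"), ("payroll.db", "write"), ("firewall.cfg", "write")},
    })
    acs.add_user("alice", "correct horse battery staple", ["analyst"])
    acs.add_user("bob", "hunter2-but-longer", ["admin"])
    return acs


def demo_results() -> dict:
    """Run the constructed scenario and report each decision plus the audit count."""
    acs = build_demo()
    return {
        "alice_login_ok": acs.authenticate("alice", "correct horse battery staple"),
        "alice_login_bad": acs.authenticate("alice", "wrong"),
        "mallory_login": acs.authenticate("mallory", "anything"),
        "alice_read": acs.authorize("alice", "payroll.db", "read"),
        "alice_write": acs.authorize("alice", "payroll.db", "write"),
        "bob_write": acs.authorize("bob", "firewall.cfg", "write"),
        "denies_logged": sum("DENY" in line for line in acs.audit_log),
    }


if __name__ == "__main__":
    for case, outcome in demo_results().items():
        print(f"{case:16s} {outcome}")
```

The audit log is what turns "monitoring" and "accountability" from slide bullets into evidence: every deny, including the unknown-user and wrong-password attempts, is recorded with a subject, so a penetration test or an incident review can be traced back to the account that was used.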
11
Telecommunications Network Security
Domain 2
12
Telecommunications Network Security
  • ISO/OSI Layers and characteristics
  • Communication Network Security
  • Internet/Intranet/Extranet
  • Firewalls, Routers, Switches, Gateways, Proxies
  • Protocols, Services, Security techniques
  • E-mail Security
  • Facsimile Security
  • Secure Voice Communications
  • Security boundaries and how to translate security
    policy to control
  • Network Attacks & Countermeasures

13
Telecommunications Network Security
  • Communications network security as it relates
    to voice communications
  • Data communications in terms of local area, wide
    area, and remote access
  • Intranet/Internet/Extranet in terms of Firewalls,
    Routers, TCP/IP
  • Communications security management techniques
    in terms of preventive, detective and corrective
    measures.

14
Telecommunications Network Security
Diagram (OSI 7 Layer): LAN systems behind a
Router/FW, connected over the WAN, PSTN and
Internet to e-mail, voice and fax systems.
  • Protocols: IPSEC, SSL, PPP
  • Services: ISDN, HDSL
  • Security techniques: VPN, NAT, Monitoring
  • Attack?
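
Added example, not from the slides, for the slide-12 point about translating security policy into controls and for the Router/FW boundary in the diagram above. The Python below is written for this page (networks, hosts, ports and traffic are constructed): it turns four written policy statements into an ordered, default-deny packet filter, evaluates sample traffic against it, and adds the check a reviewer wants after every rule change, detecting a rule that an earlier rule shadows so it can never fire.

```python
"""Written security policy -> ordered default-deny filter rules, plus a shadowing
check. Added example for this page; all addresses, ports and traffic are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed policy statements and the rule each one becomes. Order matters:
#   P3 "Nothing from outside may reach the internal LAN directly."
#   P1 "Internal users may reach the Internet over HTTPS only."
#   P2 "The DMZ mail relay may receive SMTP from anywhere."
#   P4 "Anything not explicitly permitted is dropped."  (the implicit final deny)
LAN = net("10.0.0.0/24")
MAIL_RELAY = net("192.0.2.25/32")
ANY = net("0.0.0.0/0")
RULES: List[Rule] = [
    Rule("P3 deny inbound to LAN", "deny", ANY, LAN),
    Rule("P1 allow LAN to Internet HTTPS", "allow", LAN, ANY, "tcp", 443),
    Rule("P2 allow SMTP to mail relay", "allow", ANY, MAIL_RELAY, "tcp", 25),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """First matching rule wins; falling off the end is P4, the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return f"{rule.action} ({rule.name})"
    return "deny (P4 default deny)"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """A rule is shadowed when an earlier rule matches every packet it would match,
    so it never fires. The usual way a written policy silently stops being enforced."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.proto in (None, later.proto)
                    and earlier.dport in (None, later.dport)):
                findings.append(f"{later.name} is shadowed by {earlier.name}")
                break
    return findings


# Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 play "the Internet".
SAMPLE_TRAFFIC = {
    "lan_https_out": Packet("10.0.0.5", "203.0.113.10", "tcp", 443),
    "lan_http_out": Packet("10.0.0.5", "203.0.113.10", "tcp", 80),
    "inet_smtp_to_relay": Packet("198.51.100.7", "192.0.2.25", "tcp", 25),
    "inet_ssh_to_lan": Packet("198.51.100.7", "10.0.0.5", "tcp", 22),
    "inet_ssh_to_relay": Packet("198.51.100.7", "192.0.2.25", "tcp", 22),
}


def decisions() -> dict:
    return {name: evaluate(pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:20s} {verdict}")
    # A common mistake: a broad deny placed before the allow it was meant to refine.
    misordered = [Rule("deny all LAN egress", "deny", LAN, ANY)] + RULES
    print(shadowed_rules(misordered))
```

The filter is stateless, so return traffic for the allowed HTTPS session would need either a stateful firewall or an explicit reverse rule; the point of the example is the mapping from sentence to rule and the default deny that catches everything the policy did not mention.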

15
Security Management Practices
Domain 3
16
  • Security management aims to ensure the three core
    properties of information:
  • - Confidentiality
  • - Integrity
  • - Availability

19
Applications and Systems Development Security
Domain 4
20
  • Applications and systems development security
  • Types of application covered: agents, applets,
    software, databases, knowledge bases, data
    warehouses
21
  • Application Issues
  • Databases and Data Warehousing
  • Data/Information Storage
  • Knowledge-Based Systems

22
  • System Development Life Cycle
  • Security Control Architecture
  • Modes of Operation
  • Integration Levels
  • Service Level Agreement

23
  • Methods of Attack
  • Malicious Code

24
Application Systems Development Security
Source: CBK
Diagram: Client Application -- request --> Server
Application --> DB / DW, with the response flowing
back; labelled areas: Application Security, DB
Security, Application Development Process Security,
and the Attack path against them.
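
Added example (not from the slides, which name no specific attack): the Attack arrow in the diagram above most often lands where the server application builds a DB query from client input. The Python below is written for this page with a constructed SQLite schema and rows. It shows a login query assembled by string concatenation, the input that turns it into a different query, and the parameterized form in which the same input is bound as data.

```python
"""Client -> server application -> DB: the query-building step as the attack point.
Added example for this page; schema, rows and all inputs are constructed."""
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """In-memory database standing in for the DB/DW tier of the diagram."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-alice", "analyst"), ("bob", "hash-bob", "admin")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password_hash: str) -> List[Tuple[str, str]]:
    """Server application builds SQL by concatenation: a quote in the input ends
    the string literal and the rest of the input is parsed as SQL."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchall()


def login_hardened(conn: sqlite3.Connection, username: str,
                   password_hash: str) -> List[Tuple[str, str]]:
    """Parameterized statement: the driver binds the values, which are never
    parsed as SQL, so the same input is just a username that does not exist."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Constructed attacker input: closes the quoted literal and comments out the
# password check, so the WHERE clause collapses to   username = 'bob'
ATTACK_USERNAME = "bob' -- "


def demo() -> dict:
    """Legitimate login and the attack, run against both versions of the query."""
    conn = setup_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "hash-alice"),
        "legit_hardened": login_hardened(conn, "alice", "hash-alice"),
        "attack_vulnerable": login_vulnerable(conn, ATTACK_USERNAME, "anything"),
        "attack_hardened": login_hardened(conn, ATTACK_USERNAME, "anything"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:18s} -> {rows}")
```

Both functions return the same rows for a legitimate login; only the concatenated version returns the admin row for the crafted username, which is the difference between "Application Security" and "DB Security" being two separate boxes in the diagram and being one control.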
25
Cryptography
Domain 5
26
3.6 Cryptography
Source: CBK
Cryptology: the science of secret codes.
Cryptography deals with systems for transforming
data into codes (the cryptographer). Cryptanalysis
deals with techniques for illegitimately recovering
the critical data from cryptograms (the
cryptanalyst).
Diagram, private key algorithm: sender and receiver
share one secret key; clear text -> encipher ->
ciphertext -> decipher -> clear text.
Diagram, public key algorithm: the sender enciphers
with the receiver's public key; the receiver
deciphers with the receiver's private key.
PKI applications: SSL, IPSEC, HTTPS
Attack
27
Description
  • The Cryptography domain addresses the principles,
    means, and methods of securing information to
    ensure its integrity, confidentiality, and
    authenticity.
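
Added example, not from the slides: the two flows in the slide-26 diagram in runnable form. In the private-key flow sender and receiver share one secret key; in the public-key flow the sender enciphers with the receiver's public key and only the receiver's private key deciphers. The Python is written for this page and both algorithms are minimal teaching versions, not production cryptography: the symmetric cipher is a SHA-256 counter keystream with no authentication, and the public-key cipher is textbook RSA with two fixed primes and no padding. Keys and the message are constructed.

```python
"""Private-key (symmetric) and public-key (asymmetric) encipher/decipher flows.
Added example for this page. Teaching versions only: no authentication tag on the
symmetric cipher, and textbook RSA with fixed primes and no padding."""
import hashlib
import math
import secrets
from typing import Tuple

# ---- Private-key algorithm: one secret key both enciphers and deciphers ---------

def keystream(secret_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a toy keystream generator."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(secret_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encipher(secret_key: bytes, clear_text: bytes) -> bytes:
    nonce = secrets.token_bytes(16)      # a (key, nonce) pair must never be reused
    ks = keystream(secret_key, nonce, len(clear_text))
    return nonce + bytes(a ^ b for a, b in zip(clear_text, ks))


def symmetric_decipher(secret_key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    ks = keystream(secret_key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


# ---- Public-key algorithm: receiver publishes (n, e) and keeps (n, d) secret ---

def rsa_keypair(p: int, q: int, e: int = 65537) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Textbook RSA key generation from two given primes (constructed, far too small)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_encipher(public_key: Tuple[int, int], clear_text: bytes) -> int:
    n, e = public_key
    m = int.from_bytes(clear_text, "big")
    if not 0 < m < n:                    # no padding here, so the message must fit
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decipher(private_key: Tuple[int, int], ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed primes: 1e9+7 and 119*2^23+1, both prime; fine for teaching, useless for security.
RECEIVER_P, RECEIVER_Q = 1_000_000_007, 998_244_353


def demo() -> dict:
    msg = b"secret"                                   # constructed clear text
    secret_key = secrets.token_bytes(32)              # shared by sender and receiver
    sym_ct = symmetric_encipher(secret_key, msg)
    public_key, private_key = rsa_keypair(RECEIVER_P, RECEIVER_Q)
    rsa_ct = rsa_encipher(public_key, msg)            # sender uses the receiver's public key
    return {
        "symmetric_roundtrip": symmetric_decipher(secret_key, sym_ct) == msg,
        "symmetric_wrong_key": symmetric_decipher(b"\x00" * 32, sym_ct) != msg,
        "public_key_roundtrip": rsa_decipher(private_key, rsa_ct) == msg,
        # Someone holding only the public key cannot run the decipher step.
        "public_key_alone_cannot_decipher": rsa_decipher(public_key, rsa_ct) != msg,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:34s} {ok}")
```

The asymmetry in the second flow is the whole point of the diagram's two labels: the receiver's public key can be handed to every sender, while the private key never leaves the receiver. The code also shows why real systems add padding and authentication, because raw RSA rejects messages larger than the modulus and the toy stream cipher will happily decipher a modified ciphertext into garbage without noticing.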

28
Security Architectures and Models Domain
Domain 6
32
Operations Security
Domain 7
35
Business Continuity Planning
Domain 8
36
  • Recovery Strategy
  • Business Continuity Planning
  • Disaster Recovery Planning
  • Recovery Planning
  • The Recovery Team

37
  • Recovery Strategy
    - Business Unit Priorities
    - Alternatives: Cold/Warm/Hot and Mobile Sites,
      Electronic Vaulting, Processing Agreements
      (Reciprocal/Mutual)
  • Recovery Plan Development
    - Personnel Notification
    - Emergency Response
    - Backups and Off-site Storage
    - Communications
    - Utilities
    - Logistics and Supplies
    - Fire and Water Protection
    - Documentation
  • Implementation
  • Testing/Maintenance

38
  • Disaster Recovery Planning
  • Recovery Plan Development
    - Emergency Response
    - Personnel Notification
    - Backups and Off-site Storage
    - Communications
    - Utilities
    - Logistics and Supplies
    - Fire and Water Protection
    - Documentation
  • Implementation
  • Recovery Techniques
  • Training/Testing/Maintenance
  • Restoration
    - Cleaning
    - Procurement
    - Data Recovery
    - Relocation to Primary Site

39
Law, Investigation and Ethics
Domain 9
40
Law, Investigations & Ethics
Source: CBK
  • The Law, Investigations, and Ethics domain
    addresses computer crime laws and regulations;
    the investigative measures and techniques which
    can be used to determine if a crime has been
    committed; methods to gather evidence if it has;
    as well as the ethical issues and code of conduct
    for the security professional.
  • Laws
  • Major categories and types of laws
  • Investigations
  • Major categories of computer crimes
  • Incident handling
  • Ethics

Source: CISSP Study Guide, ISC2
41
Physical security
Domain 10
42
3.11 Physical security
Source: CBK
  • The Physical security domain addresses the
    threats, vulnerabilities, and countermeasures
    that can be utilized to physically protect an
    enterprise's resources and sensitive information.
    These resources include people, the facility in
    which they work, and the data, equipment, support
    systems, media, and supplies they utilize.
  • Facility Requirements
  • Technical Controls
  • Environment/Life Safety
  • Physical security threats
  • Elements of physical security

Source: CISSP Study Guide, ISC2
43
3.11 Physical security
Source: CBK
  • Environmental/Life safety: power, water leakage,
    fire detection, natural disaster
  • Facility: restricted area, visitor control,
    fence, security guard, CCTV, alarm/detector
  • Technical controls: smart/dumb card, audit
    trail, intrusion detection, biometric control
  • Physical security threats: fire, smoke, water,
    explosion, storm
  • (Diagram: these four groups surround the
    protected Resource)
Source: CISSP Study Guide, ISC2