This course is provided by Wintrac. Wintrac provides one stop shopping for all your IT
training needs. Wintrac’s course catalog of over two thousand courses includes courses on Security Training
Overview
The CISSP/CISSO is a premier security certification and one of the most difficult certifications to achieve, making training an important part of exam preparation. This 5-day course is designed to ensure a solid understanding of the popular 10 Security Domains areas of the Common Body of Knowledge (CBK). Students will learn about security policy development, secure software development procedures, network vulnerabilities, attack types and corresponding countermeasures, cryptography concepts and their uses, disaster recovery plans and procedures, risk analysis, crucial laws and regulations, forensics basics, computer crime investigation procedures, and physical security. Mile2's “in-depth” course focuses on the preparation of passing both mile2's CISSO and ISC2's CISSP exam. Upon completion, the student will be fully prepared to take and successfully pass the CISSP/CISSO exam.
Audience:
Individuals interested in pursuing the CISSP/CISSO examination.
Prerequisites
(ISC)2 requires exam candidates to have a minimum of five years of relevant work experience in two or more of the ten domains, four years of work experience with an applicable college degree, or a credential from the (ISC)2-approved list.
Course duration
5 days
Course outline
Building a Successful Security Infrastructure
- Defending a Changing Business
- Responsible Roles for Security
- The Security Domains
- Security Infrastructure
- Security Challenges
- The Evolution
- Access Control
- Cryptography
- Physical Security
- Security Architecture
- Business Continuity Planning and Risk Management
- Telecommunications and Network Security
- Application and System Development
- Operations Security
- Law, Investigation and Ethics
- Security Services
- Security Strategies
- Policy Compliance
- Security Model
- Top 10 Security Strategies
- 4APIN
- D-PAST
- SHANK
- Security Stoplight Chart
Information Security and Risk Management
- Components of the CBK
- CBK Key Concepts
- Confidentiality
- Integrity
- Availability
- A.A.D. – Disclosure, Alteration and Destruction
- Authorization, Identification, authentication, Accountability and Privacy
- Due Care, Due Diligence, Separation of Duties and Rotation of Duties
- Baselines, Procedures, and Safeguards
- Relationships Between Different Security Components
- Risk Analysis and Assessment
- Risk Management, Threat, Exposure, Vulnerability and Risk Mitigation
- Information Asset, Qualitative, Quantitative, Risk Analysis and Risk Assessment
- Resistance to Risk Management
- Risk Management Steps
- Value of Information Assets
- Risk Management Tools
- Risk Analysis and Assessment
- Threats, Vulnerabilities and Risks
- Risk Management Metrics
- EF, SLE, ARO, and ALE
- Single Loss Expectance (SLE)
- Annualized Rate of Occurrence (ARO)
- Annualized Loss Expectancy (ALE)
- Safeguard Cost Analysis
- Information Classification
- Data Classification
- Objectives of Classification Scheme
- Criteria by Which Data is Classified
- Commercial Data Classification
- Government Data Classification
- Roles and Responsibilities
- Senior Management
- Security Management
- Organizational Position
- Policies, Procedures, Standards, Baselines and Guidelines
- Written Guidance
- Policies and Standards – Policy Elements and Policy Creation Guidelines
- Management Responsibilities and Policy Enforcement
- Standards
- Procedures
- Guidelines
- Employment Policies
- Hiring Practices
- Background Check
- Termination Policies
- Job Descriptions
- Employee Education Programs
- Security Awareness
- Training
- Knowledge of a Threat
- Change Management
- Change Control
- Total Quality Management
- ISO-9000
- Best Management Practices
Access Control
- General Concepts
- Pillars of Information Assurance
- Controls
- Data Ownership
- Identification
- Authentication
- Access Control
- Access Control Principles
- Access Control Types
- Access Control Categories
- Access Control Techniques
- Discretionary Access Control
- Mandatory Access Control
- Role Based Access Control
- Lattice Based Access Control
- Rule Based Access Control
- Access Control Lists
- Access Control Models
- State Machine Model
- Bell-Lapadula Model
- Criticisms of the Bell-Lapadula Model
- Bida Model
- Clark and Wilson Model
- Non-Interference Model
- Access Matrix Model
- Information Flow Model
- Authentication Methods
- Password
- Password Attacks
- Problems with Passwords
- Pass Phrase
- One-Time Password
- Token Devices
- One-Time Password Attacks
- Smart Card
- Smart Card Issues
- Order of Effectiveness
- Order of Acceptance
- Issues with Characteristics Based Authentication
- Multi-Factor Authentication
- Access Control Systems
- Single Sign On
- Kerberos
- Sesame
- Access Administration
- Centralized
- Decentralized
- Hybrid
- Radius
- Object Reuse Issues
- Monitoring
- Accountability
- Intrusion Detection Systems
- Attack Signatures
- Anomaly Identification
- Intrusion Response
- Databases
- Database Monitoring
- Best Practices
Cryptography
- Defining Cryptography
- How Does it Work?
- Defining Algorithms
- What are Keys?
- Crypto Terms
- One-Time Pad
- Cryptanalysis Terms
- Services Provided by Cryptography
- Symmetric Encryption
- Block and Stream Ciphers
- Common Algorithms for Symmetric Keys
- AES – Blowfish
- Symmetric Encryption Strengths and Weaknesses
- What is a Hash Function?
- Rainbow Crack
- Common Hash Algorithms
- Asymmetric Encryption
- Digital Signatures
- Asymmetric Encryption Strengths and Weaknesses
- Hybrid Encryption
- Hybrid Decryption
- PKI
- X.509 Certificate
- The TCP-IP Stack
- IPSEC Protocols
- SSL
- SSH
- PGP
- Cracking Techniques
- Hackability of Wireless
- Sniffling, snooping and Eavesdropping
Physical Security
- What Does Physical Security Include?
- Environmental Protection
- External Threats
- Liability Concerns
- Program Goals
- Risks and Countermeasures
- Physical Security Program
- Crime Prevention
- Site Design and Configuration Considerations
- Boundary Protection
- Data Center Controls
- Computing Facility Requirements – Walls and Doors
- Windows/Opening and Computer and Equipment Room
- Electrical Power
- Preventative Steps
- Dedicated Circuits, Controlled Access
- Backup Power
- Air Conditioning
- Humidity Controls, Air Quality and Water Protection
- Positive Pressurization
- Fire Prevention
- Fire Suppression
- Fire Extinguishing Systems
- Fire Classes and Combustibles
- Carbon Dioxide
- Halon
- Secure Storage Areas
- Media Protection
- Protecting Wiring
- Personnel Access Control
- Locks
- Tokens
- Types of Access Cards
- Biometrics
- Distributed Processing – Threats
- Office Area Controls
Security Architecture and Design
- Computer Organization
- Abstract Levels of Modern Computer Systems
- Computer Hardware
- CPU Models and Protection Rings
- Computer Hardware
- Computer Software
- Memory Management
- System Recovery
- Single Processor System
- Multi-Processor System
- Types of Data Storage
- Information Security Architecture
- Execution Domain, Least Privilege
- Protections Mechanisms, Process Isolation and Resource Access Control
- Process Isolation
- Open and Closed Systems
- Access Control Techniques
- Access Controls
- Architectural Foundation
- Modes of Operation
- Information Security Structures
- Certification and Accreditation
- ITSEC Standard
- TCSEC Standard
- Common Criteria
- Criteria Comparison
- Bell Lapadula
- Bida
- Security Models
- Clark and Wilson
- Common Flaws
- Covert Channels
Business Continuity and Disaster Recovery Planning
- Who is Really Ready?
- The DRBCP Basics
- Reasons for BCP
- BCP Components
- BCP Key Concepts
- BCP Definitions
- The Business Continuity Lifecycle
- NIST SP800-34
- BCP Phases
- Phase 1 – Project Initiation
- BIA Steps
- BIA
- Define Threats
- Categorize Events
- Maximum Tolerable Downtime
- Recovery Cost Balancing
- Recovery Strategies
- Electronic Vaulting
- Alternate Sites
- Off-Site Storage
- Alternate Site Planning
- Data Redundancy
- Raid
- Raid Levels
- System Backups
- Plan Development
- Types of Testing
- Stages of an Incident
- Integrating Security
Telecommunications and Network Security
- OSI Standards Development
- The Seven Layers
- Model Data Flow
- OSI vs. TCP/IP Mapping
- Application Layer
- Presentation Layer
- Session Layer
- Transport Layer
- TCP and UDP
- TCP Three Way Handshake
- Network Layer Protocols
- Network Layer
- IP Packets
- ARP and ARP Poisoning
- ICMP
- Data Link Layer
- Physical Layer
- LAN Topologies
- Star Topology
- Bus Topology
- Tree Topology
- Ring Topology
- LAN Access Methods
- LAN Signaling Methods
- LAN Types
- Ethernet
- Token Ring
- Fiber Distributed Data Interface
- Wireless Networks
- WEP and TKIP
- WAP
- WTLS
- LAN Physical Media Characteristics
- VLAN
- VPN and MAN
- WAN and VAN
- Network Switching
- X.25
- Frame Relay
- PVC, SVC, and CIR
- ISDN
- High Speed Serial and ATM
- Access Technologies
- Internet Protocol
- IPV4 and IPV6
- Internet, Intranet and Extranet
- Firewall Terms
- NAT
- APIPA
- Packet Filtering
- Application Filtering
- Stateful Inspection
- Proxies
- IDS
- Web Security
- Common Attacks
- Spoofing
- DOS
- Sniffing
- Session Hijacking
- IP Fragmentation
- IDS Attacks
- SYN Floods
- DNS Poisoning
- Telecom/Remote Access Security
- Telecommunications Security
- Remote Access Security
- VPN
- IETF Security Architecture
- IPSEC Protocols
- Security Association
- Email Security
- Personal Email Encryption
Applications and Systems Development
- General Security Principles
- Problems
- Databases and Data Warehousing
- Relational Database
- Relational Database Controls
- Query Language
- Object-Oriented Database
- DAC Object-Oriented Models
- MAC Object-Oriented Models
- Object-Oriented Issues
- Programming/Data Attacks
- Applications Beyond the Database
- Definitions
- Application System Development
- Controls
- Compiled vs. Interpreted
- Vulnerabilities
- Vulnerability Definition
- The Evolving Threat
- Exploit Timeline
- Potential Vulnerabilities
- Zombie
- Botnet
- Vulnerability Assessment
- Vulnerability Identification
- National Vulnerability Database
- Nessus
Operations Security
- Controls and Protections
- Categories of Controls
- Accountability
- Separation of Duties
- Trusted Recovery
- Configuration/Change Management Control
- Administrative Controls
- Least Privilege
- Due Care and Due Diligence
- Resource Protection
- Hardware Controls
- Software Controls
- Email Security
- Fax Security
- Privileged Entity Controls
- Media Security Controls
- Physical Access Controls
- Security Auditing
- Monitoring Techniques
- Audit Trails
- Event/Log Management
- Problem Management Concepts
- Threats and Vulnerabilities
- Controls Summary
- Defense In Depth
Legal, Regulations, Compliance and Investigations
- The Building Blocks of Information Security
- Ethics
- Code of Ethics
- Computer Ethics Institute
- Guidance Organization
- Laws and Legal System
- Types of Laws
- Civil Laws
- Administrative/Regulatory Concepts
- Intellectual Property Definitions
- Proprietary Rights and Obligations
- Protection for Computer Objects
- Computer Security, Privacy and Crime Laws – US
- Computer Security, Privacy and Crime Laws – Canada
- EU Privacy Principles
- Privacy Regulations
- Electronic Monitoring
- Liability
- Computer Crime Investigation
- Looking for Criminals
- Hackers Profiles
- Computer Crime
- Computer Crime Laws
- Civil Law
- International Laws
- Computer Investigation
- CI Issues
- Investigation Steps
- Computer Forensics
- Computer Forensics – Canada Law
- Evidence Admissibility
- Rules Evidence
- Exceptions to the Hearsay Rule
|
