1 Security Management Practices
Objective 1.01 Management Responsibilities
Objective 1.02 Risk Management
Risk Analysis
Objective 1.03 Possible Threats
Objective 1.04 Security Control Types
Objective 1.05 Calculating Risk
Quantitative Versus Qualitative Approaches
Dealing with Risk
Countermeasure Selection
Objective 1.06 Security Policies and their Supporting Counterparts
Security Policy
Standards
Baselines
Procedures
Guidelines
Objective 1.07 Roles and Responsibilities
Data Owner
Data Custodian
User
Security Auditor
Objective 1.08 Information Classification
Military Versus Commercial Classifications
Objective 1.09 Employee Management
Operational Administrative Controls
CHECKPOINT
Review Questions
Review Answers
2 Access Control
Objective 2.01 Identification and Authentication
Definitions
Three Steps to Access Control
Authentication
Biometrics
Passwords
Cognitive Password
One-Time Password
Cryptographic Keys
Passphrase
Memory Cards
Smart Cards
Authorization
Objective 2.02 Single Sign-On Technologies
Directory Services
Kerberos
SESAME
Thin Clients
Objective 2.03 Access Control Models and Techniques
DAC
MAC
RBAC
Access Control Techniques
Restricted Interfaces
Capability Table and ACLs
Content-Dependent Access Control
Other Access Techniques
Objective 2.04 Access Control Administration
Centralized Access Control Administration
RADIUS
TACACS
Diameter
Decentralized Access Control Administration
Objective 2.05 Intrusion Detection System
Network-Based and Host-Based
Signature-Based and Behavior-Based
Downfalls of IDS
Objective 2.06 Unauthorized Access Control and Attacks
Unauthorized Disclosure of Information
Emanation Security
Attack Types
Penetration Testing
CHECKPOINT
Review Questions
Review Answers
3 Security Models and Architecture
Objective 3.01 System Components
Central Processing Unit
Storage and Memory Types
Virtual Memory
Data Access Storage
Processing Instructions
Operating States
Objective 3.02 Operating System Security Mechanisms
Process Isolation
Protection Rings
Virtual Machine
Trusted Computing Base
Reference Monitor and Security Kernel
Objective 3.03 Security Models
The Different Models
State Machine Models
Bell-LaPadula Model
Biba
Clark-Wilson Model
Non-Interference Model
Access Control Matrix Model
Information Flow Model
Brewer and Nash Model
Graham-Denning and Harrison-Ruzzo-Ullman Models
Objective 3.04 Security Evaluation Criteria
Security Evaluations
Trusted Computer System Evaluation Criteria
Rainbow Series
Information Technology Security Evaluation Criteria
Common Criteria
Certification Versus Accreditation
CHECKPOINT
Review Questions
Review Answers
4 Physical Security
Objective 4.01 Controls Pertaining to Physical Security
Facility Location
Facility Construction
Computing Area
Hardware Backups
Objective 4.02 Electrical Power and Environmental Issues
UPS
Power Interference
Environmental Considerations
Ventilation
Water, Steam, and Gas
Objective 4.03 Fire Detection and Suppression
Fire Prevention
Fire Detection
Fire Types
Fire Suppression
Halon
Fire Extinguishing Issues
Water Sprinklers
Emergency Response
Objective 4.04 Perimeter Security
Lock Types
Facility Access
Entrance Protection
Fencing
Lighting
Surveillance Devices
Intrusion Detection Systems
CHECKPOINT
Review Questions
Review Answers
5 Telecommunications and Networking Security
Objective 5.01 TCP/IP Suite
Internet Protocol (IP)
Networks
Intranets and Extranets
Objective 5.02 Cabling and Data Transmission Types
Coaxial Cable
Twisted-Pair Cable
Fiber
Cable Issues
Fire Ratings
Broadband and Baseband
Signals
Asynchronous and Synchronous
Transmission Methods
Objective 5.03 LAN Technologies
Network Topologies
Media Access Technologies
Ethernet
Token Passing
Polling
Protocols
Address Resolution Protocol (ARP)
Reverse Address Resolution Protocol (RARP)
Boot Protocol
Internet Control Message Protocol (ICMP)
Other TCP/IP Protocols
Objective 5.04 Networking Devices and Services
Repeater
Bridge
Switches
VLAN
Router
Brouters
Gateway
Summary of Devices
Firewalls
Packet Filtering
Proxy Firewalls
Stateful Firewalls
Firewall Architecture
Firewall Administration
Remote Connectivity
PPP
SLIP
PAP
CHAP
EAP
VPN
PPTP
L2TP
IPSec
Network Services
DNS
NAT
Objective 5.05 Telecommunications Protocols and Devices
FDDI
SONET
Dedicated Link
CSU/DSU
S/WAN
ISDN
DSL
Cable Modems
WAN Switching
Frame Relay
X.25
ATM
Quality of Service
SMDS
SDLC
HDLC
Multiservice Access Technologies
Objective 5.06 Remote Access Methods and Technologies
Remote Access
Wireless Technology
Spread Spectrum
WAP
Access Points
SSID
OSA and SKA
Cell Phone Cloning
PBX Threats
Objective 5.07 Fault Tolerance Mechanisms
RAID
Clustering
Backing Up
CHECKPOINT
Review Questions
Review Answers
6 Cryptography
Objective 6.01 Cryptography Definitions
Definitions
Keys and Text
Keyspace
Strength of Cryptosystem
Attacks
Spy-Like Ciphers
Steganography
Objective 6.02 Cipher Types
Kerckhoff's Principle
Key Escrow
Substitution Cipher
Transposition Cipher
Block Cipher
Stream Cipher
Symmetric Cryptography
Asymmetric Cryptography
Objective 6.03 Hybrid Approach
Key Management
Data Encryption
Security Goals
Types of Symmetric Algorithms
DES
Triple-DES (3DES)
Advanced Encryption Standard (AES)
Other Symmetric Algorithms
Asymmetrical Algorithms
Diffie-Hellman Key Exchange
El Gamal
Elliptic Curve Cryptosystems (ECC)
Objective 6.04 Message Integrity and Digital Signatures
Message Integrity
One-Way Hash
Attacks on Hashing Functions
Hashing Algorithms
Message Authentication Code
Electronic Signing
DSS
Objective 6.05 Cryptography Applications
Public Key Infrastructure
Certificate Authority (CA)
Registration Authority
Certificate Revocation List (CRL)
Components of PKI
PKI Steps
One-Time Pad
Encryption at Different Layers
Objective 6.06 Cryptographic Protocols
Privacy-Enhanced Mail (PEM)
Message Security Protocol (MSP)
Pretty Good Privacy (PGP)
Internet Security
Secure Hypertext Transfer Protocol (S-HTTP)
HTTPS
Secure Sockets Layer (SSL)
S/MIME
SSH2
SET
IPSec
Other Security Technologies
Objective 6.07 Attacks
Ciphertext-Only Attack
Known-Plaintext Attack
Chosen-Plaintext Attack
Adaptive Chosen-Plaintext Attack
Chosen-Ciphertext Attack
Adaptive Chosen-Ciphertext Attack
Man-in-the-Middle Attack
Algebraic Attack
Analytic Attack
CHECKPOINT
Review Questions
Review Answers
7 Disaster Recovery and Business Continuity
Objective 7.01 Disaster Recovery versus Business Continuity
Objective 7.02 Project Initiation Phase
Objective 7.03 Business Impact Analysis
Objective 7.04 Possible Threats
Objective 7.05 Backups and Off-Site Facilities
Employees and the Working Environment
Choosing a Software Backup Storage Facility
Backup Facility Alternatives
Objective 7.06 DRP and Off-Site Facilities
Emergency Response
Recovery and Restoration
Documentation
Testing and Drills
Maintenance
Phase Breakdown
Prevention
CHECKPOINT
Review Questions
Review Answers
8 Law, Investigation, and Ethics
Objective 8.01 Ethics
(ISC)²
Computer Ethics Institute
Internet Activities Board
Objective 8.02 Hacking Methods
Characteristics of an Attacker
Problems with Prosecuting Attackers
Types of Attacks
Salami
Data Diddling
Excessive Privileges
Password Sniffing
IP Spoofing
Dumpster Diving
Wiretapping
Social Engineering
More Attack Types
Attack Categories
Phone Fraud
Objective 8.03 Organization Liabilities and Ramifications
Security Principles
Legal Liability
Privacy Issues
Privacy Act of 1974
Electronic Communications Privacy Act of 1986
Health Insurance Portability and Accountability Act (HIPAA)
Gramm Leach Bliley Act of 1999
Employee Monitoring
Transborder Information Flow
International Issues
Objective 8.04 Types of Law
Civil Law
Criminal Law
Administrative Law
Federal Policies
Computer Fraud and Abuse Act of 1986
Economic Espionage Act of 1996
Federal Sentencing Guidelines of 1991
Intellectual Property Laws
Trade Secret
Copyright
Trademark
Patent
Software Piracy
Objective 8.05 Computer Crime Investigation
Who Should Investigate?
Incident Response Plan
Incident Response Team
Incident Handling
Collecting Evidence
Search and Seizure
Forensics
Admissibility of Evidence
Evidence Types
Best Evidence
Secondary Evidence
Hearsay Evidence
Enticement and Entrapment
Trial
CHECKPOINT
Review Questions
Review Answers
9 Applications and Systems Development
Objective 9.01 Applications and Systems Development
Software Lifecycle
Software Development Models
Project Initiation
Functional Design Analysis and Planning
System Design Specifications
Software Development
Acceptance Testing/Implementation
Operations/Maintenance
Disposal
Software Development Methods
Change Control
Administrative Controls
Program Language Evolution
Objective 9.02 Object-Oriented Programming
Classes and Objects
Abstraction
Polymorphism
Polyinstantiation
Application Threats
Objective 9.03 Distributed Computing
ORB and CORBA
COM and DCOM
Enterprise Java Bean
OLE
ActiveX
Java Applets
CGI
Cookies
Objective 9.04 Databases
Relational Data Model
Data Dictionary
Database Jargon
Structured Query Language
Hierarchical Database Model
Network Database Management System
Distributed Data Model
Object-Oriented Database
Database Interface Languages
Concurrency Issues
Aggregation and Inference
Data Warehousing
Data Mining
Objective 9.05 Artificial Intelligence
Expert Systems
Artificial Neural Network
Objective 9.06 Malware
Virus
Worms
Logic Bomb
Trojan Horse
Denial of Service
DDoS
Smurf Attacks
Timing Attacks
CHECKPOINT
Review Questions
Review Answers
10 Operations Security
Objective 10.01 Operations Controls
Due Care
Administrative Control
Separation of Duties
Job Rotation
Least Privilege and Need-to-Know
Mandatory Vacations
Clipping Levels
Control Categories
Objective 10.02 Configuration Management and Media Control
Media Controls
Input/Output Data Controls
Objective 10.03 Reacting to Failures and Recovering
Trusted Recovery
Facsimile Security
Operational Responsibilities
Unusual or Unexplained Occurrences
Deviations from Standards
Unscheduled Initial Program Loads
Personnel Operators
Objective 10.04 Software Backups
Network Availability
RAID
Backups
Contingency Management
CHECKPOINT
Review Questions
Review Answers
A About the Free Online Practice Exam
Mike Meyers' Certification Passport FREE Online Practice Exam Instructions
System Requirements
Technical Support
B Career Flight Path
Career Paths in Security
Index