CISSP All-in-One (Chinese), part 4
CISSP Common Body of Knowledge Study Guide (Chinese edition)
Characteristic-based (biometrics, behavioural)
Tokens, tickets, one-time passwords
Token-based (smart cards, key fobs); administration; single sign-on (SSO); access control methodologies and implementation; centralized/remote authentication access control
RADIUS
TACACS; decentralized access control
[...] standards, procedures and guidelines: their development, documentation and implementation. Management tools (such as data classification, risk assessment and risk analysis) are used to identify threats, classify assets and rate vulnerabilities so that effective security controls can be implemented.
Risk management is the identification, measurement, control and minimization of uncertain events and risk-related losses. It includes overall security review and risk analysis; the selection and evaluation of safeguards; cost/benefit analysis; management decisions; safeguard implementation; and effectiveness review.
Key knowledge areas:
Accountability
Access control techniques: discretionary access control (DAC), mandatory access control (MAC), lattice-based access control, rule-based access control, role-based access control (RBAC), access control lists (ACLs)
Access control administration: account management; monitoring of accounts, logs and journals; access rights and permissions (establishment/authorization); file and data owners, custodians and users; principle of least privilege; segregation of duties and responsibilities; maintenance; revocation
Access control models
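The access control techniques listed above (DAC, MAC, lattice-based access control, RBAC, ACLs, least privilege, separation of duties) are easier to tell apart when each is reduced to a small policy engine. The following is an added example written for this page, not code from the study guide. The levels, categories, users, roles and objects are constructed sample values, and the read/write rules used for MAC are the Bell-LaPadula confidentiality rules (no read up, no write down), the usual formal model behind a MAC lattice.

```python
"""DAC, lattice-based MAC and RBAC as small policy engines (added example, not from the page).

MAC labels are (level, categories); access is decided by the lattice's dominance
relation using the Bell-LaPadula rules: no read up, no write down.
DAC keeps an ACL per object that only its owner may change.
RBAC hangs permissions off roles and enforces static separation of duties.
All levels, categories, users, roles and objects are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set

# ----- lattice-based MAC -----
LEVEL_ORDER = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()  # need-to-know compartments

    def __post_init__(self) -> None:
        if self.level not in LEVEL_ORDER:
            raise ValueError(f"unknown level {self.level!r}")


def dominates(a: Label, b: Label) -> bool:
    """a dominates b iff a.level >= b.level and a.categories is a superset of b.categories.
    Labels with disjoint categories are incomparable: neither dominates the other."""
    return LEVEL_ORDER[a.level] >= LEVEL_ORDER[b.level] and a.categories >= b.categories


def mac_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only what you dominate (no read up)."""
    return dominates(subject, obj)


def mac_can_write(subject: Label, obj: Label) -> bool:
    """*-property: write only to what dominates you (no write down)."""
    return dominates(obj, subject)


# ----- DAC -----
class DacObject:
    """Owner-controlled ACL. 'own' is a right like any other, so only owners can grant."""

    def __init__(self, owner: str) -> None:
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write", "own"}}

    def grant(self, granter: str, grantee: str, rights: Iterable[str]) -> None:
        if not self.allowed(granter, "own"):
            raise PermissionError(f"{granter} does not own this object")
        self.acl.setdefault(grantee, set()).update(rights)

    def allowed(self, subject: str, right: str) -> bool:
        return right in self.acl.get(subject, set())


# ----- RBAC with static separation of duties -----
class Rbac:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}
        self.exclusive: Set[FrozenSet[str]] = set()  # role pairs one user may never hold together

    def add_role(self, role: str, perms: Iterable[str]) -> None:
        self.role_perms[role] = set(perms)

    def mutually_exclusive(self, r1: str, r2: str) -> None:
        self.exclusive.add(frozenset((r1, r2)))

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(role)
        for held in self.user_roles.get(user, set()):
            if frozenset((held, role)) in self.exclusive:
                raise ValueError(f"SoD violation: {user} holds {held}, cannot also hold {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions(self, user: str) -> Set[str]:
        """Least privilege: exactly the union of the user's roles' permissions, nothing else."""
        return set().union(*(self.role_perms[r] for r in self.user_roles.get(user, set())))

    def can(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)


if __name__ == "__main__":
    nuke = Label("secret", frozenset({"nuclear"}))
    print("secret/nuclear can read confidential:", mac_can_read(nuke, Label("confidential")))
    print("secret/nuclear can write confidential:", mac_can_write(nuke, Label("confidential")))
    doc = DacObject("alice")
    doc.grant("alice", "bob", ["read"])
    print("bob may write alice's doc:", doc.allowed("bob", "write"))
    r = Rbac()
    r.add_role("payments_clerk", ["create_payment"])
    r.add_role("payments_approver", ["approve_payment"])
    r.mutually_exclusive("payments_clerk", "payments_approver")
    r.assign("dave", "payments_clerk")
    print("dave may approve:", r.can("dave", "approve_payment"))
```

The point worth noticing is in the MAC half: a subject cleared "secret" for the "nuclear" compartment cannot read a "secret/crypto" document even though the level matches, because the two labels are incomparable in the lattice; and that same subject cannot write into a "confidential" document, because a write down would let secret data leak. In the DAC half the check is purely who is on the ACL, which is why DAC is vulnerable to an owner (or a Trojan running as the owner) handing rights to anyone.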
CISSP Certification Handbook, 2011 edition
CISSP Certification Handbook. Author: 剑胆琴心. 2011 updated edition. 1. About the CISSP certification. CISSP (Certified Information Systems Security Professional) is a credential that reflects the competence of information systems security practitioners. It attests that the holder has information security knowledge and experience meeting international standards, and it is now widely recognized around the world; for people working in information security it opens new opportunities and makes it easier to raise their professional standing.
The CISSP exam is organized and administered by (ISC)². Candidates must adhere to the CISSP Code of Ethics and must have at least three years of direct work experience in one or more of the ten domains of the CISSP Common Body of Knowledge (CBK).
(ISC)² reports that, as of August 2010, 472 people in mainland China held the CISSP. Reference: /read.php?tid-9100.html. 2. About (ISC)², the certifying body. (ISC)² is one of the leading certification bodies in information security. Founded in 1989, it has by now certified more than 50,000 security professionals in over 120 countries.
(ISC)² currently offers six certifications: SSCP (Systems Security Certified Practitioner); CAP (Certification and Accreditation Professional); CISSP (Certified Information Systems Security Professional); CISSP-ISSAP (Information Systems Security Architecture Professional); CISSP-ISSMP (Information Systems Security Management Professional); CISSP-ISSEP (Information Systems Security Engineering Professional). (ISC)² also provides information security education and consulting services to the public.
CISSP exam preparation explained in Chinese (very detailed Chinese prep material)
Doing practice questions while reviewing for the CISSP is necessary, but the exam's questions are quite flexible, and a candidate who hopes to pass by guessing or cramming likely questions will probably just fail. J0ker's advice is that the CISSP ultimately tests a candidate's ability and experience, so, if you can, build a lab environment and practise the material you have not mastered or never get to touch at work; the Telecommunications and Network Security and Operations Security CBKs, for example, can both be tried out on your own. Beyond that, pick one or two question banks and use them now and then to check how your review is going; record the questions you get wrong and go back over the CBK content they cover.
CISSP prep materials explained in Chinese
Contents
1. Review process and resources
2. Reviewing information security management
3. Reviewing information security management
4. Reviewing information security management
5. Reviewing information security management
6. Introduction to security awareness education
7. Security architecture and design
8. Security architecture and design: security models
9. System architecture and design: protection mechanisms
10. System architecture and design: security standards
11. Reviewing access control (1)
12. Reviewing access control (2)
13. Network threat types in detail
14. Security threat countermeasures in detail
CISSP: a very comprehensive introduction
First: a brief introduction to the CISSP. Editor's preface: engineers in networking circles all know Cisco's CCIE certification.
If someone says they have never heard of the CCIE, it is as if they were saying they are an alien.
Likewise, the information security community has its own authoritative international certification: the CISSP, "Certified Information Systems Security Professional".
On the intent behind "How to become a CISSP": the author, J0ker, is a security expert who has been in the field for many years, and he has compiled his own experience of pursuing the CISSP into the article series "The Road to CISSP". In J0ker's words, the main purpose of publishing it is to share his experience with readers, and at the same time to commemorate some of what he has been through since entering the profession.
J0ker writes concisely. He has published many articles on the security channel before, and he now hosts the channel's weekly information security news review column. I think the "Road to CISSP" series is also another way for J0ker to push himself.
"The Road to CISSP" will consist of 15 to 20 articles.
It introduces CISSP-related knowledge, the certification preparation process and lessons learned in detail; J0ker will also give a brief introduction to the components of information security from the CISSP point of view.
We hope "The Road to CISSP" will be helpful to everyone.
Finally, to quote something J0ker often says: your support is what keeps me moving forward :) Main text: as the first article in "The Road to CISSP", J0ker intends to briefly introduce the background of the CISSP, starting with the body that issues it, (ISC)². (ISC)² is one of the leading certification bodies in information security. Founded in 1989, it has by now certified more than 50,000 security professionals in over 120 countries.
(ISC)² currently offers six certifications: SSCP (Systems Security Certified Practitioner); CAP (Certification and Accreditation Professional); CISSP (Certified Information Systems Security Professional); and the CISSP's advanced versions, CISSP-ISSAP (Information Systems Security Architecture Professional), CISSP-ISSMP (Information Systems Security Management Professional) and CISSP-ISSEP (Information Systems Security Engineering Professional). (ISC)² also provides information security education and consulting services to the public.
CISSP All-in-One vocabulary list
speculation (n.) conjecture; interpret (v.) explain, translate orally; mitigation (n.) alleviation; methodology (n.); synthesize (v.) combine; surveillance (n.) monitoring; iris (n.) the eye's iris, also a camera diaphragm or aperture; innocent (adj.) naive, blameless; prerequisite (n./adj.) precondition, required beforehand; subsequent (adj.) later, following; preventive (adj.); stability (n.); after-the-fact; cost of quality; deviation (n.) departure; deviate (v.) depart from; facilitate (v.) make easier; specialist (n.) expert; coach (n./v.) instructor, to train; rigid (adj.) stiff, strict; senior (adj.); approve (v.) agree with, ratify; interpersonal (adj.); subordinate (adj./n./v.) secondary, an underling, to subject; briefing (n.); memorandum (n.); periodically (adv.) at regular intervals; overlap (v.); enforcement (n.) compulsory execution; appraisal (n.) evaluation; sensitivity (n.); criteria (n.) standards; presentation; convince; sophisticate; tailored (adj.) custom-fitted; residual risk: the risk that remains after controls are applied; potential (adj./n.) possible, latent capacity; encroachment (n.) intrusion; collusion (n.) conspiracy; contingency (n.) chance event, unforeseen incident; vague (adj.) unclear; proprietary (n./adj.) owner, privately owned; consortia (n.) associations, syndicates; auspice (n.) omen; de facto standard: a standard in fact, by adoption; de jure standard: a standard in law, by formal ratification; rationale (n.) underlying principle; consensus (n.) general agreement; scenario (n.) hypothetical situation; comparison (n.); expectancy (n.) expectation; catastrophic (adj.) disastrous; actual (adj.) real, current; undesirable (adj.); monetary (adj.); prudent (adj.) cautious; prioritization (n.) ordering by priority; reputation (n.); inventory (n.) stock list; riot (n./v.) disturbance, to run wild; disruption (n.) breaking apart, interruption; disgruntled (adj.) dissatisfied; sabotage (n./v.) deliberate destruction, work slowdown; equipment (n.); adequate (adj.) sufficient; labeling (n./v.) tagging, classifying; accreditation (n.) formal approval, certification of fitness; spectrum (n.); tolerate (v.) put up with; intrinsic (adj.) inherent; acquisition (n.) obtaining, something obtained; issue-specific; absolute assurance; improper (adj.); custodian (n.) caretaker; predictable (adj.); premise (n./v.) assumption, to presuppose; hierarchical (adj.) ranked in levels; omission (n.) leaving out; ascertain (v.) determine; morale-boosting; slogan (n.); exhort (v.) urge; accredit (v.) authorize, attribute; constraint (n.) restriction; competitive position; (headword missing) (adj.) error-prone; mandatory (adj.) compulsory; sufficient (adj.); penalty (n.) punishment; tangible (adj.) concrete; intangible (adj.) not physical; procurement (n.) acquisition; periodic (adj.); flux (n./v.) change, to flow; redesign (v./n.); foster (v./n.) nurture, encourage.
disseminate (v.) spread; realistic (adj.); tactical (adj.); summary (n.); revenue (n.) income; align (v.) line up, ally; empowerment (n.) authorization; perpetuate (v.) make permanent; sensitivity (n.); renegotiate (v.); proximity (n.) closeness; impede (v.) obstruct; magnetic (adj.); granularity (n.) fineness of division; compulsory (adj.); mandatory (adj.); modular (adj.); vague (adj.); spell out: state clearly; negligence (n.) carelessness; diligence (n.); ramification (n.) consequence, branch; pornographic (adj.); gauge (n./v.) measuring standard, to measure; sophisticate (n./v.) worldly person; to adulterate, to complicate; hiring (n./v.) employing, renting; holistic (adj.) treating the whole; espionage (n.) spying; collusion (n.) conspiracy; caliber (n.) bore, ability; nondisclosure agreement: confidentiality agreement; job rotation; vengeful (adj.); lash out (v.) strike out; tangible (adj.); explicit (adj.) clear, direct; liaison (n.) contact, coordination; sabotage (n./v.); stifle (v.) suppress, smother; intangible (adj.); intangible asset; regulatory (adj.); violation (n.) breach; incentive (n./adj.) motive; custodian (n.); verbatim (adj.) word for word; be doable: feasible; enforceable (adj.); phase in (v.) introduce gradually; humidity (n.); terrorist (n.); circumstance (n.); environmental (adj.); circumvent (v.) go around, outwit; tornado (n.); avalanche (n./v.); liquid leakage; ego (n.); violation (n.); rebellion (n.) revolt; magnitude (n.) size, order of; questionnaire (n.); blackmail (n./v.) extortion; alteration (n.) change; fraudulent (adj.) deceptive; bribery (n.); revenge (n./v.); espionage (n.); curiosity (n.); disgruntle (v.) displease; negligent (adj.) careless; falsify (v.) forge; herein (adv.); statutory (adj.) by statute; ballot (n./v.) vote; custody (n.) guardianship, the act or right of guarding, especially as granted by a court; warrant (n./v.) authorization granted to someone; to authorize; allegation (n.) assertion, accusation; substantiate (v.) prove; revision (n.); participate (v.); criteria (n. pl.) standards; observation (n.) observing, [pl.] observed data or reports.
critical (adj.) evaluative, crucial; sensitive (adj.); criticality (n.) degree of danger; sensitivity (n.); restrain (v.) hold back; journal (n.) daily record, log; revocation (n.) withdrawal; revoke (v.) withdraw, annul; encompass (v.) surround, include; facsimile (n.) copy, fax; eavesdrop (v.) listen in secretly; jargon (n.); volatile (adj.) evaporating, changeable, unstable; sequential (adj.) in order; hoax (n./v.) deceive; phreak: to abuse telephone lines; cram (v.) stuff; disguise (n./v.); algorithm (n.); hierarchical (adj.); hierarchy (n.); electro-magnetic; retention: keeping; due care; due diligence; pornography (n.); harassment (n.); espionage (n.); breach (n./v.) violation, gap, to break through; partial (adj.) incomplete, biased; vaulting (n.) vault roof; electronic vaulting; reciprocal (adj./n.) mutual, inverse; logistics (n.); vital (adj.) essential; appropriate (adj.); mitigation (n.); spill (n./v.) overflow; dilemmas (n.); forensics (n.) the art of debate (and, in security, evidence analysis); privacy (n.); confiscate (v.) seize; liability (n.) legal responsibility, debt (as opposed to assets); interrogation (n.) questioning; escort (n./v.); mantrap (n.) a trap for intruders (in physical security, a double-door vestibule); turnstile (n.); volcano (n.); sabotage; vandal (n.); vandalism (n.) wanton destruction; toxic (adj.); suppression (n.); tempest (n./v.) storm, uproar (also TEMPEST, emanation security); propagate (v.) spread; ignition (n.); succinct (adj.) concise; badge (n.); crux (n.) the critical point; nomenclature (n.) terminology; kerberize; surveillance (n.); ultimate (adj./n.) final; anonymity (n.); affiliation (n.) association; emanation (n.) emission; remanence (n.) residue, residual trace (the original notes misspell it "remnance"); degauss (v.) demagnetize; reveal (v.); buddy (n.); Lucifer (n.) the devil (also the IBM cipher that preceded DES); Rijndael; inrush current (n.); trap door (n.); preset (v./n.); gossip (n.); inconsistent (adj.); veracity (n.) truthfulness, accuracy; triad (n.) group of three; tamper (v./n.) meddle, alter improperly; ness (n.) headland; arithmetic (n.); ciphony (n.) cipher telephony.
crypto-, cipher- (prefixes: secret writing); cipher (n./v.); clipper chip; encipher (v.) encode; elliptic curve cryptosystem (ECC); systematically (adv.); computationally infeasible; symmetric (adj.); asymmetric (adj.); repudiation: denial; steganography: hidden writing (the original notes' gloss, "information and archives", is wrong); alphabet (n.); monoalphabetic: single-alphabet substitution; polyalphabetic: multiple-alphabet substitution; substitution (n.); transposition (n.) rearrangement; scytale; enigma (n.) riddle (also the Enigma machine); permutation (n.) rearrangement; scramble (n./v.) mix up; concealment (n.); escrow (n.) deposit with a third party under conditions; diffusion (n.); confusion (n.); logarithm (n.); synonymous (adj.); permutation; large prime number; finite field; curves; susceptible (adj./n.) vulnerable, easily affected; infeasible (adj.); arbitrary (adj.); conventional (adj.); repository (n.) storehouse; participate (v.); tuple: a database row; attribute (n.) a database column holding one piece of information about an entity; schema (n.); semantic (adj.); metadata; poly-: many; instantiation (n.); anomaly (n.) irregularity; aggregation (n.) collecting into a whole; inference (n.) deduction, conclusion; axiom (n.); reference (n.); abductive; deductive; explicitly (adv.); cell suppression; partition (n./v.) division; noise and perturbation (n.) disturbance; accumulate (v.); portray (v.); distractible (adj.); scavenge (v.) pick through waste; experience (n./v.); autonomous (adj.); postmortem (adj./n.) after death; autopsy; miscellaneous (adj.); nomenclature (n.); slack (n./adj./adv./v.) looseness, idle time, lax; obligation (n.); egocentric (adj./n.); ideological (adj.); psychotic (adj./n.); preliminary (adj.); forensic (adj./n.) of the courts; obfuscate (v.) make obscure; dynamic (adj.); polymorphic (adj.) many-formed; permeability (n.); devastate (v.); infrastructure (n.); collateral (adj.) indirect; propagate (v.); saturation (n.).
reconnaissance (n.) scouting; mitigate (v.); asynchronous (adj.); blackout; deception (n.); jam; perpetrator (n.) offender; conjunction; radiation; acronym (n.); spurious (adj.) false, forged; emanation (n.); clearance (n.) official certification of trustworthiness; dedicate (v.) devote exclusively; dictate (v./n.) command, prescribe; indicate (v.); clipping level; rotation; kick off; bogus (adj.) fake; deviation (n.); recalibrate; facsimile (n.); preamble (n.); canon (n.) rule; inevitable (adj.); dilemmas (n.); mentor (n.) adviser; unwarranted (adj.) unjustified; reassurance (n.); consent (n./v.) agreement; amateur (n.); prudent (adj.); jurisdiction (n.); render (v./n.) deliver, cause, submit; reputation (n.); fiduciary (adj./n.) held in trust; trustee; disrupt (v.); negligence (n.); grudge (v.) begrudge; pertinent (adj.) relevant; dissemination (n.) distribution; garble (v.) distort; replicate (n.) copy; encapsulation; polymorphism (n.); instantiation (n.); neural (adj.); mainframe (n.); garbage (n.); vigilance (n.) watchfulness; prudent (adj.); burnt-out (adj.); evidence (n.); purge (n./v.) cleanse, remove; tap; uncover (v.) expose; transparency (n.); coercive (adj.) compelling; dumpster: waste container; accreditation (n.); certification (n.); pertain (v.) relate to; cross-examine, examine, grill, question, quiz, test; cohesion (n.); coupling (n.); collusion; furniture (n.); punitive (adj.); inherit (v.); inheritance; hiding (n.) concealment; hierarchical (adj.); hierarchy (n.); drastically (adv.); prototype (n.); embedding (n.); wrap; prevalent (adj.) widespread; schema (n.) plan; mimic (adj./n./v.) imitate; negatively (adv.); overhead: processing time spent on system operation rather than on user work.
CISSP training notes: teaching content
CISSP training notes. Latest CISSP study notes. These notes were compiled by Mr. Yuan, a high-scoring 2014 candidate from our class, as he read through the books while preparing for the CISSP exam. They are very detailed and thorough, and are offered here for other candidates' reference.
Chapters 1 to 10 are notes taken while studying the All-in-One 6th edition; chapters 11 to 18 add points picked up while doing the practice questions on the cccure site after finishing All-in-One; chapters 19 to 25 add points from the Official Guide; and the final chapter 26 adds points from the "actual" practice questions done during the final review.
After reading All-in-One three times, he supplemented it mainly with the Prep Guide study notes, the cccure practice questions and the Official Guide, and in the final review stage (about one week) worked from these notes together with the "actual" practice questions.
Contents
1. Chapter 3: Security management practices
1.1 Security management
1.2 Risk management
1.3 Policies, standards, baselines, guidelines, procedures
1.4 Classification
1.5 Employees
2. Chapter 4: Access Control
2.1 Identification, authentication (= validation) and authorization
2.2 Access control models
2.3 Access control techniques and technologies
2.4 Access control administration
2.5 Access control methods
2.6 Access control types
2.7 Access control practices
2.8 Access control monitoring
2.9 A few threats to access control
3. Chapter 5: Security Models and Architecture
3.1 Computer architecture
3.2 Operating system architecture
3.3 System architecture
3.4 Security models
3.5 Security modes of operation
3.6 Systems evaluation methods
3.7 A few threats to security models and architectures
4. Chapter 6: Physical Security
4.1 Planning process
4.2 Protecting assets
4.3 Internal support systems
4.4 Environmental issues
4.5 Perimeter security
5. Chapter 7: Telecommunications and Networking Security
5.1 Open systems model
5.2 TCP/IP
5.3 Types of transmission
5.4 LAN networking
5.5 Media access technology
5.6 LAN protocols
5.7 Networking devices
5.8 Networking services and protocols
5.9 MAN, WAN
5.10 Remote access
5.11 Wireless technologies
6. Chapter 8: Cryptography
6.1 Methods of encryption
6.2 Types of symmetric algorithms
6.3 Types of asymmetric algorithms
6.4 Message integrity: hashes, MD5, SHA
6.5 PKI (public key infrastructure)
6.6 Link encryption and end-to-end encryption
6.7 E-mail standards
6.8 Internet security
6.9 Attacks
7. Chapter 9: Business Continuity Planning
7.1 Make BCP part of the security policy and program
7.2 Business continuity plan requirements
7.3 Recovery strategies
7.4 Developing goals for the plans
7.5 Testing and revising the plan
8. Chapter 10: Law, Investigation and Ethics
8.1 Computer crime investigations
9. Chapter 11: Application and System Development
9.1 Database management
9.2 System development
9.3 Application development methodology
9.4 Attacks
10. Chapter 12: Operations Security
10.1 Security operations and product evaluation
10.2 Network and resource availability
10.3 E-mail security
10.4 Hack and attack methods
11. cccure: security management
12. cccure: access control
13. cccure: CPU
14. cccure: AP
15. cccure: encryption
16. cccure: telecommunications
17. cccure: operations security
18. cccure: law
19. Official Guide: law
20. Official Guide: BCP
21. Official Guide: security management
22. Official Guide: AP
23. Official Guide: cryptography
24. Official Guide: networking
25. Official Guide: operations security
25.1 Information protection environment
26. Actual practice questions
26.1 Day one
26.2 Day two
26.3 Day three
1. Chapter 3: Security management practices. Remember a few formulas (p. 65). ARO is the annualized rate of occurrence: an event that happens once in 10 years has ARO = 0.1. SLE is the loss from a single occurrence; if SLE = 37,500, then ALE = 0.1 × 37,500 = 3,750. EF (exposure factor) × asset value = SLE. SLE × ARO = ALE (annualized loss expectancy). Also remember the responsibilities of the data owner and the other roles, and the classification levels used by commercial companies and governments (4 and 5 levels respectively). 1.1 Security management. 1. Security management must be driven top-down: senior management has to take it seriously and provide enough support, funding, time and resources.
CISSP first-time pass guide (bonus at the end)
CISSP first-time pass guide (bonus at the end). On 19 December 2017 I passed the CISSP exam at the 17th floor of Asia Mansion, Hankou Road, Huangpu District, Shanghai. After dragging it out for a year the result was satisfactory in the end. To build up some good karma I am sharing the review notes from my year and more of preparation, in the hope that they help others who need the certification.
A little about my background: both my bachelor's and master's degrees were in [major omitted in the original], so I count as formally trained, though I did not study very hard at school and my fundamentals are average. After graduating I have worked in security at a large financial institution for about four years, doing penetration testing, vulnerability scanning and SOC construction; my daily work is closely tied to security technology. I also hang around the major SRC platforms and play CTFs, so I am reasonably hands-on, an ordinary member of the security workforce.
CISSP stands for "Certified Information Systems Security Professional" (its Chinese name is "(ISC)² registered information professional"). It is organized and administered by (ISC)² and is currently the most authoritative, professional and systematic information security certification in the world.
The CISSP carries a lot of weight and recognition, and the exam is not cheap at 599 dollars. It covers a very broad range of material and is called the "encyclopedia" of the security field; but although it is broad, much of it only scratches the surface, "a mile wide and an inch deep", which is the CISSP's defining characteristic.
Why take the CISSP? In my manager's words, it quickly builds a personal knowledge framework for the whole security field; certification plus reading the industry standards is the most effective way to do that.
Once you decide to take the CISSP, finish it as soon as possible; the longer it drags on, the more it affects your life. Ideally complete the review and the exam within six months. For various reasons I dragged it out for a year and felt deeply the pain of a campaign that runs too long.
My review materials: All-in-One 6th edition (Chinese) + OSG (Official Study Guide, Chinese) + the official practice questions (English). I read All-in-One three times in total and the OSG twice. The two books cover roughly the same material; All-in-One is more detailed and wordier, while the OSG tracks the exam outline more closely and is more compact. I suggest just reading the OSG, but read it several times and make sure you understand every knowledge point in it.
The current CISSP outline has 8 CBK domains: •Security and Risk Management (security, risk, compliance, law, regulations, business continuity) •Asset Security (protecting the security of assets) •Security Engineering (security engineering and management) •Communication and Network Security (designing and protecting network security) •Identity and Access Management (access control and identity management) •Security Assessment and Testing (designing, performing and analysing security tests) •Security Operations (foundational concepts, investigations, incident management, disaster recovery) •Software Development Security (understanding, applying and enforcing). It is called the "encyclopedia" of security because these 8 domains cover essentially every aspect of security work. I have some practical experience in Security Assessment and Testing and in Security Operations, but little exposure to the other domains, so during review I spent more time understanding the unfamiliar ones and searched Baidu for whatever I did not understand; sometimes the explanation found there was clearer than the textbook's.
CISSP study notes (Chinese)
Note: I compiled this document after reading All-in-One for the first time. It has no particular structure, just knowledge points, most of which come from the "Quick Tips" at the end of each chapter and the key terms in the text.
Please go easy on me and bear with any mistakes, thanks! Chapter 2: Information security governance and risk management
1. The goal of security is to provide availability, integrity and confidentiality protection for data and resources.
2. A vulnerability is the absence of a safeguard, or a weakness in a safeguard that can be exploited.
3. A threat is the possibility that someone or something will, intentionally or unintentionally, exploit a vulnerability and cause loss to an asset.
4. Risk is the likelihood that a threat agent exploits a vulnerability, together with the corresponding potential loss.
5. A countermeasure, also called a safeguard or control, mitigates risk.
6. Controls may be administrative, technical or physical, and can provide deterrent, preventive, detective, corrective or recovery protection.
7. Compensating controls are alternative controls adopted for economic or business-functionality reasons.
8. COBIT is a framework of control objectives that enables IT governance.
9. ISO/IEC 27001 is the standard for establishing, implementing, controlling and improving an information security management system.
10. The ISO/IEC 27000 series derives from BS 7799 and is the international best practice for how to develop and maintain a security program.
11. Enterprise architecture frameworks are used to develop architectures for specific stakeholders and to present information in views.
12. An information security management system (ISMS) is a set of policies, processes and systems for managing the risks to the information assets covered by ISO/IEC 27001.
13. Enterprise security architecture is a subset of the enterprise architecture; it describes current and future security processes, systems and sub-units to ensure strategic alignment.
14. A blueprint is the functional definition of how technology is integrated into business processes.
15. Enterprise architecture frameworks are used to build the single architecture that best fits the organization's needs and business drivers.
16. Zachman is an enterprise architecture framework; SABSA is a security enterprise architecture framework.
17. COSO is a governance model used to prevent fraud within a corporate environment.
18. ITIL is a set of best practices for IT service management.
19. Six Sigma is used to identify defects in processes so that the processes can be improved.
20. Enterprise security architecture should be aligned with strategy, business enablement, process improvement and security effectiveness.
21. NIST SP 800-53 divides controls into technical, management and operational categories.
22. OCTAVE is a team-oriented, workshop-driven risk management method, usually used in the commercial sector.
23. Security management should be top-down (from senior management down to ordinary staff).
24. Risk can be transferred, avoided, mitigated or accepted.
25. Threat × vulnerability × asset value = total risk.
26. Total risk × control gap = residual risk.
27. Risk analysis has four main goals: (1) identify assets and their value; (2) identify vulnerabilities and threats; (3) quantify the likelihood and business impact of potential threats; (4) reach a budgetary balance between the impact of the threat and the cost of the countermeasure.
28. Failure Modes and Effects Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes and effects of failures through a structured process.
29. Fault tree analysis is a useful method for detecting faults that can occur in complex environments and systems.
30. Quantitative risk analysis attempts to assign monetary values to the individual components of the analysis.
31. A purely quantitative risk analysis is not possible, because qualitative items cannot be precisely quantified.
32. When performing a risk analysis it is important to understand the degree of uncertainty, because it indicates how much the team and management can trust the analysis data.
33. Automated risk analysis tools reduce the manual work involved in risk analysis.
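The formulas in these quick tips (threat × vulnerability × asset value = total risk; total risk × control gap = residual risk) and in the Chapter 3 training notes earlier on this page (SLE = EF × asset value; ALE = SLE × ARO, with the 37,500 / 0.1 / 3,750 example) are easiest to apply when they are run over a list of scenarios and set against the cost of a control. The following is an added example written for this page, not code from either set of notes. The asset values, exposure factors, frequencies and safeguard costs are constructed sample figures (the first scenario is chosen to reproduce the notes' own 37,500 / 3,750 numbers), and the safeguard cost/benefit rule it uses, ALE before the control minus ALE after the control minus the control's annual cost, is the standard CISSP formula rather than something quoted on this page.

```python
"""Quantitative risk analysis worked in code (added example, not from the page's notes).

Formulas, as stated in the notes on this page:
    SLE = AV * EF                  single loss expectancy
    ALE = SLE * ARO                annualized loss expectancy
    residual risk = total risk * control gap
Safeguard test (standard CISSP rule, not quoted on the page):
    value = ALE_before - ALE_after - annual cost of safeguard   (buy only if > 0)
All figures below are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    """One threat/asset pair with the inputs a quantitative analysis needs."""
    name: str
    asset_value: float      # AV: what the asset is worth, in currency units
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    aro: float              # ARO: expected occurrences per year (once in 10 years -> 0.1)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be in [0, 1]")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")


@dataclass(frozen=True)
class Safeguard:
    """A proposed control: its yearly cost and the EF/ARO it leaves behind."""
    name: str
    annual_cost: float
    residual_exposure_factor: float
    residual_aro: float


def sle(s: Scenario) -> float:
    """Single loss expectancy: AV * EF."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized loss expectancy: SLE * ARO."""
    return sle(s) * s.aro


def safeguard_value(s: Scenario, g: Safeguard) -> float:
    """ALE_before - ALE_after - annual cost. Positive means the control pays for itself."""
    after = replace(s, exposure_factor=g.residual_exposure_factor, aro=g.residual_aro)
    return ale(s) - ale(after) - g.annual_cost


def choose_safeguard(s: Scenario, candidates: List[Safeguard]) -> Optional[Safeguard]:
    """The candidate with the highest positive value, or None if none is worth buying."""
    best = max(candidates, key=lambda g: safeguard_value(s, g), default=None)
    return best if best is not None and safeguard_value(s, best) > 0 else None


def residual_risk(total_risk: float, control_gap: float) -> float:
    """total risk * control gap; the gap is the fraction of risk the controls do not cover."""
    if not 0.0 <= control_gap <= 1.0:
        raise ValueError("control gap must be in [0, 1]")
    return total_risk * control_gap


def rank_by_ale(scenarios: List[Scenario]) -> List[Tuple[str, float]]:
    """Scenarios from largest to smallest ALE, the order in which budget is usually argued."""
    return sorted(((s.name, ale(s)) for s in scenarios), key=lambda t: t[1], reverse=True)


# Constructed sample data (not from the page); the first line reproduces the notes' numbers.
SCENARIOS = [
    Scenario("warehouse fire", asset_value=150_000, exposure_factor=0.25, aro=0.1),
    Scenario("ransomware on file server", asset_value=80_000, exposure_factor=0.6, aro=0.5),
    Scenario("laptop theft", asset_value=2_000, exposure_factor=1.0, aro=3.0),
]

FIRE_SAFEGUARDS = [
    Safeguard("sprinkler system", annual_cost=1_000, residual_exposure_factor=0.25, residual_aro=0.02),
    Safeguard("halon suppression", annual_cost=4_000, residual_exposure_factor=0.05, residual_aro=0.1),
]

if __name__ == "__main__":
    for name, value in rank_by_ale(SCENARIOS):
        print(f"{name:28s} ALE = {value:10,.2f}")
    fire = SCENARIOS[0]
    for g in FIRE_SAFEGUARDS:
        print(f"{g.name:28s} value = {safeguard_value(fire, g):10,.2f}")
    chosen = choose_safeguard(fire, FIRE_SAFEGUARDS)
    print("chosen:", chosen.name if chosen else "none")
```

The sample shows why ALE, not SLE, drives the decision: the fire has by far the largest single loss, but at one occurrence in ten years its ALE is the smallest of the three, and the ransomware scenario with a much smaller asset sits at the top of the ranking. It also shows the cost/benefit trap the notes' item 27(4) warns about: halon cuts the fire ALE by the same amount as sprinklers, but at four times the annual cost it has a negative value, so the cheaper control wins even though the more expensive one is the "better" suppression system.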
Introduction to Information Technology: course overview, PKU-SQN-XXXX (1)
Awards: Beijing Outstanding Teacher; the 5th China Youth Science and Technology Award (Organization Department of the CPC Central Committee, Ministry of Personnel, China Association for Science and Technology); Ministry of Electronics Industry Science and Technology Progress Special Prize; National Science and Technology Progress Second Prize; State Council special government allowance; Military Science and Technology Progress Second Prize; 2004 Beijing Higher Education Teaching Achievement First Prize; 2005 National Teaching Achievement First Prize; and others.
Deputy Head of the Department of Information Security, School of Software and Microelectronics, Peking University: Dr. Shen Qingni, Associate Professor, master's supervisor.
Peking University Information Security Laboratory
Information Security Laboratory, School of Electronics Engineering and Computer Science, Peking University; Department of Information Security, School of Software and Microelectronics, Peking University
Head of the Department of Information Security, School of Software and Microelectronics, Peking University:
Professor Qing Sihan, doctoral supervisor
Formerly Director of the Information Security Engineering Research Center, Institute of Software, Chinese Academy of Sciences. A cryptographer and information security expert well known at home and abroad, and leader of the Trusted Computing Working Group of the national standards committee. From 1982 to 1984 he was a visiting scholar in the Department of Computer Science at the University of Washington, working on information technology and computer security; since returning to China he has worked continuously in information security and has made many notable contributions to the country's information security research and practice.
[...] with information transmission, organization, management, publication and use as its main thread, the course introduces the overall landscape of information technology, laying a solid foundation for students to understand and master the field's body of knowledge, techniques and methods systematically and comprehensively. Specific objectives include:
➢ Understand the concepts of information, information science and information technology, and of computing and computing science
➢ Master the principles of computer system organization and of software systems, including the basics of system software, application software, programming languages and software engineering
CONTENTS (main content)
Knowledge module: knowledge points
1* Overview of information technology: information; information science and information technology; computing and computing science
2 The information-processing machine, the computer system: microprocessors; storage systems; input/output devices; buses and interface standards
Latest CISA certification, complete Chinese materials, perfect edition: All-in-One knowledge points annotated in detail
Business Continuity and Disaster Recovery. This chapter covers: 1. Types of disaster and their impact on the company; 2. The components of business continuity and disaster recovery plans; 3. BIA (business impact analysis); 4. Recovery targets; 5. Testing the BCP and DRP; 6. Training staff; 7. Maintaining the BCP and DRP; 8. Auditing the BCP and DRP. This chapter accounts for 14% of the CISA exam. 1. The primary objective of BCP and DRP: improve the chances that the organization will survive a disaster without incurring costly or even fatal damage to its most critical activities. 2. BCP and DRP apply to companies of any size; every company should build its own.
3. Even if a disaster never happens, the company still benefits from the process of developing the BCP and DRP, because that process improves business processes and technology.
Disaster: from the business point of view, a disaster is an unexpected and unplanned event that interrupts business operations. Disasters vary in scale and in the impact they cause.
1. Types of disaster
1. Natural disasters: earthquakes; volcanoes; landslides; avalanches (slab, loose-snow and powder-snow avalanches); wildfires; tropical cyclones (high winds, heavy rain, storm surge); tornadoes; windstorms; lightning; ice storms; hail; flooding; tsunamis; pandemics; extraterrestrial impacts (meteorites).
2. Man-made disasters: civil disturbances (protests, demonstrations, riots, strikes, work slowdowns, stoppages, looting, curfews, evacuations, lockdowns); utility outages (failure of electricity, gas, water, heating, telecommunications lines and similar services); materials shortages (shortages of raw materials); fires (in buildings, materials, equipment); hazardous materials spills; transportation accidents; terrorism and war (affecting a local area, but also indirectly causing materials shortages and utility outages); security events (hacker attacks and the like).
A real disaster is usually triggered by several factors together.
2. How disasters affect the company. Many disasters have a direct impact on business operations, but it is their secondary effects that do the greater damage to the company's ability to keep operating.
CISSP knowledge points
Domain 1 - Information Security and Risk Management: Information Security and Risk Management; Mainframe Days; In the Good Old Days – Who Knew?; Today's Environment; Security Definitions; Vulnerabilities; Examples of Some Vulnerabilities that Are Not Always Obvious; Risk – What Does It Really Mean?; Relationships; Who Deals with Risk?; Overall Business Risk; Who?; AIC Triad; Availability; Integrity; Confidentiality; Who Is Watching?; Social Engineering; What Security People Are Really Thinking; Security Concepts; Security?; The Bad Guys Are Motivated; If Not Obscurity – Then What?; Open Standards; Common Open Standards; Without Standards; "Soft" Controls; Logical Controls; Physical Controls; Are There Gaps?; Understanding Drivers; Holistic Security; Not Always So Easy; What Is First?; Different Types of Law; How Is Liability Determined?; Examples of Due Diligence; Examples of Due Care; Prudent Person Rule; Prudent Person; Taking the Right Steps; Regulations; Why Do We Need Regulations?; Risk Management; Why Is Risk Management Difficult?; Necessary Level of Protection Is Different for Each Organization; Security Team/Committee; Risk Management Process; Planning Stage – Team; Analysis Paralysis; Planning Stage – Scope; Planning Stage – Analysis Method; Risk Management Tools; Defining Acceptable Levels; Acceptable Risk Level; Collecting and Analyzing Data Methods; What Is a Company Asset?; Data Collection – Identify Assets; Data Collection – Assigning Values; Asset Value; Data Collection – Identify Threats; Data Collection – Calculate Risks; Scenario Based – Qualitative; Risk Approach; Qualitative Analysis Steps; Want Real Answers?; Qualitative Risk Analysis Ratings; Qualitative Risks; Quantitative Analysis Steps; Quantitative Analysis; How Often Will This Happen?; ARO Values and Their Meaning; Calculate ALE; ALE Value Uses; Relationships; Calculate Risks – ALE Example; Your Turn!; ALE Calculation; Can a Purely Quantitative Analysis Be Accomplished?
Risk Types; Examples of Types of Losses; Delayed Loss; Cost/Benefit Analysis; Cost of a Countermeasure; Cost/Benefit Analysis Countermeasure Criteria; Calculating Cost/Benefit; Controls; Control Selection Requirements; Quantitative Analysis; Quantitative Analysis Disadvantages; Qualitative Analysis Approach; Qualitative Analysis Disadvantages; Can You Get Rid of All Risk?; Calculating Residual Risk; Uncertainty Analysis; Dealing with Risk; Management's Response to Identified Risks; Risk Acceptance; Risk Analysis Process Summary; Components of Security Program; A Layered Approach; In Security, You Never Want Any Surprises; Building Foundation; Security Roadmap; Functional and Assurance Requirements; Building Foundation; Most Organizations; Silo Security Structure; Islands of Security Needs and Tools; Get Out of a Silo Approach; Security Is a Process; Approach to Security Management; Result of Battling Management; Industry Best Practices Standards; ISO/IEC 17799; Pieces and Parts; Numbering; New ISO Standards; COBIT; Inside of COBIT; COBIT – Control Objectives Measurements; Information Technology Infrastructure Library; Security Governance; Security Program Components; Policy Framework; Policy Types; Organizational Policy; Policy Approved – Now What?; Issue-Specific Policies; ASP Policy Example; System-Specific Policies; Standards; Standard Example; Baseline; Data Collection for Metrics; Guidelines; Procedures; Tying Them Together; Program Support; Entity Relationships; Senior Management's Role; Security Roles; Custodian; Auditor; Access; Information Classification; Information Classification Program; Data Leakage; Do You Want to End Up in the News?; Types of Classification Levels; Data Protection Levels; Classification Program Steps; Information Classification Components; Procedures and Guidelines; Classification Levels; Information Classification Criteria; Criteria Example; Or Not; Information Owner Requirements; Clearly Labeled; Testing Classification Program; Who Is Always Causing Problems?
Employee Management; Employee Position and Management; Hiring and Firing Issues; A Few More Items; Unfriendly Termination; Security Awareness and Training; Training Characteristics; Awareness; Security Enforcement Issues; Answer This Question; Domain 1 Review.
Domain 2 - Access Control: Domain Objectives; Agenda 1; Definitions; Access Control Mechanism Examples; Technical Controls; Administrative Controls; Access Control Characteristics; Preventive Controls; Preventive - Administrative Controls; Preventive – Physical Controls; Preventive - Technical Controls; Control Combinations; Detective - Administrative Control; Detective Examples; Administrating Access Control; OS, Application, Database; Administrating Access Control; Authorization Creep; Accountability and Access Control; Trusted Path; Fake Login Pages Look Convincing; Who Are You?; Identification Issues; Authentication Mechanisms Characteristics; Strong Authentication; Fraud Controls; Internal Control Tool: Separation of Duties; Authentication Mechanisms in Use Today; Biometrics Technology; Biometric Devices; Example; Verification Steps; What a Person Is; Why Use Biometrics?; Biometric Type; Identification or Authentication?; Iris Sampling; Iris; Finger Scan; Hand Geometry; Facial Recognition; Comparison; Biometrics Verification; Issues; Downfalls to Biometric Use; Biometrics Error Types; Crossover Error Rate; Biometric System Types; Passwords; Password Generators; Password "Shoulds"; Support Issues; Password Attacks; Attack Steps; Many Tools to Break Your Password; Rainbow Table; Passwords Should NOT Contain…; What's Left?; Countermeasures for Password Cracking; Cognitive Passwords; One-Time Password Authentication; Synchronous Token; One Type of Solution; Synchronous Steps; Administrator Configures; Challenge Response Authentication; Asynchronous Token Device; Asynchronous Steps; Challenge Response Authentication; Cryptographic Keys; Passphrase Authentication; Key Protection; Memory Cards; Memory Card Characteristics; Smart Card; Characteristics; Card Types; Smart Card Attacks; Software Attack; Side Channel Attack; Side Channel Data Collection; Microprobing; Identity Management; How Are These Entities Controlled?; Some Current Issues; Management; Typical Chaos; Different Identities; Identity Management Technologies; Directory Component; Enterprise Directory; Directory Responsibilities; Authoritative Sources; Meta Directory; Directory Interactions; Web Access Management; Web Access; Password Management; Legacy Single Sign-On; Account Management Systems; Provisioning Component; Provisioning; Not Just Computers; Profile Update; Working Together; Enterprise Directory; Identity Management Solution Components; Right for Your Company; What you need to know; Federated Identity; Identity Theft; Fake Login Tools; How Do These Attacks Work?; Attempts to Get Your Credentials; How Do These Work?; Instructional Emails; Knowing What You Are Disposing of Is Important; Other Examples; Another Danger to Be Aware of… Spyware; Is Someone Watching You?; What Does This Have to Do with My Computer?; Sometimes You Know that Software Is Installing on Your System; New Spyware Is Being Identified Every Week; Spyware Comes in Many Different Forms; How to Prevent Spyware; Different Technologies; Single Sign-on Technology; Single Sign-on; Directory Services as a Single Sign-on Technology; Active Directory; Some Technologies Can Combine Services; Security Domain; Domains of Trust; Domain Illustration; Thin Clients; Example; Kerberos as a Single Sign-on Technology; Kerberos Components Working Together; Pieces and Parts; More Components of Kerberos; KDC Components; Kerberos Steps; Tickets; Ticket Components; Authenticators; Steps of Validation; Kerberos Security; Why Go Through All of this Trouble?; Issues Pertaining to Kerberos; Kerberos Issues; SESAME as a Single Sign-on Technology; SESAME Steps for Authentication; Combo; Models for Access; Access Control Models; Discretionary Access Control Model; ACL Access; File Permissions; Enforcing a DAC Policy; Security Issues; Mandatory Access Control Model; MAC Enforcement Mechanism – Labels; Formal Model; Software and Hardware; Software and Hardware Guards; Where Are They Used?; SELinux; MAC Versus DAC; Role-Based Access Control; RBAC Hierarchy; RBAC and SoD; Acquiring Rights and
PermissionsRule-Based Access ControlFirewall ExampleAccess Control MatrixCapability TablesUser Capability TablesTemporal Access ControlAccess Control AdministrationAccess Control MethodsCentralized ApproachRemote Centralized AdministrationRADIUSRADIUS StepsRADIUS CharacteristicsTACACS+ CharacteristicsDiameter CharacteristicsDiameter ProtocolMobile IPDiameter ArchitectureTwo PiecesAVPDecentralized Access Control Administration Controlling Access to Sensitive Data Protecting Access to System Logs Accountability = Auditing EventsAgenda 2IDSIDS StepsNetwork IDS SensorsHost IDSCombinationTypes of IDSsSignature-Based ExampleBehavior-Based IDSStatistical AnomalyStatistical IDSProtocol AnomalyWhat Is a Protocol Anomaly?Protocol Anomaly IssuesTraffic AnomalyIDS Response MechanismsResponses to AttacksIDS IssuesIntrusion Prevention SystemDifferencesVulnerable IDSTrapping an IntruderDomain 2 ReviewDomain 3 - Cryptography Objectives Services Provided by Cryptography Cryptographic DefinitionsCipherCryptanalysisA Few More DefinitionsNeed Some More Definitions?Now This Would be Hard WorkSymmetric Cryptography – Use of Secret Keys Historical Uses of Symmetric Cryptography –HieroglyphicsScytale CipherSubstitution CiphersSimple Substitution Cipher AtbashSimple Substitution Cipher Caesar Cipher Caesar Cipher ExampleSimple Substitution Cipher ROT13 Historical UsesPolyalphabetic Cipher – Vigenere Cipher Polyalphabetic SubstitutionVigenere AlgorithmEnigma MachineU-Boats had Enigma MachinesCode BookHistorical Uses of Symmetric Cryptography – Running Key and ConcealmentAgenda 1Transposition CiphersKey and Algorithm RelationshipDoes Size Really Matter?It Does with Key SizesKey spaceWays of Breaking Cryptosystems – Brute ForceBrute Force ComponentsWays of Breaking Cryptosystems – Frequency Analysis Strength of a CryptosystemDo You Know What You are Doing?Developing Cryptographic Solutions In-House Characteristics of Strong AlgorithmsOpen or Closed More Secure?Agenda 2Types of Ciphers Used 
TodayType of Symmetric Cipher – Block CipherS-Boxes Used in Block CiphersBinary Mathematical Function 1Type of Symmetric Cipher – Stream Cipher Symmetric CharacteristicsInitialization VectorsSecurity HolesStrength of a Stream CipherLet‟s Dive in DeeperSymmetric Key CryptographyOut-of-Band TransmissionSymmetric Key Management IssueSymmetric Algorithm ExamplesSymmetric DownfallsWhy?Asymmetric CryptographyKey FunctionsPublic Key Cryptography AdvantagesAsymmetric Algorithm DisadvantagesConfusing NamesSymmetric versus AsymmetricAsymmetric Algorithm ExamplesQuestions 1When to Use Which KeyUsing the Algorithm Types TogetherEncryption StepsReceiver's Public Key Is Used to Encrypt the Symmetric KeyReceiver‟s Private Key Is Used to Decrypt the Symmetric KeyDigital EnvelopeE-mail SecuritySecret versus Session KeysAsymmetric Algorithms We Will Dive Into Asymmetric Algorithm – Diffie-HellmanDiffie-HellmanKey Agreement SchemesAsymmetric Algorithm – RSA Factoring Large NumbersRSA OperationsRSA Key SizeEl GamalECCECC BenefitsAsymmetric MathematicsAsymmetric SecurityMathematicsSymmetric Ciphers We Will Dive Into Symmetric Algorithms – DESBlock CipherDouble DESEvolution of DESModes of 3DESEncryption ModesBlock Cipher Modes – CBCIV and CBCCBC ExampleDifferent Modes of Block Ciphers –ECB ECB versus CBCBlock Cipher Modes – CFB and OFB CFB and OFB ModesCounter ModeModes SummarySymmetric Cipher – AESIDEARC4RC5Agenda 3Data IntegrityHashing StepsProtecting the Integrity of DataHashing AlgorithmsData Integrity MechanismsHashing StrengthQuestion 1Weakness in Using Only Hash Algorithms More Protection in Data IntegrityMACHMAC – SenderHMAC – ReceiverAnother LookWhat ServicesAuthentication TypesCBC-MACMAC Using Block CiphersIntegrity?What Services?Question 2Digital SignaturesOne More Look 1U.S. 
Government StandardWhat is…Not Giving up the FarmZero Knowledge ProofMessage Integrity ControlsSecurity Issues in HashingExample of a Birthday Attack Birthday Attack IssuesKey ManagementKey BackupKey Management (Cont.)Key UsageCryptoperiodM-of-NKey TypesAgenda 4Why Do We Need a PKI?PKI and Its ComponentsComponents of PKIPKIPKI StepsRA RolesCALet‟s Walk Through an ExampleDigital CertificatesCertificateSigning the CertificateVerifying the CertificateTrusted CA‟sNon-Trusted CAOne More Look 2What Do You Do with a Certificate?Components of PKI, Repository, and CRLs Revoked?CRL ProcessDifferent Uses for CertificatesLifecycle of a CertificateCross CertificationPKI and TrustAgenda 5Historical Uses of Symmetric Cryptography – Vernam CipherBinary Mathematical Function 2One-Time Pad in ActionOne-Time Pad CharacteristicsSteganographySteganography UtilitiesDigital WatermarkingLink versus End-to-End EncryptionEnd-to-End EncryptionEncryption LocationEmail StandardsYou DecideNon-HierarchicalSecure ProtocolsSSL Connection SetupExample - SSLValidating CertificateSecure Protocols (Cont.)SSL and the OSI ModelE-CommerceHow Are You Doing?Hard the First Times ThroughSecure Email StandardAgenda 6Network Layer ProtectionIPSec Key ManagementIPSec Handshaking ProcessVPN EstablishmentSAs in UseKey Issues Within IPSecConfiguration of SA ParametersIPSec Configuration OptionsIPSec Is a Suite of ProtocolsAH and ESP ModesIPSec Modes of OperationVPN Establishment (Cont.)ReviewQuestions 2Attack TypesAttacks on CryptosystemsKnown-Plaintext AttackChosen-Plaintext AttackChosen-Ciphertext AttackAdaptive AttacksSide Channel AttacksDomain 3 ReviewDomain 4 - Physical Security Objectives Physical Security – ThreatsDifferent Types of ThreatsCategories of ThreatsWake Up CallNot Just HackingNumber One PriorityLegal IssuesPlanning PhasePhysical Security Program Goals Measurable ResultsPlanning ProcessRisk Assessment Needs to be Carried Out DeterrenceDeterrence OptionsDelayAnother Delay ApproachLayered Defense 
ModelLayers of DefenseDetectionAssessmentResponseWeak Link in the ChainPart of the Overall Security ProgramControls with the Same GoalsAgenda 1Threat CategoriesCrime Prevention through Environmental Design Crux of ApproachProtection Built InCPTED ExamplesNatural Access ControlAccess ControlCPTED Main StrategiesTarget HardeningAccess BarriersFacility Site SelectionUrban CamouflageFacility Construction Earthquake ProtectionConstruction MaterialsRebar Encased in ConcretePentagon with ReinforcementsFire Resistance WallsData CenterData Center ProtectionDesigning a Secure SiteLevels of ProtectionDoor TypesHollow-Core DoorsSolid Core DoorsBullet Proof DoorDoor ComponentDoor Lock TypesWindow TypesControlling AccessSensitive AreasPossible ThreatsSecurity ZonesVarious SensorsLock TypesControlling KeysSmart LocksLock PickingEntry Access ControlFacility AccessWireless Proximity DevicesDevice TypesPiggybackingEntrance ProtectionMantrapsDoor ConfigurationsExternal Boundary ProtectionPerimeter Protection – FencingDetection FencingDetecting IntrudersFencing CharacteristicsFencing IssuesGatesWhat Level of Protection is Needed? 
BollardsPerimeter Protection – LightingProperly Laid OutLighting IssuesPerimeter Security – Security GuardsGuard TasksSecurity GuardsMonitoringLevel of Detail that is RequiredCCTVItems to Consider about CCTVsCCTV ComponentsCCTV Lens TypesCCTV Components (Cont.)Agenda 2Types of Physical Intrusion Detection Systems Intrusion Detection CharacteristicsElectro-Mechanical SensorsVolumetric SensorsAlarm SystemsSecuring Mobile DevicesStolen Laptops (partial list..)Agenda 3HVAC AttributesEnvironmental ConsiderationsWho‟s Got Gas?Documentation of ProceduresElectrical PowerBackup PowerProblems with Steady Power CurrentPower InterferenceDisturbancesProtection Against Electromagnetic Discharge DefinitionsPower Preventive MeasuresDevice ProtectionConsistent Power FlowStatic ElectricityAgenda 4Fire PreventionNot AllowedComponents of FireFire SourcesAutomatic Detector MechanismsFire DetectionFire Suppression AgentsFire TypesEmergency Power Off SwitchEmployees Need to be TrainedFire Suppression SystemsFire ExtinguishersEmergency ProceduresDrills and TestingWater DetectorsFull ProgramDomain 5 - Security Architecture and Design ObjectivesAgenda 1Computer ArchitectureCentral Processing Unit (CPU)RegistersArithmetic Logic UnitControl UnitProcessing DataRegister TypesProgram Status Word (PSW)Trust LevelsProcessMemory Segment AssignmentThreadsProcess and ThreadProcess StatesAgenda 2InterruptsInterrupt MaskingProcess TableMoving InformationStacks BusesProcessor and Buses32-Bit versus 64-BitWorking TogetherMultiprocessingMultiprocessorSystem FunctionalityMultitasking TypesMultitaskingDeadlockAgenda 3Memory TypesCache TypesRead Only MemoryVirtual MemorySwappingTypes of MemoryArchitecture ComponentsMemory Manager ResponsibilitiesMemory ProtectionMemory Manager Responsibilities (Cont.) 
Memory AddressingBase and Limit AddressesShared MemoryMemory Protection (Cont.)Memory LeaksAgenda 4CPU and OSSystem Protection – Levels of TrustTrust Levels (Cont.)System Protection - Protection RingsWhat Does It Mean to Be in a Specific Ring? System Protection – LayeringSystem Call InterfacesAPI Application Programming InterfaceSystem Protection - Application Program Interface Process ProtectionProcess IsolationVirtual MappingProcess IDVirtual MachinesVMWareInput/Output DevicesI/O AddressingDevice TypesDevice DriversSecurity IssuesSoftware ComplexityTypes of CompromisesAgenda 5Trusted Computing BaseTCBHardened KernelExecution DomainsSimple DefinitionMain Functions of TCBProcess ActivationExecution Domain SwitchingSecurity PerimeterEvaluationSystem Protection - Reference Monitor Security Kernel RequirementsTying Concepts TogetherAgenda 6Security LevelsMAC ModesModes of OperationMAC Modes (Cont.)Agenda 7Enterprise ArchitectureObjectivesWithout an Enterprise Security Architecture Can‟t Just Wing ItJust RightBreaking Down the Components Strategic AlignmentBusiness EnablementProcess EnhancementProcess Enhancement Requires… Security FoundationSecurity EffectivenessAre We Doing it Right?Integration of ComponentsHow Do We Do All of This?Security Enterprise ArchitectureIndustry ModelSecurity RoadmapTrust ZonesInfrastructure LevelApplication LayerComponent LayerBusiness Process LayerHolistic SecurityAgenda 8Access Control ModelsPolicy versus ModelState MachineInformation FlowInformation Flow ModelBell-LaPadulaRules of Bell-LaPadulaRules ClarifiedTranquility TypesBibaDefinition of IntegrityBiba Access RulesClark-WilsonGoals of ModelClark Wilson ComponentsClark-Wilson (Cont.)Clark-Wilson ModelNon-Interference ModelLattice-Based Access ControlLattice ApproachUnderstanding LatticeAccess Control Matrix ModelAccess Control MatrixBrewer and Nash Model – Chinese Wall Brewer and NashTake-Grant Model Graham-Denning ModelAgenda 9Trusted Computer System Evaluation Criteria (TCSEC) 
TCSECTCSEC Rating BreakdownEvaluation Criteria - ITSECITSEC RatingsITSEC – Good and BadCommon CriteriaCommon Criteria StandardSecurity Functional RequirementsSecurity Assurance RequirementsCommon Criteria ComponentsCommon Criteria RequirementsPackage RatingsCommon Criteria OutlineCertification Versus AccreditationDomain 5 ReviewDomain 6 - Law, Investigation and Ethics Objectives Not Just Fun and GamesExamples of Computer CrimesWho Perpetrates These Crimes?Types of Motivation for AttacksA Few Attack TypesDumpster DivingTelephone FraudPrivacy of Sensitive DataPrivacy Issues – U.S. Laws as ExamplesEuropean Union Principles on PrivacyRouting Data Through Different Countries Employee Privacy IssuesAgenda 1Civil LawCriminal LawAdministrative LawU.S. Federal LawsTrade SecretCopyrightMore Intellectual Property LawsSoftware LicensingSoftware PiracyDigital Millennium Copyright ActAgenda 2Computer Crime and Its BarriersCountries Working TogetherWorldwide CybercrimeSecurity Principles for International UseDetermine if a Crime Has Indeed Been Committed Bringing in Law EnforcementCitizen versus Law Enforcement Investigation Investigation of Any CrimeRole of Evidence in a TrialEvidence RequirementsChain of CustodyHow Is Evidence Processed?Hearsay EvidenceHearsay Rule ExceptionAgenda 3Preparing for a Crime Before It HappensIncident HandlingEvidence Collection TopicsComputer ForensicsHidden SecretsTrying to Trap the Bad GuyCompanies Can Be Found LiableSets of Ethics(ISC)2Computer Ethics InstituteInternet Architecture BoardDomain 6 ReviewDomain 7 - Telecommunications and Networking Agenda 1OSI ModelOSI LayersNetworking CommunicationsAn Older ModelData EncapsulationApplication LayerOSI – Application LayerPresentation LayerOSI – Presentation LayerOSI – Session LayerClient/Server ModelClient/Server Session LayerTransport LayerTransport Layer AnalogyTransport ProtocolsOSI – Network LayerHere to ThereNetwork LayerOSI – Data LinkData LinkSublayersOSI – Physical LayerPhysical LayerLayers 
Working TogetherProtocols at Each LayerDevices Work at Different LayersTypes of NetworksNetwork Topologies – Physical LayerTopology Type – BusTopology Type – RingTopology Type – StarNetwork Topologies – MeshMesh TopologiesSummary of TopologiesAgenda 2LAN Media Access TechnologiesMedia AccessOne Goal of Media Access Technologies Collision DomainBack Off, BuddyCarrier Sense Multiple AccessCSMA/Collision Avoidance (CSMA/CA)Media Access Technologies – EthernetMedia Access Technologies – Token Passing Token‟s RoleOther Technologies Media Access Technologies – Polling Agenda 3Cabling Types – CoaxialCoaxialCabling Types – Twisted PairCable TypesTypes of Cabling – FiberMultimode vs. Single ModeSignal and Cable IssuesSignaling IssuesTransmission Types – Analog and Digital Transmission Types – Synchronous AsynchronousTransmission Types – Baseband Transmission Types – BroadbandCabling Issues – Plenum-Rated Transmission Types – Number of Receivers Internet Group Management Protocol MulticastingNetwork TechnologiesExtranetNetwork Technologies (Cont.)EDI EvolutionNetworking DevicesNetwork Device – RepeaterNetwork Device – HubNetworking Device – BridgeForwarding Table ExampleNetwork Devices – SwitchVirtual LANVLANInterfaces and VLANsSniffersNetworking Devices – RouterHopsRoutersBridges Compared to RoutersNetwork Devices – GatewayAgenda 4Port and Protocol RelationshipClient PortsConceptual Use of PortsTCP/IP SuiteUDP versus TCPTCP SegmentSYN FloodTeardrop AttackSource RoutingSource Routing TypesIP Address RangesIPv6ProtocolsProtocols – ARPIP to MAC MappingHow ARP WorksARP PoisoningICMP PacketsA Way Hackers Use ICMPPing StepsProtocols – SNMPSNMP in ActionSNMPSNMP OutputPOP3 and SMTPProtocols – SMTPMail RelayProtocols – FTP, TFTP, TelnetProtocols – RARP and BootPDHCP – Dynamic Host Configuration Protocol Agenda 5Networking Device – Bastion HostNetwork ConfigurationsDMZ ConfigurationsFirewall ComparisonsNetwork Devices – FirewallsFirewall Types – Packet FilteringPacket Filtering 
FirewallPacket Filtering Firewall WeaknessesPacket FilteringRule Set ExampleFirewall Types – Proxy FirewallsFirewall Types – Circuit-Level Proxy Firewall Circuit-Level ProxyFirewall Types – Application-Layer Proxy Application-Layer Proxy AdvantagesApplication-Layer Proxy Disadvantages Dedicated Proxy ServersFirewall Types – StatefulState TableCompareFirewall Types – Kernel ProxiesFirewall based VPN DevicesBest PracticesFirewall PlacementPacket Filtering (Cont.)Screened HostFirewall Architecture Types – Multi- or Dual-Homed Screened SubnetAgenda 6Dial-Up Protocols and Authentication Protocols Dial-Up Protocol – SLIPDial-Up Protocol – PPPPPPPPP versus SLIPAuthentication Protocols – PAPAuthentication Protocols – CHAPAuthentication Protocol – EAPData InspectionVirtual Private Network TechnologiesWhat Is a Tunneling Protocol?AnalogyExamplesTunneling Protocols – PPTPTunneling Protocols – L2TPL2TP EncapsulationTunneling Protocols – IPSecIPSec Basic FeaturesIPSec Transport ModeIPSec Tunnel ModeSecurity Associations (SAs) Combining SasIterated TunnellingAgenda 7SDLC and HDLCLayer 3 at Layer 2MPLSMultiprotocol Label SwitchingQuality of Service (QoS)QoS ServicesAutonomous SystemsRouting ProtocolsRoutingRouting Protocols (Cont.)OSPFOSPF Packet ValuesIGRPBGPRouting Protocol AttacksMetropolitan Area Network TechnologiesMAN Technologies – FDDIFDDISONET RingsMAN Technologies – SONETConnecting NetworksNetwork ServicesNetwork Service – DNSDNS Server StructureName Resolving StepsSplit DNSHost Name Resolution AttacksNetwork Service – NATTypes of NATPATNISStoring DataNIS+ AuthenticationAgenda 8WAN Technologies Are Circuit or Packet Switched PSTNConnecting to the PSTNCircuit SwitchingSteps of ConnectionsMultiplexingTypes of MultiplexingTDM ProcessStatistical Time Division MultiplexingFDMFDM ProcessPacket SwitchingCircuit versus Packet SwitchingWAN Technologies – Packet SwitchedWAN Technologies – X.25X.25WAN Technologies – Frame RelayWAN ExampleFrame RelayPVC and SVCWAN Technologies – 
ATMCell SwitchingWide Area Network Technologies。
CISSP (Certified Information Systems Security Professional)
Introduction to CISSP training. CISSP (Certified Information Systems Security Professional) is the most widely recognized top-level professional qualification for information security practitioners worldwide.
The CBK (Common Body of Knowledge) is the set of eight domains required for CISSP certification (reduced from ten domains to eight in 2015). Candidates must know the principles, practice and operation of each domain; only by fully mastering the knowledge of these eight domains and understanding how the domains relate to one another can one expect to pass the exam.
The CISSP training course of SITC (Shanghai Information Technology Training Center) is a staged, step-by-step programme based on the CBK, taught by professional instructors who have passed SITC's instructor qualification. The course material follows the eight CBK knowledge domains as revised in 2015 and the latest edition of CISSP All in One 4th; it is updated continuously with developments in the information security industry, balances the practical needs of security operations with international requirements, and is carefully designed using the latest findings of adult learning psychology.
The purpose of attending CISSP training is to help practitioners systematically understand and master the concepts, principles, practices and operations of the information security knowledge domains. Even those who do not sit the CISSP exam can use it to learn about the latest international developments in information security, round out their security knowledge and improve their security skills.
Target audience: the course is designed for professionals who already have considerable work experience, knowledge and ability in the field of information security.
The course is aimed at people whose profession is information security; participants should be industry practitioners responsible for security management, security planning or security technology, including information security professionals from large enterprises, telecommunications, banking and securities, system integrators and service providers, e-commerce and e-government.
They mainly work in consulting and management related to information system security, in roles such as CIO (Chief Information Officer), CSO (Chief Security Officer), consultant, security maintenance staff and security trainer.
Typical participants are information security managers and their staff, network security managers and people responsible for security management.
Admission requirements:
1. Two or more years of relevant work experience, so that the course content is easier to understand
2. Some English reading ability
3. Adherence to the code of professional ethics for information security practitioners
Course value for enterprises and departments: IT-related enterprises: as providers of information technology products or services, IT-related enterprises urgently need large numbers of CISSPs.
CISSP Certification Exam Summary
CISSP Certification Exam Summary, by Jia Wenjun. I passed the CISSP certification exam held in Shenzhen, China on 18 May 2002.
1. Introduction to the CISSP certification. The CISSP certification exam is held around the world by the International Information Systems Security Certification Consortium ((ISC)2); candidates who meet the eligibility requirements and pass the exam are awarded the CISSP certificate.
(ISC)2 was founded in 1989 and is a non-profit organization.
CISSP has become a globally recognized reference for evaluating the qualifications of information security professionals. To maintain professional knowledge, skills and competitive edge, (ISC)2 requires CISSP holders to pursue continuing education and accumulate 120 CPE credits (continuing professional education points, which can be earned through related work or research) within three years; otherwise they must retake the exam to keep the CISSP credential. (ISC)2 also publishes basic information about certified CISSP holders on its website for worldwide lookup.
[The situation in China, Hong Kong, Japan, South Korea and Singapore] The CISSP exam consists of 250 multiple-choice questions, all in English, which must be answered within 6 hours. All questions relate to information security and cover ten domains of professional knowledge: information security management, access control, telecommunications and network security, operations security, cryptography, applications and systems development, security architecture and models, physical security, business continuity planning and disaster recovery, and law and ethics.
2. The CISSP exam. I used the SRV exam guide and CISSP All in One.
The SRV set is a little dated (there is now a second edition), but the way it organizes the material is very good.
I did not have time to finish the practice book, but I believe the exercises are a great help for the actual exam.
All in One is rich in content, though some parts are long-winded; I still read it through once.
There is also a small booklet called CISSP Exam Cram Book, which is very concise.
Several websites also offer Cram-style material, useful for last-minute review and for finding gaps in your preparation.
CISSP candidate exam recollections in Chinese (December 2018 edition)
a. The DNS server receives a large number of resolution requests for … b. The DNS server returns incorrect responses to these requests. Question 1: If enterprise users visit … at this time, what happens?
A. The browser does not respond B. A DNS error is displayed C. It is resolved correctly D. It is resolved to the wrong website. Question 2: What attack has the DNS server suffered? A. DDoS B. Cache poisoning
51. What does using SAML require at a minimum? The user is registered with at least one merchant (note this option; relies on the IdP)
52. A company outsources its business to a cloud service provider; a problem causes losses. Who is responsible for the financial loss? The cloud service provider (note this option)
53. Who bears ultimate responsibility for the risk of data remanence caused by an enterprise's use of cloud services? Options: data owner (note this option), data processor, custodian
54. MTD (definition): Recovery Time Objective (RTO) / Maximum Tolerable Downtime (MTD) / Recovery Point Objective (RPO)
55. Which IPsec protocol provides confidentiality and integrity? ESP
56. The concept of a SYN flood attack
57. The steps of disaster recovery
58. A malicious program and a legitimate application's process? Race condition
59. An employee creates a computer virus on a computer and spreads it on the corporate network; what is the first thing legal staff do? Seize the employee's computer (note this option)
BSIMM divides each category of security measures into three levels; each level contains the security goals that should be achieved at that level and points out the corresponding specific security activities. This tiered strategy, together with the identifiable step-by-step goals that go with it, forms the BSIMM maturity model.
27001: requirements for an information security management system.
15408: CC, the Common Criteria. The CC standard is the evaluation standard for IT security, used to assess the security of information systems and information products. CC evaluation covers two aspects: security functional requirements and security assurance requirements.
SOC3 (Service Organization Controls): SOC3 is a general-use report that contains only the auditor's opinion, i.e. whether the service organization's control system meets the attestation standard; SOC3 does not include the supporting details. SOC reports address users' broad needs: security, privacy, availability and so on.
15. Asset classification ordering question: 1. Record information assets 2. Assign a classification level 3. Apply appropriate security labels 4. Conduct periodic classification reviews 5. Declassify information
Physical Security

1. Question: 339 | Difficulty: 5/5 | Relevancy: 3/3
Crime Prevention Through Environmental Design (CPTED) is a discipline that:
o Outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior.
o Outlines how the proper design of the logical environment can reduce crime by directly affecting human behavior.
o Outlines how the proper design of the detective control environment can reduce crime by directly affecting human behavior.
o Outlines how the proper design of the administrative control environment can reduce crime by directly affecting human behavior.
A. Crime Prevention Through Environmental Design (CPTED) is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. It provides guidance in loss and crime prevention through proper facility construction and environmental components and procedures.
From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd Edition, McGraw-Hill/Osborne, 2005, page 344.
Contributed by Mike Young, CISSP, November 9, 2007.
Comment: This is a physical security question designed to familiarize the test taker with the CPTED concept. Some other sources are:
Contributor: Jane E. Murley
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Site Selection, Facility Design, and Configuration

2. Question: 1199 | Difficulty: 5/5 | Relevancy: 3/3
The Physical Security domain focuses on three areas that are the basis to physically protecting an enterprise's resources and sensitive information. Which of the following is not one of these areas?
o Threats
o Countermeasures
o Vulnerabilities
o Risks
B. The correct answer is: Countermeasures. Countermeasures are used to mitigate the risks, threats, and vulnerabilities and are not areas that are protected. Security is very important to organizations and their infrastructures, and physical security is no exception. Physical security encompasses a different set of threats, vulnerabilities, and risks than the other types of security that have been addressed so far. Physical security mechanisms include site design and layout, environmental components, emergency response readiness, training, access control, intrusion detection, and power and fire protection. Physical security mechanisms protect people, data, equipment, systems, facilities, and a long list of company assets.
Last modified 10/17/2007 - J. Hajec
Thanks to crusador0407 and vijayu for providing feedback to help clarify this question.
Comment: References: AIOv3 Physical Security (pages 337 - 345); OIG CBK Physical Security (pages 281 - 285)
Contributor: Nick Mackovski
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topics (2): Risk management, Physical security controls

3. Question: 345 | Difficulty: 1/5 | Relevancy: 3/3
A prolonged complete loss of electric power is a:
o brownout
o blackout
o surge
o fault
B. A prolonged power outage is a blackout.
From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd Edition, McGraw-Hill/Osborne, 2005, page 368.
Edited November 9, 2007 by Mike Young, CISSP
Contributor: Jane E. Murley
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Power considerations
This question © Copyright 2003–2006 Jane E. Murley.

4. Question: 1208 | Difficulty: 2/5 | Relevancy: 3/3
The ideal operating humidity range is defined as 40 percent to 60 percent. Low humidity (less than 40 percent) can produce what type of problem on computer parts?
o Static electricity
o Electro-plating
o Energy-plating
o Element-plating
A. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 333.
Contributor: Nick Mackovski
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: HVAC considerations
This question © Copyright 2003–2006 Nick Mackovski.

5. Question: 1363 | Difficulty: 1/5 | Relevancy: 3/3
Which fire class can water be most appropriate for?
o Class A fires
o Class B fires
o Class C fires
o Class D fires
A. Water is appropriate for class A (common combustibles) fires. Class B fires (liquid) are best handled by CO2, soda acid or Halon. Class C fires (electrical) are best handled by CO2 and Halon. Fire class D is used for combustible metals like magnesium.
Source: WALLHOFF, John, CBK#10 Physical Security (CISSP Study Guide), April 2002 (page 3). Available at .
Last modified 07/02/2007, Ron Hehemann
Contributor: Christian Vezina
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Fire and smoke detection and suppression systems
This question © Copyright 2003–2006 Christian Vezina.

6. Question: 1364 | Difficulty: 3/5 | Relevancy: 3/3
Critical areas should be lighted:
o Eight feet high and two feet out.
o Eight feet high and four feet out.
o Ten feet high and four feet out.
o Ten feet high and six feet out.
A. Lighting should be used to discourage intruders and provide safety for personnel, entrances, parking areas and critical sections. Critical areas should be illuminated 8 feet high and 2 feet out.
Source: WALLHOFF, John, CBK#10 Physical Security (CISSP Study Guide), April 2002 (page 4). Available at .
Last modified 07/02/2007, Ron Hehemann
Contributor: Christian Vezina
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Physical security controls
This question © Copyright 2003–2006 Christian Vezina.

7. Question: 338 | Difficulty: 2/5 | Relevancy: 3/3
Which of the following is not a physical control for physical security?
o lighting
o fences
o training
o facility construction materials
C. Some physical controls include fences, lights, locks, and facility construction materials. Some administrative controls include facility selection and construction, facility management, personnel controls, training, and emergency response and procedures.
From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 3rd Ed., Chapter 6, page 403.
Edited August 8, 2007, Mike Young, CISSP
Contributors: Jane E. Murley, don murdoch
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Physical security controls
This question © Copyright 2003–2006 Jane E. Murley.

8. Question: 1206 | Difficulty: 4/5 | Relevancy: 3/3
In a dry pipe system, there is no water standing in the pipe - it is being held back by what type of valve?
o Relief valve
o Emergency valve
o Release valve
o Clapper valve
D. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 336. And: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: GOLD EDITION, John Wiley & Sons, 2002, page 471.
Contributors: Nick Mackovski, Patrick Tonge
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Fire and smoke detection and suppression systems
This question © Copyright 2003–2006 Nick Mackovski.

9. Question: 238 | Difficulty: 5/5 | Relevancy: 3/3
Which of the following is NOT a type of motion detector?
o photoelectric sensor.
o Passive infrared sensors.
o Microwave.
o Ultrasonic.
A. The correct answer is: photoelectric sensor. A photoelectric sensor does not directly sense motion; it projects a narrow beam that does not set off the sensor unless the beam is broken. Photoelectric sensors, along with dry contact switches, are a type of perimeter intrusion detector. All of the other answers are valid types of motion detectors. There are basically three types of sensors used in motion detectors: passive infrared sensors, microwave, and ultrasonic.
Last Modified 08/27/2007 J. Hajec
Thanks to David Ellis for providing feedback to improve this question.
Comment: References: /wiki/Motion_detector
Contributor: Eric Yandell
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Motion detectors, sensors, and alarms
This question © Copyright 2003–2006 Eric Yandell.

10. Question: 1617 | Difficulty: 5/5 | Relevancy: 3/3
To be in compliance with the Montreal Protocol, which of the following options can be taken to refill a Halon flooding system in the event that Halon is fully discharged in the computer room?
o Order an immediate refill with Halon 1201 from the manufacturer.
o Contact a Halon recycling bank to make arrangements for a refill.
o Order a different chlorofluorocarbon compound from the manufacturer.
o Order an immediate refill with Halon 1301 from the manufacturer.
B. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. Available at .
Comment: The Montreal Protocol controls the production of ozone-depleting substances such as Halon and restricts their production and use.
References: /ozone/pdfs/Montreal-Protocol2000.pdf
Contributor: Hal Tipton
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Fire and smoke detection and suppression systems
This question © Copyright 2003–2006 Hal Tipton.

11. Question: 178 | Difficulty: 1/5 | Relevancy: 3/3
Under what conditions would the use of a Class C fire extinguisher be preferable to a Class A extinguisher?
o When the fire involves paper products
o When the fire is caused by flammable products
o When the fire involves electrical equipment
o When the fire is in an enclosed area
C. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical security (page 335).
Contributor: Donnie Saunders
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Fire and smoke detection and suppression systems
This question © Copyright 2003–2006.

12. Question: 344 | Difficulty: 2/5 | Relevancy: 3/3
A prolonged high voltage is a:
o spike
o blackout
o surge
o fault
C. A prolonged high voltage is a surge.
From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd Edition, McGraw-Hill/Osborne, 2005, page 368.
Edited November 9, 2007 by Mike Young, CISSP
Contributor: Jane E. Murley
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Power considerations
This question © Copyright 2003–2006 Jane E. Murley.

13. Question: 1202 | Difficulty: 5/5 | Relevancy: 3/3
If the floor is a concrete slab, the concerns are the physical weight it can bear and its fire rating. Known as loading, this type of floor must be capable of a live load of?
o 250 pounds per square foot
o 150 pounds per square foot
o 350 pounds per square foot
o 450 pounds per square foot
B. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 329.
Contributor: Nick Mackovski
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Facility Requirements
This question © Copyright 2003–2006 Nick Mackovski.

14. Question: 1175 | Difficulty: 4/5 | Relevancy: 3/3
Which of the following fire extinguishing systems is currently the most recommended water system for a computer room?
o Wet pipe
o Dry pipe
o Deluge
o Preaction
D. The preaction system combines both the dry and wet pipe systems, by first releasing the water into the pipes when heat is detected (dry pipe), then releasing the water flow when the link in the nozzle melts (wet pipe). This allows manual intervention before a full discharge of water on the equipment occurs. This is currently the most recommended water system for a computer room.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical security (page 336).
Contributor: Christian Vezina
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Fire and smoke detection and suppression systems
This question © Copyright 2003–2006 Christian Vezina.

15. Question: 1176 | Difficulty: 4/5 | Relevancy: 3/3
What fence height will stop a determined intruder?
o 3' to 4' high.
o 6' to 7' high.
o 8' high and above with strands of barbed wire.
o No fence can stop a determined intruder.
D. Although an 8' high fence with strands of barbed wire is likely to deter most intruders, a fence in itself cannot stop a determined intruder.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical security (page 340).
Contributor: Christian Vezina
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Physical security controls
This question © Copyright 2003–2006 Christian Vezina.

16. Question: 348 | Difficulty: 4/5 | Relevancy: 3/3
Because ordinary cable introduces a toxic hazard in the event of fire, special cabling is required in a separate area provided for air circulation for heating, ventilation, and air-conditioning (sometimes referred to as HVAC) and typically provided in the space between the structural ceiling and a drop-down ceiling. This area is referred to as the:
o smoke boundary area
o fire detection area
o Plenum area
o Intergen area
C. In building construction, a plenum (pronounced PLEH-nuhm, from Latin meaning full) is a separate space provided for air circulation for heating, ventilation, and air-conditioning (sometimes referred to as HVAC) and typically provided in the space between the structural ceiling and a drop-down ceiling. A plenum may also be under a raised floor. In buildings with computer installations, the plenum space is often used to house connecting communication cables. Because ordinary cable introduces a toxic hazard in the event of fire, special plenum cabling is required in plenum areas.
Source: /sDefinition/0,,sid80_gci213716,00.html
Contributed November 9, 2007 by Mike Young, CISSP
Comment: Additional resources: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd Edition, McGraw-Hill/Osborne, 2005, page 377.
Contributors: Jane E. Murley, Scot Hartman
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Fire and smoke detection and suppression systems
This question © Copyright 2003–2006 Jane E. Murley.

17. Question: 342 | Difficulty: 2/5 | Relevancy: 3/3
A momentary high voltage is a:
o spike
o blackout
o surge
o fault
A. A momentary high voltage is a spike.
From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd Edition, McGraw-Hill/Osborne, 2005, page 368.
Edited by Mike Young, CISSP
Contributor: Jane E. Murley
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: Power considerations
This question © Copyright 2003–2006 Jane E. Murley.

18. Question: 1366 | Difficulty: 4/5 | Relevancy: 3/3
What static charge is able to cause disk drive data loss?
o 550 volts
o 1000 volts
o 1500 volts
o 2000 volts
C. A static charge of 1500 volts is able to cause disk drive data loss. A charge of 1000 volts is likely to scramble the monitor display and a charge of 2000 volts can cause a system shutdown. It should be noted that charges of up to 20,000 volts or more are possible under conditions of very low humidity with non-static-free carpeting.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical Security (page 333).
Last modified 07/02/2007, Ron Hehemann
Contributor: Christian Vezina
Study area: CISSP CBK domain #10 - Physical (Environmental) Security
Covered topic: HVAC considerations
This question © Copyright 2003–2006 Christian Vezina.

19. Question: 1201 | Difficulty: 3/5 | Relevancy: 3/3
The environment that must be protected includes all personnel, equipment, data, communication devices, power supply and wiring. The necessary level of protection depends on the value of the data, the computer systems, and the company assets within the facility. The value of these items can be determined by what type of analysis?
o Critical-channel analysis
o Covert channel analysis
o Critical-path analysis
o Critical-conduit analysis
C.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide,McGraw-Hill/Osborne, 2001, Page 281.Contributor: Nick MackovskiStudy area:CISSP CBK domain #10 - Physical (Environmental) SecurityCovered topic:Critical path analysisThis question © Copyright 2003–2006 Nick Mackovski, .20.Question: 1200 | Difficulty: 3/5 | Relevancy: 3/3Physical security is accomplished through proper facilityconstruction, fire and water protection, anti-theft mechanisms,intrusion detection systems, and security procedures that areadhered to and enforced. Which of the following is not a component that achieves this type of security?o Administrative control mechanismso Integrity control mechanismso Technical control mechanismso Physical control mechanismsB. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide,McGraw-Hill/Osborne, 2001, Page 280.Contributors:Nick Mackovski, Don GalarowiczStudy area:CISSP CBK domain #10 - Physical (Environmental) SecurityCovered topic:Physical security controlsThis question © Copyright 2003–2006 Nick Mackovski, .21.Question: 1055 | Difficulty: 4/5 | Relevancy: 3/3Which of the following related to physical security is not considereda technical control?o Access controlso Intrusion detectiono Fire detection and suppressiono Library Control SystemsC. All of the above are considered technical controls except for locks, which arephysical controls.Administrative, Technical, and Physical Security ControlsAdministrative security controls are primarily policies and procedures put into place to define and guide employee actions in dealing with the organization'ssensitive information. For example, policy might dictate (and procedures indicate how) that human resources conduct background checks on employees with access to sensitive information. Requiring that information be classified and the process to classify and review information classifications is another example of anadministrative control. 
The organization security awareness program is anadministrative control used to make employees cognizant of their security roles and responsibilities. Note that administrative security controls in the form of a policy can be enforced or verified with technical or physical security controls. For instance, security policy may state that computers without antivirus softwarecannot connect to the network, but a technical control, such as network access control software, will check for antivirus software when a computer tries to attach to the network.Technical security controls (also called logical controls) are devices, processes, protocols, and other measures used to protect the C.I.A. of sensitive information.Examples include logical access systems, encryptions systems, antivirus systems, firewalls, and intrusion detection systems.Physical security controls are devices and means to control physical access to sensitive information and to protect the availability of the information. Examples are physical access systems (fences, mantraps, guards), physical intrusiondetection systems (motion detector, alarm system), and physical protectionsystems (sprinklers, backup generator). Administrative and technical controls depend on proper physical security controls being in place. An administrativepolicy allowing only authorized employees access to the data center do little good without some kind of physical access control.From the websiteLast modified 10/19/2007 - J. HajecA special thanks to ukhant for providing feedback to improve this question. 
(notto mention crusador0407 who initially doubted the answers previously provided) Comment:References:/library/2770/resources/whitepaper/operations/207.phpContributor: Christian VezinaStudy area:CISSP CBK domain #10 - Physical (Environmental) Security Covered topics (2):Technical physical security controls, Physical securitycontrolsThis question © Copyright 2003–2006 Christian Vezina, .22.Question: 234 | Difficulty: 5/5 | Relevancy: 3/3Which of the following suppresses the fuel supply of the fire?o soda acido CO2o Halono waterA. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide:Mastering the Ten Domains of Computer Security, page 335.It must be noted that Halon is now banned in most country or cities.Contributor: Eric YandellStudy area:CISSP CBK domain #10 - Physical (Environmental) Security Covered topic:Fire and smoke detection and suppression systemsThis question © Copyright 2003–2006 Eric Yandell, .23.Question: 1429 | Difficulty: 3/5 | Relevancy: 3/3Which of the following questions is less likely to help in assessing physical and environmental protection?o Are sensitive data files encrypted on all portable systems?o Are deposits and withdrawals of tapes and other storage media from the library authorized and logged?o Are computer monitors located to eliminate viewing by unauthorized persons?o Are procedures in place to determine compliance with password policies?D. 
Physical security and environmental security are part of operational controls,and are measures taken to protect systems, buildings, and related supportinginfrastructures against threats associated with their physical environment.All the choices above are useful in assessing physical and environmentalprotection except for procedures regarding password policies, which areoperational controls related to data integrity.Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-21 to A-24).Last modified 07/02/2007, Ron HehemannContributor: Christian VezinaStudy area:CISSP CBK domain #10 - Physical (Environmental) SecurityCovered topics (2):Humidity and environmental controls, Physical security controlsThis question © Copyright 2003–2006 Christian Vezina, .24.Question: 1529 | Difficulty: 5/5 | Relevancy: 3/3How should a doorway with automatic locks to a man-operatedinformation processing facility be configured?o It should be configured to be fail-secure.o It should be configured to be fail-safe.o It should have a door delay cipher lock.o It should not allow piggybacking.B. Access controls are meant to protect facilities and computers as well as people.In some situations, the objectives of physical access controls and the protection of people's lives may come into conflict. In theses situations, a person's life always takes precedence. Many physical security controls make entry into and out of a facility hard, if not impossible. However, special consideration needs to be taken when this could affect lives. In an information processing facility, different types of locks can be used and piggybacking should be prevented, but the issue here with automatic locks is that they can either be configured as fail-safe or fail-secure. 
Since there should only be one access door to an information processing facility, the automatic lock to the only door to a man-operated room must beconfigured to allow people out in case of emergency, hence to be fail-safe(sometimes called fail-open), meaning that upon fire alarm activation or electric power failure, the locking device unlocks. This is because the solinoid thatmaintains power to the lock to keep it in a locked state fails and thus opens or unlocks the electronic lock. Fail Secure works just the other way. The lock device is in a locked or secure state with no power applied. Upon authorized entry, a solinoid unlocks the lock temporarily. Thus in a Fail Secure lock, loss of power of fire alarm activation causes the lock to remain in a secure mode.Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 6: Physical Security (pages 318, 330).Contributors:Christian Vezina, Roy MellingerStudy area:CISSP CBK domain #10 - Physical (Environmental) Security Covered topics (2):Facility Requirements, Physical security controlsThis question © Copyright 2003–2006 Christian Vezina, .25.Question: 1178 | Difficulty: 3/5 | Relevancy: 3/3Which of the following protection devices is used for spot protection within a few inches of the object, rather than for overall roomsecurity monitoring?o Wave pattern motion detectorso Capacitance detectorso Field-powered deviceso Audio detectorsB. Capacitance detectors monitor an electrical field surrounding the object beingmonitored. They are used for spot protection within a few inches of the object, rather than for overall room security monitoring used by wave detectors.Penetration of this field changes the electrical capacitance of the field enough to generate and alarm. Wave pattern motion detectors generate a frequency wave pattern and send an alarm if the pattern is disturbed as it is reflected back to its receiver. 
Field-powered devices are a type of personnel access control devices.Audio detectors simply monitor a room for any abnormal sound wave generation and trigger an alarm.Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide:Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical security (page 344).Contributor: Christian VezinaStudy area:CISSP CBK domain #10 - Physical (Environmental) SecurityCovered topic:Motion detectors, sensors, and alarmsThis question © Copyright 2003–2006 Christian Vezina, .26.Question: 1530 | Difficulty: 3/5 | Relevancy: 3/3Which of the following is a proximity identification device that does not require action by the user and works by responding with anaccess code to signals transmitted by a reader?o A passive system sensing deviceo A transpondero A card swipeo A smart cardB. A transponder is a proximity identification device that does not require actionby the user. The reader transmits signals to the device and the device responds with an access code. These transponder devices contain a radio receiver andtransmitter, a storage place for the access code, control logic, and a battery. A passive device only uses the power from the reader to detect the presence of the card. Card swipes and smart cards are not proximity identification devices.Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 6: Physical Security (page 323).Contributor: Christian VezinaStudy area:CISSP CBK domain #10 - Physical (Environmental) Security Covered topic:Technical physical security controlsThis question © Copyright 2003–2006 Christian Vezina, .27.Question: 1365 | Difficulty: 4/5 | Relevancy: 3/3At which temperature does damage start occurring to magneticmedia?o100 degrees Fahrenheito125 degrees Fahrenheito150 degrees Fahrenheito175 degrees FahrenheitA. Magnetic media are affected from 100 degrees Fahrenheit. 
Disks are damagedat 150 degrees Fahrenheit, computer equipment at 175 degrees Fahrenheit, and paper products at 350 degrees Fahrenheit.Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 10.Available at .Last modified 07/02/2007, Ron HehemannLast modified 09/23/2007 - J. HajecThanks to Robert Frink for providing feedback to improve the quality of thisquestion.Contributor: Christian VezinaStudy area:CISSP CBK domain #10 - Physical (Environmental) Security Covered topics (2):Fire and smoke detection and suppression systems, Sensitive information and media handlingThis question © Copyright 2003–2006 Christian Vezina, .28.Question: 1207 | Difficulty: 3/5 | Relevancy: 3/3The National Institute of Standards and Technology (NIST)standard pertaining to perimeter protection states that critical areas should be illuminated up to?。
CISSP Exam: Key Notes from the All-In-One Guide
Symmetric encryption:
DES standard, DEA algorithm: 64-bit block; 56-bit key plus 8 parity bits; 16 rounds of computation.
1. ECB (Electronic Code Book): the fastest mode; commonly used to encrypt databases and short pieces of data; error tolerant; on long messages, repeated plaintext blocks produce repeated ciphertext blocks, which lowers the difficulty of breaking it.
2. CFB (Cipher Feedback): the previous block's encryption result serves as the IV for encrypting the next block.
3. CBC (Cipher Block Chaining, very important): the previous block's encryption result is XORed with the next plaintext block, and the result is then encrypted.
4. OFB (Output Feedback): the value used to encrypt the next plaintext block comes from the keystream.
3DES: 48 rounds of encryption, taking three times as long as DES.
EEE3: three keys; encrypt, encrypt, encrypt.
EEE2: two keys; encrypt, encrypt, encrypt (steps 1 and 3 use the same key).
EDE2: two keys; encrypt, decrypt, encrypt (steps 1 and 3 use the same key).
AES standard, Rijndael algorithm: 128-bit key, 10 rounds; 192-bit key, 12 rounds; 256-bit key, 14 rounds.
Blowfish: block cipher.
RC4: the most widely used stream cipher (now broken); used in SSL.
RC5: block cipher; RC5-32/12/16 means 64-bit blocks, 12 rounds, 128-bit (16-byte) key.

Asymmetric encryption:
Diffie-Hellman: mainly used for key exchange; based on the discrete logarithm problem in a finite field.
RSA: encryption, digital signatures, key exchange; based on the difficulty of factoring a large number into its original large primes.
ElGamal: encryption, digital signatures, key exchange; based on computing discrete logarithms in a finite field.
ECC (elliptic curve cryptography): the most efficient at equal key length.

Message integrity, hash algorithms:
MAC:
1. HMAC: the MAC is computed over the message together with a symmetric key, so only a recipient holding the symmetric key can compute the same MAC.
2. CBC-MAC: the last block output by CBC-mode encryption is used as the MAC.
Hash algorithms: MD4, 128-bit hash; MD5, 128-bit hash, more complex than MD4; SHA, 160-bit hash, used within the DSA digital signature algorithm.
DSA: asymmetric algorithm used only for digital signatures.
DSS (Digital Signature Standard, US): SHA produces a 160-bit hash, which is then encrypted with DSA, RSA or ECC; the encrypted result serves as the digital signature.

PKI (public key infrastructure): the user generates a public/private key pair and asks the RA to verify their identity; after verifying the identity the RA submits the request to the CA; the CA creates the public key certificate (containing the user's public key and identity, a timestamp and other information), signs it and sends it to the requester. The certificate issued by the CA is encrypted with the CA's own private key; the user decrypts it with the CA's public key (which anyone can obtain) to verify the identity of the issuing CA and thus the validity and integrity of the certificate.
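The DES block modes in the notes above, as an added example that is not part of these notes: a constructed 4-round Feistel toy cipher (a stand-in for DEA with a SHA-256 based round function, not DES itself) run under ECB, CBC and OFB, showing the ECB repetition leak the notes mention and the round trip for CBC and OFB. The key, IV and message are constructed sample values.

```python
import hashlib

BLOCK = 8  # toy 64-bit block, the same block size as DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def _f(key, rnd, half):
    # Constructed round function: keyed SHA-256 truncated to half a block (not DES's F)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def enc_block(key, block):
    # 4-round Feistel network, the structure DEA uses (DEA itself runs 16 rounds)
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l

def dec_block(key, block):
    # The same network with the round order reversed undoes enc_block
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l

def ecb(key, data, decrypt=False):
    # ECB: blocks are independent, so equal plaintext blocks give equal ciphertext blocks
    fn = dec_block if decrypt else enc_block
    return b"".join(fn(key, b) for b in _blocks(data))

def cbc(key, iv, data, decrypt=False):
    # CBC: XOR the previous ciphertext block (the IV for the first) into the plaintext, then encrypt
    out, prev = [], iv
    for b in _blocks(data):
        o = _xor(dec_block(key, b), prev) if decrypt else enc_block(key, _xor(b, prev))
        out.append(o)
        prev = b if decrypt else o
    return b"".join(out)

def ofb(key, iv, data):
    # OFB: keystream is the cipher output fed back into itself; one call both encrypts and decrypts
    out, s = [], iv
    for b in _blocks(data):
        s = enc_block(key, s)
        out.append(_xor(b, s))
    return b"".join(out)

def repeated_blocks(ct):
    # Number of ciphertext blocks that duplicate an earlier one (the ECB leak)
    bs = _blocks(ct)
    return len(bs) - len(set(bs))

KEY, IV = b"k" * 7, b"\x00" * BLOCK   # constructed sample key and IV
MSG = b"SAMEDATA" * 3 + b"ENDBLOCK"     # constructed: three identical plaintext blocks
```

Under ECB the three identical plaintext blocks of MSG yield three identical ciphertext blocks, while CBC and OFB hide the repetition.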