CISSP Landscape
CISSP (an example of how just building a table of contents down to the third level gives you the overall picture of what you need to learn, its scale and where each topic sits. At that point you already feel you have it in hand. You'll pass anyway.)
- Security and Risk Management
  - Cornerstone information security concepts
  - Legal and regulatory issues
    - Compliance with laws and regulations
    - Major legal systems
    - Criminal, civil, and administrative law
    - Liability
    - Due care
    - Due diligence
    - Legal aspects of investigation
    - Intellectual property
  - Security and 3rd parties
    - Service provider contractual security
    - Procurement
    - Vendor governance
    - Acquisitions
    - Divestitures
  - Ethics
    - The ISC2 code of ethics
  - Information security governance
    - Security policy and related documents
    - Personnel security
  - Access control defensive categories and types
    - Preventive: lock, mantrap, firewall, drug screening
    - Detective: CCTV, light, IDS, post-employment random drug tests
    - Corrective
    - Recovery
    - Deterrent: sign, light, warning banner, sanction policy
    - Compensating
  - Risk analysis
    - Assets
    - Threats and vulnerabilities
    - Risk = Threat * Vulnerability
    - Risk analysis matrix
    - Calculating annualized loss expectancy: (AV * EF) * ARO = ALE
    - Total cost of ownership
    - Return on investment
    - Budget and metrics
    - Risk choices
    - Quantitative and qualitative risk analysis
    - Risk management process (9-step)
  - Types of attackers
- Asset Security
  - Classifying data
    - Labels: Top Secret, Secret, Confidential
    - Security compartments: sensitive compartmented information
    - Clearance
    - Formal access approval
    - Need to know
    - Sensitive information/media security
  - Ownership
    - Business or mission owner
    - Data owners
    - System owner
    - Custodian
    - Users
    - Data controllers and data processors
    - Data collection limitation
  - Memory and remanence (residual magnetism)
    - Data remanence
    - Memory
    - Data destruction
    - Overwriting
    - Degaussing
    - Destruction
    - Shredding
  - Determining data security controls
    - Certification and accreditation (certification and evaluation)
    - Standards and control frameworks
    - Scoping and tailoring
    - Protecting data in motion and data at rest
  - Classifying data
- Security Engineering
  - Security models
    - Reading down and writing up
    - State machine model
    - Bell-LaPadula model
    - Lattice-based access controls
    - Integrity models
    - Information flow model
    - Chinese wall model
    - Noninterference
    - Take-grant
    - Access control matrix
    - Zachman framework for enterprise architecture
    - Graham-Denning model
    - Harrison-Ruzzo-Ullman model
    - Modes of operation
  - Evaluation methods, certification and accreditation
    - The Orange Book
    - ITSEC
    - The international Common Criteria
  - Secure system design concepts
    - Layering
    - Abstraction
    - Security domains
    - The ring model
    - Open and closed systems
  - Secure hardware architecture
    - The system unit and motherboard
    - The computer bus
    - The CPU
    - Trusted platform module (TPM)
    - Data execution prevention (DEP) and address space layout randomization (ASLR)
  - Secure operating system and software architecture
    - The kernel
    - Users and file permissions
  - Virtualization and distributed computing
    - Virtualization
    - Cloud computing
    - Large-scale parallel data systems
    - Peer-to-peer
    - Thin clients
    - The Internet of Things (IoT)
  - System vulnerabilities, threats and countermeasures
    - Emanations
    - Covert channels
    - Backdoors
    - Malicious code (malware)
    - Server-side attacks
    - Client-side attacks
    - Web architecture and attacks
    - Database security
    - Countermeasures
    - Mobile device attacks
  - Cornerstone cryptography concepts
    - CIA and non-repudiation
    - Confusion, diffusion, substitution and permutation
    - Cryptographic strength
    - Monoalphabetic and polyalphabetic ciphers
    - Modular math
    - Exclusive OR (XOR)
    - Data at rest and data in motion
    - Protocol governance
  - History of cryptography
    - Egyptian hieroglyphics
    - Spartan scytale
    - Caesar cipher and other rotation ciphers
    - Vigenère cipher
    - Cipher disk
    - Book cipher and running-key cipher
    - Codebooks
    - One-time pad
    - Hebern machines and Purple
    - Cryptography laws
  - Types of cryptography
    - Symmetric encryption
    - Asymmetric encryption
    - Hash functions
  - Cryptographic attacks
    - Brute force
    - Social engineering
    - Rainbow tables
    - Known plaintext
    - Chosen plaintext and adaptive chosen plaintext
    - Chosen ciphertext and adaptive chosen ciphertext
    - Meet-in-the-middle attack
    - Known key
    - Differential cryptanalysis
    - Linear cryptanalysis
    - Side-channel attacks
    - Implementation attacks
    - Birthday attack
    - Key clustering
  - Implementing cryptography
  - Security models
  - Perimeter (line of defense) defenses
  - Site selection, design and configuration
    - Site selection issues
    - Site design and configuration issues
  - System defenses
    - Asset tracking
    - Port controls
  - Environmental controls
    - Electricity
    - HVAC
    - Heat, flame and smoke detectors
    - Personnel safety, training and awareness
    - ABCD fires and suppression
    - Types of fire suppression agents
- Communication and Network Security
  - Network architecture and design
    - Network defense-in-depth
    - Fundamental network concepts
    - The OSI model
    - The TCP/IP model
    - Encapsulation
    - Network access, internet and transport layer protocols and concepts
    - Application layer TCP/IP protocols and concepts
    - Layer 1 network cabling
    - LAN technologies and protocols
    - LAN physical network topologies
    - WAN technologies and protocols
    - Converged protocols
    - Software-defined networks
    - Wireless local area networks
    - RFID
  - Secure network devices and protocols
    - Repeaters and hubs
    - Bridges
    - Switches
    - Network taps
    - Routers
    - Firewalls
    - Modems
    - DTE/DCE and CSU/DSU
  - Secure communications
  - Network architecture and design
- Identity and Access Management
- Security Assessment and Testing
  - Assessing access control
    - Penetration testing
    - Vulnerability testing
    - Security audits
    - Security assessments
    - Internal and third-party audits
    - Log reviews
  - Software testing methods
    - Static and dynamic testing
    - Traceability matrix
    - Synthetic transactions
    - Software testing levels
    - Fuzzing
    - Combinatorial software testing
    - Misuse case testing
    - Test coverage analysis
    - Interface testing
  - Analyze and report test outputs
  - Assessing access control
- Security Operations
  - Administrative security
  - Forensics
  - Incident response management
  - Operational preventive and detective controls
  - Asset management
  - Continuity of operations
    - BCP and DRP overview and process
    - Developing a BCP/DRP
    - Backups and availability
    - DRP testing, training and awareness
    - Continued BCP/DRP maintenance
    - Specific BCP/DRP frameworks
  - Summary of exam objectives
- Software Development Security
  - Programming concepts
  - Application development methods
  - Databases
  - Object-oriented design and programming
  - Assessing the effectiveness of software security
  - Artificial intelligence
- Security and Risk Management