The only way to turn your life around is to study

Stay healthy and socially engaged, study specialized knowledge, apply it at work, and climb the social ladder

CISSP Landscape

CISSP (an example of how just building a table of contents down to the third level gives you a grasp of the overall picture, the scale, and the layout of what you need to learn. At this point you already feel like you have it in hand. You will pass anyway.)

    1. Security and Risk Management
      • Cornerstone Information security concepts
      • Legal and regulatory issues
        • Compliance with laws and regulations
        • Major legal systems
        • Criminal, civil, and administrative law
        • Liability
        • Due care
        • Due diligence
        • Legal aspects of investigation
        • Intellectual property
      • Security and third parties
        • Service provider contractual security
        • Procurement
        • Vendor governance
        • Acquisitions
        • Divestitures
      • Ethics
        • The (ISC)² code of ethics
      • Information security governance
        • Security policy and related documents
        • Personnel security
      • Access control defensive categories and types
        • Preventive: lock, mantrap, firewall, drug screening
        • Detective: CCTV, light, IDS, post-employment random drug tests
        • Corrective
        • Recovery
        • Deterrent: sign, light, warning banner, sanction policy
        • Compensating
      • Risk analysis
        • Assets
        • Threats and vulnerabilities
        • Risk = Threat * Vulnerability
        • Risk analysis matrix
        • Calculating annualized loss expectancy: (AV * EF) * ARO = ALE
        • Total cost of ownership
        • Return on investment
        • Budget and Metrics
        • Risk choices
        • Quantitative and qualitative risk analysis
        • Risk management process (9-step)
      • Types of attackers

    2. Asset Security
      • Classifying data
        • Labels: Top Secret, Secret, Confidential
        • Security compartments: Sensitive compartmented information
        • Clearance
        • Formal access approval
        • Need to know
        • Sensitive information/media security
      • Ownership
        • Business or mission owner
        • Data owners
        • System owner
        • Custodian
        • Users
        • Data controllers and data processors
        • Data collection limitation
      • Memory and remanence (residual magnetism)
        • Data remanence
        • Memory
      • Data destruction
        • Overwriting
        • Degaussing
        • Destruction
        • Shredding
      • Determining data security controls
        • Certification and Accreditation (certification and evaluation)
        • Standards and control framework
        • Scoping and tailoring
        • Protecting data in motion and data at rest

    3. Security Engineering
      • Security models
        • Reading down and writing up
        • State machine model
        • Bell-LaPadula model
        • Lattice-based access controls
        • Integrity models
        • Information flow model
        • Chinese wall model
        • Noninterference
        • Take-grant
        • Access control matrix
        • Zachman framework for enterprise architecture
        • Graham-Denning model
        • Harrison-Ruzzo-Ullman model
        • Modes of operation
      • Evaluation methods, certification and accreditation
        • The orange book
        • ITSEC
        • The international common criteria
      • Secure system design concepts
        • Layering
        • Abstraction
        • Security domains
        • The ring model
        • Open and closed systems
      • Secure hardware architecture
        • The system unit and motherboard
        • The computer bus
        • The CPU
        • Trusted platform module (TPM)
        • Data execution prevention (DEP) and address space layout randomization (ASLR)
      • Secure operating system and software architecture
        • The kernel
        • Users and file permissions
      • Virtualization and distributed computing
        • Virtualization
        • Cloud computing
        • Large-scale parallel data systems
        • Peer to peer
        • Thin clients
        • The internet of things (IoT)
      • System vulnerabilities, threats and countermeasures
        • Emanations
        • Covert channels
        • Backdoors
        • Malicious code (malware)
        • Server-side attacks
        • Client-side attacks
        • Web architecture and attacks
        • Database security
        • Countermeasures
        • Mobile device attacks
      • Cornerstone cryptography concepts
        • CIA and non-repudiation
        • Confusion, diffusion, substitution and permutation
        • Cryptographic strength
        • Monoalphabetic and polyalphabetic ciphers
        • Modular math
        • Exclusive Or (XOR)
        • Data at rest and data in motion
        • Protocol governance
      • History of cryptography
        • Egyptian hieroglyphics
        • Spartan scytale
        • Caesar cipher and other rotation ciphers
        • Vigenere cipher
        • Cipher disk
        • Book cipher and running-key cipher
        • Codebooks
        • One-time pad
        • Hebern machines and Purple
        • Cryptography laws
      • Types of cryptography
        • Symmetric encryption
        • Asymmetric encryption
        • Hash functions
      • Cryptographic attacks
        • Brute force
        • Social engineering
        • Rainbow tables
        • Known plaintext
        • Chosen plaintext and adaptive chosen plaintext
        • Chosen ciphertext and adaptive chosen ciphertext
        • Meet-in-the-Middle attack
        • Known key
        • Differential cryptanalysis
        • Linear cryptanalysis
        • Side-channel attacks
        • Implementation attacks
        • Birthday attack
        • Key clustering
      • Implementing cryptography
        • Digital signatures
        • Message authentication code
        • HMAC
        • Public key infrastructure
        • SSL and TLS
        • IPsec
        • PGP
        • S/MIME
        • Escrowed encryption
        • Steganography
        • Digital watermarks
      • Perimeter (defensive line) defenses
        • Fences
        • Gates
        • Bollards
        • Lights
        • CCTV
        • Locks
        • Smart cards and magnetic stripe cards
        • Tailgating/Piggybacking
        • Mantraps and turnstiles
        • Contraband checks
        • Motion detectors and other perimeter alarms
        • Doors and windows
        • Walls, floors, and ceilings
        • Guards
        • Dogs
        • Restricted work areas and escorts
      • Site selection, design and configuration
        • Site selection issues
        • Site design and configuration issues
      • System defenses
        • Asset tracking
        • Port controls
      • Environmental controls
        • Electricity
        • HVAC
        • Heat, flame and smoke detectors
        • Personnel safety, training and awareness
        • ABCD fires and suppression
        • Types of fire suppression agents

    4. Communication and Network Security
      • Network architecture and design
        • Network defense-in-depth
        • Fundamental network concepts
        • The OSI model
        • The TCP/IP model
        • Encapsulation
        • Network access, internet and transport layer protocols and concepts
        • Application layer TCP/IP protocols and concepts
        • Layer 1 network cabling
        • LAN technologies and protocols
        • LAN physical network topologies
        • WAN technologies and protocols
        • Converged protocols
        • Software-defined networks
        • Wireless local area networks
        • RFID
      • Secure network devices and protocols
        • Repeaters and hubs
        • Bridges
        • Switches
        • Network taps
        • Routers
        • Firewalls
        • Modem
        • DTE/DCE and CSU/DSU
      • Secure communications
        • Authentication protocols and frameworks
        • VPN
        • Remote access

    5. Identity and Access Management
      • Authentication methods
        • Type 1 authentication: something you know
        • Type 2 authentication: something you have
        • Type 3 authentication: something you are
        • Someplace you are
      • Access control technologies
        • Centralized access control
        • Decentralized access control
        • Single sign-on (SSO)
        • Access provisioning lifecycle
        • Federated identity management
        • Identity as a service (IDaaS)
        • Credential management system
        • Integrating third-party identity services
        • LDAP
        • Kerberos
        • SESAME
        • Access control protocols and frameworks
      • Access control models

    6. Security Assessment and Testing
      • Assessing access control
        • Penetration testing
        • Vulnerability testing
        • Security audits
        • Security assessments
        • Internal and third party audits
        • Log reviews
      • Software testing methods
        • Static and dynamic testing
        • Traceability matrix
        • Synthetic transactions
        • Software testing levels
        • Fuzzing
        • Combinatorial software testing
        • Misuse case testing
        • Test coverage analysis
        • Interface testing
        • Analyze and report test outputs

    7. Security Operations
      • Administrative security
      • Forensics
      • Incident response management
      • Operational preventive and detective controls
      • Asset management
      • Continuity of operations
      • BCP and DRP overview and process
      • Developing a BCP/DRP
      • Backups and availability
      • DRP testing, training and awareness
      • Continued BCP/DRP maintenance
      • Specific BCP/DRP frameworks
      • Summary of exam objectives

    8. Software Development Security
      • Programming concepts
      • Application development methods
      • Database
      • Object-oriented design and programming
      • Assessing the effectiveness of software security
      • Artificial intelligence