2. Auditing and logging
3. Risk analysis and mitigation
DOMAIN 5: CRYPTOGRAPHY
Overview
The cryptography domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity.
Procedures and protocols that meet some or all of the above criteria are known as cryptosystems. Cryptosystems are often thought to refer only to mathematical procedures and computer programs; however, they also include the regulation of human behavior, such as choosing hard-to-guess passwords, logging off unused systems, and not discussing sensitive procedures with outsiders.
The candidate is expected to know the basic concepts within cryptography; public and private key algorithms in terms of their applications and uses; algorithm construction, key distribution and management, and methods of attack; the applications, construction, and use of digital signatures to provide authenticity of electronic transactions and nonrepudiation of the parties involved; and the organization and management of public key infrastructures (PKIs) and digital certificate distribution and management.
Key Areas of Knowledge
Understand the application and use of cryptography:
1. Data at rest (e.g., hard drive)
2. Data in transit (e.g., on the wire)
Understand the cryptographic life cycle, such as cryptographic limitations and algorithm/protocol governance.
Understand encryption concepts.
1. Foundational concepts
2. Symmetric cryptography
3. Asymmetric cryptography
4. Hybrid cryptography
5. Message digests
6. Hashing
Understand key management processes.
1. Creation/distribution
2. Storage/destruction
3. Recovery
4. Key escrow
Understand digital signatures.
Understand nonrepudiation.
Understand methods of cryptanalytic attacks.
1. Chosen plaintext
2. Social engineering for key discovery
3. Brute force, such as rainbow tables and specialized/scalable architecture
4. Ciphertext only
5. Known plaintext
6. Frequency analysis
7. Chosen ciphertext
8. Implementation attacks
Use cryptography to maintain network security.
Use cryptography to maintain application security.
Understand public key infrastructure (PKI).
Understand certificate-related issues.
Understand information-hiding alternatives such as steganography and watermarking.
DOMAIN 6: SECURITY ARCHITECTURE AND DESIGN
Overview
The security architecture and design domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability.
Information security architecture and design covers the practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization’s security processes, information security systems, personnel and organizational sub-units, so that these practices and processes align with the organization’s core goals and strategic direction.
The candidate is expected to understand security models in terms of confidentiality, integrity, information flow; system models in terms of the Common Criteria (CC); technical platforms in terms of hardware, firmware, and software; and system security techniques in terms of preventative, detective, and corrective controls.
Key Areas of Knowledge
Understand the fundamental concepts of security models (e.g., confidentiality, integrity, and multilevel models).
Understand the components of information systems security evaluation models.
1. Product evaluation models such as Common Criteria
2. Industry and international security implementation guidelines such as PCI-DSS and ISO
Understand security capabilities of information systems (e.g., memory protection, virtualization, and trusted platform module).
Understand the vulnerabilities of security architectures.
1. Systems such as covert channels, state attacks, and emanations
2. Technology and process integration such as single point of failure and service-oriented architecture (SOA)
Understand software and system vulnerabilities and threats.
1. Web-based vulnerabilities/threats such as XML, SAML, and OWASP
2. Client-based vulnerabilities/threats such as applets
3. Server-based vulnerabilities/threats such as data flow control
4. Database security such as inference, aggregation, data mining, and data warehousing
5. Distributed systems such as cloud computing, grid computing, and peer-to-peer computing
Understand countermeasure principles such as defense-in-depth.
DOMAIN 7: SECURITY OPERATIONS
Overview
The security operations domain is used to identify critical information and the execution of selected measures that eliminate or reduce adversary exploitation of critical information. It includes the definition of the controls over hardware, media, and the operators with access privileges to any of these resources. Auditing and monitoring are the mechanisms, tools, and facilities that permit the identification of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process.
The candidate is expected to know the resources that must be protected, the privileges that must be restricted, the control mechanisms available, the potential for abuse of access, the appropriate controls, and the principles of good practice.
Key Areas of Knowledge
Understand security operations concepts.
1. Need-to-know/least privilege
2. Separation of duties and responsibilities
3. Monitor special privileges (e.g., operators and administrators)
4. Job rotation
5. Marking, handling, storing, and destroying of sensitive information
6. Record retention
Employ resource protection.
1. Media management
2. Asset management (e.g., equipment life cycle and software licensing)
Manage incident response.
1. Detection
2. Response
3. Reporting
4. Recovery
5. Remediation and review (e.g., root cause analysis)
Implement preventative measures against attacks (e.g., malicious code, zero-day exploit, and denial-of-service).
Implement and support patch and vulnerability management.
Understand change and configuration management (e.g., versioning and baselining).
Understand system resilience and fault tolerance requirements.
DOMAIN 8: BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING
Overview
The business continuity planning (BCP) and disaster recovery planning (DRP) domain addresses the preservation of the business in the face of major disruptions to normal business operations. BCP and DRP involve the preparation, testing, and updating of specific actions to protect critical business processes from the effect of major systems and network failures.