
CISSP Overview


Presentation Transcript


  1. CISSP Overview

  2. Contents
     • Introduction
     • The meaning of CISSP and how to prepare for the exam
     • Introduction to the CBK

  3. 1. Introduction / 1.1 What is ISC2?
     • (ISC)2 = International Information Systems Security Certifications Consortium, Inc.
     • (ISC)2 is a global, not-for-profit organization dedicated to:
       • Maintaining a Common Body of Knowledge for Information Security [IS].
       • Certifying industry professionals and practitioners in an international IS standard.
       • Administering training and certification examinations.
       • Ensuring credentials are maintained, primarily through continuing education.
     • Governments, corporations, centers of higher learning and organizations worldwide demand a common platform for, and proficiency in, mastering the dynamic nature of information security. (ISC)2 helps fulfill these needs.
     • Thousands of IS professionals in over 35 countries worldwide have attained certification in one of the two designations administered by (ISC)2:
       • Certified Information Systems Security Professional [CISSP]
       • System Security Certified Practitioner [SSCP]
     • Both credentials indicate that those certified have demonstrated experience in the field of information security, passed a rigorous examination, subscribe to a Code of Ethics and maintain certification with continuing education.

  4. 1. Introduction / 1.2 Why choose certification?
     • Information security [IS] professionals invest substantially in information assets, including technology, architecture and process.
     • But how can protection of these assets be ensured? Only through the strengths of the professionals in charge.
     • Industry standards, ethics and certification of IS professionals and practitioners become critical to ensuring a higher standard of security is achieved. (ISC)2, as the only not-for-profit consortium charged with maintaining, administering and certifying IS professionals in the Common Body of Knowledge [CBK], is the premier resource for IS professionals worldwide.
     • Benefits of (ISC)2 certification to the enterprise:
       • Establishes best practices
       • Provides a solutions orientation, not specialization, particularly with the broader understanding of the IS CBK
       • Access to a network of global industry and subject matter/domain experts
       • Resource for broad-based security information
       • Adds to credibility with the rigor and regimen of the certification examinations
       • Provides a business and technology orientation to risk management
     • Benefits of (ISC)2 certification to the professional:
       • Confirms a working knowledge of information security
       • Confirms passing of a rigorous examination
       • Career differentiator, with peer networking and added IS credibility
       • Broadening expectation of credentials

  5. 1. Introduction / 1.3 How to become certified?
     • Determine which type of certification you are best qualified for:
       • CISSP [Certified Information Systems Security Professional]: tailored for IS professionals with a minimum of 3 years cumulative experience in one or more of the ten CBK domains
     • Understand and accept the principles stated in the (ISC)2 Certification Code of Ethics, which all certified individuals are required to adhere to.
     • Broaden your IS understanding of the Common Body of Knowledge [CBK], usually achieved through personal study guides [which can be downloaded online], taking CBK Review Seminars, keeping abreast of industry news, and familiarity with examination reference materials.
     • Take and pass the appropriate certification examination.
     • Upon passing the certification examination, keep your credential vital with continuing professional education, recertification every three years and other requirements to stay in good standing.

  6. 1. Introduction / 1.4 Code of Ethics
     Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this code is a condition of certification.
     Canons
     • Protect society, the commonwealth, and the infrastructure.
     • Act honorably, honestly, justly, responsibly, and legally.
     • Provide diligent and competent service to principals.
     • Advance and protect the profession.

  7. 1. Introduction / 1.5 CISSP Exam Structure
     • The CISSP Certification examination consists of 250 multiple-choice questions. Candidates have up to 6 hours to complete the examination. Ten CISSP information systems security test domains, pertaining to the Common Body of Knowledge, are covered in the examination:
       • Access Control Systems & Methodology
       • Applications & Systems Development
       • Business Continuity & Disaster Recovery Planning
       • Cryptography
       • Law, Investigation & Ethics
       • Operations Security (Computer)
       • Physical Security
       • Security Architecture & Models
       • Security Management Practices
       • Telecommunications & Network Security I & II

  8. 1. Introduction / 1.6 CISSP Exam Administrative Details
     • a. Exam location and date: Seoul, Korea
       • December 08, 2001
       • Dongguk University
     • b. Exam fee: $450
     • c. How to apply
       • Request an application form on the (ISC)2 website
       • Submit the application form to (ISC)2, indicating the date and region in which you wish to sit the exam
       • Once the application is accepted, a confirmation letter stating the exam venue and date is sent to the candidate
     • d. Exam results
       • Results (pass/fail) are notified about 6-8 weeks after the exam date
       • Expected passing line: a score of 70% or higher
       • After a fail, no re-sit is allowed for at least 3 months

  9. 2. The Meaning of CISSP and How to Prepare / 2.1 Positioning of the CISSP Exam
     a. It is not an exam that certifies an information security expert, but an entry-level exam.
     b. It is an exam that checks the basic common knowledge every information security professional should have.
     c. It is an exam that can be an occasion to broaden one's security perspective.
     d. There is a difference in perspective between Korean certification exams and US certification exams.
     General common sense of information security: network security, cryptography, authentication, security management, security mechanisms, OS security.
     Reference: http://www.danam21.co.kr/sjs1234

  10. 2. The Meaning of CISSP and How to Prepare / 2.2 Why is the CISSP certification needed?
     a. An opportunity for a small challenge and achievement, breaking out of the routine of daily work.
     b. An opportunity to organize and review the whole range of information security topics.
     c. Because others are getting it...
     d. A good way to present yourself to others when there is no other information to prove your expertise.
     Reference: http://www.danam21.co.kr/sjs1234

  11. 2. The Meaning of CISSP and How to Prepare / 2.3 Once you have obtained the CISSP?
     a. Join the forum and share information with CISSPs around the world.
     b. Take part in domestic activities for exchange and information sharing.
     c. Forget about the certification and cultivate real skills.
     d. Train the next generation.
     Reference: http://www.danam21.co.kr/sjs1234

  12. 2. The Meaning of CISSP and How to Prepare / 2.4 CISSP and CISA
     a. Scope (domains): CISSP 10, CISA 7
     b. Qualification (experience): CISSP 3 years, CISA 3 years
     c. Field of activity: CISSP Security, CISA Auditor
     d. Passing line: CISSP 70, CISA 75
     e. Pass rate: CISSP 30%, CISA 30-50%
     f. Difficulty
     g. Exam timing: CISSP 2-3 per year, CISA 1 per year
     h. Expertise
     i. Which comes first?
     Personal opinion: it is easier for a CISSP to become a CISA than for a CISA to become a CISSP...
     Reference: http://www.danam21.co.kr/sjs1234

  13. 2. The Meaning of CISSP and How to Prepare / 2.5 How to Prepare for the CISSP Exam
     Excerpted from Adrien de Beaupré's "Tips & Tricks to help you in your studies"
     • a. Read the following books:
       • Information Security Management Handbook, Tipton & Krause
       • CISSP Examination Textbook, Rao
     • b. Read Hal Tipton's materials
     • c. Read the ISC2 Study Guide
     • d. Read Ben Rothke's PPT
     • e. Read for one hour every day
     • f. Study intensively for at least a month
     • g. Make your own study notes
     • h. Two weeks before the exam, practice questions
     • i. In the final week, review thoroughly
     • j. Form a study group and share information with each other
     • k. Bookmark the following sites and visit them often:
       • www.cccure.org, www.isc2.org, www.sans.org, www.cissps.com

  14. 2. The Meaning of CISSP and How to Prepare / 2.5 How to Prepare for the CISSP Exam (continued)
     Excerpted from Adrien de Beaupré's "Tips & Tricks to help you in your studies"
     • l. At the exam site, bring something to drink and eat, and take breaks.
     • m. Read each question carefully at least twice before writing the answer.
     • n. You do not need to be an expert in all 10 domains; grasp the important concepts.
     • o. You do not necessarily need hands-on experience in a field to sit the exam.
     ** Additional tips
     • a. Bring an English dictionary.
     • b. When time is limited, do not dig too deeply into a question.
     • c. Make good use of the exam time.

  15. 2. The Meaning of CISSP and How to Prepare / 2.6 What CISSP Exam Preparation Training Is For
     a. Understanding of the overall areas
     b. Grasping the core concepts
     c. Interaction among participants
     d. Other details and practice questions: study on your own

  16. 3. Introduction to the CBK / 3.1 CBK Overview
     (1) Access Control Systems & Methodology
     (2) Telecommunications & Network Security
     (3) Security Management Practices
     (4) Applications & Systems Development Security
     (5) Cryptography
     (6) Security Architecture & Models
     (7) Operations Security
     (8) Business Continuity Planning & DRP
     (9) Laws, Investigations and Ethics
     (10) Physical Security

  17. 3. Introduction to the CBK / 3.2 Access Control Systems & Methodology
     • Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use and content of a system. It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system.
     • Accountability
     • Access control techniques
     • Access control administration
     • Access control models
     • Identification & authentication techniques
     • Access control methodologies & implementation
     • File & data ownership & custodianship
     • Methods of attack
     • Monitoring
     • Penetration testing
     Reference: CISSP Study Guide, ISC2

  18. 3. Introduction to the CBK / 3.2 Access Control Systems & Methodology
     • Points to understand
       • Access control concepts, methodologies and implementation within centralized and decentralized environments across the enterprise's computer systems
       • Access control techniques, detective and corrective measures should be studied to understand the potential risks, vulnerabilities, and exposures.
     Reference: CISSP Study Guide, ISC2

  19. 3. Introduction to the CBK / 3.2 Access Control Systems & Methodology
     Functions of an access control mechanism (diagram)
     (1) Identification process: User X presents identification data (name, account no.) to the access control mechanism, which holds identification data, authentication data and authorization data; the result is an identified user. Technique?
     (2) Authentication process: User X presents authentication data (remembered information, possessed objects, personal characteristics) to the access control mechanism; the result is a valid/invalid user. Issue: the Trojan horse problem; public-key systems.

  20. 3. Introduction to the CBK / 3.2 Access Control Systems & Methodology
     Functions of an access control mechanism (diagram, continued)
     (3) Authorization process: User X (the subject) issues an access request; the reference monitor, using the access control mechanism's identification, authentication and authorization data, checks the requested actions against the object (resources) and returns permitted/denied actions. Model? Technique? Implementation? Administration? Monitoring? Attack?
     * Security Policy: which rules decide who gets access to your data? It captures the security requirements of an enterprise or describes the steps that have to be taken to achieve security.
     * Security Model: captures policies for confidentiality (BLP)...; a formalisation of the security policy.
     * Resources
       • HW
       • SW
       • Commodities (processor time, disc space, ...)
       • Data
     * Action privileges
       • READ (direct read; statistical or aggregate data read only)
       • ADD (insert, append)
       • MODIFY (write)

  21. 3. Introduction to the CBK / 3.2 Access Control Systems & Methodology
     1. The Computer Security Policy Model the Orange Book is based on is:
        a. the Bell-LaPadula Model
        b. the Data Encryption Standard (DES)
        c. Kerberos
        d. Tempest
     2. Which of the following is needed for System Accountability?
        a. audit mechanisms
        b. documented design as laid out in the Common Criteria
        c. authorization
        d. formal verification of system design

  22. 3. Introduction to the CBK / 3.3 Telecommunications & Network Security
     • The Telecommunications & Network Security domain encompasses the structures, transmission methods, transport formats, and security measures used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communications networks and media.
     • ISO/OSI layers and characteristics
     • Communication network security
     • Internet/Intranet/Extranet
     • Firewalls, routers, switches, gateways, proxies
     • Protocols, services, security techniques
     • E-mail security
     • Facsimile security
     • Secure voice communications
     • Security boundaries and how to translate security policy into controls
     • Network attacks & countermeasures
     Reference: CISSP Study Guide, ISC2

  23. 3. Introduction to the CBK / 3.3 Telecommunications & Network Security
     • Points to understand
       • Communications & network security as it relates to voice communications
       • Data communications in terms of local area, wide area, and remote access
       • Intranet/Internet/Extranet in terms of firewalls, routers, and TCP/IP
       • Communications security management & techniques in terms of preventive, detective and corrective measures
     Reference: CISSP Study Guide, ISC2

  24. 3. Introduction to the CBK / 3.3 Telecommunications & Network Security
     (Diagram) OSI 7 layers; systems connected over LAN, WAN, PSTN and the Internet via routers and firewalls; e-mail systems, voice and FAX.
     • Protocols: IPSEC, SSL, PPP, ...
     • Services: ISDN, HDSL, ...
     • Security techniques: VPN, NAT, monitoring, ...
     • Attack?

  25. 3. Introduction to the CBK / 3.3 Telecommunications & Network Security
     10. Which one of the following benefits resulting from the use of secure gateways (firewalls) is not true:
        a. reduces the risks from malicious hackers
        b. prevents the spread of viruses
        c. reduces the threat level on internal systems
        d. allows centralized management and control of services

  26. 3. Introduction to the CBK / 3.4 Security Management Practices
     • Security management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and rate their vulnerabilities so that effective security controls can be implemented.
     • Security management concepts & principles
     • Change control/management
     • Data classification
     • Information/data
     • Employment policies & practices
     • Policies, standards, guidelines and procedures
     • Roles & responsibilities
     • Security awareness training
     • Security management planning
     Reference: CISSP Study Guide, ISC2

  27. 3. Introduction to the CBK / 3.4 Security Management Practices
     • Points to understand
       • The planning, organization, and roles of individuals in identifying and securing an organization's information assets
       • The development and use of policies stating management's views and position on particular topics, and the use of guidelines, standards, and procedures to support the policies
       • Security awareness training
       • The importance of confidentiality, proprietary and private information
       • Employment agreements, hiring, and termination practices
       • Risk management practices
     Reference: CISSP Study Guide, ISC2

  28. 3. Introduction to the CBK / 3.4 Security Management Practices
     (Diagram) ISO: Overview of the planning & management of IT security
     Corporate IT security policy -> Organizational aspects of IT security -> Corporate risk analysis strategy options (Baseline approach / Informal approach / Detailed risk analysis / Combined approach) -> IT security recommendations -> Risk management -> IT system security policy -> IT security plan -> Implementation (security awareness, safeguards) -> Follow-up

  29. 3. Introduction to the CBK / 3.4 Security Management Practices
     15. Which of the following is the best reason for the use of an automated risk analysis tool:
        a. much of the data gathered during the review cannot be reused for subsequent analyses
        b. automated methodologies require minimal training and knowledge of risk analysis
        c. most software tools have user interfaces that are easy to use
        d. minimal information gathering is required due to the amount of information built into the tool

  30. 3. Introduction to the CBK / 3.5 Application & Systems Development Security
     • Applications and systems development security refers to the controls that are included within systems and applications software and the steps used in their development. Applications include agents, applets, SW, DB, DW and KB systems.
     • Application issues
     • Database & DW
     • Data/information storage
     • Knowledge-based systems
     • System development controls
     • Malicious code
     • Methods of attack
     Reference: CISSP Study Guide, ISC2

  31. 3. Introduction to the CBK / 3.5 Application & Systems Development Security
     • Points to understand
       • Security & controls of the system development process, system life cycle, application controls, DW, DM, KB systems, program interfaces, and the concepts used to ensure data and application integrity, security and availability
     Reference: CISSP Study Guide, ISC2

  32. 3. Introduction to the CBK / 3.5 Application & Systems Development Security
     (Diagram) Client application <-> request/response <-> Server application <-> DB / DW. Control points: application security, DB security, application development process security. Attack?

  33. 3. Introduction to the CBK / 3.5 Application & Systems Development Security
     16. Which of the following can be used as a covert channel?
        a. Storage and timing
        b. Storage and low bits
        c. Storage and permissions
        d. Storage and classification

  34. 3. Introduction to the CBK / 3.6 Cryptography
     • The Cryptography domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity.
     • Uses of cryptography to achieve these goals
     • Cryptographic concepts, methodologies, and practices
     • Private key algorithms
     • Public key algorithms
     • PKI
     • System architecture for implementing cryptographic functions
     • Methods of attack
     Reference: CISSP Study Guide, ISC2

  35. 3. Introduction to the CBK / 3.6 Cryptography
     • Points to understand
       • Public key and private key algorithms in terms of their applications and uses
       • Algorithm construction, key distribution and management, and methods of attack
       • The application, construction, and use of digital signatures to provide authenticity of electronic transactions, and non-repudiation of the parties involved
     Reference: CISSP Study Guide, ISC2

  36. 3. Introduction to the CBK / 3.6 Cryptography
     Cryptology: the science of secret codes.
     Cryptography: deals with systems for transforming data into codes (cryptographer).
     Cryptanalysis: deals with techniques for illegitimately recovering the critical data from cryptograms (cryptanalyst).
     (Diagram) Clear text -> Encipher -> Ciphertext -> Decipher -> Clear text
     • Private key algorithm: sender and receiver share the same secret key for enciphering and deciphering.
     • Public key algorithm: the sender enciphers with the receiver's public key; the receiver deciphers with the receiver's private key.
     • PKI
     • Applications: SSL, IPSEC, HTTPS, ...
     • Attack?

  37. 3. Introduction to the CBK / 3.6 Cryptography
     Which one of the following statements about digital signatures is not true:
        a. it enhances authentication
        b. it makes repudiation by the sender possible
        c. it prevents non-repudiation by the receiver
        d. it makes repudiation by the sender impossible

  38. 3. Introduction to the CBK / 3.7 Security Architecture & Models
     • The Security Architecture & Models domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and the controls used to enforce various levels of confidentiality, integrity, and availability.
     • Principles of common computer and network organizations, architectures and designs
     • Principles of common security models (BLP, ...), architectures (IPSEC, ...), and evaluation criteria (Orange Book, ITSEC, ...)
     • Common flaws and security issues associated with system architectures and designs
     Reference: CISSP Study Guide, ISC2

  39. 3. Introduction to the CBK / 3.7 Security Architecture & Models
     • Points to understand
       • Security models in terms of confidentiality, integrity, information flow, commercial vs. government requirements
       • System models in terms of CC, ITSEC, TCSEC, IETF IPSEC
       • Technical platforms in terms of HW, firmware, and SW
       • System security techniques in terms of preventive, detective, and corrective controls
     Reference: CISSP Study Guide, ISC2

  40. 3. Introduction to the CBK / 3.7 Security Architecture & Models
     26. In Mandatory Access Control, sensitivity labels contain what information?
        a. the item's classification
        b. the item's classification and category set
        c. the item's classification, category and compartment
        d. the item's classification and its compartment
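The following is an added example, not material from the original slides or from ISC2: it ties together the authorization step of slide 20 (a reference monitor deciding on READ/ADD/MODIFY action requests under a security model, here Bell-LaPadula) and the sensitivity labels of the question above (a classification plus a category set). The levels, categories, users and objects are constructed sample data.

```python
"""Toy reference monitor enforcing Bell-LaPadula (BLP) mandatory access control.

Added illustration (not from the slides). A sensitivity label carries a
hierarchical classification and a category set; label A dominates label B
when A's level is at least B's level AND A's categories are a superset of
B's. BLP then gives two rules the reference monitor must check on every
access request:
  - simple security property (no read up):   READ needs subject >= object
  - *-property (no write down):              ADD needs object >= subject;
    MODIFY is read+write, so it needs both, i.e. equal labels.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed ordering of classification levels, low to high.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Action privileges as named on slide 20.
READ, ADD, MODIFY = "READ", "ADD", "MODIFY"


@dataclass(frozen=True)
class Label:
    classification: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when self >= other in the BLP lattice (level and categories)."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.categories >= other.categories)


def reference_monitor(subject: Label, obj: Label, action: str) -> bool:
    """Mediate one access request; returns True for permit, False for deny."""
    if action == READ:            # no read up
        return subject.dominates(obj)
    if action == ADD:             # blind append: writing up is allowed
        return obj.dominates(subject)
    if action == MODIFY:          # read+write: labels must match exactly
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown action {action!r}")


def audit_decision(user: str, subject: Label, obj_name: str,
                   obj: Label, action: str) -> str:
    """Accountability: every decision yields one audit-trail line."""
    verdict = "PERMIT" if reference_monitor(subject, obj, action) else "DENY"
    return (f"{verdict} user={user} action={action} object={obj_name} "
            f"subject=({subject.classification},{sorted(subject.categories)}) "
            f"object=({obj.classification},{sorted(obj.categories)})")


if __name__ == "__main__":
    # Constructed sample: a SECRET user cleared only for the CRYPTO category.
    alice = Label("SECRET", frozenset({"CRYPTO"}))
    objects = {
        "memo.txt":      Label("CONFIDENTIAL"),
        "keys.db":       Label("SECRET", frozenset({"CRYPTO"})),
        "warhead.doc":   Label("SECRET", frozenset({"CRYPTO", "NUCLEAR"})),
        "incident.log":  Label("TOP SECRET", frozenset({"CRYPTO"})),
    }
    for name, lbl in objects.items():
        for action in (READ, ADD, MODIFY):
            print(audit_decision("alice", alice, name, lbl, action))
```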

  41. 3. Introduction to the CBK / 3.8 Operations Security
     • Operations Security is used to identify the controls over HW, media, and the operators with access privileges to any of these resources.
     • Administrative management
     • Concepts
     • Control types
     • Operations controls
     • Resource protection
     • Auditing
     • Audit trails
     • Monitoring
     • Monitoring tools and techniques
     • Intrusion detection
     • Penetration testing techniques
     • Threats and countermeasures
     • Violations, breaches, and reporting
     Reference: CISSP Study Guide, ISC2

  42. 3. Introduction to the CBK / 3.8 Operations Security
     • Points to understand
       • The resources that must be protected, the privileges that must be restricted, the control mechanisms available, the potential for abuse of access, the appropriate controls, and the principles of good practice
     Reference: CISSP Study Guide, ISC2

  43. 3. Introduction to the CBK / 3.8 Operations Security
     (Diagram) Production operation systems (the resource) surrounded by four groups of controls:
     • Control types: preventive, detective, ...
     • Resource protection: passwords, libraries, OS, sensitive data, ...
     • Auditing: review, compliance check
     • Operations control: change management, media control, administrative control
     Reference: CISSP Study Guide, ISC2

  44. 3. Introduction to the CBK / 3.8 Operations Security
     32. It is a violation of the "separation of duties" principle when which of the following individuals accesses the security systems software:
        a. security administrator
        b. security analyst
        c. systems auditor
        d. systems programmer
     Reference: CISSP Study Guide, ISC2

  45. 3. Introduction to the CBK / 3.9 BCP & DRP
     • The BCP & DRP domain addresses the preservation of the business in the face of major disruptions to normal business operations. BCP & DRP involve the preparation, testing and updating of specific actions to protect critical business processes from the effects of major system and network failures.
     • BCP
     • DRP
     • Elements of business continuity planning
     • BCP/DRP events
     Reference: CISSP Study Guide, ISC2

  46. 3. Introduction to the CBK / 3.9 BCP & DRP
     • Points to understand
       • The difference between BCP and DRP
       • Business continuity planning in terms of project scope and planning, business impact analysis, recovery strategies, recovery plan development, and implementation
       • DR in terms of recovery plan development, implementation and restoration
     Reference: CISSP Study Guide, ISC2

  47. 3. Introduction to the CBK / 3.9 BCP & DRP
     BCP: if a man-made or natural event is minor and less destructive, the challenge is to recover from the disruption and continue support for critical functions.
     DRP: if a man-made or natural event is major and very destructive, the challenge is to recover from the disaster and restore critical functions to normal operations.
     Contingency planning steps:
     • Identifying the mission- or business-critical functions
     • Identifying the resources that support the critical functions
     • Anticipating potential contingencies or disasters (likelihood, scenarios)
     • Selecting contingency planning strategies
     • Implementing the contingency strategies
     • Testing & revising the strategies

  48. 3. Introduction to the CBK / 3.9 BCP & DRP
     37. Which of the following *must* be at a "hot site"?
        a. Backup data, computers, climate control, cables and peripherals
        b. Computers and peripherals
        c. Computers, peripherals, and dedicated climate control systems
        d. Dedicated climate control systems

  49. 3. Introduction to the CBK / 3.10 Law, Investigations & Ethics
     • The Law, Investigations, and Ethics domain addresses computer crime laws and regulations; the investigative measures and techniques that can be used to determine whether a crime has been committed and the methods to gather evidence if it has; as well as the ethical issues and code of conduct for the security professional.
     • Laws
     • Major categories and types of laws
     • Investigations
     • Major categories of computer crime
     • Incident handling
     • Ethics
     Reference: CISSP Study Guide, ISC2

  50. 3. Introduction to the CBK / 3.10 Law, Investigations & Ethics
     • Points to understand
       • The method for determining whether a computer crime has been committed
       • The law that would be applicable to the crime
       • Laws prohibiting specific types of computer crime
       • Methods to gather and preserve evidence of a computer crime; investigative methods and techniques
       • The way in which RFC 1087 and the ISC2 Code of Ethics
     Reference: CISSP Study Guide, ISC2
