CISSP Certification

Audience

This course is for any and all IT staff seeking CISSP Certification. CISSP certification is considered one of the most actively pursued certifications in the IT/IS security arena across the globe.

Prerequisites

Students should have a fundamental understanding of local area networks as well as the functions of the seven layers in the Open Systems Interconnection (OSI) reference model.

Duration

5 days.

This course is available on site only. Please call for details.

Course Objectives

This intensive CISSP course aims to enable delegates to pass the CISSP certification examination. The course is based on the revised Official (ISC)² Guide to the CISSP CBK, Third Edition, 2013 (CRC Press; authors Harold F. Tipton and Steven Hernandez). The course format is presentation with subject discussion, followed by a sample test based around the domain subject covered, to help reinforce the delegate's understanding of the material. There is a final across-domains test at the end of the course to help students understand the examination format and to provide feedback on their knowledge base.

Course Content

Domain 1: Access Control
Access Control – Introduction, Definitions and Concepts:
• Authentication and Identity Management / Authorisation / Accountability.
Pillars of Security – CIA TRIAD.
Access Control Objectives:
• Preventive/Administrative, Logical (Technical), Physical.
• Detective/Administrative, Logical (Technical), Physical.
Types and Category of Access controls.
Access controls techniques:
• Mandatory Access Control (MAC) / Discretionary Access Control (DAC).
• Role-Based Access Control (RBAC) / Rule-Based Access Control.
Memory Cards.
Biometric Based Access Control.
Password management.
Kerberos Cryptosystem:
• Kerberos Components. 
• Kerberos Process.
SESAME.
Federated Management.
Single Sign-on (SSO).
Directory Technologies.
Intrusion Detection Systems (IDS).
Security Information and Event Management (SIEM).
Threats:
• Malicious Software/ Virus/ Trap Door / Logic Bomb.
• Blaster Worm, Denial of Service SYN Attack.
Threat Modelling.
Threat Evaluation.
Risk Analysis:
• Quantitative & Qualitative Risk Assessment.
Penetration testing:
• Zero Knowledge.
• Partial Knowledge.
• Full Knowledge.
Review and questions.

Domain 2: Telecommunications & Network Security
Telecommunications and Network Security.
Intrusion Detection Systems:
• Network-based ID systems.
• Host-based ID systems.
• Knowledge-based ID Systems.
• Behaviour-based ID Systems.
Open Systems Interconnection (OSI) 7 layer model:
• OSI 7 layer model components.
• TCP/IP protocol Stack, Ethernet Frame.
• IP Address and Classes.
• Subnetting or classless addressing.
• IPv6.
• RIP and RIP II, OSPF.
• Link-State Vector Algorithm.
Port Numbers; Sockets; Ranges.
Supervisory Control and Data Acquisition (SCADA):
• SCADA security.
• SCADA Protocols.
• Security-Enhanced Protocols.
Firewalls:
• IPSec.
• SOCKS Gateway.
• Network Address Translation (NAT), Virtual Private Network (VPN).
• Layer 2 Tunnelling Protocol (L2TP).
• Point-to-Point Tunnelling Protocol (PPTP).
• Secure Socket, Secure Shell (SSH-2).
Network Components.
Network Topologies:
• Wireless Security WPA versus WEP.
• Inherent Weakness in Wireless (RF) Technology.
• Carrier Sense Multiple Access, Collision Detection (CSMA/CD).
• Multiprotocol Label Switching (MPLS).
VOICE Communication:
• Session Initiation Protocol (SIP).
• Peer to Peer (P2P), Instant Messaging (IM).
Integrated Services Digital Network (ISDN):
• Basic and primary Rate Interface.
• Narrowband and Broadband ISDN.
ISDN Network Components:
• Digital Subscriber Line (DSL).
• Interfaces: X.21, V.35, Frame relay.
• Asynchronous Transfer Mode (ATM).
Network Attacks:
• Defence In Depth (external perimeter).
• Layer Defence (internal IT asset).
• Security Information and Event Management (SIEM).
Review and questions.

Domain 3: Information Security Governance & Risk Management
Information Security Management.
Security Governance Organisations:
• National Institute of Standards and Technology (NIST).
• IT Governance Institute (ITGI).
• IT Governance Institute (ITGI) and Sarbanes-Oxley Act.
• Control Objectives for Information and Related Technology (COBIT).
• COBIT – 5 Guiding principles.
• COBIT – 7 categories of enablers.
• Committee of Sponsoring Organizations of Treadway Commission (COSO).
• COSO Principles.
• Information Technology Infrastructure Library (ITIL).
• ISO 27001:2005.
• ISO 27001:2013.
Security Roles and Responsibilities:
• Due Care, Due Diligence and The Sarbanes-Oxley Act (SOX).
Developing and Implementing a Security Policy:
• Types of Security Policies.
• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE).
• Security Officers Management and Analysis Project (SOMAP).
Value at Risk (VAR):
• Common Vulnerabilities and Exposures (CVE).
Threats and Threat Categories:
• Risk Management Process.
• Risk Management Steps.
• Risk Assessment.
• Risk Evaluation – EF, SLE, ARO and ALE Definitions.
• Risk Assessment Analysis.
• Risk Likelihood Descriptors.
• Risk Avoidance, Transfer or Mitigation.
• Risk Acceptance or Assignment.
Intangible Asset Evaluation:
• Trademarks.
• Patents.
• Copyright.
• Business Processes.
• Brand recognition.
• Intellectual property.
Personnel Security Controls.
Review and questions.

Domain 4: Software Development Security
Security in the development Life cycle:
• Development Life cycle.
• Functional requirements. 
• Design Specifications.
• Development and Implementation.
• Controls.
Security and Software Development Life Cycle Concepts:
• Software Engineering.
• Software Issues.
• Security Software Life Cycle Issues.
SDLC Requirements Phase:
• SDLC Design Phase.
• Testing Phase.
• Deployment Phase.
• Maintenance.
• Sources of Risk in an Integration System.
Security Controls in SDLC Environments:
• Waterfall Model.
• Spiral Model.
• Agile Models.
• Clean room/ Clean environment approach.
Threat Modelling Steps:
• Threat Trees.
Secure Coding Standards:
• Secure Coding Practices.
• Open and Closed Source Programs.
Software Maintenance Phase and Change Control Process:
• Configuration Management.
• Software Capability Maturity Model (CMM).
• Change Management and Issues.
• Configuration Management.
• System Build.
Bluetooth devices:
• Bluetooth Architecture and Risks.
Prototype Modelling:
• Rapid Application development.
• Joint Application Development.
Object Oriented Organisations:
• Object Oriented Systems.
• Artificial Intelligence.
Software Security:
• Sandbox.
• Java Security.
• BYOD Security.
• Covert Channels.
Database Vulnerabilities.
Summary and Questions.

Domain 5: Cryptography
Cryptography - Definitions and Concepts:
• Cryptosystems Security Services.
• Keys (Master Key, Shared Key, Secret Key).
Types of Ciphers:
• Substitution Ciphers.
• Transposition Ciphers.
• Key Derivation Functions.
• One-Time Pad.
• Steganography.
Symmetric vs. Asymmetric Algorithms:
• Symmetric and Asymmetric Cryptography.
• Asymmetric algorithms.
Block and Stream Ciphers and DES:
• Block Ciphers.
• Cipher Block Chaining.
• Stream Ciphers.
• Cipher Feedback (CFB) Mode.
• Output Feedback (OFB) Mode.
• Counter (CTR) Mode.
Hybrid Cryptography Using Symmetric & Asymmetric Systems:
• Algorithmic Systems.
• Triple-DES (TDEA—Triple Data Encryption Algorithm).
• Electronic Code Book (ECB) Mode.
• Advanced Encryption Standard.
• International Data Encryption Algorithm (IDEA).
• RSA, RC4, RC5, RC6 variants.
• Public Key Cryptography v Public Key Infrastructures.
• Diffie–Hellman and D-H key exchange mechanism.
• El Gamal and Elliptic Curve Cryptosystems.
• Cyclic Redundancy Check (CRC) & Message authentication code (MAC).
• Public Key Infrastructure.
• Key Management Rules.
Multipurpose Internet Mail Extension (MIME):
• HTTP, S/HTTP and TPM.
Attacks:
• Passive attack, Active attack.
• Ciphertext-only attack, Chosen-ciphertext attack.
• Known-plaintext attack, Chosen-plaintext attack.
• Replay attack.
• Side-channel attack.
• Algebraic attack, Analytic attack, Statistical attack.
• Meet-in-the-middle attack.
• Differential cryptanalysis, Linear cryptanalysis.
Review and Questions.

Domain 6: Security Architecture And Design
Enterprise Security Architecture:
• Zachman Framework for Enterprise Architecture.
• Zachman Framework Model.
• SABSA Framework.
• SABSA Security Framework Model.
• TOGAF.
• Information Technology Infrastructure Library (ITIL).
• ITIL – Processes.
• Common Security Service Processes.
Enterprise Security Architecture:
• Computer Architecture.
• Computer Memory.
• Random Access Memory, Read Only Memory.
• Virtual memory, Swap file and Page faults.
• Memory Leaks, Memory Leaks Guarding.
• Memory Address Modes.
• Operating Systems Modes.
• Mobile Operating System.
• Thread Management.
• Input/Output Device Management.
• Application Programming Interface (API).
Types of Security Models:
• State Machine Model.
• Multilevel lattice model.
• Non interference model.
• Matrix based Models.
• Information flow models.
• Bell-LaPadula Confidentiality Model.
• Strong star model.
• Biba integrity model.
• Clark-Wilson Model.
• Lipner Model.
• Harrison-Ruzzo-Ullman Model.
• Brewer-Nash Model.
• Graham-Denning Model.
• Trusted Computer System Evaluation Criteria (TCSEC).
• TCSEC Evaluation Levels.
• Information Technology Security Evaluation Criteria (ITSEC).
• Target of Evaluation (TOE) Criteria.
• ITSEC ratings.
• Common Criteria for Information Technology Security Evaluation.
• Common Criteria model - Product EAL Rating.
Industry and International Security Implementation Guidelines:
• ISO 27002 – Code of Practice and Sections.
COBIT:
• Payment Card Industry Data Security Standard (PCI-DSS).
• Software and System Vulnerabilities and Threats.
Summary, Review and Questions.

Domain 7: Security Operations
Security Operations:
• Definition.
• Controls.
• C.I.A.
• Vulnerabilities, Threats and Assets.
Threat Modes:
• Covert channel.
• Lack of parameter checking.
• Maintenance hook.
• Time of Check to Time of Use (TOC/TOU) attack.
Threat Management:
• Need to Know.
• Least Privilege.
• Separation of Duties.
• Job Rotation.
• Monitoring.
Maintaining Operational Resilience:
• Scanning profiles.
• Vulnerability Scanning.
• Vulnerability Scanning (Results).
• Reporting.
• Patch Management and Remediation.
• Network and Software Auditing.
Due Care, Due Diligence and Duty:
• Records Management Controls.
• Information classification.
• Audit management.
• Security issues & audit logs.
• Retention and control of information media.
• Media Marking.
• Handling and Storage.
System Resilience and Fault Tolerance:
• Trusted Path and Fail Secure Mechanisms.
• RAID Levels (0–6, 0+1, 10).
• RAIT and RAIL.
Clustering.
Spares or Standbys:
• Hot Spares.
• Cold Spare.
• Warm Spares.
Backup Modes:
• Data destruction.
Review, Summary and Questions.

Domain 8: Business Continuity & Disaster Recovery Planning
Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP):
• BCP Processes and Timeline.
• Four Prime Elements of BCP.
• BCP - Roles and Responsibilities.
Business Impact Assessment:
• Resource Requirements.
• Goals and Objectives BCP and DRP.
• BCP Services provision.
• BCP Standby Sites.
Resource Management – Fault Tolerance & Redundancy:
• BCP – Awareness Campaign.
• Software Escrow.
Five Point Disaster Recovery Plan:
• Checklist.
• Structured Walk-Through Test.
• Simulation Test.
• Parallel Test.
• Full-interruption Test.
Business Disruption Classification:
• Recovery Objectives.
• Recovery Time Objective (RTO).
• RPO – Recovery Point Objective.
• Recovery Time Term.
Review, Summary and Questions.

Domain 9: Legal, Regulation, Investigation & Compliance
Law, Investigation and Ethics.
Types of Laws:
• Comparison: Common Law versus Civil Law Systems.
• Legal Systems of the World.
• Intellectual Property And Privacy Laws.
• Information Privacy Laws.
Types Of Computer Crimes:
• Import/Export Trans-border Data flow and Privacy.
Professional Ethics:
• HIPAA - US Privacy.
• Sarbanes-Oxley Act.
• Computer Fraud and Abuse Act.
Declaration of Integrity:
• (ISC)² - CISSP Code of Ethics Canons & Objectives for Guidance.
Incident Management.
Incident Response Procedures:
• Supporting Investigations.
• Digital Forensic Science.
• Forensic Preservation and Extraction.
• Analysis and Factual Reporting.
Cybercrime in the Public and Private Sectors.
Review, Summary and Questions.

Domain 10: Physical Security
Physical Controls.
Environmental Influences.
Target Identification.
Threat Matrix:
• Threat Probability Ranking.
• Crime Prevention through Environmental Design.
Choice of Secure Site:
• Designing a Secure Site.
• Emergency Procedures.
Types of Security related Glass:
• Fire retardant equipment.
• Operational Perimeter Security (Defence in Depth).
Physical Access Control:
• Physical Intrusion Detection Systems.
• Physical and Biometric Access Control Systems.
Audit Trails.
Evidence Gathering:
• IT Forensic Investigators.
• Forensic Science.
• Forensics Field Kit.
• Documentation.
• Evidence: Mechanical tools.
• Evidence: Packaging and Transportation.
• Evidence Relevance.
• Evidence Strength.
Review, Summary and questions.

On-Site Courses

Can't attend one of our public classes? Booking for multiple people?

All our courses are available on your site! Delivered for your staff, at your premises.

Contact us to find out more...