
CNIT 125: Information Security Professional (CISSP Preparation)

Spring 2010 Sam Bowne

Scores posted 3-3-10


CNIT 125 39694 501 WED 6-9 meets in SCIE 108 6:00-7:30, then moves to SCIE 215 & 214

Catalog Description

Covers information security in depth, including access control, application security, business continuity, cryptography, risk management, legal issues, physical security, and telecommunications and network security. This class helps to prepare students for the Certified Information Systems Security Professional (CISSP) credential, which is essential for high-level information security professionals.

Advisory: Students should have taken CNIT 123, or hold the Certified Ethical Hacker credential, or have equivalent knowledge of basic security.

Upon successful completion of this course, the student will be able to:
  1. Explain security and risk management.
  2. Define and implement access controls.
  3. Assess application security.
  4. Plan for business continuity and disaster recovery.
  5. Apply cryptography correctly to protect information.
  6. Explain legal regulations and ensure compliance.
  7. Perform investigations, preserve evidence, and cooperate with law enforcement authorities.
  8. Explain codes of conduct and ethical issues.
  9. Maintain security of operations.
  10. Assess physical and environmental security.
  11. Design security architecture.
  12. Explain telecommunications and network security.

Textbook

CISSP Guide to Security Essentials, 1st Edition, by Peter Gregory, ISBN-10: 1435428196




Schedule

Date       Quiz               Topic
Wed 1-20                      Ch 1: Information Security and Risk Management
Wed 1-27                      Ch 1: Information Security and Risk Management
Wed 2-3                       Ch 2: Access controls
Fri 2-5                       Last Day to Add Classes
Wed 2-10   Quiz on Ch 1       Ch 2: Access controls
Wed 2-17   Quiz on Ch 2       Ch 3: Application Security
Mon 2-22                      Last Day to Request Pass/No Pass Grading
Wed 2-24                      Ch 3: Application Security; Training
Wed 3-3    Quiz on Ch 3       LOCKDOWN; Ch 4: Business Continuity and Disaster Recovery Planning
Wed 3-10   No Quiz            Email keys must be published by 8 PM; Karin Nelson: Resume Writing Workshop
Wed 3-17                      Class Cancelled
Wed 3-24   Quiz on Ch 4 & 5   Resume due; Ch 6: Legal, Regulations, Compliance and Investigations
Wed 3-31                      Holiday - No Class
Tue 4-6                       Mid-Term Grades Due
Wed 4-7    Quiz on Ch 6       Ch 7: Operations Security
Wed 4-14   Quiz on Ch 7       Ch 8: Physical and Environmental Security
Fri 4-17                      Last Day to Withdraw
Wed 4-21   No Quiz            Guest Speaker: To Be Announced
Wed 4-28   Quiz on Ch 8       Ch 9: Security Architecture and Design
Wed 5-5    Quiz on Ch 9       Ch 10: Telecommunications and Network Security
Wed 5-12                      Ch 10: Telecommunications and Network Security
Wed 5-19                      Last Class: Review
Wed 5-26                      Final Exam: 9 am Room 215





Lecture Notes

Policy
Student Agreement
Introduction to CNIT 125
Encrypted email setup guide
1: Information Security and Risk Management    PowerPoint
2: Access controls    PowerPoint
3: Application Security    PowerPoint
   OWASP's Top Ten Web Application Risks
4: Business Continuity and Disaster Recovery Planning    PowerPoint
5: Cryptography    PowerPoint
6: Legal, Regulations, Compliance and Investigations
7: Operations Security
8: Physical and Environmental Security
9: Security Architecture and Design
10: Telecommunications and Network Security
The lectures are in Word and PowerPoint formats. If you do not have Word or PowerPoint you will need to install the Free Word Viewer 2003 and/or the Free PowerPoint Viewer 2003.



Projects


Instead of the usual homework assignments, students will all work together in teams, led by student managers, to perform real security audits of real information systems. Every student will be required to sign a non-disclosure agreement. The security issues we find will be held in confidence, and we will contact the administrators of the vulnerable systems and try to convince them to amend the problems.

Students are required to prepare professional resumes, and encouraged to include their participation in this class as work experience.


Links

Introduction to CISSP and CNIT 125
CISSP 1: CISSP Education & Certification
CISSP 2: (ISC)2 | Certified Information Security Education
CISSP 3: CISSP was the third highest salaried certification in 2009
CISSP 4: DOD 8570 requires CISSP, Sec+, and other certs for all gov't Information Assurance employees
CISSP 5: CISSP exam prices
CISSP 6: (ISC)2 Code of Ethics
CISSP 7: Associate of (ISC)² Certification
CISSP 8: SSCP Education & Certification
CISSP 9: Exam Prices (pdf)
CISSP 10: Test Prep: 10 Tips For Preparing and Passing the CISSP Exam
CISSP 11: How to get continuing education credit for CISSP certification holders

Links for Chapter Lectures
Ch 1a: CCSF Catalog Mission Statement
Ch 1b: Mission statement - Wikipedia, the free encyclopedia
Ch 1c: Objective(Goal) - Wikipedia
Ch 1d: Objective Definition | Definition of Objective at Dictionary.com
Ch 1e: NIST 800-30: Risk Management Guide for Information Technology Systems
Ch 1f: ISO27k infosec management standards
Ch 1g: ISO/IEC 27001 - Wikipedia
Ch 1h: Assessing risk of IE 0day vulnerability
Ch 1i: Information Security Governance (pdf)
Ch 1j: SANS: Information Security Policy Templates
Ch 1k: Sarbanes-Oxley Act - Wikipedia
Ch 1l: The Sarbanes-Oxley Act 2002

Ch 3a: OWASP
Ch 3b: Vulnerability scanners miss 49% of the vulns they are looking for (see figure near bottom of article)
Ch 3c: Memory Parsing Vulnerability being used to steal credit card numbers (pdf)

Miscellaneous Links
The 7 Psychological Principles of Scams: Protect Yourself by Learning the Techniques
Exposing Network Vulnerabilities -- Campus Technology

New Unsorted Links
Ch 3d: OWASP Top Ten Web Application Vulnerabilities
Ch 3e: Object Oriented Database Management Systems
Ch 2a: Active Directory's LDAP Compliance
The Apache Cassandra Project--highly scalable distributed database
Ch 5a: Substitution cipher - Wikipedia
Ch 5b: Transposition cipher - Wikipedia
Ch 5c: Running key cipher - Wikipedia
Ch 5d: NIST Recommendation for Block Cipher Modes of Operation (pdf)
Ch 5e: NIST Cryptographic Algorithms and Key Sizes (1024-bit RSA no longer recommended)
Ch 5f: US-CERT Vulnerability Note VU#836068--MD5 vulnerable to collision attacks
Ch 5g1: NIST.gov - Federal agencies should stop using SHA-1

Last Updated: 3-6-10 5 pm