text (9K)

Information Security Professional
(CISSP Preparation)

Texas State Working Connections
Mon, July 12 - Fri, July 16, Frisco, TX
Sam Bowne

Schedule · Lecture Notes · Projects · Links · Home Page

 

Class Description

Covers information security thoroughly, including access control, application security, business continuity, cryptography, risk management, legal issues, physical security, and telecommunications and network security. This class helps to prepare students for the Certified Information Systems Security Professional (CISSP) credential, which is essential for high-level information security professionals. Students are strongly encouraged to practice with the Transcender prep tests before taking the exam, and access to those tests will be included in the class.

There will be many hands-on projects, but they will not be typical artificial homework assignments. Instead, the class will work in small teams, led by students selected to be managers. Each team will have different projects, and we will all work together as a company to perform a real security audit of a real network. Students will be required to sign and honor a non-disclosure agreement, because we will be finding real security problems, violations, and confidential data. Our tasks will involve using technical skills to locate and analyze problems, and also using social, business, and communication skills to help the network's administrators understand and fix problems.

Students who are not willing to be bound by a non-disclosure agreement should not take this class, and they should not be pursuing a career in information security, either. The reason the CISSP certification is so highly valued is that certified professionals can be trusted--they are technically competent, responsible, and aware of their role and their limitations. This class provides both academic training and real-world experience to help develop those virtues.

Prerequsites: Students should have Network+ and Security+ level understanding of networking and security. Previous experience of hacking is helpful but not required.

Upon successful completion of this course, the student will be able to:

  1. Explain security and risk management.
  2. Define and implement access controls.
  3. Assess application security.
  4. Plan for business continuity and disaster recovery.
  5. Apply cryptography correctly to protect information.
  6. Explain legal regulations and ensure compliance.
  7. Perform investigations, preserve evidence, and cooperate with law enforcement authorities.
  8. Explain codes of conduct and ethical issues.
  9. Maintain security of operations.
  10. Assess physical and environmental security.
  11. Design security architecture.
  12. Explain telecommunications and network security.

Textbook

CISSP Guide to Security Essentials, 1st Edition, by Peter Gregory ISBN-10: 1435428196 Buy from Amazon


Schedule

Date Topic
Mon, July 12  Ch 1: Information Security and Risk Management
Ch 2: Access controls
Tue, July 13  Ch 3: Application Security
OWASP's Top Ten Web Application Risks
Ch 4: Business Continuity and Disaster Recovery Planning
Wed, July 14  Ch 5: Cryptography
Ch 6: Legal, Regulations, Compliance and Investigations
Wardriving
Thu, July 15  Ch 7: Operations Security
Ch 8: Physical and Environmental Security
Ch 9: Security Architecture and Design
Fri, July 16  Ch 10: Telecommunications and Network Security




Lecture Notes

Policy
Student Agreement
Introduction to CNIT 125
Encrypted email setup guide
 
1: Information Security and Risk Management    PowerPoint    PowerPoint with iClicker Questions
2: Access controls    PowerPoint    PowerPoint with iClicker Questions
3: Application Security    PowerPoint    PowerPoint with iClicker Questions
   OWASP's Top Ten Web Application Risks
4: Business Continuity and Disaster Recovery Planning    PowerPoint    PowerPoint with iClicker Questions
5: Cryptography    PowerPoint    PowerPoint with iClicker Questions
6: Legal, Regulations, Compliance and Investigations    PowerPoint    PowerPoint with iClicker Questions
7: Operations Security    PowerPoint    PowerPoint with iClicker Questions
8: Physical and Environmental Security    PowerPoint    PowerPoint with iClicker Questions
9: Security Architecture and Design    PowerPoint    PowerPoint with iClicker Questions
10: Telecommunications and Network Security    PowerPoint    PowerPoint with iClicker Questions
The lectures are in Word and PowerPoint formats.
If you do not have Word or PowerPoint you will need to install the
Free Word Viewer 2003 and/or the Free PowerPoint Viewer 2003.


Back to Top

Projects


Instead of the usual homework assignments, students will all work together in teams, led by student managers, to perform real security audits of real information systems. Every student will be required to sign a non-disclosure agreement. The security issues we find will be held in confidence, and we will contact the administrators of the vulnerable systems and try to convince them to amend the problems.

Students are required to prepare professional resumes, and encouraged to include their participation in this class as work experience.

New for Summer 2010

Encrypted email with Gnu & Thuinderbird

From Spring 2010

Encrypted Email Setup
Backing up a Private Key
NDA from Spring 2010
Back to Top

Links

Introduction to CISSP and CNIT 125
CISSP 1: CISSP Education & Certification
CISSP 2: (ISC)2 | Certified Information Security Education
CISSP 3: CISSP was the third highest salaried certification in 2009
CISSP 4: DOD 8570 requires CISSP, Sec+, and other certs for all gov\'t Information Assurance employees
CISSP 5: CISSP exam prices
CISSP 6: (ISC)2 Code of Ethics
CISSP 7: Associate of (ISC)˛ Certification
CISSP 8: SSCP Education & Certification
CISSP 9: Exam Prices (pdf)
CISSP 10: Test Prep: 10 Tips For Preparing and Passing the CISSP Exam
CISSP 11: How to get continuing education credit for CISSP certification holders

7 Types of Hard CISSP Exam Questions and How To Approach Them
How I Prepared for the CISSP Exam--Sam Bowne
A CISSP Study Plan Memoir
CISSP Practice Test

Links for Chapter Lectures
Ch 0a: How Dan Kaminsky broke and fixed DNS
Ch 0b: The Most Dangerous Man in Cyberspace
Ch 0c: JadedSecurity » What the CISSP won*quot*t teach you
Ch 0d: Modern Day Witch Hunting by CISSP Members Minus The Ergot
Ch 0e: My Canons on (ISC)˛ Ethics - Such as They Are
Ch 0f: Dan Kaminsky & Kevin Mitnick Hacked
Ch 0g: How Byron Sonne\'s obsession with the G20 security apparatus cost him everything
Ch0h: Anonymous hacker quits, calls group\'s members hypocrites and its efforts fruitless
Byron Sonne, G20 \"Bomber\", Was a CISSP--Certification Suspended (2010-06-25)

Ch 1a: CCSF Catalog Mission Statement
Ch 1b: Mission statement - Wikipedia, the free encyclopedia
Ch 1c: Objective(Goal) - Wikipedia
Ch 1d: Objective Definition | Definition of Objective at Dictionary.com
Ch 1e: NIST 800-30:Risk Management Guide for Information Technology Systems
Ch 1f: ISO27k infosec management standards
Ch 1g: ISO/IEC 27001 - Wikipedia
Ch 1h: Assessing risk of IE 0day vulnerability
Ch 1i: Information Security Governance (pdf)
Ch 1j: SANS: Information Security Policy Templates
Ch 1k: Sarbanes-Oxley Act - Wikipedia
Ch 1l: The Sarbanes-Oxley Act 2002
Ch 1m: Operation Aurora - Wikipedia

Ch 2a: Active Directory\'s LDAP Compliance

Ch 3a: OWASP
Ch 3b: Vulnerability scanners miss 49% of the vulns they are looking for (see figure near bottom of article)
Ch 3c: Memory Parsing Vulnerability being used to steal credit card numbers (pdf)
Ch 3d: OWASP Top Ten Web Application Vulnerabilities
Ch 3e: Object Oriented Database Management Systems

Ch 5a: Substitution cipher - Wikipedia
Ch 5b: Transposition cipher - Wikipedia
Ch 5c: Running key cipher - Wikipedia
Ch 5d: NIST Recommendation for Block Cipher Modes of Operation (pdf)
Ch 5e: NIST Cryptographic Algorithms and Key Sizes (1024-bit RSA no longer recommended)
Ch 5f: US-CERT Vulnerability Note VU#836068--MD5 vulnerable to collision attacks
Ch 5g1: NIST.gov - Federal agencies should stop using SHA-1

Ch 6a: Differences between Civil and Criminal Law in the USA
Ch 6b: NET Act - Wikipedia
Ch 6c: The technique of computer matching
Ch 6d: Privacy Act Overview, 2010 Edition: Computer Matching

Ch 7a: Security Control Types and Operational Security

Ch 8a: Man Trap
Ch 8b: Crash gates
Ch 8c: How to Calculate HVAC Tonnage

Ch 9a: Bell-La Padula model - Wikipedia
Ch 9b: Biba Model - Wikipedia
Ch 9c: Clark-Wilson model - Wikipedia
Ch 9d: Non-interference (security) - Wikipedia
Ch 9e: Common Criteria - Wikipedia
Ch 9f: Bus (computing) - Wikipedia
Ch 9g: Ring (computer security) - Wikipedia
Ch 9h: Windows Architecture--only rings 0 and 3 are used
Ch 9i: Lock My PC backdoor password

Ch 10a: Multiprotocol Label Switching - Good explanation of why MPLS will replace ATM
Ch 10b: Verizon Wireless -and CDMA
Ch 10c: CLEAR 4G Wireless Broadband Internet Service--WIMAX
Ch 10d: How to reach maximum 802.11n speed and throughput
Ch 10e: Near Field Communication - Wikipedia
Ch 10f: Address Resolution Protocol - Could be regarded as an OSI model layer 2 or 3 protocol
Ch 10g: TCP/IP model - Wikipedia
Ch 10h: Anycast - Wikipedia
Ch 10i: Is RIP layer 3 protocol or layer 7 protocol? : layer, rip, protocol

SSL-1: Security Certificate Warnings Don\\\'t Work
SSL-2: Boffins bust web authentication with game consoles
SSL-3: VeriSign remedies massive SSL blunder (kinda, sorta)
SSL-4: MD5 Hack Interesting, But Not Threatening
SSL-5: National Software Reference Library--Md5 not recognized
SSL-6: FIPS 140-2 (2001) can be downloaded here
SSL-7: 14% of SSL certificates on the Internet potentially unsafe
SSL-8: China Internet Network Information Center accepted as a Mozilla root CA
SSL-9: Bug 549701 %u2013 Remove inactive RSA Security 1024 V3 root
SSL-10: Vulnerabilities Allow Attacker to Impersonate Any Website
SSLstrip & Slowloris & Scary SSL Attacks (ppt)
Safe--countermeasure for sslstrip attack


Miscellaneous Links
The 7 Psychological Principles of Scams: Protect Yourself by Learning the Techniques
Exposing Network Vulnerabilities -- Campus Technology
The Apache Cassandra Project--highly scalable distributed database
CISSP 12: GIAC Research in the Common Body of Knowledge -- Good white papers for the ten CISSP domains
Web Security Tools˛: skipfish and iScanner--excellent introduction to these tools
Information Security Careers Cheatsheet
Luhn Check - MOD 10 Algorithm
LOQMail--encrypted email solution, free 30-day trial
Data Encryption | First Data--End-to-end encryption to completely escape PCI Compliance requirements
Project: www.rcfl.org - /downloads/ -- directory traversal vulnerability
How To Get Your Very Own Free SSL Certificate
Tech//404 -- Calculates expected financial loss for lost records
Rainbow Series - Wikipedia, the free encyclopedia
Orange Book--Reference Monitor and Security Kernel
Security modes - The four MAC modes: Dedicated, System high security, Compartmented, Multilevel
Acosta v Byrum--very important precedent for HIPPA-based lawsuits
An Illustrated Guide to IPsec
LOMAC -- Linux method for protecting integrity of system files
Fix to save restore points in a dual-boot
DOD offers tiny, secure linux distribution -- 125 Project
Google's Web Application Security Training Resource - Jarlsberg.appspot.com -- Better than WebGoat?
Integrating Nessus with BackTrack 5's Tools -- CNIT 125 Project
The Ultimate Web App Security Scanner Comparison Published - AppScan Standard Leads the Pack <--Project ideas
Pingdom stores & transmits passwords in cleartext -- possible project
John The Ripper Hash Formats --useful for projects
More SQL injections; apparently hotels in TN -- COLD CALLS DATA
Yale Gets Google Dorked -- project idea

New Unsorted Links
Ch 2b: Crack Password Hashes in Lion -- OS X 10.7 - Hack Mac
Ch 2c: Lockheed Says Hacker Used Stolen SecurID Data - NYTimes.com
2d: Amazon.com: Ghost in the Wires: My Adventures as the World*quot*s Most Wanted Hacker (9780316037709): Kevin Mitnick, Steve Wozniak, William L. Simon: Books
2e: Mitnick fakes way into LA Telco Central Office - YouTube
2011-09-14: EMET - Whitelisting for Windows -- Good CNIT 125 Project
Lilith -- Web Application Security Audit Tool | Darknet - PROJECT IDEA
WAVSEP -- Web Application Vulnerability Scanner Evaluation Project -- PROJECT IDEA
0-Day SCADA Exploits Released, Publicly Exposed Servers At Risk -- COLD CALLS PROJECT DATA
Windows 7 kernel ASLR research. Statistics on number of unique images addresses per 100 OS runs -- POSSIBLE PROJECT
Bypassing Chrome*quot*s Anti-XSS filter --GOOD PROJECT IDEA
Fake Twitter typosquatting page -- DO NOT LOG IN -- PROJECT IDEA -- Find more of these & take them down
Cold Calls Project Instructions
New Attack Breaks Confidentiality Model of SSL, Allows Theft of Encrypted Cookies -- GOOD PROJECT
NetworkMiner 1.1 - Network Forensic Analysis Tool (NFAT) Released ~
NetworkMiner 1.1 - Network Forensic Analysis Tool (NFAT) Released -- PROJECT IDEA
Free Proxy - Surf Anonymously & Hide Your IP Address - Hide My Ass! <--PROJECT IDEA
Certificate Patrol <--PROJECT IDEA
From the man who discovered Stuxnet, dire warnings one year later - CSMonitor.com
2011-09-28: Flawfinder -- source code security scanner <--PROJECT IDEA
2011-09-29: sqli1 - Pastebin.com -- More data for CNIT 125 Projects
Google tracks you. We don*quot*t. An illustrated guide.
Except for nuclear power plants, no regulations govern how to secure systems against cyber-attacks
More SCADA vulns for Cold Calls -- atvise
Interesting SCADA Security Presentation (from 2004)
2011-10-08: Securing Flash Drives within the Enterprise
2011-10-11: Bestcasuals.com Vuln Audit. _St0rm - Pastebin.com -- PROJECT DATA
Ethics Project: (ISC)˛ Ethics Complaint Procedure
Ethics Project: (ISC)2 Code of Ethics
2011-10-14: jjghui - Google Search -- MORE COLD CALLS DATA -- INFECTED WEBSITES
Mass infections from jjghui.com/urchin.js (SQL injection) <--MORE INFO FOR COLD CALLS
2011-10-15: Jadedsecurity emails re: CISSP
My Canons on (ISC)˛ Ethics - Such as They Are -- Jericho from Attrition
(ISC)^2 Code of Ethics PDF
2011-10-19: Over a million web sites affected in mass SQL injection attack -- MORE INFO FOR COLD CALLS
2011-10-28: Government websites with SQLi <--MORE FRESH COLD CALLS DATA
Sample Contact Letter for Government Cold Calls
Preventing SQL Injection in Java - OWASP --COLD CALLS INFORMATION
Huge list of vulnerable Web apps for training -- PROJECT IDEAS

Ch 10j: 3GPP Long Term Evolution - Wikipedia

Ch 10k: Frame Injection at Layer 1: 802.11 Packets in Packets

Computer Security -- Free online class at Stanford

CISSP Reloaded -- study notes
2012-02-06: Hospital appeals $250,000 fine for late breach disclosure - 19 days
2012-02-06: California law requires breach notification within 5 days (for medical data)
2012-02-06: CA Codes (civ:1798.80-1798.84) -- breach notification, see .82 (a) and (c)
2012-02-06: California Amends its Security Breach Notification Law : Workplace Privacy Counsel

CISSP Certification, Information Security and Risk Management

Finding PII with Google--COLD CALLS DATA

          

Back to Top
Last Updated: 7-13-10 8:16 am