Domains of CISSP CBK

About the Course
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu
Objectives
• INFOSEC
• CISSP CBK
• Pedagogy
• DHS EBK
• IST 515
Objectives
This module will familiarize you with the following:
• Current trends in computer crime and security.
• Why information security is not just a technical problem.
• The Common Body of Knowledge in information security proposed by (ISC)2.
• The Essential Body of Knowledge in security suggested by the Department of Homeland Security.
• The purposes, coverage and policy of the course.
• The concept of "Defense in Depth (DID)" in security.
Reading List
• SANS 2008 Salary and Certification Survey.
  http://www.sans.org/resources/salary_survey_2008.pdf
• Robert Richardson, "2009 CSI Computer Crime & Security Survey." (Required)
• Wikipedia, "Certified Information Systems Security Professional (CISSP)."
  http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional
• Department of Homeland Security, "Information Technology Security Essential Body of Knowledge," 2007.
• ISACA, "Information Security Career Progression."
  http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=42042
• Wikipedia, "Defense in Depth (computing)."
  http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)
Sun Tzu's Art of War
• If you know your enemies and know yourself, you can win a hundred battles without a single loss (知彼知己,百戰不殆).
• If you only know yourself, but not your opponent, you may win or may lose (不知彼而知己, 一勝一負).
• If you know neither yourself nor your enemy, you will always endanger yourself (不知彼,不知己, 每戰必殆).
(http://en.wikipedia.org/wiki/The_Art_of_War)
SANS Security Salary Survey (2008)
• Salaries for information security professionals are high. Only 1.65% of respondents earn less than US $40,000 per year, and over 38% earn US $100,000 or more per year.
• 81% of respondents with hiring responsibilities consider certification a factor in their hiring decisions.
• 41% of respondents said their organizations use certifications as a factor when determining salary increases.
• Digital forensics, intrusion detection, and penetration testing are the technical topics respondents are most interested in learning in 2009.
2010 IT Skills and Salary Report
(http://www.examland.com/it-certification/1865/1865/)

| Security Certification | Mean | Median | Responses |
|---|---|---|---|
| CCNA Security – Cisco Certified Network Associate Security | $89,911 | $80,500 | 110 |
| CCSA – Check Point Certified Security Administrator | $99,512 | $93,000 | 49 |
| CCSE – Check Point Certified Security Expert | $98,254 | $91,000 | 30 |
| CEH – Certified Ethical Hacker | $92,794 | $86,500 | 76 |
| CISA – Certified Information Systems Auditor | $100,855 | $94,500 | 78 |
| CISM – Certified Information Security Manager | $113,846 | $96,250 | 64 |
| CISSP – Certified Information Systems Security Professional | $99,928 | $96,000 | 373 |
| Security+ – CompTIA Security+ | $76,844 | $73,000 | 417 |
2008 CSI Security Survey
• The most expensive computer security incidents were those involving financial fraud.
• Virus incidents occurred most frequently.
• Almost one in ten organizations reported they'd had a Domain Name System incident.
• Twenty-seven percent of those responding to a question regarding "targeted attacks."
• The vast majority of respondents (68 percent) said their organizations had a formal information security policy.
Summary of Key Types of Incident
(– = no value given on the original slide for that year)

| Key Types of Incident | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 |
|---|---|---|---|---|---|---|
| Virus / Malware Infection | 78% | 74% | 65% | 52% | 50% | 64% |
| Insider Abuse | 59% | 48% | 42% | 59% | 44% | 30% |
| Laptop Theft | 49% | 48% | 47% | 50% | 42% | 42% |
| Unauthorized Access | 37% | 32% | 32% | 25% | 29% | – |
| Denial of Service | 39% | 32% | 25% | 25% | 21% | 29% |
| Instant Messaging Abuse | – | – | – | 25% | 21% | 8% |
| Bots | – | – | – | 21% | 20% | 23% |
| Theft/loss of Customer Data | – | – | – | – | 17% | 17% |
| Abuse of Wireless Network | 15% | 16% | 14% | 17% | 14% | 8% |
| System Penetration | 17% | 14% | 15% | 13% | 13% | 14% |
| Financial Fraud | 8% | 7% | 9% | 12% | 12% | 20% |
| Misuse of Web Application | 10% | 5% | 6% | 9% | 11% | – |
| Theft/loss of Proprietary Info | 10% | 9% | 9% | 8% | 9% | – |
| Password Sniffing | – | – | – | 10% | 9% | 17% |
| DNS Attacks | – | – | 6% | 8% | 7% | 14% |
| Web Site Defacement | 7% | 5% | 6% | 10% | 6% | – |
| Telecom Fraud | 10% | 10% | 8% | 5% | 5% | – |
| Sabotage | 5% | 2% | 3% | 4% | 2% | – |

[Chart: Trends of Key Incidents]
Security Technologies Used (2008)

| Technologies | Percentage |
|---|---|
| Anti-virus software | 97% |
| Firewalls | 94% |
| Virtual Private Network (VPN) | 85% |
| Anti-spyware software | 80% |
| Encryption of data in transit | 71% |
| Intrusion detection systems | 69% |
| Vulnerability / patch management tools | 65% |
| Web / URL filtering | 61% |
| Intrusion prevention systems | 54% |
| Application-level firewalls | 53% |
| Encryption of data at rest (in storage) | 53% |
Test Your Understanding
• What percentage of corporations experienced at least one security incident?
• Name the two highest-prevalence threats, which are experienced by a majority of firms.
• Describe trends for the three traditional hacker attacks.
• Describe trends in the three low-prevalence, high-impact attacks.
• Why do you think companies may have a difficult time planning for low-prevalence, high-impact attacks?
• Describe trends for wiretapping, telecommunications eavesdropping, and telecommunications fraud.
• Does media coverage typically mirror the importance of threats?
CSI Security Survey 2009
• Big jumps in incidence of password sniffing, financial fraud, and malware infection.
• One-third of respondents' organizations were fraudulently represented as the sender of a phishing message.
• Average losses due to security incidents are down again this year (from $289,000 per respondent to $234,244 per respondent), though they are still above 2006 figures.
• Twenty-five percent felt that over 60 percent of their financial losses were due to non-malicious actions by insiders.
• Respondents were satisfied, though not overjoyed, with all security technologies.
• Investment in end-user security awareness training was inadequate, but investments in other components of their security program were adequate.
• Actions taken: 22 percent notified individuals whose personal information was breached, and 17 percent provided new security services to users or customers.
• Security solutions: use tools that would improve their visibility, such as better log management, security information and event management, security data visualization, security dashboards and the like.
• Regulatory compliance efforts have had a positive effect on their organization's security programs.
[Chart: Types of Attack]
Let Us Talk
• What kind of knowledge and skills are needed to succeed in an information security career?
  - CBK vs. EBK
  - Similarities and differences
• What do professionals have to say about the field?
  - Hard vs. soft skills
• How about IST 515?
• How about your degree?
CISSP CBK
Common Body of Knowledge in Information Systems Security
• Information security and risk management
• Telecommunications and network security
• Access control
• Application security
• Cryptography basics
• Operations security
• Physical (environmental) security
• Business continuity and disaster recovery planning
• Security architecture and design
• Legal, regulations, compliance and investigations
Roles and Competencies (EBK)
• Strategic Management
• IT Security Training & Awareness
• Risk Management
• Data Security
• Physical & Environmental Security
• System & Application Security
• IT Systems Operations & Maintenance
• Procurement
• Personnel Security
• Enterprise Continuity
• Incident Management
• Regulatory & Standards Compliance
• Digital Forensics
• Network Security & Telecom.
Ten Most Common Activities Performed

| Rank | Current Position | % | Prior Position | % |
|---|---|---|---|---|
| 1 | Risk Management | 76.6 | Data Security | 56.6 |
| 2 | Security Program Management | 74.0 | Risk Management | 54.8 |
| 3 | Data Security | 70.7 | Network Security | 53.5 |
| 4 | Policy Creation and Maintenance | 65.3 | Security Program Management | 49.0 |
| 5 | Regulatory Compliance | 63.4 | Policy Creation and Maintenance | 48.8 |
| 6 | Security Project Management | 59.6 | Business Continuity/Disaster Recovery | 45.8 |
| 7 | Incident Management | 58.5 | System and Application Security | 45.2 |
| 8 | Network Security | 57.3 | Security Architecture | 45.1 |
| 9 | Business Continuity/Disaster Recovery | 56.1 | Incident Management | 44.8 |
| 10 | Security Architecture | 55.9 | Security Project Management | 44.8 |
Critical Skills Necessary for Advancement*

| Areas | Very Important | Important | Not Important | No Opinion |
|---|---|---|---|---|
| Writing ability | 69% | 28% | 0% | 1% |
| Verbal communication ability | 68% | 29% | 0% | 1% |
| Technical knowledge | 66% | 31% | 2% | 1% |
| Critical thinking and judgment | 69% | 26% | 2% | 3% |
| Teamwork and collaboration | 52% | 42% | 3% | 3% |
| Ability to lead change | 52% | 39% | 5% | 4% |
| Business knowledge | 40% | 50% | 6% | 3% |
| Cross-functional influence | 35% | 50% | 7% | 9% |
| Influence | 33% | 52% | 8% | 7% |
| Facilitation | 24% | 56% | 11% | 10% |
| Mentoring and coaching | 19% | 57% | 17% | 7% |
| Strategic business planning | 22% | 48% | 21% | 10% |

* SANS Information Security Survey, 2007
IST 515 covers the interdisciplinary theoretical, conceptual, methodological, and practical foundations of information security and assurance, with emphases on information systems security, security and risk management, economic aspects of security, trust management, human factors in security, and enterprise security.
Course Coverage
• Common Body of Knowledge (CBK) – CISSP, and Essential Body of Knowledge (EBK) – DHS.
• Penetration Testing / Ethical Hacking – EC-Council.
• Topics to be covered (CBK):
  - Information Security & Risk Management
  - Access Control
  - Physical & Environmental Security
  - Security Architecture and Design
  - Application Security
  - Operations Security
  - Business Continuity and Disaster Recovery Planning
  - Legal, Regulations, Compliance and Investigations
Course Objectives
• Understand the basics of information security and assurance.
• Understand the core technologies used in making a networked information system secure and assured.
• Understand how to build information systems with assurances and the role of "trust" in delivering these assurances.
• Take an interdisciplinary approach to analyzing the security and assurance of modern information systems.
• Understand the economic aspects of security.
• Understand the impact of human factors in security.
Security Defense in Depth
[Diagram: security defense in depth shown as a feedback cycle of Prediction, Prevention, Detection (monitoring), Response (forensics), and Recovery. Techniques shown, in order: qualitative and quantitative models; policy/regulation, firewall/DMZ, access control/VPN; scanner, IDS, data mining; tracing, investigation; risk analysis, plans.]
Defense In Depth of Security
[Diagram: the same feedback cycle (Prediction, Prevention, Detection, Response/Forensics, Recovery) with the Penn State courses that cover each phase: IST 515, IST 554, IST 451, IST 452, IST 453, IST 454, IST 456, IST 564, SRA 472, SRA 868, IN SC 561.]
• IST 451: Network Security
• IST 452: Legal & Regulatory Issues
• IST 453: Computer Forensics Law
• IST 454: Computer & Cyber Forensics
• IST 456: Security & Risk Management
• IST 554: Network Management & Security
• IST 515: Information Security & Assurance
• IST 564: Crisis, Disaster & Risk Management
• IN SC 561: Web Security & Privacy
• SRA 472: Integration of Privacy & Security
• SRA 868: Visual Analytics for Security
Abbreviations:
• HLS: Homeland Security
• INSC: Information Science
• IS: Information Sciences
• IST: Information Sciences & Technology
• SRA: Security & Risk Analysis
[Diagram: course map for the security curriculum, keyed as "Required for IS & HLS", "Required for HLS" and "Elective". Courses shown: IST 554 Network Management and Security; IST 451 Network Security; IST 454 Cyber Forensics; IST 554 Independent Studies; IST 515 Information Security and Assurance; INSC 516 Web Security & Privacy; SRA 472 Privacy & Security; IST 594 Research Paper; IST 564 Crisis, Disaster and Risk Management; IST 456 Security Management; SRA 868 Visual Analytics.]
Security Defense in Depth
[Diagram: layered defenses, from the innermost layer outward:]
• Data Defenses
• Application Defenses
• Host Defenses
• Network Defenses
• Perimeter Defenses
• Physical Security
• Policies, Procedures, and Awareness
Certificate of Accomplishment
The Center for Information Assurance at the Pennsylvania State University, through its curricula, certifies that
Student
has acquired the knowledge and skills that meet the National Training Standard NSTISSI-4011 for Information Systems Security (INFOSEC) Professionals, established by the Committee on National Security Systems (CNSS) and the National Security Agency (NSA), on December 201x.
Dr. Hank Foley, Dean, College of Information Sciences and Technology
Dr. Chao H. Chu, Executive Director, Center for Information Assurance
INFOSEC Certificate
Required Courses (6 credits):
• IST 515. Information Security and Assurance
• IST 554. Network Management and Security
Elective Courses (Select 9 credits):
• IST 451. Network Security
• IST 454. Computer and Cyber Forensics
• IST 456. Security and Risk Management
• IST 564. Crisis, Disaster, and Risk Management
• IN SC 561. Web Security and Privacy
Thank You!
Any Questions?