text (9K)

CNIT 125: Information Security Professional (CISSP Preparation)

Spring 2010 Sam Bowne

Scores posted 6-6-10

Schedule · Lecture Notes · Projects · Links · Home Page

 

CNIT 125 39694 501 WED 6-9 meets in SCIE 108 6:00-7-30, then moves to SCIE 215 & 214

Catalog Description

Covers information security in depth, including access control, application security, business continuity, cryptography, risk management, legal issues, physical security, and telecommunications and network security. This class helps to prepare students for the Certified Information Systems Security Professional (CISSP) credential, which is essential for high-level information security professionals.

Advisory: Students should have taken CNIT 123, or hold the Certified Ethical Hacker credential, or have equivalent knowedge of basic security.

Upon successful completion of this course, the student will be able to:
  1. Explain security and risk management.
  2. Define and implement access controls.
  3. Assess application security.
  4. Plan for business continuity and disaster recovery.
  5. Apply cryptography correctly to protect information.
  6. Explain legal regulations and ensure compliance.
  7. Perform investigations, preserve evidence, and cooperate with law enforcement authorities.
  8. Explain codes of conduct and ethical issues.
  9. Maintain security of operations.
  10. Assess physical and environmental security.
  11. Design security architecture.
  12. Explain telecommunications and network security.

Textbook

CISSP Guide to Security Essentials, 1st Edition, by Peter Gregory ISBN-10: 1435428196 Buy from Amazon


Schedule

DateQuizTopic
Wed 1-20  Ch 1: Information Security and Risk Management
Wed 1-27  Ch 1: Information Security and Risk Management
Wed 2-3 Ch 2: Access controls
Fri 2-5 Last Day to Add Classes
Wed 2-10Quiz on Ch 1 Ch 2: Access controls
Wed 2-17Quiz on Ch 2  Ch 3: Application Security
Mon 2-22 Last Day to Request Pass/No Pass Grading
Wed 2-24 Ch 3: Application Security
Training
Wed 3-3Quiz on Ch 3  LOCKDOWN
Ch 4: Business Continuity and Disaster Recovery Planning
Wed 3-10No Quiz
Email keys must be published by 8 PM 		 Karin Nelson: Resume Writing Workshop
Wed 3-17Class Cancelled
Wed 3-24Quiz on Ch 4
Resume due 		Ch 5: Cryptography
Wed 3-31 Holiday - No Class
Tue 4-6 Mid-Term Grades Due
Wed 4-7Quiz on Ch 5 Ch 6: Legal, Regulations, Compliance and Investigations
Wed 4-14Quiz on Ch 6 Ch 7: Operations Security
Fri 4-17 Last Day to Withdraw
Wed 4-21Quiz on Ch 7
1st practice test due		 Ch 8: Physical and Environmental Security
Wed 4-28No Quiz
2nd practice test due		 Ch 9: Security Architecture and Design
Wed 5-5Quiz on Ch 8 Ch 10: Telecommunications and Network Security
Wed 5-12Quiz in Ch 9
3rd practice test due		 Ch 10: Telecommunications and Network Security
Wed 5-19  Last Class: Review
Wed 5-26  Final Exam: 6 pm Room Science 108




Lecture Notes

Policy
Student Agreement
Introduction to CNIT 125
Encrypted email setup guide
 
1: Information Security and Risk Management    PowerPoint
2: Access controls    PowerPoint
3: Application Security    PowerPoint
   OWASP's Top Ten Web Application Risks
4: Business Continuity and Disaster Recovery Planning    PowerPoint
5: Cryptography    PowerPoint
6: Legal, Regulations, Compliance and Investigations    PowerPoint
7: Operations Security    PowerPoint
8: Physical and Environmental Security    PowerPoint
9: Security Architecture and Design    PowerPoint
10: Telecommunications and Network Security    PowerPoint
The lectures are in Word and PowerPoint formats.
If you do not have Word or PowerPoint you will need to install the
Free Word Viewer 2003 and/or the Free PowerPoint Viewer 2003.


Back to Top

Projects


Instead of the usual homework assignments, students will all work together in teams, led by student managers, to perform real security audits of real information systems. Every student will be required to sign a non-disclosure agreement. The security issues we find will be held in confidence, and we will contact the administrators of the vulnerable systems and try to convince them to amend the problems.

Students are required to prepare professional resumes, and encouraged to include their participation in this class as work experience.

Back to Top

Links

Introduction to CISSP and CNIT 125
CISSP 1: CISSP Education & Certification
CISSP 2: (ISC)2 | Certified Information Security Education
CISSP 3: CISSP was the third highest salaried certification in 2009
CISSP 4: DOD 8570 requires CISSP, Sec+, and other certs for all gov\'t Information Assurance employees
CISSP 5: CISSP exam prices
CISSP 6: (ISC)2 Code of Ethics
CISSP 7: Associate of (ISC)˛ Certification
CISSP 8: SSCP Education & Certification
CISSP 9: Exam Prices (pdf)
CISSP 10: Test Prep: 10 Tips For Preparing and Passing the CISSP Exam
CISSP 11How to get continuing education credit for CISSP certification holders

Links for Chapter Lectures
Ch 1a: CCSF Catalog Mission Statement
Ch 1b: Mission statement - Wikipedia, the free encyclopedia
Ch 1c: Objective(Goal) - Wikipedia
Ch 1d: Objective Definition | Definition of Objective at Dictionary.com
Ch 1e: NIST 800-30:Risk Management Guide for Information Technology Systems
Ch 1f: ISO27k infosec management standards
Ch 1g: ISO/IEC 27001 - Wikipedia
Ch 1h: Assessing risk of IE 0day vulnerability
Ch 1i: Information Security Governance (pdf)
Ch 1j: SANS: Information Security Policy Templates
Ch 1k: Sarbanes-Oxley Act - Wikipedia
Ch 1l: The Sarbanes-Oxley Act 2002

Ch 3a: OWASP
Ch 3b: Vulnerability scanners miss 49% of the vulns they are looking for (see figure near bottom of article)
Ch 3c: Memory Parsing Vulnerability being used to steal credit card numbers (pdf)

Miscellaneous Links
The 7 Psychological Principles of Scams: Protect Yourself by Learning the Techniques
Exposing Network Vulnerabilities -- Campus Technology

New Unsorted Links
Ch 3d: OWASP Top Ten Web Application Vulnerabilities
Ch 3e: Object Oriented Database Management Systems
Ch 2a: Active Directory\'s LDAP Compliance
The Apache Cassandra Project--highly scalable distributed database
Ch 5a: Substitution cipher - Wikipedia
Ch 5b: Transposition cipher - Wikipedia
Ch 5c: Running key cipher - Wikipedia
Ch 5d: NIST Recommendation for Block Cipher Modes of Operation (pdf)
Ch 5e: NIST Cryptographic Algorithms and Key Sizes (1024-bit RSA no longer recommended)
Ch 5f: US-CERT Vulnerability Note VU#836068--MD5 vulnerable to collision attacks
Ch 5g1: NIST.gov - Federal agencies should stop using SHA-1
Ch 6a: Differences between Civil and Criminal Law in the USA
Ch 6b: NET Act - Wikipedia
Ch 6c: The technique of computer matching
Ch 6d: Privacy Act Overview, 2010 Edition: Computer Matching
Ch 7a: Security Control Types and Operational Security
CISSP 12: GIAC Research in the Common Body of Knowledge -- Good white papers for the ten CISSP domains
Ch 8a: Man Trap
Ch 8b: Crash gates
Ch 8c: How to Calculate HVAC Tonnage
Ch 9a: Bell-La Padula model - Wikipedia
Ch 9b: Biba Model - Wikipedia
Ch 9c: Clark-Wilson model - Wikipedia
Ch 9d: Non-interference (security) - Wikipedia
Ch 9e: Common Criteria - Wikipedia
Ch 9f: Bus (computing) - Wikipedia
Ch 9g: Ring (computer security) - Wikipedia
Ch 9h: Windows Architecture--only rings 0 and 3 are used
Ch 9i: Lock My PC backdoor password
Ch 10a: Multiprotocol Label Switching - Good explanation of why MPLS will replace ATM
Ch 10b: Verizon Wireless -and CDMA
Ch 10c: CLEAR 4G Wireless Broadband Internet Service--WIMAX
Ch 10d: How to reach maximum 802.11n speed and throughput
Ch 10e: Near Field Communication - Wikipedia
Ch 10f: Address Resolution Protocol - Could be regarded as an OSI model layer 2 or 3 protocol
Ch 10g: TCP/IP model - Wikipedia
Ch 10h: Anycast - Wikipedia
Ch 10i: Is RIP layer 3 protocol or layer 7 protocol? : layer, rip, protocol
Web Security Tools˛: skipfish and iScanner--excellent introduction to these tools
Information Security Careers Cheatsheet
Luhn Check - MOD 10 Algorithm
Byron Sonne, G20 \"Bomber\", Was a CISSP--Certification Suspended (2010-06-25)
LOQMail--encrypted email solution, free 30-day trial
Data Encryption | First Data--End-to-end encryption to completely escape PCI Compliance requirements
Project: www.rcfl.org - /downloads/ -- directory traversal vulnerability
How To Get Your Very Own Free SSL Certificate
Tech//404 -- Calculates expected financial loss for lost records
SSL-1: Security Certificate Warnings Don\\\'t Work
SSL-2: Boffins bust web authentication with game consoles
SSL-3: VeriSign remedies massive SSL blunder (kinda, sorta)
SSL-4: MD5 Hack Interesting, But Not Threatening
SSL-5: National Software Reference Library--Md5 not recognized
SSL-6: FIPS 140-2 (2001) can be downloaded here
SSL-7: 14% of SSL certificates on the Internet potentially unsafe
SSL-8: China Internet Network Information Center accepted as a Mozilla root CA
SSL-9: Bug 549701 %u2013 Remove inactive RSA Security 1024 V3 root
SSL-10: Vulnerabilities Allow Attacker to Impersonate Any Website
SSLstrip & Slowloris & Scary SSL Attacks (ppt)
Safe--countermeasure for sslstrip attack
Rainbow Series - Wikipedia, the free encyclopedia
Orange Book--Reference Monitor and Security Kernel
Security modes - The four MAC modes: Dedicated, System high security, Compartmented, Multilevel
Acosta v Byrum--very important precedent for HIPPA-based lawsuits
An Illustrated Guide to IPsec
LOMAC -- Linux method for protecting integrity of system files
2010-07-21: 7 Types of Hard CISSP Exam Questions and How To Approach Them
How I Prepared for the CISSP Exam--Sam Bowne

          
Back to Top
Last Updated: 6-6-10