
Information Security Professional
(CISSP Preparation)

MPICT Summer Conference
Mon, June 13 - Fri, June 17, 2011, CCSF
Sam Bowne


Class Description

Covers information security thoroughly, including access control, application security, business continuity, cryptography, risk management, legal issues, physical security, and telecommunications and network security. This class helps to prepare students for the Certified Information Systems Security Professional (CISSP) credential, which is essential for high-level information security professionals. Students are strongly encouraged to practice with the Transcender prep tests before taking the exam, and access to those tests will be included in the class.

Prerequisites: Students should have Network+ and Security+ level understanding of networking and security. Previous hacking experience is helpful but not required.

Upon successful completion of this course, the student will be able to:

  1. Explain security and risk management.
  2. Define and implement access controls.
  3. Assess application security.
  4. Plan for business continuity and disaster recovery.
  5. Apply cryptography correctly to protect information.
  6. Explain legal regulations and ensure compliance.
  7. Perform investigations, preserve evidence, and cooperate with law enforcement authorities.
  8. Explain codes of conduct and ethical issues.
  9. Maintain security of operations.
  10. Assess physical and environmental security.
  11. Design security architecture.
  12. Explain telecommunications and network security.

Textbook

CISSP All-in-One Exam Guide, Fifth Edition, by Shon Harris (ISBN-10: 0071602178)

Optional Supplementary Textbook (source of lectures)

CISSP Guide to Security Essentials, 1st Edition, by Peter Gregory (ISBN-10: 1435428196)

Schedule

Date and Time: Topics

Mon, June 13, 9:30 - 12:30 & 1:30 - 4:30
  Ch 3: Information Security and Risk Management
  Ch 4: Access Controls

Tue, June 14, 9:30 - 12:30 & 1:30 - 4:30
  Ch 5: Security Architecture and Design
  Ch 6: Physical and Environmental Security
  Wardriving

Wed, June 15, 9:30 - 12:30 & 1:30 - 4:30
  Ch 7: Telecommunications and Network Security
  Ch 8: Cryptography
  Social Event 5 - 7

Thu, June 16, 9:30 - 12:30 & 1:30 - 4:30
  Ch 9: Business Continuity and Disaster Recovery Planning
  Ch 10: Legal, Regulations, Compliance and Investigations
  Ch 11: Application Security
  OWASP's Top Ten Web Application Risks

Fri, June 17, 9:30 - 12:30
  Ch 12: Operations Security

Lectures

Introduction to CNIT 125
Encrypted email setup guide

3: Information Security and Risk Management (Word doc)
4: Access Controls (Word doc)
5: Security Architecture and Design (Word doc)
6: Physical and Environmental Security (Word doc)
7: Telecommunications and Network Security (Word doc)
8: Cryptography (Word doc)
9: Business Continuity and Disaster Recovery Planning (Word doc)
10: Legal, Regulations, Compliance and Investigations (Word doc)
11: Application Security (Word doc)
    OWASP's Top Ten Web Application Risks
12: Operations Security (Word doc)

The lectures are in Word and PowerPoint formats. If you do not have Word or PowerPoint, you will need to install the Free Word Viewer 2003 and/or the Free PowerPoint Viewer 2003.


Projects

Professional Networking

Twitter (10 pts.)

Application Security

HTTP Headers
Tamper Data
WebGoat Setup
WebGoat Introduction
WebGoat: Access Control
HackThisSite

Network Security

Using Metasploit 3 to Take Over a Windows XP Computer
Stealing Passwords with a Packet Sniffer
Port Scans and Firewalls
Analyzing Types of Port Scans
Building a Web Server
DoS Attack with the Low Orbit Ion Cannon
      LOIC (7-zip, password sam)
Attacking Apache
Protecting a Web Server with a Load Balancer
      haproxy-1.4.11.tar.gz
Protecting Apache with mod_security
Attacking Apache with the OWASP Slow Http Tool
Attacking IIS with the OWASP Slow Http Tool
Introduction to scapy
TCP Handshake with scapy
Port Knocking on BackTrack Linux
Attacking nginx
Attacking nginx with the OWASP Slow Http Tool
Benchmarking Web Server Performance
Protecting Apache with iptables
Slow Loris Attack with scapy
yesman--Scanner Honeypot with scapy
ARP Spoofing with scapy
Detecting Promiscuous NICs with scapy
Social Engineering Toolkit Java Exploit

IPv6 Security

IPv6 Tunnel
IPv6 Router Advertisements
Using thc-ipv6 to Scan an IPv6 Network
IPv6 with scapy
Win 7 DoS with Router Advertisements
Router Advertisements with scapy
Router Advertisement attack with npg on Windows
      ra-attack.txt
Duplicate Address Detection
DoS with Secure Neighbor Discovery (SeND)
Introduction to gdb

Operating System Security

Preparing a Trusted Windows XP Virtual Machine
Installing Ubuntu Linux
Using a Software Keylogger
     Download SC Keylog Pro Demo
Rootkitting Windows
     hxdef100r (open with 7-zip, password sam)
Using the Ultimate Boot CD to Create Administrator Accounts
Rootkitting Ubuntu Linux
     fk.tgz
     fix-fu
Using a Hardware Keylogger
PDF Exploit with Metasploit

Cryptography

Cracking Windows XP Passwords with Ophcrack
Cracking Windows Passwords with Cain
MD5 Collisions
Hijacking HTTPS Sessions with SSLstrip
    sslstrip-0.4.tar.gz
Getting into Ubuntu Linux Without a Password
TrueCrypt
Encrypted Email
Password Guessing Games

Basic Programming

Programming in C on Ubuntu Linux
Programming in Perl on Ubuntu Linux
Programming with Python on Windows

Wireless

Cracking Wired Equivalent Privacy (WEP) with an EEE PC
Cracking WPA


New for Summer 2010

Encrypted email with Gnu & Thunderbird

From Spring 2010

Encrypted Email Setup
Backing up a Private Key
NDA from Spring 2010

Links

Introduction to CISSP and CNIT 125

CISSP 1: CISSP Education & Certification
CISSP 2: (ISC)2 | Certified Information Security Education
CISSP 3: CISSP was the third highest salaried certification in 2009
CISSP 4: DOD 8570 requires CISSP, Sec+, and other certs for all gov't Information Assurance employees
CISSP 5: CISSP exam prices
CISSP 6: (ISC)2 Code of Ethics
CISSP 7: Associate of (ISC) Certification
CISSP 8: SSCP Education & Certification
CISSP 9: Exam Prices (pdf)
CISSP 10: Test Prep: 10 Tips For Preparing and Passing the CISSP Exam
CISSP 11: How to get continuing education credit for CISSP certification holders
CISSP 12: GIAC Research in the Common Body of Knowledge -- Good white papers for the ten CISSP domains
CISSP 13: DoD Directive 8570.1 M - DoD Approved Baseline Certifications
CISSP 14: Associate of (ISC)^2 FAQ
CISSP 15: 7 Types of Hard CISSP Exam Questions and How To Approach Them
CISSP 16: How I Prepared for the CISSP Exam--Sam Bowne
CISSP 17: A CISSP Study Plan Memoir
CISSP 18: CISSP Practice Test
CISSP 19: San Francisco Bay Area ISSA--CISSP Study Sessions
CISSP 20: CPE Requirements
CISSP 21: (ISC)^2 SF Chapter
CISSP 22: Average CISSP Salary 2017
CISSP 23: Exam Prices 2017
CISSP 24: Dilbert : How the CISSP Exam was Written
CISSP 25: Your Guide to the Certified Information Systems Security Professional (CISSP) Exam
CISSP 26: Transcender Practice Exam

Links for Chapter Lectures

Ch 2a: Octomom's hospital records accessed, 15 workers fired (from 2009)
Ch 2b: Three Primary Analytics Lessons Learned from 9/11 (2012)
Ch 2c: The Shadow Factory: The NSA from 9/11 to the Eavesdropping on America: James Bamford: 9780307279392: Amazon.com: Books
Ch 2d: Chelsea Manning explains why she leaked secret military documents, fought for transgender rights behind bars
Ch 2e: WikiLeaks Q & A: who is Bradley Manning and what did he do?
Ch 2f: Chelsea Manning - Wikipedia

Ch 4a: Memory segmentation - Wikipedia
Ch 4b: Trusted Computer System Evaluation Criteria - Wikipedia
Ch 4c: Internet of Shit (@internetofshit) | Twitter
Ch 4d: OWASP Top Ten Project
Ch 4e: Secret Service codename - Wikipedia
Ch 4f: Pretty Rijndael Animation
Ch 4g: IPsec - Wikipedia

Ch 5a: 64-bit Global Identifier (EUI-64)
Ch 5b: How FTP port requests challenge firewall security
Ch 5c: Online Dig | Men & Mice

Ch 6a: Call It Super Bowl Face Scan I (From 2001)
Ch 6b: Obama Eyeing Internet ID for Americans (from 2011)

Ch 9a: Metasploit Module Source Code in Ruby

Other Links

A Beginner's Guide to Data Compliance
HIPAA certification HCISPP vs CSCS
Certified Security Compliance Specialist
How to Reverse Engineer with Radare2 -- INTERESTING FOR PROJECTS
COBIT 5 Laminate
Describe the main differences between due diligence and due care
DREAD (risk assessment model) - Wikipedia
US-EU Safe Harbor Data-Transfer Talks Enter Final Week (1-25-16)
Separation of Duties in Information Technology

New Unsorted Links

Ch 2g: U.S.-EU & U.S.-Swiss Safe Harbor Frameworks
Ch 2h: Privacy Shield
Ch 2i: Privacy Shield -- Is Safe Harbour's Replacement Up To The Job In 2017? (May, 2017)
ISC2 Launches New CISSP Exam Format to Help Bring More Cybersecurity Professionals into the Field
Ideas for Student Projects 2017
Official (ISC)^2 CISSP Study App
SpiderMonkey -- Deobfuscates JavaScript Malware ty @lennyzeltser #IRespondCon

Last Updated: 6-15-11 8 am