Introduction to CISSP and CNIT 125

CISSP 1: CISSP Education & Certification
CISSP 2: (ISC)2 | Certified Information Security Education
CISSP 3: CISSP was the third highest salaried certification in 2009
CISSP 4: DOD 8570 requires CISSP, Sec+, and other certs for all gov't Information Assurance employees
CISSP 5: CISSP exam prices
CISSP 6: (ISC)2 Code of Ethics
CISSP 7: Associate of (ISC)² Certification
CISSP 8: SSCP Education & Certification
CISSP 9: Exam Prices (pdf)
CISSP 10: Test Prep: 10 Tips For Preparing and Passing the CISSP Exam
CISSP 11: How to get continuing education credit for CISSP certification holders
CISSP 12: GIAC Research in the Common Body of Knowledge -- Good white papers for the ten CISSP domains
CISSP 13: DoD Directive 8570.1 M - DoD Approved Baseline Certifications
CISSP 14: Associate of (ISC)^2 FAQ
CISSP 15: 7 Types of Hard CISSP Exam Questions and How To Approach Them
CISSP 16: How I Prepared for the CISSP Exam--Sam Bowne
CISSP 17: A CISSP Study Plan Memoir
CISSP 18: CISSP Practice Test
CISSP 19: San Francisco Bay Area ISSA--CISSP Study Sessions
CISSP 20: CPE Requirements
CISSP 21: (ISC)^2 SF Chapter

Links for Chapter Lectures

Ch 4a: Outlook webmail passwords restricted to 16 chars
Ch 4b: Lockpicking Forensics - Decoding
Ch 4c: The most common pin numbers (10 are 1234)
Ch 4d: How to Generate One Time Use Disposable Credit Card Numbers
Ch 4e: RSA SecurID SID700 Hardware Authenticator
Ch 4f: Divide and Conquer: Cracking MS-CHAPv2 with a 100 percent success rate
Ch 4g: Extensible Authentication Protocol - Wikipedia
Ch 4h: TACACS Plus - Wikipedia
Ch 4i: Teardrop attack - Wikipedia

Ch 5a: Checkpoint's Stateful Inspection Techniques
Ch 5b: FAQ - Microsoft's PPTP Implementation
Ch 5c: Microsoft says don't use PPTP and MS-CHAP
Ch 5l: SKEY - Wikipedia
Ch 5m: EAP-MD5-Challenge Authentication Protocol

Ch 6a: Bruce Lee's Goal and Milestone
Ch 6b: A tough lesson on medical privacy: Pakistani transcriber threatens UCSF over back pay (from 2003)
Ch 6c: The Undoing of Scott Thompson at Yahoo
Ch 6d: Noncompete Agreements Are Also Nonlegal in California
Ch 6e: Admin hacks drug company virtual machines from McDonald's

Ch 7a: Object-Oriented Example
Ch 7b: Example of retail database view
Ch 7c: CREDIT Enrollment By Department--part of the CCSF DSS (runs in Java)
Ch 7d: LayerOne -- DC 949 cracked Google Captcha with artificial intelligence
Ch 7e: OWASP Top Ten Project
Ch 7f: Backdoors Found in Barracuda Networks Gear

Ch 8a: Printer steganography - Wikipedia
Ch 8b: NIST: Block Cipher Modes of Operation
Ch 8c: DES broken by brute force
Ch 8d: Triple DES - Wikipedia
Ch 8e: Animation of AES Encryption Process
Ch 8f: Forthcoming SHA-3 Hash Function May Be Unnecessary
Ch 8g: HMAC (Hash-based message authentication code) - Wikipedia
Ch 8h: The "MPLS Is A Private Network" Debate

Ch 9a: Ring (computer security) - Wikipedia
Ch 9b: Clark-Wilson model - Wikipedia

Ch 10a: Yahoo CEO Scott Thompson Quitting Over Fake Resume
Ch 10b: Bradley Manning - Wikipedia
Ch 10c: Logon Warning Message
Ch 10d: Amazon Web Services Outage Caused By Memory Leak And Failure In Monitoring Alarm
Ch 10e: Today's Outage Post Mortem - CloudFlare blog (From March 2013)
Ch 10f: Millions of LinkedIn passwords reportedly leaked online (From June, 2012)
Ch 10g: LinkedIn boosts encryption after last week's password leak (June 13, 2012)

Ch 11a: HIPAA Violations and Enforcement

Ch 12b: Software Patents and the Rise of Patent Trolls - Electronic Frontier Foundation
Ch 12c: Brand Guidelines - Android Developers
Ch 12d: Computer Fraud And Abuse Act Reform
Ch 12e: Chain of Custody
Ch 12e: Subscriber identity module - Wikipedia

Ch 13a: #OpUSA hacking spree kicks off early
Ch 13b: Sweden's cold climate ideal for data centers
Ch 13c: The Data Center Inside a Cold War Nuclear Bunker
Ch 13d: Photos: Inside the Polaris Data Centre
Ch 13e: Biometric authentication

The Security Circus

Circus-a: How Dan Kaminsky broke and fixed DNS
Circus-b: The Most Dangerous Man in Cyberspace
Circus-c: JadedSecurity » What the CISSP won't teach you
Circus-d: Modern Day Witch Hunting by CISSP Members Minus The Ergot
Circus-e: My Canons on (ISC)² Ethics - Such as They Are
Circus-f: Dan Kaminsky & Kevin Mitnick Hacked
Circus-g: How Byron Sonne's obsession with the G20 security apparatus cost him everything
Circus-h: Anonymous hacker quits, calls group's members hypocrites and its efforts fruitless
Circus-i: Byron Sonne, G20 "Bomber", Was a CISSP--Certification Suspended (2010-06-25)

Links from old textbook (Peter Gregory)

Textbook author's website
Textbook author on Twitter

Ch 4a: Active Directory's LDAP Compliance
Ch 4b: Crack Password Hashes in Lion -- OS X 10.7 - Hack Mac
Ch 4c: Lockheed Says Hacker Used Stolen SecurID Data

Ch 5a: Multiprotocol Label Switching - Good explanation of why MPLS will replace ATM
Ch 5b: Verizon Wireless -and CDMA
Ch 5c: CLEAR 4G Wireless Broadband Internet Service--WIMAX
Ch 5d: How to reach maximum 802.11n speed and throughput
Ch 5e: Near Field Communication - Wikipedia
Ch 5f: Address Resolution Protocol - Could be regarded as an OSI model layer 2 or 3 protocol
Ch 5g: TCP/IP model - Wikipedia
Ch 5h: Anycast - Wikipedia
Ch 5i: Is RIP layer 3 protocol or layer 7 protocol? : layer, rip, protocol
Ch 5j: 3GPP Long Term Evolution - Wikipedia
Ch 5k: Frame Injection at Layer 1: 802.11 Packets in Packets

Ch 6a: CCSF Catalog Mission Statement
Ch 6b: Mission statement - Wikipedia, the free encyclopedia
Ch 6c: Objective(Goal) - Wikipedia
Ch 6d: Objective Definition | Definition of Objective at
Ch 6e: NIST 800-30:Risk Management Guide for Information Technology Systems
Ch 6f: ISO27k infosec management standards
Ch 6g: ISO/IEC 27001 - Wikipedia
Ch 6h: Assessing risk of IE 0day vulnerability
Ch 6i: Information Security Governance (pdf)
Ch 6j: SANS: Information Security Policy Templates
Ch 6k: Sarbanes-Oxley Act - Wikipedia
Ch 6l: The Sarbanes-Oxley Act 2002
Ch 6m: Operation Aurora - Wikipedia

Ch 7a: OWASP
Ch 7b: Vulnerability scanners miss 49% of the vulns they are looking for (see figure near bottom of article)
Ch 7c: Memory Parsing Vulnerability being used to steal credit card numbers (pdf)
Ch 7d: OWASP Top Ten Web Application Vulnerabilities
Ch 7e: Object Oriented Database Management Systems

Ch 8a: Substitution cipher - Wikipedia
Ch 8b: Transposition cipher - Wikipedia
Ch 8c: Running key cipher - Wikipedia
Ch 8d: NIST Recommendation for Block Cipher Modes of Operation (pdf)
Ch 8e: NIST Cryptographic Algorithms and Key Sizes (1024-bit RSA no longer recommended)
Ch 8f: US-CERT Vulnerability Note VU#836068--MD5 vulnerable to collision attacks
Ch 8g: Federal agencies should stop using SHA-1

Ch 9a: Bell-La Padula model - Wikipedia
Ch 9b: Biba Model - Wikipedia
Ch 9c: Clark-Wilson model - Wikipedia
Ch 9d: Non-interference (security) - Wikipedia
Ch 9e: Common Criteria - Wikipedia
Ch 9f: Bus (computing) - Wikipedia
Ch 9g: Ring (computer security) - Wikipedia
Ch 9h: Windows Architecture--only rings 0 and 3 are used
Ch 9i: Lock My PC backdoor password

Ch 10a: Security Control Types and Operational Security

Ch 12a: Differences between Civil and Criminal Law in the USA
Ch 12b: NET Act - Wikipedia
Ch 12c: The technique of computer matching
Ch 12d: Privacy Act Overview, 2010 Edition: Computer Matching

Ch 13a: Man Trap
Ch 13b: Crash gates
Ch 13c: How to Calculate HVAC Tonnage

SSL-1: Security Certificate Warnings Don't Work
SSL-2: Boffins bust web authentication with game consoles
SSL-3: VeriSign remedies massive SSL blunder (kinda, sorta)
SSL-4: MD5 Hack Interesting, But Not Threatening
SSL-5: National Software Reference Library--Md5 not recognized
SSL-6: FIPS 140-2 (2001) can be downloaded here
SSL-7: 14% of SSL certificates on the Internet potentially unsafe
SSL-8: China Internet Network Information Center accepted as a Mozilla root CA
SSL-9: Bug 549701 – Remove inactive RSA Security 1024 V3 root
SSL-10: Vulnerabilities Allow Attacker to Impersonate Any Website
SSL-11: SSLstrip & Slowloris & Scary SSL Attacks (ppt)
SSL-12: Safe--countermeasure for sslstrip attack

Miscellaneous Links

The 7 Psychological Principles of Scams: Protect Yourself by Learning the Techniques
Exposing Network Vulnerabilities -- Campus Technology
The Apache Cassandra Project--highly scalable distributed database
Web Security Tools: skipfish and iScanner--excellent introduction to these tools
Information Security Careers Cheatsheet
Luhn Check - MOD 10 Algorithm
LOQMail--encrypted email solution, free 30-day trial
Data Encryption | First Data--End-to-end encryption to completely escape PCI Compliance requirements
Project: - /downloads/ -- directory traversal vulnerability
How To Get Your Very Own Free SSL Certificate
Tech//404 -- Calculates expected financial loss for lost records
Rainbow Series - Wikipedia, the free encyclopedia
Orange Book--Reference Monitor and Security Kernel
Security modes - The four MAC modes: Dedicated, System high security, Compartmented, Multilevel
Acosta v Byrum--very important precedent for HIPAA-based lawsuits
An Illustrated Guide to IPsec
LOMAC -- Linux method for protecting integrity of system files
Fix to save restore points in a dual-boot
DOD offers tiny, secure linux distribution -- 125 Project
Google's Web Application Security Training Resource -- Better than WebGoat?
Integrating Nessus with BackTrack 5's Tools -- CNIT 125 Project
The Ultimate Web App Security Scanner Comparison Published - AppScan Standard Leads the Pack <--Project ideas
Pingdom stores & transmits passwords in cleartext -- possible project
John The Ripper Hash Formats --useful for projects
More SQL injections; apparently hotels in TN -- COLD CALLS DATA
Yale Gets Google Dorked -- project idea

2d: Ghost in the Wires: My Adventures as the World's Most Wanted Hacker (9780316037709): Kevin Mitnick, Steve Wozniak, William L. Simon: Books
2e: Mitnick fakes way into LA Telco Central Office - YouTube
2011-09-14: EMET - Whitelisting for Windows -- Good CNIT 125 Project
Lilith -- Web Application Security Audit Tool | Darknet - PROJECT IDEA
WAVSEP -- Web Application Vulnerability Scanner Evaluation Project -- PROJECT IDEA
0-Day SCADA Exploits Released, Publicly Exposed Servers At Risk -- COLD CALLS PROJECT DATA
Windows 7 kernel ASLR research. Statistics on number of unique images addresses per 100 OS runs -- POSSIBLE PROJECT
Bypassing Chrome's Anti-XSS filter --GOOD PROJECT IDEA
Fake Twitter typosquatting page -- DO NOT LOG IN -- PROJECT IDEA -- Find more of these & take them down
Cold Calls Project Instructions
New Attack Breaks Confidentiality Model of SSL, Allows Theft of Encrypted Cookies -- GOOD PROJECT
NetworkMiner 1.1 - Network Forensic Analysis Tool (NFAT) Released -- PROJECT IDEA
Free Proxy - Surf Anonymously & Hide Your IP Address - Hide My Ass! <--PROJECT IDEA
Certificate Patrol <--PROJECT IDEA
From the man who discovered Stuxnet, dire warnings one year later
2011-09-28: Flawfinder -- source code security scanner <--PROJECT IDEA
2011-09-29: sqli1 -- More data for CNIT 125 Projects
Google tracks you. We don't. An illustrated guide.
Except for nuclear power plants, no regulations govern how to secure systems against cyber-attacks
More SCADA vulns for Cold Calls -- atvise
Interesting SCADA Security Presentation (from 2004)
2011-10-08: Securing Flash Drives within the Enterprise
2011-10-11: Vuln Audit. _St0rm -- PROJECT DATA
Ethics Project: (ISC)² Ethics Complaint Procedure
Ethics Project: (ISC)2 Code of Ethics
2011-10-14: jjghui - Google Search -- MORE COLD CALLS DATA -- INFECTED WEBSITES
Mass infections from (SQL injection) <--MORE INFO FOR COLD CALLS
2011-10-15: Jadedsecurity emails re: CISSP
My Canons on (ISC)² Ethics - Such as They Are -- Jericho from Attrition
(ISC)^2 Code of Ethics PDF
2011-10-19: Over a million web sites affected in mass SQL injection attack -- MORE INFO FOR COLD CALLS
2011-10-28: Government websites with SQLi <--MORE FRESH COLD CALLS DATA
Sample Contact Letter for Government Cold Calls
Preventing SQL Injection in Java - OWASP --COLD CALLS INFORMATION
Huge list of vulnerable Web apps for training -- PROJECT IDEAS
Computer Security -- Free online class at Stanford

CISSP Reloaded -- study notes
2012-02-06: Hospital appeals $250,000 fine for late breach disclosure - 19 days
2012-02-06: California law requires breach notification within 5 days (for medical data)
2012-02-06: CA Codes (civ:1798.80-1798.84) -- breach notification, see .82 (a) and (c)
2012-02-06: California Amends its Security Breach Notification Law : Workplace Privacy Counsel

CISSP Certification, Information Security and Risk Management

Finding PII with Google--COLD CALLS DATA

Websites that welcome vulnerability tests

Ethics Complaint Against Sam Bowne
Sql Vulnerable Sites (Added New Sites) -xHax0r - -- GOOD LIST VERIFIED 1-1-13
Thousands of SCADA Devices Discovered On the Open Internet -- COLD CALL DATA?
SmokePing - smokeping_examples - FOR SERVER MONITORING PROJECT
A guide to preventing SQL injection
Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? (2010) --PROJECTS AND VIDEOS NEEDED
Why SSD Drives Destroy Evidence (2012) --Happens in Win 7 but not Win XP!
Recovering data from erased or formatted SD and USB media
A defective iPhone App for your hacking pleasure -- PROJECT IDEA
owasp-igoat - OWASP iGoat vulnerable iPhone App -- PROJECT IDEA
Windows Server 2012 Minshell: Install & Uninstall the GUI
VulnHub - Vulnerable By Design -- PROJECT IDEAS
2013-04-15: SQL Injection Vulnerable Websites
2013-04-15: MySQL SQL Injection list.
2013-04-15: Sql Injection VULNERABLE SITES
Slides for Shon Harris v5 from Paladin
2014-08-20: =====Vulnerable sites!===== http:www.kidswithfoodallergies.orgresourcespre -
2014-08-20: 27 SQLI Vulnerable Shops
2014-08-20: SQLI Vulns Admin User&Pass
2014-08-20: DB Leak SQLI VULN
2014-08-20: Sqli vulnerable sites
2014-08-27: @HackingDave called out IRS re their IRS bogus email claim on June 18 --SHOW TO CLASS
Hacking Challenges -- USEFUL FOR PROJECTS
6 free network vulnerability scanners --USEFUL FOR SECURITY AUDITS
OSSEC Open source IDS
The Bro Network Security Monitor
11 open source security tools catching fire on GitHub --PROJECT IDEAS
Ch 7g: how Microsoft's SDL saved Windows
Example disclosure policy -- USEFUL FOR SECURITY AUDITS
Test Email flow using SMTP commands
Lynis - Security auditing tool for Unix/Linux systems
CCSF data exposure in 2007 -- official notice
2015-03-29: Free CISSP Certification Training Class from Cybrary
Eleventh Hour CISSP -- Recommended CISSP review book
Dropbox wins international cloud security cert: ISO 27018 (May, 2015)
Example security audit by a Tufts student -- USEFUL FOR PROJECTS
Skillset - Free CEH and CISSP Certification Practice Tests and Skill Assessments
HoneyTags: An OpenSource HoneyDocs Project -- USEFUL FOR HONEYPOTS