CISSP stands for Certified Information Systems Security Professional. The certification is from the International Information Systems Security Certification Consortium, (ISC)2 (www.isc2.org).
|
This is a "one inch deep and a mile wide" type of exam: 250 multiple-choice questions in 6 hours, which means a little less than 1.5 minutes per question. But for the three or so areas where you really feel strong, a realistic estimate is 10 seconds per question, while in the other areas a difficult question can take up to 5 minutes to arrive at an educated guess. As with many multiple-choice exams in a dynamic field, you can expect a considerable number of questions that are "strange" in some way. At the same time, questions that look "normal" might have really strange "right" answers (see the review of the All-in-One CISSP Certification Exam Guide for more information).
A good thing is that you have to answer correctly only 70% of the questions.
A bad thing is that more than 30% of the questions might be problematic, some because of gaps in your knowledge, some because any multiple-choice exam always has questions of lesser quality.
That means that you need to develop the right exam strategy. You need to work on it, and there is no substitute for planning how you will take the exam. I will give just a couple of tips:
One thing should be mentioned: never leave any question unanswered. If you do not know the right answer, eliminate as many options as you can and then choose randomly among the remaining ones.
Judging from the content of the tests in CISSP preparation books, the CISSP tests your vocabulary (how well you understand the meaning of words in "CISSP-speak", and believe me, there are a lot of acronyms :-(). Correspondingly, there is no quicker way to improve your CISSP score than to improve your "CISSP-speak" vocabulary. I know that's boring and has little practical value, but this is the way the game is played. Acronyms are an important part of the exam. IMHO the flash cards in CISSP for Dummies can be a pretty good aid.
A dozen books exist to prepare for this exam. See Recommended Books. You probably need two or three books to prepare, although many people who reviewed CISSP-related books on Amazon claimed that one was enough for them. Almost any of them will introduce you to (ISC)2's unique vocabulary (which, as I already mentioned, is perhaps the most important aspect of the test). Over 80% of the terms and concepts you need to learn are presented in Recommended Books.
Make appointments with yourself for study time (i.e., in your day planner) so that it is clear to you when you're doing well or shirking your study responsibilities. Study appointments may be among the most important that you ever make and keep, since they very much determine your career. The key is to focus your efforts. You have only so much time, and there is a lot of partially dull, partially useless stuff. Motivate yourself by taking as many tests as possible. Use our FREE CISSP Diagnostic Tests to determine the areas where you need to work, if any...
All in-all this is a typical multiple choice style exam, although a long one. No news here.
The exam covers 10 main domains of knowledge. Each domain includes a dozen or so subtopics. Some topics are artificially divided (for example, access control and security models), some are pretty eclectic. The core topic is operations security. As one reader put it in an Amazon review, "I should have studied operational security more than I did."
A lot of subtopics are based on outdated content and, while omitting vital information, pay undue attention to obscure subtopics that are useless in practice but perfectly suitable for multiple-choice questions :-). Security Architecture & Models is a good example here:
TCSEC is now obsolete (and rightly so ;-). The value of TCSEC (as well as the newer Common Criteria) for businesses is rather questionable and IMHO does not justify the level of attention paid to the topic.
The central part of this domain is the Bell-LaPadula model. IMHO the latter is much overrated or even damaging. What is captured by the Bell-LaPadula model is too trivial to be useful. Stripped of all formalism, its "Basic Security Theorem" states that if a system starts in a secure state and all its transitions are such that at each step any old access that violates security under the new state's clearance functions is withdrawn and no new access is introduced that violates security, then the system will remain secure. But this is too obvious to be useful. The Biba and Clark-Wilson models are more practical but are not covered well.
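To make the point concrete, here is an added example (not from this page or from any (ISC)2 material): a small Python reference monitor that enforces the Bell-LaPadula rules (no read up, no write down) and the Biba strict-integrity rules (no read down, no write up) over a lattice of levels and categories, and then walks a sequence of state transitions in the spirit of the Basic Security Theorem: a request is granted only if it keeps the state secure, and relabeling an object withdraws the accesses its new label makes insecure. The levels, labels, subjects, objects and request trace are constructed for illustration. It also shows why the preference for Biba above is not an empty one: BLP happily grants a CONFIDENTIAL subject a blind write into a SECRET file, which Biba refuses.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed example lattice; a real system would load this from policy.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

Access = Tuple[str, str, str]  # (subject, object, mode)


@dataclass(frozen=True)
class Label:
    """Security label: a hierarchical level plus a set of non-hierarchical categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND categories a superset.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def blp_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula: simple security (no read up) and *-property (no write down)."""
    if mode == "read":
        return subject.dominates(obj)   # clearance must dominate the object
    if mode == "write":
        return obj.dominates(subject)   # object must dominate the subject; writing up is fine
    if mode == "readwrite":
        return subject == obj           # both rules hold only when the labels are equal
    raise ValueError(f"unknown mode {mode!r}")


def biba_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Biba strict integrity: no read down, no write up (the dual of BLP)."""
    if mode == "read":
        return obj.dominates(subject)   # only read data of equal or higher integrity
    if mode == "write":
        return subject.dominates(obj)   # only write data of equal or lower integrity
    if mode == "readwrite":
        return subject == obj
    raise ValueError(f"unknown mode {mode!r}")


@dataclass
class State:
    """System state in the BLP sense: label assignments plus the current access set."""
    subjects: Dict[str, Label]
    objects: Dict[str, Label]
    accesses: Set[Access] = field(default_factory=set)

    def is_secure(self) -> bool:
        # Secure iff every current access satisfies both BLP properties.
        return all(blp_allows(self.subjects[s], self.objects[o], m)
                   for s, o, m in self.accesses)


def request(state: State, subject: str, obj: str, mode: str) -> bool:
    """Transition 1: grant a new access only if the resulting state stays secure."""
    ok = blp_allows(state.subjects[subject], state.objects[obj], mode)
    if ok:
        state.accesses.add((subject, obj, mode))
    return ok


def relabel_object(state: State, obj: str, new_label: Label) -> List[Access]:
    """Transition 2: change an object's label and withdraw accesses it now makes insecure
    (the 'old access that violates security ... is withdrawn' clause of the theorem)."""
    state.objects[obj] = new_label
    revoked = [a for a in state.accesses
               if a[1] == obj and not blp_allows(state.subjects[a[0]], new_label, a[2])]
    state.accesses.difference_update(revoked)
    return revoked


def demo() -> dict:
    """Walk a constructed request trace; returns every decision so it can be checked."""
    st = State(
        subjects={"alice": Label("TOP SECRET", frozenset({"CRYPTO", "NUC"})),
                  "bob": Label("CONFIDENTIAL")},
        objects={"keys.txt": Label("SECRET", frozenset({"CRYPTO"})),
                 "memo.txt": Label("UNCLASSIFIED")},
    )
    results = {
        "alice reads keys": request(st, "alice", "keys.txt", "read"),    # read down: granted
        "alice writes memo": request(st, "alice", "memo.txt", "write"),  # write down: refused
        "bob reads keys": request(st, "bob", "keys.txt", "read"),        # read up: refused
        "bob writes keys": request(st, "bob", "keys.txt", "write"),      # blind write up: BLP grants it
        # Same labels read as integrity levels: Biba refuses the write up.
        "biba lets bob write keys": biba_allows(st.subjects["bob"], st.objects["keys.txt"], "write"),
    }
    # Upgrade keys.txt; alice's read no longer satisfies simple security and is withdrawn.
    revoked = relabel_object(st, "keys.txt",
                             Label("TOP SECRET", frozenset({"CRYPTO", "NUC", "SIGINT"})))
    results["revoked by upgrade"] = sorted(revoked)
    results["state still secure"] = st.is_secure()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26} -> {outcome}")
```

Running the module prints one line per decision. Note that `request` never has to check the whole state after granting an access: if the current state is secure and the new access individually satisfies both properties, the new state is secure by construction, which is exactly why the theorem reads as a tautology once the rules themselves are taken as the definition of "secure".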
As one can easily guess, the networking part of the exam pays a pretty high level of attention to the obsolete ISO/OSI model :-). Be prepared to review all those partially meaningless layers and understand the differences between them.
Still, those guys were the first, and despite new entries in the field CISSP remains the most influential security certification brand name. Some weaknesses of the exam are generic: most such exams are questionable and often deteriorate into an exercise in memorizing obscure things. But at least they check the ability to memorize those obscure and useless things, so complete dummies and PHBs might have some difficulty passing ;-) Also, a security certification should not be the end but only the beginning of your security education. As is the case with Microsoft and Cisco certifications, there will always be quite a lot of completely clueless CISSP professionals around ;-)
As one Amazon reviewer of the CISSP All-in-One Exam Guide aptly put it:
The CISSP exam is immature; that is, many of the questions appear convoluted for the sake of being obtuse. I doubt seriously if your score on this exam correlates to your true ability. That said, it is a necessary benchmark of a very broad subject.
Please be aware that many exam questions are connected not with computer security but with physical security issues and Security Management Practices. As far as I can tell, CISSP is loosely modeled on the CPA, but they are still afraid to add the second day :-). For more information, visit the AICPA's CPA exam section.
(ISC)2 offers a draft Study Guide which contains updated descriptions of the ten test domains. You need to get it to understand the scope of the exam better. It is available from www.isc2.org (you need to register).
To become a CISSP, you also must subscribe to the (ISC)2 Code of Ethics and already have three years of direct work experience in the field. The exam currently costs $450...
You need to pay an annual membership fee to maintain the CISSP. A CISSP can maintain certification only by earning 120 CPE (continuing professional education) credits over a three-year recertification period. If we are talking only about educational courses this is nearly impossible (counting 2 credits per 5-day course and two courses per year, you can expect around 4*3=12 credits), but there is the loophole of conference attendance. Two-thirds (80 CPEs) must be earned in activities directly related to the information systems security profession, and up to one-third (40 CPEs) may be earned in other educational activities that enhance the CISSP's overall professional skills, knowledge, and competency.
In addition to paying an annual maintenance fee and subscribing to the Code of Ethics, a CISSP or SSCP must earn continuing professional education credits every three years, or retake the certification examination. CPE credits are earned by performing activities largely related to the information systems security profession, including, but not limited to, the following:
- Educational courses or seminar attendance
- Security conference attendance
- Association chapter membership and meeting attendance
- Vendor presentations
- University/college course completion
- Providing security training
- Publishing security articles or books
- Serving on industry boards
- Self-study
- Volunteer work, including serving on (ISC)2 volunteer committees
NSA Plans New Security Certification
March 10, 2003
By Roy Mark
The International Information Systems Security Consortium (ISC2) has signed a five-year contract with the National Security Agency's Information Assurance Directorate (IAD) to develop and administer a new Information Systems Security Engineering Professional (ISSEP) certification.
The new certification will serve as an extension of the CISSP (Certified Information Systems Security Professional), offered by ISC2 for information security professionals with four years cumulative work experience in the field.
Persons interested in taking the ISSEP exam will be required to already hold a CISSP credential. The certification is designed to recognize mastery of an international standard for information security professionals and their understanding of the 10 domains of the ISC2 Common Body of Knowledge in forming security policies, standards and procedures.
NSA will provide the subject matter experts to develop the ISSEP examination. ISC2 will manage the additional domains and exam material for the extension. The new domains of the ISSEP will focus on the technical knowledge required of government information systems security engineers such as ISSE processes and government regulations.
The ISSEP complements the CISSP by addressing the systems engineering side of information security. As with the CISSP, the substance of the domains studied will be updated with the constantly changing field of information security.
"The U.S. government has a unique set of standards for information security," said Patricia L. Moreno, chief of staff for NSA's Information Assurance Directorate. "We believe (ISC)2's longtime international expertise in professional certification best suits our training needs within NSA."
A Comment on the "Basic Security Theorem" of Bell and LaPadula (John McLean) - a nice critique
The exam covers ten domains:
Security Management Practices
Security management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines.
Management tools such as data classification and risk assessment/analysis are used to identify threats, classify assets, and to rate system vulnerabilities so that effective controls can be implemented.
Security Architecture and Models
The Security Architecture and Models domain contains the concepts, principles, structures, and standards used to design, monitor, and secure operating systems, equipment, networks, applications and those controls used to enforce various levels of availability, integrity, and confidentiality.
Access Control Systems and Methodology
Access controls are a collection of mechanisms that work together to create a security architecture to protect the assets of the information system.
Application Development Security
This domain addresses the important security concepts that apply to application software development. It outlines the environment where software is designed and developed and explains the critical role software plays in providing information system security.
Operations Security
Operations Security is used to identify the controls over hardware, media, and the operators and administrators with access privileges to any of these resources. Audit and monitoring are the mechanisms, tools, and facilities that permit the identification of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process.
Physical Security
The physical security domain provides protection techniques for the entire facility, from the outside perimeter to the inside office space, including all of the information system resources.
Cryptography
The cryptography domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality and authenticity.
Telecommunications, Network, and Internet Security
The telecommunications, network, and Internet security domain discusses the:
Business Continuity Planning
The Business Continuity Plan (BCP) domain addresses the preservation and recovery of business operations in the event of outages.
Law, Investigations, and Ethics
The Law, Investigations, and Ethics domain addresses:
Even though the curriculum and CBK were developed in the United States, the material does not have a definite US flavor. In fact, the material, as well as the exam, focuses on international issues.
CCCure -- a very nice site with a lot of useful material and several tests.
(ISC)2CERTIFICATION ONLINE STUDY GUIDES -- here you can submit a request for the study guide.
CS4601 Computer Security -- excellent set of slides
Introduction to Computer Security -- nice set of lectures
NIAP - NATIONAL INFORMATION ASSURANCE PARTNERSHIP ®
SC-80 Security Home Page The mission of the Security Management Program in the Office of Science is to assure the adequate protection of information and assets while maintaining the openness and integrity that is necessary to foster the advancement of basic science and technological innovation.
Cissp.com, the web portal for certified information systems security professionals -- almost no useful info except the resource page and a (questionable :-) 15-question practice exam. The book that they sell is definitely overpriced ;-)
Cert21.com - available practice exams -- free test. Registration required.
INCITS, InterNational Committee for Information Technology Standards
TECS The Encyclopedia of Computer Security
Landwehr, C.E., C. L. Heitmeyer, and J. D. McLean, "A security model for military message systems: retrospective," Proceedings 17th Annual Computer Security Applications Conference (ACSAC '01), pp. 174-190, 10-14 Dec 2001. PDF
Originally published in the 1984 ACM Transactions on Computer Systems, this paper was republished in 2001 as a "classic paper" in computer security. The Introduction to the Classic Papers by Dan Thomsen of Secure Computing Corporation (ACSAC '01 Proceedings, p. 161) states that because computer security is a "relatively new field that spans a wide range of topics", the question is how to sort through computer security history to find the data needed by computer security practitioners when they are "swamped with just the data published in the past year." The answer, according to Thomsen, is "to dust off papers that influenced security thought and print them again." In addition to republishing their papers, the authors of the three selected papers were asked to update their papers, place them in historical perspective, and describe what happened to the work after publication. This paper deals with a basic component of computer security: application-specific security policies.
Generally Accepted System Security Principles Ver 1.0 (GASSP)
Handbook of Information Security Management Access Control
Preparing for the CISSP exam, Part 1 , 03-21-01
" How does the CISSP compare to the [Systems Security Certified Practitioner] in terms of the exam itself and the relative weight/importance of the certification? "
Both are useful stages in professional development. Visit the International Information Systems Security Certification Consortium (ISC)2 Web site - http://www.isc2.org/ - where you will find a wealth of material about the CISSP and the SSCP.
The SSCP is more hands-on and limited to technical issues. According to the description at https://www.isc2.org/sscp_examover.html: "The International Information Systems Security Certification Consortium, or (ISC)2, working with a professional testing service, has developed a certification examination based on the SSCP Common Body of Knowledge (CBK). Candidates have up to 3 hours to complete the examination which consists of multiple-choice questions that address the seven topical test domains of the CBK. The information systems security test domains are:
* Access Control.
* Administration.
* Audit and Monitoring.
* Risk, Response, and Recovery.
* Cryptography.
* Data Communications.
* Malicious Code."
In contrast, the CISSP is deliberately designed to cover a wide range of topics that distinguish information security experts from other kinds of IT experts. As described at https://www.isc2.org/cissp_examover.html: "Candidates have up to 6 hours to complete the examination which consists of 250 multiple-choice questions that address the [10] topical test domains of the CBK. The information systems security test domains are:
* Access Control Systems & Methodology.
* {Computer} Operations Security.
* Cryptography.
* Application & Systems Development.
* Business Continuity & Disaster Recovery Planning.
* Telecommunications & Network Security.
* Security Architecture & Models.
* Physical Security.
* Security Management Practices.
* Law, Investigations & Ethics."
Pritsky also asked:
" What can you tell me about the exam itself? A lot of questions? Evenly distributed amongst the 10 domains? Multiple choice? Hands-on? I don't really know what to expect. "
CISSPs and all who take the exam are under nondisclosure agreement not to divulge the detailed content. See sample questions on the (ISC)2 Web site.
In the next segment of this three-part series, I will look at useful reading for future CISSPs
Will telecommuting be restricted to equipment owned, managed and controlled by the company, or will a person's private equipment be allowed to access the corporate network? Several security issues depend on this answer. I think we will be addressing questions from both perspectives: company HW/SW vs. personally owned.
Do you require that teleworkers install a personal firewall on their home system? ...which one? ...only for cable or DSL modems?
Do you require that they install antivirus software on their home system? ...who pays?
Does the personally owned PC become a State resource if the teleworker is using it to do work for the agency?
Is the teleworker's right to privacy at risk if an agency remotely inventories all software on a personally owned PC to fulfill the SW inventory requirement for State resources?
How does the teleworker segregate work related files from personal files? ...backups? ...encrypted or password protected?
If the teleworker's personally owned PC needs State-owned software installed, how do you verify that the software and agency data have been removed when the telework agreement has terminated? ...temp or swap files? ...cache?
How are security concerns addressed if voice over IP is used?
How do you secure information stored on systems located at home?
How do you handle disposal of company hard-copy documents?
What type of telephone services will be provided, extended company PBX lines, voice over IP?
Do you allow business conversations with wireless handset phones and if so what are the security considerations?
Should home offices be subject to periodic audits for proper working conditions and security?
Should you take the CISSP exam? By Richard Power. Reprinted from the March 1997 issue of Computer Security Institute's monthly newsletter, Computer Security Alert.
Do you consider yourself an information security professional? Have you been working as an information security practitioner for at least three years? Are you going to attempt to make a career out of information security? You should seriously consider seeking certification as a Certified Information Systems Security Professional (CISSP). Even if information security is only part of your overall job description or career path, you should probably seek certification. CISSP certification is only available to those qualified candidates who successfully pass the examination created by the International Information Systems Security Certification Consortium (ISC)2. The consortium is supported by Computer Security Institute (CSI), Information Systems Security Association (ISSA), Canadian Information Processing Society (CIPS), and other reputable industry presences. The CISSP exam is built from a pool of 1,200 multiple choice questions based on a Common Body of Knowledge (CBK), consisting of ten test domains, for example, access control, risk management, application program security, etc.
Information security has reached center stage. The "1997 Information Security Staffing Levels and the Standard of Due Care" study conducted by CSI and Charles Cresson Wood of Baseline Software indicates that budgets for information security staffing are expected to rise 17.8% over the next year and that information security as a percentage of total employment has increased nearly 100% over the last seven years. Information security is rapidly gaining ground relative to related organizational functions like EDP audit, physical security and information systems. There are other strong indicators. Consider the remarks of Tracy A. Lenzner (Williamsville, NY), an independent executive search consultant who recently managed an aggressive recruitment campaign for one of the Big Six firms. "The information security market is very hot. I have never seen people going after one area so aggressively. It's because there are so few infosec professionals with real expertise. If you find people who really know what they're doing, they are worth their weight in gold. One week, I'm talking to candidates, the next week they have been contacted by four companies. And these aren't just little companies, these are the big guns going after everybody and anybody."
But there is also significant evidence that those who want to cash in on the information security Gold Rush will greatly benefit from having a CISSP designation on their resumes. CISSP is starting to show up in more and more job listings, and is typically listed as either "minimum requirement" or "a definite plus."
Does CISSP give you a competitive edge in the job market?
Will CISSP be more of a factor in the future? According to Lenzner, yes. "In the years ahead, there will be a greater demand for IT security as an integral part of corporate success. And therefore, there will be a greater demand for highly skilled, knowledge based expertise in security. CISSP certification is a distinctive indication of both technical and theoretical security expertise. Thus, CISSP certification will become an increasingly important factor in the near future."
Although certification is clearly an advantage on the job market, there are still only a handful of CISSP holders, as Lenzner explains. "As an executive recruiter engaging heavily in security recruitment, I do encounter CISSP holders. But I would say only 20% of the security professionals I speak with are CISSP-certified at this time."
What kind of difference could a CISSP certification make for job candidates?
Could it give them a significant edge over other candidates who don't have a CISSP certification?
"Absolutely! CISSP certification could potentially be a huge plus for candidates. Like many advanced degrees and certifications, CISSP is an additional asset that a candidate can possess, both from a competitive standpoint and in added value to the hiring company."
Consider the remarks of Satnam Purewal. Until recently, she was an information security professional at the University of British Columbia (Vancouver, BC). She took the CISSP exam and soon after was hired by Deloitte and Touche LLP as a Senior Computer Assurance Services (CAS) Specialist. Does she feel being a CISSP holder helped her in her recent job search?
"Yes. It's a great self marketing tool. I know the concepts, but a CISSP after my name says that a formal organization also believes that I know the material. There are certification bodies for engineers and accountants. These organizations enable employers to choose from a qualified group of people. Information system security is a critical function for any enterprise. Only qualified people should work on security. Computer security is more than just IDs and passwords. Security professionals must have working knowledge of policies, investigations, and laws. It was hard work. But it formalized the knowledge I obtained on the job."
How do you know if you are ready to take the test?
How can people evaluate whether or not they're ready to take the test? Purewal offers some tips. "People should take the self test in the CISSP Examination Study Guide available from (ISC)2. It will help you identify the areas were more learning is required. (ISC)2 asks for three years of experience. I seriously doubt anyone under three years of experience could pass the test anyway."
How would she suggest you prepare for the CISSP?
"Get hands on experience in as many areas of the Common Body of Knowledge as possible. Familiarize yourself with industry standards. An individual's knowledge should cover more than what technologies and practices are used at their own organization."
CISSP is approaching critical mass
Hal Tipton of HFT Associates (Villa Park, CA) is one of the scions of information security and a leading force in the Herculean effort to make the certification process a reality. Tipton was also the driving force in developing both the CISSP training course and study guide.
According to Tipton, there are over 700 CISSP holders. Approximately 400 have passed the exam, approximately 300 were "grandfathered" in at the beginning. "When we get a thousand or so certified people and there's a pool of people available, we'll see more headhunters and HR people insisting on CISSP as a qualification."
How big is the known universe of those who should take the test?
Tipton says it could be as many as 20,000. Clearly the high number involves many beyond those whose full-time job is information security. Among others Tipton cites as likely candidates to benefit from being a CISSP holder include network administrators, auditors and industrial security personnel. "A lot of small organizations might not be able to afford a full-time information security person, but they might be able to afford someone who is certified and double-hat the person with some other job. For example, a network administrator in an organization that cannot afford information security staff but has the need for security."
Tipton suggests that independent security consultants seek CISSP certification as well. "Some of the Big Six people really want you to have that CISSP designation. And for the smaller independent guys, it's a good way to win a contract. If you put in your proposal that you're CISSP-certified and the other bidders aren't, well, that's an advantage."
Why people fail and how you can avoid it
Of course, every silver lining is attached to a cloud. The CISSP exam is a straight pass-or-fail situation and some people do fall short. "The object of the certification process is not to fail people - we would like to have 90% pass - but it's all based on the curve set up by the testing service based on the group that has taken the exam in that particular period of time." Tipton cautions against going it alone.
"The people that have failed are those who didn't take the seminar and just did the review on their own. They're failing 'Physical Security,' 'Cryptography' and 'Law, Investigations and Ethics.' That makes a lot of sense. In the field, information security personnel usually don't have a lot of hands-on experience with physical security. It is usually left to the industrial security types. In regard to cryptography, most organizations weren't into crypto at all until recently. With the rise of the Internet, it is becoming a much more important issue. It shouldn't be too hard to guess why the test scores on "Law, Investigations and Ethics" are so low. Organizations simply don't report incidents."
Where and when to move forward
CSI will host Hal Tipton's all-day course "An Introduction to the CISSP Exam" at NetSec '97 (San Francisco, CA) on Sunday, June 8th. Later in the year, CSI will host the CISSP exam at the 24th Annual Computer Security Conference and Exhibition (Washington, DC) on Sunday, November 16th, 1997. For more information on the CISSP certification process and training materials, contact (ISC)2 via the World Wide Web at http://www.isc2.org, e-mail: [email protected], telephone: 508-842-7329 or fax: 508-842-6461.
Information Security Magazine Can You Top the Bar? BY MOLLIE KREHNKE AND DAVID KREHNKE
MOLLIE KREHNKE, CISSP, is a computer security analyst at Lockheed Martin Energy Systems. DAVID KREHNKE, CISSP, is the program manager for ISC.
Information Security Magazine CISSP SAMPLE EXAMINATION. The paper also contains the answers to these questions.
I. Access Control Systems and Methodology
1. In a discretionary mode, who has delegation authority to grant access to information to other people?
a. User
b. Security officer
c. Group leader
d. Owner2. An access system that grants users only those rights necessary for them to perform their work is operating on which security principle?
a. Discretionary access
b. Least privilege
c. Mandatory access
d. Separation of duties3. The type of penetration testing used to discover whether numerous usercode/password combinations can be attempted without detection is called
a. Keystroke capturing
b. Access validation testing
c. Brute force testing
d. Accountability testingII. Telecommunications & Network Security
4. Which of the following telecommunications media is MOST resistant to tapping?
a. Twisted pair
b. Coaxial
c. Shielded coaxial
d. Fiber optic5. Which network topology passes all traffic through all active nodes?
a. Broadband
b. Hub and spoke
c. Baseband
d. Token ring6. Layer 4 of the OSI stack is known as
a. The data link layer
b. The transport layer
c. The network layer
d. The presentation layerIII. Security Management
7. Which of the following represents an ALE calculation?
a. Gross loss expectancy x loss frequency
b. Asset value x loss expectancy
c. Total cost of loss + actual replacement value
d. Single loss expectancy x annualized rate of occurrence8. Who is ultimately responsible for ensuring that information is categorized and that specific protective measures are taken?
a. Security officer
b. Management
c. Data owner
d. Custodian9. What principle recommends the division of responsibilities so that one person cannot commit an undetected fraud?
a. Separation of duties
b. Mutual exclusion
c. Need to know
d. Least privilegeIV. Application & System Development Security
10. When a database error has been detected requiring a backing-out process, a mechanism that permits starting the process at designated places in the process is calleda. Restart
b. Reboot
c. Checkpoint
d. Journal11. Which one of the following is an automated software product used to review security logs?
a. User profiling
b. Intrusion detection
c. System baselining
d. Access modeling
12. Which of the following is a malicious program, the purpose of which is to reproduce itself throughout the network utilizing system resources?
a. Logic bomb
b. Virus
c. Worm
d. Trojan horse
V. Cryptography
13. In what way does the Rivest-Shamir-Adleman algorithm differ from the Data Encryption Standard?
a. It is based on a symmetric algorithm.
b. It uses a public key for encryption.
c. It eliminates the need for a key-distribution center.
d. It cannot produce a digital signature.
14. The fact that it is easier to find prime numbers than to factor the product of two prime numbers is fundamental to what kind of algorithm?
a. Symmetric key
b. Asymmetric key
c. Secret key
d. Stochastic key
15. The Data Encryption Algorithm performs how many rounds of substitution and permutation?
a. 4
b. 16
c. 54
d. 64
VI. Security Architecture & Models
16. At which ITSEC or TCSEC class is design verification first required?
a. F5 or A1
b. F3 or B1
c. F2 or C2
d. F1 or C1
17. What software flaw allows stack overflows and other memory-bound attacks to succeed?
a. Inadequate confinement properties.
b. Compartmentalization not enforced.
c. Insufficient parameter checking.
d. Applications execute in privileged mode.
18. Between-the-lines, line disconnects, interrupt and NAK attacks are all examples of exploits related to
a. System data channel
b. System timing (TOC/TOU)
c. System bounds checking
d. Passive monitoring
VII. Operations Security
19. Why are unique user IDs critical in the review of audit trails?
a. They show which files were altered.
b. They establish individual accountability.
c. They cannot be easily altered.
d. They trigger corrective controls.
20. An e-mail gateway that does not restrict the reception of e-mail to a known set of addresses can be used by a hacker for
a. Spamming attacks
b. NAK attacks
c. Exhaustive attacks
d. Spoofing attacks
21. Which of the following is an example of an operations security attack that is designed to cause the system, or a portion of the system, to cease operations?
a. Ping of Death
b. Brute force
c. Satan attack
d. Back door
VIII. Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
22. Which of the following criteria should be met by off-site storage protection for media backup?
a. The storage site should be located at least 15 miles from the main site.
b. The storage site should be easily accessible during working hours.
c. The storage site should always be protected by an armed guard.
d. The storage site should guard against unauthorized access.
23. Which of the following best describes remote journaling?
a. Send hourly tapes containing transactions off-site.
b. Send daily tapes containing transactions off-site.
c. Real-time capture of transactions to multiple storage devices.
d. The electronic forwarding of transactions to an off-site facility.
IX. Law, Investigations & Ethics
24. Computer-generated evidence is not considered reliable because it is
a. Stored on volatile media
b. Too complex for jurors to understand
c. Seldom comprehensive enough to validate
d. Too difficult to detect electronic tampering
25. Before powering off a computer system, the computer crime investigator should record the contents of the monitor and
a. Save the contents of the spooler queue
b. Dump the memory contents to disk
c. Back up the hard drive
d. Collect the owner's bootup disks
26. According to the Internet Activities Board, which one of the following activities is in violation of RFC 1087 "Ethics and the Internet?"
a. Performing penetration testing against an Internet host.
b. Entering information into an active Web page.
c. Creating a network-based computer virus.
d. Disrupting Internet communications.
X. Physical Security
27. Which of the following measures would be the BEST deterrent to the theft of corporate information from a laptop that was left in a hotel room?
a. Store all data on disks and lock them in an in-room safe.
b. Remove the batteries and power supply from the laptop and store them separately from the computer.
c. Install a cable lock on the laptop when it is unattended.
d. Encrypt the data on the hard drive.
28. Which of the following BEST describes a transponder-based identification card?
a. The card is read by passing it through a magnetic strip reader.
b. The card is read by holding it in the proximity of the reader.
c. The card is read by slipping the card into a standard card edge connector.
d. The card is read by passing light through the holes in the card.
29. Under what conditions would use of a "Class C" hand-held fire extinguisher be preferable to use of a "Class A" hand-held fire extinguisher?
a. When the fire is in its incipient stage.
b. When the fire involves electrical equipment.
c. When the fire is located in an enclosed area.
d. When the fire is caused by flammable products.
Security Management Concepts and Principles
Change/Control Management
Data Classification Schemes
Employment Policies and Practices
Security Policies, Standards, Guidelines, and Procedures
Information Vulnerability and the WWW; Deputy Secretary of Defense Hamre (09/24/1998)
Public Key Infrastructure/ Program Management Office
Information Assurance Support Environment (IASE)
Increasing the Security Posture of the Unclassified but Sensitive Internet Protocol Router Network
Security Policies:
Application Security Policy
Business Continuity Management Policy
Enterprise Authentication and Authorization Services Policy
Identification and Authentication Using Ids and Passwords
Information Asset Protection
NCIIN Network Perimeter Security
Policy and Guidelines for Handling Data
Public Key Infrastructure And Digital Certificates
Template - Business Continuity Plan Components
Virus Protection Policy and Guidelines
Template - Security Risk Assessment
Guidance, Best Practices and Approaches for Developing E-Government Applications
Policy and Criteria For the Approval of Fees for E-Government Transactions
Transaction Fee Request and Approval Process
Transaction Fee Cost and Benefit Analysis Spreadsheet
Notification Letter to Members of the Executive Cabinet
Notification Letter to University Chancellors and Financial Officers
Sample Memo - Electronic Transaction Fee Approval
Format - Criteria for Justifying E-Government Transaction Fees (PDF Format)
Form - IRMC E-Government Transaction Fee Review (PDF Format)
The Moratorium on Web Site Advertising (PDF Format)
Antivirus policies
Risk Analysis Management
Roles and Responsibilities
Security Awareness
Security Management Planning
Integrated Safeguards and Security Management