
09/10/07

Access Control, Mind Map


A Mind Map is a thinking tool that instantly reflects what is going on in your head; it is perfect for helping your study by improving the power of your mind!
It helps you easily remember points that you have already studied; as the CISSP certification covers a lot of topics, you will probably need a way to keep the CBK domains lightly refreshed in your memory.

I found a great site that makes this map available, MindCert.com, which you should visit. The Mind Map can be downloaded by clicking on the image.


Access Control, Mind Map

Extra TIP: Tony Buzan suggests using the following foundation structures for Mind Mapping:

  1. Start in the centre with an image of the topic, using at least 3 colours.
  2. Use images, symbols, codes and dimensions throughout your Mind Map.
  3. Select key words and print using upper or lower case letters.
  4. Each word/image must be alone and sitting on its own line.
  5. The lines must be connected, starting from the central image. The central lines are thicker, organic and flowing, becoming thinner as they radiate out from the centre.
  6. Make the lines the same length as the word/image.
  7. Use colours – your own code – throughout the Mind Map.
  8. Develop your own personal style of Mind Mapping.
  9. Use emphasis and show associations in your Mind Map.
  10. Keep the Mind Map clear by using radial hierarchy, numerical order or outlines to embrace your branches.

01/09/07

CISSP Cartoons: Identification vs Security Risk


Stay in a good mood while you study for the CISSP exam. Check this information security cartoon that plays with Identification and Security Risk:

Cartoon: Identification vs Security Risk

Please visit the site: http://www.glasbergen.com/

19/08/07

CISSP questions: SQL


Which of the following are placeholders for literal values in a Structured Query Language (SQL) query being sent to the database on a server?

Bind variables
Assimilation variables
Reduction variables
Resolution variables

Question: 476 | Difficulty: 3/5 | Relevancy: 3/3
Correct answer: Bind variables
Details: Bind variables are placeholders for literal values in a Structured Query Language (SQL) query being sent to the database on a server.
Source: The CISSP Prep Guide: Gold Edition
Study area: CISSP CBK domain: Application and System Development Security
Covered topics: Structured Query Language (SQL)


This question is sponsored and authorized by CCCURE
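To see why bind variables matter beyond the definition, here is an added example (not from the question source) using Python's sqlite3 module: the same lookup written with a literal pasted into the SQL text and with a `?` bind variable. The table and names are constructed; a name containing a quote shows that a bound value is always treated as data while a concatenated one is re-parsed as part of the statement.

```python
import sqlite3

def make_db():
    """Constructed sample database: an in-memory SQLite table of users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    # The INSERT already uses bind variables: one fixed statement, three sets of values.
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")],
    )
    conn.commit()
    return conn

def find_role_concatenated(conn, name):
    """Literal pasted into the SQL text: the database must re-parse the whole
    string, so a quote inside the value changes the statement itself."""
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def find_role_bound(conn, name):
    """'?' is the bind variable (SQLite's qmark style): the SQL text is fixed and
    parsed once, the value travels separately and is always treated as data."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

def compare(names=("alice", "O'Brien")):
    """Run both lookups for each name; errors from the concatenated form are
    captured as strings so the difference can be inspected side by side."""
    conn = make_db()
    results = {}
    for name in names:
        try:
            results[("concatenated", name)] = find_role_concatenated(conn, name)
        except sqlite3.Error as exc:
            results[("concatenated", name)] = f"error: {type(exc).__name__}"
        results[("bound", name)] = find_role_bound(conn, name)
    return results

if __name__ == "__main__":
    for key, value in compare().items():
        print(key, "->", value)
```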

12/08/07

CISSP Terms and Definitions



Some definitions from Risk Management and Security Management that you need to know for the CISSP exam:

Value of information
Cost to acquire + value to owners + what others are willing to pay

Asset
Something of value (resource, product, data)

Probability or Exposure
The chance or likelihood that an event (threat) will occur

Risk
The potential for harm or loss.
Total risk = asset value * vulnerabilities * threats

Safeguard (Control or Countermeasure)
A risk-reducing measure (reducing both impact and likelihood); it must allow for auditability and accountability.

Safeguard Effectiveness (%)
How effectively the safeguard mitigates a vulnerability.

Threat
An unfortunate event with an undesirable impact on the well-being of an asset.

Uncertainty (%)
Typically measured inversely with respect to confidence.

Exposure
An instance of being exposed to losses from a specific threat.

Vulnerability
Absence or weakness of a safeguard (potential to allow a threat).

30/07/07

CISSP Books recommendation


It's a fact that by reading just one book you won't gather enough information to pass the exam; the recommendation is to read at least two books.

In my opinion the best CISSP book is the All-in-One Exam Guide, Third Edition (All-in-One) by Shon Harris. My other suggestion is the Official (ISC)2 Guide to the CISSP CBK ((ISC)2 Press Series) from (ISC)2. As another option we also have CISSP®: Certified Information Systems Security Professional Study Guide, Third Edition from Sybex.

Official (ISC)2 Guide to the CISSP CBK ((ISC)2 Press Series)
by Harold F. Tipton, Kevin Henry

CISSP All-in-One Exam Guide, Third Edition (All-in-One)
by Shon Harris

CISSP®: Certified Information Systems Security Professional Study Guide, Third Edition
by James Michael Stewart, Ed Tittel, Mike Chapple


To see all the CISSP books recommended by (ISC)2, visit the page:
https://www.isc2.org/cgi-bin/content.cgi?page=36

09/07/07

Physical Security, CISSP Mind Map


A CISSP Mind Map is a thinking tool that instantly reflects what is going on in your head; it is perfect for helping your study by improving the power of your mind!
It helps you easily remember points that you have already studied; as the CISSP certification covers a lot of topics, you will probably need a way to keep the CBK domains lightly refreshed in your memory.

I found a great site that makes these maps available, MindCert.com, which you should visit. The Mind Map can be downloaded by clicking on the image.

Physical Security CISSP Mind Map


03/07/07

Are you looking for Security Support?


We have an urgent requirement for Security Support, enclosed are the details.

Location of Work: Chennai

Job Description:

1) In-Depth Knowledge of Checkpoint Firewall NGX preferably on Windows & Solaris platform

2) Good Knowledge of Alteon Switched Firewall (ASF) and Alteon Web switch (Load Balancing)

3) ISS - IPS and IDS, Internet Scanner & Security Fusion Module.

4) Websense

5) Trend Micro or any other Antivirus products.

6) Fortigate Firewall

7) Good knowledge of Security Concepts, VPN, routing and switching.

Mandatory certifications: Checkpoint, ASF, CCNA, CCNP
Preferred certifications: Cisco Certified Security Professional (CCSP), Certified Ethical Hacker (CEH), CISSP

Mail your resume to careers@ codem-soft.com

17/06/07

CISSP questions: backup method


Which common backup method is the fastest on a daily basis?
Full backup method
Incremental backup method
Fast backup method
Differential backup method

Question 905 | Difficulty level: 3/5 | Relevancy: 3/3
Correct answer: Incremental backup method
Details: The incremental backup method only copies files that have been recently changed or added. Only files with their archive bit set are backed up. This method is fast and uses less tape space but has some inherent vulnerabilities, one being that all incremental backups need to be available and restored from the date of the last full backup to the desired date should a restore be needed.
Study area: CISSP CBK domain: Telecommunication and Network Security
Covered topics: Backups and offsite storage

This question is sponsored and authorized by CCCURE
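The archive-bit behaviour in the answer is easier to see simulated than described, so here is an added example (not from the question source) that models one full backup followed by a week of incremental or differential backups over a constructed set of files. It shows both sides of the trade-off: incremental sets stay small, but the restore chain needs every set since the last full, while a differential restore needs only two sets.

```python
from dataclasses import dataclass

@dataclass
class File:
    name: str
    archive_bit: bool = True   # set by the OS whenever the file is created or modified

class BackupSimulator:
    """Models how the archive bit drives full, incremental and differential backups."""

    def __init__(self, filenames):
        self.files = {n: File(n) for n in filenames}
        self.sets = []   # chronological list of (kind, [files in that backup set])

    def modify(self, name):
        self.files[name].archive_bit = True

    def full(self):
        names = sorted(self.files)
        for f in self.files.values():
            f.archive_bit = False              # everything is now backed up
        self.sets.append(("full", names))
        return names

    def incremental(self):
        names = sorted(n for n, f in self.files.items() if f.archive_bit)
        for n in names:
            self.files[n].archive_bit = False  # cleared: next run copies only newer changes
        self.sets.append(("incremental", names))
        return names

    def differential(self):
        names = sorted(n for n, f in self.files.items() if f.archive_bit)
        # The bit is NOT cleared, so each differential copies everything changed since the full.
        self.sets.append(("differential", names))
        return names

    def restore_chain(self):
        """Backup sets that must all be available, in order, to restore the latest state."""
        last_full = max(i for i, (kind, _) in enumerate(self.sets) if kind == "full")
        later = self.sets[last_full + 1:]
        if later and later[-1][0] == "differential":
            return [self.sets[last_full], later[-1]]   # full + newest differential only
        return [self.sets[last_full]] + later          # full + every incremental since

def run_week(strategy, daily_changes, filenames=("a", "b", "c", "d")):
    """Full backup first, then one backup of the given strategy ('incremental' or
    'differential') per day, after applying that day's file modifications."""
    sim = BackupSimulator(filenames)
    sim.full()
    for changed in daily_changes:
        for name in changed:
            sim.modify(name)
        getattr(sim, strategy)()
    return sim

# Constructed change pattern: file a changes on day 1, b on day 2, a and c on day 3
CHANGES = [["a"], ["b"], ["a", "c"]]

if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sim = run_week(strategy, CHANGES)
        print(strategy, "set sizes:", [len(names) for _, names in sim.sets[1:]],
              "sets needed to restore:", len(sim.restore_chain()))
```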

31/05/07

INCREASE REQUIREMENTS FOR CISSP


Effective 1 October 2007, the minimum experience requirement for certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK.

Also effective 1 October, CISSP candidates will be required to obtain an endorsement of their candidature exclusively from an (ISC)² - certified professional in good standing.

https://www.isc2.org/cgi-bin/content.cgi?page=1228

11/05/07

CISSP questions: Closed Circuit Television (CCTV)


The recording of events with a closed-circuit TV camera is considered a:
Preventative control.
Detective control.
Compensating control.
Corrective control.

Question 1177 | Difficulty level: 2/5 | Relevancy: 3/3
Correct answer: Detective control
Details: Visual surveillance or recording devices such as closed circuit television are used in conjunction with guards in order to enhance their surveillance ability and to record events for future analysis or prosecution. When events are monitored, it is considered preventative whereas recording of events is considered detective in nature.
Study area: CISSP CBK domain: Physical Security
Covered topics: Administrative physical security controls, Closed Circuit Television (CCTV)

This question is sponsored and authorized by CCCURE

06/05/07

Business Continuity Planning and Disaster Recovery Planning, Mind Map


A Mind Map is a thinking tool that instantly reflects what is going on in your head; it is perfect for helping your study by improving the power of your mind!
It helps you easily remember points that you have already studied; as the CISSP certification covers a lot of topics, you will probably need a way to keep the CBK domains lightly refreshed in your memory.

I found a great site that makes these maps available, MindCert.com, which you should visit. The Mind Map can be downloaded by clicking on the image.

BCP DRP, Mind Map

Extra TIP: Tony Buzan suggests using the following foundation structures for Mind Mapping:

  1. Start in the centre with an image of the topic, using at least 3 colours.
  2. Use images, symbols, codes and dimensions throughout your Mind Map.
  3. Select key words and print using upper or lower case letters.
  4. Each word/image must be alone and sitting on its own line.
  5. The lines must be connected, starting from the central image. The central lines are thicker, organic and flowing, becoming thinner as they radiate out from the centre.
  6. Make the lines the same length as the word/image.
  7. Use colours – your own code – throughout the Mind Map.
  8. Develop your own personal style of Mind Mapping.
  9. Use emphasis and show associations in your Mind Map.
  10. Keep the Mind Map clear by using radial hierarchy, numerical order or outlines to embrace your branches.

24/04/07

CISSP questions: Business Continuity Planning (BCP)


Which of the following focuses on sustaining an organization's business functions during and after a disruption?
Business continuity plan
Business recovery plan
Continuity of operations plan
Disaster recovery plan

Question 1154 | Difficulty level: 3/5 | Relevancy: 3/3
Correct answer: Business Continuity Plan (BCP)
Details: A business continuity plan (BCP) focuses on sustaining an organization's business functions during and after a disruption. Information systems are considered in the BCP only in terms of their support to the larger business processes. The business recovery plan (BRP) addresses the restoration of business processes after an emergency. The BRP is similar to the BCP, but it typically lacks procedures to ensure continuity of critical processes throughout an emergency or disruption. The continuity of operations plan (COOP) focuses on restoring an organization's essential functions at an alternate site and performing those functions for up to 30 days before returning to normal operations. The disaster recovery plan (DRP) applies to major, usually catastrophic events that deny access to the normal facility for an extended period. A DRP is narrower in scope than an IT contingency plan in that it does not address minor disruptions that do not require relocation.
Source: SWANSON, Marianne, & al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, December 2001 (page 8).
Study area: CISSP CBK domain #8 - Business Continuity Planning and DRP
Covered topics: Business Continuity Planning (BCP) and Disaster Recovery Plan (DRP)

This question is sponsored and authorized by CCCURE

18/04/07

Controls and countermeasures about Physical Security


Physical security controls and countermeasures, grouped by what they achieve:

1. Deterrence of criminal activity
Fences
Warning signs
Security guards
Dogs

2. Delay of intruders to help ensure that they can be caught
Locks
Defense in depth measures
Access controls

3. Detection of intruders
External intruder sensors
Internal intruder sensors

4. Assessment of situations
Security guard procedures
Communication structure (calling tree)

5. Response to intrusions and disruptions
Response force
Emergency response procedures
Police, fire, medical personnel

11/04/07

CISSP questions: Encryption


What encryption algorithm is best suited for communication with handheld wireless devices?
ECC
RSA
SHA
RC4

Question 671 | Difficulty level: 4/5 | Relevancy: 3/3
Correct answer: ECC
Details: Elliptic Curve Cryptosystems (ECC) are used as asymmetric algorithms and can provide signature, key distribution and encryption functionality. The fact that ECC uses fewer resources makes it appropriate for small handheld devices.
Study area: CISSP CBK domain #5 - Cryptography
Covered topics: Elliptic Curve Cryptosystems (ECC), Mobile, wireless and satellite technologies and security

This question is sponsored and authorized by CCCURE

10/04/07

Applications and Systems Development Security, Mind Map


A Mind Map is a thinking tool that instantly reflects what is going on in your head; it is perfect for helping your study by improving the power of your mind!
It helps you easily remember points that you have already studied; as the CISSP certification covers a lot of topics, you will probably need a way to keep the CBK domains lightly refreshed in your memory.

I found a great site that makes this map available, MindCert.com, which you should visit. The Mind Map can be downloaded by clicking on the image.

Mind Map, Applications and Systems Development Security

Keywords: CISSP, Mind Map, Applications and Systems Development Security

08/04/07

Fingerprint


A fingerprint is an impression of the friction ridges of all or any part of the finger.
The details of these ridges are called minutiae. It is the distinctiveness of these minutiae that gives each individual a unique fingerprint. An individual places his finger on a device that reads the details of the fingerprint and compares them to a reference file. If the two match, the individual's identity has been verified.

This is used as a type of biometric access control.

Video - MythBusters versus a fingerprint scanner



28/03/07

CISSP questions: Access Control


In biometrics, a "one-to-many" search against a database of stored biometric images is done in:
Authentication
Identification
Identities
Identity-based access control

Question 430 | Difficulty level: 4/5 | Relevancy: 3/3
Correct answer: Identification
Details: In biometrics, identification is a "one-to-many" search of an individual's characteristics from a database of stored images.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38.
Study area: CISSP CBK domain #1 - Access Control Systems and Methodology
Covered topic: Biometrics

This question is sponsored by CCCURE and authorized by Clement.
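The Fingerprint post above describes comparing a scan with a reference file, and this question distinguishes that one-to-one verification from one-to-many identification; the following added example (not from either source) shows both over a toy minutiae matcher. Templates are constructed (x, y, ridge angle) lists, the tolerances and 0.6 threshold are assumptions, and the matcher deliberately ignores real-world alignment so the structure of the two searches stays visible.

```python
import math

DIST_TOL = 4.0      # pixels: how far a minutia may drift between scans
ANGLE_TOL = 0.35    # radians: how much its ridge direction may rotate
THRESHOLD = 0.6     # fraction of reference minutiae that must be found in the probe

def _same_minutia(ref, probe):
    dist = math.hypot(ref[0] - probe[0], ref[1] - probe[1])
    dangle = abs((ref[2] - probe[2] + math.pi) % (2 * math.pi) - math.pi)
    return dist <= DIST_TOL and dangle <= ANGLE_TOL

def match_score(reference, probe):
    """Fraction of reference minutiae with a (not yet used) counterpart in the probe."""
    used, hits = set(), 0
    for m in reference:
        for j, p in enumerate(probe):
            if j not in used and _same_minutia(m, p):
                used.add(j)
                hits += 1
                break
    return hits / len(reference)

def verify(db, claimed_id, probe):
    """One-to-one: compare the live scan only with the reference file of the claimed identity."""
    reference = db.get(claimed_id)
    return reference is not None and match_score(reference, probe) >= THRESHOLD

def identify(db, probe):
    """One-to-many: search every stored template; every comparison is one more chance of
    a false match, so the threshold matters more here than in verification."""
    candidates = [(uid, match_score(ref, probe)) for uid, ref in db.items()]
    return sorted([c for c in candidates if c[1] >= THRESHOLD], key=lambda c: -c[1])

# Constructed reference files: (x, y, ridge angle) per minutia, not real fingerprint data
DB = {
    "alice": [(10, 10, 0.1), (40, 22, 1.2), (25, 60, 2.0), (70, 15, -0.5), (55, 48, 0.9)],
    "bob":   [(12, 70, 0.3), (33, 35, -1.4), (80, 80, 2.5), (60, 20, 0.0), (20, 45, 1.7)],
    "carol": [(5, 5, 0.0), (90, 90, 3.0), (45, 45, 1.5), (30, 75, -2.0), (75, 30, 0.7)],
}
# A fresh scan of alice's finger: each minutia shifted a pixel or two and slightly
# rotated, and one minutia missed by the sensor.
PROBE_ALICE = [(11, 12, 0.15), (41, 21, 1.25), (26, 61, 1.95), (56, 47, 0.95)]

if __name__ == "__main__":
    print("verify as alice:", verify(DB, "alice", PROBE_ALICE))
    print("verify as bob:  ", verify(DB, "bob", PROBE_ALICE))
    print("identify:       ", identify(DB, PROBE_ALICE))
```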

25/03/07

Security Models


Today we present the first topic of Security Models and Architecture, one of the CISSP domains.

Security models are an important concept in the design and analysis of secure computer systems, because a model incorporates the security policy that should be enforced in the system. To clearly distinguish between security policy and security model:

  • security policy provides the abstract goals;
  • security model provides the DOs and DONT’s necessary to accomplish these goals.

If the security policy states that subjects need to be authorized to access objects, the security model provides the mathematical relationships and formulas explaining how x can access y only through the outlined specific methods.

The first security models were designed to meet the needs of multi-level security, defined as a class of system containing information with different sensitivities that simultaneously permits access by users with different security clearances and needs-to-know, but prevents users from obtaining access to information for which they lack authorization (DoD TCSEC 1985). Information, also referred to as the "object," possesses a classification; and people, also referred to as the "subject," possess a clearance.

The purpose of a multi-level security system is to prevent compromise, where users are able to read information classified at a level for which they are not cleared. In industry, information may be considered commercially sensitive or have privacy considerations, such as personnel or medical information; in military security policy, the security levels are hierarchical, from lowest to highest: unclassified, confidential, secret, top secret. To access information, a person must possess an access class whose level is greater than or equal to the level of the access class of the information.

State machine models are used to verify the security of a system: all current permissions and all current instances of subjects accessing objects are captured (like a snapshot) as the system's state, and the model describes how the system behaves in response to different inputs. Many activities can alter this state; these are referred to as state transitions. When a transition is requested, the system has to decide whether it should be allowed: the object's security attributes and the access rights of the subject must be reviewed by the operating system, and the transition is permitted only if they allow it.

The first mathematical model of a multi-level security system, and probably the most famous, is the Bell-LaPadula model (Bell and LaPadula, 1973); the model defined a number of terms and concepts that have since been adopted by most other models of multi-level security. The well-known security models and their purposes:

  • Bell-LaPadula: enforces rules to provide confidentiality protection.
  • Biba: enforces rules to provide integrity protection.
  • Clark-Wilson: used as a framework to describe how security policies should be expressed and executed.
  • Chinese Wall: addresses conflicts of interest.
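To make the state-machine idea and the Bell-LaPadula/Biba rules concrete, here is an added example (my own, not from the referenced books) in Python: a small reference monitor whose state is the set of current accesses and whose transitions are granted or denied by either model's rule. The levels follow the hierarchy above; the subjects, objects and their labels are constructed, and the "analyst" and "clerk" names are placeholders.

```python
from enum import IntEnum

class Level(IntEnum):
    """Hierarchical military levels; the same ordering is reused as integrity levels for Biba."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

def blp_allows(clearance, classification, op):
    """Bell-LaPadula (confidentiality): simple security property 'no read up'
    and *-property 'no write down'."""
    if op == "read":
        return clearance >= classification
    if op == "write":
        return clearance <= classification
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject_integrity, object_integrity, op):
    """Biba (integrity): simple integrity axiom 'no read down' and
    *-integrity axiom 'no write up'; the mirror image of Bell-LaPadula."""
    if op == "read":
        return subject_integrity <= object_integrity
    if op == "write":
        return subject_integrity >= object_integrity
    raise ValueError(f"unknown operation {op!r}")

class ReferenceMonitor:
    """State machine: the state is the set of current (subject, object, op) accesses.
    A request is a proposed transition; it is applied only if the model's rule allows it."""

    def __init__(self, subjects, objects, rule):
        self.subjects = subjects      # subject name -> Level
        self.objects = objects        # object name -> Level
        self.rule = rule
        self.state = set()
        self.log = []                 # audit trail of every decision

    def request(self, subject, obj, op):
        allowed = self.rule(self.subjects[subject], self.objects[obj], op)
        self.log.append((subject, obj, op, "granted" if allowed else "denied"))
        if allowed:
            self.state.add((subject, obj, op))
        return allowed

def demo():
    """Constructed subjects and objects; returns both models' decision logs."""
    subjects = {"analyst": Level.SECRET, "clerk": Level.CONFIDENTIAL}
    objects = {"payroll": Level.CONFIDENTIAL, "warplan": Level.TOP_SECRET,
               "bulletin": Level.UNCLASSIFIED}
    blp = ReferenceMonitor(subjects, objects, blp_allows)
    blp.request("analyst", "payroll", "read")     # read down: granted
    blp.request("analyst", "warplan", "read")     # read up: denied
    blp.request("analyst", "bulletin", "write")   # write down: denied (would leak)
    blp.request("clerk", "warplan", "write")      # write up: granted (cannot read it back)
    biba = ReferenceMonitor(subjects, objects, biba_allows)
    biba.request("analyst", "bulletin", "read")   # read down: denied (low-integrity input)
    biba.request("analyst", "bulletin", "write")  # write down: granted
    biba.request("clerk", "warplan", "write")     # write up: denied (cannot taint trusted data)
    return {"blp": blp.log, "biba": biba.log}

if __name__ == "__main__":
    for model, entries in demo().items():
        for entry in entries:
            print(model, *entry)
```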

References:

Official (ISC)2 Guide to the CISSP Exam

CISSP All-in-One Exam Guide, Third Edition (All in One)

CISSP ® : Certified Information Systems Security Professional Study Guide, Third Edition


18/03/07

Access Control Concepts


In our study for the CISSP exam, let's start by defining access: a specific type of interaction between a subject and an object that results in a flow of information from one to the other. The entities that can perform actions in the system are called subjects, while the resources to which access may need to be controlled are called objects.

The "AAA" or "Triple A" concept is one of main concepts of security, it is composed of: Authentication, Authorization and Accounting.

Access control is a security feature that controls how users and systems communicate and interact with other systems and resources. It protects these from unauthorized access and can be a component that participates in determining the level of authorization after an authentication procedure has successfully completed.

  • identification and authentication: this combination determines who can or cannot access (log in to) the system;
  • authorization determines what a subject can do;
  • accountability identifies what a subject did.

Identification describes a method of ensuring that a subject is the entity it claims to be, used to establish user accountability. The requirements for identification are:

  • Must uniquely identify the user.
  • Shouldn't identify that user's position or relative importance in an organization (such as labels like Director or Manager).
  • Should avoid using common or shared user accounts, such as root, admin, and sysadmin.

Authentication is the process of verifying a claimed identity, determining if the subject is really who it claims to be. It is based on at least one of these three factors:
  • something a person knows (password, passphrase, PIN),
  • something a person has (Smart card, token, key, swipe card, badge),
  • something a person is (fingerprint, voice, retina/iris characteristics).

* Strong authentication contains two out of these three methods.

Authorization is the process of determining what types of activities are permitted, checking the necessary rights and privileges.

Accounting systematically tracks and records the operations and activities undertaken by individuals or accounts while they are active in a system or working environment, using audit trails (records) and logs to associate a subject with its actions. The information recorded should be sufficient to map the subject to a controlling user. Audit trails and logs are important for:

  • Detecting security violations
  • Re-creating security incidents



References:
Access control, Wikipedia
CISSP All-in-One Exam Guide, Third Edition (All in One)

10/03/07

Awareness


A company can spend a lot of money on technology to raise its security, but to ensure it, people need to be trained and committed.
People need to be aware of what the company expects of them regarding the security policy, which is why Security Awareness Trainings are created. These help achieve some benefits: a measurable reduction in unauthorized access attempts, increased effectiveness of controls, and help in avoiding fraud and abuse.

Proverb: A chain is as strong as its weakest link; remember, people are the weakest link in security.

It's important to hold periodic awareness sessions for new employees and to remind those who have already attended. Methods of awareness improvement: live interactive presentations, Computer Based Training (CBT), publishing posters and newsletters, incentives and awards, and reminders such as login banners.

I found some comic material from a password campaign: Office of Policy and Education, University of Michigan


Passwords are like Underwear . . . Change Yours Often!
You should change your passwords often (every 90 days).

Passwords are like Underwear . . . Don't Share Them with Friends!
Never share your password with ANYONE. Your password is the only thing that ensures the privacy of your account. You are responsible for how your account is used, so do not let other people have access to it.

Passwords are like Underwear . . . Be Mysterious!
When creating your password don’t use anything that would be easy for someone to guess. For example, never use any part of your username or legal name. Don’t use your phone number, birth date, or license plate number.

Passwords are like Underwear . . . The Longer the Better!
A longer password equals better security. The longer your password is the harder it is for someone to figure out. Your password should be at least 8 characters long and contain a mix of numbers and letters.

Passwords are like Underwear . . . Don’t Leave Yours Lying Around!
Keep your password hidden. Do not write your password down on a piece of paper. Instead commit it to memory!
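The campaign rules above are exactly what a password policy check enforces, so here is an added example (my own, not the University of Michigan's material) that turns the "Be Mysterious", "The Longer the Better" and "Change Yours Often" rules into one checker: minimum length, a mix of letters and numbers, no username, legal-name, phone, birth-date or license-plate fragments in any common spelling, and a 90-day age limit. The profile and dates are constructed; the length-3 token cut-off and the set of date formats are assumptions.

```python
import re
from datetime import date

MIN_LENGTH = 8
MAX_AGE_DAYS = 90

def personal_fragments(profile):
    """Strings derived from the user's own data that must not appear in the password."""
    frags = set()
    for field in ("username", "legal_name"):
        for token in re.split(r"[\s._-]+", profile.get(field, "")):
            if len(token) >= 3:                 # assumption: ignore very short tokens
                frags.add(token.lower())
    for field in ("phone", "license_plate"):
        compact = re.sub(r"[^a-z0-9]", "", profile.get(field, "").lower())
        if compact:
            frags.add(compact)
    born = profile.get("birth_date")
    if born:
        for fmt in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%Y"):
            frags.add(born.strftime(fmt))
    return frags

def check_password(password, profile, last_changed, today=None):
    """Return the list of campaign rules the password breaks (empty means it passes)."""
    today = today or date.today()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs a mix of letters and numbers")
    lowered = password.lower()
    compact = re.sub(r"[^a-z0-9]", "", lowered)   # catches "j.smith" style separators
    for frag in sorted(personal_fragments(profile)):
        if frag in lowered or frag in compact:
            problems.append(f"contains personal data: {frag}")
    if (today - last_changed).days > MAX_AGE_DAYS:
        problems.append("not changed within 90 days")
    return problems

# Constructed sample profile (not a real person)
PROFILE = {
    "username": "jsmith",
    "legal_name": "John Smith",
    "phone": "(734) 555-0123",
    "birth_date": date(1985, 3, 14),
    "license_plate": "ABC 1234",
}

if __name__ == "__main__":
    today = date(2007, 3, 10)
    for pw, changed in (("smith1985", date(2007, 2, 1)),
                        ("tQ7vm9Lx2", date(2006, 11, 1)),
                        ("tQ7vm9Lx2", date(2007, 2, 1))):
        print(pw, "->", check_password(pw, PROFILE, changed, today) or "OK")
```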