The Certified Information Systems Security Professional designation is the "gold standard" in professional security certifications. It confirms that the holder has several years' experience in two or more security-related domains and has passed a rigorous six-hour examination.

Who Is the Presenter?

Les Bell has over 30 years' experience in information security as a developer, administrator, consultant and lecturer. Les is currently an Adjunct Lecturer in Cryptography and Information Security at Macquarie University and is on the staff of the Optus Macquarie University Cyber Security Hub. Attendee evaluations consistently rate Les as a highly engaging and very knowledgeable speaker.

Who Should Attend?

This course is specifically designed to assist candidates for the CISSP exam to review their knowledge. The candidate should already have several years' experience in one or more of the domains listed below, and may have commenced study in the other domains. Each domain of the Common Body of Knowledge is reviewed in depth.

How You Will Learn

The core of the course is a 5-day instructor-led seminar in which the key concepts of information security are reviewed with case studies, war stories, examples and open discussion of real-life problems and issues. There are ample opportunities to ask questions, and lunch and coffee breaks are usually fairly intense, too.

But the learning does not stop there, since we realize that attendees may take some time to prepare for the exam. The course has been redesigned in the light of the latest research in educational psychology, and employs unique blended learning strategies to ensure deeper and more durable learning.

The traditional course notes have been replaced by online resources - a web site and mobile app - which allow for self-paced revision and exam preparation. The core of the material is a wiki of over 300 pages of detailed content and external links to news stories, academic papers, textbooks and other references. The online slides - constantly updated - link into the wiki, making it easy to 'drill down' for supporting detail.

Multiple self-test quizzes allow self-assessment. The questions now provide detailed feedback and also link into the wiki, allowing immediate follow-up. Finally, a discussion forum allows attendees to ask questions well after the course.

The mobile app (for Android, Apple iOS and Microsoft phones) allows the course materials to be used in any location, and much of the content can be used off-line.

What You Will Learn

In addition to the core course content, attendees will learn useful exam technique and study and review techniques. You will also have the opportunity to discuss issues with other security professionals. Your learning continues after the course - the course is backed by an e-learning server which provides discussion forums, wikis, access to updated course materials and other resources.

Course Outline

Introduction

  • Welcome and Administrivia
  • Course Overview
  • Review and Revision Techniques
  • References
  • Specialised References and Additional Reading
  • Other Resources
  • The “CISSP World-View”
  • The Exam
  • On the Day of the Exam
  • Exam Technique
  • After the Exam
  • CISSP Concentrations
  • Blended Learning Follow-up

Security and Risk Management

  • Security Properties of Information and Systems - The CIA Triad
  • Security Governance
    • Organizational Structure and Processes
    • Security Roles and Responsibilities
    • Reporting Relationships
    • Governance of Third Parties
  • Compliance, Legal and Regulatory Requirements
    • Privacy Laws
    • Data Breaches and Mandatory Disclosure
    • An Infosec View of Privacy
    • Intellectual Property
    • Computer Ethics and Professional Ethics
  • Risk Management Concepts
    • Control Selection and Justification
    • Control Assessment, Testing and Monitoring
    • Definitions of Risk
    • Risk Management Processes (SP800-30, ISO27005, FAIR)
    • Information Risk Analysis, Audit Frameworks and Methodologies
    • Countermeasures and Controls
  • Threat Modeling
  • Business Continuity Requirements
    • Development of Business Continuity and Disaster Recovery Plans
  • Security Policies, Standards, Procedures, Guidelines
    • Personnel Security
  • Acquisitions Policy and Strategies
  • Supply-Chain Security and Supplier Assessment
  • Security Education, Awareness and Training

Asset Security

  • Information Assets - Identification, Ownership
  • Data Standards and Policy
  • Information Classification
  • Handling Requirements
  • Data Retention Policy, Destruction and Disposal

Day 2

Security Engineering

  • Security Engineering Lifecycle
  • Enterprise Security Architecture
    • Architectural Standards and Methodologies
    • Architectural Patterns
    • Security Architecture Standards and Methodologies
  • Systems Architecture
    • Platform Architecture - Hardware, Operating Systems
    • Virtualization, Containers and Sandboxes
    • Cloud Computing Architecture
    • Mobile Devices
  • Security Models
    • Discretionary Access Control
    • Mandatory Access Control Models
  • Evaluation, Certification and Accreditation
    • Evaluated Products and Trusted Systems
    • Evaluation Schemes
  • Security Implementation Guidelines, Frameworks and Standards
  • Database Security
  • Vulnerabilities
    • Architectural Vulnerabilities
    • Distributed Computing
    • Remote and Mobile Computing
    • Process Control and SCADA
    • Embedded Systems and the Internet of Things
  • Cryptology
    • Authentication & Digital Signatures
    • Public Key Infrastructure
    • Types of Cryptoprimitives
    • Classical Cryptography
    • Symmetric Cryptoprimitives
    • Unkeyed and Keyed Hashes and Digests
    • Public Key Cryptosystems
    • Key Management
    • Hybrid Cryptosystems and Protocols
      • TLS, SSH, etc.
    • Advanced Concepts - Quantum computing, etc.
    • Cryptanalysis and Attacks
  • Site Planning and Design
    • Security Survey
    • Crime Prevention Through Environmental Design
    • Site Location and Construction
    • Power and Utility Supplies
  • Facility Security
    • Physical Security Principles
    • Perimeter Protection - Fences, Gates, Lighting, Sensors, CCTV
    • Doors, Locks, Key Control Procedures
    • Fire Detection and Suppression
    • Alarm Systems
    • Data Centers, Server Rooms and Wiring Closets
    • Secure Work Areas
    • Portable Device Security

Day 3

Security in the Software Development Life Cycle

  • Application Development Concepts
    • Programming Languages
    • Development Tools
    • Object-Oriented Concepts and Security
    • Third-Party Libraries and Frameworks
    • Change Management and Revision Control
  • Vulnerabilities Introduced During Development
    • Buffer Overflows
    • Format String Vulnerabilities
    • Input/Output Sanitization
    • Citizen Programmers
    • Covert Channels
    • Time-of-Check/Time-of-Use Vulnerabilities
    • Injection Attacks
    • Object Reuse
    • Trapdoors and Backdoors
    • Executable Content and Mobile Code
  • Software Development Methodologies
    • Security Activities in the SDLC
    • Software Development Life Cycle
    • Prototyping, Iterative and Agile Techniques
    • Cleanroom and Formal Methods
    • Continuous Delivery and DevOps
    • Maturity Models
  • Databases and Data Warehouses
    • Database Concepts
    • Database Vulnerabilities and Controls
    • Unstructured Data and Knowledge Management
  • Web Application Security
    • SQL and Command Injection
    • Cross-Site Scripting (XSS)
    • Cross-Site Request Forgery
    • Insecure Direct Object Access
    • Incorrect Session Management
    • Insecure Configuration
    • Inadequate Use of TLS
    • Web Application Architectures and Languages
    • Common Vulnerabilities
  • Software Acquisition

Day 4

Communications and Network Security

  • Networking Principles
    • Protocol Layers
    • ISO/OSI vs TCP/IP
  • Physical Layer
    • Local Area Network Protocols
    • Wide Area Network Protocols
    • Physical Layer Attacks
  • Network Layer
    • IP Addressing and Routing
    • IP Protocol Operation
    • ICMP Protocol
    • Dynamic Routing Protocols
    • Software Defined Networking
    • Network Layer Attacks
  • Transport Layer
    • Transport Layer Concepts
    • UDP
    • TCP
    • Other Transport Layer Protocols
    • Transport Layer Attacks
  • Application Layer
    • Directory Services - BIND, LDAP, etc.
    • Remote Access and File Transfer
    • Email - SMTP, IMAP, SPF, DKIM, DMARC, Spam Filtering
      • Secure (Signed, Encrypted) Email
    • Web - HTTP
    • VoIP, Instant Messaging and Collaboration
    • Application Layer Protocols
    • Application Layer Vulnerabilities and Attacks
  • Firewall Principles and Architectures
    • Filtering Routers
    • Proxy Web Servers, Web Content Accelerators, Application Delivery Controllers
    • Practical Firewalls
    • Threat Intelligence
  • VPN Principles and Protocols
    • PPTP, IPsec, SSL VPNs
    • VPN Routing
  • Network Security Testing and Assurance
    • Intrusion Detection and Prevention Systems
    • Honeypots and Honeynets
    • Network Security Audits
    • Security Assessment and Vulnerability Scanning
    • Penetration Testing

Identity and Access Management

  • Basic Concepts: Trust, Identity, Authentication and Access Control
  • Management Principles
  • Authentication Techniques and Factors
    • Password Management
      • Digests, Hashes, Salt
      • Dictionary and Rainbow Tables Attacks
      • User Guidance
    • Tokens, FIDO U2F, Badges, Smartcards and Other Devices
    • Biometric Techniques
  • Centralized and Decentralized Authentication Protocols
    • CHAP, PAP, EAP, RADIUS, TACACS, 802.1X
    • Kerberos, LDAP and Active Directory, SESAME
  • Single Sign-On
  • Federated Identity Management Systems
    • OpenID 2.0, OpenID Connect, OAuth2, SAML
  • Thin Clients
  • Authorization and Access Control
    • Mandatory Access Control
      • Multi-Level Systems
      • Capability-Based Systems
    • Role-Based Access Control
    • Rule-Based Access Control and Attribute-Based Access Control
    • Content-Based Access Control
    • Discretionary Access Control
    • Access Control in Databases
  • Intrusion Detection and Prevention Systems
  • Identity Management Lifecycle

Day 5

Security Assessment and Testing

  • Logs and Log Management
  • User Activity Monitoring
  • Security Audit, Assessment and Testing Concepts
    • First-Person and Third-Party Audits
    • Audit Standards and Frameworks
      • SOC, COBIT, ISO 27001
  • Software Security Assessment
    • Unit Testing
    • Integration Testing
    • Regression Testing
    • The Problem with Testing
    • Advanced Techniques and Tools - Fuzzers, Model Checkers, Automated Theorem Provers
  • Systems Security Assessment
  • Network Security Assessment
  • Penetration Testing
  • Continuous Security Monitoring

Security Operations

  • Security Operations and Operations Security
    • Segregation of Roles, Job Rotation
    • Dealing with Privileged Accounts and Users
    • Information Lifecycle
  • Threats and Vulnerabilities
    • Viruses, Worms, Trojans, etc.
    • Rootkits
    • Remote-Access Trojans
    • Ransomware
    • Spyware and Adware
    • Malware
    • Logic Bombs
    • Social Engineering
    • Phishing, Spear-Phishing, Pharming, Whaling and Botnets
    • Hoaxes and Pranks
  • Defensive Controls
  • Configuration and Change Management
  • Patch Management and Vulnerabilities
  • Security Metrics, Monitoring and Reporting
    • Network Monitoring and Logging
    • Systems Monitoring and Logging
  • Security Operations Centers
  • The Cyber Kill Chain
  • Incident Response
    • Containment
    • Investigation
    • Recovery
    • Evidence Collection and Handling
    • Evidence Processing and Forensics
    • Presentation in Court
    • First Response
    • Crime Investigation
  • Concluding Remarks