
CISSP Cert Guide, 2nd Edition


Best Value Purchase

Book + eBook Bundle

  • Your Price: $80.49
  • List Price: $139.98
  • About Premium Edition eBooks
  • The Premium Edition eBook and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson IT Certification Practice Tests. Click on the "Premium Edition" tab (on the left side of this page) to learn more about this product.

    Your purchase will deliver:

    • Link to download the enhanced Pearson IT Certification Practice Test exam engine
    • Access code for question database
    • eBook in the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    MOBI MOBI The eBook format compatible with the Amazon Kindle and Amazon Kindle applications.

    Adobe Reader PDF The popular standard, used most often with the free Adobe® Reader® software.

    The eBooks require no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.


More Purchase Options

Book

  • Your Price: $55.99
  • List Price: $69.99
  • Usually ships in 24 hours.

Premium Edition eBook

  • Your Price: $55.99
  • List Price: $69.99

About

Features

  • Delivers all the knowledge CISSP students need, without making them wade through 1500 pages!
  • Fully reflects major exam changes
  • Test-taking strategies, tips, notes, and two full sample exams delivered by the advanced PCPT test engine
  • By two leading IT security instructors and consultants

Description

  • Copyright 2016
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 768
  • Edition: 2nd
  • Book
  • ISBN-10: 0-7897-5518-1
  • ISBN-13: 978-0-7897-5518-6


In this best-of-breed study guide, two leading experts help you master all the topics you need to know to succeed on your CISSP exam and advance your career in IT security. Their concise, focused approach explains every exam objective from a real-world perspective, helping you quickly identify weaknesses and retain everything you need to know.


Every feature of this book supports both efficient exam preparation and long-term mastery:


  • Opening Topics Lists identify the topics you’ll need to learn in each chapter, and list (ISC)2’s official exam objectives
  • Key Topics feature figures, tables, and lists that call attention to the information that’s most crucial for exam success
  • Exam Preparation Tasks allow you to review key topics, complete memory tables, define key terms, work through scenarios, and answer review questions. All of these help you go beyond memorizing mere facts to master the concepts that are crucial to passing the exam and enhancing your career
  • Key Terms are listed in each chapter and defined in a complete glossary, explaining all the field’s essential terminology


The companion website contains the powerful Pearson IT Certification Practice Test Engine, with two practice exams and access to a large library of exam-realistic questions. The companion website also includes memory tables, lists, and other resources, all in a searchable PDF format.


This study guide helps you master all the topics on the latest CISSP exam, including


  • Access control
  • Telecommunications and network security
  • Information security governance and risk management
  • Software development security
  • Cryptography
  • Security architecture and design
  • Operations security
  • Business continuity and disaster recovery planning
  • Legal, regulations, investigations, and compliance
  • Physical (environmental) security


Premium Edition

CISSP Cert Guide Premium Edition eBook and Practice Test
 
The exciting new CISSP Cert Guide Premium Edition eBook and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson IT Certification Practice Test. The Premium Edition eBook and Practice Test contains the following items:

--The CISSP Premium Edition Practice Test, including four full practice exams and enhanced practice test features
--PDF and EPUB formats of the CISSP Cert Guide from Cisco Press, which are accessible via your PC, tablet, and smartphone

About the Premium Edition Practice Test

This Premium Edition contains an enhanced version of the Pearson IT Certification Practice Test (PCPT) software with four full practice exams. In addition, it contains all the chapter-opening assessment questions from the book. This integrated learning package

--Enables you to focus on individual topic areas or take complete, timed exams
--Includes direct links from each question to detailed tutorials to help you understand the concepts behind the questions
--Provides unique sets of exam-realistic practice questions
--Tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most

Pearson IT Certification Practice Test minimum system requirements:
Windows Vista (SP2), Windows 7, or Windows 8.1 (desktop UI only); Microsoft .NET Framework 4.5 Client; Pentium class 1GHz processor (or equivalent); 512MB RAM; 650MB hard disk space plus 50MB for each exam download; access to the Internet to register and download exam databases

About the Premium Edition eBook

CISSP Cert Guide is a best-of-breed exam study guide. Leading IT certification experts Troy McMillan and Robin Abernathy share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.


The powerful Pearson IT Certification Practice Test engine comes complete with hundreds of exam-realistic questions. The assessment engine offers you a wealth of customization options and reporting features, laying out a complete assessment of your knowledge to help you focus your study where it is needed most, so you can succeed on the exam the first time.

The CISSP Cert Guide is the most comprehensive study guide available. With uniquely thorough coverage - carefully mapped to the exam's objectives - this book brings together all the information and insight readers need to succeed on the updated CISSP Exam. Coverage includes:

·    Access Control

·    Telecommunications and Network Security

·    Information Security Governance and Risk Management

·    Software Development Security

·    Cryptography

·    Security Architecture and Design

·    Security Operations

·    Business Continuity and Disaster Recovery Planning

·    Legal, Regulations, Investigations and Compliance

·    Physical (Environmental) Security

From start to finish, this book is organized to help professionals focus study time where they need the most help, retain more, and earn higher scores. Its features include:

·    Pre-chapter "Do I Know This Already" (DIKTA) quizzes that enable readers to assess their knowledge of each chapter's content and decide how much time to spend on each section

·    Foundation Topics sections that thoroughly explain concepts and theory, and link them to real-world configurations and commands

·    Key Topics icons that flag every figure, table, or list which must absolutely be understood and remembered

·    Chapter-ending Exam Preparation sections contain additional exercises and troubleshooting scenarios.

Sample Content

Sample Pages

Download the sample pages (includes Chapter 5 and Index)

Table of Contents


Introduction 3


    The Goals of the CISSP Certification 3


        Sponsoring Bodies 3


        Stated Goals 4


    The Value of the CISSP Certification 4


        To the Security Professional 4


        To the Enterprise 5


    The Common Body of Knowledge 5


        Security and Risk Management (e.g. Security, Risk, Compliance, Law, Regulations, Business Continuity) 5


        Asset Security (Protecting Security of Assets) 6


        Security Engineering (Engineering and Management of Security) 6


        Communication and Network Security (Designing and Protecting Network Security) 7


        Identity and Access Management (Controlling Access and Managing Identity) 7


        Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing) 7


        Security Operations (e.g. Foundational Concepts, Investigations, Incident Management, Disaster Recovery) 8


        Software Development Security (Understanding, Applying, and Enforcing Software Security) 8


    Steps to Becoming a CISSP 9


        Qualifying for the Exam 9


        Signing Up for the Exam 9


        About the CISSP Exam 10


Chapter 1 Security and Risk Management 14


    Security Terms 15


        CIA 15


        Confidentiality 15


        Integrity 16


        Availability 16


        Default Stance 16


        Defense in Depth 16


        Job Rotation 17


        Separation of Duties 17


    Security Governance Principles 17


        Security Function Alignment 18


        Organizational Strategy and Goals 19


        Organizational Mission and Objectives 19


        Business Case 19


        Security Budget, Metrics, and Effectiveness 20


        Resources 20


        Organizational Processes 21


        Acquisitions and Divestitures 21


        Governance Committees 23


        Security Roles and Responsibilities 23


        Board of Directors 23


        Management 24


        Audit Committee 25


        Data Owner 25


        Data Custodian 25


        System Owner 25


        System Administrator 25


        Security Administrator 26


        Security Analyst 26


        Application Owner 26


        Supervisor 26


        User 26


        Auditor 26


        Control Frameworks 27


        ISO/IEC 27000 Series 27


        Zachman Framework 30


        The Open Group Architecture Framework (TOGAF) 31


        Department of Defense Architecture Framework (DoDAF) 31


        British Ministry of Defence Architecture Framework (MODAF) 31


        Sherwood Applied Business Security Architecture (SABSA) 31


        Control Objectives for Information and Related Technology (CobiT) 32


        National Institute of Standards and Technology (NIST) Special Publication (SP) 33


        Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework 34


        Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) 34


        Information Technology Infrastructure Library (ITIL) 34


        Six Sigma 36


        Capability Maturity Model Integration (CMMI) 37


        CCTA Risk Analysis and Management Method (CRAMM) 37


        Top-Down Versus Bottom-Up Approach 38


        Security Program Life Cycle 38


        Due Care 39


        Due Diligence 39


    Compliance 40


        Legislative and Regulatory Compliance 41


        Privacy Requirements Compliance 42


    Legal and Regulatory Issues 42


        Computer Crime Concepts 42


        Computer-Assisted Crime 43


        Computer-Targeted Crime 43


        Incidental Computer Crime 43


        Computer Prevalence Crime 43


        Hackers Versus Crackers 44


        Computer Crime Examples 44


        Major Legal Systems 45


        Civil Code Law 45


        Common Law 46


        Criminal Law 46


        Civil/Tort Law 46


        Administrative/Regulatory Law 46


        Customary Law 47


        Religious Law 47


        Mixed Law 47


        Licensing and Intellectual Property 47


        Patent 47


        Trade Secret 48


        Trademark 49


        Copyright 49


        Software Piracy and Licensing Issues 50


        Internal Protection 51


        Digital Rights Management (DRM) 51


        Import/Export Controls 51


        Trans-Border Data Flow 52


        Privacy 52


        Personally Identifiable Information (PII) 52


        Laws and Regulations 53


        Data Breaches 58


    Professional Ethics 59


        (ISC)2 Code of Ethics 59


        Computer Ethics Institute 59


        Internet Architecture Board 60


        Organizational Ethics 60


    Security Documentation 60


        Policies 61


        Organizational Security Policy 62


        System-Specific Security Policy 63


        Issue-Specific Security Policy 63


        Policy Categories 63


        Standards 64


        Baselines 64


        Guidelines 64


        Procedures 64


    Business Continuity 64


        Business Continuity and Disaster Recovery Concepts 65


        Disruptions 65


        Disasters 66


        Disaster Recovery and the Disaster Recovery Plan (DRP) 67


        Continuity Planning and the Business Continuity Plan (BCP) 67


        Business Impact Analysis (BIA) 67


        Contingency Plan 67


        Availability 68


        Reliability 68


        Project Scope and Plan 68


        Personnel Components 68


        Project Scope 69


        Business Continuity Steps 69


        Business Impact Analysis Development 70


        Identify Critical Processes and Resources 71


        Identify Outage Impacts, and Estimate Downtime 71


        Identify Resource Requirements 72


        Identify Recovery Priorities 72


        Recoverability 73


        Fault Tolerance 73


    Personnel Security Policies 73


        Employment Candidate Screening 73


        Employment Agreement and Policies 75


        Employment Termination Policies 75


        Vendor, Consultant, and Contractor Controls 76


        Compliance 76


        Privacy 76


    Risk Management Concepts 77


        Vulnerability 77


        Threat 77


        Threat Agent 77


        Risk 77


        Exposure 77


        Countermeasure 78


        Risk Management Policy 78


        Risk Management Team 79


        Risk Analysis Team 79


        Risk Assessment 79


        Information and Asset (Tangible/Intangible) Value and Costs 81


        Identify Threats and Vulnerabilities 82


        Risk Assessment/Analysis 82


        Countermeasure (Safeguard) Selection 84


        Total Risk Versus Residual Risk 85


        Handling Risk 85


        Implementation 86


        Access Control Categories 86


        Compensative 87


        Corrective 87


        Detective 87


        Deterrent 87


        Directive 87


        Preventive 87


        Recovery 88


        Access Control Types 88


        Administrative (Management) Controls 88


        Logical (Technical) Controls 90


        Physical Controls 91


        Control Assessment, Monitoring, and Measurement 92


        Reporting and Continuous Improvement 92


        Risk Frameworks 93


    Threat Modeling 93


        Identifying Threats 94


        Potential Attacks 96


        Remediation Technologies and Processes 96


    Security Risks in Acquisitions 97


        Hardware, Software, and Services 97


        Third-Party Governance 97


        Onsite Assessment 98


        Document Exchange/Review 98


        Process/Policy Review 98


        Other Third-Party Governance Issues 98


        Minimum Security Requirements 98


    Minimum Service-Level Requirements 99


        Security Education, Training, and Awareness 100


        Levels Required 100


    Periodic Review 101


    Exam Preparation Tasks 101


    Review All Key Topics 101


    Complete the Tables and Lists from Memory 102


    Define Key Terms 102


    Answer Review Questions 103


    Answers and Explanations 107


Chapter 2 Asset Security 113


    Asset Security Concepts 114


        Data Policy 114


        Roles and Responsibilities 115


        Data Owner 116


        Data Custodian 116


        Data Quality 116


        Data Documentation and Organization 117


    Classify Information and Assets 118


        Sensitivity and Criticality 119


        Commercial Business Classifications 119


        Military and Government Classifications 120


        Information Life Cycle 121


        Databases 122


        DBMS Architecture and Models 122


        Database Interface Languages 124


        Data Warehouses and Data Mining 125


        Database Maintenance 126


        Database Threats 126


        Data Audit 127


    Asset Ownership 128


        Data Owners 128


        System Owners 129


        Business/Mission Owners 129


    Asset Management 129


        Redundancy and Fault Tolerance 130


        Backup and Recovery Systems 130


        Identity and Access Management 130


        RAID 131


        SAN 135


        NAS 135


        HSM 135


        Network and Resource Management 136


    Asset Privacy 137


        Data Processors 137


        Data Storage and Archiving 137


        Data Remanence 138


        Collection Limitation 139


    Data Retention 140


    Data Security and Controls 141


        Data Security 141


        Data at Rest 141


        Data in Transit 141


        Data Access and Sharing 142


        Baselines 142


        Scoping and Tailoring 143


        Standards Selection 144


        Cryptography 146


        Link Encryption 147


        End-to-End Encryption 147


    Asset Handling Requirements 147


        Marking, Labeling, and Storing 148


        Destruction 148


    Exam Preparation Tasks 148


    Review All Key Topics 148


    Complete the Tables and Lists from Memory 149


    Define Key Terms 149


    Answers and Explanations 152


Chapter 3 Security Engineering 157


    Engineering Using Secure Design Principles 158


    Security Model Concepts 161


        Confidentiality, Integrity, and Availability 161


        Security Modes 161


        Dedicated Security Mode 162


        System High Security Mode 162


        Compartmented Security Mode 162


        Multilevel Security Mode 162


        Assurance 163


        Defense in Depth 163


        Security Model Types 163



        State Machine Models 164


        Multilevel Lattice Models 164


        Matrix-Based Models 164


        Non-inference Models 165


        Information Flow Models 165


        Security Models 165


        Bell-LaPadula Model 166


        Biba Model 167


        Clark-Wilson Integrity Model 168


        Lipner Model 169


        Brewer-Nash (Chinese Wall) Model 169


        Graham-Denning Model 169


        Harrison-Ruzzo-Ullman Model 169


        System Architecture Steps 170


        ISO/IEC 42010:2011 170


        Computing Platforms 171


        Mainframe/Thin Clients 171


        Distributed Systems 171


        Middleware 172


        Embedded Systems 172


        Mobile Computing 172


        Virtual Computing 172


        Security Services 173


        Boundary Control Services 173


        Access Control Services 173


        Integrity Services 174


        Cryptography Services 174


        Auditing and Monitoring Services 174


        System Components 174


        CPU and Multiprocessing 174


        Memory and Storage 175


        Input/Output Devices 177


        Operating Systems 178


        Multitasking 179


        Memory Management 180


    System Security Evaluation Models 180


        TCSEC 181


        Rainbow Series 181


        Orange Book 181


        Red Book 184


        ITSEC 184


        Common Criteria 186


        Security Implementation Standards 187


        ISO/IEC 27001 188


        ISO/IEC 27002 189


        Payment Card Industry Data Security Standard (PCI-DSS) 190


        Controls and Countermeasures 190


    Security Capabilities of Information Systems 191


        Memory Protection 191


        Virtualization 191


        Trusted Platform Module (TPM) 192


        Interfaces 193


        Fault Tolerance 193


    Certification and Accreditation 193


    Security Architecture Maintenance 194


    Vulnerabilities of Security Architectures, Designs, and Solution Elements 194


        Client-Based 195


        Server-Based 196


        Data Flow Control 196


        Database Security 196


        Inference 197


        Aggregation 197


        Contamination 197


        Data Mining Warehouse 197


        Distributed Systems 197


        Cloud Computing 198


        Grid Computing 199


        Peer-to-Peer Computing 199


        Large-Scale Parallel Data Systems 201


        Cryptographic Systems 201


        Industrial Control Systems 202


    Vulnerabilities in Web-Based Systems 203


        Maintenance Hooks 203


        Time-of-Check/Time-of-Use Attacks 204


        Web-Based Attacks 204


        XML 204


        SAML 204


        OWASP 205


    Vulnerabilities in Mobile Systems 205


    Vulnerabilities in Embedded Devices and Cyber-Physical Systems 208


        Cryptography 209


        Cryptography Concepts 209


        Cryptographic Life Cycle 211


        Cryptography History 211


        Julius Caesar and the Caesar Cipher 212


        Vigenere Cipher 213


        Kerckhoff’s Principle 214


        World War II Enigma 214


        Lucifer by IBM 215


        Cryptosystem Features 215


        Authentication 215


        Confidentiality 215


        Integrity 216


        Authorization 216


        Non-repudiation 216


        Key Management 216


    Cryptographic Types 217


        Running Key and Concealment Ciphers 217


        Substitution Ciphers 218


        Transposition Ciphers 219


        Symmetric Algorithms 219


        Stream-based Ciphers 220


        Block Ciphers 221


        Initialization Vectors (IVs) 221


        Asymmetric Algorithms 221


        Hybrid Ciphers 222


        Substitution Ciphers 223


        One-Time Pads 223


        Steganography 224


    Symmetric Algorithms 224


        Digital Encryption Standard (DES) and Triple DES (3DES) 225


        DES Modes 225


        Triple DES (3DES) and Modes 228


        Advanced Encryption Standard (AES) 228


        IDEA 229


        Skipjack 229


        Blowfish 229


        Twofish 230


        RC4/RC5/RC6 230


        CAST 230


    Asymmetric Algorithms 231


        Diffie-Hellman 231


        RSA 232


        El Gamal 233


        ECC 233


        Knapsack 233


        Zero Knowledge Proof 233


    Public Key Infrastructure 234


        Certification Authority (CA) and Registration Authority (RA) 234


        OCSP 235


        Certificates 235


        Certificate Revocation List (CRL) 236


        PKI Steps 236


        Cross-Certification 236


    Key Management Practices 237


    Digital Signatures 245


    Digital Rights Management (DRM) 246


    Message Integrity 246


        Hashing 247


        One-Way Hash 248


        MD2/MD4/MD5/MD6 249


        SHA/SHA-2/SHA-3 250


        HAVAL 250


        RIPEMD-160 251


        Tiger 251


        Message Authentication Code 251


        HMAC 251


        CBC-MAC 252


        CMAC 252


        Salting 252


    Cryptanalytic Attacks 253


        Ciphertext-Only Attack 254


        Known Plaintext Attack 254


        Chosen Plaintext Attack 254


        Chosen Ciphertext Attack 254


        Social Engineering 255


        Brute Force 255


        Differential Cryptanalysis 255


        Linear Cryptanalysis 255


        Algebraic Attack 255


        Frequency Analysis 255


        Birthday Attack 256


        Dictionary Attack 256


        Replay Attack 256


        Analytic Attack 256


        Statistical Attack 256


        Factoring Attack 257


        Reverse Engineering 257


        Meet-in-the-Middle Attack 257


    Geographical Threats 257


        Internal Versus External Threats 257


        Natural Threats 257


        Hurricanes/Tropical Storms 258


        Tornadoes 258


        Earthquakes 258


        Floods 258


        System Threats 259


        Electrical 259


        Communications 259


        Utilities 260


        Human-Caused Threats 260


        Explosions 261


        Fire 261


        Vandalism 262


        Fraud 262


        Theft 262


        Collusion 262


        Politically Motivated Threats 262


        Strikes 263


        Riots 263


        Civil Disobedience 263


        Terrorist Acts 263


        Bombing 264


    Site and Facility Design 264


        Layered Defense Model 264


        CPTED 264


        Natural Access Control 264


        Natural Surveillance 265


        Natural Territorial Reinforcement 265


        Physical Security Plan 265


        Deter Criminal Activity 265


        Delay Intruders 266


        Detect Intruders 266


        Assess Situation 266


        Respond to Intrusions and Disruptions 266


        Facility Selection Issues 266


        Visibility 266


        Surrounding Area and External Entities 267


        Accessibility 267


        Construction 267


        Internal Compartments 268


        Computer and Equipment Rooms 268


    Building and Internal Security 269


        Doors 269


        Door Lock Types 269


        Turnstiles and Mantraps 270


        Locks 270


        Biometrics 271


        Glass Entries 272


        Visitor Control 272


        Equipment Rooms 273


        Work Areas 273


        Secure Data Center 273


        Restricted Work Area 273


        Media Storage Facilities 274


        Evidence Storage 274


    Environmental Security 274


        Fire Protection 274


        Fire Detection 274


        Fire Suppression 275


        Power Supply 276


        Types of Outages 276


        Preventive Measures 277


        HVAC 277


        Water Leakage and Flooding 278


        Environmental Alarms 278


    Equipment Security 278


        Corporate Procedures 278


        Tamper Protection 278


        Encryption 279


        Inventory 279


        Physical Protection of Security Devices 279


        Tracking Devices 279


        Portable Media Procedures 280


        Safes, Vaults, and Locking 280


    Exam Preparation Tasks 280


    Review All Key Topics 280


    Complete the Tables and Lists from Memory 282


    Define Key Terms 282


    Answer Review Questions 283


    Answers and Explanations 288


Chapter 4 Communication and Network Security 293


    Secure Network Design Principles 294


        OSI Model 294


        Application Layer 295


        Presentation Layer 295


        Session Layer 296


        Transport Layer 296


        Network Layer 296


        Data Link Layer 297


        Physical Layer 297


        TCP/IP Model 298


        Application Layer 299


        Transport Layer 300


        Internet Layer 302


        Link Layer 304


        Encapsulation 304


    IP Networking 305


        Common TCP/UDP Ports 305


        Logical and Physical Addressing 307


    IPv4 307


        IP Classes 308


        Public Versus Private IP Addresses 309


        NAT 310


        IPv4 Versus IPv6 310


        MAC Addressing 311


        Network Transmission 311


        Analog Versus Digital 311


        Asynchronous Versus Synchronous 312


        Broadband Versus Baseband 313


        Unicast, Multicast, and Broadcast 314


        Wired Versus Wireless 315


        Network Types 315


        LAN 315


        Intranet 316


        Extranet 316


        MAN 316


        WAN 317


    Protocols and Services 317


        ARP 317


        DHCP 318


        DNS 319


        FTP, FTPS, SFTP 319


        HTTP, HTTPS, SHTTP 320


        ICMP 320


        IMAP 321


        LDAP 321


        NAT 321


        NetBIOS 321


        NFS 321


        PAT 321


        POP 322


        CIFS/SMB 322


        SMTP 322


        SNMP 322


        Multi-Layer Protocols 322


    Converged Protocols 323


        FCoE 324


        MPLS 324


        VoIP 325


        iSCSI 325


    Wireless Networks 326


        FHSS, DSSS, OFDM, VOFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 326


        802.11 Techniques 326


        Cellular or Mobile Wireless Techniques 327


        Satellites 327


        WLAN Structure 328


        Access Point 328


        SSID 328


        Infrastructure Mode Versus Ad Hoc Mode 328


        WLAN Standards 329


        802.11 329


        802.11a 329


        802.11ac 329


        802.11b 329


        802.11f 329


        802.11g 330


        802.11n 330


        Bluetooth 330


        Infrared 330


        Near Field Communication (NFC) 331


        WLAN Security 331


        Open System Authentication 331


        Shared Key Authentication 331


        WEP 331


        WPA 332


        WPA2 332


        Personal Versus Enterprise 332


        SSID Broadcast 333


        MAC Filter 333


    Communications Cryptography 333


        Link Encryption 333


        End-to-End Encryption 334


        Email Security 334


        PGP 335


        MIME and S/MIME 335


        Quantum Cryptography 336


        Internet Security 336


        Remote Access 336


        SSL/TLS 337


        HTTP, HTTPS, and S-HTTP 337


        SET 337


        Cookies 338


        SSH 338


        IPsec 338


    Secure Network Components 339


        Hardware 339


        Network Devices 340


        Network Routing 351


        Transmission Media 354


        Cabling 354


        Network Topologies 358


        Network Technologies 362


        WAN Technologies 369


        Network Access Control Devices 374


        Quarantine/Remediation 376


        Firewalls/Proxies 376


        Endpoint Security 376


        Content Distribution Networks 377


    Secure Communication Channels 377


        Voice 377


        Multimedia Collaboration 377


        Remote Meeting Technology 378


        Instant Messaging 378


        Remote Access 379


        Remote Connection Technologies 379


        VPN Screen Scraper 388


        Virtual Application/Desktop 388


        Telecommuting 388


        Virtualized Networks 389


        SDN 389


        Virtual SAN 389


        Guest Operating Systems 390


    Network Attacks 390


        Cabling 390


        Noise 390


        Attenuation 391


        Crosstalk 391


        Eavesdropping 391


        Network Component Attacks 391


        Non-Blind Spoofing 392


        Blind Spoofing 392


        Man-in-the-Middle Attack 392


        MAC Flooding Attack 392


        802.1Q and Inter-Switch Link Protocol (ISL) Tagging Attack 393


        Double-Encapsulated 802.1Q/Nested VLAN Attack 393


        ARP Attack 393


        ICMP Attacks 393


        Ping of Death 394


        Smurf 394


        Fraggle 394


        ICMP Redirect 394


        Ping Scanning 395


        Traceroute Exploitation 395


        DNS Attacks 395


        DNS Cache Poisoning 395


        DoS 396


        DDoS 396


        DNSSEC 396


        URL Hiding 397


        Domain Grabbing 397


        Cybersquatting 397


        Email Attacks 397


        Email Spoofing 397


        Spear Phishing 398


        Whaling 398


        Spam 398


        Wireless Attacks 399


        Wardriving 399


        Warchalking 399


        Remote Attacks 399


        Other Attacks 400


        SYN ACK Attacks 400


        Session Hijacking 400


        Port Scanning 400


        Teardrop 401


        IP Address Spoofing 401


    Exam Preparation Tasks 401


    Review All Key Topics 401


    Define Key Terms 402


    Answer Review Questions 404


    Answers and Explanations 406


Chapter 5 Identity and Access Management 409


    Access Control Process 410


        Identify Resources 410


        Identify Users 410


    Identify the Relationships Between Resources and Users 411


    Physical and Logical Access to Assets 411


        Access Control Administration 412


        Centralized 412


        Decentralized 412


        Provisioning Life Cycle 413


        Information 413


        Systems 413


        Devices 414


        Facilities 414


    Identification and Authentication Concepts 415


        Five Factors for Authentication 415


        Knowledge Factors 416


        Ownership Factors 420


        Characteristic Factors 422


        Location Factors 427


        Time Factors 427


    Identification and Authentication Implementation 427


        Separation of Duties 427


        Least Privilege/Need-to-Know 428


        Default to No Access 429


        Directory Services 429


        Single Sign-on 430


        Kerberos 431


        SESAME 433


        Federated Identity Management 433


        Security Domains 434


        Session Management 434


        Registration and Proof of Identity 434


        Credential Management Systems 435


        Accountability 436


        Auditing and Reporting 437


    Identity as a Service (IDaaS) Implementation 438


    Third-Party Identity Services Implementation 439


    Authorization Mechanisms 439


        Access Control Models 439


        Discretionary Access Control 440


        Mandatory Access Control 440


        Role-Based Access Control 440


        Rule-Based Access Control 441


        Content-Dependent Versus Context-Dependent 441


        Access Control Matrix 442


        Access Control Policies 442


    Access Control Threats 443


        Password Threats 443


        Dictionary Attack 443


        Brute-Force Attack 444


        Social Engineering Threats 444


        Phishing/Pharming 444


        Shoulder Surfing 445


        Identity Theft 445


        Dumpster Diving 445


        DoS/DDoS 445


        Buffer Overflow 446


        Mobile Code 446


        Malicious Software 446


        Spoofing 447


        Sniffing and Eavesdropping 447


        Emanating 447


        Backdoor/Trapdoor 448


    Prevent or Mitigate Access Control Threats 448


    Exam Preparation Tasks 449


    Review All Key Topics 449


    Define Key Terms 449


    Review Questions 450


    Answers and Explanations 452


Chapter 6 Security Assessment and Testing 455


    Assessment and Testing Strategies 456


    Security Control Testing 456


        Vulnerability Assessment 456


        Penetration Testing 457


        Log Reviews 459


        NIST SP 800-92 460


        Synthetic Transactions 464


        Code Review and Testing 464


        Misuse Case Testing 465


        Test Coverage Analysis 466


        Interface Testing 466


    Collect Security Process Data 466


        NIST SP 800-137 467


        Account Management 467


        Management Review 468


        Key Performance and Risk Indicators 468


        Backup Verification Data 469


        Training and Awareness 469


        Disaster Recovery and Business Continuity 470


    Analyze and Report Test Outputs 470


    Internal and Third-Party Audits 470


    Exam Preparation Tasks 472


    Review All Key Topics 472


    Define Key Terms 472


    Review Questions 473


    Answers and Explanations 475


Chapter 7 Security Operations 480


    Investigations 481


        Forensic and Digital Investigations 481


        Identify Evidence 482


        Preserve and Collect Evidence 483


        Examine and Analyze Evidence 484


        Present Findings 484


        Decide 484


        IOCE/SWGDE and NIST 484


        Crime Scene 485


        MOM 486


        Chain of Custody 486


        Interviewing 487


        Evidence 487


        Five Rules of Evidence 488


        Types of Evidence 488


        Surveillance, Search, and Seizure 490


        Media Analysis 491


        Software Analysis 491


        Network Analysis 492


        Hardware/Embedded Device Analysis 492


    Investigation Types 493


        Operations 493


        Criminal 493


        Civil 493


        Regulatory 494


        eDiscovery 494


    Logging and Monitoring Activities 494


        Audit and Review 494


        Intrusion Detection and Prevention 495


        Security Information and Event Management (SIEM) 496


        Continuous Monitoring 496


        Egress Monitoring 496


    Resource Provisioning 497


        Asset Inventory 497


        Configuration Management 498


        Physical Assets 500


        Virtual Assets 500


        Cloud Assets 501


        Applications 501


    Security Operations Concepts 501


        Need to Know/Least Privilege 501


        Managing Accounts, Groups, and Roles 501


        Separation of Duties 502


        Job Rotation 503


        Sensitive Information Procedures 503


        Record Retention 504


        Monitor Special Privileges 504


        Information Life Cycle 504


        Service-Level Agreements 505


    Resource Protection 505


        Protecting Tangible and Intangible Assets 505


        Facilities 505


        Hardware 506


        Software 506


        Information Assets 507


        Asset Management 507


        Redundancy and Fault Tolerance 507


        Backup and Recovery Systems 508


        Identity and Access Management 508


        Media Management 509


        Media History 513


        Media Labeling and Storage 514


        Sanitizing and Disposing of Media 514


        Network and Resource Management 515


    Incident Management 516


        Event Versus Incident 516


        Incident Response Team and Incident Investigations 516


        Rules of Engagement, Authorization, and Scope 517


        Incident Response Procedures 517


        Incident Response Management 518


        Detect 518


        Respond 518


        Mitigate 519


        Report 519


        Recover 519


        Remediate 520


        Lessons Learned and Review 520


    Preventive Measures 520


        Clipping Levels 520


        Deviations from Standards 520


        Unusual or Unexplained Events 521


        Unscheduled Reboots 521


        Unauthorized Disclosure 521


        Trusted Recovery 521


        Trusted Paths 521


        Input/Output Controls 522


        System Hardening 522


        Vulnerability Management Systems 522


        IDS/IPS 523


        Firewalls 523


        Whitelisting/Blacklisting 523


        Third-Party Security Services 523


        Sandboxing 524


        Honeypots/Honeynets 524


        Anti-malware/Antivirus 524


    Patch Management 524


    Change Management Processes 525


    Recovery Strategies 526


        Redundant Systems, Facilities, and Power 526


        Fault-Tolerance Technologies 526


        Insurance 527


        Data Backup 527


        Fire Detection and Suppression 527


        High Availability 528


        Quality of Service 528


        System Resilience 529


        Create Recovery Strategies 529


        Categorize Asset Recovery Priorities 530


        Business Process Recovery 530


        Facility Recovery 531


        Supply and Technology Recovery 534


        User Environment Recovery 537


        Data Recovery 537


        Training Personnel 541


    Disaster Recovery 541


        Response 542


        Personnel 542


        Damage Assessment Team 543


        Legal Team 543


        Media Relations Team 543


        Recovery Team 543


        Relocation Team 543


        Restoration Team 544


        Salvage Team 544


        Security Team 544


        Communications 544


        Assessment 544


        Restoration 545


        Training and Awareness 545


    Testing Recovery Plans 545


        Read-Through Test 546


        Checklist Test 546


        Table-Top Exercise 546


        Structured Walk-Through Test 547


        Simulation Test 547


        Parallel Test 547


        Full-Interruption Test 547


        Functional Drill 547


        Evacuation Drill 547


    Business Continuity Planning and Exercises 547


    Physical Security 548


        Perimeter Security 548


        Gates and Fences 549


        Perimeter Intrusion Detection 550


        Lighting 552


        Patrol Force 553


        Access Control 553


        Building and Internal Security 554


    Personnel Privacy and Safety 554


        Duress 554


        Travel 555


        Monitoring 555


    Exam Preparation Tasks 555


    Review All Key Topics 555


    Define Key Terms 556


    Answer Review Questions 557


    Answers and Explanations 560


Chapter 8 Software Development Security 565


    Software Development Concepts 566


        Machine Languages 566


        Assembly Languages and Assemblers 566


        High-Level Languages, Compilers, and Interpreters 566


        Object-Oriented Programming 567


        Polymorphism 568


        Polyinstantiation 568


        Encapsulation 568


        Cohesion 569


        Coupling 569


        Data Structures 569


        Distributed Object-Oriented Systems 569


        CORBA 569


        COM and DCOM 570


        OLE 570


        Java 570


        SOA 571


        Mobile Code 571


        Java Applets 571


        ActiveX 571


    Security in the System and Software Development Life Cycle 572


        System Development Life Cycle 572


        Initiate 572


        Acquire/Develop 573


        Implement 573


        Operate/Maintain 573


        Dispose 574


        Software Development Life Cycle 574


        Plan/Initiate Project 575


        Gather Requirements 575


        Design 576


        Develop 576


        Test/Validate 576


        Release/Maintain 577


        Certify/Accredit 578


        Change Management and Configuration Management/Replacement 578


        Software Development Methods and Maturity Models 578


        Build and Fix 579


        Waterfall 580


        V-Shaped 580


        Prototyping 582


        Modified Prototype Model (MPM) 582


        Incremental 582


        Spiral 583


        Agile 583


        Rapid Application Development (RAD) 584


        Joint Analysis Development (JAD) 585


        Cleanroom 585


        Structured Programming Development 585


        Exploratory Model 586


        Computer-Aided Software Engineering (CASE) 586


        Component-Based Development 586


        CMMI 586


        ISO 9001:2015/90003:2014 587


        Integrated Product Team 588


    Security Controls in Development 589


        Software Development Security Best Practices 589


        WASC 590


        OWASP 590


        BSI 590


        ISO/IEC 27000 590


        Software Environment Security 591


        Source Code Issues 591


        Buffer Overflow 591


        Escalation of Privileges 593


        Backdoor 593


        Rogue Programmers 594


        Covert Channel 594


        Object Reuse 594


        Mobile Code 594


        Time of Check/Time of Use (TOC/TOU) 595


        Source Code Analysis Tools 595


        Code Repository Security 595


        Application Programming Interface Security 596


        Software Threats 596


        Malware 596


        Malware Protection 600


        Scanning Types 601


        Security Policies 601


        Software Protection Mechanisms 601


    Assess Software Security Effectiveness 602


        Auditing and Logging 603


        Risk Analysis and Mitigation 603


        Regression and Acceptance Testing 604


    Security Impact of Acquired Software 604


    Exam Preparation Tasks 605


    Review All Key Topics 605


    Define Key Terms 605


    Answer Review Questions 606


    Answers and Explanations 609


Glossary 613


Appendix A Memory Tables 671


Appendix B Memory Tables Answer Key 683


TOC, 9780789755186, 5/2/2016



Introduction 3


    The Goals of the CISSP Certification 3


        Sponsoring Bodies 3


        Stated Goals 4


    The Value of the CISSP Certification 4


        To the Security Professional 4


        To the Enterprise 5


    The Common Body of Knowledge 5


        Security and Risk Management (e.g. Security, Risk, Compliance, Law, Regulations, Business Continuity) 5


        Asset Security (Protecting Security of Assets) 6


        Security Engineering (Engineering and Management of Security) 6


        Communication and Network Security (Designing and Protecting Network Security) 7


        Identity and Access Management (Controlling Access and Managing Identity) 7


        Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing) 7


        Security Operations (e.g. Foundational Concepts, Investigations, Incident Management, Disaster Recovery) 8


        Software Development Security (Understanding, Applying, and Enforcing Software Security) 8


    Steps to Becoming a CISSP 9


        Qualifying for the Exam 9


        Signing Up for the Exam 9


        About the CISSP Exam 10


Chapter 1 Security and Risk Management 14


    Security Terms 15


        CIA 15


        Confidentiality 15


        Integrity 16


        Availability 16


        Default Stance 16


        Defense in Depth 16


        Job Rotation 17


        Separation of Duties 17


    Security Governance Principles 17


        Security Function Alignment 18


        Organizational Strategy and Goals 19


        Organizational Mission and Objectives 19


        Business Case 19


        Security Budget, Metrics, and Effectiveness 20


        Resources 20


        Organizational Processes 21


        Acquisitions and Divestitures 21


        Governance Committees 23


        Security Roles and Responsibilities 23


        Board of Directors 23


        Management 24


        Audit Committee 25


        Data Owner 25


        Data Custodian 25


        System Owner 25


        System Administrator 25


        Security Administrator 26


        Security Analyst 26


        Application Owner 26


        Supervisor 26


        User 26


        Auditor 26


        Control Frameworks 27


        ISO/IEC 27000 Series 27


        Zachman Framework 30


        The Open Group Architecture Framework (TOGAF) 31


        Department of Defense Architecture Framework (DoDAF) 31


        British Ministry of Defence Architecture Framework (MODAF) 31


        Sherwood Applied Business Security Architecture (SABSA) 31


        Control Objectives for Information and Related Technology (CobiT) 32


        National Institute of Standards and Technology (NIST) Special Publication (SP) 33


        Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework 34


        Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) 34


        Information Technology Infrastructure Library (ITIL) 34


        Six Sigma 36


        Capability Maturity Model Integration (CMMI) 37


        CCTA Risk Analysis and Management Method (CRAMM) 37


        Top-Down Versus Bottom-Up Approach 38


        Security Program Life Cycle 38


        Due Care 39


        Due Diligence 39


    Compliance 40


        Legislative and Regulatory Compliance 41


        Privacy Requirements Compliance 42


    Legal and Regulatory Issues 42


        Computer Crime Concepts 42


        Computer-Assisted Crime 43


        Computer-Targeted Crime 43


        Incidental Computer Crime 43


        Computer Prevalence Crime 43


        Hackers Versus Crackers 44


        Computer Crime Examples 44


        Major Legal Systems 45


        Civil Code Law 45


        Common Law 46


        Criminal Law 46


        Civil/Tort Law 46


        Administrative/Regulatory Law 46


        Customary Law 47


        Religious Law 47


        Mixed Law 47


        Licensing and Intellectual Property 47


        Patent 47


        Trade Secret 48


        Trademark 49


        Copyright 49


        Software Piracy and Licensing Issues 50


        Internal Protection 51


        Digital Rights Management (DRM) 51


        Import/Export Controls 51


        Trans-Border Data Flow 52


        Privacy 52


        Personally Identifiable Information (PII) 52


        Laws and Regulations 53


        Data Breaches 58


    Professional Ethics 59


        (ISC)2 Code of Ethics 59


        Computer Ethics Institute 59


        Internet Architecture Board 60


        Organizational Ethics 60


    Security Documentation 60


        Policies 61


        Organizational Security Policy 62


        System-Specific Security Policy 63


        Issue-Specific Security Policy 63


        Policy Categories 63


        Standards 64


        Baselines 64


        Guidelines 64


        Procedures 64


    Business Continuity 64


        Business Continuity and Disaster Recovery Concepts 65


        Disruptions 65


        Disasters 66


        Disaster Recovery and the Disaster Recovery Plan (DRP) 67


        Continuity Planning and the Business Continuity Plan (BCP) 67


        Business Impact Analysis (BIA) 67


        Contingency Plan 67


        Availability 68


        Reliability 68


        Project Scope and Plan 68


        Personnel Components 68


        Project Scope 69


        Business Continuity Steps 69


        Business Impact Analysis Development 70


        Identify Critical Processes and Resources 71


        Identify Outage Impacts, and Estimate Downtime 71


        Identify Resource Requirements 72


        Identify Recovery Priorities 72


        Recoverability 73


        Fault Tolerance 73


    Personnel Security Policies 73


        Employment Candidate Screening 73


        Employment Agreement and Policies 75


        Employment Termination Policies 75


        Vendor, Consultant, and Contractor Controls 76


        Compliance 76


        Privacy 76


    Risk Management Concepts 77


        Vulnerability 77


        Threat 77


        Threat Agent 77


        Risk 77


        Exposure 77


        Countermeasure 78


        Risk Management Policy 78


        Risk Management Team 79


        Risk Analysis Team 79


        Risk Assessment 79


        Information and Asset (Tangible/Intangible) Value and Costs 81


        Identify Threats and Vulnerabilities 82


        Risk Assessment/Analysis 82


        Countermeasure (Safeguard) Selection 84


        Total Risk Versus Residual Risk 85


        Handling Risk 85


        Implementation 86


        Access Control Categories 86


        Compensative 87


        Corrective 87


        Detective 87


        Deterrent 87


        Directive 87


        Preventive 87


        Recovery 88


        Access Control Types 88


        Administrative (Management) Controls 88


        Logical (Technical) Controls 90


        Physical Controls 91


        Control Assessment, Monitoring, and Measurement 92


        Reporting and Continuous Improvement 92


        Risk Frameworks 93


    Threat Modeling 93


        Identifying Threats 94


        Potential Attacks 96


        Remediation Technologies and Processes 96


    Security Risks in Acquisitions 97


        Hardware, Software, and Services 97


        Third-Party Governance 97


        Onsite Assessment 98


        Document Exchange/Review 98


        Process/Policy Review 98


        Other Third-Party Governance Issues 98


        Minimum Security Requirements 98


    Minimum Service-Level Requirements 99


        Security Education, Training, and Awareness 100


        Levels Required 100


    Periodic Review 101


    Exam Preparation Tasks 101


    Review All Key Topics 101


    Complete the Tables and Lists from Memory 102


    Define Key Terms 102


    Answer Review Questions 103


    Answers and Explanations 107


Chapter 2 Asset Security 113


    Asset Security Concepts 114


        Data Policy 114


        Roles and Responsibilities 115


        Data Owner 116


        Data Custodian 116


        Data Quality 116


        Data Documentation and Organization 117


    Classify Information and Assets 118


        Sensitivity and Criticality 119


        Commercial Business Classifications 119


        Military and Government Classifications 120


        Information Life Cycle 121


        Databases 122


        DBMS Architecture and Models 122


        Database Interface Languages 124


        Data Warehouses and Data Mining 125


        Database Maintenance 126


        Database Threats 126


        Data Audit 127


    Asset Ownership 128


        Data Owners 128


        System Owners 129


        Business/Mission Owners 129


    Asset Management 129


        Redundancy and Fault Tolerance 130


        Backup and Recovery Systems 130


        Identity and Access Management 130


        RAID 131


        SAN 135


        NAS 135


        HSM 135


        Network and Resource Management 136


    Asset Privacy 137


        Data Processors 137


        Data Storage and Archiving 137


        Data Remanence 138


        Collection Limitation 139


    Data Retention 140


    Data Security and Controls 141


        Data Security 141


        Data at Rest 141


        Data in Transit 141


        Data Access and Sharing 142


        Baselines 142


        Scoping and Tailoring 143


        Standards Selection 144


        Cryptography 146


        Link Encryption 147


        End-to-End Encryption 147


    Asset Handling Requirements 147


        Marking, Labeling, and Storing 148


        Destruction 148


    Exam Preparation Tasks 148


    Review All Key Topics 148


    Complete the Tables and Lists from Memory 149


    Define Key Terms 149


    Answers and Explanations 152


Chapter 3 Security Engineering 157


    Engineering Using Secure Design Principles 158


    Security Model Concepts 161


        Confidentiality, Integrity, and Availability 161


        Security Modes 161


        Dedicated Security Mode 162


        System High Security Mode 162


        Compartmented Security Mode 162


        Multilevel Security Mode 162


        Assurance 163


        Defense in Depth 163


        Security Model Types 163


        State Machine Models 164


        Multilevel Lattice Models 164


        Matrix-Based Models 164


        Non-inference Models 165


        Information Flow Models 165


        Security Models 165


        Bell-LaPadula Model 166


        Biba Model 167


        Clark-Wilson Integrity Model 168


        Lipner Model 169


        Brewer-Nash (Chinese Wall) Model 169


        Graham-Denning Model 169


        Harrison-Ruzzo-Ullman Model 169


        System Architecture Steps 170


        ISO/IEC 42010:2011 170


        Computing Platforms 171


        Mainframe/Thin Clients 171


        Distributed Systems 171


        Middleware 172


        Embedded Systems 172


        Mobile Computing 172


        Virtual Computing 172


        Security Services 173


        Boundary Control Services 173


        Access Control Services 173


        Integrity Services 174


        Cryptography Services 174


        Auditing and Monitoring Services 174


        System Components 174


        CPU and Multiprocessing 174


        Memory and Storage 175


        Input/Output Devices 177


        Operating Systems 178


        Multitasking 179


        Memory Management 180


    System Security Evaluation Models 180


        TCSEC 181


        Rainbow Series 181


        Orange Book 181


        Red Book 184


        ITSEC 184


        Common Criteria 186


        Security Implementation Standards 187


        ISO/IEC 27001 188


        ISO/IEC 27002 189


        Payment Card Industry Data Security Standard (PCI-DSS) 190


        Controls and Countermeasures 190


    Security Capabilities of Information Systems 191


        Memory Protection 191


        Virtualization 191


        Trusted Platform Module (TPM) 192


        Interfaces 193


        Fault Tolerance 193


    Certification and Accreditation 193


    Security Architecture Maintenance 194


    Vulnerabilities of Security Architectures, Designs, and Solution Elements 194


        Client-Based 195


        Server-Based 196


        Data Flow Control 196


        Database Security 196


        Inference 197


        Aggregation 197


        Contamination 197


        Data Mining Warehouse 197


        Distributed Systems 197


        Cloud Computing 198


        Grid Computing 199


        Peer-to-Peer Computing 199


        Large-Scale Parallel Data Systems 201


        Cryptographic Systems 201


        Industrial Control Systems 202


    Vulnerabilities in Web-Based Systems 203


        Maintenance Hooks 203


        Time-of-Check/Time-of-Use Attacks 204


        Web-Based Attacks 204


        XML 204


        SAML 204


        OWASP 205


    Vulnerabilities in Mobile Systems 205


    Vulnerabilities in Embedded Devices and Cyber-Physical Systems 208


        Cryptography 209


        Cryptography Concepts 209


        Cryptographic Life Cycle 211


        Cryptography History 211


        Julius Caesar and the Caesar Cipher 212


        Vigenere Cipher 213


        Kerckhoff’s Principle 214


        World War II Enigma 214


        Lucifer by IBM 215


        Cryptosystem Features 215


        Authentication 215


        Confidentiality 215


        Integrity 216


        Authorization 216


        Non-repudiation 216


        Key Management 216


    Cryptographic Types 217


        Running Key and Concealment Ciphers 217


        Substitution Ciphers 218


        Transposition Ciphers 219


        Symmetric Algorithms 219


        Stream-based Ciphers 220


        Block Ciphers 221


        Initialization Vectors (IVs) 221


        Asymmetric Algorithms 221


        Hybrid Ciphers 222


        Substitution Ciphers 223


        One-Time Pads 223


        Steganography 224


    Symmetric Algorithms 224


        Digital Encryption Standard (DES) and Triple DES (3DES) 225


        DES Modes 225


        Triple DES (3DES) and Modes 228


        Advanced Encryption Standard (AES) 228


        IDEA 229


        Skipjack 229


        Blowfish 229


        Twofish 230


        RC4/RC5/RC6 230


        CAST 230


    Asymmetric Algorithms 231


        Diffie-Hellman 231


        RSA 232


        El Gamal 233


        ECC 233


        Knapsack 233


        Zero Knowledge Proof 233


    Public Key Infrastructure 234


        Certification Authority (CA) and Registration Authority (RA) 234


        OCSP 235


        Certificates 235


        Certificate Revocation List (CRL) 236


        PKI Steps 236


        Cross-Certification 236


    Key Management Practices 237


    Digital Signatures 245


    Digital Rights Management (DRM) 246


    Message Integrity 246


        Hashing 247


        One-Way Hash 248


        MD2/MD4/MD5/MD6 249


        SHA/SHA-2/SHA-3 250


        HAVAL 250


        RIPEMD-160 251


        Tiger 251


        Message Authentication Code 251


        HMAC 251


        CBC-MAC 252


        CMAC 252


        Salting 252


    Cryptanalytic Attacks 253


        Ciphertext-Only Attack 254


        Known Plaintext Attack 254


        Chosen Plaintext Attack 254


        Chosen Ciphertext Attack 254


        Social Engineering 255


        Brute Force 255


        Differential Cryptanalysis 255


        Linear Cryptanalysis 255


        Algebraic Attack 255


        Frequency Analysis 255


        Birthday Attack 256


        Dictionary Attack 256


        Replay Attack 256


        Analytic Attack 256


        Statistical Attack 256


        Factoring Attack 257


        Reverse Engineering 257


        Meet-in-the-Middle Attack 257


    Geographical Threats 257


        Internal Versus External Threats 257


        Natural Threats 257


        Hurricanes/Tropical Storms 258


        Tornadoes 258


        Earthquakes 258


        Floods 258


        System Threats 259


        Electrical 259


        Communications 259


        Utilities 260


        Human-Caused Threats 260


        Explosions 261


        Fire 261


        Vandalism 262


        Fraud 262


        Theft 262


        Collusion 262


        Politically Motivated Threats 262


        Strikes 263


        Riots 263


        Civil Disobedience 263


        Terrorist Acts 263


        Bombing 264


    Site and Facility Design 264


        Layered Defense Model 264


        CPTED 264


        Natural Access Control 264


        Natural Surveillance 265


        Natural Territorial Reinforcement 265


        Physical Security Plan 265


        Deter Criminal Activity 265


        Delay Intruders 266


        Detect Intruders 266


        Assess Situation 266


        Respond to Intrusions and Disruptions 266


        Facility Selection Issues 266


        Visibility 266


        Surrounding Area and External Entities 267


        Accessibility 267


        Construction 267


        Internal Compartments 268


        Computer and Equipment Rooms 268


    Building and Internal Security 269


        Doors 269


        Door Lock Types 269


        Turnstiles and Mantraps 270


        Locks 270


        Biometrics 271


        Glass Entries 272


        Visitor Control 272


        Equipment Rooms 273


        Work Areas 273


        Secure Data Center 273


        Restricted Work Area 273


        Media Storage Facilities 274


        Evidence Storage 274


    Environmental Security 274


        Fire Protection 274


        Fire Detection 274


        Fire Suppression 275


        Power Supply 276


        Types of Outages 276


        Preventive Measures 277


        HVAC 277


        Water Leakage and Flooding 278


        Environmental Alarms 278


    Equipment Security 278


        Corporate Procedures 278


        Tamper Protection 278


        Encryption 279


        Inventory 279


        Physical Protection of Security Devices 279


        Tracking Devices 279


        Portable Media Procedures 280


        Safes, Vaults, and Locking 280


    Exam Preparation Tasks 280


    Review All Key Topics 280


    Complete the Tables and Lists from Memory 282


    Define Key Terms 282


    Answer Review Questions 283


    Answers and Explanations 288


Chapter 4 Communication and Network Security 293


    Secure Network Design Principles 294


        OSI Model 294


        Application Layer 295


        Presentation Layer 295


        Session Layer 296


        Transport Layer 296


        Network Layer 296


        Data Link Layer 297


        Physical Layer 297


        TCP/IP Model 298


        Application Layer 299


        Transport Layer 300


        Internet Layer 302


        Link Layer 304


        Encapsulation 304


    IP Networking 305


        Common TCP/UDP Ports 305


        Logical and Physical Addressing 307


    IPv4 307


        IP Classes 308


        Public Versus Private IP Addresses 309


        NAT 310


        IPv4 Versus IPv6 310


        MAC Addressing 311


        Network Transmission 311


        Analog Versus Digital 311


        Asynchronous Versus Synchronous 312


        Broadband Versus Baseband 313


        Unicast, Multicast, and Broadcast 314


        Wired Versus Wireless 315


        Network Types 315


        LAN 315


        Intranet 316


        Extranet 316


        MAN 316


        WAN 317


    Protocols and Services 317


        ARP 317


        DHCP 318


        DNS 319


        FTP, FTPS, SFTP 319


        HTTP, HTTPS, SHTTP 320


        ICMP 320


        IMAP 321


        LDAP 321


        NAT 321


        NetBIOS 321


        NFS 321


        PAT 321


        POP 322


        CIFS/SMB 322


        SMTP 322


        SNMP 322


        Multi-Layer Protocols 322


    Converged Protocols 323


        FCoE 324


        MPLS 324


        VoIP 325


        iSCSI 325


    Wireless Networks 326


        FHSS, DSSS, OFDM, VOFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 326


        802.11 Techniques 326


        Cellular or Mobile Wireless Techniques 327


        Satellites 327


        WLAN Structure 328


        Access Point 328


        SSID 328


        Infrastructure Mode Versus Ad Hoc Mode 328


        WLAN Standards 329


        802.11 329


        802.11a 329


        802.11ac 329


        802.11b 329


        802.11f 329


        802.11g 330


        802.11n 330


        Bluetooth 330


        Infrared 330


        Near Field Communication (NFC) 331


        WLAN Security 331


        Open System Authentication 331


        Shared Key Authentication 331


        WEP 331


        WPA 332


        WPA2 332


        Personal Versus Enterprise 332


        SSID Broadcast 333


        MAC Filter 333


    Communications Cryptography 333


        Link Encryption 333


        End-to-End Encryption 334


        Email Security 334


        PGP 335


        MIME and S/MIME 335


        Quantum Cryptography 336


        Internet Security 336


        Remote Access 336


        SSL/TLS 337


        HTTP, HTTPS, and S-HTTP 337


        SET 337


        Cookies 338


        SSH 338


        IPsec 338


    Secure Network Components 339


        Hardware 339


        Network Devices 340


        Network Routing 351


        Transmission Media 354


        Cabling 354


        Network Topologies 358


        Network Technologies 362


        WAN Technologies 369


        Network Access Control Devices 374


        Quarantine/Remediation 376


        Firewalls/Proxies 376


        Endpoint Security 376


        Content Distribution Networks 377


    Secure Communication Channels 377


        Voice 377


        Multimedia Collaboration 377


        Remote Meeting Technology 378


        Instant Messaging 378


        Remote Access 379


        Remote Connection Technologies 379


        VPN Screen Scraper 388


        Virtual Application/Desktop 388


        Telecommuting 388


        Virtualized Networks 389


        SDN 389


        Virtual SAN 389


        Guest Operating Systems 390


    Network Attacks 390


        Cabling 390


        Noise 390


        Attenuation 391


        Crosstalk 391


        Eavesdropping 391


        Network Component Attacks 391


        Non-Blind Spoofing 392


        Blind Spoofing 392


        Man-in-the-Middle Attack 392


        MAC Flooding Attack 392


        802.1Q and Inter-Switch Link Protocol (ISL) Tagging Attack 393


        Double-Encapsulated 802.1Q/Nested VLAN Attack 393


        ARP Attack 393


        ICMP Attacks 393


        Ping of Death 394


        Smurf 394


        Fraggle 394


        ICMP Redirect 394


        Ping Scanning 395


        Traceroute Exploitation 395


        DNS Attacks 395


        DNS Cache Poisoning 395


        DoS 396


        DDoS 396


        DNSSEC 396


        URL Hiding 397


        Domain Grabbing 397


        Cybersquatting 397


        Email Attacks 397


        Email Spoofing 397


        Spear Phishing 398


        Whaling 398


        Spam 398


        Wireless Attacks 399


        Wardriving 399


        Warchalking 399


        Remote Attacks 399


        Other Attacks 400


        SYN ACK Attacks 400


        Session Hijacking 400


        Port Scanning 400


        Teardrop 401


        IP Address Spoofing 401


    Exam Preparation Tasks 401


    Review All Key Topics 401


    Define Key Terms 402


    Answer Review Questions 404


    Answers and Explanations 406


Chapter 5 Identity and Access Management 409


    Access Control Process 410


        Identify Resources 410


        Identify Users 410


    Identify the Relationships Between Resources and Users 411


    Physical and Logical Access to Assets 411


        Access Control Administration 412


        Centralized 412


        Decentralized 412


        Provisioning Life Cycle 413


        Information 413


        Systems 413


        Devices 414


        Facilities 414


    Identification and Authentication Concepts 415


        Five Factors for Authentication 415


        Knowledge Factors 416


        Ownership Factors 420


        Characteristic Factors 422


        Location Factors 427


        Time Factors 427


    Identification and Authentication Implementation 427


        Separation of Duties 427


        Least Privilege/Need-to-Know 428


        Default to No Access 429


        Directory Services 429


        Single Sign-on 430


        Kerberos 431


        SESAME 433


        Federated Identity Management 433


        Security Domains 434


        Session Management 434


        Registration and Proof of Identity 434


        Credential Management Systems 435


        Accountability 436


        Auditing and Reporting 437


    Identity as a Service (IDaaS) Implementation 438


    Third-Party Identity Services Implementation 439


    Authorization Mechanisms 439


        Access Control Models 439


        Discretionary Access Control 440


        Mandatory Access Control 440


        Role-Based Access Control 440


        Rule-Based Access Control 441


        Content-Dependent Versus Context-Dependent 441


        Access Control Matrix 442


        Access Control Policies 442


    Access Control Threats 443


        Password Threats 443


        Dictionary Attack 443


        Brute-Force Attack 444


        Social Engineering Threats 444


        Phishing/Pharming 444


        Shoulder Surfing 445


        Identity Theft 445


        Dumpster Diving 445


        DoS/DDoS 445


        Buffer Overflow 446


        Mobile Code 446


        Malicious Software 446


        Spoofing 447


        Sniffing and Eavesdropping 447


        Emanating 447


        Backdoor/Trapdoor 448


    Prevent or Mitigate Access Control Threats 448


    Exam Preparation Tasks 449


    Review All Key Topics 449


    Define Key Terms 449


    Review Questions 450


    Answers and Explanations 452


Chapter 6 Security Assessment and Testing 455


    Assessment and Testing Strategies 456


    Security Control Testing 456


        Vulnerability Assessment 456


        Penetration Testing 457


        Log Reviews 459


        NIST SP 800-92 460


        Synthetic Transactions 464


        Code Review and Testing 464


        Misuse Case Testing 465


        Test Coverage Analysis 466


        Interface Testing 466


    Collect Security Process Data 466


        NIST SP 800-137 467


        Account Management 467


        Management Review 468


        Key Performance and Risk Indicators 468


        Backup Verification Data 469


        Training and Awareness 469


        Disaster Recovery and Business Continuity 470


    Analyze and Report Test Outputs 470


    Internal and Third-Party Audits 470


    Exam Preparation Tasks 472


    Review All Key Topics 472


    Define Key Terms 472


    Review Questions 473


    Answers and Explanations 475


Chapter 7 Security Operations 480


    Investigations 481


        Forensic and Digital Investigations 481


        Identify Evidence 482


        Preserve and Collect Evidence 483


        Examine and Analyze Evidence 484


        Present Findings 484


        Decide 484


        IOCE/SWGDE and NIST 484


        Crime Scene 485


        MOM 486


        Chain of Custody 486


        Interviewing 487


        Evidence 487


        Five Rules of Evidence 488


        Types of Evidence 488


        Surveillance, Search, and Seizure 490


        Media Analysis 491


        Software Analysis 491


        Network Analysis 492


        Hardware/Embedded Device Analysis 492


    Investigation Types 493


        Operations 493


        Criminal 493


        Civil 493


        Regulatory 494


        eDiscovery 494


    Logging and Monitoring Activities 494


        Audit and Review 494


        Intrusion Detection and Prevention 495


        Security Information and Event Management (SIEM) 496


        Continuous Monitoring 496


        Egress Monitoring 496


    Resource Provisioning 497


        Asset Inventory 497


        Configuration Management 498


        Physical Assets 500


        Virtual Assets 500


        Cloud Assets 501


        Applications 501


    Security Operations Concepts 501


        Need to Know/Least Privilege 501


        Managing Accounts, Groups, and Roles 501


        Separation of Duties 502


        Job Rotation 503


        Sensitive Information Procedures 503


        Record Retention 504


        Monitor Special Privileges 504


        Information Life Cycle 504


        Service-Level Agreements 505


    Resource Protection 505


        Protecting Tangible and Intangible Assets 505


        Facilities 505


        Hardware 506


        Software 506


        Information Assets 507


        Asset Management 507


        Redundancy and Fault Tolerance 507


        Backup and Recovery Systems 508


        Identity and Access Management 508


        Media Management 509


        Media History 513


        Media Labeling and Storage 514


        Sanitizing and Disposing of Media 514


        Network and Resource Management 515


    Incident Management 516


        Event Versus Incident 516


        Incident Response Team and Incident Investigations 516


        Rules of Engagement, Authorization, and Scope 517


        Incident Response Procedures 517


        Incident Response Management 518


        Detect 518


        Respond 518


        Mitigate 519


        Report 519


        Recover 519


        Remediate 520


        Lessons Learned and Review 520


    Preventive Measures 520


        Clipping Levels 520


        Deviations from Standards 520


        Unusual or Unexplained Events 521


        Unscheduled Reboots 521


        Unauthorized Disclosure 521


        Trusted Recovery 521


        Trusted Paths 521


        Input/Output Controls 522


        System Hardening 522


        Vulnerability Management Systems 522


        IDS/IPS 523


        Firewalls 523


        Whitelisting/Blacklisting 523


        Third-Party Security Services 523


        Sandboxing 524


        Honeypots/Honeynets 524


        Anti-malware/Antivirus 524


    Patch Management 524


    Change Management Processes 525


    Recovery Strategies 526


        Redundant Systems, Facilities, and Power 526


        Fault-Tolerance Technologies 526


        Insurance 527


        Data Backup 527


        Fire Detection and Suppression 527


        High Availability 528


        Quality of Service 528


        System Resilience 529


        Create Recovery Strategies 529


        Categorize Asset Recovery Priorities 530


        Business Process Recovery 530


        Facility Recovery 531


        Supply and Technology Recovery 534


        User Environment Recovery 537


        Data Recovery 537


        Training Personnel 541


    Disaster Recovery 541


        Response 542


        Personnel 542


        Damage Assessment Team 543


        Legal Team 543


        Media Relations Team 543


        Recovery Team 543


        Relocation Team 543


        Restoration Team 544


        Salvage Team 544


        Security Team 544


        Communications 544


        Assessment 544


        Restoration 545


        Training and Awareness 545


    Testing Recovery Plans 545


        Read-Through Test 546


        Checklist Test 546


        Table-Top Exercise 546


        Structured Walk-Through Test 547


        Simulation Test 547


        Parallel Test 547


        Full-Interruption Test 547


        Functional Drill 547


        Evacuation Drill 547


    Business Continuity Planning and Exercises 547


    Physical Security 548


        Perimeter Security 548


        Gates and Fences 549


        Perimeter Intrusion Detection 550


        Lighting 552


        Patrol Force 553


        Access Control 553


        Building and Internal Security 554


    Personnel Privacy and Safety 554


        Duress 554


        Travel 555


        Monitoring 555


    Exam Preparation Tasks 555


    Review All Key Topics 555


    Define Key Terms 556


    Answer Review Questions 557


    Answers and Explanations 560


Chapter 8 Software Development Security 565


    Software Development Concepts 566


        Machine Languages 566


        Assembly Languages and Assemblers 566


        High-Level Languages, Compilers, and Interpreters 566


        Object-Oriented Programming 567


        Polymorphism 568


        Polyinstantiation 568


        Encapsulation 568


        Cohesion 569


        Coupling 569


        Data Structures 569


        Distributed Object-Oriented Systems 569


        CORBA 569


        COM and DCOM 570


        OLE 570


        Java 570


        SOA 571


        Mobile Code 571


        Java Applets 571


        ActiveX 571


    Security in the System and Software Development Life Cycle 572


        System Development Life Cycle 572


        Initiate 572


        Acquire/Develop 573


        Implement 573


        Operate/Maintain 573


        Dispose 574


        Software Development Life Cycle 574


        Plan/Initiate Project 575


        Gather Requirements 575


        Design 576


        Develop 576


        Test/Validate 576


        Release/Maintain 577


        Certify/Accredit 578


        Change Management and Configuration Management/Replacement 578


        Software Development Methods and Maturity Models 578


        Build and Fix 579


        Waterfall 580


        V-Shaped 580


        Prototyping 582


        Modified Prototype Model (MPM) 582


        Incremental 582


        Spiral 583


        Agile 583


        Rapid Application Development (RAD) 584


        Joint Analysis Development (JAD) 585


        Cleanroom 585


        Structured Programming Development 585


        Exploratory Model 586


        Computer-Aided Software Engineering (CASE) 586


        Component-Based Development 586


        CMMI 586


        ISO 9001:2015/90003:2014 587


        Integrated Product Team 588


    Security Controls in Development 589


        Software Development Security Best Practices 589


        WASC 590


        OWASP 590


        BSI 590


        ISO/IEC 27000 590


        Software Environment Security 591


        Source Code Issues 591


        Buffer Overflow 591


        Escalation of Privileges 593


        Backdoor 593


        Rogue Programmers 594


        Covert Channel 594


        Object Reuse 594


        Mobile Code 594


        Time of Check/Time of Use (TOC/TOU) 595


        Source Code Analysis Tools 595


        Code Repository Security 595


        Application Programming Interface Security 596


        Software Threats 596


        Malware 596


        Malware Protection 600


        Scanning Types 601


        Security Policies 601


        Software Protection Mechanisms 601


    Assess Software Security Effectiveness 602


        Auditing and Logging 603


        Risk Analysis and Mitigation 603


        Regression and Acceptance Testing 604


    Security Impact of Acquired Software 604


    Exam Preparation Tasks 605


    Review All Key Topics 605


    Define Key Terms 605


    Answer Review Questions 606


    Answers and Explanations 609


Glossary 613


Appendix A Memory Tables 671


Appendix B Memory Tables Answer Key 683


TOC, 9780789755186, 5/2/2016