CISSP® All-in-One Exam Guide

Book Description

Get complete coverage of the latest release of the Certified Information Systems Security Professional (CISSP) exam inside this comprehensive, fully updated resource. Written by the leading expert in IT security certification and training, this authoritative guide covers all 10 CISSP exam domains developed by the International Information Systems Security Certification Consortium (ISC2). You'll find learning objectives at the beginning of each chapter, exam tips, practice exam questions, and in-depth explanations. Designed to help you pass the CISSP exam with ease, this definitive volume also serves as an essential on-the-job reference.

COVERS ALL 10 CISSP DOMAINS:

• Information security and risk management
• Access control
• Security architecture and design
• Physical and environmental security
• Telecommunications and network security
• Cryptography
• Business continuity and disaster recovery planning
• Legal regulations, compliance, and investigations
• Application security
• Operations security

THE CD-ROM FEATURES:

• Hundreds of practice exam questions
• Video training excerpt from the author
• E-book

Shon Harris, CISSP, is a security consultant, a former member of the Information Warfare unit in the Air Force, and a contributing writer to Information Security Magazine and Windows 2000 Magazine. She is the author of the previous editions of this book.

Table of Contents

  1. Cover Page
  2. CISSP® All-in-One Exam Guide
  3. Copyright Page
  4. Fm
  5. Contents
  6. Forewords
  7. Acknowledgments
  8. Introduction
  9. Chapter 1 Becoming a CISSP
    1. Why Become a CISSP?
    2. The CISSP Exam
    3. CISSP: A Brief History
    4. How Do You Become a CISSP?
    5. What Does This Book Cover?
    6. Tips for Taking the CISSP Exam
    7. How to Use This Book
      1. Questions
      2. Answers
  10. Chapter 2 Security Trends
    1. How Security Became an Issue
    2. Areas of Security
    3. Benign to Scary
      1. Evidence of the Evolution of Hacking
      2. How Are Nations Affected?
      3. How Are Companies Affected?
      4. The U.S. Government’s Actions
    4. Politics and Laws
      1. So What Does This Mean to Us?
    5. Hacking and Attacking
    6. Management
    7. A Layered Approach
      1. An Architectural View
      2. A Layer Missed
      3. Bringing the Layers Together
    8. Education
    9. Summary
  11. Chapter 3 Information Security and Risk Management
    1. Security Management
      1. Security Management Responsibilities
      2. The Top-Down Approach to Security
    2. Security Administration and Supporting Controls
      1. Fundamental Principles of Security
      2. Availability
      3. Integrity
      4. Confidentiality
      5. Security Definitions
      6. Security Through Obscurity
    3. Organizational Security Model
      1. Security Program Components
    4. Information Risk Management
      1. Who Really Understands Risk Management?
      2. Information Risk Management Policy
      3. The Risk Management Team
    5. Risk Analysis
      1. The Risk Analysis Team
      2. The Value of Information and Assets
      3. Costs That Make Up the Value
      4. Identifying Threats
      5. Failure and Fault Analysis
      6. Quantitative Risk Analysis
      7. Qualitative Risk Analysis
      8. Quantitative vs. Qualitative
      9. Protection Mechanisms
      10. Putting It Together
      11. Total Risk vs. Residual Risk
      12. Handling Risk
    6. Policies, Standards, Baselines, Guidelines, and Procedures
      1. Security Policy
      2. Standards
      3. Baselines
      4. Guidelines
      5. Procedures
      6. Implementation
    7. Information Classification
      1. Private Business vs. Military Classifications
      2. Classification Controls
    8. Layers of Responsibility
      1. Who’s Involved?
      2. The Data Owner
      3. The Data Custodian
      4. The System Owner
      5. The Security Administrator
      6. The Security Analyst
      7. The Application Owner
      8. The Supervisor
      9. The Change Control Analyst
      10. The Data Analyst
      11. The Process Owner
      12. The Solution Provider
      13. The User
      14. The Product Line Manager
      15. The Auditor
      16. Why So Many Roles?
      17. Personnel
      18. Structure
      19. Hiring Practices
      20. Employee Controls
      21. Termination
    9. Security-Awareness Training
      1. Different Types of Security-Awareness Training
      2. Evaluating the Program
      3. Specialized Security Training
    10. Summary
    11. Quick Tips
      1. Questions
      2. Answers
  12. Chapter 4 Access Control
    1. Access Controls Overview
    2. Security Principles
      1. Availability
      2. Integrity
      3. Confidentiality
    3. Identification, Authentication, Authorization, and Accountability
      1. Identification and Authentication
      2. Password Management
      3. Authorization
    4. Access Control Models
      1. Discretionary Access Control
      2. Mandatory Access Control
      3. Role-Based Access Control
    5. Access Control Techniques and Technologies
      1. Rule-Based Access Control
      2. Constrained User Interfaces
      3. Access Control Matrix
      4. Content-Dependent Access Control
      5. Context-Dependent Access Control
    6. Access Control Administration
      1. Centralized Access Control Administration
      2. Decentralized Access Control Administration
    7. Access Control Methods
      1. Access Control Layers
      2. Administrative Controls
      3. Physical Controls
      4. Technical Controls
    8. Access Control Types
      1. Preventive: Administrative
      2. Preventive: Physical
      3. Preventive: Technical
    9. Accountability
      1. Review of Audit Information
      2. Keystroke Monitoring
      3. Protecting Audit Data and Log Information
    10. Access Control Practices
      1. Unauthorized Disclosure of Information
    11. Access Control Monitoring
      1. Intrusion Detection
      2. Intrusion Prevention Systems
    12. A Few Threats to Access Control
      1. Dictionary Attack
      2. Brute Force Attacks
      3. Spoofing at Logon
    13. Summary
    14. Quick Tips
      1. Questions
      2. Answers
  13. Chapter 5 Security Architecture and Design
    1. Computer Architecture
    2. The Central Processing Unit
      1. Multiprocessing
      2. Operating System Architecture
      3. Process Activity
      4. Memory Management
      5. Memory Types
      6. Virtual Memory
      7. CPU Modes and Protection Rings
      8. Operating System Architecture
      9. Domains
      10. Layering and Data Hiding
      11. The Evolution of Terminology
      12. Virtual Machines
      13. Additional Storage Devices
      14. Input/Output Device Management
    3. System Architecture
      1. Defined Subsets of Subjects and Objects
      2. Trusted Computing Base
      3. Security Perimeter
      4. Reference Monitor and Security Kernel
      5. Security Policy
      6. Least Privilege
    4. Security Models
      1. State Machine Models
      2. The Bell-LaPadula Model
      3. The Biba Model
      4. The Clark-Wilson Model
      5. The Information Flow Model
      6. The Noninterference Model
      7. The Lattice Model
      8. The Brewer and Nash Model
      9. The Graham-Denning Model
      10. The Harrison-Ruzzo-Ullman Model
    5. Security Modes of Operation
      1. Dedicated Security Mode
      2. System High-Security Mode
      3. Compartmented Security Mode
      4. Multilevel Security Mode
      5. Trust and Assurance
    6. Systems Evaluation Methods
      1. Why Put a Product Through Evaluation?
      2. The Orange Book
    7. The Orange Book and the Rainbow Series
      1. The Red Book
    8. Information Technology Security Evaluation Criteria
    9. Common Criteria
    10. Certification vs. Accreditation
      1. Certification
      2. Accreditation
    11. Open vs. Closed Systems
      1. Open Systems
      2. Closed Systems
    12. Enterprise Architecture
    13. A Few Threats to Review
      1. Maintenance Hooks
      2. Time-of-Check/Time-of-Use Attacks
      3. Buffer Overflows
    14. Summary
    15. Quick Tips
      1. Questions
      2. Answers
  14. Chapter 6 Physical and Environmental Security
    1. Introduction to Physical Security
    2. The Planning Process
      1. Crime Prevention Through Environmental Design
      2. Designing a Physical Security Program
    3. Protecting Assets
    4. Internal Support Systems
      1. Electric Power
      2. Environmental Issues
      3. Ventilation
      4. Fire Prevention, Detection, and Suppression
    5. Perimeter Security
      1. Facility Access Control
      2. Personnel Access Controls
      3. External Boundary Protection Mechanisms
      4. Intrusion Detection Systems
      5. Patrol Force and Guards
      6. Dogs
      7. Auditing Physical Access
      8. Testing and Drills
    6. Summary
    7. Quick Tips
      1. Questions
      2. Answers
  15. Chapter 7 Telecommunications and Network Security
    1. Open Systems Interconnection Reference Model
      1. Protocol
      2. Application Layer
      3. Presentation Layer
      4. Session Layer
      5. Transport Layer
      6. Network Layer
      7. Data Link Layer
      8. Physical Layer
      9. Functions and Protocols in the OSI Model
      10. Tying the Layers Together
    2. TCP/IP
      1. TCP
      2. IP Addressing
      3. IPv6
    3. Types of Transmission
      1. Analog and Digital
      2. Asynchronous and Synchronous
      3. Broadband and Baseband
    4. LAN Networking
      1. Network Topology
      2. LAN Media Access Technologies
      3. Cabling
      4. Transmission Methods
      5. Media Access Technologies
      6. LAN Protocols
    5. Routing Protocols
    6. Networking Devices
      1. Repeaters
      2. Bridges
      3. Routers
      4. Switches
      5. Gateways
      6. PBXs
      7. Firewalls
      8. Honeypot
      9. Network Segregation and Isolation
    7. Networking Services and Protocols
      1. Domain Name Service
      2. Directory Services
      3. Lightweight Directory Access Protocol
      4. Network Address Translation
    8. Intranets and Extranets
    9. Metropolitan Area Networks
    10. Wide Area Networks
      1. Telecommunications Evolution
      2. Dedicated Links
      3. WAN Technologies
    11. Remote Access
      1. Dial-Up and RAS
      2. ISDN
      3. DSL
      4. Cable Modems
      5. VPN
      6. Authentication Protocols
      7. Remote Access Guidelines
    12. Wireless Technologies
      1. Wireless Communications
      2. WLAN Components
      3. Wireless Standards
      4. WAP
      5. i-Mode
      6. Mobile Phone Security
      7. War Driving for WLANs
      8. Satellites
    13. Rootkits
      1. Spyware and Adware
      2. Instant Messaging
    14. Summary
    15. Quick Tips
      1. Questions
      2. Answers
  16. Chapter 8 Cryptography
    1. The History of Cryptography
    2. Cryptography Definitions and Concepts
      1. Kerckhoffs’ Principle
      2. The Strength of the Cryptosystem
      3. Services of Cryptosystems
      4. One-Time Pad
      5. Running and Concealment Ciphers
      6. Steganography
    3. Types of Ciphers
      1. Substitution Ciphers
      2. Transposition Ciphers
    4. Methods of Encryption
      1. Symmetric vs. Asymmetric Algorithms
      2. Symmetric Cryptography
      3. Block and Stream Ciphers
      4. Hybrid Encryption Methods
    5. Types of Symmetric Systems
      1. Data Encryption Standard
      2. Triple-DES
      3. The Advanced Encryption Standard
      4. International Data Encryption Algorithm
      5. Blowfish
      6. RC4
      7. RC5
      8. RC6
    6. Types of Asymmetric Systems
      1. The Diffie-Hellman Algorithm
      2. RSA
      3. El Gamal
      4. Elliptic Curve Cryptosystems
      5. LUC
      6. Knapsack
      7. Zero Knowledge Proof
    7. Message Integrity
      1. The One-Way Hash
      2. Various Hashing Algorithms
      3. MD2
      4. MD4
      5. MD5
      6. Attacks Against One-Way Hash Functions
      7. Digital Signatures
      8. Digital Signature Standard
    8. Public Key Infrastructure
      1. Certificate Authorities
      2. Certificates
      3. The Registration Authority
      4. PKI Steps
    9. Key Management
      1. Key Management Principles
      2. Rules for Keys and Key Management
    10. Link Encryption vs. End-to-End Encryption
    11. E-mail Standards
      1. Multipurpose Internet Mail Extension
      2. Privacy-Enhanced Mail
      3. Message Security Protocol
      4. Pretty Good Privacy
      5. Quantum Cryptography
    12. Internet Security
      1. Start with the Basics
    13. Attacks
      1. Cipher-Only Attacks
      2. Known-Plaintext Attacks
      3. Chosen-Plaintext Attacks
      4. Chosen-Ciphertext Attacks
      5. Differential Cryptanalysis
      6. Linear Cryptanalysis
      7. Side-Channel Attacks
      8. Replay Attacks
      9. Algebraic Attacks
      10. Analytic Attacks
      11. Statistical Attacks
    14. Summary
    15. Quick Tips
      1. Questions
      2. Answers
  17. Chapter 9 Business Continuity and Disaster Recovery
    1. Business Continuity and Disaster Recovery
      1. Business Continuity Steps
      2. Making BCP Part of the Security Policy and Program
      3. Project Initiation
    2. Business Continuity Planning Requirements
      1. Business Impact Analysis
      2. Preventive Measures
      3. Recovery Strategies
      4. Business Process Recovery
      5. Facility Recovery
      6. Supply and Technology Recovery
      7. The End-User Environment
      8. Data Backup Alternatives
      9. Electronic Backup Solutions
      10. Choosing a Software Backup Facility
      11. Insurance
      12. Recovery and Restoration
      13. Developing Goals for the Plans
      14. Implementing Strategies
      15. Testing and Revising the Plan
      16. Maintaining the Plan
    3. Summary
    4. Quick Tips
      1. Questions
      2. Answers
  18. Chapter 10 Legal, Regulations, Compliance, and Investigations
    1. The Many Facets of Cyberlaw
    2. The Crux of Computer Crime Laws
    3. Complexities in Cybercrime
      1. Electronic Assets
      2. The Evolution of Attacks
      3. Different Countries
      4. Types of Laws
    4. Intellectual Property Laws
      1. Trade Secret
      2. Copyright
      3. Trademark
      4. Patent
      5. Internal Protection of Intellectual Property
      6. Software Piracy
    5. Privacy
      1. Laws, Directives, and Regulations
    6. Liability and Its Ramifications
      1. Personal Information
      2. Hacker Intrusion
    7. Investigations
      1. Incident Response
      2. Incident Response Procedures
      3. Computer Forensics and Proper Collection of Evidence
      4. International Organization on Computer Evidence
      5. Motive, Opportunity, and Means
      6. Computer Criminal Behavior
      7. Incident Investigators
      8. The Forensics Investigation Process
      9. What Is Admissible in Court?
      10. Surveillance, Search, and Seizure
      11. Interviewing and Interrogating
      12. A Few Different Attack Types
    8. Ethics
      1. The Computer Ethics Institute
      2. The Internet Architecture Board
      3. Corporate Ethics Programs
    9. Summary
    10. Quick Tips
      1. Questions
      2. Answers
  19. Chapter 11 Application Security
    1. Software’s Importance
    2. Where Do We Place the Security?
    3. Different Environments Demand Different Security
    4. Environment vs. Application
    5. Complexity of Functionality
    6. Data Types, Format, and Length
    7. Implementation and Default Issues
    8. Failure States
    9. Database Management
      1. Database Management Software
      2. Database Models
      3. Database Programming Interfaces
      4. Relational Database Components
      5. Integrity
      6. Database Security Issues
      7. Data Warehousing and Data Mining
    10. System Development
      1. Management of Development
      2. Life-Cycle Phases
      3. Software Development Methods
      4. Computer-Aided Software Engineering
      5. Prototyping
      6. Secure Design Methodology
      7. Secure Development Methodology
      8. Security Testing
      9. Change Control
      10. The Capability Maturity Model
      11. Software Escrow
    11. Application Development Methodology
    12. Object-Oriented Concepts
      1. Polymorphism
      2. Data Modeling
      3. Software Architecture
      4. Data Structures
      5. Cohesion and Coupling
    13. Distributed Computing
      1. CORBA and ORBs
      2. COM and DCOM
      3. Enterprise JavaBeans
      4. Object Linking and Embedding
      5. Distributed Computing Environment
    14. Expert Systems and Knowledge-Based Systems
    15. Artificial Neural Networks
    16. Web Security
      1. Vandalism
      2. Financial Fraud
      3. Privileged Access
      4. Theft of Transaction Information
      5. Theft of Intellectual Property
      6. Denial-of-Service (DoS) Attacks
      7. Create a Quality Assurance Process
      8. Web Application Firewalls
      9. Intrusion Prevention Systems
      10. Implement SYN Proxies on the Firewall
      11. Specific Threats for Web Environments
    17. Mobile Code
      1. Java Applets
      2. ActiveX Controls
      3. Malicious Software (Malware)
      4. Antivirus Software
      5. Spam Detection
      6. Anti-Malware Programs
    18. Patch Management
      1. Step 1: Infrastructure
      2. Step 2: Research
      3. Step 3: Assess and Test
      4. Step 4: Mitigation (“Rollback”)
      5. Step 5: Deployment (“Rollout”)
      6. Step 6: Validation, Reporting, and Logging
      7. Limitations to Patching
      8. Best Practices
      9. Anything Else?
      10. Attacks
    19. Summary
    20. Quick Tips
      1. Questions
      2. Answers
  20. Chapter 12 Operations Security
    1. The Role of the Operations Department
    2. Administrative Management
      1. Security and Network Personnel
      2. Accountability
      3. Clipping Levels
    3. Assurance Levels
    4. Operational Responsibilities
      1. Unusual or Unexplained Occurrences
      2. Deviations from Standards
      3. Unscheduled Initial Program Loads (a.k.a. Rebooting)
      4. Asset Identification and Management
      5. System Controls
      6. Trusted Recovery
      7. Input and Output Controls
      8. System Hardening
      9. Remote Access Security
    5. Configuration Management
      1. Change Control Process
      2. Change Control Documentation
    6. Media Controls
    7. Data Leakage
    8. Network and Resource Availability
      1. Mean Time Between Failures (MTBF)
      2. Mean Time to Repair (MTTR)
      3. Single Points of Failure
      4. Backups
      5. Contingency Planning
    9. Mainframes
    10. E-mail Security
      1. How E-mail Works
      2. Facsimile Security
      3. Hack and Attack Methods
    11. Vulnerability Testing
      1. Penetration Testing
      2. Wardialing
      3. Other Vulnerability Types
      4. Postmortem
    12. Summary
    13. Quick Tips
      1. Questions
      2. Answers
  21. Appendix A Security Content Automation Protocol Overview
    1. Background
    2. SCAP—More Than Just a Protocol
    3. A Vulnerability Management Problem
    4. A Vulnerability Management Solution—SCAP and SCAP Specifications
    5. SCAP Product Validation Program
    6. The Future of Security Automation
    7. Conclusion
  22. Appendix B About the CD-ROM
    1. Running the QuickTime Cryptography Video Sample
      1. Troubleshooting
    2. Installing Total Seminars’ Test Software
      1. Navigation
      2. Practice Mode
      3. Final Mode
      4. Minimum System Requirements for Total Seminars’ Software
      5. Technical Support
  23. Glossary
  24. Index