CISSP All-in-One Exam Guide, 6th Edition

Book Description

A complete, up-to-date revision of the leading CISSP training resource from the #1 name in IT security certification and training, Shon Harris. Well regarded for its engaging and informative style, CISSP All-in-One Exam Guide, Sixth Edition provides 100% complete coverage of the exam objectives for the Certified Information Security Specialist credentialing exam from (ISC)2. Updated to ensure total coverage of the latest body of knowledge and domains from (ISC)2, this new edition also provides references for government employees and contractors subject to new requirements. Exam tips highlight actual exam topics, and technical discussion sidebars offer a level of instruction not found in other certification guides. The All-in-One also includes hands-on examples and exercises that reinforce practical learning, and sample practice questions at the end of each chapter that test for comprehension and prepare you for each subject area or domain of the exam.

Table of Contents

  1. Cover Page
  2. CISSP ALL IN ONE EXAM GUIDE, SIXTH EDITION
  3. Copyright Page
  4. ABOUT THE AUTHOR
  5. CONTENTS AT A GLANCE
  6. CONTENTS
  7. Foreword
  8. Acknowledgments
  9. Chapter 1 Becoming a CISSP
    1. Why Become a CISSP?
    2. The CISSP Exam
    3. CISSP: A Brief History
    4. How Do You Sign Up for the Exam?
    5. What Does This Book Cover?
    6. Tips for Taking the CISSP Exam
    7. How to Use This Book
      1. Questions
      2. Answers
  10. Chapter 2 Information Security Governance and Risk Management
    1. Fundamental Principles of Security
      1. Availability
      2. Integrity
      3. Confidentiality
      4. Balanced Security
    2. Security Definitions
    3. Control Types
    4. Security Frameworks
      1. ISO/IEC 27000 Series
      2. Enterprise Architecture Development
      3. Security Controls Development
      4. COSO
      5. Process Management Development
      6. Functionality vs. Security
    5. Security Management
    6. Risk Management
      1. Who Really Understands Risk Management?
      2. Information Risk Management Policy
      3. The Risk Management Team
    7. Risk Assessment and Analysis
      1. Risk Analysis Team
      2. The Value of Information and Assets
      3. Costs That Make Up the Value
      4. Identifying Vulnerabilities and Threats
      5. Methodologies for Risk Assessment
      6. Risk Analysis Approaches
      7. Qualitative Risk Analysis
      8. Protection Mechanisms
      9. Putting It Together
      10. Total Risk vs. Residual Risk
      11. Handling Risk
      12. Outsourcing
    8. Policies, Standards, Baselines, Guidelines, and Procedures
      1. Security Policy
      2. Standards
      3. Baselines
      4. Guidelines
      5. Procedures
      6. Implementation
    9. Information Classification
      1. Classification Levels
      2. Classification Controls
    10. Layers of Responsibility
      1. Board of Directors
      2. Executive Management
      3. Chief Information Officer
      4. Chief Privacy Officer
      5. Chief Security Officer
    11. Security Steering Committee
      1. Audit Committee
      2. Data Owner
      3. Data Custodian
      4. System Owner
      5. Security Administrator
      6. Security Analyst
      7. Application Owner
      8. Supervisor
      9. Change Control Analyst
      10. Data Analyst
      11. Process Owner
      12. Solution Provider
      13. User
      14. Product Line Manager
      15. Auditor
      16. Why So Many Roles?
      17. Personnel Security
      18. Hiring Practices
      19. Termination
      20. Security-Awareness Training
      21. Degree or Certification?
    12. Security Governance
      1. Metrics
    13. Summary
    14. Quick Tips
      1. Questions
      2. Answers
  11. Chapter 3 Access Control
    1. Access Controls Overview
    2. Security Principles
      1. Availability
      2. Integrity
      3. Confidentiality
    3. Identification, Authentication, Authorization, and Accountability
      1. Identification and Authentication
      2. Password Management
      3. Authorization
    4. Access Control Models
      1. Discretionary Access Control
      2. Mandatory Access Control
      3. Role-Based Access Control
    5. Access Control Techniques and Technologies
      1. Rule-Based Access Control
      2. Constrained User Interfaces
      3. Access Control Matrix
      4. Content-Dependent Access Control
      5. Context-Dependent Access Control
    6. Access Control Administration
      1. Centralized Access Control Administration
      2. Decentralized Access Control Administration
    7. Access Control Methods
      1. Access Control Layers
      2. Administrative Controls
      3. Physical Controls
      4. Technical Controls
    8. Accountability
      1. Review of Audit Information
      2. Protecting Audit Data and Log Information
      3. Keystroke Monitoring
    9. Access Control Practices
      1. Unauthorized Disclosure of Information
    10. Access Control Monitoring
      1. Intrusion Detection
      2. Intrusion Prevention Systems
    11. Threats to Access Control
      1. Dictionary Attack
      2. Brute Force Attacks
      3. Spoofing at Logon
      4. Phishing and Pharming
      5. Threat Modeling
    12. Summary
    13. Quick Tips
      1. Questions
      2. Answers
  12. Chapter 4 Security Architecture and Design
    1. Computer Security
    2. System Architecture
    3. Computer Architecture
      1. The Central Processing Unit
      2. Multiprocessing
      3. Operating System Components
      4. Memory Types
      5. Virtual Memory
      6. Input/Output Device Management
      7. CPU Architecture
    4. Operating System Architectures
      1. Virtual Machines
    5. System Security Architecture
      1. Security Policy
      2. Security Architecture Requirements
    6. Security Models
      1. State Machine Models
      2. Bell-LaPadula Model
      3. Biba Model
      4. Clark-Wilson Model
      5. Information Flow Model
      6. Noninterference Model
      7. Lattice Model
      8. Brewer and Nash Model
      9. Graham-Denning Model
      10. Harrison-Ruzzo-Ullman Model
    7. Security Modes of Operation
      1. Dedicated Security Mode
      2. System High-Security Mode
      3. Compartmented Security Mode
      4. Multilevel Security Mode
      5. Trust and Assurance
    8. Systems Evaluation Methods
      1. Why Put a Product Through Evaluation?
      2. The Orange Book
    9. The Orange Book and the Rainbow Series
      1. The Red Book
    10. Information Technology Security Evaluation Criteria
    11. Common Criteria
    12. Certification vs. Accreditation
      1. Certification
      2. Accreditation
    13. Open vs. Closed Systems
      1. Open Systems
      2. Closed Systems
    14. A Few Threats to Review
      1. Maintenance Hooks
      2. Time-of-Check/Time-of-Use Attacks
    15. Summary
    16. Quick Tips
      1. Questions
      2. Answers
  13. Chapter 5 Physical and Environmental Security
    1. Introduction to Physical Security
    2. The Planning Process
      1. Crime Prevention Through Environmental Design
      2. Designing a Physical Security Program
    3. Protecting Assets
    4. Internal Support Systems
      1. Electric Power
      2. Environmental Issues
      3. Ventilation
      4. Fire Prevention, Detection, and Suppression
    5. Perimeter Security
      1. Facility Access Control
      2. Personnel Access Controls
      3. External Boundary Protection Mechanisms
      4. Intrusion Detection Systems
      5. Patrol Force and Guards
      6. Dogs
      7. Auditing Physical Access
      8. Testing and Drills
    6. Summary
    7. Quick Tips
      1. Questions
      2. Answers
  14. Chapter 6 Telecommunications and Network Security
    1. Telecommunications
    2. Open Systems Interconnection Reference Model
      1. Protocol
      2. Application Layer
      3. Presentation Layer
      4. Session Layer
      5. Transport Layer
      6. Network Layer
      7. Data Link Layer
      8. Physical Layer
      9. Functions and Protocols in the OSI Model
      10. Tying the Layers Together
    3. TCP/IP Model
      1. TCP
      2. IP Addressing
      3. IPv6
      4. Layer 2 Security Standards
    4. Types of Transmission
      1. Analog and Digital
      2. Asynchronous and Synchronous
      3. Broadband and Baseband
    5. Cabling
      1. Coaxial Cable
      2. Twisted-Pair Cable
      3. Fiber-Optic Cable
      4. Cabling Problems
    6. Networking Foundations
      1. Network Topology
      2. Media Access Technologies
      3. Network Protocols and Services
      4. Domain Name Service
      5. E-mail Services
      6. Network Address Translation
      7. Routing Protocols
    7. Networking Devices
      1. Repeaters
      2. Bridges
      3. Routers
      4. Switches
      5. Gateways
      6. PBXs
      7. Firewalls
      8. Proxy Servers
      9. Honeypot
      10. Unified Threat Management
      11. Cloud Computing
    8. Intranets and Extranets
    9. Metropolitan Area Networks
    10. Wide Area Networks
      1. Telecommunications Evolution
      2. Dedicated Links
      3. WAN Technologies
    11. Remote Connectivity
      1. Dial-up Connections
      2. ISDN
      3. DSL
      4. Cable Modems
      5. VPN
      6. Authentication Protocols
    12. Wireless Technologies
      1. Wireless Communications
      2. WLAN Components
      3. Wireless Standards
      4. War Driving for WLANs
      5. Satellites
      6. Mobile Wireless Communication
      7. Mobile Phone Security
    13. Summary
    14. Quick Tips
      1. Questions
      2. Answers
  15. Chapter 7 Cryptography
    1. The History of Cryptography
    2. Cryptography Definitions and Concepts
      1. Kerckhoffs’ Principle
      2. The Strength of the Cryptosystem
      3. Services of Cryptosystems
      4. One-Time Pad
      5. Running and Concealment Ciphers
      6. Steganography
    3. Types of Ciphers
      1. Substitution Ciphers
      2. Transposition Ciphers
    4. Methods of Encryption
      1. Symmetric vs. Asymmetric Algorithms
      2. Symmetric Cryptography
      3. Block and Stream Ciphers
      4. Hybrid Encryption Methods
      5. Types of Symmetric Systems
      6. Data Encryption Standard
      7. Triple-DES
      8. The Advanced Encryption Standard
      9. International Data Encryption Algorithm
      10. Blowfish
      11. RC4
      12. RC5
      13. RC6
    5. Types of Asymmetric Systems
      1. The Diffie-Hellman Algorithm
      2. RSA
      3. El Gamal
      4. Elliptic Curve Cryptosystems
      5. Knapsack
      6. Zero Knowledge Proof
    6. Message Integrity
      1. The One-Way Hash
      2. Various Hashing Algorithms
      3. MD2
      4. MD4
      5. MD5
      6. Attacks Against One-Way Hash Functions
      7. Digital Signatures
      8. Digital Signature Standard
    7. Public Key Infrastructure
      1. Certificate Authorities
      2. Certificates
      3. The Registration Authority
      4. PKI Steps
    8. Key Management
      1. Key Management Principles
      2. Rules for Keys and Key Management
    9. Trusted Platform Module
      1. TPM Uses
    10. Link Encryption vs. End-to-End Encryption
    11. E-mail Standards
      1. Multipurpose Internet Mail Extension
      2. Pretty Good Privacy
    12. Internet Security
      1. Start with the Basics
    13. Attacks
      1. Ciphertext-Only Attacks
      2. Known-Plaintext Attacks
      3. Chosen-Plaintext Attacks
      4. Chosen-Ciphertext Attacks
      5. Differential Cryptanalysis
      6. Linear Cryptanalysis
      7. Side-Channel Attacks
      8. Replay Attacks
      9. Algebraic Attacks
      10. Analytic Attacks
      11. Statistical Attacks
      12. Social Engineering Attacks
      13. Meet-in-the-Middle Attacks
    14. Summary
    15. Quick Tips
      1. Questions
      2. Answers
  16. Chapter 8 Business Continuity and Disaster Recovery Planning
    1. Business Continuity and Disaster Recovery
      1. Standards and Best Practices
      2. Making BCM Part of the Enterprise Security Program
    2. BCP Project Components
      1. Scope of the Project
      2. BCP Policy
      3. Project Management
      4. Business Continuity Planning Requirements
      5. Business Impact Analysis (BIA)
      6. Interdependencies
    3. Preventive Measures
    4. Recovery Strategies
      1. Business Process Recovery
      2. Facility Recovery
      3. Supply and Technology Recovery
      4. Choosing a Software Backup Facility
      5. End-User Environment
      6. Data Backup Alternatives
      7. Electronic Backup Solutions
      8. High Availability
    5. Insurance
    6. Recovery and Restoration
      1. Developing Goals for the Plans
      2. Implementing Strategies
    7. Testing and Revising the Plan
      1. Checklist Test
      2. Structured Walk-Through Test
      3. Simulation Test
      4. Parallel Test
      5. Full-Interruption Test
      6. Other Types of Training
      7. Emergency Response
      8. Maintaining the Plan
    8. Summary
    9. Quick Tips
      1. Questions
      2. Answers
  17. Chapter 9 Legal, Regulations, Investigations, and Compliance
    1. The Many Facets of Cyberlaw
    2. The Crux of Computer Crime Laws
    3. Complexities in Cybercrime
      1. Electronic Assets
      2. The Evolution of Attacks
      3. International Issues
      4. Types of Legal Systems
    4. Intellectual Property Laws
      1. Trade Secret
      2. Copyright
      3. Trademark
      4. Patent
      5. Internal Protection of Intellectual Property
      6. Software Piracy
    5. Privacy
      1. The Increasing Need for Privacy Laws
      2. Laws, Directives, and Regulations
    6. Liability and Its Ramifications
      1. Personal Information
      2. Hacker Intrusion
      3. Third-Party Risk
      4. Contractual Agreements
      5. Procurement and Vendor Processes
    7. Compliance
    8. Investigations
      1. Incident Management
      2. Incident Response Procedures
      3. Computer Forensics and Proper Collection of Evidence
      4. International Organization on Computer Evidence
      5. Motive, Opportunity, and Means
      6. Computer Criminal Behavior
      7. Incident Investigators
      8. The Forensics Investigation Process
      9. What Is Admissible in Court?
      10. Surveillance, Search, and Seizure
      11. Interviewing and Interrogating
      12. A Few Different Attack Types
      13. Cybersquatting
    9. Ethics
      1. The Computer Ethics Institute
      2. The Internet Architecture Board
      3. Corporate Ethics Programs
    10. Summary
    11. Quick Tips
      1. Questions
      2. Answers
  18. Chapter 10 Software Development Security
    1. Software’s Importance
    2. Where Do We Place Security?
      1. Different Environments Demand Different Security
      2. Environment versus Application
      3. Functionality versus Security
      4. Implementation and Default Issues
    3. System Development Life Cycle
      1. Initiation
      2. Acquisition/Development
      3. Implementation
      4. Operations/Maintenance
      5. Disposal
    4. Software Development Life Cycle
      1. Project Management
      2. Requirements Gathering Phase
      3. Design Phase
      4. Development Phase
      5. Testing/Validation Phase
      6. Release/Maintenance Phase
    5. Secure Software Development Best Practices
    6. Software Development Models
      1. Build and Fix Model
      2. Waterfall Model
      3. V-Shaped Model (V-Model)
      4. Prototyping
      5. Incremental Model
      6. Spiral Model
      7. Rapid Application Development
      8. Agile Model
    7. Capability Maturity Model Integration
    8. Change Control
      1. Software Configuration Management
    9. Programming Languages and Concepts
      1. Assemblers, Compilers, Interpreters
      2. Object-Oriented Concepts
    10. Distributed Computing
      1. Distributed Computing Environment
      2. CORBA and ORBs
      3. COM and DCOM
      4. Java Platform, Enterprise Edition
      5. Service-Oriented Architecture
    11. Mobile Code
      1. Java Applets
      2. ActiveX Controls
    12. Web Security
      1. Specific Threats for Web Environments
      2. Web Application Security Principles
    13. Database Management
      1. Database Management Software
      2. Database Models
      3. Database Programming Interfaces
      4. Relational Database Components
      5. Integrity
      6. Database Security Issues
      7. Data Warehousing and Data Mining
    14. Expert Systems/Knowledge-Based Systems
    15. Artificial Neural Networks
    16. Malicious Software (Malware)
      1. Viruses
      2. Worms
      3. Rootkit
      4. Spyware and Adware
      5. Botnets
      6. Logic Bombs
      7. Trojan Horses
      8. Antivirus Software
      9. Spam Detection
      10. Antimalware Programs
    17. Summary
    18. Quick Tips
      1. Questions
      2. Answers
  19. Chapter 11 Security Operations
    1. The Role of the Operations Department
    2. Administrative Management
      1. Security and Network Personnel
      2. Accountability
      3. Clipping Levels
    3. Assurance Levels
    4. Operational Responsibilities
      1. Unusual or Unexplained Occurrences
      2. Deviations from Standards
      3. Unscheduled Initial Program Loads (aka Rebooting)
      4. Asset Identification and Management
      5. System Controls
      6. Trusted Recovery
      7. Input and Output Controls
      8. System Hardening
      9. Remote Access Security
    5. Configuration Management
      1. Change Control Process
      2. Change Control Documentation
    6. Media Controls
    7. Data Leakage
    8. Network and Resource Availability
      1. Mean Time Between Failures
      2. Mean Time to Repair
      3. Single Points of Failure
      4. Backups
      5. Contingency Planning
    9. Mainframes
    10. E-mail Security
      1. How E-mail Works
      2. Facsimile Security
      3. Hack and Attack Methods
    11. Vulnerability Testing
      1. Penetration Testing
      2. Wardialing
      3. Other Vulnerability Types
      4. Postmortem
    12. Summary
    13. Quick Tips
      1. Questions
      2. Answers
  20. Appendix A Comprehensive Questions
    1. Answers
  21. Appendix B About the Download
    1. Downloading the Total Tester
    2. Total Tester System Requirements
      1. Installing and Running Total Tester
      2. About Total Tester CISSP Practice Exam Software
    3. Media Center Download
      1. Cryptography Video Sample
      2. Technical Support
  22. Glossary
  23. Index