CISSP All-in-One Exam Guide, Seventh Edition, 7th Edition

Book Description

Completely revised and updated for the 2015 CISSP body of knowledge, this new edition by Fernando Maymì continues Shon Harris’s bestselling legacy, providing a comprehensive overhaul of the content that has made this book the leading resource for CISSP exam success and made Harris the #1 name in IT security certification.

This bestselling self-study guide fully prepares candidates for the challenging Certified Information Systems Security Professional exam and offers 100% coverage of all eight exam domains. This edition has been thoroughly revised to cover the new CISSP 2015 Common Body of Knowledge, including new hot spot and drag and drop question formats, and more.

Each chapter features learning objectives, exam tips, practice questions, and in-depth explanations. Beyond exam prep, the guide also serves as an ideal on-the-job reference for IT security professionals. CISSP All-in-One Exam Guide, Seventh Edition provides real-world insights and cautions that call out potentially harmful situations.

  • Fully updated to cover the 8 new domains in the 2015 CISSP body of knowledge
  • Written by leading experts in IT security certification and training
  • Features new hot spot and drag-and-drop question formats
  • Electronic content includes 1400+ updated practice exam questions

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. About the Authors
  6. Contents
  7. In Memory of Shon Harris
  8. Foreword
  9. Acknowledgments
  10. From the Author
  11. Why Become a CISSP?
  12. Chapter 1 Security and Risk Management
    1. Fundamental Principles of Security
      1. Availability
      2. Integrity
      3. Confidentiality
      4. Balanced Security
    2. Security Definitions
    3. Control Types
    4. Security Frameworks
      1. ISO/IEC 27000 Series
      2. Enterprise Architecture Development
      3. Security Controls Development
      4. Process Management Development
      5. Functionality vs. Security
    5. The Crux of Computer Crime Laws
    6. Complexities in Cybercrime
      1. Electronic Assets
      2. The Evolution of Attacks
      3. International Issues
      4. Types of Legal Systems
    7. Intellectual Property Laws
      1. Trade Secret
      2. Copyright
      3. Trademark
      4. Patent
      5. Internal Protection of Intellectual Property
      6. Software Piracy
    8. Privacy
      1. The Increasing Need for Privacy Laws
      2. Laws, Directives, and Regulations
      3. Employee Privacy Issues
    9. Data Breaches
      1. U.S. Laws Pertaining to Data Breaches
      2. Other Nations’ Laws Pertaining to Data Breaches
    10. Policies, Standards, Baselines, Guidelines, and Procedures
      1. Security Policy
      2. Standards
      3. Baselines
      4. Guidelines
      5. Procedures
      6. Implementation
    11. Risk Management
      1. Holistic Risk Management
      2. Information Systems Risk Management Policy
      3. The Risk Management Team
      4. The Risk Management Process
    12. Threat Modeling
      1. Vulnerabilities
      2. Threats
      3. Attacks
      4. Reduction Analysis
    13. Risk Assessment and Analysis
      1. Risk Analysis Team
      2. The Value of Information and Assets
      3. Costs That Make Up the Value
      4. Identifying Vulnerabilities and Threats
      5. Methodologies for Risk Assessment
      6. Risk Analysis Approaches
      7. Qualitative Risk Analysis
      8. Protection Mechanisms
      9. Putting It Together
      10. Total Risk vs. Residual Risk
      11. Handling Risk
      12. Outsourcing
    14. Risk Management Frameworks
      1. Categorize Information System
      2. Select Security Controls
      3. Implement Security Controls
      4. Assess Security Controls
      5. Authorize Information System
      6. Monitor Security Controls
    15. Business Continuity and Disaster Recovery
      1. Standards and Best Practices
      2. Making BCM Part of the Enterprise Security Program
      3. BCP Project Components
    16. Personnel Security
      1. Hiring Practices
      2. Termination
      3. Security-Awareness Training
      4. Degree or Certification?
    17. Security Governance
      1. Metrics
    18. Ethics
      1. The Computer Ethics Institute
      2. The Internet Architecture Board
      3. Corporate Ethics Programs
    19. Summary
    20. Quick Tips
      1. Questions
      2. Answers
  13. Chapter 2 Asset Security
    1. Information Life Cycle
      1. Acquisition
      2. Use
      3. Archival
      4. Disposal
    2. Information Classification
      1. Classifications Levels
      2. Classification Controls
    3. Layers of Responsibility
      1. Executive Management
      2. Data Owner
      3. Data Custodian
      4. System Owner
      5. Security Administrator
      6. Supervisor
      7. Change Control Analyst
      8. Data Analyst
      9. User
      10. Auditor
      11. Why So Many Roles?
    4. Retention Policies
      1. Developing a Retention Policy
    5. Protecting Privacy
      1. Data Owners
      2. Data Processers
      3. Data Remanence
      4. Limits on Collection
    6. Protecting Assets
      1. Data Security Controls
      2. Media Controls
    7. Data Leakage
      1. Data Leak Prevention
    8. Protecting Other Assets
      1. Protecting Mobile Devices
      2. Paper Records
      3. Safes
    9. Summary
    10. Quick Tips
      1. Questions
      2. Answers
  14. Chapter 3 Security Engineering
    1. System Architecture
    2. Computer Architecture
      1. The Central Processing Unit
      2. Multiprocessing
      3. Memory Types
    3. Operating Systems
      1. Process Management
      2. Memory Management
      3. Input/Output Device Management
      4. CPU Architecture Integration
      5. Operating System Architectures
      6. Virtual Machines
    4. System Security Architecture
      1. Security Policy
      2. Security Architecture Requirements
    5. Security Models
      1. Bell-LaPadula Model
      2. Biba Model
      3. Clark-Wilson Model
      4. Noninterference Model
      5. Brewer and Nash Model
      6. Graham-Denning Model
      7. Harrison-Ruzzo-Ullman Model
    6. Systems Evaluation
      1. Common Criteria
      2. Why Put a Product Through Evaluation?
    7. Certification vs. Accreditation
      1. Certification
      2. Accreditation
    8. Open vs. Closed Systems
      1. Open Systems
      2. Closed Systems
    9. Distributed System Security
      1. Cloud Computing
      2. Parallel Computing
      3. Databases
      4. Web Applications
      5. Mobile Devices
      6. Cyber-Physical Systems
    10. A Few Threats to Review
      1. Maintenance Hooks
      2. Time-of-Check/Time-of-Use Attacks
    11. Cryptography in Context
      1. The History of Cryptography
    12. Cryptography Definitions and Concepts
      1. Kerckhoffs’ Principle
      2. The Strength of the Cryptosystem
      3. Services of Cryptosystems
      4. One-Time Pad
      5. Running and Concealment Ciphers
      6. Steganography
    13. Types of Ciphers
      1. Substitution Ciphers
      2. Transposition Ciphers
    14. Methods of Encryption
      1. Symmetric vs. Asymmetric Algorithms
      2. Symmetric Cryptography
      3. Block and Stream Ciphers
      4. Hybrid Encryption Methods
    15. Types of Symmetric Systems
      1. Data Encryption Standard
      2. Triple-DES
      3. Advanced Encryption Standard
      4. International Data Encryption Algorithm
      5. Blowfish
      6. RC4
      7. RC5
      8. RC6
    16. Types of Asymmetric Systems
      1. Diffie-Hellman Algorithm
      2. RSA
      3. El Gamal
      4. Elliptic Curve Cryptosystems
      5. Knapsack
      6. Zero Knowledge Proof
    17. Message Integrity
      1. The One-Way Hash
      2. Various Hashing Algorithms
      3. MD4
      4. MD5
      5. SHA
      6. Attacks Against One-Way Hash Functions
      7. Digital Signatures
      8. Digital Signature Standard
    18. Public Key Infrastructure
      1. Certificate Authorities
      2. Certificates
      3. The Registration Authority
      4. PKI Steps
    19. Key Management
      1. Key Management Principles
      2. Rules for Keys and Key Management
    20. Trusted Platform Module
      1. TPM Uses
    21. Attacks on Cryptography
      1. Ciphertext-Only Attacks
      2. Known-Plaintext Attacks
      3. Chosen-Plaintext Attacks
      4. Chosen-Ciphertext Attacks
      5. Differential Cryptanalysis
      6. Linear Cryptanalysis
      7. Side-Channel Attacks
      8. Replay Attacks
      9. Algebraic Attacks
      10. Analytic Attacks
      11. Statistical Attacks
      12. Social Engineering Attacks
      13. Meet-in-the-Middle Attacks
    22. Site and Facility Security
    23. The Site Planning Process
      1. Crime Prevention Through Environmental Design
      2. Designing a Physical Security Program
    24. Protecting Assets
      1. Protecting Mobile Devices
      2. Using Safes
    25. Internal Support Systems
      1. Electric Power
      2. Environmental Issues
      3. Fire Prevention, Detection, and Suppression
    26. Summary
    27. Quick Tips
      1. Questions
      2. Answers
  15. Chapter 4 Communication and Network Security
    1. Telecommunications
    2. Open Systems Interconnection Reference Model
      1. Protocol
      2. Application Layer
      3. Presentation Layer
      4. Session Layer
      5. Transport Layer
      6. Network Layer
      7. Data Link Layer
      8. Physical Layer
      9. Functions and Protocols in the OSI Model
      10. Tying the Layers Together
      11. Multilayer Protocols
    3. TCP/IP Model
      1. TCP
      2. IP Addressing
      3. IPv6
      4. Layer 2 Security Standards
      5. Converged Protocols
    4. Types of Transmission
      1. Analog and Digital
      2. Asynchronous and Synchronous
      3. Broadband and Baseband
    5. Cabling
      1. Coaxial Cable
      2. Twisted-Pair Cable
      3. Fiber-Optic Cable
      4. Cabling Problems
    6. Networking Foundations
      1. Network Topology
      2. Media Access Technologies
      3. Transmission Methods
      4. Network Protocols and Services
      5. Domain Name Service
      6. E-mail Services
      7. Network Address Translation
      8. Routing Protocols
    7. Networking Devices
      1. Repeaters
      2. Bridges
      3. Routers
      4. Switches
      5. Gateways
      6. PBXs
      7. Firewalls
      8. Proxy Servers
      9. Honeypot
      10. Unified Threat Management
      11. Content Distribution Networks
      12. Software Defined Networking
    8. Intranets and Extranets
    9. Metropolitan Area Networks
      1. Metro Ethernet
    10. Wide Area Networks
      1. Telecommunications Evolution
      2. Dedicated Links
      3. WAN Technologies
    11. Remote Connectivity
      1. Dial-up Connections
      2. ISDN
      3. DSL
      4. Cable Modems
      5. VPN
      6. Authentication Protocols
    12. Wireless Networks
      1. Wireless Communications Techniques
      2. WLAN Components
      3. Evolution of WLAN Security
      4. Wireless Standards
      5. Best Practices for Securing WLANs
      6. Satellites
      7. Mobile Wireless Communication
    13. Network Encryption
      1. Link Encryption vs. End-to-End Encryption
      2. E-mail Encryption Standards
      3. Internet Security
    14. Network Attacks
      1. Denial of Service
      2. Sniffing
      3. DNS Hijacking
      4. Drive-by Download
    15. Summary
    16. Quick Tips
      1. Questions
      2. Answers
  16. Chapter 5 Identity and Access Management
    1. Security Principles
      1. Availability
      2. Integrity
      3. Confidentiality
    2. Identification, Authentication, Authorization, and Accountability
      1. Identification and Authentication
      2. Authentication
      3. Authorization
      4. Federation
      5. Identity as a Service
      6. Integrating Identity Services
    3. Access Control Models
      1. Discretionary Access Control
      2. Mandatory Access Control
      3. Role-Based Access Control
      4. Rule-Based Access Control
    4. Access Control Techniques and Technologies
      1. Constrained User Interfaces
      2. Access Control Matrix
      3. Content-Dependent Access Control
      4. Context-Dependent Access Control
    5. Access Control Administration
      1. Centralized Access Control Administration
      2. Decentralized Access Control Administration
    6. Access Control Methods
      1. Access Control Layers
      2. Administrative Controls
      3. Physical Controls
      4. Technical Controls
    7. Accountability
      1. Review of Audit Information
      2. Protecting Audit Data and Log Information
      3. Keystroke Monitoring
    8. Access Control Practices
      1. Unauthorized Disclosure of Information
    9. Access Control Monitoring
      1. Intrusion Detection Systems
      2. Intrusion Prevention Systems
    10. Threats to Access Control
      1. Dictionary Attack
      2. Brute-Force Attacks
      3. Spoofing at Logon
      4. Phishing and Pharming
    11. Summary
    12. Quick Tips
      1. Questions
      2. Answers
  17. Chapter 6 Security Assessment and Testing
    1. Audit Strategies
      1. Internal Audits
      2. Third-Party Audits
    2. Auditing Technical Controls
      1. Vulnerability Testing
      2. Penetration Testing
      3. War Dialing
      4. Other Vulnerability Types
      5. Postmortem
      6. Log Reviews
      7. Synthetic Transactions
      8. Misuse Case Testing
      9. Code Reviews
      10. Interface Testing
    3. Auditing Administrative Controls
      1. Account Management
      2. Backup Verification
      3. Disaster Recovery and Business Continuity
      4. Security Training and Security Awareness Training
      5. Key Performance and Risk Indicators
    4. Reporting
      1. Technical Reporting
      2. Executive Summaries
    5. Management Review
      1. Before the Management Review
      2. Reviewing Inputs
      3. Management Actions
    6. Summary
    7. Quick Tips
      1. Questions
      2. Answers
  18. Chapter 7 Security Operations
    1. The Role of the Operations Department
    2. Administrative Management
      1. Security and Network Personnel
      2. Accountability
      3. Clipping Levels
    3. Assurance Levels
    4. Operational Responsibilities
      1. Unusual or Unexplained Occurrences
      2. Deviations from Standards
      3. Unscheduled Initial Program Loads (aka Rebooting)
    5. Configuration Management
      1. Trusted Recovery
      2. Input and Output Controls
      3. System Hardening
      4. Remote Access Security
    6. Physical Security
      1. Facility Access Control
      2. Personnel Access Controls
      3. External Boundary Protection Mechanisms
      4. Intrusion Detection Systems
      5. Patrol Force and Guards
      6. Dogs
      7. Auditing Physical Access
    7. Secure Resource Provisioning
      1. Asset Inventory
      2. Configuration Management
      3. Provisioning Cloud Assets
    8. Network and Resource Availability
      1. Mean Time Between Failures
      2. Mean Time to Repair
      3. Single Points of Failure
      4. Backups
      5. Contingency Planning
    9. Preventative Measures
      1. Firewalls
      2. Intrusion Detection and Prevention Systems
      3. Antimalware
      4. Patch Management
      5. Honeypots
    10. The Incident Management Process
      1. Detection
      2. Response
      3. Mitigation
      4. Reporting
      5. Recovery
      6. Remediation
    11. Disaster Recovery
      1. Business Process Recovery
      2. Facility Recovery
      3. Supply and Technology Recovery
      4. Choosing a Software Backup Facility
      5. End-User Environment
      6. Data Backup Alternatives
      7. Electronic Backup Solutions
      8. High Availability
    12. Insurance
    13. Recovery and Restoration
      1. Developing Goals for the Plans
      2. Implementing Strategies
    14. Investigations
      1. Computer Forensics and Proper Collection of Evidence
      2. Motive, Opportunity, and Means
      3. Computer Criminal Behavior
      4. Incident Investigators
      5. The Forensic Investigation Process
      6. What Is Admissible in Court?
      7. Surveillance, Search, and Seizure
      8. Interviewing Suspects
    15. Liability and Its Ramifications
      1. Liability Scenarios
      2. Third-Party Risk
      3. Contractual Agreements
      4. Procurement and Vendor Processes
    16. Compliance
    17. Personal Safety Concerns
    18. Summary
    19. Quick Tips
      1. Questions
      2. Answers
  19. Chapter 8 Software Development Security
    1. Building Good Code
    2. Where Do We Place Security?
      1. Different Environments Demand Different Security
      2. Environment vs. Application
      3. Functionality vs. Security
      4. Implementation and Default Issues
    3. Software Development Life Cycle
      1. Project Management
      2. Requirements Gathering Phase
      3. Design Phase
      4. Development Phase
      5. Testing/Validation Phase
      6. Release/Maintenance Phase
    4. Secure Software Development Best Practices
    5. Software Development Models
      1. Build and Fix Model
      2. Waterfall Model
      3. V-Shaped Model (V-Model)
      4. Prototyping
      5. Incremental Model
      6. Spiral Model
      7. Rapid Application Development
      8. Agile Models
    6. Integrated Product Team
      1. DevOps
    7. Capability Maturity Model Integration
    8. Change Control
      1. Software Configuration Management
      2. Security of Code Repositories
    9. Programming Languages and Concepts
      1. Assemblers, Compilers, Interpreters
      2. Object-Oriented Concepts
      3. Other Software Development Concepts
      4. Application Programming Interfaces
    10. Distributed Computing
      1. Distributed Computing Environment
      2. CORBA and ORBs
      3. COM and DCOM
      4. Java Platform, Enterprise Edition
      5. Service-Oriented Architecture
    11. Mobile Code
      1. Java Applets
      2. ActiveX Controls
    12. Web Security
      1. Specific Threats for Web Environments
      2. Web Application Security Principles
    13. Database Management
      1. Database Management Software
      2. Database Models
      3. Database Programming Interfaces
      4. Relational Database Components
      5. Integrity
      6. Database Security Issues
      7. Data Warehousing and Data Mining
    14. Malicious Software (Malware)
      1. Viruses
      2. Worms
      3. Rootkit
      4. Spyware and Adware
      5. Botnets
      6. Logic Bombs
      7. Trojan Horses
      8. Antimalware Software
      9. Spam Detection
      10. Antimalware Programs
    15. Assessing the Security of Acquired Software
    16. Summary
    17. Quick Tips
      1. Questions
      2. Answers
  20. Appendix A Comprehensive Questions
    1. Answers
  21. Appendix B About the Download
    1. System Requirements
    2. Total Tester Premium Practice Exam Software
      1. Downloading Total Tester
      2. Installing and Running Total Tester
    3. Hotspot and Drag-and-Drop Questions
      1. McGraw-Hill Professional Media Center Download
    4. Technical Support
      1. Total Seminars Technical Support
      2. McGraw-Hill Education Content Support
  22. Glossary
  23. Index