CISSP® Exam Cram, Fourth Edition

Book Description

This is the eBook version of the print title. Note that the eBook does not provide access to the practice test software that accompanies the print book. Access to the digital edition of the Cram Sheet is available through product registration at Pearson IT Certification; or see the instructions in the back pages of your eBook.

CISSP Exam Cram, Fourth Edition, is the perfect study guide to help you pass the tough new electronic version of the CISSP exam. It provides coverage and practice questions for every exam topic, including substantial new coverage of encryption, cloud security, information lifecycles, security management/governance, and more. The book contains an extensive set of preparation tools, such as quizzes, Exam Alerts, and two practice exams.

Covers the critical information you’ll need to pass the CISSP exam!

  • Enforce effective physical security throughout your organization

  • Apply reliable authentication, authorization, and accountability

  • Design security architectures that can be verified, certified, and accredited

  • Understand the newest attacks and countermeasures

  • Use encryption to safeguard data, systems, and networks

  • Systematically plan and test business continuity/disaster recovery programs

  • Protect today’s cloud, web, and database applications

  • Address global compliance issues, from privacy to computer forensics

  • Develop software that is secure throughout its entire lifecycle

  • Implement effective security governance and risk management

  • Use best-practice policies, procedures, guidelines, and controls

  • Ensure strong operational controls, from background checks to security audits

Table of Contents

    1. About This E-Book
    2. Title Page
    3. Copyright Page
    4. Contents at a Glance
    5. Table of Contents
    6. About the Author
    7. About the Technical Reviewers
    8. Dedication
    9. Acknowledgments
    10. We Want to Hear from You!
    11. Reader Services
    12. Introduction
      1. How to Prepare for the Exam
        1. Practice Tests
      2. Taking a Certification Exam
        1. Arriving at the Exam Location
        2. In the Testing Center
        3. After the Exam
        4. Retaking a Test
        5. Tracking Your CISSP Status
      3. About This Book
        1. The Chapter Elements
        2. Other Book Elements
        3. Chapter Contents
      4. Companion Website
      5. Pearson IT Certification Practice Test Engine and Questions
        1. Install the Software
        2. Activate and Download the Practice Exam
        3. Activating Other Exams
      6. Contacting the Author
      7. Self-Assessment
        1. CISSPs in the Real World
        2. The Ideal CISSP Candidate
        3. Put Yourself to the Test
        4. After the Exam
    13. Chapter 1. The CISSP Certification Exam
      1. Introduction
      2. Assessing Exam Readiness
      3. Taking the Exam
      4. Examples of CISSP Test Questions
        1. Multiple-Choice Question Format
        2. Drag and Drop Question Format
        3. Hotspot Question Format
      5. Answer to Multiple-Choice Question
      6. Answer to Drag and Drop Question
      7. Answer to Hotspot Question
      8. Exam Strategy
      9. Question-Handling Strategies
      10. Mastering the Inner Game
      11. Need to Know More?
    14. Chapter 2. Logical Asset Security
      1. Introduction
      2. Basic Security Principles
      3. Data Management: Determine and Maintain Ownership
        1. Data Governance Policy
        2. Roles and Responsibility
        3. Data Ownership
        4. Data Custodians
        5. Data Documentation and Organization
        6. Data Warehousing
        7. Data Mining
        8. Knowledge Management
      4. Data Standards
        1. Data Lifecycle Control
        2. Data Audit
        3. Data Storage and Archiving
      5. Data Security, Protection, Sharing, and Dissemination
        1. Privacy Impact Assessment
        2. Information Handling Requirements
        3. Data Retention and Destruction
        4. Data Remanence and Decommissioning
      6. Classifying Information and Supporting Assets
        1. Data Classification
      7. Asset Management and Governance
        1. Software Licensing
        2. Equipment Lifecycle
      8. Determine Data Security Controls
        1. Data at Rest
        2. Data in Transit
        3. Endpoint Security
        4. Baselines
      9. Laws, Standards, Mandates and Resources
        1. United States Resources
        2. International Resources
      10. Exam Prep Questions
      11. Answers to Exam Prep Questions
      12. Need to Know More?
    15. Chapter 3. Physical Asset Security
      1. Introduction
      2. Physical Security Risks
        1. Natural Disasters
        2. Man-Made Threats
        3. Technical Problems
      3. Facility Concerns and Requirements
        1. CPTED
        2. Area Concerns
        3. Location
        4. Construction
        5. Doors, Walls, Windows, and Ceilings
        6. Asset Placement
        7. Physical Port Controls
      4. Perimeter Controls
        1. Fences
        2. Gates
        3. Bollards
        4. CCTV Cameras
        5. Lighting
        6. Guards and Dogs
        7. Locks
      5. Employee Access Control
        1. Badges, Tokens, and Cards
        2. Biometric Access Controls
      6. Environmental Controls
        1. Heating, Ventilating, and Air Conditioning
      7. Electrical Power
        1. Uninterruptible Power Supply
      8. Equipment Life Cycle
      9. Fire Prevention, Detection, and Suppression
        1. Fire-Detection Equipment
        2. Fire Suppression
      10. Alarm Systems
        1. Intrusion Detection Systems
        2. Monitoring and Detection
      11. Exam Prep Questions
      12. Answers to Exam Prep Questions
      13. Suggested Reading and Resources
    16. Chapter 4. Security and Risk Management
      1. Introduction
      2. Security Governance
        1. Third-Party Governance
        2. Organization Processes
      3. Protection of Intellectual Property
      4. Privacy Laws and Protection of Personal Information
      5. Relevant Laws and Regulations
      6. United States Legal System and Laws
      7. International Legal Systems and Laws
      8. Computer Crime and Hackers
        1. Sexual Harassment
      9. Risk Management Concepts
        1. Risk Management Frameworks
        2. Risk Assessment
      10. Countermeasure Selection
      11. Develop and Implement Security Policy
        1. Security Policy
        2. Standards
        3. Baselines
        4. Guidelines
        5. Procedures
      12. Types of Controls
        1. Administrative Controls
        2. Technical Controls
        3. Physical Controls
        4. Access Control Categories
      13. Implement Personnel Security
        1. New-Hire Agreements and Policies
        2. Separation of Duties
        3. Job Rotation
        4. Least Privilege
        5. Mandatory Vacations
        6. Termination
      14. Security Education, Training, and Awareness
        1. Security Awareness
        2. Social Engineering
      15. Professional Ethics Training and Awareness
        1. ISC2 Code of Ethics
        2. Computer Ethics Institute
        3. Internet Architecture Board
        4. NIST SP 800-14
        5. Common Computer Ethics Fallacies
        6. Regulatory Requirements for Ethics Programs
      16. Exam Prep Questions
      17. Answers to Exam Prep Questions
      18. Need to Know More?
    17. Chapter 5. Security Engineering
      1. Introduction
      2. Fundamental Concepts of Security Models
        1. Central Processing Unit
        2. Storage Media
        3. I/O Bus Standards
        4. Virtual Memory and Virtual Machines
        5. Computer Configurations
      3. Security Architecture
        1. Protection Rings
        2. Trusted Computer Base
        3. Open and Closed Systems
        4. Security Modes of Operation
        5. Operating States
        6. Recovery Procedures
        7. Process Isolation
      4. Common Formal Security Models
        1. State Machine Model
        2. Information Flow Model
        3. Noninterference Model
        4. Confidentiality
        5. Integrity
        6. Other Models
      5. Product Security Evaluation Models
        1. The Rainbow Series
        2. Information Technology Security Evaluation Criteria
        3. Common Criteria
      6. System Validation
        1. Certification and Accreditation
      7. Security Guidelines and Governance
        1. Enterprise Architecture
        2. Regulatory Compliance and Process Control
      8. Vulnerabilities of Security Architectures
        1. Buffer Overflow
        2. Back Doors
        3. State Attacks
        4. Covert Channels
        5. Incremental Attacks
        6. Emanations
        7. Web-based Vulnerabilities
        8. Mobile System Vulnerabilities
      9. Exam Prep Questions
      10. Answers to Exam Prep Questions
      11. Need to Know More?
    18. Chapter 6. The Application and Use of Cryptography
      1. Introduction
      2. Cryptographic Basics
      3. History of Encryption
      4. Steganography
        1. Steganography Operation
        2. Digital Watermark
      5. Algorithms
      6. Cipher Types and Methods
      7. Symmetric Encryption
        1. Data Encryption Standard
        2. Triple-DES
        3. Advanced Encryption Standard (AES)
        4. International Data Encryption Algorithm
        5. Rivest Cipher Algorithms
      8. Asymmetric Encryption
        1. Diffie-Hellman
        2. RSA
        3. El Gamal
        4. Elliptical Curve Cryptosystem
        5. Merkle-Hellman Knapsack
        6. Review of Symmetric and Asymmetric Cryptographic Systems
      9. Hybrid Encryption
      10. Integrity and Authentication
        1. Hashing and Message Digests
        2. Digital Signatures
        3. Cryptographic System Review
      11. Public Key Infrastructure
        1. Certificate Authority
        2. Registration Authority
        3. Certificate Revocation List
        4. Digital Certificates
        5. The Client’s Role in PKI
      12. Email Protection Mechanisms
        1. Pretty Good Privacy
        2. Other Email Security Applications
      13. Securing TCP/IP with Cryptographic Solutions
        1. Application/Process Layer Controls
        2. Host to Host Layer Controls
        3. Internet Layer Controls
        4. Network Access Layer Controls
        5. Link and End-to-End Encryption
      14. Cryptographic Attacks
      15. Exam Prep Questions
      16. Answers to Exam Prep Questions
      17. Need to Know More?
    19. Chapter 7. Communications and Network Security
      1. Introduction
      2. Secure Network Design
      3. Network Models and Standards
        1. OSI Model
        2. Encapsulation/De-encapsulation
      4. TCP/IP
        1. Network Access Layer
        2. Internet Layer
        3. Host-to-Host (Transport) Layer
        4. Application Layer
      5. LANs and Their Components
        1. LAN Communication Protocols
        2. Network Topologies
        3. LAN Cabling
        4. Network Types
        5. Network Storage
      6. Communication Standards
      7. Network Equipment
        1. Repeaters
        2. Hubs
        3. Bridges
        4. Switches
        5. Mirrored Ports and Network Taps
        6. VLANs
        7. Routers
        8. Gateways
      8. Routing
      9. WANs and Their Components
        1. Packet Switching
        2. Circuit Switching
      10. Cloud Computing
      11. Voice Communications and Wireless Communications
        1. Voice over IP
        2. Cell Phones
        3. 802.11 Wireless Networks and Standards
      12. Network Access Control Devices
        1. Firewalls
        2. Demilitarized Zone
        3. Firewall Design
      13. Remote Access
        1. Point-to-Point Protocol
        2. Remote Authentication Dial-in User Service
        3. Terminal Access Controller Access Control System
        4. IPsec
      14. Message Privacy and Multimedia Collaboration
      15. Exam Prep Questions
      16. Answers to Exam Prep Questions
      17. Need to Know More?
    20. Chapter 8. Identity and Access Management
      1. Introduction
      2. Identification, Authentication, and Authorization of People and Devices
        1. Authentication Techniques
        2. Identity Management Implementation
      3. Single Sign-On
        1. Kerberos
        2. Sesame
      4. Authorization and Access Control Techniques
        1. Discretionary Access Control
        2. Mandatory Access Control
        3. Role-Based Access Control
        4. Other Types of Access Controls
      5. Access Control Models
        1. Centralized Access Control
        2. Decentralized Access Control
      6. Audit and Monitoring
        1. Monitoring Access and Usage
        2. Intrusion Detection Systems
        3. Intrusion Prevention Systems
        4. Network Access Control
        5. Keystroke Monitoring
      7. Exam Prep Questions
      8. Answers to Exam Prep Questions
      9. Suggested Reading and Resources
    21. Chapter 9. Security Assessment and Testing
      1. Introduction
      2. Security Assessments and Penetration Test Strategies
        1. Audits
        2. Vulnerability Assessments
        3. Penetration Testing
      3. Test Techniques and Methods
      4. Security Threats and Vulnerabilities
        1. Threat Actors
        2. Attack Methodologies
      5. Network Security Threats and Attack Techniques
        1. Session Hijacking
        2. Sniffing
        3. Wiretapping
        4. DoS Attacks
        5. Distributed Denial of Service
        6. Botnets
        7. Other Network Attack Techniques
      6. Access Control Threats and Attack Techniques
        1. Unauthorized Access
        2. Access Aggregation
        3. Password Attacks
        4. Spoofing
        5. Eavesdropping and Shoulder Surfing
        6. Identity Theft
      7. Social-based Threats and Attack Techniques
      8. Malicious Software Threats and Attack Techniques
        1. Viruses
        2. Worms
        3. Logic Bombs
        4. Backdoors and Trojans
        5. Rootkits
        6. Crimeware Kits
        7. Advanced Persistent Threats
        8. Ransomware
      9. How Computer Crime Has Changed
      10. Well-Known Computer Crimes and Criminals
      11. Investigating Computer Crime
        1. Computer Crime Jurisdiction
        2. Incident Response
      12. Forensics
        1. Standardization of Forensic Procedures
        2. Computer Forensics
      13. Investigations
        1. Search, Seizure, and Surveillance
        2. Interviews and Interrogations
        3. Honeypots and Honeynets
        4. Evidence Types
      14. Trial
        1. The Evidence Life-Cycle
      15. Exam Prep Questions
      16. Answers to Exam Prep Questions
      17. Need to Know More?
    22. Chapter 10. Security Operations
      1. Introduction
      2. Foundational Security Operations Concepts
        1. Managing Users and Accounts
        2. Privileged Entities
        3. Controlling Access
        4. Clipping Levels
      3. Resource Protection
        1. Due Care and Due Diligence
        2. Asset Management
        3. System Hardening
        4. Change and Configuration Management
        5. Trusted Recovery
        6. Remote Access
        7. Media Management, Retention, and Destruction
      4. Telecommunication Controls
        1. Cloud Computing
        2. Email
        3. Whitelisting, Blacklisting, and Graylisting
        4. Fax
        5. PBX
        6. Anti-malware
        7. Honeypots and Honeynets
        8. Patch Management
      5. System Resilience, Fault Tolerance, and Recovery Controls
        1. Backups
        2. Fault Tolerance
        3. RAID
        4. Recovery Controls
      6. Monitoring and Auditing Controls
        1. Auditing User Activity
        2. Monitoring Application Transactions
        3. Security Information and Event Management (SIEM)
        4. Network Access Control
        5. Keystroke Monitoring
        6. Emanation Security
        7. Controlling Physical Access
      7. Intrusion Detection Systems
        1. Network-Based Intrusion Detection Systems
        2. Host-Based Intrusion-Detection Systems
        3. Signature-Based, Anomaly-Based, and Rule-Based IDS Engines
        4. Intrusion Prevention Systems
      8. Responding to Operational Security Incidents
        1. Incident Response
      9. The Disaster Recovery Life Cycle
        1. Teams and Responsibilities
      10. Exam Prep Questions
      11. Answers to Exam Prep Questions
      12. Need to Know More?
    23. Chapter 11. Software Development Security
      1. Introduction
      2. Software Development
        1. Avoiding System Failure
        2. The System Development Lifecycle
      3. Development Methods
        1. The Waterfall Model
        2. The Spiral Model
        3. Joint Application Development
        4. Rapid Application Development
        5. Incremental Development
        6. Prototyping
        7. Modified Prototype Model (MPM)
        8. Computer-Aided Software Engineering
        9. Agile Development Methods
        10. Capability Maturity Model
        11. Scheduling
      4. Change Management
      5. Programming Languages
        1. Object-Oriented Programming
        2. CORBA
      6. Database Management
        1. Database Terms
        2. Integrity
        3. Transaction Processing
        4. Artificial Intelligence and Expert Systems
      7. Security of the Software Environment
        1. Mobile Code
        2. Buffer Overflow
        3. Financial Attacks
        4. Change Detection
        5. Viruses
        6. Worms
      8. Exam Prep Questions
      9. Answers to Exam Prep Questions
      10. Need to Know More?
    24. Chapter 12. Business Continuity Planning
      1. Introduction
      2. Threats to Business Operations
      3. Business Continuity Planning (BCP)
        1. Project Management and Initiation
        2. Business Impact Analysis
        3. Recovery Strategy
        4. Plan Design and Development
        5. Implementation
        6. Testing
        7. Monitoring and Maintenance
      4. Exam Prep Questions
      5. Answers to Exam Prep Questions
      6. Need to Know More?
    25. Practice Exam I
      1. Practice Exam Questions
    26. Answers to Practice Exam I
    27. Practice Exam II
      1. Practice Exam Questions
    28. Answers to Practice Exam II
    29. Glossary
    30. Index
    31. Exam Cram The CISSP Cram Sheet
      1. Logical and Physical Asset Security
      2. Security and Risk Management
      3. Security Engineering
      4. The Application and Use of Cryptography
      5. Telecommunications and Communications and Network Security
      6. Identity and Access Management
      7. Security Assessment and Testing
      8. Security Assessment
      9. Software Development Security
      10. Business Continuity Planning
    32. Where are the companion content files?
    33. Code Snippets