You are previewing CISSP in 21 Days - Second Edition.
O'Reilly logo
CISSP in 21 Days - Second Edition

Book Description

Boost your confidence and get the competitive edge you need to crack the exam in just 21 days!

About This Book

  • Day-by-day plan to study and assimilate core concepts from CISSP CBK

  • Revise and take a mock test at the end of every four chapters

  • A systematic study and revision of myriad concepts to help you crack the CISSP examination

  • Who This Book Is For

    If you are a Networking professional aspiring to take the CISSP examination and obtain the coveted CISSP certification (considered to be the Gold Standard in Information Security personal certification), then this is the book you want.

    This book assumes that you already have sufficient knowledge in all 10 domains of the CISSP CBK by way of work experience and knowledge gained from other study books.

    What You Will Learn

  • Review Exam Cram and Practice review questions to reinforce the required concepts

  • Follow the day–by-day plan to revise important concepts a month before the CISSP® exam

  • Boost your time management for the exam by attempting the mock question paper

  • Develop a structured study plan for all 10 CISSP® domains

  • Build your understanding of myriad concepts in the Information Security domain

  • Practice the full-blown mock test to evaluate your knowledge and exam preparation

  • In Detail

    Certified Information Systems Security Professional (CISSP) is an internationally recognized and coveted qualification. Success in this respected exam opens the door to your dream job as a security expert with an eye-catching salary. But passing the final exam is challenging. Every year a lot of candidates do not prepare sufficiently for the examination, and fail at the final stage. This happens when they cover everything but do not revise properly and hence lack confidence.

    This simple yet informative book will take you through the final weeks before the exam with a day-by-day plan covering all of the exam topics. It will build your confidence and enable you to crack the Gold Standard exam, knowing that you have done all you can to prepare for the big day.

    This book provides concise explanations of important concepts in all 10 domains of the CISSP Common Body of Knowledge (CBK). Starting with Confidentiality, Integrity, and Availability, you will focus on classifying information and supporting assets. You will understand data handling requirements for sensitive information before gradually moving on to using secure design principles while implementing and managing engineering processes. You will understand the application of cryptography in communication security and prevent or mitigate strategies for network attacks. You will also learn security control requirements and how to assess their effectiveness. Finally, you will explore advanced topics such as automated and manual test result analysis and reporting methods.

    A complete mock test is included at the end to evaluate whether you're ready for the exam. This book is not a replacement for full study guides; instead, it builds on and reemphasizes concepts learned from them.

    Style and approach

    There are many overlapping concepts that are applicable to more than one security domain in the CISSP exam. Hence, the eight security domains are aligned in a logical order so as to cover the concepts in the most appropriate sequence in this guide. Each chapter provides an illustration in the form of a flow diagram at the start to supply an overall view of the concepts covered in that chapter. This will facilitate a bird's-eye view of the chapter contents and the core security concepts covered. You can refer to this book throughout while preparing for the test or most importantly systematically revise the eight domains on a day-by-day basis up to one month before the exam. Hence the chapters are divided into 21 convenient days.

    Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the code file.

    Table of Contents

    1. CISSP in 21 Days Second Edition
      1. CISSP in 21 Days Second Edition
      2. Credits
      3. About the Author
      4. About the Reviewer
      5. www.PacktPub.com
        1. Why subscribe?
        2. Free access for Packt account holders
      6. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the color images of this book 
          2. Errata
          3. Piracy
          4. Questions
      7. 1. Day 1 – Security and Risk Management - Security, Compliance, and Policies
        1. Overview of security, compliance, and policies
          1. Asset
          2. Asset protection
        2. Confidentiality, Integrity, and Availability (CIA)
          1. Confidentiality
          2. Integrity
          3. Availability
        3. Security governance
          1. Strategy, goals, mission, and objectives
          2. Organizational processes
          3. Security roles and responsibilities
          4. Control frameworks
            1. Management controls
            2. Administrative controls
            3. Technical controls
          5. Due diligence and due care
        4. Compliance
          1. Legislative and regulatory compliance
          2. Privacy requirements in compliance
          3. Licensing and intellectual property
        5. Legal and regulatory issues
          1. Computer crimes
            1. Fraud
            2. Theft
            3. Malware/malicious code
            4. Cyber crime
          2. Importing and exporting controls
          3. Transborder data flow
          4. Data breaches
        6. Professional ethics
          1. Codes of ethics
          2. (ISC)2 code of professional ethics
        7. Security policies, standards, procedures, and guidelines
        8. Personnel security policies
          1. Employment candidate screening
          2. Employment agreement and policies
          3. Employment termination processes
          4. Vendor, consultant, and contractor controls
          5. Compliance and privacy
        9. Summary
        10. Sample questions
      8. 2. Day 2 – Security and Risk Management - Risk Management, Business Continuity, and Security Education
        1. Overview of risk management, business continuity, and security education
        2. Risk management
          1. Threats, vulnerabilities, and attacks
          2. Threat risk modeling
          3. Threat and vulnerability analysis
          4. Attack analysis
          5. Risk analysis
            1. Quantitative risk analysis
            2. Qualitative risk analysis
          6. Risk treatment
          7. Business continuity management
          8. The Business Continuity Planning (BCP) process
          9. BCP best practices
        3. Security risk considerations in acquisitions, strategy, and practice
        4. Information security education, training, and awareness
        5. Summary
        6. Sample questions
      9. 3. Day 3 – Asset Security - Information and Asset Classification
        1. Overview of asset security - information and asset classification
        2. Asset classification and control
          1. Classification types in government
          2. The United States information classification
          3. Classification types in corporations
        3. Data privacy
          1. Data owners
          2. Data processors
          3. Data remanence
          4. Data collection limitations
        4. Data retention
          1. Data in media
          2. Data in hardware
          3. Data with personnel
        5. Summary
        6. Sample questions
      10. 4. Day 4 – Asset Security - Data Security Controls and Handling
        1. Overview of asset security - data security controls and handling
        2. Data security controls
          1. Data security requirements
          2. Payment Card Industry Data Security Standard (PCI DSS)
            1. Sarbanes-Oxley Act (SOX)
            2. Gramm-Leach-Bliley Act (GLBA)
            3. EU Data Protection Act (DPA)
        3. Data Loss Prevention (DLP)
          1. Data in motion
          2. Data at rest
          3. Data in use
        4. Data Loss Prevention strategies
        5. DLP controls
        6. Cryptographic methods to secure data
          1. Encryption
          2. Hashing
          3. Digital signatures
        7. Data handling requirements
          1. Handling sensitive information
        8. Summary
        9. Sample questions
      11. 5. Day 5 – Exam Cram and Practice Questions
        1. An overview of exam cram and practice questions
          1. CISSP CBK domain #1 – security and risk management
          2. CISSP CBK domain #2 – asset security
        2. Sample questions
        3. References and further reading
        4. Summary
      12. 6. Day 6 – Security Engineering - Security Design, Practices, Models, and Vulnerability Mitigation
        1. An overview of security design, practices, models, and vulnerability mitigation
        2. Secure design principles
          1. The computer architecture
          2. Computer system
          3. Trusted computing
        3. Assurance
          1. Common Criteria
        4. Certification and accreditation
          1. DITSCAP
          2. NIACAP
          3. DIACAP
          4. Security engineering practices
        5. Information security models
          1. Take-grant model
          2. Bell-LaPadula model
          3. Biba model
          4. Clark-Wilson model
        6. Vulnerability assessment and mitigation
          1. Vulnerability assessment
          2. Penetration testing
          3. Vulnerability assessment and the penetration testing process
          4. CVE and CVSS
        7. Summary
        8. Sample questions
      13. 7. Day 7 – Security Engineering - Cryptography
        1. An overview of cryptography
        2. The fundamentals of cryptography
          1. The methods of encryption
            1. The cryptographic process
            2. Cryptographic algorithms
            3. The cryptographic method
          2. Types of encryption
            1. Symmetric key encryption
            2. The operation modes of block ciphers
          3. Asymmetric key encryption
            1. Hashing
          4. The key length and security
          5. The summary of encryption types
        3. Applications and the use of cryptography
        4. Public Key Infrastructure (PKI)
          1. Secure messaging
          2. Message digest
          3. Digital signature
          4. The digital certificate
        5. Key management techniques
          1. Key management procedures
          2. Type of keys
          3. Key management best practices
          4. Key states
          5. Key management phases
        6. Cryptanalytic attacks
          1. The methods of cryptanalytic attacks
        7. Cryptographic standards
          1. Wireless cryptographic standards
          2. The Federal Information Processing Standard
        8. Summary
        9. Sample questions
      14. 8. Day 8 – Communication and Network Security - Network Security
        1. An overview of communication and network security
        2. Network architecture, protocols, and technologies
          1. Layered architecture
        3. Open System Interconnect (OSI) model
          1. Transmission Control Protocol / Internet Protocol (TCP/IP)
        4. OSI layers and security
          1. Application layer protocols and security
            1. Domain Name System (DNS)
              1. Threats, attacks, and countermeasures
            2. Dynamic Host Configuration Protocol (DHCP)
              1. Threats, vulnerabilities, attacks, and countermeasures
            3. Hyper Text Transfer Protocol (HTTP)
              1. Threats, vulnerabilities, attacks, and countermeasures
            4. FTP and TELNET
              1. Threats, vulnerabilities, attacks, and countermeasures
            5. Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP)
              1. Threats, vulnerabilities, attacks, and countermeasures
            6. Simple Network Management Protocol (SNMP)
              1. Threats, vulnerabilities, attacks, and countermeasures
          2. Presentation layer protocols and security
            1. Transport Layer Security (TLS) and Secure Sockets Layer (SSL)
              1. Threats, vulnerabilities, attacks, and countermeasures
            2. Session layer protocols and security
              1. Threats, vulnerabilities, attacks, and countermeasures
        5. Summary
        6. Sample questions
      15. 9. Day 9 – Communication and Network Security - Communication Security
        1. An overview of communication security
          1. Transport layer protocols and security
            1. Transmission Control Protocol (TCP)
              1. Threats, vulnerabilities, attacks, and countermeasures
            2. User Datagram Protocol (UDP)
              1. Threats, vulnerabilities, attacks, and countermeasures
            3. Internet Control Message Protocol (ICMP)
              1. Threats, vulnerabilities, attacks, and countermeasures
            4. Other protocols in the transport layer
          2. The network layer protocols and security
            1. Internet Protocol (IP)
              1. Threats, vulnerabilities, attacks, and countermeasures
            2. IPsec protocols
              1. Threats, vulnerabilities, attacks, and countermeasures
          3. Data link layer protocols and security
            1. Link layer protocols
            2. Address Resolution Protocol (ARP)
              1. Threats, vulnerabilities, attacks, and countermeasures
            3. Border Gateway Protocol
              1. Threats, vulnerabilities, attacks, and countermeasures
            4. Ethernet
              1. Threats, vulnerabilities, attacks, and countermeasures
          4. The physical layer and security
        2. Security in communication channels
          1. Security requirements in voice, multimedia, remote access, data communications, and virtualized networks
        3. Attacks on communication networks
        4. Preventing or mitigating communication network attacks
          1. Security controls in communication networks
        5. Summary
        6. Sample questions
      16. 10. Day 10 – Exam Cram and Practice Questions
        1. An overview of exam cram and practice questions
        2. The exam cram
          1. CISSP CBK Domain #3 –€“ security engineering
          2. CISSP CBK Domain #4 –€ communication and network security
        3. Sample questions
        4. References and further reading
        5. Summary
      17. 11. Day 11 – Identity and Access Management - Identity Management
        1. An overview of identity and access management
        2. Physical and logical access to assets
        3. Identity management principles and implementation
        4. Identity as a service
          1. Security concerns
        5. Third-party identity services
        6. Summary
        7. Sample questions
      18. 12. Day 12 – Identity and Access Management - Access Management, Provisioning, and Attacks
        1. An overview of access management
        2. Access management concepts, methodologies, and techniques
          1. Basic concepts
          2. Access control models
            1. Discretionary access control
            2. Non-discretionary access control
          3. Authentication and authorization
            1. Authorization
        3. Identity and provisioning life cycle
        4. Access control attacks and countermeasures
          1. Port scanning and compromise
          2. Hijacking
          3. Malicious codes
          4. Password attacks
          5. Vulnerability compromises
        5. Accountability
        6. Summary
        7. Sample questions
      19. 13. Day 13 – Security Assessment and Testing - Designing, Performing Security Assessment, and Tests
        1. An overview of security assessment and testing
        2. Security assessment and test strategies
          1. Designing and validating assessment and testing strategies
        3. Security controls
          1. Conduct security control testing
            1. Vulnerability assessments
            2. Penetration testing
              1. Black box testing
              2. White box testing
              3. Grey box testing
            3. Log reviews
            4. Synthetic transactions
              1. Stress tests
              2. Denial-of-Service tests
              3. Load tests
              4. Concurrency tests
              5. Latency test
            5. Code review and testing
              1. Manual code review
              2. Dynamic code review
              3. Static code review
              4. Fuzz code review
            6. Misuse case testing
            7. Test coverage analysis
            8. Interface testing
              1. The API
              2. The UI
              3. Physical
          2. The effectiveness of controls
        4. Summary
        5. Sample questions
      20. 14. Day 14 – Security Assessment and Testing - Controlling, Analyzing, Auditing, and Reporting
        1. An overview of controlling, analyzing, auditing, and reporting security test data
        2. A collection of security process data
          1. The control of security process data
            1. The protection and control of system test data
            2. Audit logging
            3. System logs
            4. Administrator and operator logs
            5. Fault logging
            6. Key performance and risk indicators
            7. Disaster recovery and business continuity
        3. Analyzing security process data
          1. False positives
          2. False negatives
          3. The effectiveness of a security control
        4. Internal and third-party security audits
          1. Internal audits
          2. Third-party audits
          3. Information system audit controls
        5. Reporting test and audit outputs
        6. Summary
        7. Sample questions
      21. 15. Day 15 – Exam Cram and Practice Questions
        1. An overview of exam cram and practice questions
        2. Exam cram
          1. CISSP CBK Domain #5 – identity and access management
          2. CISSP CBK Domain #6 – security assessment and testing
        3. Mock test
        4. References and further reading
        5. Summary
      22. 16. Day 16 – Security Operations - Foundational Concepts
        1. An overview of operations security
        2. The physical security design
          1. Physical facility
          2. Geographic operating location
          3. Supporting facilities
        3. Physical and operations security controls
          1. Threats, vulnerabilities, and countermeasures for physical and operations security
          2. Common threats
          3. Common vulnerabilities
          4. Designing physical and operations security controls
          5. Perimeter security
          6. Interior security
            1. Unauthorized intrusions
            2. Motion detectors
          7. Fire
            1. Fire classes
            2. Fire detectors
            3. Fire suppression mediums
            4. Water sprinklers
            5. Gas dischargers
          8. Electrical power
        4. Operations/facility security
          1. Auditing
            1. Audit trail
          2. Emergency procedures
            1. Startup and shutdown procedures
            2. Evacuation procedures
            3. Training and awareness
        5. Protecting and securing equipment
          1. Equipment security
          2. Media security
        6. Computer investigations
        7. Summary
        8. Sample questions
      23. 17. Day 17 – Security Operations - Incident Management and Disaster Recovery
        1. Incident management and reporting
          1. The examples of incidents
          2. Incident management objective and goals
          3. Incident management controls
            1. Intrusion detection systems
            2. Vulnerability assessment and penetration testing
            3. Patch management
            4. Configuration management
        2. Business Continuity Planning (BCP)
          1. BCP goals and objectives
          2. BCP process
            1. BCP best practices
        3. Disaster Recovery Planning (DRP)
          1. Goals and objectives
          2. Components of disaster recovery planning
          3. Recovery teams
          4. Recovery sites
          5. Business resumption from alternative sites
            1. A reciprocal agreement
            2. Subscription services
          6. Backup terminologies
          7. Testing procedures
        4. Summary
        5. Sample questions
      24. 18. Day 18 – Software Development Security - Security in Software Development Life Cycle
        1. An overview of software development security
        2. Systems engineering
          1. Initiation phase
          2. Development/acquisition phase
          3. Implementation phase
          4. Operation/maintenance phase
          5. Disposal phase
        3. Software development life cycle
          1. Software development models
            1. Simplistic model
              1. Waterfall model
            2. Complex models
              1. Incremental model
              2. Spiral model
              3. Agile framework
        4. Security in software development
          1. Security controls in software development
            1. Separation of development, test, and operational facilities
            2. Change control processes and procedures
            3. Vendor-supplied software packages
            4. Avoiding covert channels
        5. Summary
        6. Sample questions
      25. 19. Day 19 – Software Development Security - Assessing effectiveness of Software Security
        1. Overview
        2. Security in information technology systems
          1. Object-oriented systems
            1. Object-oriented programming (OOP)
            2. The security in object-oriented software
          2. Artificial Intelligence (AI) systems
          3. Database systems
        3. Threats and vulnerabilities to application systems
          1. Web application security
            1. Common web application vulnerabilities
        4. Security impact analysis
        5. Monitoring and testing activities
        6. Summary
        7. Sample questions
      26. 20. Day 20 – Exam Cram and Practice Questions
        1. Overview of exam cram and practice questions
        2. Exam cram
          1. CISSP CBK Domain #7 –€ security operations
          2. CISSP CBK Domain #8 –€ software development security
        3. References and further reading
        4. Summary
        5. Sample questions
      27. 21. Day 21 – Exam Cram and Mock Test
        1. An overview of the exam cram and mock test
        2. Exam cram
        3. Summary
        4. Mock test
        5. References and further reading