CISSP Rapid Review

Book Description

Assess your readiness for the CISSP Exam—and quickly identify where you need to focus and practice. This practical, streamlined guide provides objective overviews, exam tips, "need-to-know" checklists, review questions, and a list of valuable resources—all designed to help evaluate and reinforce your preparation.

Bolster your exam prep with a Rapid Review of these objectives:

  • Information Security Governance and Risk Management

  • Access Control

  • Cryptography

  • Physical (Environmental) Security

  • Security Architecture and Design

  • Legal, Regulations, Investigations and Compliance

  • Telecommunications and Network Security

  • Business Continuity and Disaster Recovery Planning

  • Software Development Security

  • Security Operations

This book is an ideal complement to the in-depth training of the Microsoft Press 2-in-1 Training Kit for the CISSP Exam and other exam-prep resources.

Table of Contents

    1. Introduction
      1. (ISC)² professional certification program
      2. Acknowledgments
      3. Support & feedback
        1. Errata
        2. We want to hear from you
        3. Stay in touch
        4. Preparing for the Exam
    2. 1. Access Control
      1. Objective 1.1: Control access by applying the following concepts/methodologies/techniques
        1. Exam need to know…
        2. Policies
        3. Types of controls (preventive, detective, corrective, and so on)
        4. Techniques (non-discretionary, discretionary, and mandatory)
        5. Identification and authentication
        6. Decentralized/distributed access control techniques
        7. Authorization mechanisms
        8. Logging and monitoring
        9. Can you answer these questions?
      2. Objective 1.2: Understand access control attacks
        1. Exam need to know…
        2. Threat modeling
        3. Asset valuation
        4. Vulnerability analysis
        5. Access aggregation
        6. Can you answer these questions?
      3. Objective 1.3: Assess effectiveness of access controls
        1. Exam need to know…
        2. User entitlement
        3. Access review and audit
        4. Can you answer these questions?
      4. Objective 1.4: Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)
        1. Exam need to know…
        2. Provisioning
        3. Review
        4. Revocation
        5. Can you answer these questions?
      5. Answers
        1. Objective 1.1: Control access by applying the following concepts/methodologies/techniques
        2. Objective 1.2: Understand access control attacks
        3. Objective 1.3: Assess effectiveness of access controls
        4. Objective 1.4: Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)
    3. 2. Telecommunications and Network Security
      1. Objective 2.1: Understand secure network architecture and design (e.g., IP & non-IP protocols, segmentation)
        1. Exam need to know…
        2. OSI and TCP/IP models
        3. IP networking
        4. Implications of multilayer protocols
        5. Can you answer these questions?
      2. Objective 2.2: Securing network components
        1. Exam need to know…
        2. Hardware (modems, switches, routers, wireless access points)
        3. Transmission media (wired, wireless, fiber)
        4. Network access control devices (firewalls, proxies)
        5. End-point security
        6. Can you answer these questions?
      3. Objective 2.3: Establish secure communication channels (e.g., VPN, TLS/SSL, VLAN)
        1. Exam need to know…
        2. Voice (for example, POTS, PBX, VoIP)
        3. Multimedia collaboration (remote meeting technology, instant messaging)
        4. Remote access (screen scraper, virtual application/desktop, telecommuting)
        5. Data communications
        6. Can you answer these questions?
      4. Objective 2.4: Understand network attacks (e.g., DDoS, spoofing)
        1. Exam need to know…
        2. DoS and DDoS
        3. Spoofing
        4. Can you answer these questions?
      5. Answers
        1. Objective 2.1: Understand secure network architecture and design (e.g., IP & non-IP protocols, segmentation)
        2. Objective 2.2: Securing network components
        3. Objective 2.3: Establish secure communication channels (e.g., VPN, TLS/SSL, VLAN)
        4. Objective 2.4: Understand network attacks (e.g., DDoS, spoofing)
    4. 3. Information Security Governance & Risk Management
      1. Objective 3.1: Understand and align security function to goals, mission, and objectives of the organization
        1. Exam need to know…
        2. Align security function
        3. Can you answer these questions?
      2. Objective 3.2: Understand and apply security governance
        1. Exam need to know…
        2. Organizational processes (e.g., acquisitions, divestitures, governance committees)
        3. Security roles and responsibilities
        4. Legislative and regulatory compliance
        5. Privacy requirements compliance
        6. Control frameworks
        7. Due care
        8. Due diligence
        9. Can you answer these questions?
      3. Objective 3.3: Understand and apply concepts of confidentiality, integrity, and availability
        1. Exam need to know…
        2. Confidentiality
        3. Integrity
        4. Availability
        5. Can you answer these questions?
      4. Objective 3.4: Develop and implement security policy
        1. Exam need to know…
        2. Security policies
        3. Standards/Baselines
        4. Procedures
        5. Guidelines
        6. Documentation
        7. Can you answer these questions?
      5. Objective 3.5: Manage the information lifecycle (e.g., classification, categorization, and ownership)
        1. Exam need to know…
        2. Manage the information lifecycle
        3. Can you answer these questions?
      6. Objective 3.6: Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)
        1. Exam need to know…
        2. Third-party governance
        3. Can you answer these questions?
      7. Objective 3.7: Understand and apply risk management concepts
        1. Exam need to know…
        2. Identify threats and vulnerabilities
        3. Risk assessment/analysis (qualitative, quantitative, hybrid)
        4. Risk assignment/acceptance
        5. Countermeasure selection
        6. Tangible and intangible asset valuation
        7. Can you answer these questions?
      8. Objective 3.8: Manage personnel security
        1. Exam need to know…
        2. Employment candidate screening (e.g., reference checks, education verification)
        3. Employment agreements and policies
        4. Employee termination processes
        5. Vendor, consultant, and contractor controls
        6. Can you answer these questions?
      9. Objective 3.9: Develop and manage security education, training, and awareness
        1. Exam need to know…
        2. Security education, training, and awareness
        3. Can you answer these questions?
      10. Objective 3.10: Manage the security function
        1. Exam need to know…
        2. Budget
        3. Metrics
        4. Resources
        5. Develop and implement information security strategies
        6. Assess the completeness and effectiveness of the security program
        7. Can you answer these questions?
      11. Answers
        1. Objective 3.1: Understand and align security function to goals, mission, and objectives of the organization
        2. Objective 3.2: Understand and apply security governance
        3. Objective 3.3: Understand and apply concepts of confidentiality, integrity, and availability
        4. Objective 3.4: Develop and implement security policy
        5. Objective 3.5: Manage the information lifecycle (e.g., classification, categorization, and ownership)
        6. Objective 3.6: Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)
        7. Objective 3.7: Understand and apply risk management concepts
        8. Objective 3.8: Manage personnel security
        9. Objective 3.9: Develop and manage security education, training, and awareness
        10. Objective 3.10: Manage the security function
    5. 4. Software Development Security
      1. Objective 4.1: Understand and apply security in the software development lifecycle
        1. Exam need to know…
        2. Development lifecycle
        3. Maturity models
        4. Operation and maintenance
        5. Change management
        6. Can you answer these questions?
      2. Objective 4.2: Understand the environment and security controls
        1. Exam need to know…
        2. Security of the software environment
        3. Security issues of programming languages
        4. Security issues in source code (e.g., buffer overflow, escalation of privilege, backdoor)
        5. Configuration management
        6. Can you answer these questions?
      3. Objective 4.3: Assess the effectiveness of software security
        1. Exam need to know…
        2. Assessment methods
        3. Can you answer these questions?
      4. Answers
        1. Objective 4.1: Understand and apply security in the software development lifecycle
        2. Objective 4.2: Understand the environment and security controls
        3. Objective 4.3: Assess the effectiveness of software security
    6. 5. Cryptography
      1. Objective 5.1: Understand the application and use of cryptography
        1. Exam need to know…
        2. Data at rest (e.g., hard drive)
        3. Data in transit (e.g., on the wire)
        4. Can you answer these questions?
      2. Objective 5.2: Understand the cryptographic lifecycle (e.g., cryptographic limitations, algorithm/protocol governance)
        1. Exam need to know…
        2. Cryptographic lifecycle
        3. Algorithm/protocol governance
        4. Can you answer these questions?
      3. Objective 5.3: Understand encryption concepts
        1. Exam need to know…
        2. Foundational concepts
        3. Symmetric cryptography
        4. Asymmetric cryptography
        5. Hybrid cryptography
        6. Message digests
        7. Hashing
        8. Can you answer these questions?
      4. Objective 5.4: Understand key management processes
        1. Exam need to know…
        2. Creation/distribution
        3. Storage/destruction
        4. Recovery
        5. Key escrow
        6. Can you answer these questions?
      5. Objective 5.5: Understand digital signatures
        1. Exam need to know…
        2. Purpose and process of digital signatures
        3. Can you answer these questions?
      6. Objective 5.6: Understand non-repudiation
        1. Exam need to know…
        2. Non-repudiation
        3. Can you answer these questions?
      7. Objective 5.7: Understand methods of cryptanalytic attacks
        1. Exam need to know…
        2. Chosen plaintext
        3. Social engineering for key discovery
        4. Brute force (e.g., rainbow tables, specialized/scalable architecture)
        5. Ciphertext only
        6. Known plaintext
        7. Frequency analysis
        8. Chosen ciphertext
        9. Implementation attacks
        10. Can you answer these questions?
      8. Objective 5.8: Use cryptography to maintain network security
        1. Exam need to know…
        2. Link vs. end-to-end encryption
        3. SSL and TLS
        4. IPsec
        5. Can you answer these questions?
      9. Objective 5.9: Use cryptography to maintain application security
        1. Exam need to know…
        2. Application security
        3. Can you answer these questions?
      10. Objective 5.10: Understand Public Key Infrastructure (PKI)
        1. Exam need to know…
        2. PKI
        3. Can you answer these questions?
      11. Objective 5.11: Understand certificate related issues
        1. Exam need to know…
        2. Certificates
        3. Validating certificates
        4. Can you answer these questions?
      12. Objective 5.12: Understand information hiding alternatives (e.g., steganography, watermarking)
        1. Exam need to know…
        2. Information hiding alternatives
        3. Can you answer these questions?
      13. Answers
        1. Objective 5.1: Understand the application and use of cryptography
        2. Objective 5.2: Understand the cryptographic lifecycle (e.g., cryptographic limitations, algorithm/protocol governance)
        3. Objective 5.3: Understand encryption concepts
        4. Objective 5.4: Understand key management processes
        5. Objective 5.5: Understand digital signatures
        6. Objective 5.6: Understand non-repudiation
        7. Objective 5.7: Understand methods of cryptanalytic attacks
        8. Objective 5.8: Use cryptography to maintain network security
        9. Objective 5.9: Use cryptography to maintain application security
        10. Objective 5.10: Understand Public Key Infrastructure (PKI)
        11. Objective 5.11: Understand certificate related issues
        12. Objective 5.12: Understand information hiding alternatives (e.g., steganography, watermarking)
    7. 6. Security Architecture & Design
      1. Objective 6.1: Understand the fundamental concepts of security models (e.g., Confidentiality, Integrity, and Multi-level Models)
        1. Exam need to know…
        2. Security models
        3. Can you answer these questions?
      2. Objective 6.2: Understand the components of information systems security evaluation models
        1. Exam need to know…
        2. Product evaluation models (e.g., Common Criteria)
        3. Industry and international security implementation guidelines (e.g., PCI DSS, ISO)
        4. Can you answer these questions?
      3. Objective 6.3: Understand security capabilities of information systems (e.g., memory protection, virtualization, Trusted Platform Module)
        1. Exam need to know…
        2. Security capabilities of information systems
        3. Can you answer these questions?
      4. Objective 6.4: Understand the vulnerabilities of security architectures
        1. Exam need to know…
        2. System (e.g., covert channels, state attacks, emanations)
        3. Technology and process integration (e.g., single point of failure, service-oriented architecture)
        4. Can you answer these questions?
      5. Objective 6.5: Understand software and system vulnerabilities and threats
        1. Exam need to know…
        2. Web-based (e.g., XML, SAML, OWASP)
        3. Client-based (e.g., applets)
        4. Server-based (e.g., data flow control)
        5. Database security (e.g., inference, aggregation, data mining, warehousing)
        6. Distributed systems (e.g., cloud computing, grid computing, peer to peer)
        7. Can you answer these questions?
      6. Objective 6.6: Understand countermeasure principles (e.g., defense in depth)
        1. Exam need to know…
        2. Defense in depth
        3. Can you answer these questions?
      7. Answers
        1. Objective 6.1: Understand the fundamental concepts of security models (e.g., Confidentiality, Integrity, and Multi-level Models)
        2. Objective 6.2: Understand the components of information systems security evaluation models
        3. Objective 6.3: Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module)
        4. Objective 6.4: Understand the vulnerabilities of security architectures
        5. Objective 6.5: Understand software and system vulnerabilities and threats
        6. Objective 6.6: Understand countermeasure principles (e.g., defense in depth)
    8. 7. Operations Security
      1. Objective 7.1: Understand security operations concepts
        1. Exam need to know…
        2. Need-to-know/least privilege
        3. Separation of duties and responsibilities
        4. Monitor special privileges (e.g., operators, administrators)
        5. Job rotation
        6. Marking, handling, storing, and destroying of sensitive information
        7. Record retention
        8. Can you answer these questions?
      2. Objective 7.2: Employ resource protection
        1. Exam need to know…
        2. Media management
        3. Asset management (e.g., equipment lifecycle, software licensing)
        4. Can you answer these questions?
      3. Objective 7.3: Manage incident response
        1. Exam need to know…
        2. Detection
        3. Response
        4. Reporting
        5. Recovery
        6. Remediation and review (e.g., root cause analysis)
        7. Can you answer these questions?
      4. Objective 7.4: Implement preventative measures against attacks (e.g., malicious code, zero-day exploit, denial of service)
        1. Exam need to know…
        2. Attacks
        3. Preventative measures
        4. Can you answer these questions?
      5. Objective 7.5: Implement and support patch and vulnerability management
        1. Exam need to know…
        2. Patch management
        3. Vulnerability management
        4. Can you answer these questions?
      6. Objective 7.6: Understand change and configuration management (e.g., versioning, baselining)
        1. Exam need to know…
        2. Change management
        3. Configuration management
        4. Can you answer these questions?
      7. Objective 7.7: Understand system resilience and fault tolerance requirements
        1. Exam need to know…
        2. Fault tolerance for disks
        3. Fault tolerance for servers
        4. Can you answer these questions?
      8. Answers
        1. Objective 7.1: Understand security operations concepts
        2. Objective 7.2: Employ resource protection
        3. Objective 7.3: Manage incident response
        4. Objective 7.4: Implement preventative measures against attacks (e.g., malicious code, zero-day exploit, denial of service)
        5. Objective 7.5: Implement and support patch and vulnerability management
        6. Objective 7.6: Understand change and configuration management (e.g., versioning, baselining)
        7. Objective 7.7: Understand system resilience and fault tolerance requirements
    9. 8. Business Continuity & Disaster Recovery Planning
      1. Objective 8.1: Understand business continuity requirements
        1. Exam need to know…
        2. Develop and document project scope and plan
        3. Can you answer these questions?
      2. Objective 8.2: Conduct business impact analysis
        1. Exam need to know…
        2. Identify and prioritize critical business functions
        3. Determine maximum tolerable downtime and other criteria
        4. Assess exposure to outages (e.g., local, regional, global)
        5. Define recovery objectives
        6. Can you answer these questions?
      3. Objective 8.3: Develop a recovery strategy
        1. Exam need to know…
        2. Implement a backup storage strategy (e.g., offsite storage, electronic vaulting, tape rotation)
        3. Recovery site strategies
        4. Can you answer these questions?
      4. Objective 8.4: Understand disaster recovery process
        1. Exam need to know…
        2. Response
        3. Personnel
        4. Communications
        5. Assessment
        6. Restoration
        7. Provide training
        8. Can you answer these questions?
      5. Objective 8.5: Exercise, assess, and maintain the plan (e.g., version control, distribution)
        1. Exam need to know…
        2. Exercises
        3. Maintain the plan
        4. Can you answer these questions?
      6. Answers
        1. Objective 8.1: Understand business continuity requirements
        2. Objective 8.2: Conduct business impact analysis
        3. Objective 8.3: Develop a recovery strategy
        4. Objective 8.4: Understand disaster recovery process
        5. Objective 8.5: Exercise, assess, and maintain the plan (e.g., version control, distribution)
    10. 9. Legal, Regulations, Investigations, and Compliance
      1. Objective 9.1: Understand legal issues that pertain to information security internationally
        1. Exam need to know…
        2. Computer crime
        3. Licensing and intellectual property (e.g., copyright, trademark)
        4. Import/Export
        5. Trans-border data flow
        6. Privacy
        7. Can you answer these questions?
      2. Objective 9.2: Understand professional ethics
        1. Exam need to know…
        2. (ISC)² Code of Professional Ethics
        3. Support organization’s code of ethics
        4. Can you answer these questions?
      3. Objective 9.3: Understand and support investigations
        1. Exam need to know…
        2. Policy, roles, and responsibilities (e.g., rules of engagement, authorization, scope)
        3. Incident handling and response
        4. Evidence collection and handling (e.g., chain of custody, interviewing)
        5. Reporting and documenting
        6. Can you answer these questions?
      4. Objective 9.4: Understand forensic procedures
        1. Exam need to know…
        2. Media analysis
        3. Network analysis
        4. Software analysis
        5. Hardware/embedded device analysis
        6. Can you answer these questions?
      5. Objective 9.5: Understand compliance requirements and procedures
        1. Exam need to know…
        2. Regulatory environment
        3. Audits
        4. Reporting
        5. Can you answer these questions?
      6. Objective 9.6: Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance)
        1. Exam need to know…
        2. Contractual agreements and procurement processes
        3. Can you answer these questions?
      7. Answers
        1. Objective 9.1: Understand legal issues that pertain to information security internationally
        2. Objective 9.2: Understand professional ethics
        3. Objective 9.3: Understand and support investigations
        4. Objective 9.4: Understand forensic procedures
        5. Objective 9.5: Understand compliance requirements and procedures
        6. Objective 9.6: Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance)
    11. 10. Physical (Environmental) Security
      1. Objective 10.1: Understand site and facility design considerations
        1. Exam need to know…
        2. Site and facility design considerations
        3. Can you answer these questions?
      2. Objective 10.2: Support the implementation and operation of perimeter security (e.g., physical access control and monitoring, audit trails/access logs)
        1. Exam need to know…
        2. Physical access control and monitoring
        3. Audit trails/access logs
        4. Can you answer these questions?
      3. Objective 10.3: Support the implementation and operation of internal security (e.g., escort requirements/visitor control, keys and locks)
        1. Exam need to know…
        2. Escort requirements/visitor control
        3. Keys and locks
        4. Can you answer these questions?
      4. Objective 10.4: Support the implementation and operation of facilities security (e.g., technology convergence)
        1. Exam need to know…
        2. Communications and server rooms
        3. Restricted and work area security
        4. Data center security
        5. Utilities and heating, ventilation, and air conditioning (HVAC) considerations
        6. Water issues (e.g., leakage, flooding)
        7. Fire prevention, detection, and suppression
        8. Can you answer these questions?
      5. Objective 10.5: Support the protection and securing of equipment
        1. Exam need to know…
        2. Can you answer these questions?
      6. Objective 10.6: Understand personnel privacy and safety (e.g., duress, travel, monitoring)
        1. Exam need to know…
        2. Personnel privacy and safety
        3. Can you answer these questions?
      7. Answers
        1. Objective 10.1: Understand site and facility design considerations
        2. Objective 10.2: Support the implementation and operation of perimeter security (e.g., physical access control and monitoring, audit trails/access logs)
        3. Objective 10.3: Support the implementation and operation of internal security (e.g., escort requirements/visitor control, keys and locks)
        4. Objective 10.4: Support the implementation and operation of facilities security (e.g., technology convergence)
        5. Objective 10.5: Support the protection and securing of equipment
        6. Objective 10.6: Understand personnel privacy and safety (e.g., duress, travel, monitoring)
    12. Index
    13. About the Author
    14. Copyright