CISSP® Study Guide

Book Description

"Ideal preparation tool for the CISSP® exam; gives you exactly what you need to know in an accurate, concentrated, no frills, no fluff manner. The EXAM WARNINGs (clear explanations about common misconceptions) are priceless and I learned a lot from them." - Stephen Northcutt, President, The SANS Technology Institute

The CISSP certification is the first and most prestigious globally recognized, vendor-neutral exam for information security professionals. Over 60,000 professionals are certified worldwide, with many more joining their ranks. Our new study guide is aligned to cover all of the material included in the exam, with special attention to recent updates. The ten domains are covered completely and as concisely as possible, with an eye to acing the exam.

Each of the ten domains has its own chapter that includes specially designed pedagogy to aid the test-taker in passing the exam like:

* Clearly Stated Exam Objectives

* Unique Terms/Definitions

* Exam Warnings

* Learning by Example

* Chapter Ending Questions

* Our author team knows how to impart the essential information, having coached many students

* Only contains what you need to pass the test - fully covers the 10 CISSP domains with no fluff!

* Features: Two practice exams, tiered chapter ending questions that allow for a gradual learning curve; and a self-test appendix

Table of Contents

  1. Copyright
  2. Acknowledgments
  3. About the authors
    1. Lead Author
    2. Contributing Authors
    3. About the Technical Editor
  4. 1. Introduction
    1. How to Prepare for the Exam
      1. The Notes Card Approach
      2. Practice Tests
      3. Read the Glossary
      4. Readiness Checklist
    2. How to Take the Exam
      1. Steps to Becoming a CISSP®
      2. Exam Logistics
      3. How to Take the Exam
        1. The Two-Pass Method
          1. Pass One
          2. Pass Two
        2. The Three-Pass Method
      4. After the Exam
    3. Good Luck!
      1. Reference
  5. 2. Domain 1: Information security governance and risk management
    1. Unique Terms and Definitions
    2. Introduction
    3. Cornerstone Information Security Concepts
      1. Confidentiality, Integrity, and Availability
        1. Confidentiality
        2. Integrity
        3. Availability
        4. Tension Between the Concepts
        5. Disclosure, Alteration, and Destruction
      2. Identity and Authentication, Authorization, and Accountability
        1. Identity and Authentication
        2. Authorization
        3. Accountability
        4. Nonrepudiation
      3. Least Privilege and Need to Know
      4. Defense-in-Depth
    4. Risk Analysis
      1. Assets
      2. Threats and Vulnerabilities
      3. Risk = Threat × Vulnerability
      4. Impact
      5. Risk Analysis Matrix
      6. Calculating Annualized Loss Expectancy
        1. Asset Value
        2. Exposure Factor
        3. Single Loss Expectancy
        4. Annual Rate of Occurrence
        5. Annualized Loss Expectancy
      7. Total Cost of Ownership
      8. Return on Investment
      9. Risk Choices
        1. Accept the Risk
          1. Risk Acceptance Criteria
        2. Mitigate the Risk
        3. Transfer the Risk
        4. Risk Avoidance
      10. Qualitative and Quantitative Risk Analysis
      11. The Risk Management Process
    5. Information Security Governance
      1. Security Policy and Related Documents
        1. Policy
          1. Components of Program Policy
          2. Policy Types
        2. Procedures
        3. Standards
        4. Guidelines
        5. Baselines
      2. Security Awareness and Training
      3. Roles and Responsibilities
      4. Compliance with Laws and Regulations
      5. Privacy
      6. Due Care and Due Diligence
        1. Gross Negligence
      7. Best Practice
      8. Outsourcing and Offshoring
      9. Auditing and Control Frameworks
        1. OCTAVE
        2. ISO 17799 and the ISO 27000 Series
        3. COBIT
        4. ITIL
      10. Certification and Accreditation
    6. Ethics
      1. The (ISC)²® Code of Ethics
    7. Summary of Exam Objectives
    8. Self Test
    9. Self Test Quick Answer Key
      1. References
  6. 3. Domain 2: Access control
    1. Unique Terms and Definitions
    2. Introduction
    3. Cornerstone Access Control Concepts
      1. The CIA triad
        1. Confidentiality
        2. Integrity
        3. Availability
      2. Identification and AAA
      3. Subjects and objects
    4. Access Control Models
      1. Discretionary Access Controls (DAC)
      2. Mandatory Access Controls (MAC)
      3. Non-Discretionary Access Control
      4. Content and Context-Dependent Access Controls
      5. Centralized Access Control
      6. Decentralized Access Control
      7. Access Control Protocols and Frameworks
        1. RADIUS
        2. Diameter
        3. TACACS and TACACS+
        4. PAP and CHAP
        5. Microsoft Active Directory Domains
    5. Procedural Issues for Access Control
      1. Labels, Clearance, Formal Access Approval, and Need to Know
        1. Labels
        2. Clearance
        3. Formal Access Approval
        4. Need to Know
      2. Rule-Based Access Controls
      3. Access Control Lists
    6. Access Control Defensive Categories and Types
      1. Preventive
      2. Detective
      3. Corrective
      4. Recovery
      5. Deterrent
      6. Compensating
      7. Comparing Access Controls
    7. Authentication Methods
      1. Type 1 Authentication: Something You Know
        1. Passwords
        2. Password Hashes and Password Cracking
          1. Dictionary Attacks
          2. Brute-Force and Hybrid Attacks
          3. Salts
          4. Password Management
          5. Password Control
      2. Type 2 Authentication: Something You Have
        1. Synchronous Dynamic Token
        2. Asynchronous Dynamic Token
      3. Type 3 Authentication: Something You Are
        1. Biometric Fairness, Psychological Comfort, and Safety
        2. Biometric Enrollment and Throughput
        3. Accuracy of Biometric Systems
          1. False Reject Rate (FRR)
          2. False Accept Rate (FAR)
          3. Crossover Error Rate (CER)
        4. Types of Biometric Controls
          1. Fingerprints
          2. Retina Scan
          3. Iris Scan
          4. Hand Geometry
          5. Keyboard Dynamics
          6. Dynamic Signature
          7. Voice Print
          8. Facial Scan
      4. Someplace You Are
    8. Access Control Technologies
      1. Single Sign-On (SSO)
      2. Kerberos
        1. Kerberos Characteristics
        2. Kerberos Operational Steps
        3. Kerberos Strengths
        4. Kerberos Weaknesses
      3. SESAME
      4. Security Audit Logs
    9. Types of Attackers
      1. Hackers
      2. Black Hats and White Hats
      3. Script Kiddies
      4. Outsiders
      5. Insiders
      6. Hacktivist
      7. Bots and BotNets
      8. Phishers and Spear Phishers
    10. Assessing Access Control
      1. Penetration Testing
        1. Penetration Testing Tools and Methodology
        2. Assuring Confidentiality, Data Integrity, and System Integrity
      2. Vulnerability Testing
      3. Security Audits
      4. Security Assessments
    11. Summary of Exam Objectives
    12. Self Test
    13. Self Test Quick Answer Key
      1. References
  7. 4. Domain 3: Cryptography
    1. Unique Terms and Definitions
    2. Introduction
    3. Cornerstone Cryptographic Concepts
      1. Key Terms
      2. Confidentiality, Integrity, Authentication, and Non-Repudiation
      3. Confusion, Diffusion, Substitution, and Permutation
      4. Cryptographic Strength
      5. Monoalphabetic and Polyalphabetic Ciphers
      6. Modular Math
      7. Exclusive Or (XOR)
      8. Types of Cryptography
    4. History of Cryptography
      1. Egyptian Hieroglyphics
      2. Spartan Scytale
      3. Caesar Cipher and other Rotation Ciphers
      4. Vigenère Cipher
      5. Cipher Disk
      6. Jefferson Disks
      7. Book Cipher and Running-Key Cipher
      8. Codebooks
      9. One-Time Pad
        1. Vernam Cipher
        2. Project VENONA
      10. Hebern Machines and Purple
        1. Enigma
        2. SIGABA
        3. Purple
      11. Cryptography Laws
        1. COCOM
        2. Wassenaar Arrangement
    5. Symmetric Encryption
      1. Stream and Block Ciphers
      2. Initialization Vectors and Chaining
      3. Data Encryption Standard
        1. Modes of DES
          1. Electronic Code Book (ECB)
          2. Cipher Block Chaining (CBC)
          3. Cipher Feedback (CFB)
          4. Output Feedback (OFB)
          5. Counter (CTR)
        2. Single DES
        3. Triple DES
          1. Triple DES encryption order and keying options
      4. International Data Encryption Algorithm (IDEA)
      5. Advanced Encryption Standard (AES)
        1. Choosing AES
        2. AES functions
          1. ShiftRows
          2. MixColumns
          3. SubBytes
          4. AddRoundKey
      6. Blowfish and Twofish
      7. RC5 and RC6
    6. Asymmetric Encryption
      1. Asymmetric Methods
        1. Factoring Prime Numbers
        2. Discrete Logarithm
          1. Diffie-Hellman key agreement protocol
        3. Elliptic Curve Cryptography (ECC)
        4. Asymmetric and Symmetric Tradeoffs
    7. Hash Functions
      1. Collisions
      2. MD5
      3. Secure Hash Algorithm
      4. HAVAL
    8. Cryptographic Attacks
      1. Brute Force
      2. Known Plaintext
      3. Chosen Plaintext and Adaptive Chosen Plaintext
      4. Chosen Ciphertext and Adaptive Chosen Ciphertext
      5. Meet-in-the-middle Attack
      6. Known Key
      7. Differential Cryptanalysis
      8. Linear Cryptanalysis
      9. Side-channel Attacks
      10. Birthday Attack
      11. Key Clustering
    9. Implementing Cryptography
      1. Digital Signatures
      2. HMAC
      3. CBC-MAC
      4. Public Key Infrastructure
        1. Certificate Authorities
        2. Certificate Revocation Lists
      5. IPsec
        1. AH and ESP
        2. Security Association and ISAKMP
        3. Tunnel and Transport Mode
        4. IKE
      6. SSL and TLS
      7. PGP
      8. S/MIME
      9. Escrowed Encryption
        1. Clipper Chip
      10. Steganography
      11. Digital Watermarks
    10. Summary of Exam Objectives
    11. Self Test
    12. Self Test Quick Answer Key
      1. References
  8. 5. Domain 4: Physical (Environmental) security
    1. Unique Terms and Definitions
    2. Introduction
    3. Perimeter Defenses
      1. Fences
      2. Gates
      3. Bollards
      4. Lights
      5. CCTV
      6. Locks
        1. Key locks
          1. Lock Picking
          2. Master and Core Keys
        2. Combination Locks
      7. Smart Cards and Magnetic Stripe Cards
      8. Tailgating/piggybacking
      9. Mantraps and Turnstiles
      10. Contraband Checks
      11. Motion Detectors and Other Perimeter Alarms
      12. Doors and Windows
      13. Walls, floors, and ceilings
      14. Guards
      15. Dogs
      16. Restricted Areas and Escorts
    4. Site Selection, Design, and Configuration
      1. Site Selection Issues
        1. Topography
        2. Utility Reliability
        3. Crime
      2. Site Design and Configuration Issues
        1. Site marking
        2. Shared Tenancy and Adjacent Buildings
        3. Shared Demarc
    5. System Defenses
      1. Asset Tracking
      2. Port Controls
      3. Drive and Tape Encryption
      4. Media Storage and Transportation
      5. Media Cleaning and Destruction
        1. Paper Shredders
        2. Overwriting
        3. Degaussing and Destruction
          1. Degaussing
          2. Destruction
    6. Environmental Controls
      1. Electricity
        1. Types of Electrical Faults
        2. Surge Protectors, UPSs, and Generators
          1. Surge Protectors
          2. Uninterruptible Power Supplies
          3. Generators
        3. EMI
      2. HVAC
        1. Positive Pressure and Drains
        2. Heat and Humidity
        3. Static and Corrosion
        4. Airborne Contaminants
      3. Heat, Flame, and Smoke Detectors
        1. Heat Detectors
        2. Smoke Detectors
        3. Flame Detectors
      4. Safety Training and Awareness
        1. Evacuation Routes
        2. Evacuation Roles and Procedures
      5. ABCD Fires and Suppression
        1. Classes of Fire and Suppression Agents
      6. Types of Fire Suppression Agents
        1. Water
        2. Soda Acid
        3. Dry Powder
        4. Wet Chemical
        5. CO2
        6. Halon and Halon Substitutes
          1. Montreal Accord
        7. Halon Replacements
        8. Count-down Timers
        9. Sprinkler Systems
          1. Wet Pipe
          2. Dry Pipe
          3. Deluge
          4. Pre-Action
        10. Portable Fire Extinguishers
    7. Summary of Exam Objectives
    8. Self Test
    9. Self Test Quick Answer Key
      1. References
  9. 6. Domain 5: Security architecture and design
    1. Unique Terms and Definitions
    2. Introduction
    3. Secure System Design Concepts
      1. Layering
      2. Abstraction
      3. Security Domains
      4. The Ring Model
      5. Open and Closed Systems
    4. Secure Hardware Architecture
      1. The System Unit and Motherboard
      2. The Computer Bus
        1. Northbridge and southbridge
      3. The CPU
        1. Arithmetic Logic Unit and Control Unit
        2. Fetch & execute
        3. Pipelining
        4. Interrupts
        5. Processes and threads
        6. Multitasking and Multiprocessing
          1. Watchdog Timers
        7. CISC and RISC
      4. Memory
        1. Cache memory
        2. RAM and ROM
        3. DRAM and SRAM
        4. Memory Addressing
      5. Memory Protection
        1. Process Isolation
        2. Hardware Segmentation
        3. Virtual Memory
          1. Swapping and Paging
        4. Firmware
          1. Flash Memory
          2. BIOS
        5. WORM Storage
    5. Secure Operating System and Software Architecture
      1. The Kernel
        1. Reference Monitor
      2. Users and File Permissions
        1. Linux and UNIX permissions
        2. Microsoft NTFS Permissions
        3. Privileged Programs
      3. Virtualization
        1. Virtualization Benefits
        2. Virtualization Security Issues
      4. Thin Clients
        1. Diskless Workstations
        2. Thin Client Applications
    6. System Vulnerabilities, Threats, and Countermeasures
      1. Emanations
      2. Covert Channels
        1. Covert Storage Channels
        2. Covert Timing Channels
      3. Buffer Overflows
      4. TOCTOU/Race Conditions
      5. Backdoors
      6. Malicious Code (Malware)
        1. Computer Viruses
        2. Worms
        3. Trojans
        4. Rootkits
        5. Packers
        6. Logic Bombs
        7. Antivirus software
      7. Server-Side Attacks
      8. Client-Side Attacks
      9. Web Application Attacks
        1. XML
        2. Applets
          1. Java
          2. ActiveX
      10. Mobile Device Attacks
        1. Mobile Device Defenses
      11. Database Security
        1. Polyinstantiation
        2. Inference and aggregation
          1. Inference and Aggregation Controls
        3. Data Mining
      12. Countermeasures
    7. Security Models
      1. Reading Down and Writing Up
      2. State Machine model
      3. Bell-LaPadula model
        1. Simple Security Property
        2. * Security Property (Star Security Property)
        3. Strong and Weak Tranquility Property
      4. Lattice-Based Access Controls
      5. Integrity Models
        1. Biba Model
          1. Simple Integrity Axiom
          2. * Integrity Axiom
        2. Clark-Wilson
          1. Well-Formed Transactions
          2. Certification, Enforcement, and Separation of Duties
      6. Information Flow Model
      7. Chinese Wall model
      8. Noninterference
      9. Take-Grant
      10. Access Control Matrix
      11. Zachman Framework for Enterprise Architecture
      12. Graham-Denning Model
      13. Harrison-Ruzzo-Ullman Model
      14. Modes of Operation
        1. Dedicated
        2. System high
        3. Compartmented
        4. Multilevel
    8. Evaluation Methods, Certification, and Accreditation
      1. The Orange Book
        1. The TCSEC Divisions
        2. TNI/Red Book
      2. ITSEC
      3. The International Common Criteria
        1. Common Criteria terms
        2. Levels of Evaluation
      4. PCI-DSS
      5. Certification and Accreditation
    9. Summary of Exam Objectives
    10. Self Test
    11. Self Test Quick Answer Key
      1. References
  10. 7. Domain 6: Business continuity and disaster recovery planning
    1. Unique Terms and Definitions
    2. Introduction
    3. BCP and DRP Overview and Process
      1. Business Continuity Planning (BCP)
      2. Disaster Recovery Planning (DRP)
      3. Relationship between BCP and DRP
      4. Disasters or disruptive Events
        1. Errors and omissions
        2. Natural Disasters
        3. Electrical or power Problems
        4. Temperature and Humidity Failures
        5. Warfare, terrorism, and sabotage
        6. Financially-motivated Attackers
        7. Personnel Shortages
          1. Pandemics and Disease
          2. Strikes
          3. Personnel Availability
        8. Communications Failure
      5. The Disaster Recovery Process
        1. Respond
        2. Activate Team
        3. Communicate
        4. Assess
        5. Reconstitution
    4. Developing a BCP/DRP
      1. Project Initiation
        1. Management Support
        2. BCP/DRP Project Manager
        3. Building BCP/DRP Team
      2. Scoping the Project
      3. Assessing the Critical State
      4. Conduct Business Impact Analysis (BIA)
        1. Identify Critical Assets
        2. Conduct BCP/DRP-focused Risk Assessment
        3. Determine Maximum Tolerable Downtime
          1. Alternate terms for MTD
        4. Failure and Recovery Metrics
          1. Recovery Point Objective
          2. Recovery Time Objective (RTO) and Work Recovery Time (WRT)
          3. Mean Time Between Failures
          4. Mean Time to Repair (MTTR)
          5. Minimum Operating Requirements
      5. Identify Preventive Controls
      6. Recovery Strategy
        1. Supply Chain Management
        2. Telecommunication Management
        3. Utility Management
        4. Recovery options
          1. Redundant Site
          2. Hot Site
          3. Warm Site
          4. Cold Site
          5. Reciprocal Agreement
          6. Mobile Site
          7. Subscription Services
      7. Related Plans
        1. Continuity of Operations Plan (COOP)
        2. Business Recovery Plan (BRP)
        3. Continuity of Support Plan
        4. Cyber Incident Response Plan
        5. Occupant Emergency Plan (OEP)
        6. Crisis Management Plan (CMP)
          1. Crisis Communications Plan
          2. Call Trees
          3. Automated Call Trees
          4. Emergency Operations Center (EOC)
          5. Vital Records
        7. Executive Succession Planning
      8. Plan Approval
    5. Backups and Availability
      1. Hardcopy Data
      2. Electronic Backups
        1. Full Backups
        2. Incremental Backups
        3. Differential Backups
        4. Electronic vaulting
        5. Remote Journaling
        6. Database shadowing
        7. HA options
      3. Software Escrow
    6. DRP Testing, Training, and Awareness
      1. DRP Testing
        1. DRP Review
        2. Checklist
        3. Structured Walkthrough/Tabletop
        4. Simulation Test/Walkthrough Drill
        5. Parallel Processing
        6. Partial and Complete Business Interruption
      2. Training
        1. Starting Emergency Power
        2. Calling Tree Training/Test
      3. Awareness
    7. Continued BCP/DRP Maintenance
      1. Change Management
      2. BCP/DRP Mistakes
    8. Specific BCP/DRP Frameworks
      1. NIST SP 800-34
      2. ISO/IEC-27031
      3. BS-25999
      4. BCI
    9. Summary of Exam Objectives
    10. Self Test
    11. Self Test Quick Answer Key
      1. References
  11. 8. Domain 7: Telecommunications and network security
    1. Unique Terms and Definitions
    2. Introduction
    3. Network Architecture and Design
      1. Network Defense-in-Depth
      2. Fundamental Network Concepts
        1. Simplex, Half-Duplex, and Full-Duplex Communication
        2. Baseband and Broadband
        3. Analog & Digital
        4. LANs, WANs, MANs, GANs, and PANs
        5. Internet, Intranet, and Extranet
        6. Circuit-Switched and Packet-Switched Networks
          1. Quality of Service
        7. Layered Design
        8. Models and Stacks
      3. The OSI Model
        1. Layer 1: Physical
        2. Layer 2: Data link
        3. Layer 3: Network
        4. Layer 4: Transport
        5. Layer 5: Session
        6. Layer 6: Presentation
        7. Layer 7: Application
      4. The TCP/IP Model
        1. Network Access Layer
        2. Internet Layer
        3. Host-to-host Transport Layer
        4. Application Layer
      5. Encapsulation
      6. Network Access, Internet and Transport Layer Protocols and Concepts
        1. MAC Addresses
          1. EUI-64 MAC addresses
        2. IPv4
          1. Key IPv4 Header Fields
          2. IP Fragmentation
        3. IPv6
          1. IPv6 Addresses and Autoconfiguration
          2. IPv6 Security Challenges
        4. Classful Networks
        5. Classless Inter-Domain Routing
        6. RFC 1918 Addressing
        7. Network Address Translation
        8. ARP and RARP
        9. Unicast, Multicast, and Broadcast Traffic
          1. Limited and Directed Broadcast Addresses
          2. Layer 2 Broadcast
          3. Promiscuous Network Access
        10. TCP
          1. Key TCP Header Fields
          2. TCP Ports
          3. Socket Pairs
          4. TCP Flags
          5. The TCP handshake
        11. UDP
        12. ICMP
          1. Ping
          2. Traceroute
      7. Application Layer TCP/IP Protocols and Concepts
        1. Telnet
        2. FTP
        3. TFTP
        4. SSH
        5. SMTP, POP, and IMAP
        6. DNS
          1. DNS Weaknesses
          2. DNSSEC
        7. SNMP
        8. HTTP and HTTPS
        9. BOOTP and DHCP
      8. Layer 1 Network Cabling
        1. Twisted Pair Cabling
        2. Coaxial Cabling
        3. Fiber Optic Network Cable
      9. LAN Technologies and Protocols
        1. Ethernet
          1. CSMA
        2. ARCNET & Token Ring
        3. FDDI
      10. LAN Physical Network Topologies
        1. Bus
        2. Tree
        3. Ring
        4. Star
        5. Mesh
      11. WAN Technologies and Protocols
        1. T1s, T3s, E1s, E3s
        2. Frame Relay
        3. X.25
        4. ATM
        5. MPLS
        6. SDLC and HDLC
    4. Network Devices and Protocols
      1. Repeaters and Hubs
      2. Bridges
      3. Switches
        1. VLANs
        2. SPAN ports
      4. TAPs
      5. Routers
        1. Static and Default Routes
        2. Routing Protocols
          1. Distance Vector Routing Protocols
          2. RIP
          3. Link State Routing Protocols
          4. OSPF
          5. BGP
      6. Firewalls
        1. Packet Filter
        2. Stateful Firewalls
        3. Proxy Firewalls
          1. Application-Layer Proxy Firewalls
          2. Circuit-Level Proxies Including SOCKS
        4. Fundamental Firewall Designs
          1. Bastion Hosts
          2. Dual-Homed Host
          3. Screened Host Architecture
          4. DMZ Networks and Screened Subnet Architecture
      7. Modem
      8. DTE/DCE and CSU/DSU
      9. Intrusion Detection Systems and Intrusion Prevention Systems
        1. IDS and IPS Event Types
        2. NIDS and NIPS
        3. HIDS and HIPS
        4. Pattern Matching
        5. Protocol Behavior
        6. Anomaly Detection
      10. Honeypots
      11. Network Attacks
        1. TCP SYN Flood
        2. LAND Attack
        3. Smurf and Fraggle attacks
        4. Teardrop Attack
      12. Network Scanning Tools
        1. Scan Types
          1. ARP Scans
          2. TCP Scans
          3. UDP Scans
    5. Secure Communications
      1. Authentication Protocols and Frameworks
        1. PAP & CHAP
        2. 802.1X and EAP
      2. VPN
        1. SLIP and PPP
        2. PPTP and L2TP
        3. IPSec
          1. IPSec Architectures
          2. Tunnel and Transport Mode
        4. SSL and TLS
      3. VoIP
      4. Wireless Local Area Networks
        1. DoS & Availability
        2. Unlicensed Bands
        3. FHSS, DSSS, and OFDM
        4. 802.11 abgn
        5. Managed, Master, Ad Hoc, and Monitor modes
        6. SSID and MAC Address Filtering
        7. WEP
        8. 802.11i
        9. Bluetooth
        10. PDAs
        11. Wireless Application Protocol
      5. RFID
      6. Remote Access
        1. ISDN
        2. DSL
        3. Cable Modems
        4. Callback & Caller ID
        5. Instant Messaging
        6. Remote Meeting Technology
    6. Summary of Exam Objectives
    7. Self Test
    8. Self Test Quick Answer Key
      1. References
  12. 9. Domain 8: Application development security
    1. Unique Terms and Definitions
    2. Introduction
    3. Programming Concepts
      1. Machine Code, Source Code, and Assemblers
      2. Compilers, Interpreters, and Bytecode
      3. Procedural and Object-Oriented Languages
      4. Fourth-generation Programming Language
      5. Computer-Aided Software Engineering (CASE)
      6. Top-Down versus Bottom-Up Programming
      7. Types of Publicly-Released Software
        1. Open and Closed Source Software
        2. Free Software, Shareware, and Crippleware
        3. Software Licensing
    4. Application Development Methods
      1. Waterfall Model
      2. Sashimi Model
      3. Agile Software Development
        1. Scrum
        2. Extreme Programming (XP)
      4. Spiral
      5. Rapid Application Development (RAD)
      6. Prototyping
      7. SDLC
      8. Software Escrow
    5. Object-Oriented Design and Programming
      1. Object-Oriented Programming (OOP)
        1. Cornerstone Object-Oriented Programming Concepts
        2. Coupling and Cohesion
      2. Object Request Brokers
        1. COM and DCOM
        2. CORBA
      3. Object-Oriented Analysis (OOA) and Object-Oriented Design (OOD)
    6. Software Vulnerabilities, Testing, and Assurance
      1. Software Vulnerabilities
        1. Types of Software Vulnerabilities
      2. Software Testing Methods
        1. Software Testing Levels
        2. Fuzzing
        3. Combinatorial Software Testing
      3. Disclosure
      4. Software Capability Maturity Model (CMM)
    7. Databases
      1. Types of Databases
        1. Relational Databases
          1. Foreign Keys
          2. Referential, Semantic, and Entity Integrity
          3. Database Normalization
          4. Database Views
          5. The Data Dictionary
          6. Database Query Languages
        2. Hierarchical Databases
        3. Object-oriented Databases
      2. Database Integrity
      3. Database Replication and Shadowing
      4. Data Warehousing and Data Mining
    8. Artificial Intelligence
      1. Expert Systems
      2. Artificial Neural Networks
        1. Real Neural Networks
        2. How Artificial Neural Networks Operate
      3. Bayesian Filtering
      4. Genetic Algorithms and Programming
    9. Summary of Exam Objectives
    10. Self Test
    11. Self Test Quick Answer Key
      1. References
  13. 10. Domain 9: Operations security
    1. Unique Terms and Definitions
    2. Introduction
    3. Administrative Security
      1. Administrative Personnel Controls
        1. Least Privilege or Minimum Necessary Access
          1. Need to know
        2. Separation of Duties
        3. Rotation of Duties/Job Rotation
        4. Mandatory Leave/Forced Vacation
        5. Non-Disclosure Agreement
        6. Background Checks
      2. Privilege Monitoring
    4. Sensitive Information/Media Security
      1. Sensitive Information
        1. Labeling/marking
        2. Handling
        3. Storage
        4. Retention
        5. Media Sanitization or Destruction of Data
          1. Data Remanence
          2. Wiping, overwriting, or shredding
          3. Degaussing
          4. Physical Destruction
          5. Shredding
    5. Asset Management
      1. Configuration Management
        1. Baselining
        2. Patch Management
        3. Vulnerability Management
          1. Zero-Day Vulnerabilities and Zero-Day Exploits
      2. Change Management
    6. Continuity of Operations
      1. Service Level Agreements (SLA)
      2. Fault Tolerance
        1. Backup
          1. Full
          2. Incremental
          3. Differential
        2. Redundant Array of Inexpensive Disks (RAID)
          1. RAID 0: Striped Set
          2. RAID 1: Mirrored Set
          3. RAID 2: Hamming Code
          4. RAID 3: Striped Set with Dedicated Parity (byte level)
          5. RAID 4: Striped Set with Dedicated Parity (block level)
          6. RAID 5: Striped Set with Distributed Parity
          7. RAID 6: Striped Set with Dual Distributed Parity
          8. RAID 1 + 0 or RAID 10
        3. System Redundancy
          1. Redundant Hardware
          2. Redundant Systems
          3. High-Availability Clusters
    7. Incident Response Management
      1. Methodology
        1. Detection
        2. Containment
        3. Eradication
        4. Recovery
        5. Reporting
      2. Types of attacks
        1. Threat Agents
        2. Threat Vectors
        3. Password Guessing and Password Cracking
        4. Session Hijacking and MITM
        5. Malware
          1. Denial of Service (DoS) and Distributed Denial of Service (DDoS)
    8. Summary of Exam Objectives
    9. Self Test
    10. Self Test Quick Answer Key
      1. References
  14. 11. Domain 10: Legal, regulations, investigations, and compliance
    1. Unique Terms and Definitions
    2. Introduction
    3. Major Legal Systems
      1. Civil Law (legal system)
      2. Common Law
      3. Religious Law
      4. Other Systems
    4. Criminal, Civil, and Administrative Law
      1. Criminal Law
      2. Civil Law
      3. Administrative Law
    5. Information Security Aspects of Law
      1. Computer Crime
        1. International Cooperation
      2. Intellectual Property
        1. Trademark
        2. Patent
        3. Copyright
          1. Copyright limitations
        4. Licenses
        5. Trade Secrets
        6. Intellectual Property Attacks
      3. Import/export Restrictions
      4. Privacy
        1. European Union Privacy
        2. OECD Privacy Guidelines
        3. EU-US Safe Harbor
        4. US Privacy Act of 1974
      5. Liability
        1. Due Care
        2. Due Diligence
    6. Legal Aspects of Investigations
      1. Digital Forensics
      2. Incident Response
      3. Evidence
        1. Real evidence
        2. Direct evidence
        3. Circumstantial evidence
        4. Corroborative evidence
        5. Hearsay
        6. Best Evidence Rule
        7. Secondary Evidence
      4. Evidence Integrity
      5. Chain of Custody
      6. Reasonable Searches
      7. Entrapment and enticement
    7. Important Laws and Regulations
      1. U.S. Computer Fraud and Abuse Act
      2. USA PATRIOT Act
      3. HIPAA
      4. United States Breach Notification Laws
    8. Ethics
      1. Computer Ethics Institute
      2. IAB’s Ethics and the Internet
      3. The (ISC)²® Code of Ethics
    9. Summary of Exam Objectives
    10. Self Test
    11. Self Test Quick Answer Key
      1. References
  15. Self test
    1. Chapter 2 Domain 1: Information Security Governance and Risk Management
    2. Chapter 3 Domain 2: Access Control
    3. Chapter 4 Domain 3: Cryptography
    4. Chapter 5 Domain 4: Physical (Environmental) Security
    5. Chapter 6 Domain 5: Security Architecture and Design
    6. Chapter 7 Domain 6: Business Continuity and Disaster Recovery Planning
    7. Chapter 8 Domain 7: Telecommunications and Network Security
    8. Chapter 9 Domain 8: Application Development Security
    9. Chapter 10 Domain 9: Operations Security
    10. Chapter 11 Domain 10: Legal, Regulations, Investigations, and Compliance
  16. Glossary