Official (ISC)2 Guide to the CISSP CBK, Fourth Edition, 4th Edition

Book Description

As a result of the rigorous, methodical process that (ISC)² follows to routinely update its credential exams, it has announced that enhancements will be made to the Certified Information Systems Security Professional (CISSP) credential, beginning April 15, 2015. (ISC)² conducts this process on a regular basis to ensure that the examinations and subsequent training and continuing professional education requirements encompass the topic areas relevant to the roles and responsibilities of today’s practicing information security professionals.

Refreshed technical content has been added to the official (ISC)² CISSP CBK to reflect the most current topics in the information security industry today. Some topics have been expanded (e.g., asset security, security assessment and testing), while other topics have been realigned under different domains. The result is an exam that most accurately reflects the technical and managerial competence required from an experienced information security professional to effectively design, engineer, implement and manage an organization’s information security program within an ever-changing security landscape.

The domain names have been updated as follows:

CISSP Domains, Effective April 15, 2015

  1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  2. Asset Security (Protecting Security of Assets)
  3. Security Engineering (Engineering and Management of Security)
  4. Communications and Network Security (Designing and Protecting Network Security)
  5. Identity and Access Management (Controlling Access and Managing Identity)
  6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  7. Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

Some candidates may be wondering how these updates affect training materials for the CISSP credential. As part of the organization’s comprehensive education strategy and certifying body best practices, (ISC)² training materials do not teach directly to its credential examinations. Rather, (ISC)² Education is focused on teaching the core competencies relevant to the roles and responsibilities of today’s practicing information security professional. It is designed to refresh and enhance the knowledge of experienced industry professionals.

Table of Contents

  1. Preliminaries
  2. Series
  3. Foreword
  4. Introduction
  5. Editors
  6. Preface
  7. Domain 1: Security & Risk Management
    1. Confidentiality, Integrity, and Availability
      1. Confidentiality
      2. Integrity
      3. Availability
    2. Security Governance
      1. Goals, Mission, and Objectives of the Organization
      2. Organizational Processes
      3. Security Roles and Responsibilities
        1. Today’s Security Organizational Structure
        2. Responsibilities of the Information Security Officer
        3. Communicate Risks to Executive Management
        4. Reporting Model
        5. Business Relationships
        6. Reporting to the CEO
        7. Reporting to the Information Technology (IT) Department
        8. Reporting to Corporate Security
        9. Reporting to the Administrative Services Department
        10. Reporting to the Insurance and Risk Management Department
        11. Reporting to the Internal Audit Department
        12. Reporting to the Legal Department
        13. Determining the Best Fit
        14. Budget
        15. Metrics
        16. Resources
      4. Information Security Strategies
        1. Strategic Planning
        2. Tactical Planning
        3. Operational and Project Planning
    3. The Complete and Effective Security Program
      1. Oversight Committee Representation
        1. Security Council Vision Statement
        2. Mission Statement
        3. Security Program Oversight
        4. End-Users
        5. Executive Management
        6. Information Systems Security Professional
        7. Data/Information/Business Owners
        8. Data/Information Custodian/Steward
        9. Information Systems Auditor
        10. Business Continuity Planner
        11. Information Systems/Information Technology Professionals
        12. Security Administrator
        13. Network/Systems Administrator
        14. Physical Security
        15. Administrative Assistants/Secretaries
        16. Help Desk/Service Desk Administrator
      2. Control Frameworks
      3. Due Care
      4. Due Diligence
    4. Compliance
      1. Governance, Risk Management, and Compliance (GRC)
      2. Legislative and Regulatory Compliance
      3. Privacy Requirements Compliance
    5. Global Legal and Regulatory Issues
      1. Computer/Cyber Crime
      2. Licensing and Intellectual Property
        1. Intellectual Property Laws
        2. Patent
        3. Trademark
        4. Copyright
        5. Trade Secret
        6. Licensing Issues
      3. Import/Export
      4. Trans-Border Data Flow
      5. Privacy
      6. Data Breaches
        1. eBay
        2. Michaels Stores
        3. Montana Department of Public Health and Human Services
        4. Variable Annuity Life Insurance Co.
        5. Spec’s
        6. St. Joseph Health System
        7. A Brief Primer on VERIS & VCDB
      7. Relevant Laws and Regulations
    6. Understand Professional Ethics
      1. Regulatory Requirements for Ethics Programs
      2. Topics in Computer Ethics
        1. Computers in the Workplace
        2. Computer Crime
        3. Privacy and Anonymity
        4. Intellectual Property
        5. Professional Responsibility and Globalization
      3. Common Computer Ethics Fallacies
        1. Computer Game Fallacy
        2. Law-Abiding Citizen Fallacy
        3. Shatterproof Fallacy
        4. Candy-from-a-Baby Fallacy
        5. Hacker Fallacy
        6. Free Information Fallacy
      4. Hacking and Hacktivism
        1. The Hacker Ethic
      5. Ethics Codes of Conduct and Resources
        1. The Code of Fair Information Practices
        2. Internet Activities Board (IAB) (Now the Internet Architecture Board) and RFC 1087
        3. Computer Ethics Institute (CEI)
        4. National Conference on Computing and Values
        5. The Working Group on Computer Ethics
        6. National Computer Ethics and Responsibilities Campaign (NCERC)
      6. (ISC)² Code of Professional Ethics
        1. Code of Ethics Preamble
        2. Code of Ethics Canons
          1. Protect Society, the Commonwealth, and the Infrastructure
          2. Act Honorably, Honestly, Justly, Responsibly, and Legally
          3. Provide Diligent and Competent Service to Principals
          4. Advance and Protect the Profession
      7. Support Organization’s Code of Ethics
        1. How a Code of Ethics Applies to CISSPs
    7. Develop and Implement Security Policy
    8. Business Continuity (BC) & Disaster Recovery (DR) Requirements
      1. Project Initiation and Management
        1. Senior Leadership Support
        2. Additional Benefits of the Planning Process
      2. Develop and Document Project Scope and Plan
        1. Organizational Analysis
      3. Conducting the Business Impact Analysis (BIA)
      4. Identify and Prioritize
        1. Critical Organization Functions
        2. Determine Maximum Tolerable Downtime
      5. Assess Exposure to Outages
        1. Understanding the Organization
        2. External Threats and Vulnerabilities
        3. Internal Threats and Vulnerabilities
      6. Recovery Point Objectives (RPO)
    9. Manage Personnel Security
      1. Employment Candidate Screening
        1. Reference Checks
        2. Background Investigations
        3. Benefits of Background Checks
        4. Timing of Checks
        5. Types of Background Checks
        6. Credit History
        7. Criminal History
        8. Driving Records
        9. Drug and Substance Testing
        10. Prior Employment
        11. Education, Licensing, and Certification Verification
        12. Social Security Number Verification and Validation
        13. Suspected Terrorist Watch List
      2. Employment Agreements and Policies
        1. Job Rotation
        2. Separation of Duties (SOD)
        3. Least Privilege (Need to Know)
        4. Mandatory Vacations
      3. Employee Termination Processes
        1. Friendly Terminations
        2. Unfriendly Terminations
      4. Vendor, Consultant, and Contractor Controls
      5. Privacy
    10. Risk Management Concepts
      1. Organizational Risk Management Concepts
        1. Security and Audit Frameworks and Methodologies
        2. COSO
        3. ITIL
        4. COBIT
        5. ISO 27002:2013 (Formerly Known as ISO17799/BS7799)
      2. Risk Assessment Methodologies
        1. NIST SP 800-30r1, 800-39, and 800-66r1
        2. CRAMM
        3. Failure Modes and Effect Analysis
        4. FRAP
        5. OCTAVE
        6. Security Officers Management and Analysis Project (SOMAP)
        7. Spanning Tree Analysis
        8. VAR (Value at Risk)
        9. Qualitative Risk Assessments
        10. Quantitative Risk Assessments
      3. Identify Threats and Vulnerabilities
        1. Identify Vulnerabilities
        2. Identify Threats
        3. Selecting Tools and Techniques for Risk Assessment
      4. Risk Assessment/Analysis
        1. Likelihood Determination
        2. Determination of Impact
        3. Determination of Risk
        4. Risk Avoidance
        5. Risk Transfer
        6. Risk Mitigation
        7. Risk Acceptance
        8. Risk Assignment
      5. Countermeasure Selection
      6. Implementation of Risk Countermeasures
        1. Mobile Applications
        2. Web 2.0
        3. Cloud Computing Services
      7. Types of Controls
        1. Directive Controls
        2. Deterrent Controls
        3. Preventative Controls
        4. Compensating Controls
        5. Detective Controls
        6. Corrective Controls
        7. Recovery Controls
      8. Access Control Types
        1. Physical Controls
        2. Physical Entry
        3. Administrative Controls
        4. Policies and Procedures
        5. Personnel Security, Evaluation, and Clearances
        6. Security Policies
        7. Monitoring
        8. User Access Management
        9. Privilege Management
        10. Logical (Technical) Controls
        11. Network Access
        12. Remote Access
        13. System Access
        14. Application Access
        15. Malware Control
        16. Cryptography
      9. Controls Assessment/Monitoring and Measuring
        1. Vulnerability Assessment
        2. Penetration Testing
        3. Penetration Test Strategies
        4. Application Security Testing
        5. Denial-of-Service (DoS) Testing
        6. War Dialing
        7. Wireless Network Testing
        8. Social Engineering
        9. PBX and IP Telephony Testing
        10. Penetration Test Methodology
          1. Step 1: Reconnaissance
          2. Step 2: Enumeration
          3. Step 3: Vulnerability Analysis
          4. Step 4: Execution
          5. Step 5: Document Findings
      10. Tangible and Intangible Asset Valuation
        1. Tangible Asset Valuation
        2. Intangible Asset Valuation
      11. Continuous Improvement
        1. Continuous or Continual?
      12. Risk Management Frameworks
        1. Events – Risks and Opportunities
        2. Enterprise Risk Management Defined
        3. Achievement of Objectives
        4. Components of Enterprise Risk Management
        5. What is a Risk Management Framework?
        6. Purpose of a Risk Management Framework
          1. The Risk IT Framework - ISACA
          2. ISO 31000 - Risk management
          3. ISO 31000:2009, Risk Management
          4. Managing Risk
          5. Related Standards
          6. Enterprise Risk Management – Integrated Framework (2004)
          7. The NIST Risk Management Framework (RMF)
    11. Threat Modeling
      1. Determining Potential Attacks and Reduction Analysis
        1. What is a Social Engineering Attack?
        2. What Is a Pretexting Attack?
        3. What Is a Phishing Attack?
        4. What Is a Baiting Attack?
        5. What Is a Tailgating Attack?
        6. How Does an Individual Avoid Being a Victim?
        7. How Can Organizations Reduce Their Security Risks?
      2. Technologies & Processes to Remediate Threats
    12. Acquisitions Strategy and Practice
      1. Hardware, Software, and Services
      2. Manage Third-Party Governance
      3. Minimum Security and Service-Level Requirements
        1. Rules for Successful Requirements Gathering
        2. Service Level Requirements (SLR)
        3. Service Level Agreement (SLA)
        4. Service Level Report
    13. Security Education, Training, and Awareness
      1. Formal Security Awareness Training
        1. Training Topics
        2. Creating a Security Awareness Course
        3. What Is a Corporate Security Policy?
        4. Why Is Having a Corporate Security Policy Important?
        5. How Does This Policy Fit into My Role at the Organization?
        6. What about People Who Say They Do Not Have Any Security Functions Present in Their Current Role?
        7. Do I Have to Comply?
        8. What Are the Penalties for Noncompliance?
        9. What Is the Effect of This Corporate Policy on My Work (Will It Make Things Harder)?
        10. What Type of Things Should I Be Looking For?
      2. Awareness Activities and Methods – Creating the Culture of Awareness in the Organization
        1. Job Training
        2. Performance Metrics
    14. Domain 1: Review Questions
      1. Figure 1.1
      2. Figure 1.2
      3. Figure 1.3
      4. Figure 1.4
      5. Figure 1.5
      6. Figure 1.6
      7. Figure 1.7
      8. Figure 1.8
      9. Figure 1.9
      10. Figure 1.10
      11. Figure 1.11
      12. Figure 1.12
      13. Figure 1.13
      14. Figure 1.14
      15. Figure 1.15(a)
      16. Figure 1.15(b)
      17. Figure 1.16
      18. Figure 1.17
      19. Figure 1.18
      20. Figure 1.19
      21. Figure 1.20
      1. Table 1.1
      2. Table 1.2
  8. Domain 2 – Asset Security
    1. Data Management: Determine and Maintain Ownership
      1. Data Policy
      2. Roles and Responsibilities
      3. Data Ownership
      4. Data Custodianship
      5. Data Quality
      6. Data Documentation and Organization
        1. Dataset Titles and File Names
        2. File Contents
        3. Metadata
    2. Data Standards
      1. Data Lifecycle Control
      2. Data Specification and Modeling
      3. Database Maintenance
      4. Data Audit
      5. Data Storage and Archiving
    3. Longevity and Use
      1. Data Security
      2. Data Access, Sharing, and Dissemination
      3. Data Publishing
        1. Establish Handling Requirements
          1. Marking, Handling, Storing, and Destroying of Sensitive Information
          2. Media
          3. Marking
          4. Handling
          5. Storing
          6. Destruction
          7. Record Retention
        2. Data Remanence
          1. Clearing
          2. Purging
          3. Destruction
        3. Media Destruction
    4. Classify Information and Supporting Assets
        1. What Classifications Should Be Used?
        2. Who Decides Data’s Classification?
    5. Asset Management
      1. Software Licensing
      2. Equipment Lifecycle
    6. Protect Privacy
    7. Ensure Appropriate Retention
      1. Media, Hardware, and Personnel
      2. Company “X” Data Retention Policy
        1. Key Principles
          1. Storage
          2. Retention
          3. Destruction and Disposal
    8. Determine Data Security Controls
      1. Data at Rest
        1. Description of Risk
        2. Recommendations
        3. Compliant Encryption Tools
      2. Data in Transit
        1. Link Encryption
        2. End-to-End Encryption
        3. Description of Risk
        4. Recommendations
          1. Picking Encryption Algorithms
          2. Wireless Connection
      3. Baselines
      4. Scoping and Tailoring
    9. Standards Selection
      1. United States Resources
        1. U.S. Department of Defense Policies
          1. Department of Defense Instruction 8510.01 (DoDI 8510.01)
          2. DoDI 8510.01 URL:
          3. United States National Security Agency (NSA) IA Mitigation Guidance
          4. NSA IA Mitigation Guidance Website:
        2. National Institute of Standards and Technology (NIST) Computer Security Division
        3. NIST Publications Series
          1. Federal Information Processing Standards (FIPS)
          2. FIPS Publication 199
          3. FIPS Publication 200
          4. Special Publications (SP) 800 Series
          5. SP 800-37, Guide for Applying Risk Management Framework to Federal Information Systems
          6. SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
          7. SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
        4. Additional NIST Resources
          1. Risk Management Framework
          2. National Checklist Program (NCP)
      2. International Resources
          1. 10 Steps to Cybersecurity
          2. Cybersecurity Strategy of the European Union
          3. European Network and Information Security Agency (ENISA)
        1. National Cyber Security Strategies: An Implementation Guide
        2. International Organization for Standardization (ISO)
          1. ISO/IEC 27001
          2. ISO/IEC 27002
        3. International Telecommunications Union-Telecommunications (ITU-T) Standardization
          1. Recommendations X.800 – X.849
          2. Recommendation X.1205
      3. National Cyber Security Framework Manual
      4. Framework for Improving Critical Infrastructure Cybersecurity
  9. Domain 2: Review Questions
    1. Figure 2.1
    1. Table 2.1
    2. Table 2.2
  10. Domain 3 – Security Engineering
        1. What?
        2. Why?
        3. How?
    1. The Engineering Lifecycle Using Security Design Principles
          1. Security Foundation
          2. Risk Based
          3. Ease of Use
          4. Increase Resilience
          5. Reduce Vulnerabilities
          6. Design with Network in Mind
    2. Fundamental Concepts of Security Models
      1. Common System Components
        1. Processors
          1. Overview
          2. Description
          3. Details from Xen
          4. Details from FreeBSD
          5. Details from Microsoft
          6. Mitigating Factors for User Mode Scheduler Memory Corruption Vulnerability
          7. Details from Red Hat
          8. Impact
        2. Memory and Storage
          1. Primary Storage
          2. Memory Protection
          3. Secondary Storage
          4. Virtual Memory
          5. Firmware
        3. Peripherals and Other Input/Output (I/O) Devices
        4. Operating Systems
      2. How They Work Together
      3. Enterprise Security Architecture
        1. Key Goals and Objectives
        2. Intended Benefits
        3. Defining and Maintaining Enterprise Security Architecture
      4. Common Security Services
        1. Security Zones of Control
        2. Common Architecture Frameworks
      5. Zachman Framework
        1. Sherwood Applied Business Security Architecture (SABSA) Framework
        2. The Open Group Architecture Framework (TOGAF)
        3. IT Infrastructure Library (ITIL)
        4. Types of Security Models
        5. Examples of Security Models
          1. Bell–LaPadula Confidentiality Model
          2. Biba Integrity Model
          3. Clark–Wilson Integrity Model
          4. Lipner Model
          5. Brewer–Nash (The Chinese Wall) Model
          6. Graham–Denning Model
          7. Harrison–Ruzzo–Ullman Model
      6. Capturing and Analyzing Requirements
      7. Creating and Documenting Security Architecture
    3. Information Systems Security Evaluation Models
      1. Common Formal Security Models
        1. Evaluation Criteria
        2. Certification and Accreditation
      2. Product Evaluation Models
        1. Trusted Computer System Evaluation Criteria (TCSEC)
        2. Information Technology Security Evaluation Criteria (ITSEC)
        3. The Common Criteria
      3. Industry and International Security Implementation Guidelines
        1. ISO/IEC 27001 and 27002 Security Standards
        2. Control Objectives for Information and Related Technology (COBIT)
        3. Payment Card Industry Data Security Standard (PCI-DSS)
    4. Security Capabilities of Information Systems
      1. Access Control Mechanisms
      2. Secure Memory Management
        1. Processor States
        2. Layering
        3. Process Isolation
        4. Data Hiding
        5. Abstraction
        6. Cryptographic Protections
        7. Host Firewalls and Intrusion Prevention
        8. Audit and Monitoring Controls
        9. Virtualization
    5. Vulnerabilities of Security Architectures
          1. The Secunia Vulnerability Review 2014
          2. The Symantec Internet Security Threat Report 2014
          3. The Sophos Security Threat Report 2014
          4. The Cisco 2014 Annual Security Report
          5. PricewaterhouseCoopers: The Global State of Information Security Survey 2014
          6. Trustwave’s 2014 Security Pressures Report
          7. Websense 2014 Threat Report
      1. Systems
        1. Emanations
        2. State Attacks
        3. Covert Channels
      2. Technology and Process Integration
        1. Mainframes and Other Thin Client Systems
        2. Middleware
        3. Embedded Systems
        4. Pervasive Computing and Mobile Devices
        5. General Mobile Device Best Practices
        6. iPad/iPod/iPhone-Specific Best Practices
      3. Single Point of Failure (SPOF)
        1. Data Connectivity
        2. Network Connectivity
        3. Cluster Communication
        4. Application Availability
        5. OS Availability
        6. Infrastructure
      4. Client-Based Vulnerabilities
        1. Desktops, Laptops, and Thin Clients
        2. Mobile Devices
      5. Server-Based Vulnerabilities
        1. Data Flow Control
    6. Database Security
        1. Warehousing
        2. Inference
        3. Aggregation
        4. Data Mining
      1. Large Scale Parallel Data Systems
      2. Distributed Systems
        1. Grid Computing
        2. Cloud Computing
      3. Cryptographic Systems
        1. Encryption Concepts
          1. Key Concepts and Definitions
        2. Foundational Concepts
        3. High Work Factor
        4. Methods of Cryptography
          1. Stream-Based Ciphers
          2. Block Ciphers
          3. Initialization Vectors (IV) – Why They Are Needed
          4. Key Length
          5. Block Size
        5. Encryption Systems
          1. Null Cipher
          2. Substitution Ciphers
          3. Playfair Cipher
          4. Transposition Ciphers
          5. The Rail Fence
          6. Rectangular Substitution Tables
          7. Monoalphabetic and Polyalphabetic Ciphers
          8. Blaise de Vigenère
          9. Modular Mathematics and the Running Key Cipher
          10. Running Key Cipher
          11. One-Time Pads
          12. Message Integrity Controls (MICs)
        6. Symmetric Cryptography
          1. Examples of Symmetric Algorithms
          2. The Data Encryption Standard (DES)
          3. Basic Block Cipher Modes
          4. The Stream Modes of DES
          5. Advantages and Disadvantages of DES
          6. Double DES
          7. Meet in the Middle
          8. Triple DES (3DES)
          9. Advanced Encryption Standard
          10. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
        7. How CCMP Works
          1. Rijndael
          2. Substitute Bytes
          3. Shift Row Transformation
          4. Mix Column Transformation
          5. Add Round Key
          6. International Data Encryption Algorithm (IDEA)
          7. CAST
          8. Secure and Fast Encryption Routine (SAFER)
          9. Blowfish
          10. Twofish
          11. RC5
          12. RC4
        8. Advantages and Disadvantages of Symmetric Algorithms
        9. Asymmetric Cryptography
        10. Asymmetric Algorithms
          1. Confidential Messages
          2. Open Message
          3. Confidential Messages with Proof of Origin
          4. RSA
        11. Attacking RSA
          1. Diffie–Hellman Algorithm
          2. El Gamal
          3. Elliptic Curve Cryptography (ECC)
        12. Advantages and Disadvantages of Asymmetric Key Algorithms
        13. Hybrid Cryptography
          1. Message Digests
          2. Message Authentication Code
          3. HMAC
    7. Software and System Vulnerabilities and Threats
      1. Web-Based
        1. XML
        2. SAML
        3. OWASP
    8. Vulnerabilities in Mobile Systems
      1. Risks from Remote Computing
      2. Risks from Mobile Workers
    9. Vulnerabilities in Embedded Devices and Cyber-Physical Systems
          1. Incident: Gasoline Pipeline Rupture
          2. Malicious Control System Cybersecurity Attack – Maroochy Water Services, Australia
          3. Incident: Virus Attacks Train Signaling System
    10. The Application and Use of Cryptography
      1. The History of Cryptography
        1. The Early (Manual) Era
        2. The Mechanical Era
        3. The Modern Era
      2. Emerging Technology
        1. Quantum Cryptography
      3. Core Information Security Principles
        1. Availability
        2. Confidentiality
        3. Integrity
      4. Additional Features of Cryptographic Systems
        1. Nonrepudiation
        2. Authentication
        3. Access Control
        4. Data at Rest
        5. Data in Transit
        6. Link Encryption
      5. The Cryptographic Lifecycle
        1. Algorithm/Protocol Governance
        2. Issues Surrounding Cryptography
          1. International Export Controls
          2. Law Enforcement
      6. Public Key Infrastructure (PKI)
      7. Key Management Processes
        1. Advances in Key Management
        2. Standards for Financial Institutions
        3. Segregation of Duties
        4. Dual Control
        5. Split Knowledge
      8. Creation and Distribution of Keys
          1. Creation of Keys
          2. Automated Key Generation
          3. Truly Random
          4. Random
          5. Key Length
          6. Asymmetric Key Length
          7. Key Wrapping and Key Encrypting Keys
          8. Key Distribution
          9. Key Distribution Centers
          10. Key Storage and Destruction
          11. Cost of Certificate Replacement/Revocation
          12. Key Recovery
          13. Key Escrow
      9. Digital Signatures
        1. Digital Signature Standard (DSS)
        2. Uses of Digital Signatures
      10. Digital Rights Management (DRM)
      11. Non-Repudiation
      12. Hashing
      13. Simple Hash Functions
        1. MD5 Message Digest Algorithm
        2. Secure Hash Algorithm (SHA) and SHA-1
        3. SHA-3
        4. HAVAL
        5. RIPEMD-160
        6. Attacks on Hashing Algorithms and Message Authentication Codes
          1. The Birthday Paradox
      14. Methods of Cryptanalytic Attacks
        1. Ciphertext-Only Attack
        2. Known Plaintext
        3. Chosen Plaintext
        4. Chosen Ciphertext
        5. Differential Cryptanalysis
        6. Linear Cryptanalysis
        7. Implementation Attacks
        8. Replay Attack
        9. Algebraic
        10. Rainbow Table
        11. Frequency Analysis
        12. Birthday Attack
        13. Factoring Attacks
        14. Social Engineering for Key Discovery
        15. Dictionary Attack
        16. Brute Force
        17. Reverse Engineering
        18. Attacking the Random Number Generators
        19. Temporary Files
    11. Site and Facility Design Considerations
      1. The Security Survey
        1. Target Identification
        2. Facility Characteristic
        3. Vulnerability Assessment
    12. Site Planning
      1. Roadway Design
      2. Crime Prevention through Environmental Design (CPTED)
      3. Windows
        1. Types of Glass
          1. Tempered Glass
          2. Wired Glass
          3. Laminated Glass
          4. Bullet Resistant (BR) Glass
        2. Glass Break Sensors
        3. Garages
        4. Location Threats
          1. Natural Threats
          2. Types of Natural Threats
        5. Man-Made Threats
        6. Utility Concerns
          1. Electrical
          2. Communications
          3. Utilities
    13. Design and Implement Facility Security
    14. Implementation and Operation of Facilities Security
      1. Communications and Server Rooms
        1. Securing the Area
          1. What is Cable Plant Management?
          2. Entrance Facility
          3. Equipment Room
          4. Backbone Distribution System
          5. Telecommunication Room
          6. Horizontal Distribution System
          7. Protection from Lightning
        2. Server Rooms
          1. Rack Security
      2. Restricted and Work Area Security
          1. Restricted Work Areas
      3. Data Center Security
        1. Utilities and HVAC Considerations
          1. Utilities and Power
          2. Uninterruptible Power Supply (UPS)
          3. Generator
          4. HVAC
          5. Air Contamination
          6. Water Issues
        2. Fire Prevention, Detection, and Suppression
          1. Fire Detection
          2. Fire Suppression
    15. Domain 3: Review Questions
    1. Figure 3.1
    2. Figure 3.2
    3. Figure 3.3
    4. Figure 3.4
    5. Figure 3.5
    6. Figure 3.6
    7. Figure 3.7
    8. Figure 3.8
    9. Figure 3.9
    10. Figure 3.10
    11. Figure 3.11
    12. Figure 3.12
    13. Figure 3.13
    14. Figure 3.14
    15. Figure 3.15
    16. Figure 3.16
    17. Figure 3.17
    18. Figure 3.18
    19. Figure 3.19
    20. Figure 3.20
    21. Figure 3.21
    22. Figure 3.22
    23. Figure 3.23
    24. Figure 3.24
    25. Figure 3.25
    26. Figure 3.26
    27. Figure 3.27
    28. Figure 3.28
    29. Figure 3.29
    30. Figure 3.30
    31. Figure 3.31
    32. Figure 3.32
    33. Figure 3.33
    34. Figure 3.34
    35. Figure 3.35
    36. Figure 3.36
    37. Figure 3.37
    38. Figure 3.38
    39. Figure 3.39
    40. Figure 3.40
    41. Figure 3.41
    42. Figure 3.42
    43. Figure 3.43
    44. Figure 3.44
    45. Figure 3.45
    46. Figure 3.46
    47. Figure 3.47
    48. Figure 3.48
    49. Figure 3.49
    50. Figure 3.50
    51. Figure 3.51
    52. Figure 3.52
  11. Domain 4 – Communications & Network Security
    1. Secure Network Architecture and Design
      1. OSI and TCP/IP
        1. Layer 1: Physical Layer
        2. Layer 2: Data Link Layer
        3. Layer 3: Network Layer
          1. Routing Information Protocol (RIP) versions 1 and 2
          2. Open Shortest Path First (OSPF) versions 1 and 2
          3. Internet Control Message Protocol (ICMP)
          4. Internet Group Management Protocol (IGMP)
        4. Layer 4: Transport Layer
        5. Layer 5: Session Layer
        6. Layer 6: Presentation Layer
          1. Services
          2. Sublayers
          3. CASE
          4. SASE
          5. Protocols
        7. Layer 7: Application Layer
          1. Border Gateway Protocol (BGP)
        8. TCP/IP Reference Model
      2. IP Networking
        1. IPv6
        2. Transmission Control Protocol (TCP)
        3. User Datagram Protocol (UDP)
        4. Internet–Intranet
        5. Extranet
        6. Dynamic Host Configuration Protocol (DHCP)
        7. Internet Control Message Protocol (ICMP)
        8. Ping of Death
        9. ICMP Redirect Attacks
        10. Ping Scanning
        11. Traceroute Exploitation
        12. Remote Procedure Calls
      3. Directory Services
        1. Domain Name Service (DNS)
        2. Lightweight Directory Access Protocol (LDAP)
        3. Network Basic Input Output System (NetBIOS)
        4. Network Information Service (NIS), NIS+
          1. NIS
          2. NIS+
        5. Common Internet File System (CIFS)/Server Message Block (SMB)
        6. Network File System (NFS)
        7. Simple Mail Transfer Protocol (SMTP) & Enhanced Simple Mail Transfer Protocol (ESMTP)
        8. File Transfer Protocol (FTP)
        9. Transfer Modes
        10. Anonymous FTP
        11. Trivial File Transfer Protocol (TFTP)
        12. Hypertext Transfer Protocol (HTTP)
        13. HTTP Proxying
          1. Anonymizing Proxies
          2. Open Proxy Servers
          3. Content Filtering
          4. HTTP Tunneling
    2. Implications of Multi-Layer Protocols
        1. SCADA
        2. Modbus
    3. Converged Protocols
        1. What is IP Convergence?
      1. Implementation
        1. Fibre Channel over Ethernet (FCoE)
        2. Internet Small Computer System Interface (iSCSI)
          1. How iSCSI Works:
        3. Multi-Protocol Label Switching (MPLS)
          1. So What Is the Advantage of Label Switching?
          2. So Why Do Security Professionals Still Care about MPLS?
          3. How Does MPLS Work?
          4. MPLS Pseudowires
          5. MPLS L3VPNs
          6. MPLS VPLS
          7. MPLS Fast Reroute
      2. Voice over Internet Protocol (VoIP)
        1. What is VoIP?: Some Useful Terms
        2. Session Initiation Protocol (SIP)
        3. Packet Loss
        4. Jitter
        5. Sequence Errors
        6. Codec Quality
      3. Wireless
        1. Types of Wireless Technologies
          1. Wi-Fi
          2. Bluetooth
          3. WiMAX
        2. Types of Wireless Networks
          1. Wireless PAN
          2. Wireless LAN
          3. Wireless Mesh Network
          4. Wireless MAN
          5. Wireless WAN
          6. Cellular Network
          7. Spread Spectrum
          8. Direct-Sequence Spread Spectrum (DSSS)
          9. Frequency-Hopping Spread Spectrum (FHSS)
          10. Orthogonal Frequency Division Multiplexing (OFDM)
          11. Vectored Orthogonal Frequency Division Multiplexing (VOFDM)
          12. Frequency Division Multiple Access (FDMA)
          13. Time Division Multiple Access (TDMA)
      4. Wireless Security Issues
          1. Open System Authentication
          2. Shared Key Authentication
          3. Ad-Hoc Mode
          4. Infrastructure Mode
          5. Wired Equivalent Privacy Protocol (WEP)
          6. Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2)
          7. A “Parking Lot” Attack
          8. Shared Key Authentication Flaw
          9. Service Set Identifier (SSID) Flaw
          10. The Vulnerability of Wired Equivalent Privacy Protocol (WEP)
          11. Attack on Temporal Key Integrity Protocol (TKIP)
      5. Cryptography Used to Maintain Communications Security
          1. Public Key Cryptography
        1. Digital Signature
        2. Electronic Payments
        3. Certifying Public Key Relationships
        4. Special Issues for Consideration with Cryptographic Policy
          1. User Trust
          2. User Choice
          3. Standardization
          4. Protection of Privacy
        5. Encryption and Decryption
          1. Symmetric-Key Encryption
          2. Public-Key Encryption
          3. Key Length and Encryption Strength
        6. Digital Signatures
        7. Certificates and Authentication
        8. Password-Based Authentication
        9. Certificate-Based Authentication
        10. How Certificates Are Used
          1. Types of Certificates
        11. SSL Protocol
        12. Signed and Encrypted Email
        13. Form Signing
        14. Single Sign-On
        15. Object Signing
        16. Contents of a Certificate
          1. Distinguished Names
          2. A Typical Certificate
        17. How CA Certificates Are Used to Establish Trust
          1. CA Hierarchies
          2. Certificate Chains
        18. Verifying a Certificate Chain
        19. Managing Certificates
          1. Issuing Certificates
          2. Certificates and the LDAP Directory
          3. Key Management
          4. Renewing and Revoking Certificates
          5. Registration Authorities
    4. Securing Network Components
        1. Secure Routing/Deterministic Routing
        2. Boundary Routers
          1. Non-Blind Spoofing
          2. Blind Spoofing
          3. Man in the Middle Attack
        3. Security Perimeter
        4. Network Partitioning
        5. Dual-Homed Host
        6. Bastion Host
        7. Demilitarized Zone (DMZ)
      1. Hardware
        1. Modems
        2. Concentrators
        3. Front-End Processors
        4. Multiplexers
        5. Hubs and Repeaters
        6. Bridges and Switches
        7. Routers
      2. Transmission Media
        1. Wired
        2. Twisted Pair
        3. Unshielded Twisted Pair (UTP)
        4. Shielded Twisted Pair (STP)
        5. Coaxial Cable
        6. Patch Panels
        7. Fiber Optic
      3. Network Access Control Devices
        1. Firewalls
        2. Filtering
          1. By Address
          2. By Service
        3. Network Address Translation (NAT)
        4. Port Address Translation (PAT)
        5. Static Packet Filtering
        6. Stateful Inspection or Dynamic Packet Filtering
        7. Proxies
          1. Circuit-Level Proxy
          2. Application-Level Proxy
          3. Personal Firewalls
      4. End Point Security
      5. Content Distribution Networks
    5. Secure Communication Channels
      1. Voice
        1. Modems and Public Switched Telephone Networks (PSTN)
        2. War Dialing
        3. POTS
        4. PBX
          1. How Are Analog and Digital Phone Systems Different?
      2. Multimedia Collaboration
        1. Peer-to-Peer Applications and Protocols
        2. Remote Meeting Technology
        3. Instant Messaging
      3. Open Protocols, Applications, and Services
        1. Extensible Messaging and Presence Protocol (XMPP) and Jabber
        2. Internet Relay Chat (IRC)
          1. Authenticity
          2. Confidentiality
          3. Scripting
          4. Social Engineering
          5. Spam over Instant Messaging (SPIM)
        3. Tunneling Firewalls and Other Restrictions
      4. Remote Access
        1. VPN
          1. Virtual Private Network (VPN)
          2. IPSec Authentication and Confidentiality for VPNs
          3. Authentication Header (AH)
          4. Encapsulating Security Payload (ESP)
          5. Security Associations
          6. Transport Mode and Tunnel Mode
          7. Internet Key Exchange (IKE)
          8. High Assurance Internet Protocol Encryptor (HAIPE)
        2. Tunneling
          1. Point-to-Point Tunneling Protocol (PPTP)
          2. Layer 2 Tunneling Protocol (L2TP)
          3. Remote Authentication Dial-in User Service (RADIUS)
          4. Simple Network Management Protocol (SNMP)
          5. Remote-Access Services
          6. TCP/IP Terminal Emulation Protocol (TELNET)
          7. Remote Log-in (rlogin), Remote Shell (rsh), Remote Copy (rcp)
        3. Screen Scraper
        4. Virtual Applications and Desktops
          1. Virtual Network Terminal Services
        5. Telecommuting
      5. Data Communications
        1. Analog Communication
        2. Digital Communication
        3. Network Topologies
          1. Bus
          2. Tree
          3. Ring
          4. Mesh
          5. Star
        4. Unicast, Multicast, and Broadcast Transmissions
        5. Circuit-Switched Networks
        6. Packet-Switched Networks
        7. Switched Virtual Circuits (SVCs) and Permanent Virtual Circuits (PVCs)
        8. Carrier Sense Multiple Access (CSMA)
        9. Polling
        10. Token Passing
        11. Ethernet (IEEE 802.3)
        12. Token Ring (IEEE 802.5)
        13. Fiber Distributed Data Interface (FDDI)
        14. Multiprotocol Label Switching (MPLS)
        15. Local Area Network (LAN)
        16. TLS/SSL
          1. Secure Shell (SSH)
          2. SOCKS
          3. SSL/TLS VPNs
        17. Virtual Local Area Networks (VLANs)
        18. Integrated Services Digital Network (ISDN)
        19. Point-to-Point Lines
        20. T1, T3, etc.
        21. E1, E3, etc.
        22. OC1, OC12, etc.
        23. Digital Subscriber Lines (DSL)
        24. Cable Modem
        25. X.25
        26. Frame Relay
        27. Asynchronous Transfer Mode (ATM)
      6. Virtualized Networks
        1. Software Defined Networking
          1. Architectural Components
          2. Software Defined Storage and Virtual SAN
          3. Hypervisor-Converged Storage
          4. VM-Centric Policy-Based Management and Automation
          5. Server-Side Read/Write Caching
          6. Built-in Failure Tolerance
          7. Granular Non-Disruptive Scale-Up and Scale-Out
          8. Hardware Independent
          9. PVLANs, Virtual Networks, and Guest Operating Systems
          10. Private VLANs: Extending the Abilities of a VLAN
          11. Three Types of Secondary PVLANs
          12. Just What Is a Virtual Network Anyway? (And why security professionals need to understand them)
          13. Standard Switches
          14. Distributed Switches
    6. Network Attacks
      1. The Network as an Enabler or Channel of Attack
      2. The Network as a Bastion of Defense
      3. Network Security Objectives and Attack Modes
        1. Confidentiality
          1. Eavesdropping (Sniffing)
        2. Integrity
        3. Availability
          1. Domain Litigation
        4. Open Mail Relay Servers
          1. Spam
      4. Scanning Techniques
        1. Port Scanning
          1. FIN, NULL, and XMAS Scanning
        2. TCP Sequence Number Attacks
        3. Methodology of an Attack
          1. Target Acquisition
          2. Target Analysis
          3. Target Access
          4. Target Appropriation
        4. Network Security Tools and Tasks
        5. Intrusion Detection Systems
      5. Security Event Management (SEM)
        1. Security Event and Incident Management (SEIM)
        2. Scanners
          1. Discovery Scanning
          2. Compliance Scanning
          3. Vulnerability Scanning and Penetration Testing
          4. Scanning Tools
        3. Network Taps
      6. IP Fragmentation Attacks and Crafted Packets
        1. Teardrop
        2. Overlapping Fragment Attack
        3. Source Routing Exploitation
        4. Smurf and Fraggle Attacks
        5. NFS Attacks
        6. Network News Transport Protocol (NNTP) Security
        7. Finger User Information Protocol
      7. Denial-of-Service (DoS) / Distributed Denial-of-Service (DDoS) Attacks
        1. SYN Flooding
      8. Spoofing
        1. IP Address Spoofing and SYN-ACK Attacks
        2. Email Spoofing
        3. DNS Spoofing
        4. Manipulation of DNS Queries
        5. Information Disclosure
        6. Namespace-Related Risks
      9. Session Hijack
        1. SYN Scanning
    7. Domain 4: Review Questions
    1. Figure 4.1
    2. Figure 4.2
    3. Figure 4.3
    4. Figure 4.4
    5. Figure 4.5
    6. Figure 4.6
    7. Figure 4.7
    8. Figure 4.8
    9. Figure 4.9
    10. Figure 4.10
    11. Figure 4.11
    12. Figure 4.12
    13. Figure 4.13
    14. Figure 4.14
    15. Figure 4.15
    16. Figure 4.16
    17. Figure 4.17
    18. Figure 4.18
    19. Figure 4.19
    20. Figure 4.20
    21. Figure 4.21
    22. Figure 4.22
    23. Figure 4.23
    24. Figure 4.24
    25. Figure 4.25
    26. Figure 4.26
    27. Figure 4.27
    28. Figure 4.28
    29. Figure 4.29
    30. Figure 4.30
    31. Figure 4.31
    32. Figure 4.32
    33. Figure 4.33
    34. Figure 4.34
    35. Figure 4.35
    36. Figure 4.36
    37. Figure 4.37
    38. Figure 4.38
    39. Figure 4.39
    40. Figure 4.40
    41. Figure 4.41
    42. Figure 4.42
    1. Table 4.1
    2. Table 4.2
    3. Table 4.3
    4. Table 4.4
    5. Table 4.5
    6. Table 4.6
    7. Table 4.7
    8. Table 4.8
    9. Table 4.9
    10. Table 4.10
    11. Table 4.11
    12. Table 4.12
    13. Table 4.13
    14. Table 4.14
    15. Table 4.15
    16. Table 4.16
    17. Table 4.17
    18. Table 4.18
    19. Table 4.19
    20. Table 4.20
    21. Table 4.21
    22. Table 4.22
    23. Table 4.23
  12. Domain 5 – Identity & Access Management
    1. Physical and Logical Access to Assets
    2. Identification and Authentication of People and Devices
      1. Identification, Authentication, and Authorization
        1. Identification Methods
          1. Identification Badges
          2. User ID
          3. Account Number/PIN
          4. MAC Address
          5. IP Address
          6. Radio Frequency Identification (RFID)
          7. Email Address
          8. User Identification Guidelines
    3. Identity Management Implementation
      1. Password Management
      2. Account Management
      3. Profile Management
      4. Directory Management
      5. Directory Technologies
        1. LDAP
        2. Active Directory Domain Services (ADDS)
        3. X.400
        4. Single Sign-On
        5. Script-Based Single Sign-On
        6. Kerberos
          1. The Kerberos Process
        7. Perimeter-Based Web Portal Access
        8. Federated Identity Management
        9. Once In-Unlimited Access
      6. Single/Multi-Factor Authentication
        1. MFA Form Factors
          1. Virtual MFA Applications
        2. “SUBJECT: Policies for a Common Identification Standard for Federal Employees and Contractors”
        3. Tokens
          1. Soft Token Implementation
          2. Hard Token Implementation
        4. Biometrics
          1. Biometric Readers
          2. Fingerprint
          3. Facial Image
          4. Hand Geometry
          5. Voice Recognition
          6. Iris Patterns
          7. Retinal Scanning
          8. Signature Dynamics
          9. Vascular Patterns
          10. Keystroke Dynamics
      7. Accountability
        1. Strong Identification
        2. Strong Authentication
        3. User Training and Awareness
        4. Monitoring
        5. Audit Logs
        6. Independent Audits
        7. Policy
        8. Organizational Behavior
      8. Session Management
        1. Desktop Sessions
          1. Screensavers
          2. Timeouts and Automatic Logouts
          3. Session/Logon Limitation
          4. Schedule Limitations
        2. Logical Sessions
      9. Registration and Proof of Identity
      10. Credential Management Systems
          1. Keep a History
          2. Enforce Stronger Passwords
          3. Effortlessly Generate Passwords
          4. Find Passwords Fast
          5. Fine-Grained Access Control
          6. Limit Their Access
          7. Keep All Passwords Safe
          8. Disaster Preparedness
          9. Always On, Always Available
          10. Keep Control of Credentials
          11. Track and Audit Access
        1. Risks
        2. Benefits
        3. Graphical Identification and Authentication (GINA) Architecture
    4. Identity as a Service (IDaaS)
    5. Integrate Third-Party Identity Services
    6. Implement and Manage Authorization Mechanisms
      1. Role-Based Access Control
      2. Rule-Based Access Control
      3. Mandatory Access Controls (MACs)
      4. Discretionary Access Controls (DACs)
    7. Prevent or Mitigate Access Control Attacks
          1. Step 1 – Raise the Domain Functional Level
        1. To Raise The Domain Functional Level
      1. Windows PowerShell Equivalent Commands
          1. Step 2 – Create Test Users, Groups, and Organizational Units
          2. Step 3 – Create a New Fine-Grained Password Policy
        1. To Create A New Fine-Grained Password Policy
      2. Windows PowerShell Equivalent Commands
          1. Step 4 – View a Resultant Set of Policies for a User
        1. To View A Resultant Set Of Policies For A User
      3. Windows PowerShell Equivalent Commands
          1. Step 5 – Edit a Fine-Grained Password Policy
        1. To Edit A Fine-Grained Password Policy
      4. Windows PowerShell Equivalent Commands
          1. Step 6 – Delete a Fine-Grained Password Policy
        1. To Delete A Fine-Grained Password Policy
      5. Windows PowerShell Equivalent Commands
        1. Managing Fine-Grained Password Policies
  13. Identity and Access Provisioning Lifecycle
    1. Provisioning
    2. Review
    3. Revocation
  14. Domain 5: Review Questions
    1. Figure 5.1
    2. Figure 5.2
    3. Figure 5.3
    4. Figure 5.4
    5. Figure 5.5
    6. Figure 5.6
    7. Figure 5.7
    8. Figure 5.8
    9. Figure 5.9
    10. Figure 5.10
    11. Figure 5.11
    12. Figure 5.12
    13. Figure 5.13
    14. Figure 5.14
    15. Figure 5.15
    16. Figure 5.16
  15. Domain 6: Security Assessment & Testing
    1. Assessment and Test Strategies
      1. Software Development as Part of System Design
        1. Software is Different from Hardware
      2. Log Reviews
        1. Policies and Procedures for Log Management
        2. Prioritize Log Management
        3. Create and Maintain a Log Management Infrastructure
        4. Provide Proper Support for All Staff with Log Management Responsibilities
        5. Standard Log Management Operational Processes
          1. System Events
          2. Audit Records
      3. Synthetic Transactions
      4. Code Review and Testing
        1. During Planning and Design
        2. During Application Development
        3. Executable in a Test Environment
        4. System Operation and Maintenance
      5. Negative Testing/Misuse Case Testing
        1. Typical Negative Testing Scenarios
      6. Interface Testing
        1. Common Software Vulnerabilities
        2. Category-Based View of the Top 25
          1. Insecure Interaction between Components
          2. Risky Resource Management
          3. Porous Defenses
    2. Collect Security Process Data
    3. Internal and Third-Party Audits
      1. SOC Reporting Options
        1. SOC Report Types
        2. SOC 2/SOC 3 Principles
        3. SOC 2/SOC 3 Criteria
          1. Security
          2. Availability
          3. Confidentiality
          4. Processing Integrity
          5. Privacy
          6. Audit Preparation Phase
          7. Audit Phase
        4. Point of View on the Use of SOC Reports
  16. Domain 6: Review Questions
    1. Figure 6.1
    2. Figure 6.2
    1. Table 6-1
  17. Domain 7: Security Operations
    1. Investigations
      1. The Crime Scene
        1. General Guidelines
      2. Policy, Roles, and Responsibilities
        1. Incident Response
      3. Incident Handling and Response
        1. Triage Phase
        2. Investigative Phase
        3. Containment
        4. Analysis and Tracking
      4. Recovery Phase
      5. Evidence Collection and Handling
        1. Chain of Custody
        2. Interviewing
      6. Reporting and Documenting
        1. Understand Forensic Procedures
          1. Media Analysis
          2. Network Analysis
          3. Software Analysis
          4. Hardware/Embedded Device Analysis
        2. Requirements for Investigation Types
        3. Role of the First-Responder
        4. Information, Instrumentation, and Interviewing
      7. Evidence Collection and Processing
        1. Jurisdiction
        2. Logging and Monitoring Activities through Intrusion Detection and Prevention and Security Information and Event Management (SIEM)
          1. Security Information and Event Management
      8. Continuous and Egress Monitoring
        1. Egress Monitoring
      9. Data Leak/Loss Prevention (DLP)
        1. Defining Data Leak Prevention
          1. Data at Rest
          2. Data in Motion (Network)
          3. Data in Use (End Point)
        2. Organizational Data Classification, Location, and Pathways
        3. Steganography and Watermarking
          1. Steganographic Methods
    2. Provisioning of Resources through Configuration Management
          1. The CMMI steps for CM
    3. Foundational Security Operations Concepts
      1. Key Themes
        1. Key Operational Processes and Procedures
      2. Controlling Privileged Accounts
        1. Need-to-Know/Least Privilege
      3. Managing Accounts Using Groups and Roles
        1. Different Types of Accounts
          1. Privileged Accounts
          2. Ordinary or Limited User Accounts
      4. Separation of Duties and Responsibilities
        1. System Administrators
        2. Operators
        3. Security Administrators
        4. Help/Service Desk Personnel
        5. Ordinary Users
      5. Monitor Special Privileges
        1. Clearances, Suitability, and Background Checks/Investigations
        2. Account Validation
      6. Job Rotation
      7. Manage the Information Lifecycle
      8. Service Level Agreements (SLAs)
        1. What is an SLA?
        2. Why Do I Need SLAs?
        3. Who Provides the SLA?
        4. What’s in an SLA?
        5. What Are Key Components of an SLA?
        6. What about Indemnification?
        7. Is an SLA Transferable?
        8. How Can I Verify Service Levels?
        9. What Kind of Metrics Should Be Monitored?
        10. What Uptime Provisions Are Typical for Network Service Providers?
        11. When Should We Review Our SLAs?
    4. Resource Protection
      1. Tangible versus Intangible Assets
        1. Protecting Physical Assets
        2. Facilities
      2. Hardware
      3. Media Management
        1. Removable Media
        2. Archival and Offline Storage
        3. Cloud and Virtual Storage
        4. Different Types of Virtualized Storage
          1. Host-based
          2. Storage Device-based
          3. Network-based
        5. Hard Copy Records
          1. Protecting Hard-Copy Records
        6. Disposal/Reuse
    5. Incident Response
      1. Incident Management
      2. Security Measurements, Metrics, and Reporting
      3. Managing Security Technologies
        1. Boundary Controls
      4. Detection
        1. Anti-Malware Systems
        2. Security Event Information Management (SEIM)
      5. Response
      6. Reporting
      7. Recovery
      8. Remediation and Review (Lessons Learned)
        1. Root Cause Analysis
        2. Problem Management
        3. Security Audits and Reviews – The Precursor to Mitigation
    6. Preventative Measures against Attacks
      1. Unauthorized Disclosure
        1. Destruction, Interruption, and Theft
        2. Corruption and Improper Modification
      2. Network Intrusion Detection System Architecture
        1. Host-Based Intrusion Detection System (HIDS)
        2. IDS Analysis Engine Methods
        3. Stateful Matching Intrusion Detection
        4. Statistical Anomaly-Based Intrusion Detection
        5. Protocol Anomaly-Based Intrusion Detection
        6. Traffic Anomaly-Based Intrusion Detection
        7. Intrusion Response
        8. Alarms and Signals
        9. IDS Management
      3. Whitelisting, Blacklisting, and Greylisting... Oh My!
      4. Third-party Security Services, Sandboxing, Anti-malware, Honeypots and Honeynets
    7. Patch and Vulnerability Management
      1. Security and Patch Information Sources
        1. Patch Prioritization and Scheduling
        2. Patch Testing
        3. Change Management
        4. Patch Installation and Deployment
        5. Audit and Assessment
        6. Consistency and Compliance
        7. Vulnerability Management Systems
    8. Change and Configuration Management
      1. Configuration Management
        1. Develop a Recovery Strategy
        2. Implement a Backup Storage Strategy
      2. Recovery Site Strategies
        1. Mobile Sites
        2. Processing Agreement
        3. Reciprocal Agreements
        4. Outsourcing
      3. Multiple Processing Sites
      4. System Resilience and Fault Tolerance Requirements
        1. Trusted Paths and Fail Secure Mechanisms
        2. Redundancy and Fault Tolerance
          1. Power Supplies
          2. Drives and Data Storage
        3. Backup and Recovery Systems
        4. Staffing for Resilience
    9. The Disaster Recovery Process
      1. Documenting the Plan
      2. Response
      3. Personnel
      4. Communications
        1. Employee Notification
      5. Assessment
      6. Restoration
      7. Provide Training
      8. Exercise, Assess, and Maintain the Plan
    10. Test Plan Review
      1. Tabletop Exercise/Structured Walk-Through Test
      2. Walk-Through Drill/Simulation Test
      3. Functional Drill/Parallel Test
      4. Full-Interruption/Full-Scale Test
      5. Update and Maintenance of the Plan
        1. Transitioning from Project to Program
        2. Roles and Responsibilities
    11. Business Continuity and Other Risk Areas
      1. Implementation and Operation of Perimeter Security
        1. Gates and Fences
          1. Barriers
          2. Fences
          3. Gates
          4. Walls
        2. Perimeter Intrusion Detection
          1. Infrared Sensors
          2. Microwave
          3. Coaxial Strain-Sensitive Cable
          4. Time Domain Reflectometry (TDR) Systems
          5. Video Content Analysis and Motion Path Analysis
        3. Lighting
          1. Types of Lighting Systems
          2. Types of Lights
          3. Infrared Illuminators
    12. Access Control
      1. Card Types
        1. Access Control Head End
      2. Closed Circuit TV
        1. Cameras
          1. Outdoor Cameras
          2. Fixed Position Cameras
          3. Pan/Tilt/Zoom (PTZ) Cameras
          4. Dome Cameras
          5. Internet Protocol (IP) Cameras
          6. Lens Selection
          7. Lighting Requirements
          8. Resolution
          9. Frames Per Second (FPS)
          10. Compression
          11. Digital Video Recorder
          12. Matrix Displaying for Large Format Displays
          13. Guards
          14. Proprietary
          15. Contract
          16. Hybrid
        2. Alarm Monitoring
        3. Design Requirements
      3. Internal Security
        1. Interior Intrusion Detection Systems
        2. Escort and Visitor Control
      4. Building and Inside Security
        1. Doors
        2. Door Locks
          1. Electric Locks
          2. Electric Strikes
          3. Magnetic Locks
          4. Anti-Passback
        3. Turnstiles and Mantraps
        4. Keys, Locks, and Safes
          1. Types of Locks
          2. Rim Lock
          3. Mortise Lock
          4. Locking Cylinders
          5. Cipher Lock
          6. Hi-Tech Keys
        5. Safes
        6. Vaults
        7. Containers
        8. Key Control
    13. Personnel Safety
      1. Privacy
      2. Travel
        1. You Should Know
        2. Before You Travel
        3. While You’re Away
        4. When You Return
      3. Duress
    14. Domain 7: Review Questions
    1. Figure 7.1
    2. Figure 7.2
    3. Figure 7.3
    4. Figure 7.4
    5. Figure 7.5
    6. Figure 7.6
    7. Figure 7.7
    8. Figure 7.8
    9. Figure 7.9
    10. Figure 7.10
    11. Figure 7.11
    12. Figure 7.12
    13. Figure 7.13
    14. Figure 7.14
    15. Figure 7.15
    16. Figure 7.16
    17. Figure 7.17
    18. Figure 7.18
    19. Figure 7.19
    20. Figure 7.20
    21. Figure 7.21
    22. Figure 7.22
    23. Figure 7.23
    24. Figure 7.24
    25. Figure 7.25
    26. Figure 7.26
    27. Figure 7.27
    28. Figure 7.28
    29. Figure 7.29
    30. Figure 7.30
    31. Figure 7.31
    32. Figure 7.32
    33. Figure 7.33
    34. Figure 7.34
    35. Figure 7.35
    36. Figure 7.36
  18. Domain 8: Security in the Software Development Life Cycle
    1. Software Development Security Outline
      1. Development Life Cycle
        1. Functional Requirements Definition
        2. System Design Specifications
        3. Development and Implementation
        4. Documentation and Common Program Controls
        5. Acceptance
        6. Testing and Evaluation Controls
        7. Certification and Accreditation (Security Authorization)
        8. Transition to Production (Implementation)
        9. Revisions and System Replacement
      2. Maturity Models
        1. System Life Cycle and Systems Development
      3. Operation and Maintenance
      4. Change Management
      5. Integrated Product Team (e.g., DevOps)
    2. Environment and Security Controls
      1. Software Development Methods
          1. Waterfall
          2. Iterative Development
          3. Other Methods and Models
        1. Model Choice Considerations and Combinations
      2. The Database and Data Warehousing Environment
        1. DBMS Architecture
        2. Hierarchical Database Management Model
        3. Network Database Management Model
        4. Relational Database Management Model
        5. Integrity Constraints in Relational Databases
        6. Structured Query Language (SQL)
        7. Object-Oriented Database Model
        8. Database Interface Languages
          1. Open Database Connectivity (ODBC)
          2. Java Database Connectivity (JDBC)
          3. eXtensible Markup Language (XML)
          4. Object Linking and Embedding Database (OLE DB)
          5. Accessing Databases through the Internet
          6. ActiveX Data Objects (ADO)
        9. Metadata
        10. Online Analytical Processing (OLAP)
        11. Data Mining
      3. Database Vulnerabilities and Threats
      4. DBMS Controls
        1. Lock Controls
        2. Other DBMS Access Controls
        3. View-Based Access Controls
        4. Grant and Revoke Access Controls
        5. Security for Object-Oriented (OO) Databases
        6. Metadata Controls
        7. Data Contamination Controls
        8. Online Transaction Processing (OLTP)
      5. Knowledge Management
      6. Web Application Environment
        1. Web Application Threats and Protection
    3. Security of the Software Environment
      1. Applications Development and Programming Concepts
        1. Current Software Environment
        2. Open Source
        3. Full Disclosure
      2. The Software Environment
        1. Security Issues of Programming Languages
        2. Process and Elements
        3. The Programming Procedure
        4. Java Security
        5. Object-Oriented Technology and Programming
          1. Encapsulation (Also Known as Data Hiding)
          2. Inheritance
          3. Polymorphism
          4. Polyinstantiation (Why Dogs Go WOOF and Cats Go MEOW)
        6. Object-Oriented Security
        7. Distributed Object-Oriented Systems
        8. Common Object Request Broker Architecture (CORBA)
      3. Libraries & Toolsets
        1. Integrated Development Environments (IDEs) & Runtime
      4. Security Issues in Source Code
        1. Buffer Overflow
        2. Citizen Programmers
        3. Covert Channel
        4. Malicious Software (Malware)
        5. Malformed Input Attacks
        6. Memory Reuse (Object Reuse)
        7. Executable Content/Mobile Code
        8. Social Engineering
        9. Time of Check/Time of Use (TOC/TOU)
        10. Between-the-Lines Attack
        11. Trapdoor/Backdoor
        12. Source Code Analysis Tools
      5. Malicious Software (Malware)
        1. Malware Types
        2. Viruses
          1. Types of Viruses
        3. Worms
        4. Hoaxes
        5. Trojans
          1. Social Engineering
          2. Remote-Access Trojans (RATs)
        6. DDoS Zombies
        7. Logic Bombs
        8. Spyware and Adware
        9. Pranks
        10. Botnets
      6. Malware Protection
        1. Scanners
        2. Heuristic Scanners
        3. Activity Monitors
        4. Change Detection
        5. Reputation Scoring
        6. Zero-Day/Zero-Hour
          1. Why Use Web Reputation Technology?
        7. Anti-Malware Policies
        8. Malware Assurance
    4. Software Protection Mechanisms
      1. Security Kernels, Reference Monitors, and the TCB
        1. Processor Privilege States
        2. Security Controls for Buffer Overflows
        3. Controls for Incomplete Parameter Check and Enforcement
        4. Process Isolation and Memory Protection
        5. Covert Channel Controls
        6. Cryptography
        7. Password Protection Techniques
        8. Inadequate Granularity of Controls
        9. Control and Separation of Environments
        10. Race Conditions vs. Time of Check/Time of Use (TOC/TOU) Attacks
        11. Social Engineering
        12. Backup Controls
        13. Software Forensics
        14. Mobile Code Controls
        15. Sandbox
        16. Programming Language Support
      2. Configuration Management
        1. Information Protection Management
      3. Security of Code Repositories
          1. Physical Security
          2. System Security
          3. Operational Security
          4. Software Security
          5. Communications
          6. File System and Backups
          7. Employee Access
          8. Maintaining Security
          9. Credit Card Safety
        1. How Do I Do It?
        2. How to Make an Existing Directory a Working Copy of a New Repository
          1. On Unix:
          2. On Windows:
      4. Security of Application Programming Interfaces (API)
        1. Basic Authentication w/ TLS
        2. OAuth 1.0a
        3. OAuth 2.0
          1. OK:
          2. NOT OK:
    5. Assess the Effectiveness of Software Security
      1. Certification and Accreditation
      2. Auditing and Logging of Changes
        1. Information Integrity
        2. Information Accuracy
        3. Information Auditing
      3. Risk Analysis and Mitigation
        1. Corrective Actions
          1. Use a Change Control Process
          2. Read All Related Documentation
          3. Testing
          4. Have a Working Backup and Schedule Production Downtime
          5. Always Have a Back-Out Plan
          6. Forewarn Helpdesk and Key User Groups
          7. Target Non-Critical Servers First
        2. Testing and Verification
        3. Regression and Acceptance Testing
    6. Assess Software Acquisition Security
    7. Domain 8: Review Questions
    1. Figure 8.1
    2. Figure 8.2
    3. Figure 8.3
    4. Figure 8.4
  19. Appendix A – Answers to Domain Review Questions
    1. Domain 1 – Security and Risk Management
    2. Domain 2 – Asset Security
    3. Domain 3 – Security Engineering
    4. Domain 4 – Communications and Network Security
    5. Domain 5 – Identity and Access Management
    6. Domain 6 – Security Assessment and Testing
    7. Domain 7 – Security Operations
    8. Domain 8 – Software Development Security
  20. Appendix B – Domain 1 Materials
        1. Breach Register Template
        2. Document Revision History
        3. Introduction
        4. General Risks
        5. Specific Risks
        6. Number
        7. Risk/Threat
        8. Business Priority
        9. Risk Category
          1. Impact
          2. Occurrence Probability
          3. Exposure (Rank)
        10. Risk Management Strategy
          1. Mitigation Activities
          2. Contingency
          3. Trigger
          4. Condition
          5. Date
          6. Schedule
          7. Activities
          8. Status
        11. Document Revision History
        12. Statement
        13. Objectives
        14. Roles and Responsibilities
        15. Risk Process
        16. Risk Management Worksheets
  21. Appendix C – Domain 2 Materials
      1. Record Retention and Destruction Policy
        1. Engagement Files
        2. Audit/Review/Compilation Services
        3. Other Services (Includes Tax and Consulting Services)
        4. Administrative Files
        5. Physical Security
        6. Hard Copy Form
        7. Electronic Form
        8. Confidentiality
        9. Destruction of Records
      2. Roles and Responsibilities
      3. Exhibit A
        1. Sample Engagement Letter Language Re: Record Retention
      4. Exhibit B
        1. Record Retention Periods—Engagement Files
      5. Notes to the Author
    1. Version History
    2. 1 Introduction
      1. 1.1. Purpose of the Security Approach
    3. 2 Security Approach
      1. 2.1 Process Overview
      2. 2.2 Security Approach Summary
    4. 3 Team Members
      1. 3.1 Certification and Accreditation Team
      2. 3.2 Security Team
    5. 4 System Categorization
      1. 4.1 Core Systems
      2. 4.2 Sub-Systems
      3. 4.3 Interconnected Systems
    6. 5 Programmatic Activities
      1. 5.1 Team Training
      2. 5.2 Requirements Management
      3. 5.3 Configuration Management
      4. 5.4 Risk Management
      5. 5.5 Change Management
    7. Appendix A: Security Approach Approval
    8. Appendix C: Key Terms
    9. Appendix D: Related Documents
  22. Appendix D – Domain 3 Materials
      1. Example Mobile Device Security Policy
        1. Using this Policy
        2. Background to this Policy
      2. Example Policy
        1. 1. Introduction
        2. 2. Scope
        3. 3. Policy
  23. Appendix E – Domain 4 Materials
        1. Installing Hyper-V
          1. The Following are the Basic Steps for Using Server Manager:
          2. To Create a Virtual Machine:
          3. Windows PowerShell Equivalent Commands
          4. To Install the Guest Operating System into the VM:
  24. Appendix F – Domain 5 Materials
          1. Introduction
          2. Purpose
          3. Audience
          4. Definitions
          5. Password Policy
          6. Password Guidelines
          7. Creating a Strong Password
          8. Disciplinary Actions
          9. Supporting Information Reference #
  25. Appendix G – Domain 6 Materials
    1. Sample Log Management Policy
          1. Revisions
          2. Purpose:
          3. Scope:
          4. Policy:
          5. Definitions:
          6. Responsibilities:
          7. Administration and Interpretations:
          8. Amendment/Termination of this Policy:
          9. References to Applicable Policies/Standards:
          10. Exceptions:
          11. Violations/Enforcement:
    2. Sample Log Procedures Document
          1. ABC Corp. Information Technology Services
  26. Appendix H – Domain 7 Materials
      1. Introduction
      2. Roles and Responsibilities
      3. Configuration Control Board (CCB)
      4. Project Sponsor
      5. Project Manager
      6. Configuration Manager
      7. Lead Engineers
      8. Engineers
      9. Configuration Control
      10. Configuration Management Database (CMDB)
      11. Configuration Status Accounting
          1. Configuration Audits
          2. Sponsor Acceptance
  27. Appendix I – Domain 8 Materials
    1. Revision History
    2. Template Overview and Instructions:
      1. 1 Purpose
      2. 2 Procedures For Change Identification
      3. 3 Procedures For Change Analysis
      4. 4 Change Request Approval Process
      5. 5 Change Tracking
      6. Attachment A: Sample Project Change Request Form
      7. Attachment B: Sample Change Control Log
  28. Appendix J – Glossary