This EPUB will be accessible from your Account page after purchase.
This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.
This is the eBook version of the print title. Note that the eBook does not provide access to the practice test software that accompanies the print book.
Learn, prepare, and practice for CISSP exam success with the CISSP Cert Guide from Pearson IT Certification, a leader in IT Certification.
CISSP Cert Guide is a best-of-breed exam study guide. Leading IT certification experts Troy McMillan and Robin Abernathy share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
You'll get a complete test preparation routine organized around proven series elements and techniques. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan.
This study guide helps you master all the topics on the CISSP exam, including
Introduction
Chapter 1 The CISSP Certification
The Goals of the CISSP Certification
Sponsoring Bodies
Stated Goals
The Value of the CISSP Certification
To the Security Professional
To the Enterprise
The Common Body of Knowledge
Access Control
Telecommunications and Network Security
Information Security Governance and Risk Management
Software Development Security
Cryptography
Security Architecture and Design
Operations Security
Business Continuity and Disaster Recovery Planning
Legal, Regulations, Investigations, and Compliance
Physical and Environmental Security
Steps to Becoming a CISSP
Qualifying for the Exam
Signing Up for the Exam
About the CISSP Exam
Chapter 2 Access Control
Foundation Topics
Access Control Concepts
CIA
Default Stance
Defense In Depth
Access Control Process
Identify Resources
Identify Users
Identify Relationships Between Resources and Users
Identification and Authentication Concepts
Three Factors for Authentication
Knowledge Factors
Identity and Account Management
Password Types and Management
Ownership Factors
Synchronous and Asynchronous Token
Memory Cards
Smart Cards
Characteristic Factors
Physiological Characteristics
Behavioral Characteristics
Biometric Considerations
Authorization Concepts
Access Control Policies
Separation of Duties
Least Privilege/Need-to-Know
Default to No Access
Directory Services
Single Sign-on
Kerberos
SESAME
Federated Identity Management
Security Domains
Accountability
Auditing and Reporting
Vulnerability Assessment
Penetration Testing
Access Control Categories
Compensative
Corrective
Detective
Deterrent
Directive
Preventive
Recovery
Access Control Types
Administrative (Management) Controls
Logical (Technical) Controls
Physical Controls
Access Control Models
Discretionary Access Control
Mandatory Access Control
Role-based Access Control
Rule-based Access Control
Content-dependent Versus Context-dependent
Access Control Matrix
Capabilities Table
Access Control List (ACL)
Access Control Administration
Centralized
Decentralized
Provisioning Life Cycle
Access Control Monitoring
IDS
IPS
Access Control Threats
Password Threats
Dictionary Attack
Brute-Force Attack
Social Engineering Threats
Phishing/Pharming
Shoulder Surfing
Identity Theft
Dumpster Diving
DoS/DDoS
Buffer Overflow
Mobile Code
Malicious Software
Spoofing
Sniffing and Eavesdropping
Emanating
Backdoor/Trapdoor
Exam Preparation Tasks
Review All Key Topics
Complete the Tables and Lists from Memory
Define Key Terms
Review Questions
Answers and Explanations
Chapter 3 Telecommunications and Network Security
Foundation Topics
OSI Model
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
Multi-Layer Protocols
TCP/IP Model
Application Layer
Transport Layer
Internet Layer
Link Layer
Encapsulation
Common TCP/UDP Ports
Logical and Physical Addressing
IPv4
IP Classes
Public Versus Private IP Addresses
NAT
IPv4 Versus IPv6
MAC Addressing
Network Transmission
Analog Versus Digital
Asynchronous Versus Synchronous
Broadband Versus Baseband
Unicast, Multicast, and Broadcast
Wired Versus Wireless
Cabling
Coaxial
Twisted Pair
Fiber Optic
Network Topologies
Ring
Bus
Star
Mesh
Hybrid
Network Technologies
Ethernet 802.3
Token Ring 802.5
FDDI
Contention Methods
CSMA/CD Versus CSMA/CA
Collision Domains
CSMA/CD
CSMA/CA
Token Passing
Polling
Network Protocols/Services
ARP
DHCP
DNS
FTP, FTPS, SFTP
HTTP, HTTPS, SHTTP
ICMP
IMAP
NAT
PAT
POP
SMTP
SNMP
Network Routing
Distance Vector, Link State, or Hybrid Routing
RIP
OSPF
IGRP
EIGRP
VRRP
IS-IS
BGP
Network Devices
Patch Panel
Multiplexer
Hub
Switch
VLANs
Layer 3 Versus Layer 4
Router
Gateway
Firewall
Types
Architecture
Virtualization
Proxy Server
PBX
Honeypot
Cloud Computing
Endpoint Security
Network Types
LAN
Intranet
Extranet
MAN
WAN
WAN Technologies
T Lines
E Lines
OC Lines (SONET)
CSU/DSU
Circuit-Switching Versus Packet-Switching
Frame Relay
ATM
X.25
Switched Multimegabit Data Service
Point-to-Point Protocol
High-Speed Serial Interface
PSTN (POTS, PBX)
VoIP
Remote Connection Technologies
Dial-up
ISDN
DSL
Cable
VPN
RADIUS and TACACS
Remote Authentication Protocols
Telnet
TLS/SSL
Multimedia Collaboration
Wireless Networks
FHSS, DSSS, OFDM, FDMA, TDMA, CDMA, OFDMA, and GSM
802.11 Techniques
Cellular or Mobile Wireless Techniques
WLAN Structure
Access Point
SSID
Infrastructure Mode Versus Ad Hoc Mode
WLAN Standards
802.11a
802.11b
802.11f
802.11g
802.11n
Bluetooth
Infrared
WLAN Security
WEP
WPA
WPA2
Personal Versus Enterprise
SSID Broadcast
MAC Filter
Satellites
Network Threats
Cabling
Noise
Attenuation
Crosstalk
Eavesdropping
ICMP Attacks
Ping of Death
Smurf
Fraggle
ICMP Redirect
Ping Scanning
DNS Attacks
DNS Cache Poisoning
DoS
DDoS
DNSSEC
URL Hiding
Domain Grabbing
Cybersquatting
Email Attacks
Email Spoofing
Spear Phishing
Whaling
Spam
Wireless Attacks
Wardriving
Warchalking
Remote Attacks
Other Attacks
SYN ACK Attacks
Session Hijacking
Port Scanning
Teardrop
IP Address Spoofing
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Answers and Explanations
Chapter 4 Information Security Governance and Risk Management
Foundation Topics
Security Principles and Terms
CIA
Vulnerability
Threat
Threat Agent
Risk
Exposure
Countermeasure
Due Care and Due Diligence
Job Rotation
Separation of Duties
Security Frameworks and Methodologies
ISO/IEC 27000 Series
Zachman Framework
The Open Group Architecture Framework (TOGAF)
Department of Defense Architecture Framework (DoDAF)
British Ministry of Defence Architecture Framework (MODAF)
Sherwood Applied Business Security Architecture (SABSA)
Control Objectives for Information and Related Technology (COBIT)
National Institute of Standards and Technology (NIST) Special Publication (SP)
Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework
Information Technology Infrastructure Library (ITIL)
Six Sigma
Capability Maturity Model Integration (CMMI)
Top-Down Versus Bottom-Up Approach
Security Program Life Cycle
Risk Assessment
Information and Asset (Tangible/Intangible) Value and Costs
Vulnerabilities and Threats Identification
Quantitative Risk Analysis
Qualitative Risk Analysis
Safeguard Selection
Total Risk Versus Residual Risk
Handling Risk
Risk Management Principles
Risk Management Policy
Risk Management Team
Risk Analysis Team
Information Security Governance Components
Policies
Organizational Security Policy
System-Specific Security Policy
Issue-Specific Security Policy
Policy Categories
Standards
Baselines
Guidelines
Procedures
Information Classification and Life Cycle
Commercial Business Classifications
Military and Government Classifications
Information Life Cycle
Security Governance Responsibilities and Roles
Board of Directors
Management
Audit Committee
Data Owner
Data Custodian
System Owner
System Administrator
Security Administrator
Security Analyst
Application Owner
Supervisor
User
Auditor
Third-Party Governance
Onsite Assessment
Document Exchange/Review
Process/Policy Review
Personnel Security (Screening, Hiring, and Termination)
Security Awareness Training
Security Budget, Metrics, and Effectiveness
Exam Preparation Tasks
Review All Key Topics
Complete the Tables and Lists from Memory
Define Key Terms
Review Questions
Answers and Explanations
Chapter 5 Software Development Security
Foundation Topics
System Development Life Cycle
Initiate
Acquire/Develop
Implement
Operate/Maintain
Dispose
Software Development Life Cycle
Gather Requirements
Design
Develop
Test/Validate
Release/Maintain
Change Management and Configuration Management
Software Development Security Best Practices
WASC
OWASP
BSI
ISO/IEC 27000
Software Development Methods
Build and Fix
Waterfall
V-Shaped
Prototyping
Incremental
Spiral
Rapid Application Development (RAD)
Agile
JAD
Cleanroom
CMMI
Programming Concepts
Machine Languages
Assembly Languages and Assemblers
High-level Languages, Compilers, and Interpreters
Object-Oriented Programming
Polymorphism
Cohesion
Coupling
Data Structures
Distributed Object-Oriented Systems
CORBA
COM and DCOM
OLE
Java
SOA
Mobile Code
Java Applets
ActiveX
Database Concepts and Security
DBMS Architecture and Models
Database Interface Languages
ODBC
JDBC
XML
OLE DB
Data Warehouses and Data Mining
Database Threats
Database Views
Database Locks
Polyinstantiation
OLTP ACID Test
Knowledge-Based Systems
Software Threats
Malware
Virus
Worm
Trojan Horse
Logic Bomb
Spyware/Adware
Botnet
Rootkit
Source Code Issues
Buffer Overflow
Escalation of Privileges
Backdoor
Malware Protection
Antivirus Software
Antimalware Software
Security Policies
Software Security Effectiveness
Certification and Accreditation
Auditing
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Complete the Tables and Lists from Memory
Review Questions
Answers and Explanations
Chapter 6 Cryptography
Foundation Topics
Cryptography Concepts
Cryptographic Life Cycle
Cryptography History
Julius Caesar and the Caesar Cipher
Vigenère Cipher
Kerckhoffs's Principle
World War II Enigma
Lucifer by IBM
Cryptosystem Features
Authentication
Confidentiality
Integrity
Authorization
Non-repudiation
Encryption Systems
Running Key and Concealment Ciphers
Substitution Ciphers
Transposition Ciphers
Symmetric Algorithms
Stream-based Ciphers
Block Ciphers
Initialization Vectors (IVs)
Asymmetric Algorithms
Hybrid Ciphers
Substitution Ciphers
One-Time Pads
Steganography
Symmetric Algorithms
Data Encryption Standard (DES) and Triple DES (3DES)
DES Modes
Triple DES (3DES) and Modes
Advanced Encryption Standard (AES)
IDEA
Skipjack
Blowfish
Twofish
RC4/RC5/RC6
CAST
Asymmetric Algorithms
Diffie-Hellman
RSA
ElGamal
ECC
Knapsack
Zero Knowledge Proof
Message Integrity
Hash Functions
One-Way Hash
MD2/MD4/MD5/MD6
SHA/SHA-2/SHA-3
HAVAL
RIPEMD-160
Tiger
Message Authentication Code
HMAC
CBC-MAC
CMAC
Digital Signatures
Public Key Infrastructure
Certification Authority (CA) and Registration Authority (RA)
OCSP
Certificates
Certificate Revocation List (CRL)
PKI Steps
Cross-Certification
Key Management
Trusted Platform Module (TPM)
Encryption Communication Levels
Link Encryption
End-to-End Encryption
E-mail Security
PGP
MIME and S/MIME
Quantum Cryptography
Internet Security
Remote Access
SSL/TLS
HTTP, HTTPS, and SHTTP
SET
Cookies
SSH
IPsec
Cryptography Attacks
Ciphertext-Only Attack
Known Plaintext Attack
Chosen Plaintext Attack
Chosen Ciphertext Attack
Social Engineering
Brute Force
Differential Cryptanalysis
Linear Cryptanalysis
Algebraic Attack
Frequency Analysis
Birthday Attack
Dictionary Attack
Replay Attack
Analytic Attack
Statistical Attack
Factoring Attack
Reverse Engineering
Meet-in-the-Middle Attack
Exam Preparation Tasks
Review All Key Topics
Complete the Tables and Lists from Memory
Define Key Terms
Review Questions
Answers and Explanations
Chapter 7 Security Architecture and Design
Foundation Topics
Security Model Concepts
Confidentiality
Integrity
Availability
Defense in Depth
System Architecture
System Architecture Steps
ISO/IEC 42010:2011
Computing Platforms
Mainframe/Thin Clients
Distributed Systems
Middleware
Embedded Systems
Mobile Computing
Virtual Computing
Security Services
Boundary Control Services
Access Control Services