SKIP THE SHIPPING
Use code NOSHIP during checkout to save 40% on eligible eBooks, now through January 5. Shop now.
Register your product to gain access to bonus material or receive a coupon.
Updated for 2009
Covers the critical information you’ll need to know to score higher on your CISSP exam!
CD Features Test Engine Powered by MeasureUp!
Exam Profile: (ISC)2 Certified Information Systems Security Professional (CISSP)
Exploring Common Web Server Attacks
The Ideal Security Professional
CISSP Exam Cram: Business Continuity and Disaster Recovery Planning
Download the sample pages (includes Chapter 7 and Index)
Introduction 1
Chapter 1:
The CISSP Certification Exam ............................................................15
Introduction ..............................................................................................16
Assessing Exam Readiness........................................................................16
Taking the Exam.......................................................................................17
Multiple-Choice Question Format ..........................................................19
Exam Strategy...........................................................................................19
Question-Handling Strategies..................................................................21
Mastering the Inner Game.......................................................................21
Need to Know More?...............................................................................22
Chapter 2:
Physical Security ...........................................................................23
Introduction ..............................................................................................24
Physical Security Risks .............................................................................24
Natural Disasters.............................................................................25
Man-Made Threats .........................................................................26
Technical Problems .........................................................................27
Facility Concerns and Requirements.......................................................28
CPTED ...........................................................................................28
Area Concerns .................................................................................29
Location...........................................................................................30
Construction....................................................................................30
Doors, Walls, Windows, and Ceilings............................................31
Asset Placement...............................................................................34
Perimeter Controls...................................................................................34
Fences ..............................................................................................34
Gates ................................................................................................36
Bollards ............................................................................................37
CCTV Cameras ..............................................................................38
Lighting ...........................................................................................39
Guards and Dogs.............................................................................40
Locks................................................................................................41
Employee Access Control ........................................................................44
Badges, Tokens, and Cards..............................................................44
Biometric Access Controls ..............................................................46
Environmental Controls...........................................................................47
Heating, Ventilating, and Air Conditioning...................................48
Electrical Power........................................................................................49
Uninterruptible Power Supply .......................................................50
Equipment Life Cycle ..............................................................................50
Fire Prevention, Detection, and Suppression..........................................51
Fire-Detection Equipment..............................................................52
Fire Suppression ..............................................................................52
Alarm Systems...........................................................................................55
Intrusion Detection Systems...........................................................55
Monitoring and Detection ..............................................................56
Exam Prep Questions ...............................................................................58
Answers to Exam Prep Questions............................................................60
Suggested Reading and Resources ...........................................................61
Chapter 3:
Access Control Systems and Methodology .............................................63
Introduction ..............................................................................................64
Identification, Authentication, and Authorization ..................................65
Authentication .................................................................................65
Single Sign-On .........................................................................................78
Kerberos...........................................................................................78
SESAME..........................................................................................81
Authorization and Access Controls Techniques ......................................81
Discretionary Access Control .........................................................81
Mandatory Access Control..............................................................82
Role-Based Access Control .............................................................84
Other Types of Access Controls .....................................................85
Access Control Methods ..........................................................................86
Centralized Access Control.............................................................86
Decentralized Access Control.........................................................89
Access Control Types ...............................................................................90
Administrative Controls ..................................................................90
Technical Controls ..........................................................................91
Physical Controls.............................................................................91
Access Control Categories ..............................................................92
Audit and Monitoring...............................................................................93
Monitoring Access and Usage ........................................................93
Intrusion Detection Systems...........................................................94
Intrusion Prevention Systems .........................................................98
Network Access Control .................................................................98
Keystroke Monitoring.....................................................................99
Emanation Security .......................................................................100
Access Control Attacks ...........................................................................101
Password Attacks ...........................................................................101
Spoofing.........................................................................................105
Sniffing...........................................................................................105
Eavesdropping and Shoulder Surfing...........................................105
Wiretapping...................................................................................106
Identity Theft ................................................................................106
Denial of Service Attacks ..............................................................107
Distributed Denial of Service Attacks ..........................................109
Botnets ...........................................................................................109
Exam Prep Questions .............................................................................111
Answers to Exam Prep Questions..........................................................113
Suggesting Reading and Resources........................................................115
Chapter 4:
Cryptography...............................................................................117
Introduction ............................................................................................118
Cryptographic Basics ..............................................................................118
History of Encryption ............................................................................121
Steganography ........................................................................................126
Steganography Operation .............................................................127
Digital Watermark ........................................................................128
Algorithms...............................................................................................128
Cipher Types and Methods ....................................................................130
Symmetric Encryption ...........................................................................131
Data Encryption Standard ............................................................133
Triple-DES ....................................................................................136
Advanced Encryption Standard ....................................................138
International Data Encryption Algorithm....................................138
Rivest Cipher Algorithms .............................................................139
Asymmetric Encryption..........................................................................139
Diffie-Hellman ..............................................................................141
RSA ................................................................................................142
El Gamal........................................................................................143
Elliptical Curve Cryptosystem......................................................144
Merkle-Hellman Knapsack ...........................................................144
Review of Symmetric and Asymmetric Cryptographic Systems .145
Hybrid Encryption .................................................................................145
Integrity and Authentication ..................................................................146
Hashing and Message Digests ......................................................147
Digital Signatures..........................................................................150
Cryptographic System Review......................................................151
Public Key Infrastructure .......................................................................151
Certificate Authority .....................................................................152
Registration Authority...................................................................152
Certificate Revocation List ...........................................................153
Digital Certificates ........................................................................153
The Client’s Role in PKI ..............................................................155
Email Protection Mechanisms ...............................................................156
Pretty Good Privacy......................................................................156
Other Email Security Applications...............................................157
Securing TCP/IP with Cryptographic Solutions..................................157
Application/Process Layer Controls.............................................158
Host to Host Layer Controls........................................................159
Internet Layer Controls ................................................................160
Network Access Layer Controls ...................................................161
Link and End to End Encryption.................................................162
Cryptographic Attacks............................................................................163
Exam Prep Questions .............................................................................166
Answers to Exam Prep Questions..........................................................168
Need to Know More?.............................................................................170
Chapter 5:
Security Architecture and Models ......................................................171
Introduction ............................................................................................172
Computer System Architecture..............................................................172
Central Processing Unit................................................................172
Storage Media................................................................................175
I/O Bus Standards .........................................................................178
Virtual Memory and Virtual Machines.........................................178
Computer Configurations.............................................................179
Security Architecture..............................................................................180
Protection Rings............................................................................180
Trusted Computer Base ................................................................182
Open and Closed Systems.............................................................185
Security Modes of Operation........................................................185
Operating States ............................................................................186
Recovery Procedures.....................................................................187
Process Isolation............................................................................188
Security Models of Control....................................................................188
State Machine Model ....................................................................189
Confidentiality...............................................................................190
Integrity .........................................................................................191
Other Models ................................................................................194
Documents and Guidelines ....................................................................195
The Rainbow Series ......................................................................195
The Red Book: Trusted Network Interpretation.........................197
Information Technology Security Evaluation Criteria ................198
Common Criteria..........................................................................199
British Standard 7799....................................................................200
System Validation ...................................................................................200
Certification and Accreditation.....................................................201
Governance and Enterprise Architecture.....................................202
Security Architecture Threats................................................................204
Buffer Overflow.............................................................................204
Back Doors ....................................................................................205
Asynchronous Attacks ...................................................................205
Covert Channels............................................................................205
Incremental Attacks.......................................................................206
Exam Prep Questions .............................................................................207
Answers to Exam Prep Questions..........................................................209
Need to Know More?.............................................................................211
Chapter 6:
Telecommunications and Network Security...........................................213
Introduction ............................................................................................214
Network Models and Standards.............................................................214
OSI Model.....................................................................................215
Encapsulation/De-encapsulation ..................................................221
TCP/IP ...................................................................................................222
Network Access Layer...................................................................222
Internet Layer................................................................................223
Host-to-Host (Transport) Layer...................................................226
Application Layer ..........................................................................229
LANs and Their Components...............................................................232
LAN Communication Protocols ..................................................233
Network Topologies......................................................................233
LAN Cabling.................................................................................236
Network Types ..............................................................................238
Communication Standards.....................................................................239
Network Equipment...............................................................................240
Repeaters........................................................................................240
Hubs...............................................................................................240
Bridges ...........................................................................................240
Switches .........................................................................................241
Routers...........................................................................................242
Brouters .........................................................................................243
Gateways........................................................................................243
Routing....................................................................................................244
WANs and Their Components..............................................................246
Packet Switching ...........................................................................246
Circuit Switching...........................................................................248
Voice Communications and Wireless Communications.......................251
Voice over IP .................................................................................251
Cell Phones....................................................................................252
802.11 Wireless Networks and Standards....................................253
Network Security....................................................................................261
Firewalls.........................................................................................261
Demilitarized Zone .......................................................................263
Firewall Design..............................................................................264
Remote Access ........................................................................................265
Point-to-Point Protocol................................................................265
Virtual Private Networks ..............................................................266
Remote Authentication Dial-in User Service ..............................267
Terminal Access Controller Access Control System....................267
IPSec ..............................................................................................268
Message Privacy......................................................................................268
Threats to Network Security .................................................................269
DoS Attacks ...................................................................................269
Disclosure Attacks .........................................................................270
Destruction, Alteration, or Theft .................................................271
Exam Prep Questions .............................................................................274
Answers to Exam Prep Questions..........................................................277
Need to Know More?.............................................................................278
Chapter 7:
Business Continuity and Disaster Recovery Planning...............................279
Introduction ............................................................................................280
Threats to Business Operations .............................................................280
Disaster Recovery and Business Continuity Management ...................281
Project Management and Initiation..............................................283
Business Impact Analysis...............................................................285
Recovery Strategy..........................................................................290
Plan Design and Development .....................................................303
Implementation .............................................................................306
Testing............................................................................................307
Monitoring and Maintenance .......................................................309
Disaster Life Cycle .................................................................................310
Teams and Responsibilities ...........................................................312
Exam Prep Questions .............................................................................314
Answers to Exam Prep Questions..........................................................316
Need to Know More?.............................................................................318
Chapter 8:
Legal, Regulations, Compliance, and Investigations ...............................319
Introduction ............................................................................................320
United States Legal System and Laws...................................................320
International Legal Systems and Laws ..................................................321
International Property Laws ..................................................................323
Piracy and Issues with Copyrights................................................323
Privacy Laws and Protection of Personal Information .........................325
Privacy Impact Assessment ...........................................................327
Computer Crime Laws...........................................................................328
Ethics.......................................................................................................328
ISC2 Code of Ethics ......................................................................329
Computer Ethics Institute ............................................................330
Internet Architecture Board..........................................................331
NIST 800-14 .................................................................................332
Computer Crime and Criminals ............................................................332
Pornography ..................................................................................335
Well-Known Computer Crimes ............................................................335
How Computer Crime Has Changed....................................................336
Attack Vectors .........................................................................................338
Keystroke Logging........................................................................338
Wiretapping...................................................................................339
Spoofing Attacks............................................................................339
Manipulation Attacks ....................................................................340
Social Engineering ........................................................................341
Dumpster Diving...........................................................................341
Investigating Computer Crime ..............................................................342
Computer Crime Jurisdiction .......................................................343
Incident Response .........................................................................343
Forensics .................................................................................................347
Standardization of Forensic Procedures.......................................349
Computer Forensics ......................................................................349
Investigations ..........................................................................................354
Search, Seizure, and Surveillance .................................................354
Interviews and Interrogations .......................................................355
Honeypots and Honeynets ...........................................................355
Evidence Types..............................................................................356
Trial .........................................................................................................357
The Evidence Life Cycle ..............................................................358
Exam Prep Questions .............................................................................359
Answers to Exam Prep Questions..........................................................362
Need to Know More?.............................................................................364
Chapter 9:
Applications and Systems-Development Security ...................................365
Introduction ............................................................................................366
System Development..............................................................................366
Avoiding System Failure ...............................................................367
The System Development Life Cycle ..........................................369
System Development Methods ..............................................................376
The Waterfall Model ....................................................................376
The Spiral Model ..........................................................................376
Joint Application Development ....................................................377
Rapid Application Development...................................................377
Incremental Development ............................................................377
Prototyping....................................................................................378
Computer-Aided Software Engineering.......................................378
Agile Development Methods ........................................................378
Capability Maturity Model ...........................................................379
Scheduling .....................................................................................380
Change Management..............................................................................380
Programming Languages .......................................................................382
Object-Oriented Programming ....................................................384
CORBA..........................................................................................385
Database Management ...........................................................................385
Database Terms .............................................................................386
Integrity .........................................................................................388
Transaction Processing..................................................................388
Data Warehousing.........................................................................388
Data Mining ..................................................................................389
Knowledge Management ..............................................................390
Artificial Intelligence and Expert Systems ...................................390
Malicious Code .......................................................................................391
Viruses............................................................................................391
Worms............................................................................................393
Spyware..........................................................................................394
Back Doors and Trapdoors ...........................................................394
Change Detection .........................................................................395
Malformed Input (SQL Injection)................................................395
Mobile Code..................................................................................396
Financial Attacks............................................................................396
Buffer Overflow.............................................................................397
Denial of Service ...........................................................................398
Distributed Denial of Service .......................................................399
Exam Prep Questions .............................................................................400
Answers to Exam Prep Questions..........................................................402
Need to Know More?.............................................................................404
Chapter 10:
Information Security and Risk Management Practices..............................405
Introduction ............................................................................................406
Basic Security Principles ........................................................................406
Security Management and Governance.................................................408
Asset Identification .................................................................................410
Risk Assessment ......................................................................................411
Risk Management..........................................................................412
Policies Development.............................................................................427
Security Policy...............................................................................428
Standards........................................................................................430
Baselines.........................................................................................430
Guidelines......................................................................................431
Procedures .....................................................................................431
Data Classification.........................................................................431
Implementation.......................................................................................434
Roles and Responsibility ...............................................................434
Security Controls...........................................................................436
Training and Education..........................................................................438
Security Awareness ........................................................................439
Social Engineering ........................................................................440
Auditing Your Security Infrastructure ...................................................441
The Risk of Poor Security Management...............................................442
Exam Prep Questions .............................................................................443
Answers to Exam Prep Questions..........................................................445
Need to Know More?.............................................................................447
Chapter 11:
Operations Security .......................................................................449
Introduction ............................................................................................450
Operational Security...............................................................................450
Employee Recruitment .................................................................451
New-Hire Orientation ..................................................................452
Separation of Duties......................................................................452
Job Rotation...................................................................................452
Least Privilege ...............................................................................453
Mandatory Vacations.....................................................................453
Termination ...................................................................................454
Accountability .........................................................................................454
Controls ..................................................................................................456
Security Controls...........................................................................456
Operational Controls ....................................................................458
Auditing and Monitoring .......................................................................465
Auditing .........................................................................................466
Monitoring Controls.....................................................................467
Clipping Levels..............................................................................468
Intrusion Detection .......................................................................469
Keystroke Monitoring...................................................................470
Antivirus.........................................................................................470
Facility Access Control..................................................................471
Telecommunication Controls.................................................................472
Fax..................................................................................................472
PBX................................................................................................473
Email..............................................................................................474
Backup, Fault Tolerance, and Recovery Controls .................................476
Backups ..........................................................................................477
Fault Tolerance..............................................................................478
RAID..............................................................................................480
Recovery Controls.........................................................................482
Security Assessments ..............................................................................483
Policy Reviews ...............................................................................484
Vulnerability Scanning ..................................................................484
Penetration Testing .......................................................................485
Operational Security Threats and Vulnerabilities.................................489
Common Attack Methodologies...................................................490
Attack Terms and Techniques .......................................................492
Exam Prep Questions .............................................................................494
Answers to Exam Prep Questions..........................................................497
Need to Know More?.............................................................................499
Chapter 12:
Practice Exam I ............................................................................501
Chapter 13:
Answers to Practice Exam I..............................................................515
Chapter 14:
Practice Exam II ...........................................................................531
Chapter 15:
Answers to Practice Exam II.............................................................545
Appendix A:
What’s on the CD ..........................................................................559
Index ........................................................................................563