CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition
ISBN: 978-1-119-04271-6
1080 pages
October 2015
Description
CISSP Study Guide - fully updated for the 2015 CISSP Body of Knowledge
CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition has been completely updated for the latest 2015 CISSP Body of Knowledge. This bestselling Sybex study guide covers 100% of all exam objectives. You'll prepare for the exam smarter and faster with Sybex thanks to expert content, real-world examples, advice on passing each section of the exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic exam essentials and chapter review questions.
Along with the book, you also get access to Sybex's superior online interactive learning environment that includes:
- Four unique 250 question practice exams to help you identify where you need to study more. Get more than 90 percent of the answers correct, and you're ready to take the certification exam.
- More than 650 Electronic Flashcards to reinforce your learning and give you last-minute test prep before the exam
- A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam
Coverage of all of the exam topics in the book means you'll be ready for:
- Security and Risk Management
- Asset Security
- Security Engineering
- Communication and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
Table of Contents
Introduction xxxiii
Assessment Test xlii
Chapter 1 Security Governance Through Principles and Policies 1
Understand and Apply Concepts of Confidentiality, Integrity, and Availability 3
Apply Security Governance Principles 13
Develop and Implement Documented Security Policy, Standards, Procedures, and Guidelines 25
Understand and Apply Threat Modeling 28
Integrate Security Risk Considerations into Acquisition Strategy and Practice 35
Summary 36
Exam Essentials 38
Written Lab 41
Review Questions 42
Chapter 2 Personnel Security and Risk Management Concepts 47
Contribute to Personnel Security Policies 49
Security Governance 59
Understand and Apply Risk Management Concepts 60
Establish and Manage Information Security Education, Training, and Awareness 81
Manage the Security Function 82
Summary 83
Exam Essentials 84
Written Lab 88
Review Questions 89
Chapter 3 Business Continuity Planning 93
Planning for Business Continuity 94
Project Scope and Planning 95
Business Impact Assessment 101
Continuity Planning 107
Plan Approval and Implementation 109
Summary 114
Exam Essentials 115
Written Lab 117
Review Questions 118
Chapter 4 Laws, Regulations, and Compliance 123
Categories of Laws 124
Laws 127
Compliance 146
Contracting and Procurement 147
Summary 148
Exam Essentials 149
Written Lab 151
Review Questions 152
Chapter 5 Protecting Security of Assets 157
Classifying and Labeling Assets 158
Identifying Data Roles 174
Protecting Privacy 178
Summary 181
Exam Essentials 182
Written Lab 183
Review Questions 184
Chapter 6 Cryptography and Symmetric Key Algorithms 189
Historical Milestones in Cryptography 190
Cryptographic Basics 192
Modern Cryptography 208
Symmetric Cryptography 214
Cryptographic Life Cycle 222
Summary 222
Exam Essentials 223
Written Lab 225
Review Questions 226
Chapter 7 PKI and Cryptographic Applications 231
Asymmetric Cryptography 232
Hash Functions 236
Digital Signatures 240
Public Key Infrastructure 242
Asymmetric Key Management 246
Applied Cryptography 247
Cryptographic Attacks 258
Summary 261
Exam Essentials 261
Written Lab 264
Review Questions 265
Chapter 8 Principles of Security Models, Design, and Capabilities 269
Implement and Manage Engineering Processes Using Secure Design Principles 270
Understand the Fundamental Concepts of Security Models 275
Select Controls and Countermeasures Based on Systems Security Evaluation Models 289
Understand Security Capabilities of Information Systems 303
Summary 305
Exam Essentials 305
Written Lab 307
Review Questions 308
Chapter 9 Security Vulnerabilities, Threats, and Countermeasures 313
Assess and Mitigate Security Vulnerabilities 314
Client-Based 337
Server Based 341
Database Security 341
Distributed Systems 344
Industrial Control Systems 348
Assess and Mitigate Vulnerabilities in Web-Based Systems 349
Assess and Mitigate Vulnerabilities in Mobile Systems 350
Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems 360
Essential Security Protection Mechanisms 364
Common Architecture Flaws and Security Issues 369
Summary 375
Exam Essentials 376
Written Lab 379
Review Questions 380
Chapter 10 Physical Security Requirements 385
Apply Secure Principles to Site and Facility Design 386
Design and Implement Physical Security 389
Implement and Manage Physical Security 407
Summary 415
Exam Essentials 416
Written Lab 420
Review Questions 421
Chapter 11 Secure Network Architecture and Securing Network Components 425
OSI Model 426
TCP/IP Model 437
Converged Protocols 452
Wireless Networks 454
General Wi-Fi Security Procedure 462
Cabling, Wireless, Topology, and Communications Technology 473
Summary 490
Exam Essentials 490
Written Lab 494
Review Questions 495
Chapter 12 Secure Communications and Network Attacks 499
Network and Protocol Security Mechanisms 500
Secure Voice Communications 503
Multimedia Collaboration 507
Manage Email Security 508
Remote Access Security Management 513
Virtual Private Network 517
Virtualization 523
Network Address Translation 525
Switching Technologies 530
WAN Technologies 532
Miscellaneous Security Control Characteristics 537
Security Boundaries 539
Prevent or Mitigate Network Attacks 539
Summary 545
Exam Essentials 546
Written Lab 549
Review Questions 550
Chapter 13 Managing Identity and Authentication 555
Controlling Access to Assets 556
Comparing Identification and Authentication 560
Implementing Identity Management 573
Managing the Identity and Access Provisioning Life Cycle 582
Summary 585
Exam Essentials 586
Written Lab 588
Review Questions 589
Chapter 14 Controlling and Monitoring Access 593
Comparing Access Control Models 594
Understanding Access Control Attacks 604
Summary 621
Exam Essentials 622
Written Lab 624
Review Questions 625
Chapter 15 Security Assessment and Testing 629
Building a Security Assessment and Testing Program 630
Performing Vulnerability Assessments 634
Testing Your Software 643
Implementing Security Management Processes 649
Summary 650
Exam Essentials 651
Written Lab 653
Review Questions 654
Chapter 16 Managing Security Operations 659
Applying Security Operations Concepts 661
Provisioning and Managing Resources 670
Managing Configuration 678
Managing Change 680
Managing Patches and Reducing Vulnerabilities 684
Summary 688
Exam Essentials 689
Written Lab 691
Review Questions 692
Chapter 17 Preventing and Responding to Incidents 697
Managing Incident Response 698
Implementing Preventive Measures 704
Logging, Monitoring, and Auditing 731
Summary 748
Exam Essentials 750
Written Lab 754
Review Questions 755
Chapter 18 Disaster Recovery Planning 759
The Nature of Disaster 760
Understand System Resilience and Fault Tolerance 770
Recovery Strategy 775
Recovery Plan Development 784
Training, Awareness, and Documentation 792
Testing and Maintenance 793
Summary 795
Exam Essentials 795
Written Lab 797
Review Questions 798
Chapter 19 Incidents and Ethics 803
Investigations 804
Major Categories of Computer Crime 812
Incident Handling 817
Ethics 826
Summary 829
Exam Essentials 830
Written Lab 832
Review Questions 833
Chapter 20 Software Development Security 837
Introducing Systems Development Controls 838
Establishing Databases and Data Warehousing 860
Storing Data and Information 869
Understanding Knowledge-based Systems 870
Summary 873
Exam Essentials 874
Written Lab 875
Review Questions 876
Chapter 21 Malicious Code and Application Attacks 881
Malicious Code 882
Password Attacks 895
Application Attacks 899
Web Application Security 901
Reconnaissance Attacks 905
Masquerading Attacks 907
Summary 908
Exam Essentials 909
Written Lab 910
Review Questions 911
Appendix A Answers to Review Questions 915
Chapter 1: Security Governance Through Principles and Policies 916
Chapter 2: Personnel Security and Risk Management Concepts 917
Chapter 3: Business Continuity Planning 918
Chapter 4: Laws, Regulations, and Compliance 920
Chapter 5: Protecting Security of Assets 922
Chapter 6: Cryptography and Symmetric Key Algorithms 924
Chapter 7: PKI and Cryptographic Applications 926
Chapter 8: Principles of Security Models, Design, and Capabilities 927
Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 929
Chapter 10: Physical Security Requirements 931
Chapter 11: Secure Network Architecture and Securing Network Components 932
Chapter 12: Secure Communications and Network Attacks 933
Chapter 13: Managing Identity and Authentication 935
Chapter 14: Controlling and Monitoring Access 937
Chapter 15: Security Assessment and Testing 939
Chapter 16: Managing Security Operations 940
Chapter 17: Preventing and Responding to Incidents 943
Chapter 18: Disaster Recovery Planning 946
Chapter 19: Incidents and Ethics 948
Chapter 20: Software Development Security 949
Chapter 21: Malicious Code and Application Attacks 950
Appendix B Answers to Written Labs 953
Chapter 1: Security Governance Through Principles and Policies 954
Chapter 2: Personnel Security and Risk Management Concepts 954
Chapter 3: Business Continuity Planning 955
Chapter 4: Laws, Regulations, and Compliance 956
Chapter 5: Protecting Security of Assets 956
Chapter 6: Cryptography and Symmetric Key Algorithms 957
Chapter 7: PKI and Cryptographic Applications 958
Chapter 8: Principles of Security Models, Design, and Capabilities 958
Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 959
Chapter 10: Physical Security Requirements 959
Chapter 11: Secure Network Architecture and Securing Network Components 960
Chapter 12: Secure Communications and Network Attacks 960
Chapter 13: Managing Identity and Authentication 961
Chapter 14: Controlling and Monitoring Access 962
Chapter 15: Security Assessment and Testing 962
Chapter 16: Managing Security Operations 963
Chapter 17: Preventing and Responding to Incidents 963
Chapter 18: Disaster Recovery Planning 964
Chapter 19: Incidents and Ethics 965
Chapter 20: Software Development Security 965
Chapter 21: Malicious Code and Application Attacks 966
Index 967
Author Information
James Michael Stewart, CISSP, CEH, CHFI, Security+, has focused on security, certification, and various operating systems for more than 20 years. He teaches numerous job skill and certification courses.
Mike Chapple, PhD, CISSP, is Senior Director for IT Service Delivery at the University of Notre Dame. He oversees information security, data governance, IT architecture, project management, strategic planning, and product management functions.
Darril Gibson, CISSP, is CEO of YCDA, LLC. He regularly writes and consults on a variety of technical and security topics, and has authored or coauthored more than 35 books.
Errata
Do you think you've discovered an error in this book? Please check the list of errata below to see if we've already addressed the error. If not, please submit the error via our Errata Form. We will attempt to verify your error; if you're right, we will post a correction below.
Chapter | Page | Details | Date | Print Run
---|---|---|---|---
Introduction | xl | Error in Text: www.sybex.com/go/cissp7e should be sybextestbanks.wiley.com | 5 Oct 2015 |
Introduction | xli | Error in Text: www.sybex.com/go/cissp7e should be sybextestbanks.wiley.com | 5 Oct 2015 |
 | xliii | Errata in Text: Question 6, Option c currently reads "Stateful inspection"; should read "Circuit level gateway". Note: page xliii, assessment test | 1-Dec-16 |
Introduction | xxxvii | Errata in Text: Introduction, page xxxvii, paragraph before the note, last two sentences: "Or, if you choose to use the English version of the exam, a translation dictionary is allowed. You must be able to prove that you need such a dictionary; this is usually accomplished with your birth certificate or your passport." Needs to be changed to: "(ISC)2 no longer allows dictionaries of any kind during the exam; this exclusion applies to translation dictionaries as well." | 19-Jul-17 |
 | 21 | Error in Text: In Figure 1.5, currently reads "Pulbic"; should read "Public" | 04 Nov 2015 |
 | 27 | Errata in Text: Page 27, add the following sentence as the new third sentence in the second paragraph following the heading "Security Standards, Baselines, and Guidelines" (the heading itself is on page 26): A baseline is a more operationally focused form of a standard. It takes the goals of a security policy and the requirements of the standards and defines them specifically in the baseline as a rule against which to implement and compare IT systems. | 25-Jun-18 |
1 | 31 | Errata in Text: Last paragraph currently reads "Attempting to identity each"; should read "Attempting to identify each" | 20-Jan-16 |
3 | 109 | Errata in Text: The header "Plan Approval" should be "Plan Approval and Implementation" (heading level should be H1) | 20-Jan-16 |
3 | 109 | Errata in Text: Insert the heading "Plan Approval" before the last paragraph of the page, i.e., after the Tip; heading level should be H2 | 20-Jan-16 |
3 | 110 | Errata in Text: The header "BCP Documentation" should be heading level H2 | 20-Jan-16 |
3 | 111 | Errata in Text: The headings "Continuity Planning Goals", "Statement of Importance", "Statement of Priorities", and "Statement of Organizational Responsibility" should each be reduced to heading level H3 | 20-Jan-16 |
3 | 112 | Errata in Text: The headings "Statement of Urgency and Timing", "Risk Assessment", and "Risk Acceptance/Mitigation" should each be reduced to heading level H3 | 20-Jan-16 |
3 | 113 | Errata in Text: The headings "Vital Records Program" and "Emergency-Response Guidelines" should each be reduced to heading level H3 | 20-Jan-16 |
3 | 114 | Errata in Text: The headings "Maintenance" and "Testing and Exercises" should each be reduced to heading level H3 | 20-Jan-16 |
6 | 219 | Errata in Text: Table 6.2, Blowfish row, 2nd and 3rd columns (block size and key size) currently read "Variable" and "1-448"; should read "64" and "32-448" | 20-Jan-16 |
 | 226 | Errata in Text: In Question 6, Choice C currently reads "Availability"; should read "Authentication" | 11-Jan-17 |
3 | 105 | Errata in Text: Chapter 3, page 105, $11,667 should be $10,500 in two places. | 19-Jul-17 |
6 | 224 | Errata in Text: Chapter 6, page 224, second-to-last Exam Essential currently reads: "The Data Encryption Standard operates in four modes: Electronic Codebook (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode, and Output Feedback (OFB) mode." Should be: "The Data Encryption Standard operates in five modes: Electronic Codebook (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode, Output Feedback (OFB) mode, and Counter (CTR) mode." | 19-Jul-17 |
7 | 234 | Errata in Text: The text in list item 3b currently reads "(n – 1)"; should read "(p – 1)" | 10-Jan-17 |
7 | 234 | Errata in Text: The text in list item 4 currently reads "Find a number, d, such that (ed - 1) mod (p - 1)(q - 1) = 0"; should read "Find a number, d, such that (ed - 1) mod (p - 1)(q - 1) = 1" | 10-Jan-17 |
7 | 235 | Errata in Text: Currently the entry for RSA reads "1,088 bits"; should read "1,024 bits" | 28-Mar-16 |
7 | 235 | Errata in Text: Chapter 7, page 235, 4th line, in the description of Moore's law: "18 months" should be "two years" | 4-Aug-17 |
7 | 258 | Errata in Text: The first sentence in the first main paragraph currently reads "Another commonly used wireless security standard, IEEE 802.1x, provides..."; should read "Another commonly used security standard, IEEE 802.1x, provides..." | 20-Jan-16 |
 | 258 | Errata in Text: The last sentence and bullet at the bottom of this page should be changed to: "There are two modifications that attackers can make to enhance the effectiveness of a brute-force attack:" | 29-Mar-16 |
7 | 268 | Errata in Text: Question 19, option C currently reads "Skipjack"; should read "Elliptic Curve Cryptography" | 10-Jan-17 |
 | 327 | Errata in Text: Page 327, section for EPROM: Add new sentences between the first and second sentences: "There are two main sub-categories of EPROM, namely UVEPROM and EEPROM (see next item). UVEPROMs can be erased with a light." Replace the final "EPROM" with "UVEPROM" in the same paragraph. In the EEPROM definition, delete the first two sentences. Alter the remaining third sentence from "A more flexible, friendly alternative is..." to "A more flexible, friendly alternative to UVEPROM is...". Delete the final sentence referring to removing from the computer. | 1-Feb-17 |
9 | 341 | Errata in Text: The text currently reads "Management of data flow ensures not only efficient transmission with minimal delays or latency, but also reliable throughput using hashing and protection confidentiality with encryption."; should read "Management of data flow ensures not only efficient transmission with minimal delays or latency, but also reliable throughput using hashing and confidentiality protection with encryption." | 18-Jan-17 |
 | 376 | Errata in Text: The text currently reads "EPROM"; should read "EPROM/UVEPROM" (replace EPROM with EPROM/UVEPROM) | 1-Feb-17 |
10 | 394 | Errata in Text: The text currently reads "A basement with limited access or an interior room with no windows and only one entry/exit point makes an excellent substitute when an empty vault isn't available."; should read "An interior room with limited access, no windows, and only one entry/exit point makes an excellent substitute when an empty vault isn't available." | 18-Jan-17 |
10 | 397 | Errata in Text: Currently reads "(These are discussed in more detail in the previous section, "Motion Detectors," and later in the section "Intrusion Alarms.")"; should read "(These are discussed in more detail in the later sections "Motion Detectors" and "Intrusion Alarms.")" | 19-May-16 |
11 | 432 | Errata in Text: Chapter 11, page 432, before the next-to-last paragraph, which begins "The Data Link layer...", add the following paragraph: ARP is carried as the payload of an Ethernet frame. Since Ethernet is layer 2, it makes sense to consider ARP layer 3. However, ARP does not operate as a true Layer 3 protocol, as it does not use a source/destination addressing scheme to direct communications in its header (similar to IP headers); instead it is dependent upon Ethernet's source and destination MAC addresses. Thus, ARP is not a true layer 3. ARP is also not truly a full layer 2 protocol either, as it depends upon Ethernet to serve as its transportation host; thus at best it is a dependent layer 2 protocol. The OSI model is a conceptual model and not an exacting description of how real protocols operate. Thus, ARP does not fit cleanly in the OSI organization. It would be best located at layer 2.5 (i.e., between layers 2 and 3). But for the CISSP exam, consider it a layer 2 protocol. | 19-Jul-17 |
 | 439 | Errata in Text: In "Transport Layer Protocols", currently reads "Since port numbers are 16-digit binary numbers, the total number of ports is 216, or 65,536"; should read "Since port numbers are 16-digit binary numbers, the total number of ports is 2^16, or 65,536" | 04-Jan-16 |
11 | 442 | Errata in Text: Box at the bottom currently reads "However, the last six (URG, ACK, PHS, RST, SYN, and FIN)"; should read "However, the last six (URG, ACK, PSH, RST, SYN, and FIN)" | 20-Jan-16 |
11 | 462 | Errata in Text: Under section "Captive portals", currently reads "accessible use policy"; should read "acceptable use policy" | 20-Jan-16 |
11 | 491 | Errata in Text: At the bottom, currently reads "Versions include 802.11a (2 MB), 802.11b (11 MB), and 802.11g (54 MB)."; should read "Versions include 802.11 (2 Mbps), 802.11a (54 Mbps), 802.11b (11 Mbps), 802.11g (54 Mbps), 802.11n (600 Mbps), and 802.11ac (1.3+ Mbps)." | 20-Jan-16 |
12 | 521 | Errata in Text: In Table 12.1, the entries in the Protocols Supported column should be: PPP; PPP/SLIP; PPP; IP only | 31-Mar-16 |
12 | 521 | Errata in Text: Add the following note after Table 12.1: The VPN protocols that encapsulate PPP are able to support any sub-protocol compatible with PPP, which includes IPv4, IPv6, IPX, and AppleTalk. | 31-Mar-16 |
12 | 526 | Errata in Text: In the NOTE section, "PAT can theoretically support 65,536 (232)" should be "PAT can theoretically support 65,536 (2^16)" | 20-Jan-16 |
12 | 542 | Errata in Text: Chapter 12, page 542, first sentence under "Address Resolution Protocol Spoofing": "Network Layer (layer 3)" should be "Data Link Layer (Layer 2)" | 19-Jul-17 |
13 | 595 | Errata in Text: Paragraph beginning with bolded "Privileges" reads "Privileges are the combination of rights and privileges."; should read "Privileges are the combination of rights and permissions." | 20-Jan-16 |
14 | 625 | Errata in Text: Question 1 currently reads "explicit"; should read "implicit" | 08-Feb-16 |
13 | 580 | Errata in Text: Chapter 13, page 580, 2nd paragraph under "AAA Protocols", first sentence should be: "These AAA protocols use the access control elements of authentication, authorization, and accountability as described earlier in this chapter." | 19-Jul-17 |
16 | 674 | Errata in Text: The text currently reads "The cloud deployment model also affects the breakdown of responsibilities of the cloud-based assets. The three cloud models available are public, private, hybrid, and community."; should read "The cloud deployment model also affects the breakdown of responsibilities of the cloud-based assets. The four cloud models available are public, private, hybrid, and community." | 25-Jan-17 |
16 | 674 | Errata in Text: The text currently reads "Software as a Service (SaaS) SaaS models provide fully functional applications typically accessible via a web browser. For example, Google's Gmail is a SaaS application. The CSP is responsible for all maintenance of the IaaS services. Consumers do not manage or control any of the cloud-based assets."; should read "Software as a Service (SaaS) SaaS models provide fully functional applications typically accessible via a web browser. For example, Google's Gmail is a SaaS application. The CSP is responsible for all maintenance of the SaaS services. Consumers do not manage or control any of the cloud-based assets." | 25-Jan-17 |
16 | 689 | Errata in Text: Paragraph beginning "Cloud-based assets include any resources stored in the cloud.": "Platform as a Service (SaaS) offerings" should be "Platform as a Service (PaaS) offerings" | 19-Apr-17 |
17 | 699 | Errata in Text: Chapter 17, Preventing and Responding to Incidents, currently reads "Figure 17.1 shows the five steps involved in..."; should read "Figure 17.1 shows the seven steps involved in..." | 13-May-16 |
19 | 817 | Errata in Text: The text currently reads "They organize themselves loosely into groups with names like Anonymous and Lolzsec and use tools like the Low Orbit Ion Cannon to create large-scale denial-of-service attacks with little knowledge required."; should read "They organize themselves loosely into groups with names like Anonymous and Lulzsec and use tools like the Low Orbit Ion Cannon to create large-scale denial-of-service attacks with little knowledge required." | 25-Jan-17 |
20 | 868 | Errata in Text: First paragraph, last sentence currently reads "see the sidebar "Inference" later in this chapter."; should read "see "Inference," which was covered in Chapter 9." | 20-Jan-16 |
21 | 909 | Errata in Text: In the 4th paragraph, "Trap doors" should be "back doors" | 04-Jan-16 |
 | 929 | Errata in Text: Change #7 from "EPROMs" to "EPROMs (more specifically the UVEPROM sub-set)" | 1-Feb-17 |
2 | 28 | Errata in Text: In the last sentence of paragraph 2 on page 28, "... there are fewer guidelines than policies..." should be "... there are fewer guidelines than procedures..." | 1-Feb-18 |
Appendix C | 968 | Errata in Text: The Note should be changed to read: "If your copy of the book contains Appendix C, please note that the download and installation instructions in this appendix refer to an older version of the Sybex Study Tools. These are now hosted online and will run in your browser without requiring downloading or installation. Instructions for registering and accessing them are found at sybextestbanks.wiley.com." | 18-Jan-17 |
1 | 9 | Errata in Text: Last sentence before the AAA Services box, "or role-based access control (RBAC);" should be "or role-based access control (RBAC or role-BAC);" | 26-Sep-17 |
2 | 82 | Errata in Text: 4th paragraph, 6th line, change "being" to "begin" | 31-July-17 |
8 | 274 | Errata in Text: Under the "Control" heading, 2nd paragraph, next-to-last sentence, "This is called rule-based access control (RBAC)" should be "This is called rule-based access control (RBAC or rule-BAC)" | 26-Sep-17 |
6 | 195 | Errata in Text: Third line on that page, the "n" in "2n" should be superscript, as in 2^n | 13-Mar-2018 |