
CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition

ISBN: 978-1-119-04271-6
1080 pages
September 2015

Description

CISSP Study Guide - fully updated for the 2015 CISSP Body of Knowledge

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition has been completely updated for the latest 2015 CISSP Body of Knowledge. This bestselling Sybex study guide covers 100% of all exam objectives. You'll prepare for the exam smarter and faster with Sybex thanks to expert content, real-world examples, advice on passing each section of the exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic exam essentials and chapter review questions.

Along with the book, you also get access to Sybex's superior online interactive learning environment that includes:

  • Four unique 250-question practice exams to help you identify where you need to study more. Get more than 90 percent of the answers correct, and you're ready to take the certification exam.
  • More than 650 electronic flashcards to reinforce your learning and give you last-minute test prep before the exam.
  • A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam.

Coverage of all of the exam topics in the book means you'll be ready for:

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communication and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

Table of Contents

Introduction xxxiii

Assessment Test xlii

Chapter 1 Security Governance Through Principles and Policies 1

Understand and Apply Concepts of Confidentiality, Integrity, and Availability 3

Confidentiality 4

Integrity 5

Availability 6

Other Security Concepts 8

Protection Mechanisms 12

Layering 12

Abstraction 12

Data Hiding 13

Encryption 13

Apply Security Governance Principles 13

Alignment of Security Function to Strategy, Goals, Mission, and Objectives 14

Organizational Processes 16

Security Roles and Responsibilities 22

Control Frameworks 23

Due Care and Due Diligence 24

Develop and Implement Documented Security Policy, Standards, Procedures, and Guidelines 25

Security Policies 25

Security Standards, Baselines, and Guidelines 26

Security Procedures 27

Understand and Apply Threat Modeling 28

Identifying Threats 30

Determining and Diagramming Potential Attacks 32

Performing Reduction Analysis 33

Prioritization and Response 34

Integrate Security Risk Considerations into Acquisition Strategy and Practice 35

Summary 36

Exam Essentials 38

Written Lab 41

Review Questions 42

Chapter 2 Personnel Security and Risk Management Concepts 47

Contribute to Personnel Security Policies 49

Employment Candidate Screening 52

Employment Agreements and Policies 53

Employment Termination Processes 54

Vendor, Consultant, and Contractor Controls 56

Compliance 57

Privacy 57

Security Governance 59

Understand and Apply Risk Management Concepts 60

Risk Terminology 61

Identify Threats and Vulnerabilities 63

Risk Assessment/Analysis 64

Risk Assignment/Acceptance 72

Countermeasure Selection and Assessment 73

Implementation 74

Types of Controls 75

Monitoring and Measurement 76

Asset Valuation 77

Continuous Improvement 78

Risk Frameworks 78

Establish and Manage Information Security Education, Training, and Awareness 81

Manage the Security Function 82

Summary 83

Exam Essentials 84

Written Lab 88

Review Questions 89

Chapter 3 Business Continuity Planning 93

Planning for Business Continuity 94

Project Scope and Planning 95

Business Organization Analysis 96

BCP Team Selection 96

Resource Requirements 98

Legal and Regulatory Requirements 100

Business Impact Assessment 101

Identify Priorities 101

Risk Identification 102

Likelihood Assessment 104

Impact Assessment 104

Resource Prioritization 106

Continuity Planning 107

Strategy Development 107

Provisions and Processes 108

Plan Approval 109

Plan Implementation 110

Training and Education 110

BCP Documentation 110

Continuity Planning Goals 111

Statement of Importance 111

Statement of Priorities 111

Statement of Organizational Responsibility 111

Statement of Urgency and Timing 112

Risk Assessment 112

Risk Acceptance/Mitigation 112

Vital Records Program 113

Emergency-Response Guidelines 113

Maintenance 114

Testing and Exercises 114

Summary 114

Exam Essentials 115

Written Lab 117

Review Questions 118

Chapter 4 Laws, Regulations, and Compliance 123

Categories of Laws 124

Criminal Law 124

Civil Law 126

Administrative Law 126

Laws 127

Computer Crime 127

Intellectual Property 132

Licensing 138

Import/Export 139

Privacy 139

Compliance 146

Contracting and Procurement 147

Summary 148

Exam Essentials 149

Written Lab 151

Review Questions 152

Chapter 5 Protecting Security of Assets 157

Classifying and Labeling Assets 158

Defining Sensitive Data 158

Defining Classifications 160

Defining Data Security Requirements 163

Understanding Data States 164

Managing Sensitive Data 165

Protecting Confidentiality with Cryptography 172

Identifying Data Roles 174

Data Owners 174

System Owners 175

Business/Mission Owners 176

Data Processors 176

Administrators 177

Custodians 178

Users 178

Protecting Privacy 178

Using Security Baselines 179

Scoping and Tailoring 180

Selecting Standards 180

Summary 181

Exam Essentials 182

Written Lab 183

Review Questions 184

Chapter 6 Cryptography and Symmetric Key Algorithms 189

Historical Milestones in Cryptography 190

Caesar Cipher 190

American Civil War 191

Ultra vs. Enigma 192

Cryptographic Basics 192

Goals of Cryptography 192

Cryptography Concepts 194

Cryptographic Mathematics 196

Ciphers 201

Modern Cryptography 208

Cryptographic Keys 208

Symmetric Key Algorithms 209

Asymmetric Key Algorithms 210

Hashing Algorithms 213

Symmetric Cryptography 214

Data Encryption Standard 214

Triple DES 216

International Data Encryption Algorithm 217

Blowfish 217

Skipjack 217

Advanced Encryption Standard 218

Symmetric Key Management 219

Cryptographic Life Cycle 222

Summary 222

Exam Essentials 223

Written Lab 225

Review Questions 226

Chapter 7 PKI and Cryptographic Applications 231

Asymmetric Cryptography 232

Public and Private Keys 232

RSA 233

El Gamal 235

Elliptic Curve 235

Hash Functions 236

SHA 237

MD2 238

MD4 238

MD5 239

Digital Signatures 240

HMAC 241

Digital Signature Standard 242

Public Key Infrastructure 242

Certificates 243

Certificate Authorities 243

Certificate Generation and Destruction 245

Asymmetric Key Management 246

Applied Cryptography 247

Portable Devices 247

Email 248

Web Applications 249

Digital Rights Management 252

Networking 255

Cryptographic Attacks 258

Summary 261

Exam Essentials 261

Written Lab 264

Review Questions 265

Chapter 8 Principles of Security Models, Design, and Capabilities 269

Implement and Manage Engineering Processes Using Secure Design Principles 270

Objects and Subjects 271

Closed and Open Systems 271

Techniques for Ensuring Confidentiality, Integrity, and Availability 272

Controls 274

Trust and Assurance 274

Understand the Fundamental Concepts of Security Models 275

Trusted Computing Base 276

State Machine Model 278

Information Flow Model 279

Noninterference Model 279

Take-Grant Model 280

Access Control Matrix 280

Bell-LaPadula Model 282

Biba Model 284

Clark-Wilson Model 286

Brewer and Nash Model (aka Chinese Wall) 287

Goguen-Meseguer Model 288

Sutherland Model 288

Graham-Denning Model 288

Select Controls and Countermeasures Based on Systems Security Evaluation Models 289

Rainbow Series 290

ITSEC Classes and Required Assurance and Functionality 295

Common Criteria 296

Industry and International Security Implementation Guidelines 299

Certification and Accreditation 300

Understand Security Capabilities of Information Systems 303

Memory Protection 303

Virtualization 303

Trusted Platform Module 303

Interfaces 304

Fault Tolerance 304

Summary 305

Exam Essentials 305

Written Lab 307

Review Questions 308

Chapter 9 Security Vulnerabilities, Threats, and Countermeasures 313

Assess and Mitigate Security Vulnerabilities 314

Hardware 315

Input/Output Structures 335

Firmware 336

Client-Based 337

Applets 337

Local Caches 339

Server Based 341

Database Security 341

Aggregation 341

Inference 342

Data Mining and Data Warehousing 342

Data Analytics 343

Large-Scale Parallel Data Systems 344

Distributed Systems 344

Cloud Computing 346

Grid Computing 347

Peer to Peer 348

Industrial Control Systems 348

Assess and Mitigate Vulnerabilities in Web-Based Systems 349

Assess and Mitigate Vulnerabilities in Mobile Systems 350

Device Security 352

Application Security 355

BYOD Concerns 357

Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems 360

Examples of Embedded and Static Systems 360

Methods of Securing 362

Essential Security Protection Mechanisms 364

Technical Mechanisms 364

Security Policy and Computer Architecture 367

Policy Mechanisms 367

Common Architecture Flaws and Security Issues 369

Covert Channels 369

Attacks Based on Design or Coding Flaws and Security Issues 370

Programming 373

Timing, State Changes, and Communication Disconnects 373

Technology and Process Integration 374

Electromagnetic Radiation 374

Summary 375

Exam Essentials 376

Written Lab 379

Review Questions 380

Chapter 10 Physical Security Requirements 385

Apply Secure Principles to Site and Facility Design 386

Secure Facility Plan 387

Site Selection 387

Visibility 388

Natural Disasters 388

Facility Design 388

Design and Implement Physical Security 389

Equipment Failure 390

Wiring Closets 391

Server Rooms 393

Media Storage Facilities 394

Evidence Storage 395

Restricted and Work Area Security (e.g., Operations Centers) 395

Datacenter Security 396

Utilities and HVAC Considerations 399

Water Issues (e.g., Leakage, Flooding) 402

Fire Prevention, Detection, and Suppression 402

Implement and Manage Physical Security 407

Perimeter (e.g., Access Control and Monitoring) 407

Internal Security (e.g., Escort Requirements/Visitor Control, Keys, and Locks) 409

Summary 415

Exam Essentials 416

Written Lab 420

Review Questions 421

Chapter 11 Secure Network Architecture and Securing Network Components 425

OSI Model 426

History of the OSI Model 427

OSI Functionality 427

Encapsulation/Deencapsulation 428

OSI Layers 429

TCP/IP Model 437

TCP/IP Protocol Suite Overview 438

Converged Protocols 452

Content Distribution Networks 453

Wireless Networks 454

Securing Wireless Access Points 454

Securing the SSID 456

Conducting a Site Survey 457

Using Secure Encryption Protocols 458

Determining Antenna Placement 461

Antenna Types 461

Adjusting Power Level Controls 461

Using Captive Portals 462

General Wi-Fi Security Procedure 462

Secure Network Components 463

Network Access Control 464

Firewalls 465

Endpoint Security 469

Other Network Devices 469

Cabling, Wireless, Topology, and Communications Technology 473

Network Cabling 473

Network Topologies 477

Wireless Communications and Security 480

LAN Technologies 485

Summary 490

Exam Essentials 490

Written Lab 494

Review Questions 495

Chapter 12 Secure Communications and Network Attacks 499

Network and Protocol Security Mechanisms 500

Secure Communications Protocols 501

Authentication Protocols 502

Secure Voice Communications 503

Voice over Internet Protocol (VoIP) 503

Social Engineering 504

Fraud and Abuse 505

Multimedia Collaboration 507

Remote Meeting 508

Instant Messaging 508

Manage Email Security 508

Email Security Goals 509

Understand Email Security Issues 510

Email Security Solutions 511

Remote Access Security Management 513

Plan Remote Access Security 515

Dial-Up Protocols 516

Centralized Remote Authentication Services 517

Virtual Private Network 517

Tunneling 518

How VPNs Work 519

Common VPN Protocols 520

Virtual LAN 522

Virtualization 523

Virtual Software 523

Virtual Networking 524

Network Address Translation 525

Private IP Addresses 526

Stateful NAT 527

Static and Dynamic NAT 528

Automatic Private IP Addressing 528

Switching Technologies 530

Circuit Switching 530

Packet Switching 531

Virtual Circuits 532

WAN Technologies 532

WAN Connection Technologies 534

Dial-Up Encapsulation Protocols 536

Miscellaneous Security Control Characteristics 537

Transparency 537

Verify Integrity 537

Transmission Mechanisms 538

Security Boundaries 539

Prevent or Mitigate Network Attacks 539

DoS and DDoS 540

Eavesdropping 541

Impersonation/Masquerading 542

Replay Attacks 542

Modification Attacks 542

Address Resolution Protocol Spoofing 542

DNS Poisoning, Spoofing, and Hijacking 543

Hyperlink Spoofing 544

Summary 545

Exam Essentials 546

Written Lab 549

Review Questions 550

Chapter 13 Managing Identity and Authentication 555

Controlling Access to Assets 556

Comparing Subjects and Objects 557

Types of Access Control 557

The CIA Triad 560

Comparing Identification and Authentication 560

Registration and Proofing of Identity 561

Authorization and Accountability 561

Authentication Factors 563

Passwords 564

Smartcards and Tokens 566

Biometrics 568

Multifactor Authentication 572

Device Authentication 572

Implementing Identity Management 573

Single Sign-On 573

Credential Management Systems 578

Integrating Identity Services 579

Managing Sessions 579

AAA Protocols 580

Managing the Identity and Access Provisioning Life Cycle 582

Provisioning 582

Account Review 583

Account Revocation 584

Summary 585

Exam Essentials 586

Written Lab 588

Review Questions 589

Chapter 14 Controlling and Monitoring Access 593

Comparing Access Control Models 594

Comparing Permissions, Rights, and Privileges 594

Understanding Authorization Mechanisms 595

Defining Requirements with a Security Policy 596

Implementing Defense in Depth 597

Discretionary Access Controls 598

Nondiscretionary Access Controls 598

Understanding Access Control Attacks 604

Risk Elements 605

Identifying Assets 605

Identifying Threats 607

Identifying Vulnerabilities 609

Common Access Control Attacks 610

Summary of Protection Methods 619

Summary 621

Exam Essentials 622

Written Lab 624

Review Questions 625

Chapter 15 Security Assessment and Testing 629

Building a Security Assessment and Testing Program 630

Security Testing 630

Security Assessments 631

Security Audits 632

Performing Vulnerability Assessments 634

Vulnerability Scans 634

Penetration Testing 642

Testing Your Software 643

Code Review and Testing 644

Interface Testing 646

Misuse Case Testing 648

Test Coverage Analysis 648

Implementing Security Management Processes 649

Log Reviews 649

Account Management 649

Backup Verification 650

Key Performance and Risk Indicators 650

Summary 650

Exam Essentials 651

Written Lab 653

Review Questions 654

Chapter 16 Managing Security Operations 659

Applying Security Operations Concepts 661

Need to Know and Least Privilege 661

Separation of Duties and Responsibilities 663

Job Rotation 666

Mandatory Vacations 666

Monitor Special Privileges 667

Managing the Information Life Cycle 668

Service Level Agreements 669

Addressing Personnel Safety 670

Provisioning and Managing Resources 670

Managing Hardware and Software Assets 671

Protecting Physical Assets 672

Managing Virtual Assets 672

Managing Cloud-based Assets 673

Media Management 675

Managing Configuration 678

Baselining 678

Using Images for Baselining 678

Managing Change 680

Security Impact Analysis 682

Versioning 683

Configuration Documentation 683

Managing Patches and Reducing Vulnerabilities 684

Patch Management 684

Vulnerability Management 685

Common Vulnerabilities and Exposures 688

Summary 688

Exam Essentials 689

Written Lab 691

Review Questions 692

Chapter 17 Preventing and Responding to Incidents 697

Managing Incident Response 698

Defining an Incident 698

Incident Response Steps 699

Implementing Preventive Measures 704

Basic Preventive Measures 705

Understanding Attacks 705

Intrusion Detection and Prevention Systems 715

Specific Preventive Measures 721

Logging, Monitoring, and Auditing 731

Logging and Monitoring 731

Egress Monitoring 740

Auditing to Assess Effectiveness 742

Security Audits and Reviews 745

Reporting Audit Results 746

Summary 748

Exam Essentials 750

Written Lab 754

Review Questions 755

Chapter 18 Disaster Recovery Planning 759

The Nature of Disaster 760

Natural Disasters 761

Man-made Disasters 765

Understand System Resilience and Fault Tolerance 770

Protecting Hard Drives 771

Protecting Servers 772

Protecting Power Sources 773

Trusted Recovery 773

Quality of Service 775

Recovery Strategy 775

Business Unit and Functional Priorities 776

Crisis Management 777

Emergency Communications 777

Workgroup Recovery 778

Alternate Processing Sites 778

Mutual Assistance Agreements 782

Database Recovery 783

Recovery Plan Development 784

Emergency Response 785

Personnel and Communications 786

Assessment 787

Backups and Offsite Storage 787

Software Escrow Arrangements 790

External Communications 791

Utilities 791

Logistics and Supplies 791

Recovery vs. Restoration 791

Training, Awareness, and Documentation 792

Testing and Maintenance 793

Read-Through Test 793

Structured Walk-Through 794

Simulation Test 794

Parallel Test 794

Full-Interruption Test 794

Maintenance 794

Summary 795

Exam Essentials 795

Written Lab 797

Review Questions 798

Chapter 19 Incidents and Ethics 803

Investigations 804

Investigation Types 804

Evidence 806

Investigation Process 810

Major Categories of Computer Crime 812

Military and Intelligence Attacks 813

Business Attacks 814

Financial Attacks 814

Terrorist Attacks 815

Grudge Attacks 815

Thrill Attacks 817

Incident Handling 817

Common Types of Incidents 818

Response Teams 820

Incident Response Process 821

Interviewing Individuals 824

Incident Data Integrity and Retention 825

Reporting and Documenting Incidents 825

Ethics 826

(ISC)2 Code of Ethics 827

Ethics and the Internet 828

Summary 829

Exam Essentials 830

Written Lab 832

Review Questions 833

Chapter 20 Software Development Security 837

Introducing Systems Development Controls 838

Software Development 838

Systems Development Life Cycle 844

Life Cycle Models 847

Gantt Charts and PERT 853

Change and Configuration Management 853

The DevOps Approach 855

Application Programming Interfaces 856

Software Testing 857

Code Repositories 858

Service-Level Agreements 859

Software Acquisition 860

Establishing Databases and Data Warehousing 860

Database Management System Architecture 861

Database Transactions 864

Security for Multilevel Databases 866

ODBC 868

Storing Data and Information 869

Types of Storage 869

Storage Threats 870

Understanding Knowledge-based Systems 870

Expert Systems 870

Neural Networks 872

Decision Support Systems 872

Security Applications 873

Summary 873

Exam Essentials 874

Written Lab 875

Review Questions 876

Chapter 21 Malicious Code and Application Attacks 881

Malicious Code 882

Sources of Malicious Code 882

Viruses 883

Logic Bombs 889

Trojan Horses 889

Worms 890

Spyware and Adware 893

Countermeasures 893

Password Attacks 895

Password Guessing 895

Dictionary Attacks 896

Social Engineering 897

Countermeasures 898

Application Attacks 899

Buffer Overflows 899

Time of Check to Time of Use 900

Back Doors 900

Escalation of Privilege and Rootkits 900

Web Application Security 901

Cross-Site Scripting (XSS) 901

SQL Injection 902

Reconnaissance Attacks 905

IP Probes 905

Port Scans 906

Vulnerability Scans 906

Dumpster Diving 906

Masquerading Attacks 907

IP Spoofing 907

Session Hijacking 908

Summary 908

Exam Essentials 909

Written Lab 910

Review Questions 911

Appendix A Answers to Review Questions 915

Chapter 1: Security Governance Through Principles and Policies 916

Chapter 2: Personnel Security and Risk Management Concepts 917

Chapter 3: Business Continuity Planning 918

Chapter 4: Laws, Regulations, and Compliance 920

Chapter 5: Protecting Security of Assets 922

Chapter 6: Cryptography and Symmetric Key Algorithms 924

Chapter 7: PKI and Cryptographic Applications 926

Chapter 8: Principles of Security Models, Design, and Capabilities 927

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 929

Chapter 10: Physical Security Requirements 931

Chapter 11: Secure Network Architecture and Securing Network Components 932

Chapter 12: Secure Communications and Network Attacks 933

Chapter 13: Managing Identity and Authentication 935

Chapter 14: Controlling and Monitoring Access 937

Chapter 15: Security Assessment and Testing 939

Chapter 16: Managing Security Operations 940

Chapter 17: Preventing and Responding to Incidents 943

Chapter 18: Disaster Recovery Planning 946

Chapter 19: Incidents and Ethics 948

Chapter 20: Software Development Security 949

Chapter 21: Malicious Code and Application Attacks 950

Appendix B Answers to Written Labs 953

Chapter 1: Security Governance Through Principles and Policies 954

Chapter 2: Personnel Security and Risk Management Concepts 954

Chapter 3: Business Continuity Planning 955

Chapter 4: Laws, Regulations, and Compliance 956

Chapter 5: Protecting Security of Assets 956

Chapter 6: Cryptography and Symmetric Key Algorithms 957

Chapter 7: PKI and Cryptographic Applications 958

Chapter 8: Principles of Security Models, Design, and Capabilities 958

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 959

Chapter 10: Physical Security Requirements 959

Chapter 11: Secure Network Architecture and Securing Network Components 960

Chapter 12: Secure Communications and Network Attacks 960

Chapter 13: Managing Identity and Authentication 961

Chapter 14: Controlling and Monitoring Access 962

Chapter 15: Security Assessment and Testing 962

Chapter 16: Managing Security Operations 963

Chapter 17: Preventing and Responding to Incidents 963

Chapter 18: Disaster Recovery Planning 964

Chapter 19: Incidents and Ethics 965

Chapter 20: Software Development Security 965

Chapter 21: Malicious Code and Application Attacks 966

Appendix C About the Additional Study Tools 967

Additional Study Tools 968

Sybex Test Engine 968

Electronic Flashcards 968

PDF of Glossary of Terms 968

Adobe Reader 968

System Requirements 969

Using the Study Tools 969

Troubleshooting 969

Customer Care 970

Index 971


Author Information

James Michael Stewart, CISSP, CEH, CHFI, Security+, has focused on security, certification, and various operating systems for more than 20 years. He teaches numerous job skill and certification courses.

Mike Chapple, PhD, CISSP, is Senior Director for IT Service Delivery at the University of Notre Dame. He oversees information security, data governance, IT architecture, project management, strategic planning, and product management functions.

Darril Gibson, CISSP, is CEO of YCDA, LLC. He regularly writes and consults on a variety of technical and security topics, and has authored or coauthored more than 35 books.


Errata

Do you think you've discovered an error in this book? Please check the list of errata below to see if we've already addressed the error. If not, please submit the error via our Errata Form. We will attempt to verify your error; if you're right, we will post a correction below.

Chapter / Page / Details / Date / Print Run
Introduction xl Error in Text
www.sybex.com/go/cissp7e
should be
sybextestbanks.wiley.com
5 Oct 2015
Introduction xli Error in Text
www.sybex.com/go/cissp7e
should be
sybextestbanks.wiley.com
5 Oct 2015
xliii Errata in Text
Question 6, Option c currently reads:
Stateful inspection
Should read:
Circuit level gateway
Note: Page xliii, assessment test
1-Dec-16
Introduction xxxvii Errata in Text
Introduction, page: xxxvii, paragraph before the note, last 2 sentences:
"Or, if you choose to use the English version of the exam, a translation dictionary is allowed. You must be able to prove that you need such a dictionary; this is usually accomplished with your birth certificate or your passport."
Needs to be changed to:
"(ISC)2 no longer allows dictionaries of any kind during the exam, this exclusion applies to translation dictionaries as well."
19-Jul-17
21 Error in Text
In Figure 1.5,

Currently Reads:
"Pulbic."

Should Read:
"Public"
04 Nov 2015
1 31 Errata in Text
Last paragraph currently reads:
Attempting to identity each

Should read:
Attempting to identify each
20-Jan-16
3 109 Errata in text
The Header 'Plan Approval' should be 'Plan Approval and Implementation'

(Heading Level should be H1)
20-Jan-16
3 109 Errata in text
Insert the heading 'Plan Approval' before the last paragraph of the page i.e., after Tip

Heading level should be H2
20-Jan-16
3 110 Errata in text
The header 'BCP Documentation' should be in Heading level H2
20-Jan-16
3 111 Errata in text
The Heading 'Continuity Planning Goals' should be reduced to Heading Level H3

The Heading 'Statement of Importance' should be reduced to Heading Level H3

The Heading 'Statement of Priorities' should be reduced to Heading Level H3

The Heading 'Statement of Organizational Responsibility' should be reduced to Heading Level H3
20-Jan-16
3 112 Errata in text
The Heading 'Statement of Urgency and Timing' should be reduced to Heading Level H3

The Heading 'Risk Assessment' should be reduced to Heading Level H3

The Heading 'Risk Acceptance/Mitigation' should be reduced to Heading Level H3
20-Jan-16
3 113 Errata in text
The Heading 'Vital Records Program' should be reduced to Heading Level H3

The Heading 'Emergency-Response Guidelines' should be reduced to Heading Level H3

20-Jan-16
3 114 Errata in text
The heading 'Maintenance' should be reduced to Heading Level H3

The heading 'Testing and Exercises' should be reduced to Heading Level H3
20-Jan-16
6 219 Errata in Text
Table 6.2 in Blowfish row with the 2nd and 3rd columns (block size and key size) currently reads:

Variable 1-448

Should Read:
64 32-448
20-Jan-16
226 Errata in Text
In Question 6, Choice C currently reads:
Availability
Should read:
Authentication
11-Jan-17
3 105 Errata in Text
Chapter 3, page 105
$11,667 should be $10,500 in two places.
19-Jul-17
6 224 Errata in Text
In Chapter 6, on page 224, in the second-to-last Exam Essential
The Data Encryption Standard operates in four modes: Electronic Codebook (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode, and Output Feedback (OFB) mode.
Should be:
The Data Encryption Standard operates in five modes: Electronic Codebook (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode, Output Feedback (OFB) mode, and Counter (CTR) mode.
19-Jul-17
7 234 Errata in Text
The text in list 3b currently reads:
(n – 1)
Should read:
( p – 1)
10-Jan-17
7 234 Errata in Text
The text in list 4 currently reads:
Find a number, d , such that ( ed - 1) mod (p - 1)(q - 1) = 0
Should read:
Find a number, d , such that ( ed - 1) mod (p - 1)(q - 1) = 1
10-Jan-17
7 235 Errata in text
Currently the entry for RSA reads: 1,088 bits

Should Read: 1,024 bits
28-Mar-16
7 235 Errata in Text
Chapter 7 page 235, 4th line, in description of Moore's law:
"18 months"
Should be
"two years"
4-Aug-17
7 258 Errata in Text
The first sentence in the first main paragraph currently reads:

"Another commonly used wireless security standard, IEEE 802.1x, provides..."

Should read:

"Another commonly used security standard, IEEE 802.1x, provides..."
20-Jan-16
258 Errata in text
The last sentence and bullet at the bottom of this page should be changed to:
There are two modifications that attackers can make to enhance the effectiveness of a brute-force attack:
  • Rainbow tables provide precomputed values for cryptographic hashes. These are commonly used for cracking passwords stored on a system in hashed form.

  • Specialized, scalable computing hardware designed specifically for the conduct of brute-force attacks may greatly increase the efficiency of this approach.
29-Mar-16
7 268 Errata in Text
Question 19, option C currently reads:
Skipjack
Should read:
Elliptic Curve Cryptography
10-Jan-17
327 Errata in Text
Pg 327 - section for EPROM:
Add new sentences between the first and second sentences: "There are two main sub-categories of EPROM, namely UVEPROM and EEPROM (see next item). UVEPROMs can be erased with a light."
Replace final EPROM with UVEPROM in same paragraph.
In the EEPROM definition, delete the first two sentences. Alter remaining 3rd sentence from "A more flexible, friendly alternative is..." to "A more flexible, friendly alternative to UVEPROM is...". Delete final sentence referring to removing from computer.
1-Feb-17
9 341 Errata in Text
The text currently reads:
"Management of data flow ensures not only efficient transmission with minimal delays or latency, but also reliable throughput using hashing and protection confidentiality with encryption."
Should read:
"Management of data flow ensures not only efficient transmission with minimal delays or latency, but also reliable throughput using hashing and confidentiality protection with encryption."
18-Jan-17
376 Errata in Text
The text currently reads:
EPROM
Should read:
EPROM/UVEPROM
replace EPROM with EPROM/UVEPROM
1-Feb-17
10 394 Errata in Text
The text currently reads:
"A basement with limited access or an interior room with no windows and only one entry/exit point makes an excellent substitute when an empty vault isn't available."
Should read:
"An interior room with limited access, no windows, and only one entry/exit point makes an excellent substitute when an empty vault isn't available."
18-Jan-17
10 397 Errata in text
Currently Reads:

(These are discussed in more detail in the previous section,"Motion Detectors," and later in the section "Intrusion Alarms.")

Should Read:

(These are discussed in more detail in the later sections "Motion Detectors," and "Intrusion Alarms.")
19-May-16
11 432 Errata in Text
Chapter 11, page 432, before the next to last paragraph which begins: "The Data Link layer..."
please add the following additional paragraph:
ARP is carried as the payload of an Ethernet frame. Since Ethernet is layer 2, it makes sense to consider ARP layer 3. However, ARP does not operate as a true Layer 3 protocol as it does not use a source/destination addressing scheme to direct communications in its header (similar to IP headers); instead it is dependent upon Ethernet's source and destination MAC addresses. Thus, ARP is not a true layer 3. ARP is also not truly a full layer 2 protocol either, as it depends upon Ethernet to serve as its transportation host; thus at best it is a dependent layer 2 protocol. The OSI model is a conceptual model and not an exacting description of how real protocols operate. Thus, ARP does not fit cleanly in the OSI organization. It would be best located at layer 2.5 (i.e., between layers 2 and 3). But for the CISSP exam, consider it a layer 2 protocol.
19-Jul-17
439 Errata in Text
In 'Transport Layer Protocols'

Currently Reads:

"Since port numbers are 16-digit binary numbers, the total number of ports is 216, or 65,536"

Should Read:

"Since port numbers are 16-digit binary numbers, the total number of ports is 2^16 , or 65,536"
04-Jan-16
11 442 Errata in Text
Box at the bottom currently reads:
However, the last six (URG, ACK, PHS, RST, SYN, and FIN)

Should read:
However, the last six (URG, ACK, PSH, RST, SYN, and FIN)
20-Jan-16
11 462 Errata in Text
Under section "Captive portals" currently reads:
accessible use policy

Should read:
acceptable use policy
20-Jan-16
11 491 Errata in Text
At the bottom, currently reads:
Versions include 802.11a (2 MB), 802.11b (11 MB), and 802.11g (54 MB).

Should read:
Versions include 802.11 (2 Mbps), 802.11a (54 Mbps), 802.11b (11 Mbps), 802.11g (54 Mbps), 802.11n (600 Mbps), and 802.11ac (1.3+ Mbps).
20-Jan-16
12 521 Errata in text
In Table 12.1: The entries in the Protocols Supported column should be:

PPP
PPP/SLIP
PPP
IP only
31-Mar-16
12 521 Errata in text
Add the following note after table 12.1:

The VPN protocols which encapsulate PPP are able to support any sub-protocol compatible with PPP, which includes IPv4, IPv6, IPX, and AppleTalk.
31-Mar-16
12 526 Errata in Text
In the NOTE section:
"PAT can theoretically support 65,536 (232) "

Should be:
PAT can theoretically support 65,536 (2^16)
20-Jan-16
12 542 Errata in Text
Chapter 12, Pg 542 first sentence under Address Resolution Protocol Spoofing
Network Layer (layer 3)
Should be
Data Link Layer (Layer 2)
19-Jul-17
13 595 Errata in Text
Paragraph beginning with bolded Privileges reads:
Privileges are the combination of rights and privileges.

Should read:
Privileges are the combination of rights and permissions.
20-Jan-16
14 625 Errata in Text
Question 1 currently reads the word as 'explicit'

Should read as 'implicit'
08-Feb-16
13 580 Errata in Text
Chapter 13: Pg 580, 2nd paragraph under AAA Protocols, first sentence should be:
These AAA protocols use the access control elements of authentication, authorization, and accountability as described earlier in this chapter.
19-Jul-17
16 674 Errata in Text
The text currently reads:
The cloud deployment model also affects the breakdown of responsibilities of the cloud-based assets. The three cloud models available are public, private, hybrid, and community.
Should Read:
The cloud deployment model also affects the breakdown of responsibilities of the cloud-based assets. The four cloud models available are public, private, hybrid, and community.
25-Jan-17
16 674 Errata in Text
The text currently reads:
Software as a Service (SaaS) SaaS models provide fully functional applications typically accessible via a web browser. For example, Google's Gmail is a SaaS application. The CSP is responsible for all maintenance of the IaaS services. Consumers do not manage or control any of the cloud-based assets.
Should read:
Software as a Service (SaaS) SaaS models provide fully functional applications typically accessible via a web browser. For example, Google's Gmail is a SaaS application. The CSP is responsible for all maintenance of the SaaS services. Consumers do not manage or control any of the cloud-based assets.
25-Jan-17
16 689 Errata in Text
paragraph beginning "Cloud-based assets include any resources stored in the cloud."
Platform as a Service (SaaS) offerings
Should be
Platform as a Service (PaaS) offerings
19-Apr-17
17 699 Errata in text
Chapter 17 - Preventing and Responding to Incidents

Currently Reads:
Figure 17.1 shows the five steps involved in..

Should Read:
Figure 17.1 shows the seven steps involved in..
13-May-16
19 817 Errata in Text
The text currently reads:
They organize themselves loosely into groups with names like Anonymous and Lolzsec and use tools like the Low Orbit Ion Cannon to create large-scale denial-of-service attacks with little knowledge required.
Should read:
They organize themselves loosely into groups with names like Anonymous and Lulzsec and use tools like the Low Orbit Ion Cannon to create large-scale denial-of-service attacks with little knowledge required.
25-Jan-17
20 868 Errata in Text
First paragraph, last sentence currently reads:
see the sidebar "Inference" later in this chapter.

Should read:
see "Inference" which was covered in chapter 9.
20-Jan-16
21 909 Errata in Text
In 4th paragraph

'Trap doors' should be 'back doors'
04-Jan-16
929 Errata in Text
change #7 from "EPROMs" to "EPROMs (more specifically the UVEPROM sub-set)"
1-Feb-17
Appendix C 968 Errata in Text
The Note should be changed to read:
If your copy of the book contains appendix C, please note that the download and installation instructions in this appendix refer to an older version of the Sybex Study Tools. These are now hosted online and will run in your browser without requiring downloading or installation. Instructions for registering and accessing them are found at sybextestbanks.wiley.com.
18-Jan-17
2 82 Errata in text
4th paragraph, 6th line, change being to begin
31-July-17
1 9 Errata in text
last sentence before AAA Services box:
or role-based access control (RBAC);
Should be
or role-based access control (RBAC or role-BAC);
26-Sep-17
8 274 Errata in text
under Control heading, 2nd paragraph, next to last sentence:
This is called rule-based access control (RBAC)
Should be
This is called rule-based access control (RBAC or rule-BAC)
26-Sep-17