Sybex


(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 8th Edition

ISBN: 978-1-119-47593-4
1104 pages
May 2018

Description

NOTE: The CISSP objectives this book covered were issued in 2018. For coverage of the most recent CISSP objectives effective in April 2021, please look for the latest edition of this guide: (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition (ISBN: 9781119786238).

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 8th Edition has been completely updated for the latest 2018 CISSP Body of Knowledge. This bestselling Sybex study guide covers 100% of all exam objectives. You'll prepare for the exam smarter and faster with Sybex thanks to expert content, real-world examples, advice on passing each section of the exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic exam essentials and chapter review questions.

Along with the book, you also get access to Sybex's superior online interactive learning environment that includes:

  • Six unique 150-question practice exams to help you identify where you need to study more. Get more than 90 percent of the answers correct, and you're ready to take the certification exam.
  • More than 700 Electronic Flashcards to reinforce your learning and give you last-minute test prep before the exam
  • A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam

Coverage of all of the exam topics in the book means you'll be ready for:

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communication and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

Table of Contents

Introduction xxxiii

Assessment Test xlii

Chapter 1 Security Governance Through Principles and Policies 1

Understand and Apply Concepts of Confidentiality, Integrity, and Availability 2

Evaluate and Apply Security Governance Principles 14

Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 26

Understand and Apply Threat Modeling Concepts and Methodologies 30

Apply Risk-Based Management Concepts to the Supply Chain 38

Summary 40

Exam Essentials 42

Written Lab 44

Review Questions 45

Chapter 2 Personnel Security and Risk Management Concepts 49

Personnel Security Policies and Procedures 51

Security Governance 62

Understand and Apply Risk Management Concepts 63

Establish and Maintain a Security Awareness, Education, and Training Program 86

Manage the Security Function 87

Summary 88

Exam Essentials 89

Written Lab 92

Review Questions 93

Chapter 3 Business Continuity Planning 97

Planning for Business Continuity 98

Project Scope and Planning 99

Business Impact Assessment 105

Continuity Planning 111

Plan Approval and Implementation 114

Summary 119

Exam Essentials 119

Written Lab 120

Review Questions 121

Chapter 4 Laws, Regulations, and Compliance 125

Categories of Laws 126

Laws 129

Compliance 149

Contracting and Procurement 150

Summary 151

Exam Essentials 152

Written Lab 153

Review Questions 154

Chapter 5 Protecting Security of Assets 159

Identify and Classify Assets 160

Determining Ownership 178

Using Security Baselines 186

Summary 187

Exam Essentials 188

Written Lab 189

Review Questions 190

Chapter 6 Cryptography and Symmetric Key Algorithms 195

Historical Milestones in Cryptography 196

Cryptographic Basics 198

Modern Cryptography 214

Symmetric Cryptography 219

Cryptographic Lifecycle 228

Summary 229

Exam Essentials 229

Written Lab 231

Review Questions 232

Chapter 7 PKI and Cryptographic Applications 237

Asymmetric Cryptography 238

Hash Functions 242

Digital Signatures 246

Public Key Infrastructure 249

Asymmetric Key Management 253

Applied Cryptography 254

Cryptographic Attacks 265

Summary 268

Exam Essentials 269

Written Lab 270

Review Questions 271

Chapter 8 Principles of Security Models, Design, and Capabilities 275

Implement and Manage Engineering Processes Using Secure Design Principles 276

Understand the Fundamental Concepts of Security Models 281

Select Controls Based On Systems Security Requirements 295

Understand Security Capabilities of Information Systems 309

Summary 311

Exam Essentials 312

Written Lab 313

Review Questions 314

Chapter 9 Security Vulnerabilities, Threats, and Countermeasures 319

Assess and Mitigate Security Vulnerabilities 320

Client-Based Systems 342

Server-Based Systems 346

Database Systems Security 347

Distributed Systems and Endpoint Security 350

Internet of Things 358

Industrial Control Systems 359

Assess and Mitigate Vulnerabilities in Web-Based Systems 360

Assess and Mitigate Vulnerabilities in Mobile Systems 365

Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems 375

Essential Security Protection Mechanisms 379

Common Architecture Flaws and Security Issues 384

Summary 390

Exam Essentials 391

Written Lab 394

Review Questions 395

Chapter 10 Physical Security Requirements 399

Apply Security Principles to Site and Facility Design 400

Implement Site and Facility Security Controls 403

Implement and Manage Physical Security 422

Summary 431

Exam Essentials 432

Written Lab 434

Review Questions 435

Chapter 11 Secure Network Architecture and Securing Network Components 439

OSI Model 440

TCP/IP Model 451

Converged Protocols 470

Wireless Networks 472

Secure Network Components 486

Cabling, Wireless, Topology, Communications, and Transmission Media Technology 495

Summary 513

Exam Essentials 514

Written Lab 516

Review Questions 517

Chapter 12 Secure Communications and Network Attacks 521

Network and Protocol Security Mechanisms 522

Secure Voice Communications 525

Multimedia Collaboration 529

Manage Email Security 530

Remote Access Security Management 536

Virtual Private Network 540

Virtualization 546

Network Address Translation 549

Switching Technologies 553

WAN Technologies 556

Miscellaneous Security Control Characteristics 561

Security Boundaries 563

Prevent or Mitigate Network Attacks 564

Summary 569

Exam Essentials 571

Written Lab 573

Review Questions 574

Chapter 13 Managing Identity and Authentication 579

Controlling Access to Assets 580

Comparing Identification and Authentication 584

Implementing Identity Management 602

Managing the Identity and Access Provisioning Lifecycle 611

Summary 614

Exam Essentials 615

Written Lab 617

Review Questions 618

Chapter 14 Controlling and Monitoring Access 623

Comparing Access Control Models 624

Understanding Access Control Attacks 635

Summary 653

Exam Essentials 654

Written Lab 656

Review Questions 657

Chapter 15 Security Assessment and Testing 661

Building a Security Assessment and Testing Program 662

Performing Vulnerability Assessments 668

Testing Your Software 681

Implementing Security Management Processes 688

Summary 690

Exam Essentials 691

Written Lab 692

Review Questions 693

Chapter 16 Managing Security Operations 697

Applying Security Operations Concepts 698

Securely Provisioning Resources 710

Managing Configuration 718

Managing Change 719

Managing Patches and Reducing Vulnerabilities 723

Summary 728

Exam Essentials 729

Written Lab 731

Review Questions 732

Chapter 17 Preventing and Responding to Incidents 737

Managing Incident Response 738

Implementing Detective and Preventive Measures 745

Logging, Monitoring, and Auditing 773

Summary 790

Exam Essentials 792

Written Lab 795

Review Questions 796

Chapter 18 Disaster Recovery Planning 801

The Nature of Disaster 802

Understand System Resilience and Fault Tolerance 812

Recovery Strategy 818

Recovery Plan Development 827

Training, Awareness, and Documentation 835

Testing and Maintenance 836

Summary 838

Exam Essentials 838

Written Lab 839

Review Questions 840

Chapter 19 Investigations and Ethics 845

Investigations 846

Major Categories of Computer Crime 857

Ethics 861

Summary 864

Exam Essentials 864

Written Lab 865

Review Questions 866

Chapter 20 Software Development Security 871

Introducing Systems Development Controls 872

Establishing Databases and Data Warehousing 895

Storing Data and Information 904

Understanding Knowledge-Based Systems 906

Summary 909

Exam Essentials 909

Written Lab 910

Review Questions 911

Chapter 21 Malicious Code and Application Attacks 915

Malicious Code 916

Password Attacks 929

Application Attacks 933

Web Application Security 935

Reconnaissance Attacks 940

Masquerading Attacks 941

Summary 942

Exam Essentials 943

Written Lab 944

Review Questions 945

Appendix A Answers to Review Questions 949

Chapter 1: Security Governance Through Principles and Policies 950

Chapter 2: Personnel Security and Risk Management Concepts 951

Chapter 3: Business Continuity Planning 952

Chapter 4: Laws, Regulations, and Compliance 954

Chapter 5: Protecting Security of Assets 956

Chapter 6: Cryptography and Symmetric Key Algorithms 958

Chapter 7: PKI and Cryptographic Applications 960

Chapter 8: Principles of Security Models, Design, and Capabilities 961

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 963

Chapter 10: Physical Security Requirements 965

Chapter 11: Secure Network Architecture and Securing Network Components 966

Chapter 12: Secure Communications and Network Attacks 968

Chapter 13: Managing Identity and Authentication 969

Chapter 14: Controlling and Monitoring Access 971

Chapter 15: Security Assessment and Testing 973

Chapter 16: Managing Security Operations 975

Chapter 17: Preventing and Responding to Incidents 977

Chapter 18: Disaster Recovery Planning 980

Chapter 19: Investigations and Ethics 981

Chapter 20: Software Development Security 983

Chapter 21: Malicious Code and Application Attacks 984

Appendix B Answers to Written Labs 987

Chapter 1: Security Governance Through Principles and Policies 988

Chapter 2: Personnel Security and Risk Management Concepts 988

Chapter 3: Business Continuity Planning 989

Chapter 4: Laws, Regulations, and Compliance 990

Chapter 5: Protecting Security of Assets 991

Chapter 6: Cryptography and Symmetric Key Algorithms 991

Chapter 7: PKI and Cryptographic Applications 992

Chapter 8: Principles of Security Models, Design, and Capabilities 992

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 993

Chapter 10: Physical Security Requirements 994

Chapter 11: Secure Network Architecture and Securing Network Components 994

Chapter 12: Secure Communications and Network Attacks 995

Chapter 13: Managing Identity and Authentication 996

Chapter 14: Controlling and Monitoring Access 996

Chapter 15: Security Assessment and Testing 997

Chapter 16: Managing Security Operations 997

Chapter 17: Preventing and Responding to Incidents 998

Chapter 18: Disaster Recovery Planning 999

Chapter 19: Investigations and Ethics 999

Chapter 20: Software Development Security 1000

Chapter 21: Malicious Code and Application Attacks 1000

Index 1001


Author Information

ABOUT THE AUTHORS

Mike Chapple, PhD, CISSP, Security+, CISA, CySA+ is Associate Teaching Professor of IT, Analytics and Operations at the University of Notre Dame. He is a leading expert on cybersecurity certification and runs CertMike.com.

James Michael Stewart, CISSP, CEH, ECSA, CHFI, Security+, Network+, has focused on security, certification, networking, and various operating systems for more than 25 years. He teaches numerous job-skill and certification-focused courses. He has authored or coauthored more than 75 books.

Darril Gibson, CISSP, Security+, CASP, is CEO of YCDA, LLC. He regularly writes and consults on a variety of technical and security topics, and has authored or coauthored more than 35 books.


Errata

Do you think you've discovered an error in this book? Please check the list of errata below to see if we've already addressed the error. If not, please submit the error via our Errata Form. We will attempt to verify your error; if you're right, we will post a correction below.

Chapter | Page | Details | Date | Print Run
Introduction xxxiv Errata in text
Under Prequalifications, second sentence,
Change
recent IT or IS degree.

To
recent IT or IS degree or an approved security certification (see www.isc2.org for details).
12-7-18
Introduction xxxvi Errata in text
First paragraph, final sentence
Change
CISSP-CAT format.

To
CISSP-CAT format in English.
12-7-18
Introduction xxxvi Errata in text
Second paragraph,
Change
The refreshed CISSP exam will be available

To
The refreshed CISSP exam is available
12-7-18
Introduction xxxvii Errata in text
Replace the paragraph beginning with "If English is not your first language?" with the following.
If English is not your first language, you may register for one of several other language versions of the exam (when applicable). Or, if you choose to use the English version of the exam you may reference the translated (ISC)2 Certification Acronym and (ISC)2 Certification Terms glossaries, a complete list of acronyms and terms you may encounter during your (ISC)2 exam which is available from www.isc2.org.
Finally, (ISC)2 exam policies are subject to change. Please be sure to check www.isc2.org for the current policies before you register and take the exam.
26-11-18
Introduction xxxvii Errata in text
Introduction, page xxxvii, 2nd paragraph under Advice on Taking the Exam
Incorrect:
It is not clear from (ISC)2's description of the CISSP-CAT format whether guessing is a good strategy in every case, but it does seem to be a better strategy than skipping questions. We recommend you attempt to eliminate as many answer selections as possible before making a guess, and consider skipping the question instead of randomly guessing only if you are unable to eliminate any answer options. Make educated guesses from a reduced set of options to increase your chance of getting a question correct.
Correct:
Question skipping is no longer allowed on the CISSP exam, and you're also not allowed to jump around, so one way or another, you have to come up with your best answer. We recommend you attempt to eliminate as many answer selections as possible before making a guess. Then you can make educated guesses from a reduced set of options to increase your chance of getting a question correct.
06-Feb-2020
Introduction xxxviii Errata in text
Under "Completing the Certification Process", change 90 days to 9 months.
7-Dec-2018
Introduction xl Errata in text
Under The Elements of This Study Guide.
Move “Chapter Review Questions” paragraph to below that of the “Summaries” paragraph.
12-7-18
Introduction xli Errata in text
Under Bonus Practice Exams, the URL at the end of the paragraph should be www.wiley.com/go/cissptestprep
12-7-18
Answers to Assessment Test li Errata in text
Answer #37

Add "The key element in this question is the term 'or' which focuses your attention on the one-way nature of a turnstile, as opposed to the bi-directional nature of a man-trap."
14/3/2019
1 16 Errata in text
"chief information security officer (CISO)" needs italics
14/3/2019
1 21 Errata in text
Chapter 1, page 21:
In the definition of "Top Secret"
"cause grave damage to national security" should be "cause exceptionally grave damage to national security"
In the definition of "Secret"
"cause critical damage to national security." should be "cause serious damage to national security."
In the definition of "Confidential"
"cause serious damage to national security." Should be "cause damage to national security."
8-Feb-2020
1 28 Errata in text
Add the following sentence as the new third sentence in the second
paragraph under "Security Standards, Baselines, and Guidelines":

"A baseline is a more operationally focused form of a standard. It
takes the goals of a security policy and the requirements of the
standards and defines them specifically in the baseline as a rule
against which to implement and compare IT systems."
5-6-18
2 61 Errata in text
Chapter 2, Page: 61, paragraph after the note

LC internet

Should be
internet
7-Feb-19
2 80 Errata in text
From the Preventative section, delete "presence of security cameras or closed-circuit television (CCTV),"
20-Nov-18
2 82 Errata in text
In second paragraph
Change
Note that the discussion of qualitative versus quantitative risk
analysis in the next section may clarify this issue.

To
Note that the discussion of qualitative versus quantitative risk
analysis earlier in this chapter may clarify this issue.
12-7-18
2 94 Errata in text
Question 10, change answer D to "Vulnerabilities".
20-Nov-18
3 113 Errata in text
At the "Alternate Sites" section, Add to end

"Typically an alternate site associated with disaster recovery planning (DRP) rather than BCP. Being aware of the potential need for an alternate site can occur during BCP development, but the triggering of use of an alternate site is often due to the full interruption of mission critical processes which is categorized as a disaster and thus falls under the DRP."
14/3/2019
3 121 Errata in text
question 3, change answer B to "Review and validation of the business organization analysis"
20-Nov-18
3 122 Errata in text
Question 11.
Martin recently completed a thorough quantitative risk assessment for his organization. Which one of the following risks is least likely to be adequately addressed by his assessment?
1. Downtime from data center flooding
2. Cost of recovery from denial of service attack
3. Reputational damage from data breach
4. Remediation costs from ransomware attack
6/12/18
4 131 Errata in text
3rd paragraph the word "MIT student" has to be deleted.
14-Sep-19
4 137 Errata in text
They provide a period of 20 years during which the inventor is granted
exclusive rights to use the invention (whether directly or via licensing
agreements).
to
They provide a period of 20 years (from the date of initial application)
during which the inventor is granted exclusive rights to use the
invention (whether directly or via licensing agreements).
15-Jun-18
4 148 Errata in text
Chapter 4, page 148, the first bullet under the GDPR section,
Incorrect
A data breach notification requirement that mandates that companies
inform authorities of serious data breaches within 24 hours

Correction
24 hours should be changed to 72 hours.
7/1/19
4 152 Errata in text
Exam Essentials, in the paragraph starting with
"Understand the various types of software license agreements."
change "Click-wrap" to "click-through".
14/3/2019
5 166 Errata in text
4th line down, "Public" in parentheses should be removed
14/3/2019
5 179 Errata in text
2nd line down, "(CEO)" conflicts with "chief operating officer".
14/3/2019
5 182 Errata in text
3rd line down, " uploading" should be "upholding".
14/3/2019
201 Errata in text
"The Kerchoff Principle" should be "The Kerckhoffs's Principle".
3-May-18
6 222 Errata in text
Change the sentence DES-EEE3 has an effective key length of 168 bits.
to
Mathematically, DES-EEE3 should have an effective key length of 168 bits. However, known attacks against this algorithm reduce the effective strength to 112 bits.
After the next sentence (ending in "with a decryption operation.")
add
This mode is vulnerable to the same type of attack as DES-EEE3 and, therefore, has an effective key strength of 112 bits.
After the sentence Both the third and fourth....112 bits
add
If an attacker is able to conduct a known plaintext attack against these two variants, the effective strength may be reduced to as low as 80 bits, depending upon the number of ciphertext/plaintext pairs available.
Strike the paragraph "These four variants...equally secure."
26-11-18
6 224 Errata in text
second line from top of page part of the paragraph following Skipjack heading on the previous page, remove word "four" so the statement reads as: "...supports the same modes of operation supported by DES..."
14/3/2019
234 Errata in text
"The Kerchoff Principle" should be "The Kerckhoffs's Principle"
3-May-18
7 257 Errata in text
Incorrect
As with SSL, TLS uses TCP port 443.

Correct
As with HTTPS over SSL, HTTPS over TLS uses TCP port 443.
25-6-18
7 271 Errata in text
Question 1 should be,

Brian computes the digest of a single sentence of text using a SHA-2
hash function. He then changes a single character of the sentence and
computes the hash value again. Which one of the following
statements is true about the new hash value?

A. The new hash value will be one character different from the old hash value.
B. The new hash value will share at least 50% of the characters of the old hash value.
C. The new hash value will be unchanged.
D. The new hash value will be completely different from the old hash value.
25-6-18
8 289 Errata in text
In the "Real World Scenario" titled "Lattice-Based Access Control"
change this original sentence from:
Thus, a subject that falls between the private and sensitive labels
in a commercial scheme that reads bottom up as public, sensitive,
private, proprietary, and confidential can access only public and
sensitive data but not private, proprietary, or confidential data.
To the following:
Thus, a subject using a computer labeled as private and sensitive in
a commercial scheme (that reads bottom up as public, sensitive, private,
proprietary, and confidential) can access only private and
sensitive data but not public, proprietary, or confidential data.
In this example, the computer has a LUB as the division between
private and proprietary and a GLB as the division between public
and sensitive.
18-Sep 2018
8 301 Errata in text
Under ITSEC Classes and Required Assurance and Functionality heading, change the first ITSEC to "Information Technology Security Evaluation Criteria (ITSEC)".
20-Nov-18
8 304 Errata in text
Table 8.3 section listed as EAL6 the description reads: "...probability of cover channels...". Should read: "...probability of covert channels...".
14/3/2019
8 307 Errata in text
Under Accreditation, after DAA add "(The RMF now defines the DAA as the Authorization Official (AO) for internal accreditation and as the Security Control Assessor (SCA) for external accreditation. The old or new means of addressing this function may be present on the CISSP exam.)"
14/3/2019
9 344 Errata in text
Chapter 9, Change Page 344, under Local Caches
Incorrect
If the false reply is received by the client before the valid reply,
then the false reply is used to populate the ARP cache and the valid
reply is discarded as being outside an open query.

Should be
ARP cache is updated each time an ARP reply is received. The attacker
will time their attack to ensure the false or poisoned ARP response/reply
will update the targeted system's ARP cache with the invalid and mis-directing
ARP mapping of the valid IP address and the incorrect/invalid MAC address.
14-Feb-19
9 350 Errata in text
Change "A variation of AMP is massive parallel processing (MPP), where numerous SMP systems..." to "A variation of AMP is massive parallel processing (MPP), where numerous AMP systems..."
20-Nov-18
9 355 Errata in text
Delete the 3rd paragraph from the last paragraph, starting out with,
“Cloud computing is a natural extension and evolution of virtualization, the internet”
12-7-18
9 359 Errata in text
Under "Industrial Control Systems", second paragraph, first sentence, replace "plans" with "plants".
14/3/2019
9 360 Errata in text
Security Association Markup Language (SAML)
Should be
Security Assertion Markup Language (SAML)
14-Sep-19
9 363 Errata in text
Security Association Markup Language (SAML)
Should be
Security Assertion Markup Language (SAML)
14-Sep-19
9 383 Errata in Text
expand "APIs" to "Application Programming Interfaces (APIs)".
14-June-2019
9 389 Errata in text
TOCTTOU is spelled wrongly as TOCTOU
12-6-18
9 397 Errata in text
Q16. The final statement of this question is missing. Please include
(Select all that apply) after the end of the question.
Please find the below for reference:
....in order to prevent or protect against XSS?(Select all that apply)
22-Jun-18
10 417 Errata in text
Chapter 10, page 417 Under the Fire Prevention, Detection, and Suppression section, second paragraph, the three corners of the fire triangle

fire, heat and oxygen.
Should be
fuel, heat and oxygen.
16/1/19
10 425 Errata in Text
add new sentence after "...respond to every situation." - "While this is considered a disadvantage, the lack of knowledge of the scope of the operations within a facility can also be considered an advantage as this supports confidentiality of those operations and thus helps reduce the possibility that a security guard will be involved in the disclosure of confidential information."
14-June-2019
10 427 Errata in text
Under "Motion Detectors" replace first two sub-sentences with:
"A motion detector monitors for significant or meaningful changes
in the digital pattern of a monitored area."

"An infrared (PIR (passive infra-red)) or heat-based motion detector
monitors for significant or meaningful changes in the heat levels and
patterns in a monitored area."
7/1/19
10 436 Errata in text
Q10, question text, replace the word "failure" with "a false positive".
December 12, 2019
10 437 Errata in text
Q17. Replace with the below content:
Which of the following statements are not true in regards to static electricity?
A. Electrostatic discharge can damage most computing components.
B. Static charge accumulation is more prevalent when there is high humidity.
C. Static discharge from a person to a metal object can be over 1,000 volts.
D. Static electricity is not managed by the deployment of a UPS.
22-Jun-18
10 437 Errata in text
Q14 - change must to may.
22-Jun-18
11 444 Errata in Text
figure 11.4,change the three occurrences of "data stream" to "protocol data unit (PDU)".
14-June-2019
11 446 Errata in text
http://standards.ieee.org/regauth/oui/index.shtml
should be
https://standards.ieee.org/products-services/regauth/index.html
14-Sep-19
11 448 Errata in text
In the last sentence under routing protocols
common examples of link state routing protocols are Open Shortest Path First (OSPF) and Interior Gateway Routing Protocol (IGRP)
Should be changed to:
common examples of link state routing protocols are Open Shortest Path First (OSPF) and OSI's Intermediate System - Intermediate System (IS-IS).
26-11-18
11 462 Errata in text
On the line for "File Transfer Protocol (FTP)" change bold from "TCP Ports 20 (Passive Data)/Ephemeral (Active Data) and 21 (Control Connection)" to "TCP Ports 20 (Active Data)/Ephemeral (Passive Data) and 21 (Control Connection)"
20-Nov-18
11 462 Errata in text
on SSL line, change "HTTP Encryption" to "HTTPS SSL/TLS Encryption".
14/3/2019
465 Errata in text
on page 465,
Incorrect
Packet sniffing and other attacks are discussed in more detail in Chapter 13.

Correct
Eavesdropping and other attacks are discussed in more detail at the end of Chapter 12.
1-Feb-19
11 483 Errata in text
Under War Chalking. Last sentence,
replace
war dialing

with
war driving
12-7-18
11 497 Errata in text
Chapter 11, Pg 497, heading "Baseband and Broadband Cables" – last sentence of the first paragraph (in parentheses), change to "(Note that 100BaseTX is the technical nomenclature for FastEthernet, i.e. 100 MB Ethernet, but even modern Ethernet labeled as 1000BaseT or 1GBaseT is effectively just a faster form of 100BaseTX. 100BaseTX is implemented using a standard Cat 5, 5e, or 6 UTP or STP cable, where only 2 pairs (4 conductors) are actually in use. One twisted pair is used for receiving, the other for transmitting. Typically the orange and green pairs (pins 1 & 2 and 3 & 6 based on the TIA/EIA-568-B wiring standard))."
February 14, 2020
11 505 Errata in text
Chapter 11, Page 505, Table 11.10: "HSPDA" should be "HSDPA"
14-Feb-2020
11 515 Errata in Text
in "Understand 802.11...", "1.3+ Mbps" Should be "1.3+ Gbps".
14-June-2019
11 517 Errata in text
Question 2, option B change to

Adding a header and possibly a footer to data as it moves down the OSI stack
7/1/19
11 518 Errata in text
Q 12, change question to: "What type of firewall evaluates the context of network traffic to make allow and deny decisions?"
14/3/2019
11 519 Errata in text
Question 16, change answer A from WAP to "802.1x".
20-Nov-18
12 523 Errata in text
3rd paragraph under “Secure Communications Protocols”
Kerberos is discussed further in Chapter 13, “Cryptography and Symmetric Key Algorithms.”

Should be
Kerberos is discussed further in Chapter 13, “Managing Identity and Authentication”
12 524 Errata in Text
under CHAP, "CHAP encrypts usernames and passwords" Should be "CHAP protects passwords from being sent in cleartext."
14-June-2019
12 533 Errata in text
Under the heading Email Security Solutions:
The last sentence of first paragraph, please delete, We'll
22-Jun-18
12 533 Errata in text
Chapter 12, Page 533, second sentence: "STMP" should be "SMTP"
February 14, 2020
12 535 Errata in text
First full paragraph, First sentence
Please change email repudiation filtering. to email reputation filtering.
22-Jun-18
12 560 Errata in text
Change "...Synchronous Transport Signals (STS) of SDH and/or the
Synchronous Transport Modules (STM) of SONET." to "...Synchronous
Transport Signals (STS) of SONET and/or the Synchronous Transport
Modules (STM) of SDH."
20-Nov-18
12 560 Errata in Text
2nd paragraph, "51.48" Should be "51.84".
14-June-2019
12 561 Errata in Text
after HDLC, add this paragraph from 7th edition which was unintentionally omitted: "High Speed Serial Interface (HSSI) High Speed Serial Interface is a DTE/DCE interface standard that defines how multiplexors and routers connect to high-speed network carrier services such as ATM or Frame Relay. A multiplexor is a device that transmits multiple communications or signals over a single cable or virtual circuit. HSSI defines the electrical and physical characteristics of the interfaces or connection points and thus operates at OSI layer 1 (the Physical layer)."
14-June-2019
13 582 Errata in text
Chapter 13, Pg 582, near bottom, the paragraph starting with "Preventative Access Controls" replace final sentence of that paragraph with:
"Examples of preventive access controls include fences, locks, biometrics, mantraps, separation-of-duties policies, job rotation policies, data classification, access control methods, encryption, smart cards, callback procedures, security policies, security awareness training, antivirus software, firewalls, and intrusion prevention systems."
27-Feb-2020
13 587 Errata in text
In the sentence "duplicate fingerprint on a gummi bear", Gummy is spelled wrongly (Gummi)
8-6-18
13 606 Errata in Text
beginning of the last bullet (OAuth 2.0) OAuth 2.0 (OAuth implying open authentication).... It should read as OAuth 2.0 (OAuth implying open authorization)....
14-June-2019
13 609 Errata in text
Chapter 13 Pg 609, first full paragraph, last sentence, replace "log on"
with
"authenticate".
27-Feb-2020
14 655 Errata in text
Salts add additional bits to a password before salting it and help thwart rainbow table attacks.
should be
Salting adds additional bits to a password before hashing it and helps thwart rainbow table attacks.
26-11-18
15 675 Errata in text
Please replace the text below, which is in lower case, with the
text given in upper case.
Replace lpr with LPR/LPD
22-Jun-18
15 and Answers appendix 696 & 974 Errata in text
Question 19, change "Fagin" to "Fagan".
20-Nov-18
15 696 Errata in text
In question no. 19, Fagin inspection should be Fagan inspection
8-6-18
Chapter 17, page 782: Errata in text
Under the heading "Network-Based DLP", second sentence: "edge of the negative to scan" should be changed to "edge of the network to scan".
26-11-18
Chapter 17, page 786: Errata in text
2nd paragraph following the heading High-Level Administrator Groups
Please change the first sentence from this
Some groups have such high privileges that even in organizations with
tens of thousands of users, their membership is limited to a very few people.

To this
Some groups have such high privileges that even in organizations with
tens of thousands of users, their membership is limited.
7/1/19
Chapter 17, page 786: Errata in text
2nd paragraph following the heading High-Level Administrator Groups
Please change the sentence from
This group has so much power that membership is often restricted to
only two or three high-level administrators.

To this
This group has so much power that Microsoft recommends it contains no
users on a day-to-day basis. Administrators are only added to the group when the privileges are needed.
7/1/19
Chapter 17, page 790: Errata in text
Chapter 17, Pg 790, Summary, first sentence: "incidence" should be "incident".
27-Feb-2020
Chapter 18, page 817: Errata in text
Chapter 18, page 817
Under the heading of Quality of Service.
Quality of service (QoS) controls protect the integrity of data networks under load.

should be
Quality of service (QoS) controls protect the availability of data networks under load.
21/1/19
Chapter 19, page 868: Errata in text
Question 14: Change "Parole" to "Parol"
20-Nov-18
Chapter 20, page 887: Errata in text
First line of list in SW-CMM and IDEAL Model Memorization sidebar
Initiating should be Initial
7/1/19
Chapter 20, page 887: Errata in text
Chapter 20, Pg 887, section "SW-CMM and IDEAL Model Memorization": the bottom right option should be "Optimizing", not "Optimized"; also, the top left "Initial" should be "Initiating" (this would cause the top line of this chart to read "Initiating Initial").
27-Feb-2020
Chapter 20, pages 897-898: Errata in text
under the section for Primary Keys, the last sentence referring to Figure 20.8
"Customer ID" should be "Company ID" in this sentence.
7/1/19
Chapter 20, page 903: Errata in text
Second paragraph, first sentence.

Says, "...which are discussed in the section "Aggregation" later in this chapter."
Should say, "...which are discussed in the "Aggregation" section in chapter 9."
7-Aug-19
Page 904: Errata in text
Under heading "NoSQL", 3rd bullet, last sentence. "JavaSsript" misspelled, should be "JavaScript".
3-May-18
Chapter 20, page 906: Errata in text
In the paragraph starting on page 905 under "Storage Threats" and continuing on page 906, in this sentence:

Furthermore, systems that operate in a multilevel security environment should provide adequate controls to ensure that shared memory and storage resources are set up with fail-safe controls so that data from one classification level is not readable at a lower classification level.

the word "fail-safe" should be "appropriate".
14/3/2019
Chapter 21, page 919: Errata in text
In the paragraph beginning "File Infector Viruses", change the end of the second sentence to:

For Windows-based systems, file infector viruses commonly affect
executable files and scripts, such as those ending with .exe, .com, and .msc extensions.
7/1/19
Chapter 21, page 919: Errata in text
2nd full paragraph
If you then open a Command tool and simply type GAME,

Should read
If you then open a Command prompt and simply type GAME,
7/1/19
Chapter 21, page 920: Errata in text
Chapter 21, Pg 920, second paragraph of "Service Injection Viruses": "winlogin.exe" should be "winlogon.exe".
27-Feb-2020
Chapter 21, page 934: Errata in text
In the sentence, "The time of check to time of use (TOCTOU or TOC/TOU)
issue is a timing vulnerability that occurs when a program checks
access permissions too far in advance of a resource request."

Change TOCTOU to TOCTTOU
12-6-18
Chapter 21, page 934: Errata in text
In the sentence, "For example, if an operating system builds a
comprehensive list of access permissions for a user upon logon and
then consults that list throughout the logon session, a TOCTOU
vulnerability exists."

Change TOCTOU to TOCTTOU
12-6-18
Chapter 21, page 945: Errata in text
In question 3B, change TOCTOU to TOCTTOU
12-6-18
Appendix A, page 953: Errata in text
Answer for Ch 3, question 10:
Please replace the final sentence with "This yields an ALE of $750,000."
22-Jun-18
Appendix A, page 953: Errata in text
Chapter 3 answers, question 9 answer, final sentence, change to "This
yields an ALE of $135,000."
20-Nov-18
Appendix A, page 960: Errata in text
Answers to chapter 7 questions, question 1, new answer:

Answer: D. It is not possible to determine the degree of difference
between two inputs by comparing their hash values. Changing even a
single character in the input to a hash function will result in
completely different output.
25-6-18
Appendix A, page 965: Errata in text
Q10 answer explanation, replace the word "failure" with "a false positive".
December 12, 2019
Appendix A, page 966: Errata in text
Answer key for Ch 10, Q17, replace with:
B. Static charge accumulation is more prevalent when there is low humidity. High humidity is the cause of condensation, not static charge accumulation.
22-Jun-18
Appendix 1, page 966: Errata in text
Answers appendix, pg 996, Ch 11, Question 2, change explanation to:

B. Encapsulation is adding a header and possibly a footer to data as it moves down the OSI stack.
7/1/19
Appendix A, page 967: Errata in text
Chapter 11 answers: question answer 16, change to: A. 802.1x is an IEEE
standard for authentication which is not strictly related to wireless use.
20-Nov-18
Chapter 11, page 967: Errata in text
Q 12, change answer to: "B. Stateful inspection firewalls evaluate the state or the context of network traffic. By examining source and destination addresses, application usage, source of origin, and relationship between current packets and the previous packets of the same session, stateful inspection firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities."
14/3/2019
Appendix A, page 974: Errata in text
In 19C, "Fagan inspection" is misspelled as "Fagin inspection".
12-6-18
Appendix A, page 985: Errata in text
Answer 3B, change TOCTOU to TOCTTOU
12-6-18
Index, page 1002: Errata in text
"TOCTTOU" is misspelled as "TOCTOU".
12-6-18
Index, page 1004: Errata in text
"TOCTTOU" is misspelled as "TOCTOU".
12-6-18
Page 1013: Errata in text
"The Kerchoff Principle" should be "The Kerckhoffs's Principle"
3-May-18
Index, page 1017: Errata in text
The index entry for Due Care and Due Diligence lists the page number as 25; Due Care and Due Diligence are at the top of page 26.
14/3/2019
Page 1024: Errata in text
"The Kerchoff Principle" should be "The Kerckhoffs's Principle"
3-May-18
Index, page 1034: Errata in Text
The index entry "system hide mode" (2nd column, a subentry of "protection mechanisms" in the previous column) should be "system high mode".
14-June-2019
Index, page 1046: Errata in text
"TOCTTOU" is misspelled as "TOCTOU".
12-6-18
badvert2, page 1052: Errata in Text
Change
1. Go to bit.ly/SybexTest.

To
1. Go to www.wiley.com/go/sybextestprep
15-Apr-2021