(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 8th Edition
ISBN: 978-1-119-47593-4
1104 pages
May 2018
Description
CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 8th Edition has been completely updated for the latest 2018 CISSP Body of Knowledge. This bestselling Sybex study guide covers 100% of all exam objectives. You'll prepare for the exam smarter and faster with Sybex thanks to expert content, real-world examples, advice on passing each section of the exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic exam essentials and chapter review questions.
Along with the book, you also get access to Sybex's superior online interactive learning environment that includes:
- Six unique 150-question practice exams to help you identify where you need to study more. Get more than 90 percent of the answers correct, and you're ready to take the certification exam.
- More than 700 Electronic Flashcards to reinforce your learning and give you last-minute test prep before the exam
- A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam
Coverage of all of the exam topics in the book means you'll be ready for:
- Security and Risk Management
- Asset Security
- Security Engineering
- Communication and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
Table of Contents
Introduction xxxiii
Assessment Test xlii
Chapter 1 Security Governance Through Principles and Policies 1
Understand and Apply Concepts of Confidentiality, Integrity, and Availability 2
Evaluate and Apply Security Governance Principles 14
Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 26
Understand and Apply Threat Modeling Concepts and Methodologies 30
Apply Risk-Based Management Concepts to the Supply Chain 38
Summary 40
Exam Essentials 42
Written Lab 44
Review Questions 45
Chapter 2 Personnel Security and Risk Management Concepts 49
Personnel Security Policies and Procedures 51
Security Governance 62
Understand and Apply Risk Management Concepts 63
Establish and Maintain a Security Awareness, Education, and Training Program 86
Manage the Security Function 87
Summary 88
Exam Essentials 89
Written Lab 92
Review Questions 93
Chapter 3 Business Continuity Planning 97
Planning for Business Continuity 98
Project Scope and Planning 99
Business Impact Assessment 105
Continuity Planning 111
Plan Approval and Implementation 114
Summary 119
Exam Essentials 119
Written Lab 120
Review Questions 121
Chapter 4 Laws, Regulations, and Compliance 125
Categories of Laws 126
Laws 129
Compliance 149
Contracting and Procurement 150
Summary 151
Exam Essentials 152
Written Lab 153
Review Questions 154
Chapter 5 Protecting Security of Assets 159
Identify and Classify Assets 160
Determining Ownership 178
Using Security Baselines 186
Summary 187
Exam Essentials 188
Written Lab 189
Review Questions 190
Chapter 6 Cryptography and Symmetric Key Algorithms 195
Historical Milestones in Cryptography 196
Cryptographic Basics 198
Modern Cryptography 214
Symmetric Cryptography 219
Cryptographic Lifecycle 228
Summary 229
Exam Essentials 229
Written Lab 231
Review Questions 232
Chapter 7 PKI and Cryptographic Applications 237
Asymmetric Cryptography 238
Hash Functions 242
Digital Signatures 246
Public Key Infrastructure 249
Asymmetric Key Management 253
Applied Cryptography 254
Cryptographic Attacks 265
Summary 268
Exam Essentials 269
Written Lab 270
Review Questions 271
Chapter 8 Principles of Security Models, Design, and Capabilities 275
Implement and Manage Engineering Processes Using Secure Design Principles 276
Understand the Fundamental Concepts of Security Models 281
Select Controls Based On Systems Security Requirements 295
Understand Security Capabilities of Information Systems 309
Summary 311
Exam Essentials 312
Written Lab 313
Review Questions 314
Chapter 9 Security Vulnerabilities, Threats, and Countermeasures 319
Assess and Mitigate Security Vulnerabilities 320
Client-Based Systems 342
Server-Based Systems 346
Database Systems Security 347
Distributed Systems and Endpoint Security 350
Internet of Things 358
Industrial Control Systems 359
Assess and Mitigate Vulnerabilities in Web-Based Systems 360
Assess and Mitigate Vulnerabilities in Mobile Systems 365
Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems 375
Essential Security Protection Mechanisms 379
Common Architecture Flaws and Security Issues 384
Summary 390
Exam Essentials 391
Written Lab 394
Review Questions 395
Chapter 10 Physical Security Requirements 399
Apply Security Principles to Site and Facility Design 400
Implement Site and Facility Security Controls 403
Implement and Manage Physical Security 422
Summary 431
Exam Essentials 432
Written Lab 434
Review Questions 435
Chapter 11 Secure Network Architecture and Securing Network Components 439
OSI Model 440
TCP/IP Model 451
Converged Protocols 470
Wireless Networks 472
Secure Network Components 486
Cabling, Wireless, Topology, Communications, and Transmission Media Technology 495
Summary 513
Exam Essentials 514
Written Lab 516
Review Questions 517
Chapter 12 Secure Communications and Network Attacks 521
Network and Protocol Security Mechanisms 522
Secure Voice Communications 525
Multimedia Collaboration 529
Manage Email Security 530
Remote Access Security Management 536
Virtual Private Network 540
Virtualization 546
Network Address Translation 549
Switching Technologies 553
WAN Technologies 556
Miscellaneous Security Control Characteristics 561
Security Boundaries 563
Prevent or Mitigate Network Attacks 564
Summary 569
Exam Essentials 571
Written Lab 573
Review Questions 574
Chapter 13 Managing Identity and Authentication 579
Controlling Access to Assets 580
Comparing Identification and Authentication 584
Implementing Identity Management 602
Managing the Identity and Access Provisioning Lifecycle 611
Summary 614
Exam Essentials 615
Written Lab 617
Review Questions 618
Chapter 14 Controlling and Monitoring Access 623
Comparing Access Control Models 624
Understanding Access Control Attacks 635
Summary 653
Exam Essentials 654
Written Lab 656
Review Questions 657
Chapter 15 Security Assessment and Testing 661
Building a Security Assessment and Testing Program 662
Performing Vulnerability Assessments 668
Testing Your Software 681
Implementing Security Management Processes 688
Summary 690
Exam Essentials 691
Written Lab 692
Review Questions 693
Chapter 16 Managing Security Operations 697
Applying Security Operations Concepts 698
Securely Provisioning Resources 710
Managing Configuration 718
Managing Change 719
Managing Patches and Reducing Vulnerabilities 723
Summary 728
Exam Essentials 729
Written Lab 731
Review Questions 732
Chapter 17 Preventing and Responding to Incidents 737
Managing Incident Response 738
Implementing Detective and Preventive Measures 745
Logging, Monitoring, and Auditing 773
Summary 790
Exam Essentials 792
Written Lab 795
Review Questions 796
Chapter 18 Disaster Recovery Planning 801
The Nature of Disaster 802
Understand System Resilience and Fault Tolerance 812
Recovery Strategy 818
Recovery Plan Development 827
Training, Awareness, and Documentation 835
Testing and Maintenance 836
Summary 838
Exam Essentials 838
Written Lab 839
Review Questions 840
Chapter 19 Investigations and Ethics 845
Investigations 846
Major Categories of Computer Crime 857
Ethics 861
Summary 864
Exam Essentials 864
Written Lab 865
Review Questions 866
Chapter 20 Software Development Security 871
Introducing Systems Development Controls 872
Establishing Databases and Data Warehousing 895
Storing Data and Information 904
Understanding Knowledge-Based Systems 906
Summary 909
Exam Essentials 909
Written Lab 910
Review Questions 911
Chapter 21 Malicious Code and Application Attacks 915
Malicious Code 916
Password Attacks 929
Application Attacks 933
Web Application Security 935
Reconnaissance Attacks 940
Masquerading Attacks 941
Summary 942
Exam Essentials 943
Written Lab 944
Review Questions 945
Appendix A Answers to Review Questions 949
Chapter 1: Security Governance Through Principles and Policies 950
Chapter 2: Personnel Security and Risk Management Concepts 951
Chapter 3: Business Continuity Planning 952
Chapter 4: Laws, Regulations, and Compliance 954
Chapter 5: Protecting Security of Assets 956
Chapter 6: Cryptography and Symmetric Key Algorithms 958
Chapter 7: PKI and Cryptographic Applications 960
Chapter 8: Principles of Security Models, Design, and Capabilities 961
Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 963
Chapter 10: Physical Security Requirements 965
Chapter 11: Secure Network Architecture and Securing Network Components 966
Chapter 12: Secure Communications and Network Attacks 968
Chapter 13: Managing Identity and Authentication 969
Chapter 14: Controlling and Monitoring Access 971
Chapter 15: Security Assessment and Testing 973
Chapter 16: Managing Security Operations 975
Chapter 17: Preventing and Responding to Incidents 977
Chapter 18: Disaster Recovery Planning 980
Chapter 19: Investigations and Ethics 981
Chapter 20: Software Development Security 983
Chapter 21: Malicious Code and Application Attacks 984
Appendix B Answers to Written Labs 987
Chapter 1: Security Governance Through Principles and Policies 988
Chapter 2: Personnel Security and Risk Management Concepts 988
Chapter 3: Business Continuity Planning 989
Chapter 4: Laws, Regulations, and Compliance 990
Chapter 5: Protecting Security of Assets 991
Chapter 6: Cryptography and Symmetric Key Algorithms 991
Chapter 7: PKI and Cryptographic Applications 992
Chapter 8: Principles of Security Models, Design, and Capabilities 992
Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 993
Chapter 10: Physical Security Requirements 994
Chapter 11: Secure Network Architecture and Securing Network Components 994
Chapter 12: Secure Communications and Network Attacks 995
Chapter 13: Managing Identity and Authentication 996
Chapter 14: Controlling and Monitoring Access 996
Chapter 15: Security Assessment and Testing 997
Chapter 16: Managing Security Operations 997
Chapter 17: Preventing and Responding to Incidents 998
Chapter 18: Disaster Recovery Planning 999
Chapter 19: Investigations and Ethics 999
Chapter 20: Software Development Security 1000
Chapter 21: Malicious Code and Application Attacks 1000
Index 1001
Author Information
ABOUT THE AUTHORS
Mike Chapple, PhD, CISSP, Security+, CISA, CySA+ is Associate Teaching Professor of IT, Analytics and Operations at the University of Notre Dame. He is a leading expert on cybersecurity certification and runs CertMike.com.
James Michael Stewart, CISSP, CEH, ECSA, CHFI, Security+, Network+, has focused on security, certification, networking, and various operating systems for more than 25 years. He teaches numerous job skill and certification focused courses. He has authored or coauthored more than 75 books.
Darril Gibson, CISSP, Security+, CASP, is CEO of YCDA, LLC. He regularly writes and consults on a variety of technical and security topics, and has authored or coauthored more than 35 books.
Errata
Do you think you've discovered an error in this book? Please check the list of errata below to see if we've already addressed the error. If not, please submit the error via our Errata Form. We will attempt to verify your error; if you're right, we will post a correction below.
| Chapter | Page | Details | Date | Print Run |
|---|---|---|---|---|
| Introduction | xxxiv | Errata in text: Under Prequalifications, second sentence, change "recent IT or IS degree." to "recent IT or IS degree or an approved security certification (see www.isc2.org for details)." | 12-7-18 | |
| Introduction | xxxvi | Errata in text: First paragraph, final sentence, change "CISSP-CAT format." to "CISSP-CAT format in English." | 12-7-18 | |
| Introduction | xxxvi | Errata in text: Second paragraph, change "The refreshed CISSP exam will be available" to "The refreshed CISSP exam is available". | 12-7-18 | |
| Introduction | xxxvii | Errata in text: Replace the paragraph beginning with "If English is not your first language?" with the following. If English is not your first language, you may register for one of several other language versions of the exam (when applicable). Or, if you choose to use the English version of the exam you may reference the translated (ISC)2 Certification Acronym and (ISC)2 Certification Terms glossaries, a complete list of acronyms and terms you may encounter during your (ISC)2 exam which is available from www.isc2.org. Finally, (ISC)2 exam policies are subject to change. Please be sure to check www.isc2.org for the current policies before you register and take the exam. | 26-11-18 | |
| Introduction | xxxvii | Errata in text: Introduction, page xxxvii, 2nd paragraph under Advice on Taking the Exam. Incorrect: It is not clear from (ISC)2's description of the CISSP-CAT format whether guessing is a good strategy in every case, but it does seem to be a better strategy than skipping questions. We recommend you attempt to eliminate as many answer selections as possible before making a guess, and consider skipping the question instead of randomly guessing only if you are unable to eliminate any answer options. Make educated guesses from a reduced set of options to increase your chance of getting a question correct. Correct: Question skipping is no longer allowed on the CISSP exam, and you're also not allowed to jump around, so one way or another, you have to come up with your best answer. We recommend you attempt to eliminate as many answer selections as possible before making a guess. Then you can make educated guesses from a reduced set of options to increase your chance of getting a question correct. | 06-Feb-2020 | |
| Introduction | xxxviii | Errata in text: Under "Completing the Certification Process", change 90 days to 9 months. | 7-Dec-2018 | |
| Introduction | xl | Errata in text: Under The Elements of This Study Guide, move the "Chapter Review Questions" paragraph to below that of the "Summaries" paragraph. | 12-7-18 | |
| Introduction | xli | Errata in text: Under Bonus Practice Exams, the URL at the end of the paragraph should be www.wiley.com/go/cissptestprep | 12-7-18 | |
| Answers to Assessment Test | li | Errata in text: Answer #37, add "The key element in this question is the term 'or' which focuses your attention on the one-way nature of a turnstile, as opposed to the bi-directional nature of a man-trap." | 14/3/2019 | |
| 1 | 16 | Errata in text: "chief information security officer (CISO)" needs italics. | 14/3/2019 | |
| 1 | 21 | Errata in text: Chapter 1, page 21: In the definition of "Top Secret", "cause grave damage to national security" should be "cause exceptionally grave damage to national security". In the definition of "Secret", "cause critical damage to national security." should be "cause serious damage to national security." In the definition of "Confidential", "cause serious damage to national security." should be "cause damage to national security." | 8-Feb-2020 | |
| 1 | 28 | Errata in text: Add the following sentence as the new third sentence in the second paragraph under "Security Standards, Baselines, and Guidelines": "A baseline is a more operationally focused form of a standard. It takes the goals of a security policy and the requirements of the standards and defines them specifically in the baseline as a rule against which to implement and compare IT systems." | 5-6-18 | |
| 2 | 61 | Errata in text: Chapter 2, page 61, paragraph after the note: "LC internet" should be "internet". | 7-Feb-19 | |
| 2 | 80 | Errata in text: From the Preventative section, delete "presence of security cameras or closed-circuit television (CCTV),". | 20-Nov-18 | |
| 2 | 82 | Errata in text: In second paragraph, change "Note that the discussion of qualitative versus quantitative risk analysis in the next section may clarify this issue." to "Note that the discussion of qualitative versus quantitative risk analysis earlier in this chapter may clarify this issue." | 12-7-18 | |
| 2 | 94 | Errata in text: Question 10, change answer D to "Vulnerabilities". | 20-Nov-18 | |
| 3 | 113 | Errata in text: At the "Alternate Sites" section, add to end: "Typically an alternate site associated with disaster recovery planning (DRP) rather than BCP. Being aware of the potential need for an alternate site can occur during BCP development, but the triggering of use of an alternate site is often due to the full interruption of mission critical processes which is categorized as a disaster and thus falls under the DRP." | 14/3/2019 | |
| 3 | 121 | Errata in text: Question 3, change answer B to "Review and validation of the business organization analysis". | 20-Nov-18 | |
| 3 | 122 | Errata in text: Question 11. Martin recently completed a thorough quantitative risk assessment for his organization. Which one of the following risks is least likely to be adequately addressed by his assessment? 1. Downtime from data center flooding 2. Cost of recovery from denial of service attack 3. Reputational damage from data breach 4. Remediation costs from ransomware attack | 6/12/18 | |
| 4 | 131 | Errata in text: 3rd paragraph, the words "MIT student" have to be deleted. | 14-Sep-19 | |
| 4 | 137 | Errata in text: Change "They provide a period of 20 years during which the inventor is granted exclusive rights to use the invention (whether directly or via licensing agreements)." to "They provide a period of 20 years (from the date of initial application) during which the inventor is granted exclusive rights to use the invention (whether directly or via licensing agreements)." | 15-Jun-18 | |
| 4 | 148 | Errata in text: Chapter 4, page 148, the first bullet under the GDPR section. Incorrect: "A data breach notification requirement that mandates that companies inform authorities of serious data breaches within 24 hours". Correction: 24 hours should be changed to 72 hours. | 7/1/19 | |
| 4 | 152 | Errata in text: Exam Essentials, in the paragraph starting with "Understand the various types of software license agreements.", change "Click-wrap" to "click-through". | 14/3/2019 | |
| 5 | 166 | Errata in text: 4th line down, "Public" in parentheses should be removed. | 14/3/2019 | |
| 5 | 179 | Errata in text: 2nd line down, "(CEO)" conflicts with "chief operating officer". | 14/3/2019 | |
| 5 | 182 | Errata in text: 3rd line down, "uploading" should be "upholding". | 14/3/2019 | |
| | 201 | Errata in text: "The Kerchoff Principle" should be "The Kerckhoffs's Principle". | 3-May-18 | |
| 6 | 222 | Errata in text: Change the sentence "DES-EEE3 has an effective key length of 168 bits." to "Mathematically, DES-EEE3 should have an effective key length of 168 bits. However, known attacks against this algorithm reduce the effective strength to 112 bits." After the next sentence (ending in "with a decryption operation.") add "This mode is vulnerable to the same type of attack as DES-EEE3 and, therefore, has an effective key strength of 112 bits." After the sentence "Both the third and fourth....112 bits" add "If an attacker is able to conduct a known plaintext attack against these two variants, the effective strength may be reduced to as low as 80 bits, depending upon the number of ciphertext/plaintext pairs available." Strike the paragraph "These four variants...equally secure." | 26-11-18 | |
| 6 | 224 | Errata in text: Second line from top of page, part of the paragraph following the Skipjack heading on the previous page, remove the word "four" so the statement reads as: "...supports the same modes of operation supported by DES..." | 14/3/2019 | |
| | 234 | Errata in text: "The Kerchoff Principle" should be "The Kerckhoffs's Principle". | 3-May-18 | |
| 7 | 257 | Errata in text: Incorrect: "As with SSL, TLS uses TCP port 443." Correct: "As with HTTPS over SSL, HTTPS over TLS uses TCP port 443." | 25-6-18 | |
| 7 | 271 | Errata in text: Question 1 should be: Brian computes the digest of a single sentence of text using a SHA-2 hash function. He then changes a single character of the sentence and computes the hash value again. Which one of the following statements is true about the new hash value? A. The new hash value will be one character different from the old hash value. B. The new hash value will share at least 50% of the characters of the old hash value. C. The new hash value will be unchanged. D. The new hash value will be completely different from the old hash value. | 25-6-18 | |
| 8 | 289 | Errata in text: In the Real World Scenario titled "Lattice-Based Access Control", change this original sentence from: "Thus, a subject that falls between the private and sensitive labels in a commercial scheme that reads bottom up as public, sensitive, private, proprietary, and confidential can access only public and sensitive data but not private, proprietary, or confidential data." to the following: "Thus, a subject using a computer labeled as private and sensitive in a commercial scheme (that reads bottom up as public, sensitive, private, proprietary, and confidential) can access only private and sensitive data but not public, proprietary, or confidential data. In this example, the computer has a LUB as the division between private and proprietary and a GLB as the division between public and sensitive." | 18-Sep 2018 | |
| 8 | 301 | Errata in text: Under the ITSEC Classes and Required Assurance and Functionality heading, change the first ITSEC to "Information Technology Security Evaluation Criteria (ITSEC)". | 20-Nov-18 | |
| 8 | 304 | Errata in text: Table 8.3, section listed as EAL6, the description reads "...probability of cover channels...". Should read "...probability of covert channels...". | 14/3/2019 | |
| 8 | 307 | Errata in text: Under Accreditation, after DAA add "(The RMF now defines the DAA as the Authorization Official (AO) for internal accreditation and as the Security Control Assessor (SCA) for external accreditation. The old or new means of addressing this function may be present on the CISSP exam.)" | 14/3/2019 | |
| 9 | 344 | Errata in text: Chapter 9, page 344, under Local Caches. Incorrect: "If the false reply is received by the client before the valid reply, then the false reply is used to populate the ARP cache and the valid reply is discarded as being outside an open query." Should be: "ARP cache is updated each time an ARP reply is received. The attacker will time their attack to ensure the false or poisoned ARP response/reply will update the targeted system's ARP cache with the invalid and mis-directing ARP mapping of the valid IP address and the incorrect/invalid MAC address." | 14-Feb-19 | |
| 9 | 350 | Errata in text: Change "A variation of AMP is massive parallel processing (MPP), where numerous SMP systems..." to "A variation of AMP is massive parallel processing (MPP), where numerous AMP systems..." | 20-Nov-18 | |
| 9 | 355 | Errata in text: Delete the 3rd paragraph from the last paragraph, starting out with "Cloud computing is a natural extension and evolution of virtualization, the internet". | 12-7-18 | |
| 9 | 359 | Errata in text: Under "Industrial Control Systems", second paragraph, first sentence, replace "plans" with "plants". | 14/3/2019 | |
| 9 | 360 | Errata in text: "Security Association Markup Language (SAML)" should be "Security Assertion Markup Language (SAML)". | 14-Sep-19 | |
| 9 | 363 | Errata in text: "Security Association Markup Language (SAML)" should be "Security Assertion Markup Language (SAML)". | 14-Sep-19 | |
| 9 | 383 | Errata in text: Expand "APIs" to "Application Programming Interfaces (APIs)". | 14-June-2019 | |
| 9 | 389 | Errata in text: TOCTTOU is spelled wrongly as TOCTOU. | 12-6-18 | |
| 9 | 397 | Errata in text: Q16. The final statement of this question is missing. Please include "(Select all that apply)" after the end of the question. For reference: "....in order to prevent or protect against XSS? (Select all that apply)" | 22-Jun-18 | |
| 10 | 417 | Errata in text: Chapter 10, page 417, under the Fire Prevention, Detection, and Suppression section, second paragraph, the three corners of the fire triangle are given as fire, heat and oxygen. Should be fuel, heat and oxygen. | 16/1/19 | |
| 10 | 425 | Errata in text: Add new sentence after "...respond to every situation.": "While this is considered a disadvantage, the lack of knowledge of the scope of the operations within a facility can also be considered an advantage as this supports confidentiality of those operations and thus helps reduce the possibility that a security guard will be involved in the disclosure of confidential information." | 14-June-2019 | |
| 10 | 427 | Errata in text: Under "Motion Detectors", replace the first two sub-sentences with: "A motion detector monitors for significant or meaningful changes in the digital pattern of a monitored area." "An infrared (PIR (passive infra-red)) or heat-based motion detector monitors for significant or meaningful changes in the heat levels and patterns in a monitored area." | 7/1/19 | |
| 10 | 436 | Errata in text: Q10, question text, replace the word "failure" with "a false positive". | December 12, 2019 | |
| 10 | 437 | Errata in text: Q17. Replace with the below content: Which of the following statements are not true in regards to static electricity? A. Electrostatic discharge can damage most computing components. B. Static charge accumulation is more prevalent when there is high humidity. C. Static discharge from a person to a metal object can be over 1,000 volts. D. Static electricity is not managed by the deployment of a UPS. | 22-Jun-18 | |
| 10 | 437 | Errata in text: Q14, change "must" to "may". | 22-Jun-18 | |
| 11 | 444 | Errata in text: Figure 11.4, change the three occurrences of "data stream" to "protocol data unit (PDU)". | 14-June-2019 | |
| 11 | 446 | Errata in text: http://standards.ieee.org/regauth/oui/index.shtml should be https://standards.ieee.org/products-services/regauth/index.html | 14-Sep-19 | |
| 11 | 448 | Errata in text: In the last sentence under routing protocols, "common examples of link state routing protocols are Open Shortest Path First (OSPF) and Interior Gateway Routing Protocol (IGRP)" should be changed to: "common examples of link state routing protocols are Open Shortest Path First (OSPF) and OSI's Intermediate System - Intermediate System (IS-IS)." | 26-11-18 | |
| 11 | 462 | Errata in text: On the line for "File Transfer Protocol (FTP)", change bold from "TCP Ports 20 (Passive Data)/Ephemeral (Active Data) and 21 (Control Connection)" to "TCP Ports 20 (Active Data)/Ephemeral (Passive Data) and 21 (Control Connection)". | 20-Nov-18 | |
| 11 | 462 | Errata in text: On the SSL line, change "HTTP Encryption" to "HTTPS SSL/TLS Encryption". | 14/3/2019 | |
| | 465 | Errata in text: On page 465. Incorrect: "Packet sniffing and other attacks are discussed in more detail in Chapter 13." Correct: "Eavesdropping and other attacks are discussed in more detail at the end of Chapter 12." | 1-Feb-19 | |
| 11 | 483 | Errata in text: Under War Chalking, last sentence, replace "war dialing" with "war driving". | 12-7-18 | |
| 11 | 497 | Errata in text: Chapter 11, page 497, heading "Baseband and Broadband Cables", last sentence of the first paragraph (in parentheses), change to "(Note that 100BaseTX is the technical nomenclature for FastEthernet, i.e. 100 MB Ethernet, but even modern Ethernet labeled as 1000BaseT or 1GBaseT is effectively just a faster form of 100BaseTX. 100BaseTX is implemented using a standard Cat 5, 5e, or 6 UTP or STP cable, where only 2 pairs (4 conductors) are actually in use. One twisted pair is used for receiving, the other for transmitting. Typically the orange and green pairs (pins 1 & 2 and 3 & 6 based on the TIA/EIA-568-B wiring standard))." | February 14, 2020 | |
| 11 | 505 | Errata in text: Chapter 11, page 505, Table 11.10: "HSPDA" should be "HSDPA". | 14-Feb-2020 | |
| 11 | 515 | Errata in text: In "Understand 802.11...", "1.3+ Mbps" should be "1.3+ Gbps". | 14-June-2019 | |
| 11 | 517 | Errata in text: Question 2, option B, change to "Adding a header and possibly a footer to data as it moves down the OSI stack". | 7/1/19 | |
| 11 | 518 | Errata in text: Q12, change question to: "What type of firewall evaluates the context of network traffic to make allow and deny decisions?" | 14/3/2019 | |
| 11 | 519 | Errata in text: Question 16, change answer A from WAP to "802.1x". | 20-Nov-18 | |
| 12 | 523 | Errata in text: 3rd paragraph under "Secure Communications Protocols", "Kerberos is discussed further in Chapter 13, 'Cryptography and Symmetric Key Algorithms.'" should be "Kerberos is discussed further in Chapter 13, 'Managing Identity and Authentication'". | | |
| 12 | 524 | Errata in text: Under CHAP, "CHAP encrypts usernames and passwords" should be "CHAP protects passwords from being sent in cleartext." | 14-June-2019 | |
| 12 | 533 | Errata in text: Under the heading Email Security Solutions, the last sentence of the first paragraph, please delete "We'll". | 22-Jun-18 | |
| 12 | 533 | Errata in text: Chapter 12, page 533, second sentence: "STMP" should be "SMTP". | February 14, 2020 | |
| 12 | 535 | Errata in text: First full paragraph, first sentence, please change "email repudiation filtering." to "email reputation filtering." | 22-Jun-18 | |
| 12 | 560 | Errata in text: Change "...Synchronous Transport Signals (STS) of SDH and/or the Synchronous Transport Modules (STM) of SONET." to "...Synchronous Transport Signals (STS) of SONET and/or the Synchronous Transport Modules (STM) of SDH." | 20-Nov-18 | |
| 12 | 560 | Errata in text: 2nd paragraph, "51.48" should be "51.84". | 14-June-2019 | |
| 12 | 561 | Errata in text: After HDLC, add this paragraph from the 7th edition which was unintentionally omitted: "High Speed Serial Interface (HSSI) High Speed Serial Interface is a DTE/DCE interface standard that defines how multiplexors and routers connect to high-speed network carrier services such as ATM or Frame Relay. A multiplexor is a device that transmits multiple communications or signals over a single cable or virtual circuit. HSSI defines the electrical and physical characteristics of the interfaces or connection points and thus operates at OSI layer 1 (the Physical layer)." | 14-June-2019 | |
| 13 | 582 | Errata in text: Chapter 13, page 582, near bottom, the paragraph starting with "Preventative Access Controls", replace the final sentence of that paragraph with: "Examples of preventive access controls include fences, locks, biometrics, mantraps, separation-of-duties policies, job rotation policies, data classification, access control methods, encryption, smart cards, callback procedures, security policies, security awareness training, antivirus software, firewalls, and intrusion prevention systems." | 27-Feb-2020 | |
| 13 | 587 | Errata in text: In the sentence "duplicate fingerprint on a gummi bear", Gummy is spelled wrongly (Gummi). | 8-6-18 | |
| 13 | 606 | Errata in text: Beginning of the last bullet (OAuth 2.0), "OAuth 2.0 (OAuth implying open authentication)...." should read "OAuth 2.0 (OAuth implying open authorization)....". | 14-June-2019 | |
| 13 | 609 | Errata in text: Chapter 13, page 609, first full paragraph, last sentence, replace "log on" with "authenticate". | 27-Feb-2020 | |
| 14 | 655 | Errata in text: "Salts add additional bits to a password before salting it and help thwart rainbow table attacks." should be "Salting adds additional bits to a password before hashing it and helps thwart rainbow table attacks." | 26-11-18 | |
| 15 | 675 | Errata in text: Please replace the text below in lower case with the text in upper case. Replace "lpr" with "LPR/LPD". | 22-Jun-18 | |
| 15 and Answers appendix | 696 & 974 | Errata in text: Question 19, change "Fagin" to "Fagan". | 20-Nov-18 | |
| 15 | 696 | Errata in text: In question 19, "Fagin inspection" should be "Fagan inspection". | 8-6-18 | |
| 17 | 782 | Errata in text: Under heading Network-Based DLP, second sentence, "edge of the negative to scan" should be changed to "edge of the network to scan". | 26-11-18 | |
| 17 | 786 | Errata in text: 2nd paragraph following the heading High-Level Administrator Groups, please change the first sentence from "Some groups have such high privileges that even in organizations with tens of thousands of users, their membership is limited to a very few people." to "Some groups have such high privileges that even in organizations with tens of thousands of users, their membership is limited." | 7/1/19 | |
| 17 | 786 | Errata in text: 2nd paragraph following the heading High-Level Administrator Groups, please change the sentence from "This group has so much power that membership is often restricted to only two or three high-level administrators." to "This group has so much power that Microsoft recommends it contains no users on a day-to-day basis. Administrators are only added to the group when the privileges are needed." | 7/1/19 | |
| 17 | 790 | Errata in text: Chapter 17, page 790, Summary, first sentence: "incidence" should be "incident". | 27-Feb-2020 | |
| 18 | 817 | Errata in text: Chapter 18, page 817, under the heading Quality of Service. "Quality of service (QoS) controls protect the integrity of data networks under load." should be "Quality of service (QoS) controls protect the availability of data networks under load." | 21/1/19 | |
| 19 | 868 | Errata in text: Question 14: Change "Parole" to "Parol". | 20-Nov-18 | |
| 20 | 887 | Errata in text: First line of list in SW-CMM and IDEAL Model Memorization sidebar, "Initiating" should be "Initial". | 7/1/19 | |
| 20 | 887 | Errata in text: Chapter 20, page 887, section "SW-CMM and IDEAL Model Memorization": the bottom right option should be "Optimizing", not "Optimized"; also the top left "Initial" should be "Initiating" (this would cause the top line of this chart to read "Initiating Initial"). | 27-Feb-2020 | |
| 20 | 897-898 | Errata in text: Under the section for Primary Keys, the last sentence referring to Figure 20.8, "Customer ID" should be "Company ID" in this sentence. | 7/1/19 | |
| 20 | 903 | Errata in text: Second paragraph, first sentence. Says "...which are discussed in the section "Aggregation" later in this chapter." Should say "...which are discussed in the "Aggregation" section in chapter 9." | | |
7-Aug-19 | |
904 | Errata in text Under heading "NoSQL", 3rd bullet, last sentence. "JavaSsript" misspelled, should be "JavaScript". |
3-May-18 | ||
20 | 906 | Errata in text in the paragraph starting on page 905 under Storage Threats and continuing on page 906, this sentence: Furthermore, systems that operate in a multilevel security environment should provide adequate controls to ensure that shared memory and storage resources are set up with fail-safe controls so that data from one classification level is not readable at a lower classification level. the word "fail-safe" should be "appropriate" |
14/3/2019 | |
21 | 919 | Errata in text In the paragraph beginning File Infector Viruses, change the end of the second sentence to For Windows-based systems, file infector viruses commonly affect executable files and scripts, such as those ending with .exe, .com, and .msc extensions. |
7/1/19 | |
21 | 919 | Errata in text 2nd full paragraph If you then open a Command tool and simply type GAME, Should read If you then open a Command prompt and simply type GAME, |
7/1/19 | |
21 | 920 | Errata in text chapter 21, Pg 920: Second paragraph "Service Injection Viruses" – winlogin.exe should be winlogon.exe |
27-Feb-2020 | |
21 | 934 | Errata in text In the sentence, The time of check to time of use (TOCTOU or TOC/TOU) issue is a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request. Change TOCTOU to TOCTTOU |
12-6-18 | |
21 | 934 | Errata in text In the sentence, For example, if an operating system builds a comprehensive list of access permissions for a user upon logon and then consults that list throughout the logon session, a TOCTOU vulnerability exists. Change TOCTOU to TOCTTOU |
12-6-18 | |
21 | 945 | Errata in text In question 3B, change TOCTOU to TOCTTOU |
12-6-18 | |
Appendix A | 953 | Errata in text Answer for Ch 3, question 10 Please replace the final sentence with - This yields an ALE of $750,000. |
22-Jun-18 | |
Appendix A | 953 | Errata in text Chapter 3 answers, question 9 answer, final sentence, change to "This yields an ALE of $135,000." |
20-Nov-18 | |
Appendix A | 960 | Errata in text Answers to chapter 7 questions, question 1 new answer, Answer: D. It is not possible to determine the degree of difference between two inputs by comparing their hash values. Changing even a single character in the input to a hash function will result in completely different output. |
25-6-18 | |
Appendix A | 965 | Errata in text Q10 answer explanation, replace the word "failure" with "a false positive". |
December 12, 2019 | |
Appendix A | 966 | Errata in text Answer key for Ch 10, Q17, replace with: B. Static charge accumulation is more prevalent when there is low humidity. High humidity is the cause of condensation, not static charge accumulation. |
22-Jun-18 | |
Appendix 1 | 966 | Errata in text Answers appendix, pg 996, Ch 11, Question 2, change explanation to B. Encapsulation is adding a header and possibly a footer to data as it moves down the OSI stack. |
7/1/19 | |
Appendix A | 967 | Errata in text Chapter 11 answers: question answer 16, change to: A. 802.1x is an IEEE standard for authentication which is not strictly related to wireless use. |
20-Nov-18 | |
11 | 967 | Errata in text Q 12, change answer to: "B. Statefull inspection firewalls evaluate the state or the context of network traffic. By examining source and destination addresses, application usage, source of origin, and relationship between current packets and the previous packets of the same session, stateful inspection firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities." |
14/3/2019 | |
Appendix A | 974 | Errata in text In 19C, Fagan inspection is spelled wrongly as Fagin inspection |
12-6-18 | |
Appendix A | 985 | Errata in text Answer 3B, change TOCTOU to TOCTTOU |
12-6-18 | |
Index | 1002 | Errata in text TOCTTOU is spelled wrongly as TOCTOU |
12-6-18 | |
Index | 1004 | Errata in text TOCTTOU is spelled wrongly as TOCTOU |
12-6-18 | |
1013 | Errata in text "The Kerchoff Principle" should be "The Kerckhoffs's Principle" |
3-May-18 | ||
Index | 1017 | Errata in text In the index for Due Care and Due Diligence, it lists the page number as page 25, Due Care and Due Diligence are on the top of page 26. |
14/3/2019 | |
1024 | Errata in text "The Kerchoff Principle" should be "The Kerckhoffs's Principle" |
3-May-18 | ||
Index | 1034 | Errata in Text index entry "system hide mode" [2nd column, subentry of protection mechanisms in previous column] Should be "system high mode" |
14-June-2019 | |
Index | 1046 | Errata in text TOCTTOU is spelled wrongly as TOCTOU |
12-6-18 | |
badvert2 | 1052 | Errata in Text Change 1. Go to bit.ly/SybexTest. To 1. Go to www.wiley.com/go/sybextestprep |
15-Apr-2021 |