
CISSP Exam Cram, Fifth Edition, is the perfect study guide to help you pass the new eight-domain version of the CISSP exam. It provides coverage and practice questions for every exam topic, including substantial new coverage of encryption, cloud security, information lifecycles, security management/governance, and more. The book contains an extensive set of preparation tools, such as quizzes, Exam Alerts, and two practice exams, while the companion website's test engine provides real-time practice and feedback.

Covers the critical information you'll need to pass the CISSP exam!

  • Enforce foundational security operations concepts

  • Apply reliable authentication, authorization, and accountability

  • Design security architectures that can be verified, certified, and accredited

  • Understand the newest attacks and countermeasures

  • Use encryption to safeguard data, systems, and networks

  • Systematically plan and test business continuity/disaster recovery programs

  • Protect today's cloud, web, and database applications

  • Address global compliance issues, from privacy to computer forensics

  • Develop software that is secure throughout its entire lifecycle

  • Implement effective security governance and risk management

  • Use best-practice policies, procedures, guidelines, and controls

  • Ensure strong operational controls, from background checks to security audits

Table of Contents

  1. Cover Page
  2. About This eBook
  3. Title Page
  4. Copyright Page
  5. Credits
  6. Contents at a Glance
  7. Table of Contents
  8. About the Author
  9. About the Technical Reviewer
  10. Dedication
  11. Acknowledgments
  12. We Want to Hear from You!
  13. Reader Services
  14. Introduction
    1. How to Prepare for the Exam
    2. Practice Tests
    3. Taking a Certification Exam
    4. Arriving at the Exam Location
    5. In the Testing Center
    6. After the Exam
    7. Retaking a Test
    8. Tracking Your CISSP Status
    9. About This Book
    10. The Chapter Elements
    11. Other Book Elements
    12. Chapter Contents
    13. Companion Website
    14. Accessing the Pearson Test Prep Practice Test Software and Questions
    15. Accessing the Pearson Test Prep Software Online
    16. Accessing the Pearson Test Prep Software Offline
    17. Customizing Your Exams
    18. Updating Your Exams
    19. Contacting the Author
    20. Assessing Your Readiness for the CISSP Exam
    21. Security Professionals in the Real World
    22. The Ideal CISSP Candidate
    23. Put Yourself to the Test
    24. Your Educational Background
    25. Testing Your Exam Readiness
    26. After the Exam
  15. Chapter 1 The CISSP Certification Exam
    1. Introduction
    2. Assessing Exam Readiness
    3. Exam Topics
    4. Taking the Exam
    5. Examples of CISSP Test Questions
    6. Answer to Multiple-Choice Question
    7. Answer to Drag and Drop Question
    8. Answer to Hotspot Question
    9. Question-Handling Strategies
    10. Mastering the Inner Game
    11. Need to Know More?
  16. Chapter 2 Understanding Asset Security
    1. Introduction
    2. Basic Security Principles
    3. Data Management: Determining and Maintaining Ownership
    4. Data Governance Policies
    5. Roles and Responsibilities
    6. Data Ownership
    7. Data Custodians
    8. Data Documentation and Organization
    9. Data Warehousing
    10. Data Mining
    11. Knowledge Management
    12. Data Standards
    13. Data Lifecycle Control
    14. Data Audits
    15. Data Storage and Archiving
    16. Data Security, Protection, Sharing, and Dissemination
    17. Privacy Impact Assessment
    18. Information Handling Requirements
    19. Record Retention and Destruction
    20. Data Remanence and Decommissioning
    21. Classifying Information and Supporting Asset Classification
    22. Data Classification
    23. Military Data Classification
    24. Public/Private Data Classification
    25. Asset Management and Governance
    26. Software Licensing
    27. The Equipment Lifecycle
    28. Determining Data Security Controls
    29. Data at Rest
    30. Data in Transit
    31. Endpoint Security
    32. Baselines
    33. Exam Prep Questions
    34. Answers to Exam Prep Questions
    35. Need to Know More?
  17. Chapter 3 Security and Risk Management
    1. Introduction
    2. Security Governance
    3. U.S. Legal System and Laws
    4. Relevant U.S. Laws and Regulations
    5. International Legal Systems and Laws
    6. International Laws to Protect Intellectual Property
    7. Global Legal and Regulatory Issues
    8. Computer Crime and Hackers
    9. Sexual Harassment
    10. U.S. Governance
    11. Health Insurance Portability and Accountability Act (HIPAA)
    12. Gramm-Leach-Bliley Act (GLBA)
    13. Federal Information Security Management Act (FISMA)
    14. Sarbanes-Oxley Act (SOX)
    15. National Institute of Standards and Technology (NIST)
    16. Federal Information Processing Standards (FIPS)
    17. International Governance
    18. Risk Management Concepts
    19. Risk Management Frameworks
    20. Risk Assessment
    21. Risk Management Team
    22. Asset Identification and Valuation
    23. Threat Analysis
    24. Quantitative Assessments
    25. Qualitative Assessments
    26. Selecting Countermeasures
    27. Threat Modeling Concepts and Methodologies
    28. Threat Modeling Steps
    29. Threat Modeling Tools and Methodologies
    30. Managing Risk with the Supply Chain and Third Parties
    31. Reducing Risk in Organization Processes
    32. Identifying and Prioritizing Business Continuity Requirements Based on Risk
    33. Project Management and Initiation
    34. Business Impact Analysis
    35. Assessing Potential Loss
    36. Developing and Implementing Security Policy
    37. Security Policy
    38. Advisory Policy
    39. Informative Policy
    40. Regulatory Policy
    41. Standards
    42. Baselines
    43. Guidelines
    44. Procedures
    45. Types of Controls
    46. Administrative Controls
    47. Technical Controls
    48. Physical Controls
    49. Access Control Categories
    50. Implementing Personnel Security
    51. New-Hire Agreements and Policies
    52. Separation of Duties
    53. Job Rotation
    54. Least Privilege
    55. Mandatory Vacations
    56. Termination
    57. Security Education, Training, and Awareness
    58. Security Awareness
    59. Social Engineering
    60. Professional Ethics Training and Awareness
    61. (ISC)2 Code of Ethics
    62. Computer Ethics Institute
    63. Internet Architecture Board
    64. NIST SP 800-14
    65. Common Computer Ethics Fallacies
    66. Regulatory Requirements for Ethics Programs
    67. Exam Prep Questions
    68. Answers to Exam Prep Questions
    69. Need to Know More?
  18. Chapter 4 Security Architecture and Engineering
    1. Introduction
    2. Secure Design Guidelines and Governance Principles
    3. Enterprise Architecture
    4. Regulatory Compliance and Process Control
    5. Fundamental Concepts of Security Models
    6. Central Processing Unit
    7. Storage Media
    8. RAM
    9. ROM
    10. Secondary Storage
    11. I/O Bus Standards
    12. Virtual Memory and Virtual Machines
    13. Computer Configurations
    14. Security Architecture
    15. Protection Rings
    16. Trusted Computing Base
    17. Open and Closed Systems
    18. Security Modes of Operation
    19. Operating States
    20. Recovery Procedures
    21. Process Isolation
    22. Common Formal Security Models
    23. State Machine Model
    24. Information Flow Model
    25. Noninterference Model
    26. Confidentiality
    27. Bell-LaPadula Model
    28. Integrity
    29. Biba Model
    30. Clark-Wilson Model
    31. Take-Grant Model
    32. Brewer and Nash Model
    33. Other Models
    34. Product Security Evaluation Models
    35. The Rainbow Series
    36. The Orange Book: Trusted Computer System Evaluation Criteria
    37. The Red Book: Trusted Network Interpretation
    38. Information Technology Security Evaluation Criteria (ITSEC)
    39. Common Criteria
    40. System Validation
    41. Certification and Accreditation
    42. Vulnerabilities of Security Architectures
    43. Buffer Overflows
    44. Backdoors
    45. State Attacks
    46. Covert Channels
    47. Incremental Attacks
    48. Emanations
    49. Web-Based Vulnerabilities
    50. Mobile System Vulnerabilities
    51. Cryptography
    52. Algorithms
    53. Cipher Types and Methods
    54. Symmetric Encryption
    55. Data Encryption Standard (DES)
    56. Electronic Codebook (ECB) Mode
    57. Cipher Block Chaining (CBC) Mode
    58. Cipher Feedback (CFB) Mode
    59. Output Feedback (OFB) Mode
    60. Counter (CTR) Mode
    61. Triple DES (3DES)
    62. Advanced Encryption Standard (AES)
    63. International Data Encryption Algorithm (IDEA)
    64. Rivest Cipher Algorithms
    65. Asymmetric Encryption
    66. Diffie-Hellman
    67. RSA
    68. ElGamal
    69. Elliptic Curve Cryptosystem (ECC)
    70. Merkle-Hellman Knapsack
    71. Review of Symmetric and Asymmetric Cryptographic Systems
    72. Hybrid Encryption
    73. Public Key Infrastructure and Key Management
    74. Certificate Authorities
    75. Registration Authorities
    76. Certificate Revocation Lists
    77. Digital Certificates
    78. The Client’s Role in PKI
    79. Integrity and Authentication
    80. Hashing and Message Digests
    81. MD Series
    82. SHA-1/2
    83. SHA-3
    84. HAVAL
    85. Message Authentication Code (MAC)
    86. HMAC
    87. CBC-MAC
    88. CMAC
    89. Digital Signatures
    90. DSA
    91. Cryptographic System Review
    92. Cryptographic Attacks
    93. Site and Facility Security Controls
    94. Exam Prep Questions
    95. Answers to Exam Prep Questions
    96. Need to Know More?
  19. Chapter 5 Communications and Network Security
    1. Introduction
    2. Secure Network Design
    3. Network Models and Standards
    4. OSI Model
    5. Physical Layer
    6. Data Link Layer
    7. Network Layer
    8. Transport Layer
    9. Session Layer
    10. Presentation Layer
    11. Application Layer
    12. OSI Summary
    13. Encapsulation/De-encapsulation
    14. TCP/IP
    15. Network Access Layer
    16. Internet Layer
    17. Internet Protocol (IP)
    18. Internet Control Message Protocol (ICMP)
    19. Address Resolution Protocol (ARP)
    20. Internet Group Management Protocol (IGMP)
    21. Host-to-Host (Transport) Layer
    22. Transmission Control Protocol (TCP)
    23. User Datagram Protocol (UDP)
    24. Comparing and Contrasting UDP and TCP
    25. Application Layer
    26. LANs and Their Components
    27. LAN Communication Protocols
    28. Network Topologies
    29. Bus Topology
    30. Mesh Topology
    31. Fully Connected Topology
    32. LAN Cabling
    33. Network Types
    34. Network Storage
    35. Communication Standards
    36. Network Equipment
    37. Repeaters
    38. Hubs
    39. Bridges
    40. Switches
    41. Mirrored Ports and Network Taps
    42. VLANs
    43. Routers
    44. Gateways
    45. Routing
    46. WANs and Their Components
    47. Packet Switching
    48. Synchronous Optical Network (SONET)
    49. X.25
    50. Frame Relay
    51. Asynchronous Transfer Mode (ATM)
    52. Circuit Switching
    53. Plain Old Telephone Service (POTS)
    54. Integrated Services Digital Network (ISDN)
    55. T-Carrier
    56. Digital Subscriber Line (DSL)
    57. Cable Internet Access
    58. Other WAN Technologies
    59. Cloud Computing
    60. Software-Defined WAN (SD-WAN)
    61. Securing Email Communications
    62. Pretty Good Privacy (PGP)
    63. Other Email Security Applications
    64. Securing Voice and Wireless Communications
    65. Secure Communications History
    66. Voice over IP (VoIP)
    67. VoIP Vulnerabilities
    68. Cell Phones
    69. 802.11 Wireless Networks and Standards
    70. Wireless Topologies
    71. Wireless Standards
    72. Bluetooth
    73. Wireless LAN Components
    74. Wireless Protection Mechanisms
    75. Other Wireless Technologies
    76. Securing TCP/IP with Cryptographic Solutions
    77. Application/Process Layer Controls
    78. Host-to-Host Layer Controls
    79. Internet Layer Controls
    80. Network Access Layer Controls
    81. Link and End-to-End Encryption
    82. Network Access Control Devices
    83. Firewalls
    84. Packet Filters
    85. Stateful Firewalls
    86. Proxy Servers
    87. Demilitarized Zone (DMZ)
    88. Network Address Translation (NAT)
    89. Remote Access
    90. Point-to-Point Protocol (PPP)
    91. Password Authentication Protocol (PAP)
    92. Challenge Handshake Authentication Protocol (CHAP)
    93. Extensible Authentication Protocol (EAP)
    94. Remote Authentication Dial-in User Service (RADIUS)
    95. Terminal Access Controller Access Control System (TACACS)
    96. Internet Protocol Security (IPsec)
    97. Message Privacy and Multimedia Collaboration
    98. Exam Prep Questions
    99. Answers to Exam Prep Questions
    100. Need to Know More?
  20. Chapter 6 Identity and Access Management
    1. Introduction
    2. Perimeter Physical Control Systems
    3. Fences
    4. Gates
    5. Bollards
    6. Additional Physical Security Controls
    7. CCTV Cameras
    8. Lighting
    9. Guards and Dogs
    10. Locks
    11. Lock Picking
    12. Employee Access Control
    13. Badges, Tokens, and Cards
    14. RFID Tags
    15. Biometric Access Controls
    16. Identification, Authentication, and Authorization
    17. Authentication Techniques
    18. Something You Know (Type 1): Passwords and PINs
    19. Something You Have (Type 2): Tokens, Cards, and Certificates
    20. Something You Are (Type 3): Biometrics
    21. Strong Authentication
    22. Identity Management Implementation
    23. Single Sign-On (SSO)
    24. Kerberos
    25. SESAME
    26. Authorization and Access Control Techniques
    27. Discretionary Access Control (DAC)
    28. Mandatory Access Control (MAC)
    29. Role-Based Access Control (RBAC)
    30. Attribute-Based Access Control
    31. Rule-Based Access Control
    32. Other Types of Access Control
    33. Centralized and Decentralized Access Control Models
    34. Centralized Access Control
    35. RADIUS
    36. TACACS
    37. Diameter
    38. Decentralized Access Control
    39. Audits and Monitoring
    40. Monitoring Access and Usage
    41. Intrusion Detection Systems (IDSs)
    42. Network-Based Intrusion Detection Systems (NIDSs)
    43. Host-Based Intrusion Detection Systems (HIDSs)
    44. Signature-Based, Anomaly-Based, and Rule-Based IDS Engines
    45. Sensor Placement
    46. Intrusion Prevention Systems (IPSs)
    47. Network Access Control (NAC)
    48. Keystroke Monitoring
    49. Exam Prep Questions
    50. Answers to Exam Prep Questions
    51. Suggested Reading and Resources
  21. Chapter 7 Security Assessment and Testing
    1. Introduction
    2. Security Assessments and Penetration Test Strategies
    3. Audits
    4. Root Cause Analyses
    5. Log Reviews
    6. Network Scanning
    7. Vulnerability Scans and Assessments
    8. Penetration Testing
    9. Test Techniques and Methods
    10. Security Threats and Vulnerabilities
    11. Threat Actors
    12. Attack Methodologies
    13. Network Security Threats and Attack Techniques
    14. Session Hijacking
    15. Sniffing
    16. Wiretapping
    17. DoS and DDoS Attacks
    18. Botnets
    19. Other Network Attack Techniques
    20. Access Control Threats and Attack Techniques
    21. Unauthorized Access
    22. Access Aggregation
    23. Password Attacks
    24. Dictionary Cracking
    25. Brute-Force Cracking
    26. Rainbow Tables
    27. Spoofing
    28. Eavesdropping and Shoulder Surfing
    29. Identity Theft
    30. Social-Based Threats and Attack Techniques
    31. Malicious Software Threats and Attack Techniques
    32. Viruses
    33. Worms
    34. Logic Bombs
    35. Backdoors and Trojans
    36. Wrappers, Packers, and Crypters
    37. Rootkits
    38. Exploit Kits
    39. Advanced Persistent Threats (APTs)
    40. Ransomware
    41. Investigating Computer Crime
    42. Computer Crime Jurisdiction
    43. Incident Response
    44. The Incident Response Team
    45. The Incident Response Process
    46. Incident Response and Results
    47. Disaster Recovery and Business Continuity
    48. Investigations
    49. Search, Seizure, and Surveillance
    50. Interviews and Interrogations
    51. Exam Prep Questions
    52. Answers to Exam Prep Questions
    53. Need to Know More?
  22. Chapter 8 Security Operations
    1. Introduction
    2. Foundational Security Operations Concepts
    3. Managing Users and Accounts
    4. Privileged Entities
    5. Controlling Access
    6. Clipping Levels
    7. Resource Protection
    8. Due Care and Due Diligence
    9. Asset Management
    10. System Hardening
    11. Change and Configuration Management
    12. Trusted Recovery
    13. Remote Access
    14. Media Management, Retention, and Destruction
    15. Telecommunication Controls
    16. Cloud Computing
    17. Email
    18. Whitelisting, Blacklisting, and Graylisting
    19. Firewalls
    20. Phone, Fax, and PBX
    21. Anti-malware
    22. Honeypots and Honeynets
    23. Patch Management
    24. System Resilience, Fault Tolerance, and Recovery Controls
    25. Recovery Controls
    26. Monitoring and Auditing Controls
    27. Auditing User Activity
    28. Monitoring Application Transactions
    29. Security Information and Event Management (SIEM)
    30. Network Access Control
    31. Keystroke Monitoring
    32. Emanation Security
    33. Perimeter Security Controls and Risks
    34. Natural Disasters
    35. Human-Caused Threats
    36. Technical Problems
    37. Facility Concerns and Requirements
    38. CPTED
    39. Area Concerns
    40. Location
    41. Construction
    42. Doors, Walls, Windows, and Ceilings
    43. Asset Placement
    44. Environmental Controls
    45. Heating, Ventilating, and Air Conditioning
    46. Electrical Power
    47. Uninterruptible Power Supplies (UPSs)
    48. Equipment Lifecycle
    49. Fire Prevention, Detection, and Suppression
    50. Fire-Detection Equipment
    51. Fire Suppression
    52. Water Sprinklers
    53. Halon
    54. Alarm Systems
    55. Intrusion Detection Systems (IDSs)
    56. Monitoring and Detection
    57. Intrusion Detection and Prevention Systems
    58. Investigations and Incidents
    59. Incident Response
    60. Digital Forensics, Tools, Tactics, and Procedures
    61. Standardization of Forensic Procedures
    62. Digital Forensics
    63. Acquisition
    64. Authentication
    65. Analysis
    66. The Disaster Recovery Lifecycle
    67. Teams and Responsibilities
    68. Recovery Strategy
    69. Business Process Recovery
    70. Facility and Supply Recovery
    71. User Recovery
    72. Operations Recovery
    73. Fault Tolerance
    74. Data and Information Recovery
    75. Backups
    76. Full Backups
    77. Differential Backups
    78. Incremental Backups
    79. Tape Rotation Schemes
    80. Other Data Backup Methods
    81. Plan Design and Development
    82. Personnel Mobilization
    83. Interface with External Groups
    84. Employee Services
    85. Insurance
    86. Implementation
    87. Awareness and Training
    88. Testing
    89. Monitoring and Maintenance
    90. Exam Prep Questions
    91. Answers to Exam Prep Questions
    92. Need to Know More?
  23. Chapter 9 Software Development Security
    1. Introduction
    2. Integrating Security into the Development Lifecycle
    3. Avoiding System Failure
    4. Checks and Application Controls
    5. Failure States
    6. The Software Development Lifecycle
    7. Project Initiation
    8. Functional Requirements and Planning
    9. Software Design Specifications
    10. Software Development and Build
    11. Acceptance Testing and Implementation
    12. Operations/Maintenance
    13. Disposal
    14. Development Methodologies
    15. The Waterfall Model
    16. The Spiral Model
    17. Joint Application Development (JAD)
    18. Rapid Application Development (RAD)
    19. Incremental Development
    20. Prototyping
    21. Modified Prototype Model (MPM)
    22. Computer-Aided Software Engineering (CASE)
    23. Agile Development Methods
    24. Maturity Models
    25. Scheduling
    26. Change Management
    27. Database Management
    28. Database Terms
    29. Integrity
    30. Transaction Processing
    31. Database Vulnerabilities and Threats
    32. Artificial Intelligence and Expert Systems
    33. Programming Languages, Secure Coding Guidelines, and Standards
    34. Object-Oriented Programming
    35. CORBA
    36. Security of the Software Environment
    37. Mobile Code
    38. Buffer Overflow
    39. Financial Attacks
    40. Change Detection
    41. Viruses and Worms
    42. Exam Prep Questions
    43. Answers to Exam Prep Questions
    44. Need to Know More?
  24. Practice Exam I
    1. Practice Exam Questions
  25. Practice Exam II
    1. Practice Exam Questions
  26. Answers to Practice Exam I
  27. Answers to Practice Exam II
  28. Glossary
  29. Index
  30. Where are the companion content files? - Register
  31. Inside Front Cover
  32. Inside Back Cover
  33. Code Snippets