Table of Contents

Introduction

CHAPTER 1: The CISSP Certification Exam

Introduction

Assessing Exam Readiness

Taking the Exam

Examples of CISSP Test Questions

Answer to Multiple-Choice Question

Answer to Drag and Drop Question

Answer to Hotspot Question

Exam Strategy

Question-Handling Strategies

Mastering the Inner Game

Need to Know More?

CHAPTER 2: Logical Asset Security

Introduction

Basic Security Principles

Data Management: Determine and Maintain Ownership

Data Governance Policy

Roles and Responsibility

Data Ownership

Data Custodians

Data Documentation and Organization

Data Warehousing

Data Mining

Knowledge Management

Data Standards

Data Lifecycle Control

Data Audit

Data Storage and Archiving

Data Security, Protection, Sharing, and Dissemination

Privacy Impact Assessment

Information Handling Requirements

Data Retention and Destruction

Data Remanence and Decommissioning

Classifying Information and Supporting Assets

Data Classification

Asset Management and Governance

Software Licensing

Equipment Lifecycle

Determine Data Security Controls

Data at Rest

Data in Transit

Endpoint Security

Baselines

Laws, Standards, Mandates and Resources

United States Resources

International Resources

Exam Prep Questions

Answers to Exam Prep Questions

Need to Know More?

CHAPTER 3: Physical Asset Security

Introduction

Physical Security Risks

Natural Disasters

Man-Made Threats

Technical Problems

Facility Concerns and Requirements

CPTED

Area Concerns

Location

Construction

Doors, Walls, Windows, and Ceilings

Asset Placement

Physical Port Controls

Perimeter Controls

Fences

Gates

Bollards

CCTV Cameras

Lighting

Guards and Dogs

Locks

Employee Access Control

Badges, Tokens, and Cards

Biometric Access Controls

Environmental Controls

Heating, Ventilating, and Air Conditioning

Electrical Power

Uninterruptible Power Supply

Equipment Life Cycle

Fire Prevention, Detection, and Suppression

Fire-Detection Equipment

Fire Suppression

Alarm Systems

Intrusion Detection Systems

Monitoring and Detection

Exam Prep Questions

Answers to Exam Prep Questions

Suggested Reading and Resources

CHAPTER 4: Security and Risk Management

Introduction

Security Governance

Third-Party Governance

Organization Processes

Protection of Intellectual Property

Privacy Laws and Protection of Personal Information

Relevant Laws and Regulations

United States Legal System and Laws

International Legal Systems and Laws

Computer Crime and Hackers

Sexual Harassment

Risk Management Concepts

Risk Management Frameworks

Risk Assessment

Countermeasure Selection

Develop and Implement Security Policy

Security Policy

Standards

Baselines

Guidelines

Procedures

Types of Controls

Administrative Controls

Technical Controls

Physical Controls

Access Control Categories

Implement Personnel Security

New-Hire Agreements and Policies

Separation of Duties

Job Rotation

Least Privilege

Mandatory Vacations

Termination

Security Education, Training, and Awareness

Security Awareness

Social Engineering

Professional Ethics Training and Awareness

ISC2 Code of Ethics

Computer Ethics Institute

Internet Architecture Board

NIST SP 800-14

Common Computer Ethics Fallacies

Regulatory Requirements for Ethics Programs

Exam Prep Questions

Answers to Exam Prep Questions

Need to Know More?

CHAPTER 5: Security Engineering

Introduction

Fundamental Concepts of Security Models

Central Processing Unit

Storage Media

I/O Bus Standards

Virtual Memory and Virtual Machines

Computer Configurations

Security Architecture

Protection Rings

Trusted Computer Base

Open and Closed Systems

Security Modes of Operation

Operating States

Recovery Procedures

Process Isolation

Common Formal Security Models

State Machine Model

Information Flow Model

Noninterference Model

Confidentiality

Integrity

Other Models

Product Security Evaluation Models

The Rainbow Series

Information Technology Security Evaluation Criteria

Common Criteria

System Validation

Certification and Accreditation

Security Guidelines and Governance

Enterprise Architecture

Regulatory Compliance and Process Control

Vulnerabilities of Security Architectures

Buffer Overflow

Back Doors

State Attacks

Covert Channels

Incremental Attacks

Emanations

Web-based Vulnerabilities

Mobile System Vulnerabilities

Exam Prep Questions

Answers to Exam Prep Questions

Need to Know More?

CHAPTER 6: The Application and Use of Cryptography

Introduction

Cryptographic Basics

History of Encryption

Steganography

Steganography Operation

Digital Watermark

Algorithms

Cipher Types and Methods

Symmetric Encryption

Data Encryption Standard

Triple-DES

Advanced Encryption Standard (AES)

International Data Encryption Algorithm

Rivest Cipher Algorithms

Asymmetric Encryption

Diffie-Hellman

RSA

El Gamal

Elliptical Curve Cryptosystem

Merkle-Hellman Knapsack

Review of Symmetric and Asymmetric Cryptographic Systems

Hybrid Encryption

Integrity and Authentication

Hashing and Message Digests

Digital Signatures

Cryptographic System Review

Public Key Infrastructure

Certificate Authority

Registration Authority

Certificate Revocation List

Digital Certificates

The Client’s Role in PKI

Email Protection Mechanisms

Pretty Good Privacy

Other Email Security Applications

Securing TCP/IP with Cryptographic Solutions

Application/Process Layer Controls

Host to Host Layer Controls

Internet Layer Controls

Network Access Layer Controls

Link and End-to-End Encryption

Cryptographic Attacks

Exam Prep Questions

Answers to Exam Prep Questions

Need to Know More?

CHAPTER 7: Communications and Network Security

Introduction

Secure Network Design

Network Models and Standards

OSI Model

Encapsulation/De-encapsulation

TCP/IP

Network Access Layer

Internet Layer

Host-to-Host (Transport) Layer

Application Layer

LANs and Their Components

LAN Communication Protocols

Network Topologies

LAN Cabling

Network Types

Network Storage

Communication Standards

Network Equipment

Repeaters

Hubs

Bridges

Switches

Mirrored Ports and Network Taps

VLANs

Routers

Gateways

Routing

WANs and Their Components

Packet Switching

Circuit Switching

Cloud Computing

Voice Communications and Wireless Communications

Voice over IP

Cell Phones

802.11 Wireless Networks and Standards

Network Access Control Devices

Firewalls

Demilitarized Zone

Firewall Design

Remote Access

Point-to-Point Protocol

Remote Authentication Dial-in User Service

Terminal Access Controller Access Control System

IPsec

Message Privacy and Multimedia Collaboration

Exam Prep Questions

Answers to Exam Prep Questions

Need to Know More?

CHAPTER 8: Identity and Access Management

Introduction

Identification, Authentication, and Authorization of People and Devices

Authentication Techniques

Identity Management Implementation

Single Sign-On

Kerberos

Sesame

Authorization and Access Control Techniques

Discretionary Access Control

Mandatory Access Control

Role-Based Access Control

Other Types of Access Controls

Access Control Models

Centralized Access Control

Decentralized Access Control

Audit and Monitoring

Monitoring Access and Usage

Intrusion Detection Systems

Intrusion Prevention Systems

Network Access Control

Keystroke Monitoring

Exam Prep Questions

Answers to Exam Prep Questions

Suggested Reading and Resources

CHAPTER 9: Security Assessment and Testing

Introduction

Security Assessments and Penetration Test Strategies

Audits

Vulnerability Assessments

Penetration Testing

Test Techniques and Methods

Security Threats and Vulnerabilities

Threat Actors

Attack Methodologies

Network Security Threats and Attack Techniques

Session Hijacking

Sniffing

Wiretapping

DoS Attacks

Distributed Denial of Service

Botnets

Other Network Attack Techniques

Access Control Threats and Attack Techniques

Unauthorized Access

Access Aggregation

Password Attacks

Spoofing

Eavesdropping and Shoulder Surfing

Identity Theft

Social-based Threats and Attack Techniques

Malicious Software Threats and Attack Techniques

Viruses

Worms

Logic Bombs

Backdoors and Trojans

Rootkits

Crimeware Kits

Advanced Persistent Threats

Ransomware

How Computer Crime Has Changed

Well-Known Computer Crimes and Criminals

Investigating Computer Crime

Computer Crime Jurisdiction

Incident Response

Forensics

Standardization of Forensic Procedures

Computer Forensics

Investigations

Search, Seizure, and Surveillance

Interviews and Interrogations

Honeypots and Honeynets

Evidence Types

Trial

The Evidence Life-Cycle

Exam Prep Questions

Answers to Exam Prep Questions

Need to Know More?

CHAPTER 10: Security Operations

Introduction

Foundational Security Operations Concepts

Managing Users and Accounts

Privileged Entities

Controlling Access

Clipping Levels

Resource Protection

Due Care and Due Diligence

Asset Management

System Hardening

Change and Configuration Management

Trusted Recovery

Remote Access

Media Management, Retention, and Destruction

Telecommunication Controls

Cloud Computing

Email

Whitelisting, Blacklisting, and Graylisting

Fax

PBX

Anti-malware

Honeypots and Honeynets

Patch Management

System Resilience, Fault Tolerance, and Recovery Controls

Backups

Fault Tolerance

RAID

Recovery Controls

Monitoring and Auditing Controls

Auditing User Activity

Monitoring Application Transactions

Security Information and Event Management (SIEM)

Network Access Control

Keystroke Monitoring

Emanation Security

Controlling Physical Access

Intrusion Detection Systems

Network-Based Intrusion Detection Systems

Host-Based Intrusion-Detection Systems

Signature-Based, Anomaly-Based, and Rule-Based IDS Engines

Intrusion Prevention Systems

Responding to Operational Security Incidents

Incident Response

The Disaster Recovery Life Cycle

Teams and Responsibilities

Exam Prep Questions

Answers to Exam Prep Questions

Need to Know More?

CHAPTER 11: Software Development Security

Introduction

Software Development

Avoiding System Failure

The System Development Lifecycle

Development Methods

The Waterfall Model

The Spiral Model

Joint Application Development

Rapid Application Development

Incremental Development

Prototyping

Modified Prototype Model (MPM)

Computer-Aided Software Engineering

Agile Development Methods

Capability Maturity Model

Scheduling

Change Management

Programming Languages

Object-Oriented Programming

CORBA

Database Management

Database Terms

Integrity

Transaction Processing

Artificial Intelligence and Expert Systems

Security of the Software Environment

Mobile Code

Buffer Overflow

Financial Attacks

Change Detection

Viruses

Worms

Exam Prep Questions

Answers to Exam Prep Questions

Need to Know More?

CHAPTER 12: Business Continuity Planning

Introduction

Threats to Business Operations

Business Continuity Planning (BCP)

Project Management and Initiation

Business Impact Analysis

Recovery Strategy

Plan Design and Development

Implementation

Testing

Monitoring and Maintenance

Exam Prep Questions

Answers to Exam Prep Questions

Need to Know More?

Practice Exam I

Answers to Practice Exam I

Practice Exam II

Answers to Practice Exam II

Glossary

Index
