CONTENTS

In Memory of Shon Harris

Foreword

Acknowledgments

From the Author

Why Become a CISSP?

Chapter 1     Security and Risk Management

Fundamental Principles of Security

Availability

Integrity

Confidentiality

Balanced Security

Security Definitions

Control Types

Security Frameworks

ISO/IEC 27000 Series

Enterprise Architecture Development

Security Controls Development

Process Management Development

Functionality vs. Security

The Crux of Computer Crime Laws

Complexities in Cybercrime

Electronic Assets

The Evolution of Attacks

International Issues

Types of Legal Systems

Intellectual Property Laws

Trade Secret

Copyright

Trademark

Patent

Internal Protection of Intellectual Property

Software Piracy

Privacy

The Increasing Need for Privacy Laws

Laws, Directives, and Regulations

Employee Privacy Issues

Data Breaches

U.S. Laws Pertaining to Data Breaches

Other Nations’ Laws Pertaining to Data Breaches

Policies, Standards, Baselines, Guidelines, and Procedures

Security Policy

Standards

Baselines

Guidelines

Procedures

Implementation

Risk Management

Holistic Risk Management

Information Systems Risk Management Policy

The Risk Management Team

The Risk Management Process

Threat Modeling

Vulnerabilities

Threats

Attacks

Reduction Analysis

Risk Assessment and Analysis

Risk Analysis Team

The Value of Information and Assets

Costs That Make Up the Value

Identifying Vulnerabilities and Threats

Methodologies for Risk Assessment

Risk Analysis Approaches

Qualitative Risk Analysis

Protection Mechanisms

Putting It Together

Total Risk vs. Residual Risk

Handling Risk

Outsourcing

Risk Management Frameworks

Categorize Information System

Select Security Controls

Implement Security Controls

Assess Security Controls

Authorize Information System

Monitor Security Controls

Business Continuity and Disaster Recovery

Standards and Best Practices

Making BCM Part of the Enterprise Security Program

BCP Project Components

Personnel Security

Hiring Practices

Termination

Security-Awareness Training

Degree or Certification?

Security Governance

Metrics

Ethics

The Computer Ethics Institute

The Internet Architecture Board

Corporate Ethics Programs

Summary

Quick Tips

Questions

Answers

Chapter 2     Asset Security

Information Life Cycle

Acquisition

Use

Archival

Disposal

Information Classification

Classification Levels

Classification Controls

Layers of Responsibility

Executive Management

Data Owner

Data Custodian

System Owner

Security Administrator

Supervisor

Change Control Analyst

Data Analyst

User

Auditor

Why So Many Roles?

Retention Policies

Developing a Retention Policy

Protecting Privacy

Data Owners

Data Processors

Data Remanence

Limits on Collection

Protecting Assets

Data Security Controls

Media Controls

Data Leakage

Data Leak Prevention

Protecting Other Assets

Protecting Mobile Devices

Paper Records

Safes

Summary

Quick Tips

Questions

Answers

Chapter 3     Security Engineering

System Architecture

Computer Architecture

The Central Processing Unit

Multiprocessing

Memory Types

Operating Systems

Process Management

Memory Management

Input/Output Device Management

CPU Architecture Integration

Operating System Architectures

Virtual Machines

System Security Architecture

Security Policy

Security Architecture Requirements

Security Models

Bell-LaPadula Model

Biba Model

Clark-Wilson Model

Noninterference Model

Brewer and Nash Model

Graham-Denning Model

Harrison-Ruzzo-Ullman Model

Systems Evaluation

Common Criteria

Why Put a Product Through Evaluation?

Certification vs. Accreditation

Certification

Accreditation

Open vs. Closed Systems

Open Systems

Closed Systems

Distributed System Security

Cloud Computing

Parallel Computing

Databases

Web Applications

Mobile Devices

Cyber-Physical Systems

A Few Threats to Review

Maintenance Hooks

Time-of-Check/Time-of-Use Attacks

Cryptography in Context

The History of Cryptography

Cryptography Definitions and Concepts

Kerckhoffs’ Principle

The Strength of the Cryptosystem

Services of Cryptosystems

One-Time Pad

Running and Concealment Ciphers

Steganography

Types of Ciphers

Substitution Ciphers

Transposition Ciphers

Methods of Encryption

Symmetric vs. Asymmetric Algorithms

Symmetric Cryptography

Block and Stream Ciphers

Hybrid Encryption Methods

Types of Symmetric Systems

Data Encryption Standard

Triple-DES

Advanced Encryption Standard

International Data Encryption Algorithm

Blowfish

RC4

RC5

RC6

Types of Asymmetric Systems

Diffie-Hellman Algorithm

RSA

El Gamal

Elliptic Curve Cryptosystems

Knapsack

Zero Knowledge Proof

Message Integrity

The One-Way Hash

Various Hashing Algorithms

MD4

MD5

SHA

Attacks Against One-Way Hash Functions

Digital Signatures

Digital Signature Standard

Public Key Infrastructure

Certificate Authorities

Certificates

The Registration Authority

PKI Steps

Key Management

Key Management Principles

Rules for Keys and Key Management

Trusted Platform Module

TPM Uses

Attacks on Cryptography

Ciphertext-Only Attacks

Known-Plaintext Attacks

Chosen-Plaintext Attacks

Chosen-Ciphertext Attacks

Differential Cryptanalysis

Linear Cryptanalysis

Side-Channel Attacks

Replay Attacks

Algebraic Attacks

Analytic Attacks

Statistical Attacks

Social Engineering Attacks

Meet-in-the-Middle Attacks

Site and Facility Security

The Site Planning Process

Crime Prevention Through Environmental Design

Designing a Physical Security Program

Protecting Assets

Protecting Mobile Devices

Using Safes

Internal Support Systems

Electric Power

Environmental Issues

Fire Prevention, Detection, and Suppression

Summary

Quick Tips

Questions

Answers

Chapter 4     Communication and Network Security

Telecommunications

Open Systems Interconnection Reference Model

Protocol

Application Layer

Presentation Layer

Session Layer

Transport Layer

Network Layer

Data Link Layer

Physical Layer

Functions and Protocols in the OSI Model

Tying the Layers Together

Multilayer Protocols

TCP/IP Model

TCP

IP Addressing

IPv6

Layer 2 Security Standards

Converged Protocols

Types of Transmission

Analog and Digital

Asynchronous and Synchronous

Broadband and Baseband

Cabling

Coaxial Cable

Twisted-Pair Cable

Fiber-Optic Cable

Cabling Problems

Networking Foundations

Network Topology

Media Access Technologies

Transmission Methods

Network Protocols and Services

Domain Name Service

E-mail Services

Network Address Translation

Routing Protocols

Networking Devices

Repeaters

Bridges

Routers

Switches

Gateways

PBXs

Firewalls

Proxy Servers

Honeypot

Unified Threat Management

Content Distribution Networks

Software Defined Networking

Intranets and Extranets

Metropolitan Area Networks

Metro Ethernet

Wide Area Networks

Telecommunications Evolution

Dedicated Links

WAN Technologies

Remote Connectivity

Dial-up Connections

ISDN

DSL

Cable Modems

VPN

Authentication Protocols

Wireless Networks

Wireless Communications Techniques

WLAN Components

Evolution of WLAN Security

Wireless Standards

Best Practices for Securing WLANs

Satellites

Mobile Wireless Communication

Network Encryption

Link Encryption vs. End-to-End Encryption

E-mail Encryption Standards

Internet Security

Network Attacks

Denial of Service

Sniffing

DNS Hijacking

Drive-by Download

Summary

Quick Tips

Questions

Answers

Chapter 5     Identity and Access Management

Security Principles

Availability

Integrity

Confidentiality

Identification, Authentication, Authorization, and Accountability

Identification and Authentication

Authentication

Authorization

Federation

Identity as a Service

Integrating Identity Services

Access Control Models

Discretionary Access Control

Mandatory Access Control

Role-Based Access Control

Rule-Based Access Control

Access Control Techniques and Technologies

Constrained User Interfaces

Access Control Matrix

Content-Dependent Access Control

Context-Dependent Access Control

Access Control Administration

Centralized Access Control Administration

Decentralized Access Control Administration

Access Control Methods

Access Control Layers

Administrative Controls

Physical Controls

Technical Controls

Accountability

Review of Audit Information

Protecting Audit Data and Log Information

Keystroke Monitoring

Access Control Practices

Unauthorized Disclosure of Information

Access Control Monitoring

Intrusion Detection Systems

Intrusion Prevention Systems

Threats to Access Control

Dictionary Attack

Brute-Force Attacks

Spoofing at Logon

Phishing and Pharming

Summary

Quick Tips

Questions

Answers

Chapter 6     Security Assessment and Testing

Audit Strategies

Internal Audits

Third-Party Audits

Auditing Technical Controls

Vulnerability Testing

Penetration Testing

War Dialing

Other Vulnerability Types

Postmortem

Log Reviews

Synthetic Transactions

Misuse Case Testing

Code Reviews

Interface Testing

Auditing Administrative Controls

Account Management

Backup Verification

Disaster Recovery and Business Continuity

Security Training and Security Awareness Training

Key Performance and Risk Indicators

Reporting

Technical Reporting

Executive Summaries

Management Review

Before the Management Review

Reviewing Inputs

Management Actions

Summary

Quick Tips

Questions

Answers

Chapter 7     Security Operations

The Role of the Operations Department

Administrative Management

Security and Network Personnel

Accountability

Clipping Levels

Assurance Levels

Operational Responsibilities

Unusual or Unexplained Occurrences

Deviations from Standards

Unscheduled Initial Program Loads (aka Rebooting)

Configuration Management

Trusted Recovery

Input and Output Controls

System Hardening

Remote Access Security

Physical Security

Facility Access Control

Personnel Access Controls

External Boundary Protection Mechanisms

Intrusion Detection Systems

Patrol Force and Guards

Dogs

Auditing Physical Access

Secure Resource Provisioning

Asset Inventory

Configuration Management

Provisioning Cloud Assets

Network and Resource Availability

Mean Time Between Failures

Mean Time to Repair

Single Points of Failure

Backups

Contingency Planning

Preventative Measures

Firewalls

Intrusion Detection and Prevention Systems

Antimalware

Patch Management

Honeypots

The Incident Management Process

Detection

Response

Mitigation

Reporting

Recovery

Remediation

Disaster Recovery

Business Process Recovery

Facility Recovery

Supply and Technology Recovery

Choosing a Software Backup Facility

End-User Environment

Data Backup Alternatives

Electronic Backup Solutions

High Availability

Insurance

Recovery and Restoration

Developing Goals for the Plans

Implementing Strategies

Investigations

Computer Forensics and Proper Collection of Evidence

Motive, Opportunity, and Means

Computer Criminal Behavior

Incident Investigators

The Forensic Investigation Process

What Is Admissible in Court?

Surveillance, Search, and Seizure

Interviewing Suspects

Liability and Its Ramifications

Liability Scenarios

Third-Party Risk

Contractual Agreements

Procurement and Vendor Processes

Compliance

Personal Safety Concerns

Summary

Quick Tips

Questions

Answers

Chapter 8     Software Development Security

Building Good Code

Where Do We Place Security?

Different Environments Demand Different Security

Environment vs. Application

Functionality vs. Security

Implementation and Default Issues

Software Development Life Cycle

Project Management

Requirements Gathering Phase

Design Phase

Development Phase

Testing/Validation Phase

Release/Maintenance Phase

Secure Software Development Best Practices

Software Development Models

Build and Fix Model

Waterfall Model

V-Shaped Model (V-Model)

Prototyping

Incremental Model

Spiral Model

Rapid Application Development

Agile Models

Integrated Product Team

DevOps

Capability Maturity Model Integration

Change Control

Software Configuration Management

Security of Code Repositories

Programming Languages and Concepts

Assemblers, Compilers, Interpreters

Object-Oriented Concepts

Other Software Development Concepts

Application Programming Interfaces

Distributed Computing

Distributed Computing Environment

CORBA and ORBs

COM and DCOM

Java Platform, Enterprise Edition

Service-Oriented Architecture

Mobile Code

Java Applets

ActiveX Controls

Web Security

Specific Threats for Web Environments

Web Application Security Principles

Database Management

Database Management Software

Database Models

Database Programming Interfaces

Relational Database Components

Integrity

Database Security Issues

Data Warehousing and Data Mining

Malicious Software (Malware)

Viruses

Worms

Rootkit

Spyware and Adware

Botnets

Logic Bombs

Trojan Horses

Antimalware Software

Spam Detection

Antimalware Programs

Assessing the Security of Acquired Software

Summary

Quick Tips

Questions

Answers

Appendix A Comprehensive Questions

Answers

Appendix B About the Download

System Requirements

Total Tester Premium Practice Exam Software

Downloading Total Tester

Installing and Running Total Tester

Hotspot and Drag-and-Drop Questions

McGraw-Hill Professional Media Center Download

Technical Support

Total Seminars Technical Support

McGraw-Hill Education Content Support

Glossary

Index
