CONTENTS
Foreword
Acknowledgments
Chapter 1 Becoming a CISSP
Why Become a CISSP?
The CISSP Exam
CISSP: A Brief History
How Do You Sign Up for the Exam?
What Does This Book Cover?
Tips for Taking the CISSP Exam
How to Use This Book
Questions
Answers
Chapter 2 Information Security Governance and Risk Management
Fundamental Principles of Security
Availability
Integrity
Confidentiality
Balanced Security
Security Definitions
Control Types
Security Frameworks
ISO/IEC 27000 Series
Enterprise Architecture Development
Security Controls Development
COSO
Process Management Development
Functionality vs. Security
Security Management
Risk Management
Who Really Understands Risk Management?
Information Risk Management Policy
The Risk Management Team
Risk Assessment and Analysis
Risk Analysis Team
The Value of Information and Assets
Costs That Make Up the Value
Identifying Vulnerabilities and Threats
Methodologies for Risk Assessment
Risk Analysis Approaches
Qualitative Risk Analysis
Protection Mechanisms
Putting It Together
Total Risk vs. Residual Risk
Handling Risk
Outsourcing
Policies, Standards, Baselines, Guidelines, and Procedures
Security Policy
Standards
Baselines
Guidelines
Procedures
Implementation
Information Classification
Classification Levels
Classification Controls
Layers of Responsibility
Board of Directors
Executive Management
Chief Information Officer
Chief Privacy Officer
Chief Security Officer
Security Steering Committee
Audit Committee
Data Owner
Data Custodian
System Owner
Security Administrator
Security Analyst
Application Owner
Supervisor
Change Control Analyst
Data Analyst
Process Owner
Solution Provider
User
Product Line Manager
Auditor
Why So Many Roles?
Personnel Security
Hiring Practices
Termination
Security-Awareness Training
Degree or Certification?
Security Governance
Metrics
Summary
Quick Tips
Questions
Answers
Chapter 3 Access Control
Access Controls Overview
Security Principles
Availability
Integrity
Confidentiality
Identification, Authentication, Authorization, and Accountability
Identification and Authentication
Password Management
Authorization
Access Control Models
Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
Access Control Techniques and Technologies
Rule-Based Access Control
Constrained User Interfaces
Access Control Matrix
Content-Dependent Access Control
Context-Dependent Access Control
Access Control Administration
Centralized Access Control Administration
Decentralized Access Control Administration
Access Control Methods
Access Control Layers
Administrative Controls
Physical Controls
Technical Controls
Accountability
Review of Audit Information
Protecting Audit Data and Log Information
Keystroke Monitoring
Access Control Practices
Unauthorized Disclosure of Information
Access Control Monitoring
Intrusion Detection
Intrusion Prevention Systems
Threats to Access Control
Dictionary Attack
Brute Force Attacks
Spoofing at Logon
Phishing and Pharming
Threat Modeling
Summary
Quick Tips
Questions
Answers
Chapter 4 Security Architecture and Design
Computer Security
System Architecture
Computer Architecture
The Central Processing Unit
Multiprocessing
Operating System Components
Memory Types
Virtual Memory
Input/Output Device Management
CPU Architecture
Operating System Architectures
Virtual Machines
System Security Architecture
Security Policy
Security Architecture Requirements
Security Models
State Machine Models
Bell-LaPadula Model
Biba Model
Clark-Wilson Model
Information Flow Model
Noninterference Model
Lattice Model
Brewer and Nash Model
Graham-Denning Model
Harrison-Ruzzo-Ullman Model
Security Modes of Operation
Dedicated Security Mode
System High-Security Mode
Compartmented Security Mode
Multilevel Security Mode
Trust and Assurance
Systems Evaluation Methods
Why Put a Product Through Evaluation?
The Orange Book
The Orange Book and the Rainbow Series
The Red Book
Information Technology Security Evaluation Criteria
Common Criteria
Certification vs. Accreditation
Certification
Accreditation
Open vs. Closed Systems
Open Systems
Closed Systems
A Few Threats to Review
Maintenance Hooks
Time-of-Check/Time-of-Use Attacks
Summary
Quick Tips
Questions
Answers
Chapter 5 Physical and Environmental Security
Introduction to Physical Security
The Planning Process
Crime Prevention Through Environmental Design
Designing a Physical Security Program
Protecting Assets
Internal Support Systems
Electric Power
Environmental Issues
Ventilation
Fire Prevention, Detection, and Suppression
Perimeter Security
Facility Access Control
Personnel Access Controls
External Boundary Protection Mechanisms
Intrusion Detection Systems
Patrol Force and Guards
Dogs
Auditing Physical Access
Testing and Drills
Summary
Quick Tips
Questions
Answers
Chapter 6 Telecommunications and Network Security
Telecommunications
Open Systems Interconnection Reference Model
Protocol
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
Functions and Protocols in the OSI Model
Tying the Layers Together
TCP/IP Model
TCP
IP Addressing
IPv6
Layer 2 Security Standards
Types of Transmission
Analog and Digital
Asynchronous and Synchronous
Broadband and Baseband
Cabling
Coaxial Cable
Twisted-Pair Cable
Fiber-Optic Cable
Cabling Problems
Networking Foundations
Network Topology
Media Access Technologies
Network Protocols and Services
Domain Name Service
E-mail Services
Network Address Translation
Routing Protocols
Networking Devices
Repeaters
Bridges
Routers
Switches
Gateways
PBXs
Firewalls
Proxy Servers
Honeypot
Unified Threat Management
Cloud Computing
Intranets and Extranets
Metropolitan Area Networks
Wide Area Networks
Telecommunications Evolution
Dedicated Links
WAN Technologies
Remote Connectivity
Dial-up Connections
ISDN
DSL
Cable Modems
VPN
Authentication Protocols
Wireless Technologies
Wireless Communications
WLAN Components
Wireless Standards
War Driving for WLANs
Satellites
Mobile Wireless Communication
Mobile Phone Security
Summary
Quick Tips
Questions
Answers
Chapter 7 Cryptography
The History of Cryptography
Cryptography Definitions and Concepts
Kerckhoffs’ Principle
The Strength of the Cryptosystem
Services of Cryptosystems
One-Time Pad
Running and Concealment Ciphers
Steganography
Types of Ciphers
Substitution Ciphers
Transposition Ciphers
Methods of Encryption
Symmetric vs. Asymmetric Algorithms
Symmetric Cryptography
Block and Stream Ciphers
Hybrid Encryption Methods
Types of Symmetric Systems
Data Encryption Standard
Triple-DES
The Advanced Encryption Standard
International Data Encryption Algorithm
Blowfish
RC4
RC5
RC6
Types of Asymmetric Systems
The Diffie-Hellman Algorithm
RSA
El Gamal
Elliptic Curve Cryptosystems
Knapsack
Zero Knowledge Proof
Message Integrity
The One-Way Hash
Various Hashing Algorithms
MD2
MD4
MD5
Attacks Against One-Way Hash Functions
Digital Signatures
Digital Signature Standard
Public Key Infrastructure
Certificate Authorities
Certificates
The Registration Authority
PKI Steps
Key Management
Key Management Principles
Rules for Keys and Key Management
Trusted Platform Module
TPM Uses
Link Encryption vs. End-to-End Encryption
E-mail Standards
Multipurpose Internet Mail Extension
Pretty Good Privacy
Internet Security
Start with the Basics
Attacks
Ciphertext-Only Attacks
Known-Plaintext Attacks
Chosen-Plaintext Attacks
Chosen-Ciphertext Attacks
Differential Cryptanalysis
Linear Cryptanalysis
Side-Channel Attacks
Replay Attacks
Algebraic Attacks
Analytic Attacks
Statistical Attacks
Social Engineering Attacks
Meet-in-the-Middle Attacks
Summary
Quick Tips
Questions
Answers
Chapter 8 Business Continuity and Disaster Recovery Planning
Business Continuity and Disaster Recovery
Standards and Best Practices
Making BCM Part of the Enterprise Security Program
BCP Project Components
Scope of the Project
BCP Policy
Project Management
Business Continuity Planning Requirements
Business Impact Analysis (BIA)
Interdependencies
Preventive Measures
Recovery Strategies
Business Process Recovery
Facility Recovery
Supply and Technology Recovery
Choosing a Software Backup Facility
End-User Environment
Data Backup Alternatives
Electronic Backup Solutions
High Availability
Insurance
Recovery and Restoration
Developing Goals for the Plans
Implementing Strategies
Testing and Revising the Plan
Checklist Test
Structured Walk-Through Test
Simulation Test
Parallel Test
Full-Interruption Test
Other Types of Training
Emergency Response
Maintaining the Plan
Summary
Quick Tips
Questions
Answers
Chapter 9 Legal, Regulations, Investigations, and Compliance
The Many Facets of Cyberlaw
The Crux of Computer Crime Laws
Complexities in Cybercrime
Electronic Assets
The Evolution of Attacks
International Issues
Types of Legal Systems
Intellectual Property Laws
Trade Secret
Copyright
Trademark
Patent
Internal Protection of Intellectual Property
Software Piracy
Privacy
The Increasing Need for Privacy Laws
Laws, Directives, and Regulations
Liability and Its Ramifications
Personal Information
Hacker Intrusion
Third-Party Risk
Contractual Agreements
Procurement and Vendor Processes
Compliance
Investigations
Incident Management
Incident Response Procedures
Computer Forensics and Proper Collection of Evidence
International Organization on Computer Evidence
Motive, Opportunity, and Means
Computer Criminal Behavior
Incident Investigators
The Forensics Investigation Process
What Is Admissible in Court?
Surveillance, Search, and Seizure
Interviewing and Interrogating
A Few Different Attack Types
Cybersquatting
Ethics
The Computer Ethics Institute
The Internet Architecture Board
Corporate Ethics Programs
Summary
Quick Tips
Questions
Answers
Chapter 10 Software Development Security
Software’s Importance
Where Do We Place Security?
Different Environments Demand Different Security
Environment versus Application
Functionality versus Security
Implementation and Default Issues
System Development Life Cycle
Initiation
Acquisition/Development
Implementation
Operations/Maintenance
Disposal
Software Development Life Cycle
Project Management
Requirements Gathering Phase
Design Phase
Development Phase
Testing/Validation Phase
Release/Maintenance Phase
Secure Software Development Best Practices
Software Development Models
Build and Fix Model
Waterfall Model
V-Shaped Model (V-Model)
Prototyping
Incremental Model
Spiral Model
Rapid Application Development
Agile Model
Capability Maturity Model Integration
Change Control
Software Configuration Management
Programming Languages and Concepts
Assemblers, Compilers, Interpreters
Object-Oriented Concepts
Distributed Computing
Distributed Computing Environment
CORBA and ORBs
COM and DCOM
Java Platform, Enterprise Edition
Service-Oriented Architecture
Mobile Code
Java Applets
ActiveX Controls
Web Security
Specific Threats for Web Environments
Web Application Security Principles
Database Management
Database Management Software
Database Models
Database Programming Interfaces
Relational Database Components
Integrity
Database Security Issues
Data Warehousing and Data Mining
Expert Systems/Knowledge-Based Systems
Artificial Neural Networks
Malicious Software (Malware)
Viruses
Worms
Rootkit
Spyware and Adware
Botnets
Logic Bombs
Trojan Horses
Antivirus Software
Spam Detection
Antimalware Programs
Summary
Quick Tips
Questions
Answers
Chapter 11 Security Operations
The Role of the Operations Department
Administrative Management
Security and Network Personnel
Accountability
Clipping Levels
Assurance Levels
Operational Responsibilities
Unusual or Unexplained Occurrences
Deviations from Standards
Unscheduled Initial Program Loads (aka Rebooting)
Asset Identification and Management
System Controls
Trusted Recovery
Input and Output Controls
System Hardening
Remote Access Security
Configuration Management
Change Control Process
Change Control Documentation
Media Controls
Data Leakage
Network and Resource Availability
Mean Time Between Failures
Mean Time to Repair
Single Points of Failure
Backups
Contingency Planning
Mainframes
E-mail Security
How E-mail Works
Facsimile Security
Hack and Attack Methods
Vulnerability Testing
Penetration Testing
Wardialing
Other Vulnerability Types
Postmortem
Summary
Quick Tips
Questions
Answers
Appendix A Comprehensive Questions
Answers
Appendix B About the Download
Downloading the Total Tester
Total Tester System Requirements
Installing and Running Total Tester
About Total Tester CISSP Practice Exam Software
Media Center Download
Cryptography Video Sample
Technical Support
Glossary
Index