Table of Contents
Introduction
CHAPTER 1:
The CISSP Certification Exam
Introduction
Assessing Exam Readiness
Exam Topics
Taking the Exam
Examples of CISSP Test Questions
Answer to Multiple-Choice Question
Answer to Drag and Drop Question
Answer to Hotspot Question
Question-Handling Strategies
Mastering the Inner Game
Need to Know More?
CHAPTER 2:
Understanding Asset Security
Introduction
Basic Security Principles
Data Management: Determining and Maintaining Ownership
Data Governance Policies
Roles and Responsibilities
Data Ownership
Data Custodians
Data Documentation and Organization
Data Warehousing
Data Mining
Knowledge Management
Data Standards
Data Lifecycle Control
Data Audits
Data Storage and Archiving
Data Security, Protection, Sharing, and Dissemination
Privacy Impact Assessment
Information Handling Requirements
Record Retention and Destruction
Data Remanence and Decommissioning
Classifying Information and Supporting Asset Classification
Data Classification
Asset Management and Governance
Software Licensing
The Equipment Lifecycle
Determining Data Security Controls
Data at Rest
Data in Transit
Endpoint Security
Baselines
Exam Prep Questions
Answers to Exam Prep Questions
Need to Know More?
CHAPTER 3:
Security and Risk Management
Introduction
Security Governance
U.S. Legal System and Laws
Relevant U.S. Laws and Regulations
International Legal Systems and Laws
International Laws to Protect Intellectual Property
Global Legal and Regulatory Issues
Computer Crime and Hackers
Sexual Harassment
U.S. Governance
International Governance
Risk Management Concepts
Risk Management Frameworks
Risk Assessment
Risk Management Team
Selecting Countermeasures
Threat Modeling Concepts and Methodologies
Threat Modeling Steps
Threat Modeling Tools and Methodologies
Managing Risk with the Supply Chain and Third Parties
Reducing Risk in Organization Processes
Identifying and Prioritizing Business Continuity Requirements Based on Risk
Project Management and Initiation
Business Impact Analysis
Developing and Implementing Security Policy
Security Policy
Standards
Baselines
Guidelines
Procedures
Types of Controls
Administrative Controls
Technical Controls
Physical Controls
Access Control Categories
Implementing Personnel Security
New-Hire Agreements and Policies
Separation of Duties
Job Rotation
Least Privilege
Mandatory Vacations
Termination
Security Education, Training, and Awareness
Security Awareness
Social Engineering
Professional Ethics Training and Awareness
(ISC)² Code of Ethics
Computer Ethics Institute
Internet Architecture Board
NIST SP 800-14
Common Computer Ethics Fallacies
Regulatory Requirements for Ethics Programs
Exam Prep Questions
Answers to Exam Prep Questions
Need to Know More?
CHAPTER 4:
Security Architecture and Engineering
Introduction
Secure Design Guidelines and Governance Principles
Enterprise Architecture
Regulatory Compliance and Process Control
Fundamental Concepts of Security Models
Central Processing Unit
Storage Media
I/O Bus Standards
Virtual Memory and Virtual Machines
Computer Configurations
Security Architecture
Protection Rings
Trusted Computing Base
Open and Closed Systems
Security Modes of Operation
Operating States
Recovery Procedures
Process Isolation
Common Formal Security Models
State Machine Model
Information Flow Model
Noninterference Model
Confidentiality
Integrity
Other Models
Product Security Evaluation Models
The Rainbow Series
Information Technology Security Evaluation Criteria (ITSEC)
Common Criteria
System Validation
Certification and Accreditation
Vulnerabilities of Security Architectures
Buffer Overflows
Backdoors
State Attacks
Covert Channels
Incremental Attacks
Emanations
Web-Based Vulnerabilities
Mobile System Vulnerabilities
Cryptography
Algorithms
Cipher Types and Methods
Symmetric Encryption
Data Encryption Standard (DES)
Triple DES (3DES)
Advanced Encryption Standard (AES)
International Data Encryption Algorithm (IDEA)
Rivest Cipher Algorithms
Asymmetric Encryption
Diffie-Hellman
RSA
El Gamal
Elliptic Curve Cryptosystem (ECC)
Merkle-Hellman Knapsack
Review of Symmetric and Asymmetric Cryptographic Systems
Hybrid Encryption
Public Key Infrastructure and Key Management
Certificate Authorities
Registration Authorities
Certificate Revocation Lists
Digital Certificates
The Client’s Role in PKI
Integrity and Authentication
Hashing and Message Digests
Digital Signatures
Cryptographic System Review
Cryptographic Attacks
Site and Facility Security Controls
Exam Prep Questions
Answers to Exam Prep Questions
Need to Know More?
CHAPTER 5:
Communications and Network Security
Introduction
Secure Network Design
Network Models and Standards
OSI Model
Encapsulation/De-encapsulation
TCP/IP
Network Access Layer
Internet Layer
Host-to-Host (Transport) Layer
Application Layer
LANs and Their Components
LAN Communication Protocols
Network Topologies
LAN Cabling
Network Types
Network Storage
Communication Standards
Network Equipment
Repeaters
Hubs
Bridges
Switches
Mirrored Ports and Network Taps
VLANs
Routers
Gateways
Routing
WANs and Their Components
Packet Switching
Circuit Switching
Cloud Computing
Software-Defined WAN (SD-WAN)
Securing Email Communications
Pretty Good Privacy (PGP)
Other Email Security Applications
Securing Voice and Wireless Communications
Secure Communications History
Voice over IP (VoIP)
Cell Phones
802.11 Wireless Networks and Standards
Securing TCP/IP with Cryptographic Solutions
Application/Process Layer Controls
Host-to-Host Layer Controls
Internet Layer Controls
Network Access Layer Controls
Link and End-to-End Encryption
Network Access Control Devices
Firewalls
Demilitarized Zone (DMZ)
Remote Access
Point-to-Point Protocol (PPP)
Remote Authentication Dial-in User Service (RADIUS)
Terminal Access Controller Access Control System (TACACS)
Internet Protocol Security (IPsec)
Message Privacy and Multimedia Collaboration
Exam Prep Questions
Answers to Exam Prep Questions
Need to Know More?
CHAPTER 6:
Identity and Access Management
Introduction
Perimeter Physical Control Systems
Fences
Gates
Bollards
Additional Physical Security Controls
CCTV Cameras
Lighting
Guards and Dogs
Locks
Employee Access Control
Badges, Tokens, and Cards
Biometric Access Controls
Identification, Authentication, and Authorization
Authentication Techniques
Identity Management Implementation
Single Sign-On (SSO)
Kerberos
SESAME
Authorization and Access Control Techniques
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Attribute-Based Access Control
Rule-Based Access Control
Other Types of Access Control
Centralized and Decentralized Access Control Models
Centralized Access Control
Decentralized Access Control
Audits and Monitoring
Monitoring Access and Usage
Intrusion Detection Systems (IDSs)
Intrusion Prevention Systems (IPSs)
Network Access Control (NAC)
Keystroke Monitoring
Exam Prep Questions
Answers to Exam Prep Questions
Suggested Reading and Resources
CHAPTER 7:
Security Assessment and Testing
Introduction
Security Assessments and Penetration Test Strategies
Audits
Root Cause Analyses
Log Reviews
Network Scanning
Vulnerability Scans and Assessments
Penetration Testing
Test Techniques and Methods
Security Threats and Vulnerabilities
Threat Actors
Attack Methodologies
Network Security Threats and Attack Techniques
Session Hijacking
Sniffing
Wiretapping
DoS and DDoS Attacks
Botnets
Other Network Attack Techniques
Access Control Threats and Attack Techniques
Unauthorized Access
Access Aggregation
Password Attacks
Spoofing
Eavesdropping and Shoulder Surfing
Identity Theft
Social-Based Threats and Attack Techniques
Malicious Software Threats and Attack Techniques
Viruses
Worms
Logic Bombs
Backdoors and Trojans
Rootkits
Exploit Kits
Advanced Persistent Threats (APTs)
Ransomware
Investigating Computer Crime
Computer Crime Jurisdiction
Incident Response
Disaster Recovery and Business Continuity
Investigations
Search, Seizure, and Surveillance
Interviews and Interrogations
Exam Prep Questions
Answers to Exam Prep Questions
Need to Know More?
CHAPTER 8:
Security Operations
Introduction
Foundational Security Operations Concepts
Managing Users and Accounts
Privileged Entities
Controlling Access
Clipping Levels
Resource Protection
Due Care and Due Diligence
Asset Management
System Hardening
Change and Configuration Management
Trusted Recovery
Remote Access
Media Management, Retention, and Destruction
Telecommunication Controls
Cloud Computing
Email
Whitelisting, Blacklisting, and Graylisting
Firewalls
Phone, Fax, and PBX
Anti-malware
Honeypots and Honeynets
Patch Management
System Resilience, Fault Tolerance, and Recovery Controls
Recovery Controls
Monitoring and Auditing Controls
Auditing User Activity
Monitoring Application Transactions
Security Information and Event Management (SIEM)
Network Access Control
Keystroke Monitoring
Emanation Security
Perimeter Security Controls and Risks
Natural Disasters
Human-Caused Threats
Technical Problems
Facility Concerns and Requirements
CPTED
Area Concerns
Location
Construction
Doors, Walls, Windows, and Ceilings
Asset Placement
Environmental Controls
Heating, Ventilating, and Air Conditioning
Electrical Power
Uninterruptible Power Supplies (UPSs)
Equipment Lifecycle
Fire Prevention, Detection, and Suppression
Fire-Detection Equipment
Fire Suppression
Alarm Systems
Intrusion Detection Systems (IDSs)
Monitoring and Detection
Intrusion Detection and Prevention Systems
Investigations and Incidents
Incident Response
Digital Forensics, Tools, Tactics, and Procedures
Standardization of Forensic Procedures
Digital Forensics
The Disaster Recovery Lifecycle
Teams and Responsibilities
Recovery Strategy
Fault Tolerance
Backups
Plan Design and Development
Implementation
Testing
Monitoring and Maintenance
Exam Prep Questions
Answers to Exam Prep Questions
Need to Know More?
CHAPTER 9:
Software Development Security
Introduction
Integrating Security into the Development Lifecycle
Avoiding System Failure
The Software Development Lifecycle
Development Methodologies
The Waterfall Model
The Spiral Model
Joint Application Development (JAD)
Rapid Application Development (RAD)
Incremental Development
Prototyping
Modified Prototype Model (MPM)
Computer-Aided Software Engineering (CASE)
Agile Development Methods
Maturity Models
Scheduling
Change Management
Database Management
Database Terms
Integrity
Transaction Processing
Database Vulnerabilities and Threats
Artificial Intelligence and Expert Systems
Programming Languages, Secure Coding Guidelines, and Standards
Object-Oriented Programming
CORBA
Security of the Software Environment
Mobile Code
Buffer Overflow
Financial Attacks
Change Detection
Viruses and Worms
Exam Prep Questions
Answers to Exam Prep Questions
Need to Know More?
Practice Exam I
Practice Exam II
Answers to Practice Exam I
Answers to Practice Exam II
Glossary
Index