Index

Numbers

1G cell phone technology, 306

2G cell phone technology, 306

3DES (3Data Encryption Standard), 206, 215–216

3G cell phone technology, 306

4G cell phone technology, 306

5G cell phone technology, 307

10 Commandments of Computer Ethics, 139–140

10 Steps to Cyber Security, 86

802.1AE (MACsec) security standard, 259–260

802.1AR security standard, 260

802.11 wireless networks/standards

802.11a wireless standard, 310

802.11ac wireless standard, 310

802.11b wireless standard, 310

802.11g wireless standard, 310

802.11i wireless standard, 310

802.11n wireless standard, 310

802.16 wireless standard, 310

1998 Directive on Data Protection, 76

A

AAL (Authenticator Assurance Levels), 360

ABAC (Attribute-Based Access Control), 387–388

absolute addressing, 163

acceptable risk, 104, 105

acceptance testing/implementation, SDLC, 569–571

access controls, 129–130

attacks/threats, 438

access aggregation, 438–439

password attacks, 439–442

unauthorized access, 438

networks, 321–322

DMZ, 324–325

firewalls, 322, 481

NAT, 325

packet filters, 322

proxy servers, 322–324

stateful firewalls, 322

zero trust, 325

operational security, 471

physical, 240, 495497

remote access, 326, 476

CHAP, 326

EAP, 326–328

IPsec, 329–330

PAP, 326

PPP, 326

RADIUS, 328

TACACS, 328–329

restricted access/work area security, 241

access/identity management, 342, 358–359, 377

accountability, 343

authentication, 342–343, 358–361

AAL, 360

biometrics, 370375

card-based authentication, 369–370

CHAP, 390

digital certificates, 370

EAP, 390

FIM, 358–360

IAL, 360

IDaaS, 358–360

MS-CHAPv2, 390

multifactor authentication, 375

OAuth, 362

OpenID, 362

PAP, 390

passwords, 363–367

SAML, 361–362

strong authentication, 375

tokens, 367–368

two-factor authentication, 375

authorization, 343, 382

ABAC, 387–388

audits, 394–396

CDAC, 389

centralized access control, 390–393

DAC, 382–383

decentralized access control, 393–394

IDS, 396–401, 510–511, 512–513

IPS, 384, 401

keystroke monitoring, 402–403

LBAC, 389

MAC, 383–385

monitoring access, 394–396

NAC, 401–402

RBAC, 385–387

rule-based access control, 388

SIEM, 401

employee access control, 355

biometrics, 358, 370–375

card keys/badges, 355–356

RFID tags, 342, 357

silent hostage (duress) alarms, 356

smart/dumb cards, 356

federation, 377

Kerberos, 378–381

least privilege, 343

lifecycles, 376

perimeter physical control systems, 344

bollards, 346–347

CCTV cameras, 348–349, 496

deadman doors, 346

dogs, 350

fences, 343

gates, 345–346

guards, 350

lighting, 349–350

locks, 351–355

mantraps, 346

turnstiles, 346

physical access controls, 342–343, 344–348

profile management, 377

SESAME, 381

SPML, 378

SSO, 343, 378

user provisioning, 376

WS-Security, 377

XML, 377

access logs, 416

account management, 469

access controls, 471

clipping levels, 471–472

database administrators, 469

job rotation, 471

least privilege, 471

network administrators, 469

privileged entities, 470–471

quality assurance specialists, 469

reasonably prudent person rule, 472–473

security architects, 469

separation of duties, 469–470, 471

system administrators, 469

systems analysts, 469

accountability, 343, 487–489

accreditation, 195, 571

ace locks, 352

ACL (Access Control Lists), 382–383, 388

acquisition, digital forensics, 516, 517–519

active sniffing, 432

ActiveX programming language, 590

activity blockers, 484

adhesion, contracts of, 53

administrative controls, 128

administrative (regulatory) law, U.S. legal system/laws, 71

administrators, system, 469

advisor groups, security, data management, 34

advisory policies, 125

AES (Advanced Encryption Standard), 217

aggregation

access, 438–439

databases, 583, 584

agile development, software, 577–578

aging, passwords, 364

AH (Authentication Headers), 329

AI (Artificial Intelligence), 587–588

AIC. See CIA triad

alarms, 509510

IDS, 510–511, 512–513

monitoring/detection, 511–512

silent hostage (duress) alarms, 356

ALE (Annual Loss Expectancy), 97, 98–99, 106

algorithms

cryptographic, 204, 206–207

asymmetric cryptography, 207

symmetric algorithms, 207

DSA, 236, 237

hashing algorithms, 205, 231–233, 237

CBC-MAC, 234

CMAC, 235

HAVAL, 234

HMAC, 234

MAC, 234–235

SHA-1, 233

SHA-2, 233

SHA-3, 234

IDEA, 210

LUC algorithm, 222

MD algorithms, 233

Rivest cipher algorithms, 210–211, 218

RSA algorithm, 222

alpha testing, 570

ALU (Arithmetic Logic Units), 158

analytics

BIA, 117–119

MTD, 122

potential loss assessments, 119–122

qualitative ranking, 120–121

quantitative ranking, 121–122

questionnaires, 119–121

risk reduction process, 121–122

comparative analysis, passwords, 439

cost-benefit analysis of risk management, 106

data analytics, 37

digital forensics, 517, 520–521

FRAP, 102

frequency analysis, 299

MITRE Risk Matrix, 106

payback analysis, 564

risk factor analysis, 87

root causes analyses, 415

threats, 93–96

traffic analysis, 437

anomaly-based IDS, 399–400

answers, CISSP exams

drag-and-drop questions, 26

hotspot questions, 26

multiple-choice questions, 26

strategies for answering, 27

anti-malware, telecommunications control, 483484

antivirus software, 60

applets, 595

application controls, 561562

application layer

OSI network model, 256

TCP/IP network model, 267–271, 316–320

application-level proxies, 323–324

application servers, 169

applications

logs, 416

security testing, 420

transaction monitoring, 489–490

whitelisting, 60

APT (Advanced Persistent Threats), 450

architecture security and engineering, 152, 170

accreditation, 195

certification, 194195

computer/device configurations, 168–170

CPU, 158–163

cryptography, 203

3DES, 215–216

AES, 217

algorithms, 204, 206–207

asymmetric encryption, 205, 207, 218–224, 237

attacks, 237–240

authentication, 203–204, 230–231

block ciphers, 205, 207–208

ciphertext, 204

confidentiality, 203

cryptanalysis, 205

CSS, 238

DES, 211–215

digital signatures, 205, 235–236, 237

DRM, 205

encryption, 203, 204

hashing algorithms, 205, 231–236, 237

hybrid encryption, 224–225

integrity, 204, 230–231

Kerckhoff’s Principle, 238

key management, 205

keys, 204

MD algorithms, 233

nonces, 206–207

nonrepudiation, 204

plaintext, 204

pseudorandom numbers, 206–207

s-boxes, 208

steganography, 205

stream ciphers, 205, 208

symmetric encryption, 205, 208–211, 223–224, 237

defense in depth design process, 152–153

design guidelines, 152–155

EA, 155–157

frameworks, 154–155

fundamentals, overview, 158

I/O bus standards, 166–167

open/closed systems, 175

operating states, 177–178

PKI, 153, 225–226

CA, 226

client’s role, 229–230

CRL, 227

digital certificates, 227–229

RA, 226–227

process control, 157–158

process isolation, 179

product security evaluation models, 189

Common Criteria (ISO 15408), 192–194

CTCPEC, 190

ITSEC, 191–192

Rainbow Series, The, 189–191

TCSEC, 189–190, 191–192

protection rings, 170–172

recovery procedures, 178, 486–487

regulatory compliance, 157–158

security models, 179, 189

Bell-LaPadula model, 182–184

Biba model, 185–186

Brewer and Nash model, 188

Clark-Wilson model, 187

Graham-Denning model, 188

Harrison-Ruzzo-Ullman model, 188

information flow model, 182

Lattice model, 188

Lipner model, 188

noninterference model, 182

state machine model, 180–181

Take-Grant model, 188

security modes of operation, 176–177

site/facility controls, 240–241

storage media, 163

CD, 165

direct-access storage, 165

DVD, 166

flash memory storage, 166

I/O bus standards, 166–167

optical media, 165

RAM, 163–164, 167–168

ROM, 164–165

secondary storage, 165–166

sequential storage, 165

software, 165

SSD, 166

swap partitions, 167–168

system validation, 194

TCB, 172–175

TPM chips, 154

virtual memory, 167–168

VM, 168

vulnerabilities, 195–196

backdoors, 197

buffer overflows, 196, 200, 595–596

covert channels, 197–198

data diddling, 198

database attacks, 201–202

emanations, 198–199

incremental attacks, 198

maintenance hooks, 197

mobile system vulnerabilities, 202–203

salami attacks, 198

SQL injections, 201–202, 586

state attacks, 197

Van Eck Phreaking, 199, 492

web-based vulnerabilities, 199–202

wireless vulnerabilities, 202

architectures

CORBA, 592

OS, 174–175

archive bits, 536–537

area concerns, facility/site security controls, 497

ARO (Annual Rate of Occurrence), 97, 98–99

ARP (Address Resolution Protocol), 260

poisoning, 436

TCP/IP network model, 263–264

assemblers, 589

assessing

exam readiness, 20–21

potential loss, 119–122

risk. See separate entry

security, 412

application security testing, 420

audits, 412–415

blackbox testing, 420

code reviews, 425

coverage, 413–414

DAST, 425

DoS testing, 420

Fagan inspections, 426

fuzz testing, 426

graybox testing, 420

IAST, 425

integer overflow, 426–427

KPI, 414–415

KRI, 415

log reviews, 415–418

misuse case testing, 426

outsider testing, 420

penetration testing, 257–263

physical security testing, 420

RASP, 425

root causes analyses, 415

sampling plans, 413–414

SAST, 425

scanning networks, 418–419

social engineering testing, 421

stress testing, 420

synthetic transactions, 426

techniques/methods, 424–427

vulnerability scanning, 419

war dialing, 420–421

whitebox testing, 420

wireless network testing, 420

vulnerabilities, 419

assessing risk, 88

assets, 88, 91–93

controls, 95–96

hacker insurance, 93

high-impact assets, 92–93

high-risk assets, 92–93

identifying assets, 91–93

losses, 94

probabilistic risk assessment, 87

qualitative assessments, 102, 103–104

Delphi technique, 102

FRAP, 102

IAM, 102

impact scale, 100–101

NIST 800–53, 102–103

performing, 103

results, 101–102

steps of, 101

quantitative assessments, 97, 103–104

ALE, 97, 98–99, 106

ARO, 97, 98–99

calculations, 97–99

formulas, 99–100

SLE, 97, 98–100

SATAN vulnerability assessment tool, 138–139

steps of assessment, 90

threat analysis, 93–96

threats, 89

vulnerabilities, 89, 95–96

Asset Protection Triad (CIA triad), 30, 31–32

availability, 31

confidentiality, 30

integrity, 31

assets

governance, 51–52

high-impact assets, 92–93

high-risk assets, 92–93

identifying, 91–93, 107

management, 51–52, 473

“CACPA”, 48

change management, 474–475

classifying, 47–48

cloud computing, 477–478

configuration management, 474–475

inventories, 47–48

media management, 476–477

remote access, 476

software licensing, 52–54

system hardening, 473–474

trusted recovery, 475–476

placement, facility/site security controls, 501–502

risk assessments, 88

valuation, 91–93

assisted password resets, 365

asymmetric encryption, 205, 207, 218–220, 237

Diffie-Hellman key exchanges, 220–222

ECC, 223

El Gamal, 223

Knapsack, 223

LUC algorithm, 222

RSA algorithm, 222

XTR public key cryptosystem, 222

asymmetric mode, processors, 160

asynchronous tokens, 367–368

ATA (Advanced Technology Attachments), 166

ATBASH, 299

ATM (Asynchronous Transfer Mode), 291

ATO (Authorization To Operate), 111

attacks/threats, 431

access controls, 438

access aggregation, 438–439

password attacks, 439–442

unauthorized access, 438

APT, 450

ARP poisoning, 436

backdoors, 447–449

booters, 434

botnets, 434–436

brute-force cracking, 441

buffer overflows, 595–596

crypters, 448–449

database attacks, 437

DDoS attacks, 433–434

DNS spoofing, 437

DoS attacks, 433

dumpster diving, 444

eavesdropping, 442

email bombing, 437

exploit kits, 450

financial attacks, 596–597

human-caused threats, 494–495

hybrid attacks, 440

identity theft, 443

impersonation attacks, 444

IOC, 597

logic bombs, 446–447, 596–597

malicious software, 444–445

APT, 450

backdoors, 447–449

crypters, 448–449

exploit kits, 450

logic bombs, 446–447

packers, 448

ransomware, 450–451

rootkits, 449–450

success attacks, 450

Trojans, 447–449

viruses, 445–446

worms, 446

wrappers, 448

methodologies of attacks, 430–431

packers, 448

pharming attacks, 437

phishing, 443

phreaking, 492

piggybacking, 444

pretexting, 443–444

rainbow tables, 441–442

ransomware, 450–451

rootkits, 449–450

session hijacking, 431–432

shoulder surfing, 442, 444

smishing, 308, 443

sniffing, 432

social engineering attacks, 443–444

spear phishing, 443

spoofing attacks, 442, 444

success attacks, 450

tailgating, 444

traffic analysis, 437

Trojans, 447–449

Van Eck Phreaking, 199, 492

vectors, computer crime/hackers, 77

virus hoaxes, 444

viruses, 445–446, 597–598

war driving, 437

whaling, 443

wiretapping, 433, 437

worms, 446, 597–598

wrappers, 448

zero-day vulnerabilities, 437

attenuation, cabling, 280

attributes, databases, 583

auditors, data management, 35

audits

auditing controls, 487–489

data, 39

employees, 548

identity/access management, 394–396

logs, 416

penetration testing/assessments, 412–415

SAS 70, 112

AUP (Acceptable Use Policies), 128, 471

authentication, 342–343, 358–361

AAL, 360

AH, 329

biometrics, 370–371, 374–375

CER, 372

facial recognition, 373

FAR, 371

fingerprint recognition, 373–374

FRR, 371

hand geometry recognition, 372

iris recognition, 373

retina pattern recognition, 373

Type I errors, 371

Type II errors, 371

voice recognition, 373

card-based authentication, 369–370

CHAP, 326, 390

cryptography, 203–204, 230–231

digital certificates, 370

digital forensics, 516–517, 520

EAP, 320, 326–328, 390

encryption, 58

FIM, 358–360

IAL, 360

IDaaS, 358–360

IMAP, 269

MAC, 234–235

CBC-MAC, 234

CMAC, 235

HMAC, 234

MFA, 202

MS-CHAPv2, 390

OAuth, 362

OpenID, 362

PAP, 326, 390

passwords, 363–364, 367

aging, 364

assisted password resets, 365

attempts, 364

clipping levels, 364

cognitive passwords, 366–367

complexity, 364

composition, 364

cracking, 366

dynamic passwords, 365–366

history, 364

length, 364

OTP, 367

passphrases, 365

self-service password resets, 365

session management, 364

single-use passwords, 365–366

static passwords, 365–366

storing, 364

synchronization, 365

threshold levels, 364

SAML, 361–362

strong authentication, 375

tokens, 367

asynchronous tokens, 367–368

synchronous tokens, 367–368

authorization, 343, 382

ABAC, 387–388

audits, 394–396

CDAC, 389

centralized access control, 390

CHAP, 390

Diameter, 393

EAP, 390

MS-CHAPv2, 390

PAP, 390

RADIUS, 391–392

TACACS, 392

DAC, 382–383

decentralized access control, 393–394

IDS, 396–397, 510–511, 512–513

anomaly-based IDS, 399–400

HIDS, 398, 512

NIDS, 397–398, 512

rule-based IDS, 400

sensor placement, 400–401

signature-based IDS, 399

IPS, 384, 401

keystroke monitoring, 402–403

LBAC, 389

MAC, 383–385

monitoring access, 394–396

NAC, 401–402

RBAC, 385–387

rule-based access control, 388

SIEM, 401

AS (Autonomous Systems), 289

availability

backups, 31

CIA triad, 31

avoiding risk, 105

awareness, employees, 134–136

disaster recovery plans, 545

ethics training/awareness, 137–138

10 Commandments of Computer Ethics, 139–140

common fallacies, 141–142

Computer Ethics Institute, 139–140

IAB, 140–141

(ISC)2 Code of Ethics, 138–139

ISOC, 140–141

NIST SP 800–14, 141

regulatory requirements, 142–143

RFC 1087, 140–141

B

backdoors, 197, 447–449

background checks, 131

backups, 31

choosing, 539–541

cloud computing, 539

continuous backups, 538

data replication, 538

database shadowing, 538

differential backups, 536–537

disaster recovery, 534–541

electronic vaulting, 539

full backups, 536

incremental backups, 537

remote journaling, 539

RPO, 539–541

RTO, 539–541

SAN, 539

tape rotation schemes, 537–538

validating, 458

badges, employee access control, 355–356

banners, warning, 489

baseband transmissions, cabling, 275

baselines

NIST-800–52, 61–62

NIST-800–53, 60–61

risk management, 126

scoping, 60–61, 62

supplementation, 62

tailoring, 61–62

bastion hosts, 324

bathtub curves, 486–487

BCP (Business Continuity Plans)

BIA, 117–119

MTD, 122

potential loss assessments, 119–122

qualitative ranking, 120–121

quantitative ranking, 121–122

questionnaires, 119–121

risk reduction process, 121–122

corrective controls, 117

detective controls, 117

DRP, 113–115

preventive controls, 117

project management/initiation, 116–117

reputations, 122–123

BEAST cryptographic attack, 240

Bell-LaPadula security model, 182–184

beta/pilot testing, 570

BIA (Business Impact Analysis), 117–119

MTD, 122

potential loss assessments, 119–122

qualitative ranking, 120–121

quantitative ranking, 121–122

questionnaires, 119–121

risk reduction process, 121–122

Biba security model, 185–186

biometrics, 358, 370–371, 374–375

CER, 372

facial recognition, 373

FAR, 371

fingerprint recognition, 373–374

FRR, 371

hand geometry recognition, 372

iris recognition, 373

retina pattern recognition, 373

Type I errors, 371

Type II errors, 371

voice recognition, 373

birthday attacks, 239

blackbox testing, 420, 570

blacklists, 480

block ciphers, 205, 207–208

blockers, activity, 484

Blowfish, 210

blue boxes, 482

BlueBorne, 312

Bluejacking, 312

Bluetooth technologies, 311–312

bollards, perimeter physical control systems, 346–347

bombing email, 437

book ciphers, 302–303

Boolean operators, 208

booters, 434

BootP (Bootstrap Protocol), 269

bot herders, 435

botnets, 434–436

BPA (Business Partnership Agreements), 112

BREACH cryptographic attack, 240

breaches, data, 76–77

Brewer and Nash security model, 188

bridges, 282

broadband transmissions, cabling, 275

broken configuration management, database vulnerabilities, 586

browsers, unpatched browsers, mobile system vulnerabilities, 203

brute-force cracking, 441

buffer overflows, 196, 200, 586, 595–596

bulletproof hosting, 450

Bullrun, 331

bump keys, 354

Burp Proxy Attack tool, 200

bus topologies, 272

buses

FireWire (IEEE 1394) interfaces, 167

HBA, 41

I/O bus standards, 166–167

ISA, 166

northbridges, 166

PCI, 166

PCIe, 166

SATA, 166

SCSI, 167

southbridges, 166

Thunderbolt interfaces, 167

USB, 167

business continuity, 458–459

business process recovery strategies, 524–525

business reference model, FEA frameworks, 156

BYOD policies, 169

BYOT controls, 202–203

bytecode, 595

C

C programming language, 590

C# programming language, 590

C+ programming language, 590

C++ programming language, 590

CA (Certificate Authorities), 226

CaaS (Communication-as-a-Service), 477

cable Internet access, 293–294

cabling

attenuation, 280

baseband transmissions, 275

broadband transmissions, 275

coaxial cables, 275–277

fiber-optic cables, 277

LAN, 275–278

multimode fiber cables, 277

plenum-grade cables, 277

single-mode cables, 277

“CACPA”, 48

Caesar’s cipher, 298–299

CAIN. See CIA triad

CALEA (Communications Assistance for Law Enforcement Act), 433

call trees, 542

caller ID spoofing, 308

CAM (Content-Addressable Memory), 283

Camellia, 211

cameras, CCTV, 348–349, 496

CAN (Campus Area Networks), 278

capability tables, 388

card keys, employee access control, 355356

card-based authentication, 369370

CASE model, software development, 576–577

CAST (Carlisle Adams/Stafford Tavares), 211

categorization

record retention policies, 45

threats, 107

CBC mode, DES, 213

CBC-MAC (Cipher Block Chaining-MAC), 234

CBK (Common Body of Knowledge), 21

CCTV cameras, perimeter physical control systems, 348–349

CD (Compact Discs), 165

CDAC (Content-Dependent Access Control), 389

CDN (Content Delivery Networks), 324

ceilings, facility/site security controls, 498–501

cell phones, 306–308

centralized access control, 390

CHAP, 390

Diameter, 393

EAP, 390

MS-CHAPv2, 390

PAP, 390

RADIUS, 391–392

TACACS, 392

CER (Crossover Error Rates), 372

certificates, digital, 227–229, 370

certification

architecture security and engineering, 194–195

CISSP exams, 20

(ISC)2 website, 28

software development, 571

X.509 certificates, 370

CFAA (Computer Fraud and Abuse Act) of 1986, 72

CFB mode, DES, 213

change control, 36

change detection, 597

change management, 474–475, 580–582

changeovers, software, 572

channels, ISDN, 291–292

CHAP (Challenge-Handshake Authentication Protocol), 326, 390

checklists, disaster recovery, 521–522

checks, software, 561–562

chief security officers, data management, 34

chosen ciphertext, 238

chosen plaintext, 238

CIA triad, 30, 31–32

availability, 31

confidentiality, 30

integrity, 31

cipher locks, 352–353

ciphers, 205

block ciphers, 205, 207–208

s-boxes, 208

stream ciphers, 205, 208

ciphertext, 204

chosen ciphertext, 238

ciphertext-only attacks, 238

CIR (Committed Information Rates), 290

circuit switching, WAN, 291–294

circuit-level proxies, 323

CISC (Complex Instruction Set Computers), 160

CISSP exams

answering

drag-and-drop questions, 26

hotspot questions, 26

multiple-choice questions, 26

strategies for answering, 27

assessing readiness, 20–21

CBK, 21

certification, 20

fees, 20

(ISC)2 website, 21–22, 23

mastering, 27–28

online resources, 28

passing score, 20

questions, types of, 24

answer strategies, 27

drag-and-drop questions, 24, 26

hotspot questions, 25, 26

multiple-choice questions, 24, 26

taking exams, 22–23

terminology, 28

topics, 21

civil law, U.S. legal system/laws, 71

Clark-Wilson security model, 187

classification approach, knowledge management, 38

classification, record retention policies, 45

classifying

assets, 47–48

data, 49–50

commercial data, 51

military data, 50, 51

private data, 51

public data, 51

sensitivity, 50

click-wrap license agreements, 53

clipping levels, 364, 365, 471–472

clock speeds, CPU, 159

cloning cell phones, 307

closed/open systems, 175

cloud computing, 294–295

asset management, 477–478

backups, 539

cloud-based storage, 39–40

CSA, STAR ratings, 85

clustering

keys, 239

servers, 530, 533

CMAC (Cipher-based MAC), 235

CMMI model, software development, 578–579

coaxial cables, 275, 277

COBIT (Control Objectives for Information and Related Technologies), 39, 413

coding

assemblers, 589

compilers, 589

interpreters, 590

mobile code, 595

OOP, 591–592

programming languages, 588–590

reviewing, 425

scripting languages, 590

cognitive passwords, 366–367

cold sites, disaster recovery, 527

collaboration, multimedia, 331332

combination locks, 351–352

commercial data classification, 51

Common Criteria (ISO 15408), product security evaluation models, 192–194

common law, 71

communications

attacks, 77

CaaS, 477

email security, 296–297

frequency analysis, 299

full duplex communication, 280

half duplex communication, 280

LAN protocols, 271–272

loss, 495

security, 298

802.11 wireless networks/standards, 308–316

ATBASH, 299

Bluetooth technologies, 311–312

book ciphers, 302–303

Caesar’s cipher, 298–299

cell phones, 306–308

concealment ciphers, 302

DECT, 315

Enigma machine, 303

Feistel network, 303

frequency analysis, 299

history, 298–304

polyalphabetic ciphers, 299–300

Purple machine, 303, 304

quantum cryptography, 304

running key ciphers, 302–303

substitution ciphers, 301–302

TCP/IP network model, 316–320

Vernam ciphers, 303

Vigenere ciphers, 300–301

VoIP, 304–306

WAP, 315–316

WEP, 313–315

simplex communication, 280

telecommunications equipment, 281

community clouds, 478

comparative analysis, passwords, 439

compartmentalized systems, MAC, 385

compartmented operation mode, 176

compilers, 589

completeness checks, 562

compliance, data governance policies, 33

computer crime/hackers, 76

attack methodologies, 430–431

attack vectors, 77

communications attacks, 77

corporate spies, 78

crackers, 77–78

cyberterrorists/cybercriminals, 78

data breaches, 76–77

disgruntled employees, 78

hacker researchers, 428, 429

hactivism, 142, 428

insurance, 93

investigating computer crimes, 452, 459, 513

business continuity, 458–459

digital forensics, 461–465

disaster recovery, 458–459

incident response, 453–458, 514

interviews/interrogations, 459–460

jurisdictions, 452–453

search and seizure/surveillance, 459

IOCE, 516

law enforcement/security conferences, 79

logical attacks, 77

nation-state hackers, 78

organized crime, 428

personnel security attacks, 77

phreakers, 308, 430, 482, 492

physical security attacks, 77

script kiddies, 78

skilled hackers, 428

social engineering attacks, 77

threat actors, 78

computer/device configurations, 168–170

Computer Ethics Institute, 139–140

computer forensics, 515

continuous lighting, 349

concealment ciphers, 302

conferences

security conferences, computer crime/hackers, 79

web conferencing, 331

confidentiality

CIA triad, 30

cryptography, 203

security models, 182

configurations

broken configuration management, database vulnerabilities, 586

computers/devices, 168–170

email, 479–480

lockdowns, 60

managing, 474–475

sealing, 56

construction, facility/site security controls, 498

contact smart cards, 369

contactless smart cards, 369

continuity plans, 458459

BCP

BIA, 117–123

corrective controls, 117

detective controls, 117

DRP, 113–115

preventive controls, 117

project management/initiation, 116–117

reputations, 122–123

DRP, 113–115

continuous backups, 538

contracts of adhesion, 53

control units, 158

control zones, 198–199, 492

controls, 127–128, 130

access controls, 129–130

administrative controls, 128

application controls, 561–562

BYOT controls, 202–203

corrective controls, 568

data center controls, 241

detective controls, 568

employee access control, 355

biometrics, 358, 370–375

card keys/badges, 355–356

RFID tags, 342, 357

silent hostage (duress) alarms, 356

smart/dumb cards, 356

environmental controls/HVAC, 241, 501

fire prevention/detection/suppression controls, 241, 501, 505–506

fire suppression, 507–509

fire-detection equipment, 506–507

logical security controls, 152

perimeter physical control systems, 344, 493

bollards, 346–347

CCTV cameras, 348–349, 496

deadman doors, 346

dogs, 350

fences, 343

gates, 345–346

guards, 350

lighting, 349–350

locks, 351–355

mantraps, 346

turnstiles, 346

physical access controls, 240, 342–343, 495–496

CPTED, 496–497

perimeter physical control systems, 344–348, 493

physical controls, 129, 152

preventive controls, 568

risk assessments, 9596

security policies, levels of control, 124

server room controls, 241

site/facility security controls, 240–241

software, 561–562

technical controls, 129

convergence, network, 304

COOP (Continuity Of Operations Plan), 111

copyrights

DMCA, 53–54

intellectual property, 74

CORBA (Common Object Request Broker Architecture), 592

cordless phones, 308

corporate spies, 78, 428

Corpus Juris Civilis, 73

corrective controls, 117, 568

COSO (Committee for Sponsoring Organizations of Treadway Commission), 142

costs

cost-benefit analysis, risk management, 106

data governance policies, 33

risk versus levels of control, 105–106

countermeasures, risk management

acceptable risk, 103–105

avoiding risk, 105

cost of risk versus levels of control, 105–106

mitigating risk, 105

residual risk, 105–106

risk reports, 106

tolerating risk, 103–104, 105

coverage, penetration testing, 413–414

covert channels, 197–198

“CP SOW”, 47

CPTED (Crime Prevention Through Environmental Design), 496–497

CPU (Central Processing Units), 158

advancements, 159

ALU, 158

categorizing, 160

CISC, 160

clock speeds, 159

control units, 158

input, 160

interrupts, 162

I/O bus standards, 166–167

memory, 159

MIPS, 159

multiprocessor systems, 160

multithreaded programs, 161

PID, 161

problem state, 159, 160

processes, 161

ready state, 159

RISC, 160

scalar processors, 160

superscalar processors, 160

supervisor state, 159, 160

threads, 161

transistors, 159

wait state, 159

crackers, 77–78

cracking passwords, 366, 439–442

credential stuffing, 439

credit/debit cards, PCI-DSS, 42–43

CRIME cryptographic attack, 240

crime triangles, 452

criminal law, U.S. legal system/laws, 71

CRL (Certificate Revocation Lists), 227

Cross-Site Scripting (XSS), 199, 200

cryptanalysis, 205

differential cryptanalysis, 238

linear cryptanalysis, 238

crypters, 448–449

cryptography, 153, 203

3DES, 215–216

AES, 217

algorithms, 204, 206–207

asymmetric cryptography, 207

symmetric algorithms, 207

asymmetric encryption, 205, 207, 218–220, 237

Diffie-Hellman key exchanges, 220–222

ECC, 223

El Gamal, 223

Knapsack, 223

LUC algorithm, 222

RSA algorithm, 222

XTR public key cryptosystem, 222

ATBASH, 299

attacks, 237–240

authentication, 203–204, 230–231

block ciphers, 205, 207–208

book ciphers, 302–303

Caesar’s cipher, 298–299

ciphertext, 204

concealment ciphers, 302

confidentiality, 203

cryptanalysis, 205

CSS, 238

DES, 211–212

CFB mode, 213

CTR mode, 214–215

ECB mode, 212–213

OFB mode, 214

digital signatures, 205, 235–236, 237

DRM, 205

encryption, 203, 204, 298–304

3DES, 215–216

AES, 217

asymmetric encryption, 207, 218–224, 237

DES, 211–215

end-to-end encryption, 320–321

hybrid encryption, 224–225

IDEA, 210, 218

link-to-link encryption, 321

OSI network model, 256

RC2, 218

RC4, 210, 218

RC5, 210–211, 218

Rijndael, 210, 217

swIPe, 320

symmetric encryption, 205, 208–211, 223–224, 237

tunneling protocols, 57–58, 319, 320

U.S. Government, 237

Enigma machine, 303

Feistel network, 303

frequency analysis, 299

hashing algorithms, 205, 231–233, 237

CBC-MAC, 234

CMAC, 235

HAVAL, 234

HMAC, 234

MAC, 234–235

SHA-1, 233

SHA-2, 233

SHA-3, 234

hybrid encryption, 224–225

integrity, 204, 230–231

Kerckhoff’s Principle, 238

key management, 205

keys, 204

MD algorithms, 233

nonces, 206–207

nonrepudiation, 204

PKI, 153, 225–226

CA, 226

client’s role, 229–230

CRL, 227

digital certificates, 227–229

RA, 226–227

plaintext, 204

polyalphabetic ciphers, 299–300

pseudorandom numbers, 206–207

Purple machine, 303, 304

quantum cryptography, 304

running key ciphers, 302–303

s-boxes, 208

steganography, 205

stream ciphers, 205, 208

substitution ciphers, 301–302

symmetric cryptography, 207

symmetric encryption, 205, 208–211, 223–224, 237

TCP/IP network model, 316–320

TPM chips, 154

Vernam ciphers, 303

Vigenere ciphers, 300–301

Cryptolocker cryptographic attack, 240

CSA (Cloud Security Alliance), STAR ratings, 85

CSMA/CA (Carrier-Sense Multiple Access/Collision Avoidance), 273

CSMA/CD (Carrier-Sense Multiple Access/Collision Detection), 273–274

CSRF (Cross-Site Request Forgery), 199, 200

CSS (Content Scrambling System), 238

CTCPEC (Canadian Trusted Computer Product Evaluation Criteria), 190

CTR mode, DES, 214215

custodians, data, 34, 36, 136

customary law, 73

Cyber Security, 10 Steps to, 86

Cybersecurity Strategy of the European Union, 86

cyberterrorists/cybercriminals, 78

D

DAC (Discretionary Access Control), 382383

DASD (Direct Access Storage Devices), 532

DAST (Dynamic Application Security Testing), 425

data analytics, 37

data and information recovery strategies, 534

data at rest, encryption, 55–57

data audits, 39

data breaches, 76–77

data center controls, 241

data classification, 49–50

commercial data, 51

military data, 50, 51

private data, 51

public data, 51

sensitivity, 50

data controls, 36

data custodians, 34, 36, 136

data diddling, 198

data disposal, 46

data documentation, 36

data governance policies, 32–33

data in transit, encryption, 57–59

data labeling, 44

data lifecycle control, 38

data link layer, OSI network model, 253–254

data management, 32

auditors, 35

chief security officers, 34

data audits, 39

data custodians, 34, 36

data documentation, 36

data governance policies, 32–33

data lifecycle control, 38

data mining, 37

data organization, 36

data owners, 34

data ownership, 35, 36

data standards, 38

data storage, 39–42

data warehouses, 37

developers, 34

information security steering committees, 34

knowledge management, 38

responsibilities, 34–35

roles, 34–35

security advisor groups, 34

senior management, 34

users, 34

data mining, 37

data organization, 36

data owners

data management, 34

identification, 36

ILM, 35

data ownership, 35

data privacy, PIA, 43–44

Data Protection Authority, 75

data purges, 46

data recovery procedures, 178, 486–487

data reference model, FEA frameworks, 156

data remanence, 46–47

data replication, 538

data sanitization, 46–47, 476–477

data security

authentication, 58

defense in depth, 56

email protocols, 58

encryption, 55

authentication, 58

data at rest, 55–57

data in transit, 57–59

end-to-end encryption, 59

IPsec, 57–58

keys, 56–57

link encryption, 58–59

SED, 56

TPM chips, 55–56

tunneling protocols, 57–58

VPN, 57–58

endpoint security, 59–60

FTP, 57

HTTP, 57

insecure protocols, 57

IPsec, 5758

ISO/IEC 17799, 42

PCI-DSS, 4243

Privacy Rights Clearinghouse, 42

SMTP, 57

Telnet, 57

tunneling protocols, 5758

VPN, 5758

zero-trust environments, 59

data standards, 38

data storage, 364

cloud-based storage, 39–40

DASD, 532

data disposal, 46

data sanitization, 46–47

evidence storage controls, 241

information handling requirements, 44–45

labeling data, 44

MAID, 532–533

NAS, 39–40

record retention policies, 45

SAN, 39–42, 278–280

SASD, 532

data warehouses, 37

database servers, 169

databases, 580–582

administrators, 469

aggregation, 583, 584

attacks, 201–202, 437

attributes, 583

development security, 583–585

AI, 587–588

buffer overflows, 595–596

change detection, 597

CORBA, 592

expert systems, 587–588

integrity, 585

mobile code, 595

OOP, 591–592

programming languages, 588–590

transaction processing, 585

vulnerabilities, 586–587

fields, 583

foreign keys, 583

granularity, 583

hierarchical database management systems, 582

inference, 583, 584–585

knowledge bases, 587

managing, 582–583

network database management systems, 582

object-relational database systems, 583

primary keys, 584

RDBMS, 582–583

relations, 583

shadowing, 538

schemas, 584

scripting languages, 590

tuples, 583

unpatched databases, 586

views, 584

vulnerabilities, 586–587

DCS (Distributed Control Systems), 169

DDoS attacks, 433–434

DDP (Data De-Duplication), 42

DDR (Double Data Rates), 164

deadman doors, perimeter physical control systems, 346

debit/credit cards, PCI-DSS, 42–43

decentralized access control, 393–394

decommissioning hardware, 46–47

DECT (Digital Enhanced Cordless Telecommunication), 315

dedicated (single-state) operating systems, 177

dedicated operation mode, 176

de-encapsulation, OSI network model, 258

default routes, 288

defense in depth, 56, 152–153

degaussing, 46–47, 477

Delphi technique, qualitative assessments, 102

deprovisioning/provisioning, identity/access management, 376

DES (Data Encryption Standard), 206, 210, 211–212

CBC mode, 213

CFB mode, 213

CTR mode, 214–215

ECB mode, 212–213

OFB mode, 214

DES EDE2, 216

DES EDE3, 216

DES EEE2, 216

DES EEE3, 216

design guidelines, architecture security, 152–155

design specifications, software, 566

destroying media/hardware, 477

detection, alarms, 511–512

detective controls, 414, 568

detective controls, BCP, 117

developers, data management, 34

development methodologies, software

agile development, 577–578

CASE model, 576–577

CMMI model, 578–579

IDEAL model, 579

incremental development, 575

JAD model, 575

maturity models, 578–579

MPM model, 576

prototyping, 575–576

RAD model, 575

spiral model, 574

waterfall model, 573

development security, databases, 583–585

AI, 587–588

buffer overflows, 595–596

change detection, 597

CORBA, 592

expert systems, 587–588

integrity, 585

mobile code, 595

OOP, 591–592

programming languages, 588–590

transaction processing, 585

vulnerabilities, 586–587

development security, software, 560

buffer overflows, 595–596

change detection, 597

change management, 580–582

CORBA, 592

database management, 582–583

environment security, 592–595

lifecycles, 560–561

mobile code, 595

OOP, 591–592

programming languages, 588–590

scheduling, 580

SDLC, 563

acceptance testing/implementation, 569–571

building/development, 567–569

design specifications, 566

development methodologies, 573–579

disposal, 572

ERD, 565–566

functional requirements/planning, 565–566

operations/maintenance, 571–572

project initiation, 564–565

reverse engineering, 569

stages of, 563–564

system failure, avoiding, 561–562

application controls, 561–562

avoiding system failure, 562

checks, 561–562

device/computer configurations, 168–170

device locks, 353

diagramming, potential attacks, 107

dialing, war, 420–421

dialing systems, outband, 542

Diameter, centralized access control, 393

dictionary cracking, 439–440

differential backups, 536–537

differential cryptanalysis, 238

Diffie-Hellman key exchanges, 220–222

digital certificates, 227–229, 370

digital forensics, 515–516

acquisition, 516, 517–519

analytics, 517, 520–521

authentication, 516–517, 520

procedures, 516

stages of, 515

types of, 514–515

digital signatures, 205, 235–236, 237

direct OS commands, web-based vulnerabilities, 199

direct-access storage, 165

Directive on Data Protection, 1998, 76

directory traversal attacks, 199

disaster recovery, 458–459, 493–494

awareness, 545

backups, 534–541

business process recovery strategies, 524–525

checklists, 521–522

cold sites, 527

data and information recovery strategies, 534

employee services, 543–544

facility recovery strategies, 525–528

fault tolerance, 530–534

flat tires, 522–523

hot sites, 525–526

implementing plans, 544–545

insurance, 544

interfacing with external groups, 542–543

lifecycle of, 521–523

maintaining plans, 547–548

mobile sites, 527–528

monitoring recovery plans, 547–548

operations recovery strategies, 529–532

organizational functions and recovery times, 535–536

personnel mobilization, 542

plan design/development, 541–544

reciprocal agreements, 528

redundant sites, 527

strategies, 524–532

subscription services, 525–527

supply recovery strategies, 525–528

teams/responsibilities, 523

tertiary sites, 525

testing recovery plans, 546–547

user recovery strategies, 528–529

warm sites, 526

discovery scans, networks, 418

disgruntled employees, computer crime/hackers, 78

disk encryption, 60

disposal

data, 36, 46

software, 572

distance-vector protocols, 288–289

distributed computing, 533–534

diving, dumpster, 444

DMA, I/O using DMA, 162

DMCA (Digital Millennium Copyright Act), 53–54

DMZ (Demilitarized Zones), 324–325

DNS (Domain Name System), 268

DNS spoofing, 437

DNSSEC (Domain Name System Security Extensions), 268

documentation

ATO, 111

BCP

BIA, 117–123

corrective controls, 117

detective controls, 117

DRP, 113–115

preventive controls, 117

project management/initiation, 116–117

reputations, 122–123

BIA questionnaires, 119–121

BPA, 112

COOP, 111

data, 36

DRP, 113–115

IA, 111

ISA, 110

MOU, 111

NDA, 112

OLA, 111

risk reports, 106

SAS 70, 112

security policies, 124

SLA, 111, 495

UA, 111

dogs, perimeter physical control systems, 350

doors, facility/site security controls, 498–501

DoS (Denial of Service)

attacks, 305, 433, 586

testing, 420

doxing, 428

drag-and-drop questions, CISSP exams, 24, 26

DRAM (Dynamic Random-Access Memory), 163–164

DREAD, threat modeling, 109

drive wiping, 47, 477

driving, war, 437

DRM (Digital Rights Management), 205

DROWN cryptographic attack, 240

DRP (Disaster Recovery Plans), 113–115

DSA (Digital Signature Algorithms), 236, 237

DSL (Digital Subscriber Line), 293

DSSS (Direct-Sequence Spread Spectrum), 308

due care, 72, 472–473

due diligence, 72, 472–473

dumb cards, employee access control, 356

dumpster diving, 444

duplicate checks, 562

duress (silent hostage) alarms, 356

duties, separation of, 131–132, 469–470, 471

DVD (Digital Video Discs), 166

dwell time, 308

dynamic NAT, 325

dynamic passwords, 365–366

dynamic routing, 288

E

EA (Enterprise Architectures), 155

FEA frameworks, 156

ISO 27000 series standards, 157

SABSA, 156–157

Zachman Framework, 155–156

EAL (Evaluation Assurance Levels), 192–193

EAP (Extensible Authentication Protocol), 320, 326–328, 390

EAP-FAST, 327

EAP-LEAP, 327

EAP-MD5, 327

EAP-PEAP, 327

EAP-SIM, 327

EAP-TTLS, 327

eavesdropping, 306, 442

ECB mode, DES, 212–213

ECC (Elliptic Curve Cryptosystem), 223

Economic Espionage Act of 1996, 72

educating employees, 134–135

EGP (Exterior Gateway Protocol), 289

El Gamal, 223

electric lock pick guns, 355

electrical power, facility/site security controls, 503–504

electronic vaulting, 539

email

asset management, 478

bombing attacks, 437

configurations, 479–480

IMAP, 479

message privacy, 331–332

POP, 479

security, 296–297

SMTP, 268, 479

standard email protocols, data security, 58

emanations, 198–199, 492

embedded devices, 169–170

EMI (Electromagnetic Interference), 503

employees

access control, 355

biometrics, 358, 370–375

card keys/badges, 355–356

RFID tags, 342, 357

silent hostage (duress) alarms, 356

smart/dumb cards, 356

audits, 548

awareness, disaster recovery, 545

disaster recovery services, 543–544

disgruntled employees, computer crime/hackers, 78

HIPAA, 79–80

job descriptions, 547

performance reviews, 548

personnel security, 130

background checks, 131

educating employees, 134–135

employee awareness, 134–136

ethics training/awareness, 137–143

job rotation, 132

least privilege, 132–133

mandatory vacations, 133

NDA, 131

new-hire agreements/policies, 131

separation of duties, 131–132

social engineering, 136–137

social networking, 131

termination of employees, 133–134

training employees, 134–135

training, disaster recovery, 545

enabled features (unnecessary), database vulnerabilities, 586

encapsulation

OOP, 591

OSI network model, 256, 257–258

encryption, 55, 203, 204

3DES, 206, 215–216

AES, 217

asymmetric encryption, 207, 218–220, 237

Diffie-Hellman key exchanges, 220–222

ECC, 223

El Gamal, 223

Knapsack, 223

LUC algorithm, 222

RSA algorithm, 222

XTR public key cryptosystem, 222

ATBASH, 299

authentication, 58

Blowfish, 210

book ciphers, 302–303

Caesar’s cipher, 298–299

Camellia, 211

CAST, 211

concealment ciphers, 302

data at rest, 55–57

data in transit, 57–59

DES, 206, 210, 211–212

CBC mode, 213

CFB mode, 213

CTR mode, 214–215

ECB mode, 212–213

OFB mode, 214

disk encryption, 60

end-to-end encryption, 59, 320–321

Enigma machine, 303

Feistel network, 303

frequency analysis, 299

hybrid encryption, 224–225

IDEA, 210, 218

IPsec, 57–58

keys, 56–57

link encryption, 58–59

link-to-link encryption, 321

MARS, 211

OSI network model, 256

polyalphabetic ciphers, 299–300

Purple machine, 303, 304

RC2, 218

RC4, 210, 218

RC5, 210–211, 218

Rijndael, 210, 217

running key ciphers, 302–303

SAFER, 211

SED, 56

Skipjack, 211

substitution ciphers, 301–302

swIPe, 320

symmetric encryption, 205, 208–211, 223–224, 237

TPM chips, 55–56

tunneling protocols, 57–58

L2TP, 320

PPTP, 320

SSTP, 319

Twofish, 210

U.S. Government, 237

Vernam ciphers, 303

Vigenère ciphers, 300–301

VPN, 57–58

end-of-life provisions, 36

endpoint security, 59–60

end-to-end encryption, 59, 320–321

engineering and architecture security, 152, 170, 172–175

accreditation, 195

certification, 194–195

computer/device configurations, 168–170

CPU, 158–163

cryptography, 203

3DES, 215–216

AES, 217

algorithms, 204, 206–207

asymmetric encryption, 205, 207, 218–224, 237

attacks, 237–240

authentication, 203–204, 230–231

block ciphers, 205, 207–208

ciphertext, 204

confidentiality, 203

cryptanalysis, 205

CSS, 238

DES, 211–215

digital signatures, 205, 235–236, 237

DRM, 205

encryption, 203, 204

hashing algorithms, 205, 231–236, 237

hybrid encryption, 224–225

integrity, 204, 230–231

Kerckhoffs’s Principle, 238

key management, 205

keys, 204

MD algorithms, 233

nonces, 206–207

nonrepudiation, 204

plaintext, 204

pseudorandom numbers, 206–207

s-boxes, 208

steganography, 205

stream ciphers, 205, 208

symmetric encryption, 205, 208–211, 223–224, 237

defense in depth design process, 152–153

design guidelines, 152–155

EA, 155–157

frameworks, 154–155

fundamentals, overview, 158

I/O bus standards, 166–167

open/closed systems, 175

operating states, 177–178

PKI, 153, 225–226

CA, 226

client’s role, 229–230

CRL, 227

digital certificates, 227–229

RA, 226–227

process control, 157–158

process isolation, 179

product security evaluation models, 189

Common Criteria (ISO 15408), 192–194

CTCPEC, 190

ITSEC, 191–192

Rainbow Series, The, 189–191

TCSEC, 189–190, 191–192

protection rings, 170–172

recovery procedures, 178, 486–487

regulatory compliance, 157–158

security models, 179, 189

Bell-LaPadula model, 182–184

Biba model, 185–186

Brewer and Nash model, 188

Clark-Wilson model, 187

Graham-Denning model, 188

Harrison-Ruzzo-Ullman model, 188

information flow model, 182

Lattice model, 188

Lipner model, 188

noninterference model, 182

state machine model, 180–181

Take-Grant model, 188

security modes of operation, 176–177

site/facility controls, 240–241

storage media, 163

CD, 165

direct-access storage, 165

DVD, 166

flash memory storage, 166

I/O bus standards, 166–167

optical media, 165

RAM, 163–164, 167–168

ROM, 164–165

secondary storage, 165–166

sequential storage, 165

software, 165

SSD, 166

swap partitions, 167–168

system validation, 194

TPM chips, 154

virtual memory, 167–168

VM, 168

vulnerabilities, 195–196

backdoors, 197

buffer overflows, 196, 200, 595–596

covert channels, 197–198

data diddling, 198

database attacks, 201–202

emanations, 198–199

incremental attacks, 198

maintenance hooks, 197

mobile system vulnerabilities, 202–203

salami attacks, 198

SQL injections, 201–202, 586

state attacks, 197

Van Eck Phreaking, 199, 492

web-based vulnerabilities, 199–202

wireless vulnerabilities, 202

Enigma machine, 303

environmental controls/HVAC, 241, 501, 502–503

EPO (Emergency Power Off), 504

equipment failure, 495

equipment lifecycles, 54–55, 505

ERD (Entity Relationship Diagrams), 565–566

escalation of privilege, 431, 586

ESP (Encapsulating Security Payloads), 329

Ethernet

FCoE, 41

frames, 271–272

ethics training/awareness, 137–138

10 Commandments of Computer Ethics, 139–140

common fallacies, 141–142

Computer Ethics Institute, 139–140

IAB, 140–141

(ISC)2 Code of Ethics, 138–139

ISOC, 140–141

NIST SP 800-14, 141

regulatory requirements, 142–143

RFC 1087, 140–141

EU (European Union)

1998 Directive on Data Protection, 76

Cybersecurity Strategy of the European Union, 86

Data Protection Authority, 75

right to be forgotten, 75

event logs, 416

evidence

hearsay evidence, U.S. legal system/laws, 72

storage controls, 241

exams, CISSP

answer strategies, 24–27

assessing readiness, 20–21

CBK, 21

certification, 20

drag-and-drop questions, 24, 26

fees, 20

hotspot questions, 25, 26

(ISC)2 website, 21–22, 23

mastering, 27–28

multiple-choice questions, 24, 26

online resources, 28

passing score, 20

taking exams, 22–23

terminology, 28

topics, 21

types of questions, 24

existence checks, 562

expert systems, 587–588

exploit kits, 450

extensive privileges, database vulnerabilities, 586

exterior gateway protocols, 289

external audits, 413

external groups (disaster recovery), interfacing with, 542–543

F

facial recognition, 373

facility recovery strategies, 525–528

facility/site security controls, 240–241, 495–496

area concerns, 497

asset placement, 498–501

ceilings, 498–501

construction, 498

CPTED, 496–497

doors, 498–501

electrical power, 503–504

environmental controls/HVAC, 502–503

equipment lifecycles, 505

location, 498

UPS, 504–505

walls, 498–501

windows, 498–501

Fagan inspections, 426

failure states, 562

failures (system), avoiding, 561–562

FAIR (Factor Analysis of Information Risk), 87

FAR (False Acceptance Rates), 371

Fast-Flux botnets, 435

fast-injection viruses, 597–598

fault tolerance, 486

disaster recovery, 530–534

RAID, 530–532

faxes, operational security, 482

FCoE (Fibre Channel over Ethernet), 41

FCPA (Foreign Corrupt Practices Act), 142

FDA Resources of Data Management, 38

FEA frameworks, 156

Federal Sentencing Guidelines of 1991, 72

federation, identity/access management, 377

fees, CISSP exam, 20

Feistel network, 303

fences, perimeter physical control systems, 344–345

FHSS (Frequency-Hopping Spread Spectrum), 308

fiber-optic cables, 277

field devices, 169

fields, databases, 583

file servers, 168–169

filters, packet, 322

FIM (Federated Identity Management), 361

final testing, 570

financial attacks, 596–597

fingerprint recognition, 373–374

FIPS (Federal Information Processing Standards), 82

FIPS 199, 82

FIPS 200, 82

fire detectors, 501

fire escapes, 501

fire prevention/detection/suppression controls, 241, 501, 505–506

fire suppression, 507–509

fire-detection equipment, 506–507

firewalls, 322, 481

FireWire (IEEE 1394) interfaces, 167

firing employees, 133–134

FISMA (Federal Information Security Management Act), 81

flash memory storage, 166

flat tires, disaster recovery, 522–523

foot-candles, 349

foreign government agents, threat actors, 429

foreign keys, databases, 583

forensics, digital, 515–516

acquisition, 516, 517–519

analytics, 517, 520–521

authentication, 516–517, 520

procedures, 516

stages of, 515

types of, 514–515

FOUO, data classification, 50

frame relays, 290

frames, 258, 271–272

frameworks

governance frameworks, 154–155

ISO/IEC 19249, 154–155

ITIL, 155

NIST Risk Management Framework, 87

Protection of Information in Computing Systems, The, 154

Zachman Framework, 155–156

FRAP (Facilitated Risk Analysis Process), 102

fraud, CFAA of 1986, 72

FREAK cryptographic attack, 240

frequency analysis, 299

Fresnel lenses, 349

Friedman, William, 304

FRR (False Rejection Rates), 371

FTPS (FTP Secure), 317

FTP (File Transfer Protocol), 57, 267–268, 324

full backups, 536

full duplex communication, 280

fully connected topologies, 275

function testing, 570

functional requirements/planning, SDLC, 565–566

fuzz testing, 426

G

G8 (Group of Eight), 473

GAN (Global Area Networks), 278

Gantt chart, 580

gates, perimeter physical control systems, 345–346

gateways, 287

gateway-to-gateway architectures, 330

gateway-to-gateway tunneling protocols, 58

generic smart cards, 369

GFS tape-rotation schemes, 537

glare protection, 350

GLBA (Gramm-Leach-Bliley Act), 80

global legal/regulatory issues, 74–75

Data Protection Authority, 75

right to be forgotten, 75

governance, security, 70

computer crime/hackers, 76

attack vectors, 77

communications attacks, 77

corporate spies, 78

crackers, 77–78

cyberterrorists/cybercriminals, 78

data breaches, 76–77

disgruntled employees, 78

hacktivism, 142

law enforcement/security conferences, 79

logical attacks, 77

nation-state hackers, 78

personnel security attacks, 77

physical security attacks, 77

script kiddies, 78

social engineering attacks, 77

threat actors, 78

global legal/regulatory issues, 74–75

Data Protection Authority, 75

right to be forgotten, 75

holistic enterprise security systems, 71

international legal system/laws, 72–73

1998 Directive on Data Protection, 76

Corpus Juris Civilis, 73

customary law, 73

halakha law, 73

intellectual property, 73–74

mixed law systems, 73

Napoleonic law, 73

religious law, 73

sharia law, 73

policies, assets, 51–52

privacy laws, 75–76

sexual harassment, 79

U.S. legal system/laws

administrative (regulatory) law, 71

CFAA (Computer Fraud and Abuse Act) of 1986, 72

civil law, 71

common law, 71

criminal law, 71

due care, 72

due diligence, 72

Economic Espionage Act of 1996, 72

Federal Sentencing Guidelines of 1991, 72

hearsay evidence, 72

Identity Theft and Assumption Deterrence Act of 1998, 76

personal information websites, 76

Privacy Act of 1974, The, 75

privacy laws, 75–76

stare decisis, 71

U.S. Child Pornography Prevention Act of 1996, 72

U.S. Patriot Act of 2001, 72

governance frameworks, 154

ISO/IEC 19249, 154–155

ITIL, 155

Protection of Information in Computing Systems, The, 154

governance policies, data, 32–33

Graham-Denning security model, 188

granularity, databases, 583

graybox testing, 420

graylists, 480

grid computing, 533–534

guards, perimeter physical control systems, 350

guidelines, risk management, 127

H

hackers/computer crime, 76

attack methodologies, 430–431

attack vectors, 77

communications attacks, 77

corporate spies, 78

crackers, 77–78

cyberterrorists/cybercriminals, 78

data breaches, 76–77

disgruntled employees, 78

hacker researchers, 428, 429

hacktivism, 142, 428

insurance, 93

investigating computer crimes, 452, 459, 513

business continuity, 458–459

digital forensics, 461–465

disaster recovery, 458–459

incident response, 453–458, 514

interviews/interrogations, 459–460

jurisdictions, 452–453

search and seizure/surveillance, 459

IOCE, 516

law enforcement/security conferences, 79

logical attacks, 77

nation-state hackers, 78

organized crime, 428

personnel security attacks, 77

phreakers, 308, 430, 482, 492

physical security attacks, 77

script kiddies, 78

skilled hackers, 428

social engineering attacks, 77

threat actors, 78

halakha law, 73

half duplex communication, 280

halon fire suppression, 508–509

hand geometry recognition, 372

Hanoi, Tower of, 538

hard changeovers, software, 572

hard drives, SED, 56

hardware

bridges, 282

configuration lockdowns, 60

data sanitization, 476–477

decommissioning, 46–47

degaussing, 477

destroying, 477

disk encryption, 60

drive wiping, 47, 477

equipment lifecycles, 54–55, 505

forensics, 515

gateways, 287

hubs, 281

keystroke loggers, 403

mirrored ports, 284

network taps, 284

repeaters, 281

routers, 285–286

routine maintenance, 54

SED, 56

switches, 282–283

technical support, 54–55

zeroization, 477

zero-trust environments, 59

Harrison-Ruzzo-Ullman security model, 188

hashing algorithms, 205, 231–233, 237

HAVAL, 234

MAC, 234–235

CBC-MAC, 234

CMAC, 235

HMAC, 234

SHA-1, 233

SHA-2, 233

SHA-3, 234

HAVAL, 234

HBA (Host Bus Adapters), 41

HDLC (High-Level Data Link Control), 294

headers, 257

AH, 329

UDP, 266–267

hearsay evidence, U.S. legal system/laws, 72

heuristic scanning, 483

HIDS (Host-Based Intrusion Detection Systems), 398, 512

hierarchical database management systems, 582

hierarchical designs, MAC, 385

high-impact assets, 92–93

high-risk assets, 92–93

hijacking sessions, 431–432

HIPAA (Health Insurance Portability and Accountability Act), 79–80

HMAC (Hash-based Message Authentication Code), 234

hoaxes, virus, 444

holistic enterprise security systems, 71

honeypots/honeynets, operational security, 484–485

hopping, VLAN, 285

host-to-gateway architectures, 330

host-to-host architectures, 330

host-to-host (transport) layer, TCP/IP network model, 259–260, 318–319

TCP, 264–266, 267

UDP, 264–265, 266–267

Host-to-LAN tunneling protocols, 58

hot fixes, 595

hot sites, disaster recovery, 525–526

hotspot questions, CISSP exams, 25, 26

HR, need for, 128

HSSI (High-Speed Serial Interface), 294

HTML programming language, 590

HTTP (HyperText Transfer Protocol), 269, 324

data security, 57

S-HTTP, 317

hubs, 281

human-caused threats, 494–495

HVAC/environmental controls, 241, 501, 502–503

hybrid attacks, 440

hybrid clouds, 478

hybrid designs, MAC, 385

hybrid encryption, 224–225

I

IA (Interoperability Agreements), 111

IaaS (Infrastructure-as-a-Service), 294–295, 478

IAB (Internet Architecture Board), ethics training/awareness, 140–141

IAL (Identity Assurance Levels), 360

IAM (INFOSEC Assessment Methodology), 102

IAST (Interactive Application Security Testing), 425

ICMP (Internet Control Message Protocol), TCP/IP network model, 263

ICS (Industrial Control Systems), 169

IDaaS (Identity as a Service), 362–363

IDEA (International Data Encryption Algorithm), 210, 218

IDEAL model, software development, 579

identifying assets, 91–93, 107

identity theft, 443

Identity Theft and Assumption Deterrence Act of 1998, 76

identity/access management, 342, 358–359, 377

accountability, 343

authentication, 342–343, 358–361

AAL, 360

biometrics, 370–375

card-based authentication, 369–370

CHAP, 390

digital certificates, 370

EAP, 390

FIM, 358–360

IAL, 360

IDaaS, 358–360

MS-CHAPv2, 390

multifactor authentication, 375

OAuth, 362

OpenID, 362

PAP, 390

passwords, 363–367

SAML, 361–362

strong authentication, 375

tokens, 367–368

two-factor authentication, 375

authorization, 343, 382

ABAC, 387–388

audits, 394–396

CDAC, 389

centralized access control, 390–393

DAC, 382–383

decentralized access control, 393–394

IDS, 396–401, 510–511, 512–513

IPS, 384, 401

keystroke monitoring, 402–403

LBAC, 389

MAC, 383–385

monitoring access, 394–396

NAC, 401–402

RBAC, 385–387

rule-based access control, 388

SIEM, 401

employee access control, 355

biometrics, 358, 370–375

card keys/badges, 355–356

RFID tags, 342, 357

silent hostage (duress) alarms, 356

smart/dumb cards, 356

federation, 377

Kerberos, 378–381

least privilege, 343

lifecycles, 376

perimeter physical control systems, 344

bollards, 346–347

CCTV cameras, 348–349, 496

deadman doors, 346

dogs, 350

fences, 343

gates, 345–346

guards, 350

lighting, 349–350

locks, 351–355

mantraps, 346

turnstiles, 346

physical access controls, 342–343, 344–348

profile management, 377

SESAME, 381

SPML, 378

SSO, 343, 378

user provisioning, 376

WS-Security, 377

XML, 377

IDS (Intrusion Detection Systems), 396–397, 510–511

anomaly-based IDS, 399–400

HIDS, 398, 512

NIDS, 397–398, 512

rule-based IDS, 400

sensor placement, 400–401

signature-based IDS, 399

IEEE 1394 (FireWire) interfaces, 167

IGMP (Internet Group Management Protocol), TCP/IP network model, 264

IKE (Internet Key Exchange), 329–330

ILM (Information Lifecycle Management), 35

IM (Instant Messaging), 331

images, digital forensics

primary images, 520

working images, 520

IMAP (Internet Message Access Protocol), 269, 479

impact scale, qualitative assessments, 100–101

impersonation attacks, 444

implementing disaster recovery plans, 544–545

incident response, computer crime investigations, 453–458, 514

incremental attacks, 198

incremental backups, 537

incremental development, software, 575

inference

attacks, 321

databases, 583, 584–585

information flow security model, 182

information handling requirements, data storage, 44–45

information security steering committees, data management, 34

informative policies, 125–126

insecure protocols, data security, 57

insecure/jailbroken devices, 203

insiders/disgruntled employees, 428

insurance

disaster recovery, 544

hackers/computer crime, 93

integer overflow, 426–427

integrity

checking, 483

CIA triad, 31

cryptography, 204, 230–231

databases, 585

digital forensics, authentication, 520

security models, 185–188

intellectual property

copyrights, 74

international legal system/laws, 73–74

service marks, 73

trade secrets, 73–74

trademarks, 73

interface testing, 569

interfacing with external groups, disaster recovery, 542–543

internal audits, 413

international governance standards, 86

10 Steps to Cyber Security, 86

Cybersecurity Strategy of the European Union, 86

ISO, 83–85

ITIL, 82–83

OECD, 85–86

STAR ratings, CSA, 85

international legal system/laws, 72–73

1998 Directive on Data Protection, 76

Corpus Juris Civilis, 73

customary law, 73

halakha law, 73

intellectual property, 73–74

IOCE, 516

mixed law systems, 73

Napoleonic law, 73

religious law, 73

sharia law, 73

Internet layer, TCP/IP network model, 260, 319–320

ARP, 263–264

ICMP, 263

IGMP, 264

IP, 260–262

interpreters, 590

interrogations/interviews, investigating computer crimes, 459–460

interrupt-driven I/O, 162

interrupts, CPU, 162

interviews/interrogations, investigating computer crimes, 459–460

intrusion detection, IDS, 396–397, 510–511

anomaly-based IDS, 399–400

HIDS, 398, 512

NIDS, 397–398, 512

rule-based IDS, 400

sensor placement, 400–401

signature-based IDS, 399

inventories, assets, 47–48

investigating computer crimes, 452

digital forensics, 461–465

incident response, 453–458, 514

IOCE, 516

jurisdictions, 452–453

operational security, 513

I/O

bus standards, 166–167

interrupt-driven I/O, 162

I/O using DMA, 162

memory-mapped I/O, 162

port-mapped I/O, 162

programmed I/O, 162

IOC (Indicators of Compromise), 597

IOCE (International Organization on Computer Evidence), 516

IoT (Internet of Things), 169–170

IP (Internet Protocol)

SKIP, 319

swIPe, 320

TCP/IP network model, 260–262

VoIP, 304–306

IPS (Intrusion Prevention Systems), 384, 401

IPsec (IP Security), 57–58, 329–330

iris recognition, 373

ISA (Interconnection Security Agreements), 110, 166

(ISC)2

Code of Ethics, 138–139

website, 21–22, 23, 28

iSCSI (Internet Small Computer System Interface), 40–41

ISDN (Integrated Services Digital Network), 291–292

ISO (International Organization for Standardization)

ISO 9001, 84

ISO 15408 (Common Criteria), 192–194

ISO 27001, 84–85, 157

ISO 27002, 83, 157

ISO 27003, 157

ISO 27004, 84, 157

ISO 27005, 84, 157

ISO 27799, 84

ISO/IEC 17799, 42

ISO/IEC 19249, 154–155

ISO/IEC 27002, sexual harassment, 79

ISOC (Internet Society), ethics training/awareness, 140–141

isolating processes, 179

ITIL (Information Technology Infrastructure Library), 82–83, 155

ITSEC (Information Technology Security Evaluation Criteria), 191–192

J

JAD model, software development, 575

jailbroken/insecure devices, 203

Java programming language, 590, 595

JFK Records Act, 45

jobs

descriptions, 547

rotation, 132, 471

joins, LBAC, 389

journaling, remote, 539

jurisdictions, computer crime investigations, 452–453

K

kanban, 578

Kerberos, 378–381

Kerckhoffs’s Principle, 238

kernels, security, 174

key cards, employee access control, 355–356

keys

bumping, 354

clustering, 239

cryptographic keys, 204

Diffie-Hellman key exchanges, 220–222

encryption keys, 56–57

foreign keys, databases, 583

IKE, 329–330

managing, 205

primary keys

databases, 584

ERD, 565

SKIP, 319

space, 206

symmetric encryption, 210

XTR public key cryptosystem, 222

keystroke monitoring, 402–403, 491–492

Knapsack, 223

knowledge bases, 587

knowledge management, 38

classification approach, 38

probabilistic approach, 38

statistical approach, 38

known plaintext attacks, 238

KPI (Key Performance Indicators), 414–415

KRI (Key Risk Indicators), 415

L

L2TP (Layer 2 Tunneling Protocol), 320

labeling data, 44

LAN (Local Area Networks), 271, 278

cabling, 275–278

communication protocols, 271–272

Ethernet frames, 271–272

tokens, 272

VLAN, 282, 284–285

VXLAN, 284–285

WLAN, 309, 312–313

LAN-to-LAN tunneling protocols, 58

laptops, 169

Lattice security model, 188

law enforcement, computer crime/hackers, 79

law/legal compliance, data governance policies, 33

laws/legal systems

global legal/regulatory issues, 74–75

Data Protection Authority, 75

right to be forgotten, 75

international legal system/laws, 72–73

1998 Directive on Data Protection, 76

Corpus Juris Civilis, 73

customary law, 73

halakha law, 73

intellectual property, 73–74

IOCE, 516

mixed law systems, 73

Napoleonic law, 73

religious law, 73

sharia law, 73

privacy laws, 75–76

U.S. legal system/laws

administrative (regulatory) law, 71

CALEA, 433

CFAA (Computer Fraud and Abuse Act) of 1986, 72

civil law, 71

common law, 71

criminal law, 71

due care, 72

due diligence, 72

Economic Espionage Act of 1996, 72

FCPA, 142

Federal Sentencing Guidelines of 1991, 72

FIPS, 82

FISMA, 81

GLBA, 80

hearsay evidence, 72

HIPAA, 79–80

Identity Theft and Assumption Deterrence Act of 1998, 76

keystroke monitoring, 492

NIST, 82

personal information websites, 76

Privacy Act of 1974, The, 75

privacy laws, 75–76

SOX, 81, 142, 472

stare decisis, 71

U.S. Child Pornography Prevention Act of 1996, 72

U.S. Patriot Act of 2001, 72

U.S. Securities Act of 1933, 472

LBAC (Lattice-Based Access Controls), 389

LDAP (Lightweight Directory Access Protocol), 270

leaks, memory, 164

least privilege, 132–133, 343, 468, 471

levels of control, security policies, 124

liability, data governance policies, 33

licensing software, 52–53

click-wrap license agreements, 53

contracts of adhesion, 53

DMCA, 53–54

master license agreements, 53

shrink-wrap license agreements, 53

lifecycles

equipment, 54–55, 505

software, 560–561, 563

acceptance testing/implementation, 569–571

building/development, 567–569

design specifications, 566

ERD, 565–566

functional requirements/planning, 565–566

operations/maintenance, 571–572

project initiation, 564–565

reverse engineering, 569

stages of, 563–564

lifecycle control, data, 38

lifetimes, session, 202

lighting, perimeter physical control systems, 349–350

limit checks, 562

linear cryptanalysis, 238

link encryption, 58–59

link-state protocols, 289

link-to-link encryption, 321

Lipner security model, 188

location

facility/site security controls, 498

redundancy, 41
