
CISSP Study Guide
- 1st Edition - July 26, 2010
- Imprint: Syngress
- Authors: Joshua Feldman, Seth Misenar, Eric Conrad
- Language: English
- eBook ISBN: 978-1-59749-564-6
CISSP Study Guide serves as a review for those who want to take the Certified Information Systems Security Professional (CISSP) exam and obtain CISSP certification. The exam is designed to ensure that someone who is handling computer security in a company has a standardized body of knowledge. The book is composed of 10 domains of the Common Body of Knowledge. In each section, it defines each domain. It also provides tips on how to prepare for the exam and take the exam. It also contains CISSP practice quizzes to test one's knowledge. The first domain provides information about risk analysis and mitigation. It also discusses security governance. The second domain discusses different techniques for access control, which is the basis for all the security disciplines. The third domain explains the concepts behind cryptography, which is a secure way of communicating that is understood only by certain recipients. Domain 5 discusses security system design, which is fundamental for operating the system and software security components. Domain 6 is a critical domain in the Common Body of Knowledge, Business Continuity Planning and Disaster Recovery Planning. It is the final control against extreme events such as injury, loss of life, or failure of an organization. Domains 7, 8, and 9 discuss telecommunications and network security, application development security, and the operations domain, respectively. Domain 10 focuses on the major legal systems that provide a framework for determining the laws about information systems.
- Clearly Stated Exam Objectives
- Unique Terms / Definitions
- Exam Warnings
- Helpful Notes
- Learning By Example
- Stepped Chapter Ending Questions
- Self Test Appendix
- Detailed Glossary
- Web Site (http://booksite.syngress.com/companion/conrad) Contains Two Practice Exams and Ten Podcasts, One for Each Domain
This study guide and the CISSP certification are aimed at information security professionals with at least 5 years of relevant experience.
Acknowledgments
About the authors
Chapter 1 Introduction
How to Prepare for the Exam
The Notes Card Approach
Practice Tests
Read the Glossary
Readiness Checklist
How to Take the Exam
Steps to Becoming a CISSP
Exam Logistics
How to Take the Exam
After the Exam
Good Luck!
Chapter 2 Domain 1: Information security governance and risk management
Unique Terms and Definitions
Introduction
Cornerstone Information Security Concepts
Confidentiality, Integrity, and Availability
Identity and Authentication, Authorization, and Accountability
Risk Analysis
Assets
Threats and Vulnerabilities
Risk = Threat × Vulnerability
Impact
Risk Analysis Matrix
Calculating Annualized Loss Expectancy
Total Cost of Ownership
Return on Investment
Risk Choices
Qualitative and Quantitative Risk Analysis
The Risk Management Process
Information Security Governance
Security Policy and Related Documents
Security Awareness and Training
Roles and Responsibilities
Compliance with Laws and Regulations
Privacy
Due Care and Due Diligence
Best Practice
Outsourcing and Offshoring
Auditing and Control Frameworks
Certification and Accreditation
Ethics
The (ISC)²® Code of Ethics
Summary of Exam Objectives
Self Test
Self Test Quick Answer Key
Chapter 3 Domain 2: Access control
Unique Terms and Definitions
Introduction
Cornerstone Access Control Concepts
The CIA Triad
Identification and AAA
Subjects and Objects
Access Control Models
Discretionary Access Controls (DAC)
Mandatory Access Controls (MAC)
Non-Discretionary Access Control
Content and Context-Dependent Access Controls
Centralized Access Control
Decentralized Access Control
Access Control Protocols and Frameworks
Procedural Issues for Access Control
Labels, Clearance, Formal Access Approval, and Need to Know
Rule-Based Access Controls
Access Control Lists
Access Control Defensive Categories and Types
Preventive
Detective
Corrective
Recovery
Deterrent
Compensating
Comparing Access Controls
Authentication Methods
Type 1 Authentication: Something You Know
Type 2 Authentication: Something You Have
Type 3 Authentication: Something You Are
Someplace You Are
Access Control Technologies
Single Sign-On (SSO)
Kerberos
SESAME
Security Audit Logs
Types of Attackers
Hackers
Black Hats and White Hats
Script Kiddies
Outsiders
Insiders
Hacktivist
Bots and BotNets
Phishers and Spear Phishers
Assessing Access Control
Penetration Testing
Vulnerability Testing
Security Audits
Security Assessments
Summary of Exam Objectives
Self Test
Self Test Quick Answer Key
Chapter 4 Domain 3: Cryptography
Unique Terms and Definitions
Introduction
Cornerstone Cryptographic Concepts
Key Terms
Confidentiality, Integrity, Authentication, and Non-Repudiation
Confusion, Diffusion, Substitution, and Permutation
Cryptographic Strength
Monoalphabetic and Polyalphabetic Ciphers
Modular Math
Exclusive Or (XOR)
Types of Cryptography
History of Cryptography
Egyptian Hieroglyphics
Spartan Scytale
Caesar Cipher and other Rotation Ciphers
Vigenère Cipher
Cipher Disk
Jefferson Disks
Book Cipher and Running-Key Cipher
Codebooks
One-Time Pad
Hebern Machines and Purple
Cryptography Laws
Symmetric Encryption
Stream and Block Ciphers
Initialization Vectors and Chaining
Data Encryption Standard
International Data Encryption Algorithm (IDEA)
Advanced Encryption Standard (AES)
Blowfish and Twofish
RC5 and RC6
Asymmetric Encryption
Asymmetric Methods
Hash Functions
Collisions
MD5
Secure Hash Algorithm
HAVAL
Cryptographic Attacks
Brute Force
Known Plaintext
Chosen Plaintext and Adaptive Chosen Plaintext
Chosen Ciphertext and Adaptive Chosen Ciphertext
Meet-in-the-middle Attack
Known Key
Differential Cryptanalysis
Linear Cryptanalysis
Side-channel Attacks
Birthday Attack
Key Clustering
Implementing Cryptography
Digital Signatures
HMAC
CBC-MAC
Public Key Infrastructure
IPsec
SSL and TLS
PGP
S/MIME
Escrowed Encryption
Steganography
Digital Watermarks
Summary of Exam Objectives
Self Test
Self Test Quick Answer Key
Chapter 5 Domain 4: Physical (Environmental) security
Unique Terms and Definitions
Introduction
Perimeter Defenses
Fences
Gates
Bollards
Lights
CCTV
Locks
Smart Cards and Magnetic Stripe Cards
Tailgating/Piggybacking
Mantraps and Turnstiles
Contraband Checks
Motion Detectors and Other Perimeter Alarms
Doors and Windows
Walls, Floors, and Ceilings
Guards
Dogs
Restricted Areas and Escorts
Site Selection, Design, and Configuration
Site Selection Issues
Site Design and Configuration Issues
System Defenses
Asset Tracking
Port Controls
Drive and Tape Encryption
Media Storage and Transportation
Media Cleaning and Destruction
Environmental Controls
Electricity
HVAC
Heat, Flame, and Smoke Detectors
Safety Training and Awareness
ABCD Fires and Suppression
Types of Fire Suppression Agents
Summary of Exam Objectives
Self Test
Self Test Quick Answer Key
Chapter 6 Domain 5: Security architecture and design
Unique Terms and Definitions
Introduction
Secure System Design Concepts
Layering
Abstraction
Security Domains
The Ring Model
Open and Closed Systems
Secure Hardware Architecture
The System Unit and Motherboard
The Computer Bus
The CPU
Memory
Memory Protection
Secure Operating System and Software Architecture
The Kernel
Users and File Permissions
Virtualization
Thin Clients
System Vulnerabilities, Threats, and Countermeasures
Emanations
Covert Channels
Buffer Overflows
TOCTOU/Race Conditions
Backdoors
Malicious Code (Malware)
Server-Side Attacks
Client-Side Attacks
Web Application Attacks
Mobile Device Attacks
Database Security
Countermeasures
Security Models
Reading Down and Writing Up
State Machine Model
Bell-LaPadula Model
Lattice-Based Access Controls
Integrity Models
Information Flow Model
Chinese Wall Model
Noninterference
Take-Grant
Access Control Matrix
Zachman Framework for Enterprise Architecture
Graham-Denning Model
Harrison-Ruzzo-Ullman Model
Modes of Operation
Evaluation Methods, Certification, and Accreditation
The Orange Book
ITSEC
The International Common Criteria
PCI-DSS
Certification and Accreditation
Summary of Exam Objectives
Self Test
Self Test Quick Answer Key
Chapter 7 Domain 6: Business continuity and disaster recovery planning
Unique Terms and Definitions
Introduction
BCP and DRP Overview and Process
Business Continuity Planning (BCP)
Disaster Recovery Planning (DRP)
Relationship between BCP and DRP
Disasters or Disruptive Events
The Disaster Recovery Process
Developing a BCP/DRP
Project Initiation
Scoping the Project
Assessing the Critical State
Conduct Business Impact Analysis (BIA)
Identify Preventive Controls
Recovery Strategy
Related Plans
Plan Approval
Backups and Availability
Hardcopy Data
Electronic Backups
Software Escrow
DRP Testing, Training, and Awareness
DRP Testing
Training
Awareness
Continued BCP/DRP Maintenance
Change Management
BCP/DRP Mistakes
Specific BCP/DRP Frameworks
NIST SP 800-34
ISO/IEC-27031
BS-25999
BCI
Summary of Exam Objectives
Self Test
Self Test Quick Answer Key
Chapter 8 Domain 7: Telecommunications and network security
Unique Terms and Definitions
Introduction
Network Architecture and Design
Network Defense-in-Depth
Fundamental Network Concepts
The OSI Model
The TCP/IP Model
Encapsulation
Network Access, Internet and Transport Layer Protocols and Concepts
Application Layer TCP/IP Protocols and Concepts
Layer 1 Network Cabling
LAN Technologies and Protocols
LAN Physical Network Topologies
WAN Technologies and Protocols
Network Devices and Protocols
Repeaters and Hubs
Bridges
Switches
TAPs
Routers
Firewalls
Modem
DTE/DCE and CSU/DSU
Intrusion Detection Systems and Intrusion Prevention Systems
Honeypots
Network Attacks
Network Scanning Tools
Secure Communications
Authentication Protocols and Frameworks
VPN
VoIP
Wireless Local Area Networks
RFID
Remote Access
Summary of Exam Objectives
Self Test
Self Test Quick Answer Key
Chapter 9 Domain 8: Application development security
Unique Terms and Definitions
Introduction
Programming Concepts
Machine Code, Source Code, and Assemblers
Compilers, Interpreters, and Bytecode
Procedural and Object-Oriented Languages
Fourth-generation Programming Language
Computer-Aided Software Engineering (CASE)
Top-Down versus Bottom-Up Programming
Types of Publicly Released Software
Application Development Methods
Waterfall Model
Sashimi Model
Agile Software Development
Spiral
Rapid Application Development (RAD)
Prototyping
SDLC
Software Escrow
Object-Orientated Design and Programming
Object-Oriented Programming (OOP)
Object Request Brokers
Object-Oriented Analysis (OOA) and Object-Oriented Design (OOD)
Software Vulnerabilities, Testing, and Assurance
Software Vulnerabilities
Software Testing Methods
Disclosure
Software Capability Maturity Model (CMM)
Databases
Types of Databases
Database Integrity
Database Replication and Shadowing
Data Warehousing and Data Mining
Artificial Intelligence
Expert Systems
Artificial Neural Networks
Bayesian Filtering
Genetic Algorithms and Programming
Summary of Exam Objectives
Self Test
Self Test Quick Answer Key
Chapter 10 Domain 9: Operations security
Unique Terms and Definitions
Introduction
Administrative Security
Administrative Personnel Controls
Privilege Monitoring
Sensitive Information/Media Security
Sensitive Information
Asset Management
Configuration Management
Change Management
Continuity of Operations
Service Level Agreements (SLA)
Fault Tolerance
Incident Response Management
Methodology
Types of Attacks
Summary of Exam Objectives
Self Test
Self Test Quick Answer Key
Chapter 11 Domain 10: Legal regulations, investigations, and compliance
Unique Terms and Definitions
Introduction
Major Legal Systems
Civil Law (legal system)
Common Law
Religious Law
Other Systems
Criminal, Civil, and Administrative Law
Criminal Law
Civil Law
Administrative Law
Information Security Aspects of Law
Computer Crime
Intellectual Property
Import/export Restrictions
Privacy
Liability
Legal Aspects of Investigations
Digital Forensics
Incident Response
Evidence
Evidence Integrity
Chain of Custody
Reasonable Searches
Entrapment and Enticement
Important Laws and Regulations
U.S. Computer Fraud and Abuse Act
USA PATRIOT Act
HIPAA
United States Breach Notification Laws
Ethics
Computer Ethics Institute
IAB’s Ethics and the Internet
The (ISC)²® Code of Ethics
Summary of Exam Objectives
Self Test
Self Test Quick Answer Key
Appendix: Self test
Glossary
Index
- Edition: 1
- Published: July 26, 2010
- Imprint: Syngress
- No. of pages: 640
- Language: English
- eBook ISBN: 9781597495646
Joshua Feldman
Joshua Feldman (CISSP) is Senior Vice President for Security Technology at the Radian Group – a real estate and mortgage insurance conglomerate. His mission is focused on protecting over 10M US consumer financial records. He is the executive responsible for all aspects of Radian’s technical security program. Previous security roles included work at Moody’s Credit Ratings, Corning Inc, and the US Department of Defense and Department of State.
In 2008, Joshua was Eric's student when studying for the CISSP exam and was so impressed with Eric’s mastery of the materials that he invited Eric to work with him at the DoD. Quickly after starting work, Eric invited Seth. That project ran successfully for over eight years – a testament to the value brought for US military cyber professionals.
Joshua got his start in the cyber security field when he left his public-school science teaching position in 1997 and began working for Network Flight Recorder (NFR, Inc.), a small Washington, DC based startup making the first generation of Network Intrusion Detection Systems. He has a Bachelor of Science from the University of Maryland and a Master's in Cyber Operations from National Defense University. He currently resides in Philadelphia with his little dog, Jacky-boy.
Affiliations and expertise
Senior Vice President for Security Technology, Radian Group, Wayne, PA, USA
Seth Misenar
Seth Misenar (CISSP®, GSE, GDSA, GDAT, GMON, GCDA, GCIH, GCIA, GCFA) is a Fellow with the SANS Institute and also serves as Principal Consultant for Jackson, Mississippi-based Context Security, LLC. His cyber security background includes research, host-based and network intrusion detection, architecture design, and general security consulting. Seth previously served as a physical and network security consultant for Fortune 100 companies and a state government agency’s HIPAA and information security officer. He has partnered with the SANS Institute for over 15 years, teaching and authoring courseware and facilitating instructor development. Seth is pursuing a Master of Science degree in Information Security Engineering from the SANS Technology Institute and holds a Bachelor of Science degree from Millsaps College.
Affiliations and expertise
Fellow, SANS Institute, Bethesda, MD, USA; Principal Consultant, Context Security, LLC., Jackson, MI, USA
Eric Conrad
Eric Conrad (CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GAWN, GSEC, GMON, GISP), is a SANS fellow and Chief Technology Officer of Backshore Communications, which provides threat hunting, penetration testing, incident handling, and intrusion detection consulting services. Eric started his professional career in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and healthcare, in positions ranging from systems programmer to security engineer to HIPAA security officer and ISSO. He is coauthor of MGT414: SANS Training Program for the CISSP Certification, SEC511: Continuous Monitoring and Security Operations, and SEC542: Web App Penetration Testing and Ethical Hacking. Eric graduated from the SANS Technology Institute with a Master of Science degree in Information Security Engineering.
Affiliations and expertise
Fellow, SANS Institute, Bethesda, MD, USA; Chief Technology Officer, Backshore Communications LLC., Peaks Island, ME, USA