CISSP Cert Guide: (Certification Guide)

Learn, prepare, and practice for CISSP exam success with this Cert Guide from Pearson IT Certification, a leader in IT certification learning. Master the latest CISSP exam topics Assess your knowledge with chapter-ending quizzes Review key concepts with exam preparation tasks Practice with realistic exam questions Get practical guidance for test taking strategies CISSP Cert Guide, Fourth Edition is a comprehensive exam study guide. Leading IT certification experts Robin Abernathy and Darren Hayes share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics. The book presents you with an organized test preparation routine through the use of proven series elements and techniques. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan. The companion website contains the powerful Pearson Test Prep practice test software engine, complete with hundreds of exam-realistic questions. The assessment engine offers you a wealth of customization options and reporting features, laying out a complete assessment of your knowledge to help you focus your study where it is needed most. Well regarded for its level of detail, assessment features, and challenging review questions and exercises, this CISSP study guide helps you master the concepts and techniques that will allow you to succeed on the exam the first time. This study guide helps you master all the topics on the CISSP exam, including Security and Risk Management Asset Security Security Architecture and Engineering Communication and Network Security Identity and Access Management (IAM) Security Assessment and Testing Security Operations Software Development Security

Table of Contents:
Introduction xlvii Chapter 1 Security and Risk Management 5 Security Terms 6     CIA 6     Auditing and Accounting 7     Non-repudiation 8     Default Security Posture 8     Defense in Depth 9     Abstraction 10     Data Hiding 10     Encryption 10 Security Governance Principles 10     Security Function Alignment 12     Organizational Processes 14     Organizational Roles and Responsibilities 16     Security Control Frameworks 20     Due Care and Due Diligence 38 Compliance 38     Contractual, Legal, Industry Standards, and Regulatory Compliance 40     Privacy Requirements Compliance 40 Legal and Regulatory Issues 41     Computer Crime Concepts 41     Major Legal Systems 43     Licensing and Intellectual Property 46     Cyber Crimes and Data Breaches 50     Import/Export Controls 51     Trans-Border Data Flow 51     Privacy 52 Investigation Types 62     Operations/Administrative 63     Criminal 63     Civil 64     Regulatory 64     Industry Standards 64     eDiscovery 67 Professional Ethics 67      (ISC)2 Code of Ethics 67     Computer Ethics Institute 68     Internet Architecture Board 68     Organizational Code of Ethics 69 Security Documentation 69     Policies 70     Processes 72     Procedures 72     Standards 73     Guidelines 73     Baselines 73 Business Continuity 73     Business Continuity and Disaster Recovery Concepts 73     Scope and Plan 77     BIA Development 81 Personnel Security Policies and Procedures 85     Candidate Screening and Hiring 85     Employment Agreements and Policies 87     Employee Onboarding and Offboarding Policies 88     Vendor, Consultant, and Contractor Agreements and Controls 88     Compliance Policy Requirements 89     Privacy Policy Requirements 89     Job Rotation 89     Separation of Duties 89 Risk Management Concepts 90     Asset and Asset Valuation 90     Vulnerability 91     Threat 91     Threat Agent 91     Exploit 91     Risk 91     Exposure 92     Countermeasure 92     Risk Appetite 92     Attack 93     Breach 93     Risk Management Policy 94     Risk Management Team 94     Risk Analysis Team 94     Risk Assessment 95     Implementation 100     Control Categories 100     Control Types 102     Controls Assessment, Monitoring, and Measurement 108     Reporting and Continuous Improvement 108     Risk Frameworks 109     A Risk Management Standard by the Federation of European Risk Management Associations (FERMA) 128 Geographical Threats 129     Internal Versus External Threats 129     Natural Threats 130     System Threats 131     Human-Caused Threats 133     Politically Motivated Threats 135 Threat Modeling 137     Threat Modeling Concepts 138     Threat Modeling Methodologies 138     Identifying Threats 141     Potential Attacks 142     Remediation Technologies and Processes 143 Security Risks in the Supply Chain 143     Risks Associated with Hardware, Software, and Services 144     Third-Party Assessment and Monitoring 144     Minimum Service-Level and Security Requirements 145     Service-Level Requirements 146 Security Education, Training, and Awareness 147     Levels Required 147     Methods and Techniques 148     Periodic Content Reviews 148 Review All Key Topics 148 Complete the Tables and Lists from Memory 150 Define Key Terms 150 Answers and Explanations 157 Chapter 2 Asset Security 165 Asset Security Concepts 166     Asset and Data Policies 166     Data Quality 167     Data Documentation and Organization 168 Identify and Classify Information and Assets 169     Data and Asset Classification 170     Sensitivity and Criticality 170     Private Sector Data Classifications 175     Military and Government Data Classifications 176 Information and Asset Handling Requirements 177     Marking, Labeling, and Storing 178     Destruction 178 Provision Resources Securely 179     Asset Inventory and Asset Management 179 Data Life Cycle 180     Databases 182     Roles and Responsibilities 188     Data Collection and Limitation 191     Data Location 192     Data Maintenance 192     Data Retention 193     Data Remanence and Destruction 193     Data Audit 194 Asset Retention 195 Data Security Controls 197     Data Security 197     Data States 197     Data Access and Sharing 198     Data Storage and Archiving 199     Baselines 200     Scoping and Tailoring 201     Standards Selection 201     Data Protection Methods 202 Review All Key Topics 205 Define Key Terms 205 Answers and Explanations 207 Chapter 3 Security Architecture and Engineering 213 Engineering Processes Using Secure Design Principles 214     Objects and Subjects 215     Closed Versus Open Systems 215     Threat Modeling 215     Least Privilege 216     Defense in Depth 216     Secure Defaults 216     Fail Securely 217     Separation of Duties (SoD) 217     Keep It Simple 218     Zero Trust 218     Privacy by Design 218     Trust but Verify 219     Shared Responsibility 219 Security Model Concepts 220     Confidentiality, Integrity, and Availability 220     Confinement 220     Bounds 221     Isolation 221     Security Modes 221     Security Model Types 222     Security Models 226     System Architecture Steps 230     ISO/IEC 42010:2011 231     Computing Platforms 231     Security Services 234     System Components 235 System Security Evaluation Models 244     TCSEC 245     ITSEC 248     Common Criteria 250     Security Implementation Standards 252     Controls and Countermeasures 255 Certification and Accreditation 256 Control Selection Based on Systems Security Requirements 256 Security Capabilities of Information Systems 257     Memory Protection 257     Trusted Platform Module 258     Interfaces 259     Fault Tolerance 259     Policy Mechanisms 260     Encryption/Decryption 260 Security Architecture Maintenance 261 Vulnerabilities of Security Architectures, Designs, and Solution Elements 261     Client-Based Systems 262     Server-Based Systems 263     Database Systems 264     Cryptographic Systems 265     Industrial Control Systems 265     Cloud-Based Systems 268     Large-Scale Parallel Data Systems 274     Distributed Systems 275     Grid Computing 275     Peer-to-Peer Computing 275     Internet of Things 276     Microservices 280     Containerization 281     Serverless Systems 281     High-Performance Computing Systems 282     Edge Computing Systems 282     Virtualized Systems 283 Vulnerabilities in Web-Based Systems 283     Maintenance Hooks 284     Time-of-Check/Time-of-Use Attacks 284     Web-Based Attacks 285     XML 285     SAML 285     OWASP 286 Vulnerabilities in Mobile Systems 286     Device Security 287     Application Security 287     Mobile Device Concerns 287     NIST SP 800-164 290 Vulnerabilities in Embedded Systems 291 Cryptographic Solutions 292     Cryptography Concepts 292     Cryptography History 294     Cryptosystem Features 298     NIST SP 800-175A and B 299     Cryptographic Mathematics 300     Cryptographic Life Cycle 302 Cryptographic Types 304     Running Key and Concealment Ciphers 305     Substitution Ciphers 305     Transposition Ciphers 307     Symmetric Algorithms 308     Asymmetric Algorithms 310     Hybrid Ciphers 311     Elliptic Curves 312     Quantum Cryptography 312 Symmetric Algorithms 312     DES and 3DES 313     AES 316     IDEA 317     Skipjack 317     Blowfish 317     Twofish 318     RC4/RC5/RC6/RC7 318     CAST 318 Asymmetric Algorithms 319     Diffie-Hellman 320     RSA 320     El Gamal 321     ECC 321     Knapsack 322     Zero-Knowledge Proof 322 Public Key Infrastructure and Digital Certificates 322     Certificate Authority and Registration Authority 323     Certificates 323     Certificate Life Cycle 324     Certificate Revocation List 327     OCSP 327     PKI Steps 327     Cross-Certification 328 Key Management Practices 328 Message Integrity 332     Hashing 333     Message Authentication Code 337     Salting 339 Digital Signatures and Non-repudiation 339     DSS 340     Non-repudiation 340 Applied Cryptography 340     Link Encryption Versus End-to-End Encryption 340     Email Security 340     Internet Security 341 Cryptanalytic Attacks 341     Ciphertext-Only Attack 342     Known Plaintext Attack 342     Chosen Plaintext Attack 342     Chosen Ciphertext Attack 342     Social Engineering 342     Brute Force 343     Differential Cryptanalysis 343     Linear Cryptanalysis 343     Algebraic Attack 343     Frequency Analysis 343     Birthday Attack 344     Dictionary Attack 344     Replay Attack 344     Analytic Attack 344     Statistical Attack 344     Factoring Attack 344     Reverse Engineering 344     Meet-in-the-Middle Attack 345     Ransomware Attack 345     Side-Channel Attack 345     Implementation Attack 345     Fault Injection 345     Timing Attack 346     Pass-the-Hash Attack 346 Digital Rights Management 346     Document DRM 347     Music DRM 347     Movie DRM 347     Video Game DRM 348     E-book DRM 348 Site and Facility Design 348     Layered Defense Model 348     CPTED 348     Physical Security Plan 350     Facility Selection Issues 351 Site and Facility Security Controls 353     Doors 353     Locks 355     Biometrics 356     Type of Glass Used for Entrances 356     Visitor Control 357     Wiring Closets/Intermediate Distribution Facilities 357     Restricted and Work Areas 357     Environmental Security and Issues 358     Equipment Physical Security 362 Review All Key Topics 364 Complete the Tables and Lists from Memory 366 Define Key Terms 366 Answers and Explanations 372 Chapter 4 Communication and Network Security 377 Secure Network Design Principles 378     OSI Model 378     TCP/IP Model 383 IP Networking 389     Common TCP/UDP Ports 389     Logical and Physical Addressing 391     IPv4 392     Network Transmission 399     IPv6 403     Network Types 416 Protocols and Services 421     ARP/RARP 422     DHCP/BOOTP 423     DNS 424     FTP, FTPS, SFTP, and TFTP 424     HTTP, HTTPS, and S-HTTP 425     ICMP 425     IGMP 426     IMAP 426     LDAP 426     LDP 426     NAT 426     NetBIOS 426     NFS 427     PAT 427     POP 427     CIFS/SMB 427     SMTP 427     SNMP 427     SSL/TLS 428     Multilayer Protocols 428 Converged Protocols 429     FCoE 429     MPLS 430     VoIP 431     iSCSI 431 Wireless Networks 431     FHSS, DSSS, OFDM, VOFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 432     WLAN Structure 435     WLAN Standards 436     WLAN Security 439 Communications Cryptography 445     Link Encryption 445     End-to-End Encryption 446     Email Security 446     Internet Security 448 Secure Network Components 450     Hardware 450     Transmission Media 471     Network Access Control Devices 491     Endpoint Security 493     Content-Distribution Networks 494 Secure Communication Channels 495     Voice 495     Multimedia Collaboration 495     Remote Access 497     Data Communications 507     Virtualized Networks 507 Network Attacks 509     Cabling 509     Network Component Attacks 510     ICMP Attacks 512     DNS Attacks 514     Email Attacks 516     Wireless Attacks 518     Remote Attacks 519     Other Attacks 519 Review All Key Topics 521 Define Key Terms 522 Answers and Explanations 529 Chapter 5 Identity and Access Management (IAM) 535 Access Control Process 536     Identify Resources 536     Identify Users 536     Identify the Relationships Between Resources and Users 537 Physical and Logical Access to Assets 537     Access Control Administration 538     Information 539     Systems 539     Devices 540     Facilities 540     Applications 541 Identification and Authentication Concepts 541     NIST SP 800-63 542     Five Factors for Authentication 546     Single-Factor Versus Multifactor Authentication 557     Device Authentication 557 Identification and Authentication Implementation 558     Separation of Duties 558     Least Privilege/Need-to-Know 559     Default to No Access 560     Directory Services 560     Single Sign-on 561     Session Management 566     Registration, Proof, and Establishment of Identity 566     Credential Management Systems 567     Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+) 568     Accountability 568     Just-In-Time (JIT) 570 Identity as a Service (IDaaS) Implementation 571 Third-Party Identity Services Integration 571 Authorization Mechanisms 572     Permissions, Rights, and Privileges 572     Access Control Models 572     Access Control Policies 580 Provisioning Life Cycle 580     Provisioning 581     User, System, and Service Account Access Review 582     Account Transfers 582     Account Revocation 583     Role Definition 583     Privilege Escalation 583 Access Control Threats 584     Password Threats 585     Social Engineering Threats 586     DoS/DDoS 588     Buffer Overflow 588     Mobile Code 588     Malicious Software 589     Spoofing 589     Sniffing and Eavesdropping 589     Emanating 590     Backdoor/Trapdoor 590     Access Aggregation 590     Advanced Persistent Threat 591 Prevent or Mitigate Access Control Threats 591 Review All Key Topics 592 Define Key Terms 593 Answers and Explanations 596 Chapter 6 Security Assessment and Testing 601 Design and Validate Assessment and Testing Strategies 602     Security Testing 602     Security Assessments 603     Red Team versus Blue Team 603     Security Auditing 604     Internal, External, and Third-party Security Assessment, Testing, and Auditing 604 Conduct Security Control Testing 605     Vulnerability Assessment 605     Penetration Testing 609     Log Reviews 611     Synthetic Transactions 616     Code Review and Testing 616     Misuse Case Testing 619     Test Coverage Analysis 619     Interface Testing 620 Collect Security Process Data 620     NIST SP 800-137 620     Account Management 621     Management Review and Approval 622     Key Performance and Risk Indicators 622     Backup Verification Data 623     Training and Awareness 623     Disaster Recovery and Business Continuity 624 Analyze Test Outputs and Generate a Report 624 Conduct or Facilitate Security Audits 624 Review All Key Topics 626 Define Key Terms 627 Answers and Explanations 630 Chapter 7 Security Operations 637 Investigations 638     Forensic and Digital Investigations 638     Evidence Collection and Handling 646     Digital Forensic Tools, Tactics, and Procedures 651 Logging and Monitoring Activities 654     Audit and Review 654     Log Types 655     Intrusion Detection and Prevention 656     Security Information and Event Management (SIEM) 656     Continuous Monitoring 657     Egress Monitoring 657     Log Management 658     Threat Intelligence 658     User and Entity Behavior Analytics (UEBA) 659 Configuration and Change Management 659     Resource Provisioning 661     Baselining 664     Automation 664 Security Operations Concepts 664     Need to Know/Least Privilege 664     Managing Accounts, Groups, and Roles 665     Separation of Duties and Responsibilities 666     Privilege Account Management 666     Job Rotation and Mandatory Vacation 666     Two-Person Control 667     Sensitive Information Procedures 667     Record Retention 667     Information Life Cycle 668     Service-Level Agreements 668 Resource Protection 669     Protecting Tangible and Intangible Assets 669     Asset Management 671 Incident Management 680     Event Versus Incident 680     Incident Response Team and Incident Investigations 681     Rules of Engagement, Authorization, and Scope 681     Incident Response Procedures 682     Incident Response Management 682     Detect 683     Respond 683     Mitigate 683     Report 684     Recover 684     Remediate 684     Review and Lessons Learned 684 Detective and Preventive Measures 684     IDS/IPS 685     Firewalls 685     Whitelisting/Blacklisting 685     Third-Party Security Services 686     Sandboxing 686     Honeypots/Honeynets 686     Anti-malware/Antivirus 686     Clipping Levels 686     Deviations from Standards 687     Unusual or Unexplained Events 687     Unscheduled Reboots 687     Unauthorized Disclosure 687     Trusted Recovery 688     Trusted Paths 688     Input/Output Controls 688     System Hardening 688     Vulnerability Management Systems 689     Machine Learning and Artificial Intelligence (AI)-Based Tools 689 Patch and Vulnerability Management 689 Recovery Strategies 690     Create Recovery Strategies 691     Backup Storage Strategies 699     Recovery and Multiple Site Strategies 700     Redundant Systems, Facilities, and Power 703     Fault-Tolerance Technologies 704     Insurance 704     Data Backup 705     Fire Detection and Suppression 705     High Availability 705     Quality of Service 706     System Resilience 706 Disaster Recovery 706     Response 707     Personnel 707     Communications 709     Assessment 710     Restoration 710     Training and Awareness 710     Lessons Learned 710 Testing Disaster Recovery Plans 711     Read-Through Test 711     Checklist Test 712     Table-Top Exercise 712     Structured Walk-Through Test 712     Simulation Test 712     Parallel Test 712     Full-Interruption Test 712     Functional Drill 713     Evacuation Drill 713 Business Continuity Planning and Exercises 713 Physical Security 713     Perimeter Security Controls 713     Building and Internal Security Controls 719 Personnel Safety and Security 719     Duress 720     Travel 720     Monitoring 720     Emergency Management 721     Security Training and Awareness 721 Review All Key Topics 722 Define Key Terms 723 Answers and Explanations 727 Chapter 8 Software Development Security 733 Software Development Concepts 734     Machine Languages 734     Assembly Languages and Assemblers 734     High-Level Languages, Compilers, and Interpreters 734     Object-Oriented Programming 735     Distributed Object-Oriented Systems 737     Mobile Code 739 Security in the System and Software Development Life Cycle 743     System Development Life Cycle 743     Software Development Life Cycle 746     DevSecOps 750     Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) 750     Security Orchestration and Automated Response (SOAR) 751     Software Development Methods and Maturity Models 751     Operation and Maintenance 762     Integrated Product Team 763 Security Controls in Development 764     Software Development Security Best Practices 764     Software Environment Security 765     Source Code Analysis Tools 766     Code Repository Security 766     Software Threats 766     Software Protection Mechanisms 772 Assess Software Security Effectiveness 774     Auditing and Logging 774     Risk Analysis and Mitigation 774     Regression and Acceptance Testing 775 Security Impact of Acquired Software 775 Secure Coding Guidelines and Standards 776     Security Weaknesses and Vulnerabilities at the Source Code Level 776     Security of Application Programming Interfaces 780     Secure Coding Practices 780 Review All Key Topics 782 Define Key Terms 782 Answers and Explanations 786 Chapter 9 Final Preparation 791 Tools for Final Preparation 791     Pearson Test Prep Practice Test Engine and Questions on the Website 791     Customizing Your Exams 793     Updating Your Exams 794     Memory Tables 795     Chapter-Ending Review Tools 795 Suggested Plan for Final Review/Study 795 Summary 796 Online Elements Appendix A Memory Tables Appendix B Memory Tables Answer Key Glossary   9780137507474   TOC   9/19/2022

About the Author :
Robin M. Abernathy has been working in the IT certification preparation industry for more than 20 years. She has written and edited certification preparation materials for many (ISC)2, Microsoft, CompTIA, PMI, ITIL, ISACA, and GIAC certifications and holds multiple IT certifications from these vendors. Robin provides training on computer hardware and software, networking, security, and project management. Over the past decade, she has ventured into the traditional publishing industry by technically editing several publications and co-authoring Pearson’s CISSP Cert Guide and CASP+ Cert Guide and authoring Pearson’s Project+ Cert Guide. She presents at technical conferences and hosts webinars on IT certification topics. Dr. Darren R. Hayes has close to 20 years of academic and professional experience in computer security and digital forensics. He has authored numerous publications in these fields, including A Practical Guide to Digital Forensics Investigations, which is published by Pearson. He is Associate Professor at Pace University, where he is the founder and director of the Seidenberg Digital Forensics Research Lab. He holds numerous IT certifications in security and digital forensics and holds a PhD from Sapienza University in Italy and a doctorate from Pace University. Darren is also a professional digital forensics examiner and has supported both criminal and civil investigations over the past decade and a half. He has also been declared an expert witness in federal court.