CISSP Cert Guide / Edition 1 available in Hardcover
- ISBN-10: 0789751518
- ISBN-13: 9780789751515
- Pub. Date: 12/06/2013
- Publisher: Pearson IT Certification
Overview
Learn, prepare, and practice for CISSP exam success with the CISSP Cert Guide from Pearson IT Certification, a leader in IT Certification.
- Master CISSP exam topics
- Assess your knowledge with chapter-ending quizzes
- Review key concepts with exam preparation tasks
- Practice with realistic exam questions on the CD
CISSP Cert Guide is a best-of-breed exam study guide. Leading IT certification experts Troy McMillan and Robin Abernathy share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
You'll get a complete test preparation routine organized around proven series elements and techniques. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan.
The companion CD contains the powerful Pearson IT Certification Practice Test engine, complete with hundreds of exam-realistic questions. The assessment engine offers you a wealth of customization options and reporting features, laying out a complete assessment of your knowledge to help you focus your study where it is needed most, so you can succeed on the exam the first time.
This study guide helps you master all the topics on the CISSP exam, including
- Access control
- Telecommunications and network security
- Information security governance and risk management
- Software development security
- Cryptography
- Security architecture and design
- Operations security
- Business continuity and disaster recovery planning
- Legal, regulations, investigations, and compliance
- Physical (environmental) security
Troy McMillan, Product Developer and Technical Editor at Kaplan Cert Prep, specializes in creating certification practice tests and study guides. He has 12 years of experience teaching Cisco, Microsoft, CompTIA, and Security classes for top training companies, including Global Knowledge and New Horizons. He holds more than 20 certifications from Microsoft, Cisco, VMware, and other leading technology organizations.
Robin M. Abernathy has more than a decade of experience in IT certification prep. For Kaplan IT Certification Preparation, she has written and edited preparation materials for many (ISC)2, Microsoft, CompTIA, PMI, Cisco, and ITIL certifications. She holds multiple IT certifications from these vendors.
Companion CD
The CD contains two free, complete practice exams, plus memory tables and answers to help you study more efficiently and effectively.
Pearson IT Certification Practice Test minimum system requirements:
Windows XP (SP3), Windows Vista (SP2), Windows 7, or Windows 8; Microsoft .NET Framework 4.0 Client; Pentium-class 1GHz processor (or equivalent); 512MB RAM; 650MB disk space plus 50MB for each downloaded practice exam; access to the Internet to register and download exam databases
Product Details
| Detail | Value |
|---|---|
| ISBN-13 | 9780789751515 |
| Publisher | Pearson IT Certification |
| Publication date | 12/06/2013 |
| Series | Cert Guide Series |
| Pages | 600 |
| Product dimensions | 7.50 (w) x 9.10 (h) x 1.60 (d) in |
About the Author
Troy McMillan is a Product Developer and Technical Editor for Kaplan Cert Prep as well as a full-time trainer and writer. He became a professional trainer 12 years ago, teaching Cisco, Microsoft, CompTIA, and Wireless classes. Troy’s book CCNA Essentials by Sybex Publishing was released in November 2011 and has been chosen as the textbook for both online and instructor-led classes at several colleges in the United States. Troy is also a courseware developer; his work in this area includes wireless training materials for Motorola in 2011 and instructor materials for a series of Sybex books on Windows Server 2008 R2 in 2011. Troy also teaches Cisco, Microsoft, CompTIA, and Security classes for several large corporate training companies, among them Global Knowledge and New Horizons. He now creates certification practice tests and study guides for the Transcender and Self-Test brands. Troy lives in Atlanta, Georgia.
Troy’s professional accomplishments include B.B.A., MCSE (NT/2000/ 2003, 2008), CCNA, CCNP, MCP+I, CNA, A+, Net+, MCT, Server+, I-Net+, MCSA, CIW p, CIWa, CIW security analyst, CWNA, CWSP, CWNT, CWNE, MCTS: Vista Configuration, MCITP: Enterprise Support Technician, MCITP: Server Administrator, MCITP: Consumer Support Technician, MCTS: Forefront Client and Server Configuration, MCTS: Business Desktop Deployment with BDD, MCTS: Office Project Server 2007, MCTS: Windows Active Directory: Configuration, MCTS: Applications Infrastructure: Configuration, MCTS: Network Infrastructure: Configuration, CCSI, and VCP.
Robin M. Abernathy has been working in the IT certification preparation industry at Kaplan IT Certification Preparation, owner of the Transcender and Self-Test brands, for more than a decade. Robin has written and edited certification preparation materials for many (ISC)2, Microsoft, CompTIA, PMI, Cisco, and ITIL certifications and holds multiple IT certifications from these vendors. Robin provides training on computer hardware and software, networking, security, and project management. Over the past couple of years, she has ventured into the traditional publishing industry by technically editing several publications. More recently, she has presented at technical conferences and hosted webinars on IT certification topics.
Table of Contents
Introduction 3
The Goals of the CISSP Certification 3
Sponsoring Bodies 3
Stated Goals 4
The Value of the CISSP Certification 4
To the Security Professional 4
To the Enterprise 5
The Common Body of Knowledge 5
Security and Risk Management (e.g. Security, Risk, Compliance, Law, Regulations, Business Continuity) 5
Asset Security (Protecting Security of Assets) 6
Security Engineering (Engineering and Management of Security) 6
Communication and Network Security (Designing and Protecting Network Security) 7
Identity and Access Management (Controlling Access and Managing Identity) 7
Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing) 7
Security Operations (e.g. Foundational Concepts, Investigations, Incident Management, Disaster Recovery) 8
Software Development Security (Understanding, Applying, and Enforcing Software Security) 8
Steps to Becoming a CISSP 9
Qualifying for the Exam 9
Signing Up for the Exam 9
About the CISSP Exam 10
Chapter 1 Security and Risk Management 14
Security Terms 15
CIA 15
Confidentiality 15
Integrity 16
Availability 16
Default Stance 16
Defense in Depth 16
Job Rotation 17
Separation of Duties 17
Security Governance Principles 17
Security Function Alignment 18
Organizational Strategy and Goals 19
Organizational Mission and Objectives 19
Business Case 19
Security Budget, Metrics, and Effectiveness 20
Resources 20
Organizational Processes 21
Acquisitions and Divestitures 21
Governance Committees 23
Security Roles and Responsibilities 23
Board of Directors 23
Management 24
Audit Committee 25
Data Owner 25
Data Custodian 25
System Owner 25
System Administrator 25
Security Administrator 26
Security Analyst 26
Application Owner 26
Supervisor 26
User 26
Auditor 26
Control Frameworks 27
ISO/IEC 27000 Series 27
Zachman Framework 30
The Open Group Architecture Framework (TOGAF) 31
Department of Defense Architecture Framework (DoDAF) 31
British Ministry of Defence Architecture Framework (MODAF) 31
Sherwood Applied Business Security Architecture (SABSA) 31
Control Objectives for Information and Related Technology (CobiT) 32
National Institute of Standards and Technology (NIST) Special Publication (SP) 33
Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework 34
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) 34
Information Technology Infrastructure Library (ITIL) 34
Six Sigma 36
Capability Maturity Model Integration (CMMI) 37
CCTA Risk Analysis and Management Method (CRAMM) 37
Top-Down Versus Bottom-Up Approach 38
Security Program Life Cycle 38
Due Care 39
Due Diligence 39
Compliance 40
Legislative and Regulatory Compliance 41
Privacy Requirements Compliance 42
Legal and Regulatory Issues 42
Computer Crime Concepts 42
Computer-Assisted Crime 43
Computer-Targeted Crime 43
Incidental Computer Crime 43
Computer Prevalence Crime 43
Hackers Versus Crackers 44
Computer Crime Examples 44
Major Legal Systems 45
Civil Code Law 45
Common Law 46
Criminal Law 46
Civil/Tort Law 46
Administrative/Regulatory Law 46
Customary Law 47
Religious Law 47
Mixed Law 47
Licensing and Intellectual Property 47
Patent 47
Trade Secret 48
Trademark 49
Copyright 49
Software Piracy and Licensing Issues 50
Internal Protection 51
Digital Rights Management (DRM) 51
Import/Export Controls 51
Trans-Border Data Flow 52
Privacy 52
Personally Identifiable Information (PII) 52
Laws and Regulations 53
Data Breaches 58
Professional Ethics 59
(ISC)2 Code of Ethics 59
Computer Ethics Institute 59
Internet Architecture Board 60
Organizational Ethics 60
Security Documentation 60
Policies 61
Organizational Security Policy 62
System-Specific Security Policy 63
Issue-Specific Security Policy 63
Policy Categories 63
Standards 64
Baselines 64
Guidelines 64
Procedures 64
Business Continuity 64
Business Continuity and Disaster Recovery Concepts 65
Disruptions 65
Disasters 66
Disaster Recovery and the Disaster Recovery Plan (DRP) 67
Continuity Planning and the Business Continuity Plan (BCP) 67
Business Impact Analysis (BIA) 67
Contingency Plan 67
Availability 68
Reliability 68
Project Scope and Plan 68
Personnel Components 68
Project Scope 69
Business Continuity Steps 69
Business Impact Analysis Development 70
Identify Critical Processes and Resources 71
Identify Outage Impacts, and Estimate Downtime 71
Identify Resource Requirements 72
Identify Recovery Priorities 72
Recoverability 73
Fault Tolerance 73
Personnel Security Policies 73
Employment Candidate Screening 73
Employment Agreement and Policies 75
Employment Termination Policies 75
Vendor, Consultant, and Contractor Controls 76
Compliance 76
Privacy 76
Risk Management Concepts 77
Vulnerability 77
Threat 77
Threat Agent 77
Risk 77
Exposure 77
Countermeasure 78
Risk Management Policy 78
Risk Management Team 79
Risk Analysis Team 79
Risk Assessment 79
Information and Asset (Tangible/Intangible) Value and Costs 81
Identify Threats and Vulnerabilities 82
Risk Assessment/Analysis 82
Countermeasure (Safeguard) Selection 84
Total Risk Versus Residual Risk 85
Handling Risk 85
Implementation 86
Access Control Categories 86
Compensative 87
Corrective 87
Detective 87
Deterrent 87
Directive 87
Preventive 87
Recovery 88
Access Control Types 88
Administrative (Management) Controls 88
Logical (Technical) Controls 90
Physical Controls 91
Control Assessment, Monitoring, and Measurement 92
Reporting and Continuous Improvement 92
Risk Frameworks 93
Threat Modeling 93
Identifying Threats 94
Potential Attacks 96
Remediation Technologies and Processes 96
Security Risks in Acquisitions 97
Hardware, Software, and Services 97
Third-Party Governance 97
Onsite Assessment 98
Document Exchange/Review 98
Process/Policy Review 98
Other Third-Party Governance Issues 98
Minimum Security Requirements 98
Minimum Service-Level Requirements 99
Security Education, Training, and Awareness 100
Levels Required 100
Periodic Review 101
Exam Preparation Tasks 101
Review All Key Topics 101
Complete the Tables and Lists from Memory 102
Define Key Terms 102
Answer Review Questions 103
Answers and Explanations 107
Chapter 2 Asset Security 113
Asset Security Concepts 114
Data Policy 114
Roles and Responsibilities 115
Data Owner 116
Data Custodian 116
Data Quality 116
Data Documentation and Organization 117
Classify Information and Assets 118
Sensitivity and Criticality 119
Commercial Business Classifications 119
Military and Government Classifications 120
Information Life Cycle 121
Databases 122
DBMS Architecture and Models 122
Database Interface Languages 124
Data Warehouses and Data Mining 125
Database Maintenance 126
Database Threats 126
Data Audit 127
Asset Ownership 128
Data Owners 128
System Owners 129
Business/Mission Owners 129
Asset Management 129
Redundancy and Fault Tolerance 130
Backup and Recovery Systems 130
Identity and Access Management 130
RAID 131
SAN 135
NAS 135
HSM 135
Network and Resource Management 136
Asset Privacy 137
Data Processors 137
Data Storage and Archiving 137
Data Remanence 138
Collection Limitation 139
Data Retention 140
Data Security and Controls 141
Data Security 141
Data at Rest 141
Data in Transit 141
Data Access and Sharing 142
Baselines 142
Scoping and Tailoring 143
Standards Selection 144
Cryptography 146
Link Encryption 147
End-to-End Encryption 147
Asset Handling Requirements 147
Marking, Labeling, and Storing 148
Destruction 148
Exam Preparation Tasks 148
Review All Key Topics 148
Complete the Tables and Lists from Memory 149
Define Key Terms 149
Answers and Explanations 152
Chapter 3 Security Engineering 157
Engineering Using Secure Design Principles 158
Security Model Concepts 161
Confidentiality, Integrity, and Availability 161
Security Modes 161
Dedicated Security Mode 162
System High Security Mode 162
Compartmented Security Mode 162
Multilevel Security Mode 162
Assurance 163
Defense in Depth 163
Security Model Types 163
State Machine Models 164
Multilevel Lattice Models 164
Matrix-Based Models 164
Non-inference Models 165
Information Flow Models 165
Security Models 165
Bell-LaPadula Model 166
Biba Model 167
Clark-Wilson Integrity Model 168
Lipner Model 169
Brewer-Nash (Chinese Wall) Model 169
Graham-Denning Model 169
Harrison-Ruzzo-Ullman Model 169
System Architecture Steps 170
ISO/IEC 42010:2011 170
Computing Platforms 171
Mainframe/Thin Clients 171
Distributed Systems 171
Middleware 172
Embedded Systems 172
Mobile Computing 172
Virtual Computing 172
Security Services 173
Boundary Control Services 173
Access Control Services 173
Integrity Services 174
Cryptography Services 174
Auditing and Monitoring Services 174
System Components 174
CPU and Multiprocessing 174
Memory and Storage 175
Input/Output Devices 177
Operating Systems 178
Multitasking 179
Memory Management 180
System Security Evaluation Models 180
TCSEC 181
Rainbow Series 181
Orange Book 181
Red Book 184
ITSEC 184
Common Criteria 186
Security Implementation Standards 187
ISO/IEC 27001 188
ISO/IEC 27002 189
Payment Card Industry Data Security Standard (PCI-DSS) 190
Controls and Countermeasures 190
Security Capabilities of Information Systems 191
Memory Protection 191
Virtualization 191
Trusted Platform Module (TPM) 192
Interfaces 193
Fault Tolerance 193
Certification and Accreditation 193
Security Architecture Maintenance 194
Vulnerabilities of Security Architectures, Designs, and Solution Elements 194
Client-Based 195
Server-Based 196
Data Flow Control 196
Database Security 196
Inference 197
Aggregation 197
Contamination 197
Data Mining Warehouse 197
Distributed Systems 197
Cloud Computing 198
Grid Computing 199
Peer-to-Peer Computing 199
Large-Scale Parallel Data Systems 201
Cryptographic Systems 201
Industrial Control Systems 202
Vulnerabilities in Web-Based Systems 203
Maintenance Hooks 203
Time-of-Check/Time-of-Use Attacks 204
Web-Based Attacks 204
XML 204
SAML 204
OWASP 205
Vulnerabilities in Mobile Systems 205
Vulnerabilities in Embedded Devices and Cyber-Physical Systems 208
Cryptography 209
Cryptography Concepts 209
Cryptographic Life Cycle 211
Cryptography History 211
Julius Caesar and the Caesar Cipher 212
Vigenere Cipher 213
Kerckhoffs’s Principle 214
World War II Enigma 214
Lucifer by IBM 215
Cryptosystem Features 215
Authentication 215
Confidentiality 215
Integrity 216
Authorization 216
Non-repudiation 216
Key Management 216
Cryptographic Types 217
Running Key and Concealment Ciphers 217
Substitution Ciphers 218
Transposition Ciphers 219
Symmetric Algorithms 219
Stream-based Ciphers 220
Block Ciphers 221
Initialization Vectors (IVs) 221
Asymmetric Algorithms 221
Hybrid Ciphers 222
Substitution Ciphers 223
One-Time Pads 223
Steganography 224
Symmetric Algorithms 224
Digital Encryption Standard (DES) and Triple DES (3DES) 225
DES Modes 225
Triple DES (3DES) and Modes 228
Advanced Encryption Standard (AES) 228
IDEA 229
Skipjack 229
Blowfish 229
Twofish 230
RC4/RC5/RC6 230
CAST 230
Asymmetric Algorithms 231
Diffie-Hellman 231
RSA 232
El Gamal 233
ECC 233
Knapsack 233
Zero Knowledge Proof 233
Public Key Infrastructure 234
Certification Authority (CA) and Registration Authority (RA) 234
OCSP 235
Certificates 235
Certificate Revocation List (CRL) 236
PKI Steps 236
Cross-Certification 236
Key Management Practices 237
Digital Signatures 245
Digital Rights Management (DRM) 246
Message Integrity 246
Hashing 247
One-Way Hash 248
MD2/MD4/MD5/MD6 249
SHA/SHA-2/SHA-3 250
HAVAL 250
RIPEMD-160 251
Tiger 251
Message Authentication Code 251
HMAC 251
CBC-MAC 252
CMAC 252
Salting 252
Cryptanalytic Attacks 253
Ciphertext-Only Attack 254
Known Plaintext Attack 254
Chosen Plaintext Attack 254
Chosen Ciphertext Attack 254
Social Engineering 255
Brute Force 255
Differential Cryptanalysis 255
Linear Cryptanalysis 255
Algebraic Attack 255
Frequency Analysis 255
Birthday Attack 256
Dictionary Attack 256
Replay Attack 256
Analytic Attack 256
Statistical Attack 256
Factoring Attack 257
Reverse Engineering 257
Meet-in-the-Middle Attack 257
Geographical Threats 257
Internal Versus External Threats 257
Natural Threats 257
Hurricanes/Tropical Storms 258
Tornadoes 258
Earthquakes 258
Floods 258
System Threats 259
Electrical 259
Communications 259
Utilities 260
Human-Caused Threats 260
Explosions 261
Fire 261
Vandalism 262
Fraud 262
Theft 262
Collusion 262
Politically Motivated Threats 262
Strikes 263
Riots 263
Civil Disobedience 263
Terrorist Acts 263
Bombing 264
Site and Facility Design 264
Layered Defense Model 264
CPTED 264
Natural Access Control 264
Natural Surveillance 265
Natural Territorial Reinforcement 265
Physical Security Plan 265
Deter Criminal Activity 265
Delay Intruders 266
Detect Intruders 266
Assess Situation 266
Respond to Intrusions and Disruptions 266
Facility Selection Issues 266
Visibility 266
Surrounding Area and External Entities 267
Accessibility 267
Construction 267
Internal Compartments 268
Computer and Equipment Rooms 268
Building and Internal Security 269
Doors 269
Door Lock Types 269
Turnstiles and Mantraps 270
Locks 270
Biometrics 271
Glass Entries 272
Visitor Control 272
Equipment Rooms 273
Work Areas 273
Secure Data Center 273
Restricted Work Area 273
Media Storage Facilities 274
Evidence Storage 274
Environmental Security 274
Fire Protection 274
Fire Detection 274
Fire Suppression 275
Power Supply 276
Types of Outages 276
Preventive Measures 277
HVAC 277
Water Leakage and Flooding 278
Environmental Alarms 278
Equipment Security 278
Corporate Procedures 278
Tamper Protection 278
Encryption 279
Inventory 279
Physical Protection of Security Devices 279
Tracking Devices 279
Portable Media Procedures 280
Safes, Vaults, and Locking 280
Exam Preparation Tasks 280
Review All Key Topics 280
Complete the Tables and Lists from Memory 282
Define Key Terms 282
Answer Review Questions 283
Answers and Explanations 288
Chapter 4 Communication and Network Security 293
Secure Network Design Principles 294
OSI Model 294
Application Layer 295
Presentation Layer 295
Session Layer 296
Transport Layer 296
Network Layer 296
Data Link Layer 297
Physical Layer 297
TCP/IP Model 298
Application Layer 299
Transport Layer 300
Internet Layer 302
Link Layer 304
Encapsulation 304
IP Networking 305
Common TCP/UDP Ports 305
Logical and Physical Addressing 307
IPv4 307
IP Classes 308
Public Versus Private IP Addresses 309
NAT 310
IPv4 Versus IPv6 310
MAC Addressing 311
Network Transmission 311
Analog Versus Digital 311
Asynchronous Versus Synchronous 312
Broadband Versus Baseband 313
Unicast, Multicast, and Broadcast 314
Wired Versus Wireless 315
Network Types 315
LAN 315
Intranet 316
Extranet 316
MAN 316
WAN 317
Protocols and Services 317
ARP 317
DHCP 318
DNS 319
FTP, FTPS, SFTP 319
HTTP, HTTPS, SHTTP 320
ICMP 320
IMAP 321
LDAP 321
NAT 321
NetBIOS 321
NFS 321
PAT 321
POP 322
CIFS/SMB 322
SMTP 322
SNMP 322
Multi-Layer Protocols 322
Converged Protocols 323
FCoE 324
MPLS 324
VoIP 325
iSCSI 325
Wireless Networks 326
FHSS, DSSS, OFDM, VOFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 326
802.11 Techniques 326
Cellular or Mobile Wireless Techniques 327
Satellites 327
WLAN Structure 328
Access Point 328
SSID 328
Infrastructure Mode Versus Ad Hoc Mode 328
WLAN Standards 329
802.11 329
802.11a 329
802.11ac 329
802.11b 329
802.11f 329
802.11g 330
802.11n 330
Bluetooth 330
Infrared 330
Near Field Communication (NFC) 331
WLAN Security 331
Open System Authentication 331
Shared Key Authentication 331
WEP 331
WPA 332
WPA2 332
Personal Versus Enterprise 332
SSID Broadcast 333
MAC Filter 333
Communications Cryptography 333
Link Encryption 333
End-to-End Encryption 334
Email Security 334
PGP 335
MIME and S/MIME 335
Quantum Cryptography 336
Internet Security 336
Remote Access 336
SSL/TLS 337
HTTP, HTTPS, and S-HTTP 337
SET 337
Cookies 338
SSH 338
IPsec 338
Secure Network Components 339
Hardware 339
Network Devices 340
Network Routing 351
Transmission Media 354
Cabling 354
Network Topologies 358
Network Technologies 362
WAN Technologies 369
Network Access Control Devices 374
Quarantine/Remediation 376
Firewalls/Proxies 376
Endpoint Security 376
Content Distribution Networks 377
Secure Communication Channels 377
Voice 377
Multimedia Collaboration 377
Remote Meeting Technology 378
Instant Messaging 378
Remote Access 379
Remote Connection Technologies 379
VPN Screen Scraper 388
Virtual Application/Desktop 388
Telecommuting 388
Virtualized Networks 389
SDN 389
Virtual SAN 389
Guest Operating Systems 390
Network Attacks 390
Cabling 390
Noise 390
Attenuation 391
Crosstalk 391
Eavesdropping 391
Network Component Attacks 391
Non-Blind Spoofing 392
Blind Spoofing 392
Man-in-the-Middle Attack 392
MAC Flooding Attack 392
802.1Q and Inter-Switch Link Protocol (ISL) Tagging Attack 393
Double-Encapsulated 802.1Q/Nested VLAN Attack 393
ARP Attack 393
ICMP Attacks 393
Ping of Death 394
Smurf 394
Fraggle 394
ICMP Redirect 394
Ping Scanning 395
Traceroute Exploitation 395
DNS Attacks 395
DNS Cache Poisoning 395
DoS 396
DDoS 396
DNSSEC 396
URL Hiding 397
Domain Grabbing 397
Cybersquatting 397
Email Attacks 397
Email Spoofing 397
Spear Phishing 398
Whaling 398
Spam 398
Wireless Attacks 399
Wardriving 399
Warchalking 399
Remote Attacks 399
Other Attacks 400
SYN ACK Attacks 400
Session Hijacking 400
Port Scanning 400
Teardrop 401
IP Address Spoofing 401
Exam Preparation Tasks 401
Review All Key Topics 401
Define Key Terms 402
Answer Review Questions 404
Answers and Explanations 406
Chapter 5 Identity and Access Management 409
Access Control Process 410
Identify Resources 410
Identify Users 410
Identify the Relationships Between Resources and Users 411
Physical and Logical Access to Assets 411
Access Control Administration 412
Centralized 412
Decentralized 412
Provisioning Life Cycle 413
Information 413
Systems 413
Devices 414
Facilities 414
Identification and Authentication Concepts 415
Five Factors for Authentication 415
Knowledge Factors 416
Ownership Factors 420
Characteristic Factors 422
Location Factors 427
Time Factors 427
Identification and Authentication Implementation 427
Separation of Duties 427
Least Privilege/Need-to-Know 428
Default to No Access 429
Directory Services 429
Single Sign-on 430
Kerberos 431
SESAME 433
Federated Identity Management 433
Security Domains 434
Session Management 434
Registration and Proof of Identity 434
Credential Management Systems 435
Accountability 436
Auditing and Reporting 437
Identity as a Service (IDaaS) Implementation 438
Third-Party Identity Services Implementation 439
Authorization Mechanisms 439
Access Control Models 439
Discretionary Access Control 440
Mandatory Access Control 440
Role-Based Access Control 440
Rule-Based Access Control 441
Content-Dependent Versus Context-Dependent 441
Access Control Matrix 442
Access Control Policies 442
Access Control Threats 443
Password Threats 443
Dictionary Attack 443
Brute-Force Attack 444
Social Engineering Threats 444
Phishing/Pharming 444
Shoulder Surfing 445
Identity Theft 445
Dumpster Diving 445
DoS/DDoS 445
Buffer Overflow 446
Mobile Code 446
Malicious Software 446
Spoofing 447
Sniffing and Eavesdropping 447
Emanating 447
Backdoor/Trapdoor 448
Prevent or Mitigate Access Control Threats 448
Exam Preparation Tasks 449
Review All Key Topics 449
Define Key Terms 449
Review Questions 450
Answers and Explanations 452
Chapter 6 Security Assessment and Testing 455
Assessment and Testing Strategies 456
Security Control Testing 456
Vulnerability Assessment 456
Penetration Testing 457
Log Reviews 459
NIST SP 800-92 460
Synthetic Transactions 464
Code Review and Testing 464
Misuse Case Testing 465
Test Coverage Analysis 466
Interface Testing 466
Collect Security Process Data 466
NIST SP 800-137 467
Account Management 467
Management Review 468
Key Performance and Risk Indicators 468
Backup Verification Data 469
Training and Awareness 469
Disaster Recovery and Business Continuity 470
Analyze and Report Test Outputs 470
Internal and Third-Party Audits 470
Exam Preparation Tasks 472
Review All Key Topics 472
Define Key Terms 472
Review Questions 473
Answers and Explanations 475
Chapter 7 Security Operations 480
Investigations 481
Forensic and Digital Investigations 481
Identify Evidence 482
Preserve and Collect Evidence 483
Examine and Analyze Evidence 484
Present Findings 484
Decide 484
IOCE/SWGDE and NIST 484
Crime Scene 485
MOM 486
Chain of Custody 486
Interviewing 487
Evidence 487
Five Rules of Evidence 488
Types of Evidence 488
Surveillance, Search, and Seizure 490
Media Analysis 491
Software Analysis 491
Network Analysis 492
Hardware/Embedded Device Analysis 492
Investigation Types 493
Operations 493
Criminal 493
Civil 493
Regulatory 494
eDiscovery 494
Logging and Monitoring Activities 494
Audit and Review 494
Intrusion Detection and Prevention 495
Security Information and Event Management (SIEM) 496
Continuous Monitoring 496
Egress Monitoring 496
Resource Provisioning 497
Asset Inventory 497
Configuration Management 498
Physical Assets 500
Virtual Assets 500
Cloud Assets 501
Applications 501
Security Operations Concepts 501
Need to Know/Least Privilege 501
Managing Accounts, Groups, and Roles 501
Separation of Duties 502
Job Rotation 503
Sensitive Information Procedures 503
Record Retention 504
Monitor Special Privileges 504
Information Life Cycle 504
Service-Level Agreements 505
Resource Protection 505
Protecting Tangible and Intangible Assets 505
Facilities 505
Hardware 506
Software 506
Information Assets 507
Asset Management 507
Redundancy and Fault Tolerance 507
Backup and Recovery Systems 508
Identity and Access Management 508
Media Management 509
Media History 513
Media Labeling and Storage 514
Sanitizing and Disposing of Media 514
Network and Resource Management 515
Incident Management 516
Event Versus Incident 516
Incident Response Team and Incident Investigations 516
Rules of Engagement, Authorization, and Scope 517
Incident Response Procedures 517
Incident Response Management 518
Detect 518
Respond 518
Mitigate 519
Report 519
Recover 519
Remediate 520
Lessons Learned and Review 520
Preventive Measures 520
Clipping Levels 520
Deviations from Standards 520
Unusual or Unexplained Events 521
Unscheduled Reboots 521
Unauthorized Disclosure 521
Trusted Recovery 521
Trusted Paths 521
Input/Output Controls 522
System Hardening 522
Vulnerability Management Systems 522
IDS/IPS 523
Firewalls 523
Whitelisting/Blacklisting 523
Third-Party Security Services 523
Sandboxing 524
Honeypots/Honeynets 524
Anti-malware/Antivirus 524
Patch Management 524
Change Management Processes 525
Recovery Strategies 526
Redundant Systems, Facilities, and Power 526
Fault-Tolerance Technologies 526
Insurance 527
Data Backup 527
Fire Detection and Suppression 527
High Availability 528
Quality of Service 528
System Resilience 529
Create Recovery Strategies 529
Categorize Asset Recovery Priorities 530
Business Process Recovery 530
Facility Recovery 531
Supply and Technology Recovery 534
User Environment Recovery 537
Data Recovery 537
Training Personnel 541
Disaster Recovery 541
Response 542
Personnel 542
Damage Assessment Team 543
Legal Team 543
Media Relations Team 543
Recovery Team 543
Relocation Team 543
Restoration Team 544
Salvage Team 544
Security Team 544
Communications 544
Assessment 544
Restoration 545
Training and Awareness 545
Testing Recovery Plans 545
Read-Through Test 546
Checklist Test 546
Table-Top Exercise 546
Structured Walk-Through Test 547
Simulation Test 547
Parallel Test 547
Full-Interruption Test 547
Functional Drill 547
Evacuation Drill 547
Business Continuity Planning and Exercises 547
Physical Security 548
Perimeter Security 548
Gates and Fences 549
Perimeter Intrusion Detection 550
Lighting 552
Patrol Force 553
Access Control 553
Building and Internal Security 554
Personnel Privacy and Safety 554
Duress 554
Travel 555
Monitoring 555
Exam Preparation Tasks 555
Review All Key Topics 555
Define Key Terms 556
Answer Review Questions 557
Answers and Explanations 560
Chapter 8 Software Development Security 565
Software Development Concepts 566
Machine Languages 566
Assembly Languages and Assemblers 566
High-Level Languages, Compilers, and Interpreters 566
Object-Oriented Programming 567
Polymorphism 568
Polyinstantiation 568
Encapsulation 568
Cohesion 569
Coupling 569
Data Structures 569
Distributed Object-Oriented Systems 569
CORBA 569
COM and DCOM 570
OLE 570
Java 570
SOA 571
Mobile Code 571
Java Applets 571
ActiveX 571
Security in the System and Software Development Life Cycle 572
System Development Life Cycle 572
Initiate 572
Acquire/Develop 573
Implement 573
Operate/Maintain 573
Dispose 574
Software Development Life Cycle 574
Plan/Initiate Project 575
Gather Requirements 575
Design 576
Develop 576
Test/Validate 576
Release/Maintain 577
Certify/Accredit 578
Change Management and Configuration Management/Replacement 578
Software Development Methods and Maturity Models 578
Build and Fix 579
Waterfall 580
V-Shaped 580
Prototyping 582
Modified Prototype Model (MPM) 582
Incremental 582
Spiral 583
Agile 583
Rapid Application Development (RAD) 584
Joint Analysis Development (JAD) 585
Cleanroom 585
Structured Programming Development 585
Exploratory Model 586
Computer-Aided Software Engineering (CASE) 586
Component-Based Development 586
CMMI 586
ISO 9001:2015/90003:2014 587
Integrated Product Team 588
Security Controls in Development 589
Software Development Security Best Practices 589
WASC 590
OWASP 590
BSI 590
ISO/IEC 27000 590
Software Environment Security 591
Source Code Issues 591
Buffer Overflow 591
Escalation of Privileges 593
Backdoor 593
Rogue Programmers 594
Covert Channel 594
Object Reuse 594
Mobile Code 594
Time of Check/Time of Use (TOC/TOU) 595
Source Code Analysis Tools 595
Code Repository Security 595
Application Programming Interface Security 596
Software Threats 596
Malware 596
Malware Protection 600
Scanning Types 601
Security Policies 601
Software Protection Mechanisms 601
Assess Software Security Effectiveness 602
Auditing and Logging 603
Risk Analysis and Mitigation 603
Regression and Acceptance Testing 604
Security Impact of Acquired Software 604
Exam Preparation Tasks 605
Review All Key Topics 605
Define Key Terms 605
Answer Review Questions 606
Answers and Explanations 609
Glossary 613
Appendix A Memory Tables 671
Appendix B Memory Tables Answer Key 683
TOC, 9780789755186, 5/2/2016