The CISSP certification is the most prestigious, globally recognized, vendor-neutral exam for information security professionals. The newest edition of this acclaimed study guide is aligned to cover all of the material included in the newest version of the exam's Common Body of Knowledge. The ten domains are covered completely and as concisely as possible, with an eye to acing the exam. Each of the ten domains has its own chapter that includes specially designed pedagogy to aid the test-taker in passing the exam, including: clearly stated exam objectives; unique terms and definitions; exam warnings; learning by example; hands-on exercises; and chapter-ending questions. Special features include two practice exams, tiered chapter-ending questions that allow for a gradual learning curve, and a self-test appendix. It provides the most complete and effective study guide to prepare you for passing the CISSP exam, containing only what you need to pass the test, with no fluff. Eric Conrad has prepared hundreds of professionals for the CISSP exam through SANS, a popular and well-known organization for information security professionals. The book covers all of the new information in the Common Body of Knowledge updated in January 2012.
Acknowledgments xvii
About the authors xix
Chapter 1 Introduction 1 (8)
How to Prepare for the Exam 2 (2)
The CISSP exam is a management exam 2 (1)
The notes card approach 2 (1)
Practice tests 3 (1)
Read the glossary 3 (1)
Readiness checklist 3 (1)
Taking the Exam 4 (3)
Steps to becoming a CISSP 4 (1)
Computer-based testing (CBT) 4 (1)
How to take the exam 5 (1)
After the exam 6 (1)
Good Luck! 7 (2)
Chapter 2 Domain 1: Access Control 9 (54)
Unique Terms and Definitions 9 (1)
Introduction 9 (1)
Cornerstone Information Security Concepts 10 (7)
Confidentiality, integrity, and availability 11 (2)
Identity and authentication, authorization, and accountability (AAA) 13 (2)
Non-repudiation 15 (1)
Least privilege and need to know 15 (1)
Subjects and objects 16 (1)
Defense in depth 16 (1)
Access Control Models 17 (7)
Discretionary Access Control (DAC) 17 (1)
Mandatory Access Control (MAC) 18 (1)
Non-discretionary access control 18 (1)
Content- and context-dependent access controls 19 (1)
Centralized access control 20 (1)
Decentralized access control 20 (1)
Access provisioning lifecycle 21 (1)
Access control protocols and frameworks 22 (2)
Procedural Issues for Access Control 24 (3)
Labels, clearance, formal access approval, and need to know 24 (2)
Rule-based access controls 26 (1)
Access control lists 27 (1)
Access Control Defensive Categories and Types 27 (2)
Preventive 27 (1)
Detective 28 (1)
Corrective 28 (1)
Recovery 28 (1)
Deterrent 28 (1)
Compensating 28 (1)
Comparing access controls 29 (1)
Authentication Methods 29 (13)
Type 1 authentication: something you know 30 (5)
Type 2 authentication: something you have 35 (1)
Type 3 authentication: something you are 36 (1)
Biometric fairness, psychological comfort, and safety 37 (5)
Access Control Technologies 42 (6)
Single sign-on (SSO) 42 (1)
Federated identity management 43 (1)
Kerberos 43 (4)
Sesame 47 (1)
Security audit logs 47 (1)
Types of Attackers 48 (6)
Hackers 48 (1)
Black hats and white hats 49 (1)
Script kiddies 49 (1)
Outsiders 50 (1)
Insiders 51 (1)
Hacktivist 51 (1)
Bots and botnets 52 (1)
Phishers and spear phishers 53 (1)
Assessing Access Control 54 (3)
Penetration testing 54 (2)
Vulnerability testing 56 (1)
Security audits 57 (1)
Security assessments 57 (1)
Summary of Exam Objectives 57 (1)
Self Test 58 (2)
Self Test Quick Answer Key 60 (3)
Chapter 3 Domain 2: Telecommunications and Network Security 63 (80)
Unique Terms and Definitions 63 (1)
Introduction 63 (1)
Network Architecture and Design 64 (36)
Network defense-in-depth 64 (1)
Fundamental network concepts 64 (3)
The OSI Model 67 (2)
TCP/IP model 69 (1)
Encapsulation 70 (1)
Network Access, Internet and Transport Layer Protocols, and Concepts 71 (14)
Application layer TCP/IP protocols and concepts 85 (4)
Layer 1. Network Cabling 89 (3)
LAN technologies and protocols 92 (2)
LAN Physical Network Topologies 94 (2)
WAN technologies and protocols 96 (4)
Network Devices and Protocols 100 (23)
Repeaters and hubs 100 (1)
Bridges 100 (1)
Switches 101 (2)
Network taps 103 (1)
Routers 103 (5)
Firewalls 108 (6)
DTE/DCE and CSU/DSU 114 (1)
Intrusion detection systems and intrusion prevention systems 115 (3)
Endpoint security 118 (2)
Honeypots 120 (1)
Network attacks 121 (1)
Network scanning tools 122 (1)
Secure Communications 123 (14)
Authentication protocols and frameworks 123 (3)
VPN 126 (2)
VoIP 128 (1)
Wireless Local Area Networks 129 (5)
Remote access 134 (3)
Summary of Exam Objectives 137 (1)
Self Test 138 (2)
Self Test Quick Answer Key 140 (3)
Chapter 4 Domain 3: Information Security Governance and Risk Management 143 (26)
Unique Terms and Definitions 143 (1)
Introduction 143 (1)
Risk Analysis 144 (10)
Assets 144 (1)
Threats and vulnerabilities 144 (1)
Risk = Threat × Vulnerability 145 (2)
Calculating Annualized Loss Expectancy 147 (1)
Total Cost of Ownership 148 (1)
Return on Investment 149 (1)
Budget and metrics 150 (1)
Risk choices 151 (2)
The Risk Management Process 153 (1)
Information Security Governance 154 (11)
Security policy and related documents 154 (3)
Roles and responsibilities 157 (1)
Personnel security 158 (2)
Compliance with laws and regulations 160 (1)
Due care and due diligence 161 (1)
Best practice 161 (1)
Auditing and control frameworks 162 (2)
Certification and Accreditation 164 (1)
Summary of Exam Objectives 165 (1)
Self Test 165 (2)
Self Test Quick Answer Key 167 (2)
Chapter 5 Domain 4: Software Development Security 169 (44)
Unique Terms and Definitions 169 (1)
Introduction 169 (1)
Programming Concepts 170 (5)
Machine code, source code, and assemblers 170 (1)
Compilers, interpreters, and bytecode 171 (1)
Procedural and object-oriented languages 171 (2)
Fourth-generation programming language 173 (1)
Computer-aided software engineering (CASE) 173 (1)
Top-down versus bottom-up programming 173 (1)
Types of publicly released software 174 (1)
Application Development Methods 175 (11)
Waterfall model 176 (1)
Sashimi model 177 (2)
Agile software development 179 (1)
Spiral 180 (1)
Rapid application development (RAD) 181 (1)
Prototyping 181 (1)
SDLC 182 (4)
Software escrow 186 (1)
Object-Orientated Design and Programming 186 (6)
Object-oriented programming (OOP) 186 (5)
Object-oriented analysis (OOA) and object-oriented design (OOD) 191 (1)
Software Vulnerabilities, Testing, and Assurance 192 (5)
Software vulnerabilities 192 (2)
Software testing methods 194 (1)
Disclosure 195 (1)
Software Capability Maturity Model (CMM) 196 (1)
Software Change and Configuration Management 196 (1)
Databases 197 (6)
Types of databases 198 (4)
Database integrity 202 (1)
Database replication and shadowing 202 (1)
Data warehousing and data mining 203 (1)
Artificial Intelligence 203 (3)
Expert systems 203 (1)
Artificial neural networks 204 (1)
Bayesian filtering 205 (1)
Genetic algorithms and programming 206 (1)
Summary of Exam Objectives 206 (1)
Self Test 207 (2)
Self Test Quick Answer Key 209 (4)
Chapter 6 Domain 5: Cryptography 213 (44)
Unique Terms and Definitions 213 (1)
Introduction 213 (1)
Cornerstone Cryptographic Concepts 213 (5)
Key terms 214 (1)
Confidentiality, integrity, authentication, and non-repudiation 214 (1)
Confusion, diffusion, substitution, and permutation 214 (1)
Cryptographic strength 215 (1)
Monoalphabetic and polyalphabetic ciphers 215 (1)
Modular math 216 (1)
Exclusive Or (XOR) 216 (1)
Types of cryptography 217 (1)
Data at rest and data in motion 217 (1)
History of Cryptography 218 (10)
Egyptian hieroglyphics 218 (1)
Spartan scytale 218 (1)
Caesar cipher and other rotation ciphers 218 (1)
Vigenere cipher 219 (1)
Cipher disk 219 (1)
Jefferson disks 220 (2)
Book cipher and running-key cipher 222 (1)
Codebooks 223 (1)
One-time pad 224 (3)
Cryptography laws 227 (1)
Symmetric Encryption 228 (8)
Stream and block ciphers 228 (1)
Initialization vectors and chaining 228 (1)
DES 229 (4)
International Data Encryption Algorithm 233 (1)
Advanced Encryption Standard 233 (3)
Blowfish and Twofish 236 (1)
RC5 and RC6 236 (1)
Asymmetric Encryption 236 (2)
Asymmetric methods 236 (2)
Hash Functions 238 (1)
Collisions 238 (1)
MD5 239 (1)
Secure Hash Algorithm 239 (1)
Haval 239 (1)
Cryptographic Attacks 239 (5)
Brute force 239 (1)
Social engineering 240 (1)
Rainbow tables 240 (1)
Known plaintext 241 (1)
Chosen plaintext and adaptive chosen plaintext 241 (1)
Chosen ciphertext and adaptive chosen ciphertext 242 (1)
Meet-in-the-middle attack 242 (1)
Known key 242 (1)
Differential cryptanalysis 242 (1)
Linear cryptanalysis 243 (1)
Side-channel attacks 243 (1)
Implementation attacks 243 (1)
Birthday attack 243 (1)
Key clustering 244 (1)
Implementing Cryptography 244 (7)
Digital signatures 244 (1)
Message Authentication Code 245 (1)
Public key infrastructure 246 (1)
SSL and TLS 247 (1)
IPsec 247 (1)
AH and ESP 248 (1)
IKE 249 (1)
PGP 249 (1)
S/MIME 249 (1)
Escrowed encryption 249 (1)
Steganography 250 (1)
Digital watermarks 251 (1)
Summary of Exam Objectives 251 (1)
Self Test 252 (2)
Self Test Quick Answer Key 254 (3)
Chapter 7 Domain 6: Security Architecture and Design 257 (50)
Unique Terms and Definitions 257 (1)
Introduction 257 (1)
Secure System Design Concepts 258 (3)
Layering 258 (1)
Abstraction 258 (1)
Security domains 259 (1)
The ring model 259 (1)
Open and closed systems 260 (1)
Secure Hardware Architecture 261 (9)
The system unit and motherboard 261 (1)
The computer bus 261 (1)
The CPU 261 (3)
Memory 264 (2)
Memory protection 266 (4)
Secure Operating System and Software Architecture 270 (3)
The kernel 270 (1)
Users and file permissions 270 (3)
Virtualization and Distributed Computing 273 (5)
Virtualization 273 (2)
Cloud computing 275 (1)
Grid computing 276 (1)
Peer to peer 276 (1)
Thin clients 277 (1)
System Vulnerabilities, Threats, and Countermeasures 278 (12)
Emanations 278 (1)
Covert channels 278 (1)
Buffer overflows 279 (1)
TOCTOU/Race conditions 280 (1)
Backdoors 280 (1)
Malicious code (malware) 281 (1)
Server-side attacks 282 (1)
Client-side attacks 283 (1)
Web architecture and attacks 284 (2)
Mobile device attacks 286 (1)
Database security 287 (2)
Countermeasures 289 (1)
Security Models 290 (9)
Reading down and writing up 290 (1)
State machine model 291 (1)
Bell-LaPadula model 291 (1)
Lattice-based access controls 292 (1)
Integrity models 292 (2)
Information flow model 294 (1)
Chinese Wall model 294 (1)
Noninterference 295 (1)
Take-grant 295 (1)
Access control matrix 295 (1)
Zachman Framework for Enterprise Architecture 296 (1)
Graham-Denning Model 297 (1)
Harrison-Ruzzo-Ullman Model 297 (1)
Modes of Operation 298 (1)
Evaluation Methods, Certification, and Accreditation 299 (3)
The Orange Book 299 (1)
ITSEC 300 (1)
The International Common Criteria 301 (1)
PCI-DSS 302 (1)
Certification and accreditation 302 (1)
Summary of Exam Objectives 302 (1)
Self Test 303 (2)
Self Test Quick Answer Key 305 (2)
Chapter 8 Domain 7: Operations Security 307 (36)
Unique Terms and Definitions 307 (1)
Introduction 307 (1)
Administrative Security 308 (4)
Administrative Personnel Controls 308 (3)
Privilege monitoring 311 (1)
Sensitive Information and Media Security 312 (2)
Sensitive information 312 (2)
Asset Management 314 (5)
Configuration management 315 (3)
Change management 318 (1)
Continuity of Operations 319 (8)
Service Level Agreements (SLAs) 319 (1)
Fault tolerance 320 (7)
Incident Response Management 327 (10)
Methodology 328 (4)
Types of attacks 332 (5)
Summary of Exam Objectives 337 (3)
Self Test 340 (2)
Self Test Quick Answer Key 342 (1)
Chapter 9 Domain 8: Business Continuity and Disaster Recovery Planning 343 (46)
Unique Terms and Definitions 343 (1)
Introduction 343 (1)
BCP and DRP Overview and Process 344 (11)
Business continuity planning (BCP) 344 (1)
Disaster recovery planning (DRP) 345 (1)
Relationship between BCP and DRP 345 (1)
Disasters or disruptive events 346 (7)
The disaster recovery process 353 (2)
Developing a BCP/DRP 355 (18)
Project initiation 355 (3)
Scoping the project 358 (1)
Assessing the critical state 359 (1)
Conduct Business Impact Analysis (BIA) 359 (5)
Identify preventive controls 364 (1)
Recovery strategy 364 (4)
Related plans 368 (5)
Plan approval 373 (1)
Backups and Availability 373 (4)
Hardcopy data 374 (1)
Electronic backups 374 (3)
Software escrow 377 (1)
DRP Testing, Training, and Awareness 377 (3)
DRP testing 377 (2)
Training 379 (1)
BCP/DRP Maintenance 380 (1)
Change management 380 (1)
BCP/DRP version control 380 (1)
BCP/DRP mistakes 381 (1)
Specific BCP/DRP Frameworks 381 (2)
NIST SP 800-34 381 (1)
ISO/IEC-27031 381 (1)
BS-25999 382 (1)
BCI 382 (1)
Summary of Exam Objectives 383 (1)
Self Test 383 (2)
Self Test Quick Answer Key 385 (4)
Chapter 10 Domain 9: Legal, Regulations, Investigations, and Compliance 389 (40)
Unique Terms and Definitions 389 (1)
Introduction 390 (1)
Major legal systems 390 (1)
Civil law (legal system) 390 (1)
Common law 390 (1)
Religious law 391 (1)
Other systems 391 (1)
Criminal, Civil, and Administrative Law 391 (2)
Criminal Law 392 (1)
Civil Law 392 (1)
Administrative law 393 (1)
Information Security Aspects of Law 393 (11)
Computer crime 394 (1)
Intellectual property 395 (4)
Import and export restrictions 399 (1)
Privacy 400 (3)
Transborder data flow 403 (1)
Liability 403 (1)
Forensics 404 (5)
Forensic Media Analysis 405 (2)
Network forensics 407 (1)
Forensic software analysis 408 (1)
Embedded device forensics 408 (1)
Incident response 408 (1)
Legal Aspects of Investigations 409 (5)
Evidence 409 (2)
Evidence integrity 411 (1)
Chain of custody 411 (1)
Reasonable searches 412 (2)
Entrapment and enticement 414 (1)
Important Laws and Regulations 414 (4)
U.S. Computer Fraud and Abuse Act 414 (3)
USA Patriot Act 417 (1)
HIPAA 417 (1)
U.S. breach notification laws 418 (1)
Security and Third Parties 418 (2)
Service provider contractual security 418 (1)
Procurement 419 (1)
Vendor governance 420 (1)
Ethics 420 (3)
The (ISC)2® Code of Ethics 420 (2)
Computer Ethics Institute 422 (1)
IAB's Ethics and the Internet 422 (1)
Summary of Exam Objectives 423 (1)
Self Test 424 (2)
Self Test Quick Answer Key 426 (3)
Chapter 11 Domain 10: Physical (Environmental) Security 429 (34)
Unique Terms and Definitions 429 (1)
Introduction 429 (1)
Perimeter Defenses 430 (12)
Fences 430 (1)
Gates 430 (1)
Bollards 430 (1)
Lights 431 (1)
CCTV 432 (1)
Locks 433 (4)
Smart cards and magnetic stripe cards 437 (1)
Tailgating/piggybacking 438 (1)
Mantraps and turnstiles 439 (1)
Contraband checks 439 (1)
Motion detectors and other perimeter alarms 439 (1)
Doors and windows 440 (1)
Walls, floors, and ceilings 441 (1)
Guards 441 (1)
Dogs 442 (1)
Restricted areas and escorts 442 (1)
Site Selection, Design, and Configuration 442 (2)
Site selection issues 443 (1)
Site design and configuration issues 443 (1)
System Defenses 444 (4)
Asset tracking 445 (1)
Port controls 445 (1)
Drive and tape encryption 445 (1)
Media storage and transportation 446 (1)
Media cleaning and destruction 446 (2)
Environmental Controls 448 (11)
Electricity 448 (2)
HVAC 450 (1)
Heat, flame, and smoke detectors 451 (1)
Personnel safety, training, and awareness 452 (1)
ABCD fires and suppression 453 (2)
Types of fire suppression agents 455 (4)
Summary of Exam Objectives 459 (1)
Self Test 460 (2)
Self Test Quick Answer Key 462 (1)
Appendix: Self Test 463 (50)
Glossary 513 (36)
Index 549