SKIP THE SHIPPING
Use code NOSHIP during checkout to save 40% on eligible eBooks, now through January 5. Shop now.
Register your product to gain access to bonus material or receive a coupon.
CISSP Cert Guide, Premium Edition eBook and Practice Test, Third Edition
The exciting new CISSP Cert Guide, Premium Edition eBook and Practice Test, Third Editionis a digital-only certification preparation product combining an eBook with enhanced Pearson Test Prep practice test software. The Premium Edition eBook and Practice Test contains the following items:
About the Premium Edition Practice Test
This Premium Edition contains an enhanced version of the Pearson Test Prep practice test software with four full practice exams. In addition, it contains all the chapter-opening assessment questions from the book. This integrated learning package
Pearson Test Prep practice test software minimum system requirements:
Pearson Test Prep online system requirements:
Browsers: Chrome version 40 and above; Firefox version 35 and above; Safari version 7; Internet Explorer 10, 11; Microsoft Edge; Opera. Devices: Desktop and laptop computers, tablets running on Android and iOS, smartphones with a minimum screen size of 4.7". Internet access required.
Pearson Test Prep offline system requirements:
Windows 10, Windows 8.1, or Windows 7; Microsoft .NET Framework 4.5 Client; Pentium-class 1 GHz processor (or equivalent); 512 MB RAM; 650 MB disk space plus 50 MB for each downloaded practice exam; access to the Internet to register and download exam databases
About the Premium Edition eBook
Learn, prepare, and practice for CISSP exam success with this Cert Guide from Pearson IT Certification, a leader in IT Certification learning.
CISSP Cert Guide, Third Edition is a best-of-breed exam study guide. Leading IT certification experts Robin Abernathy and Troy McMillan share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
The book presents you with an organized test preparation routine through the use of proven series elements and techniques. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan.
The companion website contains the powerful Pearson Test Prep practice test software engine, complete with hundreds of exam-realistic questions. The assessment engine offers you a wealth of customization options and reporting features, laying out a complete assessment of your knowledge to help you focus your study where it is needed most.
Well regarded for its level of detail, assessment features, and challenging review questions and exercises, this CISSP study guide helps you master the concepts and techniques that will allow you to succeed on the exam the first time.
The ISC2 study guide helps you master all the topics on the CISSP exam, including
· Access control
· Telecommunications and network security
· Information security governance and risk management
· Software development security
· Cryptography
· Security architecture and design
· Operation security
· Business continuity and disaster recovery planning
· Legal, regulations, investigations, and compliance
· Physical (environmental) security
Download the sample pages (includes Chapter 6)
Introduction xlv
Chapter 1 Security and Risk Management 2
Security Terms 5
CIA 5
Auditing and Accounting 6
Non-Repudiation 7
Default Security Posture 7
Defense in Depth 7
Abstraction 8
Data Hiding 8
Encryption 8
Security Governance Principles 8
Security Function Alignment 9
Organizational Processes 12
Organizational Roles and Responsibilities 14
Security Control Frameworks 17
Due Care and Due Diligence 32
Compliance 33
Contractual, Legal, Industry Standards, and Regulatory Compliance 34
Privacy Requirements Compliance 35
Legal and Regulatory Issues 35
Computer Crime Concepts 36
Major Legal Systems 38
Licensing and Intellectual Property 40
Cyber Crimes and Data Breaches 44
Import/Export Controls 45
Trans-Border Data Flow 45
Privacy 45
Professional Ethics 52
(ISC)2 Code of Ethics 52
Computer Ethics Institute 53
Internet Architecture Board 54
Organizational Code of Ethics 54
Security Documentation 54
Policies 55
Processes 57
Procedures 57
Standards 57
Guidelines 58
Baselines 58
Business Continuity 58
Business Continuity and Disaster Recovery Concepts 58
Scope and Plan 61
BIA Development 65
Personnel Security Policies and Procedures 68
Candidate Screening and Hiring 69
Employment Agreements and Policies 70
Employee Onboarding and Offboarding Policies 71
Vendor, Consultant, and Contractor Agreements and Controls 72
Compliance Policy Requirements 72
Privacy Policy Requirements 72
Job Rotation 73
Separation of Duties 73
Risk Management Concepts 73
Asset and Asset Valuation 73
Vulnerability 74
Threat 74
Threat Agent 74
Exploit 75
Risk 75
Exposure 75
Countermeasure 75
Risk Appetite 76
Attack 76
Breach 76
Risk Management Policy 77
Risk Management Team 77
Risk Analysis Team 77
Risk Assessment 78
Implementation 82
Control Categories 83
Control Types 84
Controls Assessment, Monitoring, and Measurement 89
Reporting and Continuous Improvement 89
Risk Frameworks 90
Geographical Threats 108
Internal Versus External Threats 108
Natural Threats 109
System Threats 110
Human-Caused Threats 111
Politically Motivated Threats 114
Threat Modeling 115
Threat Modeling Concepts 116
Threat Modeling Methodologies 116
Identifying Threats 119
Potential Attacks 120
Remediation Technologies and Processes 121
Security Risks in the Supply Chain 121
Risks Associated with Hardware, Software, and Services 121
Third-party Assessment and Monitoring 122
Minimum Service-Level and Security Requirements 123
Service-Level Requirements 123
Security Education, Training, and Awareness 124
Levels Required 124
Methods and Techniques 125
Periodic Content Reviews 126
Exam Preparation Tasks 126
Chapter 2 Asset Security 140
Asset Security Concepts 141
Data Policy 141
Roles and Responsibilities 143
Data Quality 144
Data Documentation and Organization 145
Identify and Classify Information and Assets 146
Data and Asset Classification 146
Sensitivity and Criticality 146
Private Sector Classifications 151
Military and Government Classifications 152
Information Life Cycle 153
Databases 155
Data Audit 160
Information and Asset Ownership 160
Protect Privacy 161
Owners 161
Data Processors 162
Data Remanence 162
Collection Limitation 163
Asset Retention 164
Data Security Controls 166
Data Security 166
Data States 166
Data Access and Sharing 167
Data Storage and Archiving 168
Baselines 169
Scoping and Tailoring 170
Standards Selection 170
Data Protection Methods 171
Information and Asset Handling Requirements 172
Marking, Labeling, and Storing 172
Destruction 173
Exam Preparation Tasks 173
Chapter 3 Security Architecture and Engineering 178
Engineering Processes Using Secure Design Principles 180
Objects and Subjects 181
Closed Versus Open Systems 182
Security Model Concepts 182
Confidentiality, Integrity, and Availability 182
Confinement 183
Bounds 183
Isolation 183
Security Modes 183
Defense in Depth 185
Security Model Types 185
Security Models 188
System Architecture Steps 192
ISO/IEC 42010:2011 193
Computing Platforms 193
Security Services 196
System Components 196
System Security Evaluation Models 205
TCSEC 206
ITSEC 209
Common Criteria 211
Security Implementation Standards 213
Controls and Countermeasures 217
Certification and Accreditation 217
Control Selection Based upon Systems Security Requirements 218
Security Capabilities of Information Systems 219
Memory Protection 219
Virtualization 220
Trusted Platform Module 220
Interfaces 221
Fault Tolerance 221
Policy Mechanisms 222
Encryption/Decryption 223
Security Architecture Maintenance 223
Vulnerabilities of Security Architectures, Designs, and Solution Elements 224
Client-Based Systems 224
Server-Based Systems 225
Database Systems 226
Cryptographic Systems 227
Industrial Control Systems 227
Cloud-Based Systems 230
Large-Scale Parallel Data Systems 236
Distributed Systems 237
Grid Computing 237
Peer-to-Peer Computing 237
Internet of Things 238
Vulnerabilities in Web-Based Systems 242
Maintenance Hooks 242
Time-of-Check/Time-of-Use Attacks 243
Web-Based Attacks 243
XML 244
SAML 244
OWASP 244
Vulnerabilities in Mobile Systems 244
Device Security 245
Application Security 246
Mobile Device Concerns 246
NIST SP 800-164 248
Vulnerabilities in Embedded Devices 250
Cryptography 250
Cryptography Concepts 250
Cryptography History 253
Cryptosystem Features 256
NIST SP 800-175A and B 257
Cryptographic Mathematics 258
Cryptographic Life Cycle 261
Cryptographic Types 262
Running Key and Concealment Ciphers 263
Substitution Ciphers 263
Transposition Ciphers 265
Symmetric Algorithms 266
Asymmetric Algorithms 268
Hybrid Ciphers 269
Symmetric Algorithms 269
DES and 3DES 270
AES 274
IDEA 274
Skipjack 274
Blowfish 275
Twofish 275
RC4/RC5/RC6/RC7 275
CAST 275
Asymmetric Algorithms 276
Diffie-Hellman 277
RSA 277
El Gamal 278
ECC 278
Knapsack 279
Zero-knowledge Proof 279
Public Key Infrastructure 279
Certification Authority and Registration Authority 279
Certificates 280
Certificate Life Cycle 281
Certificate Revocation List 283
OCSP 284
PKI Steps 284
Cross-Certification 285
Key Management Practices 285
Message Integrity 293
Hashing 294
Message Authentication Code 297
Salting 299
Digital Signatures 299
DSS 300
Applied Cryptography 300
Link Encryption Versus End-to-End Encryption 300
Email Security 300
Internet Security 300
Cryptanalytic Attacks 301
Ciphertext-Only Attack 302
Known Plaintext Attack 302
Chosen Plaintext Attack 302
Chosen Ciphertext Attack 302
Social Engineering 302
Brute Force 302
Differential Cryptanalysis 303
Linear Cryptanalysis 303
Algebraic Attack 303
Frequency Analysis 303
Birthday Attack 303
Dictionary Attack 303
Replay Attack 304
Analytic Attack 304
Statistical Attack 304
Factoring Attack 304
Reverse Engineering 304
Meet-in-the-Middle Attack 304
Ransomware Attack 304
Side-Channel Attack 305
Digital Rights Management 305
Document DRM 306
Music DRM 306
Movie DRM 306
Video Game DRM 306
E-book DRM 307
Site and Facility Design 307
Layered Defense Model 307
CPTED 307
Physical Security Plan 308
Facility Selection Issues 309
Site and Facility Security Controls 312
Doors 312
Locks 313
Biometrics 315
Glass Entries 315
Visitor Control 315
Wiring Closets/Intermediate Distribution Facilities 316
Work Areas 316
Environmental Security 317
Equipment Security 321
Exam Preparation Tasks 323
Chapter 4 Communication and Network Security 334
Secure Network Design Principles 335
OSI Model 335
TCP/IP Model 340
IP Networking 345
Common TCP/UDP Ports 346
Logical and Physical Addressing 347
IPv4 348
Network Transmission 353
IPv6 357
Network Types 370
Protocols and Services 372
ARP/RARP 372
DHCP/BOOTP 373
DNS 374
FTP, FTPS, SFTP, TFTP 374
HTTP, HTTPS, S-HTTP 375
ICMP 375
IGMP 376
IMAP 376
LDAP 376
LDP 376
NAT 376
NetBIOS 376
NFS 377
PAT 377
POP 377
CIFS/SMB 377
SMTP 377
SNMP 377
SSL/TLS 378
Multilayer Protocols 378
Converged Protocols 379
FCoE 379
MPLS 380
VoIP 381
iSCSI 381
Wireless Networks 381
FHSS, DSSS, OFDM, VOFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 382
WLAN Structure 384
WLAN Standards 384
WLAN Security 387
Communications Cryptography 392
Link Encryption 392
End-to-End Encryption 393
Email Security 393
Internet Security 394
Secure Network Components 396
Hardware 397
Transmission Media 415
Network Access Control Devices 435
Endpoint Security 437
Content-Distribution Networks 438
Secure Communication Channels 438
Voice 439
Multimedia Collaboration 439
Remote Access 440
Data Communications 450
Virtualized Networks 450
Network Attacks 451
Cabling 451
Network Component Attacks 453
ICMP Attacks 454
DNS Attacks 456
Email Attacks 458
Wireless Attacks 459
Remote Attacks 460
Other Attacks 460
Exam Preparation Tasks 462
Chapter 5 Identity and Access Management (IAM) 474
Access Control Process 475
Identify Resources 475
Identify Users 476
Identify the Relationships Between Resources and Users 476
Physical and Logical Access to Assets 477
Access Control Administration 477
Information 478
Systems 478
Devices 479
Facilities 479
Identification and Authentication Concepts 480
NIST SP 800-63 480
Five Factors for Authentication 484
Single-Factor Versus Multi-Factor Authentication 495
Device Authentication 495
Identification and Authentication Implementation 496
Separation of Duties 496
Least Privilege/Need-to-Know 497
Default to No Access 497
Directory Services 498
Single Sign-on 498
Session Management 503
Registration and Proof of Identity 503
Credential Management Systems 504
Accountability 505
Identity as a Service (IDaaS) Implementation 507
Third-Party Identity Services Integration 507
Authorization Mechanisms 508
Permissions, Rights, and Privileges 508
Access Control Models 508
Access Control Policies 514
Provisioning Life Cycle 514
Provisioning 515
User and System Account Access Review 516
Account Revocation 516
Access Control Threats 516
Password Threats 517
Social Engineering Threats 518
DoS/DDoS 520
Buffer Overflow 520
Mobile Code 520
Malicious Software 521
Spoofing 521
Sniffing and Eavesdropping 521
Emanating 522
Backdoor/Trapdoor 522
Access Aggregation 522
Advanced Persistent Threat 523
Prevent or Mitigate Access Control Threats 523
Exam Preparation Tasks 524
Chapter 6 Security Assessment and Testing 532
Design and Validate Assessment and Testing Strategies 533
Security Testing 534
Security Assessments 534
Security Auditing 535
Internal, External, and Third-party Security Assessment, Testing, and Auditing 535
Conduct Security Control Testing 535
Vulnerability Assessment 535
Penetration Testing 539
Log Reviews 541
Synthetic Transactions 546
Code Review and Testing 546
Misuse Case Testing 549
Test Coverage Analysis 549
Interface Testing 549
Collect Security Process Data 550
NIST SP 800-137 550
Account Management 551
Management Review and Approval 551
Key Performance and Risk Indicators 552
Backup Verification Data 553
Training and Awareness 553
Disaster Recovery and Business Continuity 553
Analyze and Report Test Outputs 553
Conduct or Facilitate Security Audits 554
Exam Preparation Tasks 555
Chapter 7 Security Operations 564
Investigations 566
Forensic and Digital Investigations 566
Evidence Collection and Handling 574
Digital Forensic Tools, Tactics, and Procedures 579
Investigation Types 581
Operations/Administrative 581
Criminal 582
Civil 582
Regulatory 582
Industry Standards 582
eDiscovery 585
Logging and Monitoring Activities 585
Audit and Review 585
Intrusion Detection and Prevention 587
Security Information and Event Management (SIEM) 588
Continuous Monitoring 588
Egress Monitoring 588
Resource Provisioning 589
Asset Inventory and Management 590
Configuration Management 592
Security Operations Concepts 593
Need to Know/Least Privilege 593
Managing Accounts, Groups, and Roles 594
Separation of Duties and Responsibilities 594
Privilege Account Management 595
Job Rotation and Mandatory Vacation 595
Two-Person Control 596
Sensitive Information Procedures 596
Record Retention 596
Information Life Cycle 596
Service-Level Agreements 597
Resource Protection 597
Protecting Tangible and Intangible Assets 597
Asset Management 599
Incident Management 608
Event Versus Incident 608
Incident Response Team and Incident Investigations 609
Rules of Engagement, Authorization, and Scope 609
Incident Response Procedures 610
Incident Response Management 610
Detect 610
Respond 611
Mitigate 611
Report 611
Recover 612
Remediate 612
Lessons Learned and Review 612
Detective and Preventive Measures 612
IDS/IPS 612
Firewalls 613
Whitelisting/Blacklisting 613
Third-Party Security Services 613
Sandboxing 614
Honeypots/Honeynets 614
Anti-malware/Antivirus 614
Clipping Levels 614
Deviations from Standards 615
Unusual or Unexplained Events 615
Unscheduled Reboots 615
Unauthorized Disclosure 615
Trusted Recovery 615
Trusted Paths 616
Input/Output Controls 616
System Hardening 616
Vulnerability Management Systems 616
Patch and Vulnerability Management 617
Change Management Processes 618
Recovery Strategies 618
Create Recovery Strategies 619
Backup Storage Strategies 626
Recovery and Multiple Site Strategies 628
Redundant Systems, Facilities, and Power 630
Fault-Tolerance Technologies 631
Insurance 631
Data Backup 632
Fire Detection and Suppression 632
High Availability 632
Quality of Service 633
System Resilience 633
Disaster Recovery 633
Response 634
Personnel 634
Communications 636
Assessment 636
Restoration 637
Training and Awareness 637
Testing Disaster Recovery Plans 637
Read-Through Test 638
Checklist Test 638
Table-Top Exercise 638
Structured Walk-Through Test 638
Simulation Test 639
Parallel Test 639
Full-Interruption Test 639
Functional Drill 639
Evacuation Drill 639
Business Continuity Planning and Exercises 639
Physical Security 640
Perimeter Security Controls 640
Building and Internal Security Controls 645
Personnel Safety and Security 645
Duress 646
Travel 646
Monitoring 646
Emergency Management 646
Security Training and Awareness 647
Exam Preparation Tasks 647
Chapter 8 Software Development Security 658
Software Development Concepts 659
Machine Languages 659
Assembly Languages and Assemblers 660
High-Level Languages, Compilers, and Interpreters 660
Object-Oriented Programming 660
Distributed Object-Oriented Systems 663
Mobile Code 664
Security in the System and Software Development Life Cycles 668
System Development Life Cycle 668
Software Development Life Cycle 670
Software Development Methods and Maturity Models 674
Operation and Maintenance 684
Integrated Product Team 685
Security Controls in Development 686
Software Development Security Best Practices 686
Software Environment Security 687
Source Code Analysis Tools 688
Code Repository Security 688
Software Threats 688
Software Protection Mechanisms 694
Assess Software Security Effectiveness 695
Auditing and Logging 695
Risk Analysis and Mitigation 695
Regression and Acceptance Testing 696
Security Impact of Acquired Software 696
Secure Coding Guidelines and Standards 697
Security Weaknesses and Vulnerabilities at the Source Code Level 697
Security of Application Programming Interfaces 700
Secure Coding Practices 701
Exam Preparation Tasks 702
Chapter 9 Final Preparation 712
Tools for Final Preparation 713
Pearson Test Prep Practice Test Engine and Questions on the Website 713
Customizing Your Exams 715
Updating Your Exams 716
Memory Tables 717
Chapter-Ending Review Tools 717
Suggested Plan for Final Review/Study 717
Summary 718
Glossary 721
Online Elements
Appendix A Memory Tables
Appendix B Memory Tables Answer Key
Glossary
9780789759696 TOC 6/27/2018
We've made every effort to ensure the accuracy of this book and its companion content. Any errors that have been confirmed since this book was published can be downloaded below.
Download the errata (43 KB .doc)