Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

Apt 9 lisa indexer wallet

29/11/2021 Client: muhammad11 Deadline: 2 Day

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter Blind Folio i

ALL IN ONE

CISSP® E X A M G U I D E

Seventh Edition

Shon Harris Fernando Maymí

New York Chicago San Francisco Athens London Madrid Mexico City

Milan New Delhi Singapore Sydney Toronto

McGraw-Hill Education is an independent entity from (ISC)2® and is not affiliated with (ISC)2 in any manner. This study/ training guide and/or material is not sponsored by, endorsed by, or affiliated with (ISC)2 in any manner. This publication and CD may be used in assisting students to prepare for the CISSP exam. Neither (ISC)2 nor McGraw-Hill Education warrants that use of this publication and CD will ensure passing any exam. (ISC)2®, CISSP®, CAP®, ISSAP®, ISSEP®, ISSMP®, SSCP®, CCSP®, and CBK® are trademarks or registered trademarks of (ISC)2 in the United States and certain other countries. All other trademarks are trademarks of their respective owners.

00-FM.indd 1 14/04/16 10:24 AM

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter Blind Folio ii

McGraw-Hill Education books are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative, please visit the Contact Us pages at www.mhprofessional.com.

CISSP® All-in-One Exam Guide, Seventh Edition

Copyright © 2016 by McGraw-Hill Education. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

All trademarks or copyrights mentioned herein are the possession of their respective owners and McGraw-Hill Education makes no claim of ownership by the mention of products that contain these marks.

1 2 3 4 5 6 7 8 9 DOC 21 20 19 18 17 16

ISBN: Book p/n 978-0-07-184961-6 and CD p/n 978-0-07-184925-8 of set 978-0-07-184927-2

MHID: Book p/n 0-07-184961-0 and CD p/n 0-07-184925-4 of set 0-07-184927-0

Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

Sponsoring Editor Wendy Rinaldi

Editorial Supervisor Janet Walden

Project Manager Yashmita Hota, Cenveo® Publisher Services

Acquisitions Coordinator Amy Stonebraker

Technical Editor Jonathan Ham

Copy Editor William McManus

Proofreader Lisa McCoy

Indexer Karin Arrigoni

Production Supervisor James Kussow

Composition Cenveo Publisher Services

Illustration Cenveo Publisher Services

Art Director, Cover Jeff Weeks

Library of Congress Cataloging-in-Publication Data

Names: Harris, Shon, author. | Maymi, Fernando, author. Title: CISSP exam guide / Shon Harris, Fernando Maymi. Other titles: CISSP all-in-one exam guide Description: Seventh edition. | New York : McGraw-Hill Education, 2016. | Includes index. Identifiers: LCCN 2016017045 (print) | LCCN 2016017235 (ebook) | ISBN 9780071849272 (set : alk. paper) | ISBN 9780071849616 (book : alk. paper) | ISBN 9780071849258 (CD) | ISBN 0071849270 (set : alk. paper) | ISBN 0071849610 (book : alk. paper) | ISBN 0071849254 (CD) | ISBN 9780071849265 () Subjects: LCSH: Computer networks—Examinations—Study guides. | Telecommunications engineers—Certification. Classification: LCC TK5105.5 .H368 2016 (print) | LCC TK5105.5 (ebook) | DDC 005.8—dc23 LC record available at https://lccn.loc.gov/2016017045

00-FM.indd 2 14/04/16 5:04 PM

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter Blind Folio iii

We dedicate this book to all those who have served selflessly.

00-FM.indd 3 14/04/16 10:24 AM

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter Blind Folio iv

ABOUT THE AUTHORS Shon Harris, CISSP, was the founder and CEO of Shon Harris Security LLC and Logi- cal Security LLC, a security consultant, a former engineer in the Air Force’s Informa- tion Warfare unit, an instructor, and an author. Shon owned and ran her own training and consulting companies for 13 years prior to her death in 2014. She consulted with Fortune 100 corporations and government agencies on extensive security issues. She authored three best-selling CISSP books, was a contributing author to Gray Hat Hacking: The Ethical Hacker’s Handbook and Security Information and Event Management (SIEM) Implementation, and a technical editor for Information Security Magazine.

Fernando Maymí, Ph.D., CISSP, is a security practitioner with over 25 years’ experience in the field. He currently leads a multidisciplinary team charged with developing disruptive innovations for cyberspace operations as well as impactful pub- lic-private partnerships aimed at better securing cyberspace. Fernando has served as a consultant for both government and private-sector organizations in the United States and abroad. He has authored and taught dozens of courses and workshops in cyber security for academic, government, and professional audiences in the United States and Latin America. Fernando is the author of over a dozen publications and holds three

patents. His awards include the U.S. Department of the Army Research and Development Achievement Award and he was recognized as a HENAAC Luminary. He worked closely with Shon Harris, advising her on a multitude of projects, including the sixth edition of the CISSP All-in-One Exam Guide. Fernando is also a volunteer puppy raiser for Guiding Eyes for the Blind and has raised two guide dogs, Trinket and Virgo.

About the Contributor Bobby E. Rogers is an information security engineer working as a contractor for Depart- ment of Defense agencies, helping to secure, certify, and accredit their information sys- tems. His duties include information system security engineering, risk management, and certification and accreditation efforts. He retired after 21 years in the U.S. Air Force, serving as a network security engineer and instructor, and has secured networks all over the world. Bobby has a master’s degree in information assurance (IA) and is pursuing a doctoral degree in cybersecurity from Capitol Technology University in Maryland. His many certifications include CISSP-ISSEP, CEH, and MCSE: Security, as well as the CompTIA A+, Network+, Security+, and Mobility+ certifications.

00-FM.indd 4 14/04/16 10:24 AM

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter Blind Folio v

About the Technical Editor Jonathan Ham, CISSP, GSEC, GCIA, GCIH, is an independent consultant who specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. With a keen understanding of ROI and TCO, he has helped his clients achieve greater success for more than 12 years, advising in both the public and private sectors, from small upstarts to the Fortune 500. Jonathan has been commissioned to teach NCIS investigators how to use Snort, has performed packet analysis from a facil- ity more than 2,000 feet underground, and has chartered and trained the CIRT for one of the largest U.S. civilian federal agencies. He is a member of the GIAC Advisory Board and is a SANS instructor teaching their MGT414: SANS Training Program for CISSP Certification course. He is also co-author of Network Forensics: Tracking Hackers Through Cyberspace, a textbook published by Prentice-Hall.

00-FM.indd 5 14/04/16 10:24 AM

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

vi

CONTENTS AT A GLANCE

Chapter 1 Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Chapter 2 Asset Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Chapter 3 Security Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Chapter 4 Communication and Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

Chapter 5 Identity and Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721

Chapter 6 Security Assessment and Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859

Chapter 7 Security Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923

Chapter 8 Software Development Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077

Appendix A Comprehensive Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1213

Appendix B About the CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1269

Glossary ................................................................................................................ 1273

Index ...................................................................................................................... 1291

00-FM.indd 6 14/04/16 10:24 AM

vii

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

CONTENTS

In Memory of Shon Harris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv From the Author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii Why Become a CISSP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix

Chapter 1 Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Fundamental Principles of Security . . . . . . . . . . . . . . . . . . . . . . . . . 3 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Balanced Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Security Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Control Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Security Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

ISO/IEC 27000 Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Enterprise Architecture Development . . . . . . . . . . . . . . . . . . 19 Security Controls Development . . . . . . . . . . . . . . . . . . . . . . . 33 Process Management Development . . . . . . . . . . . . . . . . . . . . 37 Functionality vs. Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

The Crux of Computer Crime Laws . . . . . . . . . . . . . . . . . . . . . . . . 45 Complexities in Cybercrime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Electronic Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 The Evolution of Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 International Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Types of Legal Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Intellectual Property Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Trade Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Trademark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Patent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Internal Protection of Intellectual Property . . . . . . . . . . . . . . 67 Software Piracy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 The Increasing Need for Privacy Laws . . . . . . . . . . . . . . . . . . 72 Laws, Directives, and Regulations . . . . . . . . . . . . . . . . . . . . . 73 Employee Privacy Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

00-FM.indd 7 14/04/16 10:24 AM

CISSP All-in-One Exam Guide

viii

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

Data Breaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 U.S. Laws Pertaining to Data Breaches . . . . . . . . . . . . . . . . . 84 Other Nations’ Laws Pertaining to Data Breaches . . . . . . . . . 85

Policies, Standards, Baselines, Guidelines, and Procedures . . . . . . . . 86 Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Baselines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Holistic Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Information Systems Risk Management Policy . . . . . . . . . . . 95 The Risk Management Team . . . . . . . . . . . . . . . . . . . . . . . . . 96 The Risk Management Process . . . . . . . . . . . . . . . . . . . . . . . 97

Threat Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Reduction Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Risk Assessment and Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Risk Analysis Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 The Value of Information and Assets . . . . . . . . . . . . . . . . . . . 104 Costs That Make Up the Value . . . . . . . . . . . . . . . . . . . . . . . 105 Identifying Vulnerabilities and Threats . . . . . . . . . . . . . . . . . 106 Methodologies for Risk Assessment . . . . . . . . . . . . . . . . . . . . 107 Risk Analysis Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Qualitative Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Putting It Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Total Risk vs. Residual Risk . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Handling Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Outsourcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Risk Management Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Categorize Information System . . . . . . . . . . . . . . . . . . . . . . . 128 Select Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Implement Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . 129 Assess Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Authorize Information System . . . . . . . . . . . . . . . . . . . . . . . . 130 Monitor Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Business Continuity and Disaster Recovery . . . . . . . . . . . . . . . . . . . 130 Standards and Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . 133 Making BCM Part of the Enterprise Security Program . . . . . 136 BCP Project Components . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

00-FM.indd 8 14/04/16 10:24 AM

Contents

ix

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

Personnel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Hiring Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 Security-Awareness Training . . . . . . . . . . . . . . . . . . . . . . . . . 157 Degree or Certification? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 The Computer Ethics Institute . . . . . . . . . . . . . . . . . . . . . . . 166 The Internet Architecture Board . . . . . . . . . . . . . . . . . . . . . . 166 Corporate Ethics Programs . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

Chapter 2 Asset Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Information Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Archival . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Disposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

Information Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Classifications Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Classification Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Layers of Responsibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Executive Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Data Owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Data Custodian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 System Owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Security Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Supervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Change Control Analyst . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Data Analyst . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Why So Many Roles? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Retention Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Developing a Retention Policy . . . . . . . . . . . . . . . . . . . . . . . . 207

Protecting Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 Data Owners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 Data Processers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Data Remanence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Limits on Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

00-FM.indd 9 14/04/16 10:24 AM

CISSP All-in-One Exam Guide

x

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

Protecting Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 Data Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 Media Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Data Leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 Data Leak Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Protecting Other Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 Protecting Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 Paper Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 Safes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Chapter 3 Security Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 Computer Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

The Central Processing Unit . . . . . . . . . . . . . . . . . . . . . . . . . 252 Multiprocessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Memory Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Process Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Memory Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 Input/Output Device Management . . . . . . . . . . . . . . . . . . . . 285 CPU Architecture Integration . . . . . . . . . . . . . . . . . . . . . . . . 287 Operating System Architectures . . . . . . . . . . . . . . . . . . . . . . . 291 Virtual Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298

System Security Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 Security Architecture Requirements . . . . . . . . . . . . . . . . . . . . 302

Security Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Bell-LaPadula Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Biba Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 Clark-Wilson Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 Noninterference Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 Brewer and Nash Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 Graham-Denning Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 Harrison-Ruzzo-Ullman Model . . . . . . . . . . . . . . . . . . . . . . . 312

Systems Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 Common Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 Why Put a Product Through Evaluation? . . . . . . . . . . . . . . . 317

Certification vs. Accreditation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 Accreditation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

00-FM.indd 10 14/04/16 10:24 AM

Contents

xi

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

Open vs. Closed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 Open Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 Closed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

Distributed System Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321 Cloud Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 Parallel Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 Cyber-Physical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

A Few Threats to Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 Maintenance Hooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333 Time-of-Check/Time-of-Use Attacks . . . . . . . . . . . . . . . . . . . 333

Cryptography in Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 The History of Cryptography . . . . . . . . . . . . . . . . . . . . . . . . 335

Cryptography Definitions and Concepts . . . . . . . . . . . . . . . . . . . . . 340 Kerckhoffs’ Principle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 The Strength of the Cryptosystem . . . . . . . . . . . . . . . . . . . . . 343 Services of Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . . . 344 One-Time Pad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Running and Concealment Ciphers . . . . . . . . . . . . . . . . . . . . 347 Steganography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Types of Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350 Substitution Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Transposition Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

Methods of Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 Symmetric vs. Asymmetric Algorithms . . . . . . . . . . . . . . . . . 353 Symmetric Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . 354 Block and Stream Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . 359 Hybrid Encryption Methods . . . . . . . . . . . . . . . . . . . . . . . . . 364

Types of Symmetric Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 Data Encryption Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . 370 Triple-DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377 Advanced Encryption Standard . . . . . . . . . . . . . . . . . . . . . . . 378 International Data Encryption Algorithm . . . . . . . . . . . . . . . 378 Blowfish . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 RC4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 RC5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 RC6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379

Types of Asymmetric Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380 Diffie-Hellman Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . 380 RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 El Gamal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386 Elliptic Curve Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . 386 Knapsack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387 Zero Knowledge Proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

00-FM.indd 11 14/04/16 10:24 AM

CISSP All-in-One Exam Guide

xii

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

Message Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 The One-Way Hash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 Various Hashing Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . 393 MD4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394 MD5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394 SHA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395 Attacks Against One-Way Hash Functions . . . . . . . . . . . . . . . 395 Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396 Digital Signature Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Public Key Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Certificate Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402 The Registration Authority . . . . . . . . . . . . . . . . . . . . . . . . . . 402 PKI Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404 Key Management Principles . . . . . . . . . . . . . . . . . . . . . . . . . 406 Rules for Keys and Key Management . . . . . . . . . . . . . . . . . . 407

Trusted Platform Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407 TPM Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

Attacks on Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Ciphertext-Only Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Known-Plaintext Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Chosen-Plaintext Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Chosen-Ciphertext Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Differential Cryptanalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Linear Cryptanalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Side-Channel Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Replay Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Algebraic Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Analytic Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Statistical Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Social Engineering Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Meet-in-the-Middle Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 414

Site and Facility Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 The Site Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

Crime Prevention Through Environmental Design . . . . . . . . 420 Designing a Physical Security Program . . . . . . . . . . . . . . . . . 426

Protecting Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Protecting Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Using Safes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440

Internal Support Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 Electric Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Environmental Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446 Fire Prevention, Detection, and Suppression . . . . . . . . . . . . . 448

00-FM.indd 12 14/04/16 10:24 AM

Contents

xiii

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455

Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

Chapter 4 Communication and Network Security . . . . . . . . . . . . . . . . . . . . . . . 477

Telecommunications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479 Open Systems Interconnection Reference Model . . . . . . . . . . . . . . 479

Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480 Application Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 Presentation Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484 Session Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485 Transport Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 Network Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489 Data Link Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Physical Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Functions and Protocols in the OSI Model . . . . . . . . . . . . . . 492 Tying the Layers Together . . . . . . . . . . . . . . . . . . . . . . . . . . . 494 Multilayer Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

TCP/IP Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498 IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503 IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506 Layer 2 Security Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 Converged Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511

Types of Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512 Analog and Digital . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512 Asynchronous and Synchronous . . . . . . . . . . . . . . . . . . . . . . 514 Broadband and Baseband . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

Cabling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517 Coaxial Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517 Twisted-Pair Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518 Fiber-Optic Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519 Cabling Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520

Networking Foundations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522 Network Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 Media Access Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . 526 Transmission Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536 Network Protocols and Services . . . . . . . . . . . . . . . . . . . . . . . 538 Domain Name Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547 E-mail Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555 Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . 560 Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562

Networking Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567 Repeaters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567 Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567

00-FM.indd 13 14/04/16 10:24 AM

CISSP All-in-One Exam Guide

xiv

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571 Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576 PBXs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577 Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581 Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605 Honeypot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607 Unified Threat Management . . . . . . . . . . . . . . . . . . . . . . . . . 607 Content Distribution Networks . . . . . . . . . . . . . . . . . . . . . . . 608 Software Defined Networking . . . . . . . . . . . . . . . . . . . . . . . . 609

Intranets and Extranets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612 Metropolitan Area Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614

Metro Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615 Wide Area Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617

Telecommunications Evolution . . . . . . . . . . . . . . . . . . . . . . . 617 Dedicated Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620 WAN Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624

Remote Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644 Dial-up Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644 ISDN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645 DSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647 Cable Modems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649 Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657

Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659 Wireless Communications Techniques . . . . . . . . . . . . . . . . . . 660 WLAN Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664 Evolution of WLAN Security . . . . . . . . . . . . . . . . . . . . . . . . 665 Wireless Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672 Best Practices for Securing WLANs . . . . . . . . . . . . . . . . . . . . 677 Satellites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678 Mobile Wireless Communication . . . . . . . . . . . . . . . . . . . . . 678

Network Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685 Link Encryption vs. End-to-End Encryption . . . . . . . . . . . . . 685 E-mail Encryption Standards . . . . . . . . . . . . . . . . . . . . . . . . . 687 Internet Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690

Network Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696 Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696 Sniffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698 DNS Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699 Drive-by Download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701

Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715

00-FM.indd 14 14/04/16 10:24 AM

Contents

xv

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

Chapter 5 Identity and Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721

Security Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723 Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723 Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724

Identification, Authentication, Authorization, and Accountability . . . 724 Identification and Authentication . . . . . . . . . . . . . . . . . . . . . 727 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762 Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776 Identity as a Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785 Integrating Identity Services . . . . . . . . . . . . . . . . . . . . . . . . . 786

Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787 Discretionary Access Control . . . . . . . . . . . . . . . . . . . . . . . . . 787 Mandatory Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 789 Role-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 791 Rule-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 794

Access Control Techniques and Technologies . . . . . . . . . . . . . . . . . 796 Constrained User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 796 Access Control Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797 Content-Dependent Access Control . . . . . . . . . . . . . . . . . . . 798 Context-Dependent Access Control . . . . . . . . . . . . . . . . . . . 799

Access Control Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799 Centralized Access Control Administration . . . . . . . . . . . . . . 800 Decentralized Access Control Administration . . . . . . . . . . . . 807

Access Control Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807 Access Control Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808 Administrative Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809 Physical Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810 Technical Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811

Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814 Review of Audit Information . . . . . . . . . . . . . . . . . . . . . . . . . 816 Protecting Audit Data and Log Information . . . . . . . . . . . . . 818 Keystroke Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 818

Access Control Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819 Unauthorized Disclosure of Information . . . . . . . . . . . . . . . . 819

Access Control Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822 Intrusion Detection Systems . . . . . . . . . . . . . . . . . . . . . . . . . 822 Intrusion Prevention Systems . . . . . . . . . . . . . . . . . . . . . . . . 830

Threats to Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834 Dictionary Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835 Brute-Force Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835 Spoofing at Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836 Phishing and Pharming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836

00-FM.indd 15 14/04/16 10:24 AM

CISSP All-in-One Exam Guide

xvi

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840

Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854

Chapter 6 Security Assessment and Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859

Audit Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 860 Internal Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862 Third-Party Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863

Auditing Technical Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865 Vulnerability Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 866 Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869 War Dialing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 874 Other Vulnerability Types . . . . . . . . . . . . . . . . . . . . . . . . . . . 875 Postmortem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 876 Log Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878 Synthetic Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881 Misuse Case Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 882 Code Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 884 Interface Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886

Auditing Administrative Controls . . . . . . . . . . . . . . . . . . . . . . . . . . 886 Account Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886 Backup Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889 Disaster Recovery and Business Continuity . . . . . . . . . . . . . . 892 Security Training and Security Awareness Training . . . . . . . . 899 Key Performance and Risk Indicators . . . . . . . . . . . . . . . . . . 903

Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905 Technical Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 906 Executive Summaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 907

Management Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 908 Before the Management Review . . . . . . . . . . . . . . . . . . . . . . 909 Reviewing Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909 Management Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911

Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 914 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919

Chapter 7 Security Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923

The Role of the Operations Department . . . . . . . . . . . . . . . . . . . . . 924 Administrative Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 925

Security and Network Personnel . . . . . . . . . . . . . . . . . . . . . . 928 Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 929 Clipping Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930

00-FM.indd 16 14/04/16 10:24 AM

Contents

xvii

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

Assurance Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930 Operational Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931

Unusual or Unexplained Occurrences . . . . . . . . . . . . . . . . . . 931 Deviations from Standards . . . . . . . . . . . . . . . . . . . . . . . . . . 932 Unscheduled Initial Program Loads (aka Rebooting) . . . . . . . 932

Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933 Trusted Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933 Input and Output Controls . . . . . . . . . . . . . . . . . . . . . . . . . . 936 System Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 937 Remote Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 939

Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 940 Facility Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941 Personnel Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . 949 External Boundary Protection Mechanisms . . . . . . . . . . . . . . 950 Intrusion Detection Systems . . . . . . . . . . . . . . . . . . . . . . . . . 960 Patrol Force and Guards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 962 Dogs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963 Auditing Physical Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963

Secure Resource Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964 Asset Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964 Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . 966 Provisioning Cloud Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . 969

Network and Resource Availability . . . . . . . . . . . . . . . . . . . . . . . . . 970 Mean Time Between Failures . . . . . . . . . . . . . . . . . . . . . . . . . 971 Mean Time to Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972 Single Points of Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 973 Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 981 Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 983

Preventative Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984 Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 985 Intrusion Detection and Prevention Systems . . . . . . . . . . . . . 986 Antimalware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988 Patch Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988 Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991

The Incident Management Process . . . . . . . . . . . . . . . . . . . . . . . . . 993 Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 998 Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 998 Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 999 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1000 Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001 Remediation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001

Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002 Business Process Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006 Facility Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006

00-FM.indd 17 14/04/16 10:24 AM

CISSP All-in-One Exam Guide

xviii

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

Supply and Technology Recovery . . . . . . . . . . . . . . . . . . . . . . 1013 Choosing a Software Backup Facility . . . . . . . . . . . . . . . . . . . 1018 End-User Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021 Data Backup Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021 Electronic Backup Solutions . . . . . . . . . . . . . . . . . . . . . . . . . 1025 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1028

Insurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1030 Recovery and Restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1031

Developing Goals for the Plans . . . . . . . . . . . . . . . . . . . . . . . 1034 Implementing Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036

Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1038 Computer Forensics and Proper Collection of Evidence . . . . 1039 Motive, Opportunity, and Means . . . . . . . . . . . . . . . . . . . . . 1041 Computer Criminal Behavior . . . . . . . . . . . . . . . . . . . . . . . . 1042 Incident Investigators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1042 The Forensic Investigation Process . . . . . . . . . . . . . . . . . . . . . 1043 What Is Admissible in Court? . . . . . . . . . . . . . . . . . . . . . . . . 1049 Surveillance, Search, and Seizure . . . . . . . . . . . . . . . . . . . . . . 1051 Interviewing Suspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1052

Liability and Its Ramifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1053 Liability Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1056 Third-Party Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1058 Contractual Agreements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1058 Procurement and Vendor Processes . . . . . . . . . . . . . . . . . . . . 1059

Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1060 Personal Safety Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1063 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1064 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1064

Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1067 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1072

Chapter 8 Software Development Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077

Building Good Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077 Where Do We Place Security? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1078

Different Environments Demand Different Security . . . . . . . 1080 Environment vs. Application . . . . . . . . . . . . . . . . . . . . . . . . . 1081 Functionality vs. Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1082 Implementation and Default Issues . . . . . . . . . . . . . . . . . . . . 1082

Software Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . 1084 Project Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1084 Requirements Gathering Phase . . . . . . . . . . . . . . . . . . . . . . . 1085 Design Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1086 Development Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1089 Testing/Validation Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1093 Release/Maintenance Phase . . . . . . . . . . . . . . . . . . . . . . . . . . 1095

00-FM.indd 18 14/04/16 10:24 AM

Contents

xix

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

Secure Software Development Best Practices . . . . . . . . . . . . . . . . . . 1097 Software Development Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1098

Build and Fix Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099 Waterfall Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099 V-Shaped Model (V-Model) . . . . . . . . . . . . . . . . . . . . . . . . . 1100 Prototyping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101 Incremental Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101 Spiral Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1102 Rapid Application Development . . . . . . . . . . . . . . . . . . . . . . 1104 Agile Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105

Integrated Product Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1109 DevOps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1109

Capability Maturity Model Integration . . . . . . . . . . . . . . . . . . . . . . 1111 Change Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1113

Software Configuration Management . . . . . . . . . . . . . . . . . . 1114 Security of Code Repositories . . . . . . . . . . . . . . . . . . . . . . . . 1116

Programming Languages and Concepts . . . . . . . . . . . . . . . . . . . . . . 1116 Assemblers, Compilers, Interpreters . . . . . . . . . . . . . . . . . . . . 1119 Object-Oriented Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . 1121 Other Software Development Concepts . . . . . . . . . . . . . . . . 1129 Application Programming Interfaces . . . . . . . . . . . . . . . . . . . 1131

Distributed Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1132 Distributed Computing Environment . . . . . . . . . . . . . . . . . . 1132 CORBA and ORBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1134 COM and DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1136 Java Platform, Enterprise Edition . . . . . . . . . . . . . . . . . . . . . 1138 Service-Oriented Architecture . . . . . . . . . . . . . . . . . . . . . . . . 1138

Mobile Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1142 Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1142 ActiveX Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1144

Web Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1146 Specific Threats for Web Environments . . . . . . . . . . . . . . . . . 1146 Web Application Security Principles . . . . . . . . . . . . . . . . . . . 1154

Database Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1155 Database Management Software . . . . . . . . . . . . . . . . . . . . . . 1155 Database Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1157 Database Programming Interfaces . . . . . . . . . . . . . . . . . . . . . 1161 Relational Database Components . . . . . . . . . . . . . . . . . . . . . 1164 Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1166 Database Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1169 Data Warehousing and Data Mining . . . . . . . . . . . . . . . . . . . 1174

Malicious Software (Malware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1178 Viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1179 Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1182

00-FM.indd 19 14/04/16 10:24 AM

CISSP All-in-One Exam Guide

xx

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

Rootkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1182 Spyware and Adware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1184 Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1184 Logic Bombs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1186 Trojan Horses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1186 Antimalware Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1187 Spam Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1190 Antimalware Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1192

Assessing the Security of Acquired Software . . . . . . . . . . . . . . . . . . 1193 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1194 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1194

Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1199 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1207

Appendix A Comprehensive Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1213

Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1249

Appendix B About the CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1269

System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1269 Total Tester Premium Practice Exam Software . . . . . . . . . . . . . . . . . 1269 Installing and Running Total Tester

Premium Practice Exam Software . . . . . . . . . . . . . . . . . . . . . . . . 1270 Hotspot and Drag-and-Drop Questions . . . . . . . . . . . . . . . . . . . . . 1270 PDF Copy of the Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1270 Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1271

Total Seminars Technical Support . . . . . . . . . . . . . . . . . . . . . 1271 McGraw-Hill Education Content Support . . . . . . . . . . . . . . 1271

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1273

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1291

00-FM.indd 20 14/04/16 10:24 AM

xxi

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

IN MEMORY OF SHON HARRIS

In the summer of 2014, Shon asked me to write a foreword for the new edition of her CISSP All-in-One Exam Guide. I was honored to do that, and the following two para- graphs are that original foreword. Following that, I will say more about my friend, the late Shon Harris.

The cyber security field is still relatively new and has been evolving as technology advances. Every decade or so, we have an advance or two that seems to change the game. For example, in the 1990s we were focused primarily on “perimeter defense.” Lots of money was spent on perimeter devices like firewalls to keep the bad guys out. Around 2000, recognizing that perimeter defense alone was insufficient, the “defense in depth” approach became popular, and we spent another decade trying to build layers of defense and detect the bad guys who were able to get past our perimeter defenses. Again, lots of money was spent, this time on intrusion detection, intrusion prevention, and end-point solutions. Then, around 2010, following the lead of the U.S. government in particular, we began to focus on “continuous monitoring,” the goal being to catch the bad guys inside the network if they get past the perimeter defense and the defense in depth. Security information and event management (SIEM) technology has emerged as the best way to handle this continuous monitoring requirement. The latest buzz phrase is “active defense,” which refers to the ability to respond in real time through a dynamic and changing defense that works to contain the attacker and allow the organization to recover quickly and get back to business. We are starting to see the re-emergence of honeypots combined with sandbox technology to bait and trap attackers for further analysis of their activity. One thing is common throughout this brief historical survey: the bad guys keep getting in and we keep responding to try and keep up, if not prevent them in the first place. This cat-and-mouse game will continue for the foreseeable future.

As the cyber security field continuously evolves to meet the latest emerging threats, each new strategy and tactic brings with it a new set of terminology and concepts for the security professional to master. The sheer bulk of the body of knowledge can be overwhelming, particularly to newcomers. As a security practitioner, consultant, and business leader, I am often asked by aspiring security practitioners where to start when trying to get into the field. I often refer them to Shon’s CISSP All-in-One Exam Guide, not necessarily for the purpose of becoming a CISSP, but so that they may have in one resource the body of knowledge in the field. I am also often asked by experienced security practitioners how to advance in the field. I encourage them to pursue CISSP certification and, once again, I refer them to Shon’s book. Some are destined to become leaders in the field, and the CISSP is a solid certificate for managers. Other security professionals I encounter are just looking for more breadth of knowledge, and I recommend Shon’s book to them too as a good one-stop reference for that. This book has stood the test of time. It has evolved as the field has evolved and stands as the single most important

00-FM.indd 21 14/04/16 10:24 AM

CISSP All-in-One Exam Guide

xxii

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

book in the cyber security field, period. I have personally referred to it several times throughout my career and keep a copy near me at all times on my Kindle. Simply put, if you are in the cyber security field, you need a copy of this book.

On a personal note, little did I know that within months of writing the preceding foreword, Shon would no longer be with us. I counted Shon as a good friend and still admire her for her contribution to the field. I met Shon at a CISSP boot camp in 2002. I had just learned of the CISSP and within weeks found myself in her class. I had no clue that she had already written several books by that time and was a true leader in the field. I must have chattered away during our lunch sessions, because a few months after the class, she reached out to me and said, “Hey, I remember you were interested in writing. I have a new project that I need help on. Would you like to help?” After an awkward pause, as I picked myself up from the floor, I told her that I felt underqualified, but yes! That started a journey that has blessed me many times over. The book was called Gray Hat Hacking and is now in the fourth edition. From the book came many consulting, writing, and teaching opportunities, such as Black Hat. Then, as I retired from the Marine Corps, in 2008, there was Shon, right on cue: “Hey, I have an opportunity to provide services to a large company. Would you like to help?” Just like that, I had my first large client, launching my company, which I was able to grow, with Shon’s help, and then sell a couple of years ago. During the 12 years I knew her, Shon continued to give me opportunities to become much more than I could have dreamed. She never asked for a thing in return, simply saying, “You take it and run with it, I am too busy doing other things.” As I think back over my career after the Marine Corps, I owe most of my success to Shon. I have shared this story with others and found that I am not the only one; Shon blessed so many people with her giving spirit. I am convinced there are many “Shon” stories like this one out there. She touched so many people in the security field and more than lived up to the nickname I had for her, Miss CISSP.

Without a doubt, Shon was the most kindhearted, generous, and humble person in the field. If you knew Shon, I know you would echo that sentiment. If you did not know Shon, I hope that through these few words, you understand why she was so special and why there had to be another edition of this book. I have been asked several times over the last year, “Do you think there will be another edition? The security field and CISSP certification have both changed so much, we need another edition.” For this reason, I am excited this new edition came to be. Shon would have wanted the book to go on helping people to be the best they can be. I believe we, as a profession, need this book to continue. So, I am thankful that the team from McGraw-Hill and Fernando are honoring Shon in this way and continuing her legacy. She truly deserves it. Shon, you are missed and loved by so many. Through this book, your generous spirit lives on, helping others.

Allen Harper, CISSP (thanks to Shon) EVP and Chief Hacker, Tangible Security, Inc.

00-FM.indd 22 14/04/16 10:24 AM

xxiii

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

FOREWORD

I’m excited and honored to introduce the seventh edition of CISSP All-in-One Exam Guide to cyber security experts worldwide. This study guide is essential for those pursu- ing CISSP certification and should be part of every cyber security professional’s library.

After 39 years of service in the Profession of Arms, I know well what it means to be a member of a profession and the importance of shared values, common language, and identity. At the same time, expert knowledge gained through training, education, and experience are critical ingredients to a profession, but formal certifications based on clearly articulated standards are the coin of the realm for cyber security professionals.

In every operational assignment, I sought ways to leverage technology and increase digitization, while assuming our freedom to operate was not at risk. Today’s threats coupled with our vulnerabilities and the potential consequences create a new operational reality—national security is at risk. When we enter any network, we must fight to ensure we maintain our security, and cyber security experts are the professionals we will call on to out-think and out-maneuver the threats we face from cyberspace.

As our world becomes more interconnected, we can expect cyber threats to continue to grow exponentially. While our cyber workforce enabled by technology must focus on preventing threats and reducing vulnerabilities, we will not eliminate either. This demands professionals who understand risk management and security—experts who are trusted and committed to creating and providing a wide range of security measures tailored to mitigate enterprise risk and assure all missions, public and private.

Current, relevant domain expertise is the key, and the CISSP All-in-One Exam Guide is the king of the hill. In this edition, Shon’s quality content is present and is being stewarded forward by Fernando Maymí. You’re in good hands, and you will grow personally and professionally, from your study. As competent, trusted professionals of character, this book is essential to you, your organization, and our national security.

Rhett Hernandez Lieutenant General, U.S. Army Retired

Former Commander, U.S. Army Cyber Command Current West Point Cyber Chair, Army Cyber Institute

00-FM.indd 23 14/04/16 10:24 AM

CertPrs8 / OCA Java SE 7 Programmer I Study Guide (Exam 1Z0-803) / Finegan & Liguori / 942-1 / Front Matter / Blind Folio ii

CertPrs8 / OCA Java SE 7 Programmer I Study Guide (Exam 1Z0-803) / Finegan & Liguori / 942-1 / Front Matter / Blind Folio iii

00-FM.indd 2 8/24/12 2:43 PM

This page is intentionally left blank to match the printed book.

xxv

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

ACKNOWLEDGMENTS

We would like to thank all the people who work in the information security industry who are driven by their passion, dedication, and a true sense of doing right. The best security people are the ones who are driven toward an ethical outcome.

In this seventh edition, we would also like to thank the following:

• Ronald Dodge, who brought the two authors of this book together and, in doing so, set off a sequence of events that he couldn’t have possibly anticipated.

• David Miller, whose work ethic, loyalty, and friendship have continuously in- spired us.

• All the teammates from Logical Security. • The men and women of our armed forces, who selflessly defend our way of life. • Kathy Conlon, who, more than anyone else, set the conditions that led to seven editions of this book.

• David Harris. • Emma Fernandez.

Most especially, we thank you, our readers, for standing on the frontlines of our digital conflicts and for devoting your professional lives to keeping all of us safe in cyberspace.

00-FM.indd 25 14/04/16 10:24 AM

CertPrs8 / OCA Java SE 7 Programmer I Study Guide (Exam 1Z0-803) / Finegan & Liguori / 942-1 / Front Matter / Blind Folio ii

CertPrs8 / OCA Java SE 7 Programmer I Study Guide (Exam 1Z0-803) / Finegan & Liguori / 942-1 / Front Matter / Blind Folio iii

00-FM.indd 2 8/24/12 2:43 PM

This page is intentionally left blank to match the printed book.

xxvii

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

FROM THE AUTHOR

For the first time in seven editions, the CISSP All-in-One Exam Guide bears the names of two authors. For the first time in 15 years, Shon Harris will not be with us as we go to print on a new edition of her seminal work. Still, she remains with us in the pages of the hundreds of thousands of books sold, which have enriched the lives of security profes- sionals worldwide. It is no exaggeration to say that Shon was one of the most influential authors in our field. Her legacy lives on in the pages of this latest edition.

Our goal in this seventh edition of Shon’s book was both to address the newly revised CISSP body of knowledge and to allow you to hear Shon’s voice as you read the words on its pages. You see, much of the content in this book was actually authored by Shon. We have reorganized, enhanced, augmented, and updated it, but the content is still largely hers. If you have read any of her multitude of other works or had the blessing of having met her, you will recognize her distinctive tone in these pages. We also hope that you will perceive her penchant for excellence in every aspect of professional development.

The goal of this book is not just to get you to pass the CISSP exam, but to provide you the bedrock of knowledge that will allow you to flourish as an information systems security professional before and after you pass the certification exam. If you strive for excellence in your own development, the CISSP certification will follow as a natural byproduct. This approach will demand that you devote time and energy to topics and issues that may seem to have no direct or immediate return on investment. That is OK. We each have our own areas of strength and weakness, and many of us tend to reinforce the former while ignoring the latter. This leads to individuals who have tremendous depth in a very specific topic, but who lack the breadth to understand context or thrive in new and unexpected conditions. What we propose is an inversion of this natural tendency, so that we devote appropriate amounts of effort to those areas in which we are weakest. What we propose is that we balance the urge to be specialists with the need to be well-rounded professionals. This is what our organizations and societies need from us.

The very definition of a profession describes a group of trusted, well-trained individuals that performs a critical service that societies cannot do for themselves. In the case of the CISSP, this professional ensures the confidentiality, integrity, and availability of our information systems. This cannot be done simply by being the best firewall administrator, or the best forensic examiner, or the best reverse engineer. Instead, our service requires a breadth of knowledge that will allow us to choose the right tool for the job. This relevant knowledge, in turn, requires a foundation of (apparently less relevant) knowledge upon which we can build our expertise. This is why, in order to be competent professionals, we all need to devote ourselves to learning topics that may not be immediately useful.

This book provides an encyclopedic treatment of both directly applicable and foundational knowledge. It is designed, as it always was, to be both a study guide and an enduring reference. Our hope is that, long after you obtain your CISSP certification, you will turn to this tome time and again to brush up on your areas of weakness as well as to guide you in a lifelong pursuit of self-learning and excellence.

00-FM.indd 27 14/04/16 10:24 AM

CertPrs8 / OCA Java SE 7 Programmer I Study Guide (Exam 1Z0-803) / Finegan & Liguori / 942-1 / Front Matter / Blind Folio ii

CertPrs8 / OCA Java SE 7 Programmer I Study Guide (Exam 1Z0-803) / Finegan & Liguori / 942-1 / Front Matter / Blind Folio iii

00-FM.indd 2 8/24/12 2:43 PM

This page is intentionally left blank to match the printed book.

xxix

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

WHY BECOME A CISSP?

As our world changes, the need for improvements in security and technology continues to grow. Corporations and other organizations are desperate to identify and recruit talented and experienced security professionals to help protect the resources on which they depend to run their businesses and remain competitive. As a Certified Information Systems Security Professional (CISSP), you will be seen as a security professional of proven ability who has successfully met a predefined standard of knowledge and expe- rience that is well understood and respected throughout the industry. By keeping this certification current, you will demonstrate your dedication to staying abreast of security developments.

Consider some of the reasons for attaining a CISSP certification:

• To broaden your current knowledge of security concepts and practices • To demonstrate your expertise as a seasoned security professional • To become more marketable in a competitive workforce • To increase your salary and be eligible for more employment opportunities • To bring improved security expertise to your current occupation • To show a dedication to the security discipline

The CISSP certification helps companies identify which individuals have the ability, knowledge, and experience necessary to implement solid security practices; perform risk analysis; identify necessary countermeasures; and help the organization as a whole protect its facility, network, systems, and information. The CISSP certification also shows potential employers you have achieved a level of proficiency and expertise in skill sets and knowledge required by the security industry. The increasing importance placed on security in corporate success will only continue in the future, leading to even greater demands for highly skilled security professionals. The CISSP certification shows that a respected third-party organization has recognized an individual’s technical and theoretical knowledge and expertise, and distinguishes that individual from those who lack this level of knowledge.

Understanding and implementing security practices is an essential part of being a good network administrator, programmer, or engineer. Job descriptions that do not specifically target security professionals still often require that a potential candidate have a good understanding of security concepts as well as how to implement them. Due to staff size and budget restraints, many organizations can’t afford separate network and security staffs. But they still believe security is vital to their organization. Thus, they often try to combine knowledge of technology and security into a single role. With a CISSP designation, you can put yourself head and shoulders above other individuals in this regard.

00-FM.indd 29 14/04/16 10:24 AM

CISSP All-in-One Exam Guide

xxx

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

The CISSP Exam Because the CISSP exam covers the eight domains making up the CISSP Common Body of Knowledge (CBK), it is often described as being “an inch deep and a mile wide,” a reference to the fact that many questions on the exam are not very detailed and do not require you to be an expert in every subject. However, the questions do require you to be familiar with many different security subjects.

The CISSP exam comprises 250 multiple-choice and innovative questions, which must be answered in no more than 6 hours. Innovative questions incorporate drag- and-drop (i.e., take a term or item and drag it to the correct position in the frame) or hotspot (i.e., click the item or term that correctly answers the question) interfaces, but are otherwise weighed and scored just like any other question. The questions are pulled from a much larger question bank to ensure the exam is as unique as possible for each entrant. In addition, the test bank constantly changes and evolves to more accurately reflect the real world of security. The exam questions are continually rotated and replaced in the bank as necessary. Only 225 questions are graded, while 25 are used for research purposes. The 25 research questions are integrated into the exam, so you won’t know which go toward your final grade. To pass the exam, you need a scale score of 700 points out of 1,000. Questions are weighted based on their difficulty; not all questions are worth the same number of points. The exam is not product or vendor oriented, meaning no questions will be specific to certain products or vendors (for instance, Windows, Unix, or Cisco). Instead, you will be tested on the security models and methodologies used by these types of systems.

EXAM TIP There is no penalty for guessing. If you can’t come up with the right answer in a reasonable amount of time, then you should guess and move on to the next question.

(ISC)2, which stands for International Information Systems Security Certification Consortium, also includes scenario-based questions in the CISSP exam. These questions present a short scenario to the test taker rather than asking the test taker to identify terms and/or concepts. The goal of the scenario-based questions is to ensure that test takers not only know and understand the concepts within the CBK, but also can apply this knowledge to real-life situations. This is more practical because in the real world, you won’t be challenged by having someone asking you “What is the definition of collusion?” You need to know how to detect and prevent collusion from taking place, in addition to knowing the definition of the term.

After passing the exam, you will be asked to supply documentation, supported by a sponsor, proving that you indeed have the type of experience required to obtain this certification. The sponsor must sign a document vouching for the security experience you are submitting. So, make sure you have this sponsor lined up prior to registering for the exam and providing payment. You don’t want to pay for and pass the exam, only to find you can’t find a sponsor for the final step needed to achieve your certification.

00-FM.indd 30 14/04/16 10:24 AM

Why Become a CISSP?

xxxi

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

The reason behind the sponsorship requirement is to ensure that those who achieve the certification have real-world experience to offer organizations. Book knowledge is extremely important for understanding theory, concepts, standards, and regulations, but it can never replace hands-on experience. Proving your practical experience supports the relevance of the certification.

A small sample group of individuals selected at random will be audited after passing the exam. The audit consists mainly of individuals from (ISC)2 calling on the candidates’ sponsors and contacts to verify the test taker’s related experience.

One of the factors that makes the CISSP exam challenging is that most candidates, although they work in the security field, are not necessarily familiar with all eight CBK domains. If a security professional is considered an expert in vulnerability testing or application security, for example, she may not be familiar with physical security, cryptography, or forensics. Thus, studying for this exam will broaden your knowledge of the security field.

The exam questions address the eight CBK security domains, which are described in Table 1.

Domain Description

Security and Risk Management

This domain covers many of the foundational concepts of information systems security. Some of the topics covered include

• The principles of availability, integrity, and confidentiality • Security governance and compliance • Legal and regulatory issues • Professional ethics • Personnel security policies • Risk management • Threat modeling

Asset Security This domain examines the protection of information assets throughout their life cycle. Some of the topics covered include

• Information classification • Maintaining ownership • Privacy • Retention • Data security controls • Handling requirements

Security Engineering

This domain examines the development of information systems that remain secure in the face of a myriad of threats. Some of the topics covered include

• Security design principles • Selection of effective controls • Mitigation of vulnerabilities • Cryptography • Secure site and facility design • Physical security

Table 1 Security Domains That Make Up the CISSP CBK (continued)

00-FM.indd 31 14/04/16 10:24 AM

CISSP All-in-One Exam Guide

xxxii

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

Table 1 Security Domains That Make Up the CISSP CBK

Domain Description

Communication and Network Security

This domain examines network architectures, communications technologies, and network protocols with a goal of understanding how to secure them. Some of the topics covered include

• Secure network architectures • Network components • Secure communications channels • Network attacks

Identity and Access Management

Identity and access management is one of the most important topics in information security. This domain covers the interactions between users and systems as well as between systems and other systems. Some of the topics covered include

• Controlling physical and logical access • Identification and authentication • Identity as a Service • Third-party identity services • Authorization methods • Access control attacks

Security Assessment and Testing

This domain examines ways to verify the security of our information systems. Some of the topics covered include

• Assessment and testing strategies • Testing security controls • Collecting security process data • Analyzing and reporting results • Conducting and facilitating audits

Security Operations

This domain covers the many activities involved in the daily business of maintaining the security of our networks. Some of the topics covered include • Supporting investigations • Logging and monitoring • Secure provisioning of resources • Incident management • Preventative measures • Change management • Business continuity • Managing physical security

Software Development Security

This domain examines the application of security principles to the acquisition and development of software systems. Some of the topics covered include • Security in the software development life cycle • Security controls in development activities • Assessing software security • Assessing the security implications of acquired software

00-FM.indd 32 14/04/16 10:24 AM

Why Become a CISSP?

xxxiii

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

(ISC)2 attempts to keep up with changes in technology and methodologies in the security field by adding numerous new questions to the test question bank each year. These questions are based on current technologies, practices, approaches, and standards. For example, the CISSP exam given in 1998 did not have questions pertaining to wireless security, cross-site scripting attacks, or IPv6.

What Does This Book Cover? This book covers everything you need to know to become an (ISC)2-certified CISSP. It teaches you the hows and whys behind organizations’ development and implementa- tion of policies, procedures, guidelines, and standards. It covers network, application, and system vulnerabilities; what exploits them; and how to counter these threats. The book explains physical security, operational security, and why systems implement the security mechanisms they do. It also reviews the U.S. and international security criteria and evaluations performed on systems for assurance ratings, what these criteria mean, and why they are used. This book also explains the legal and liability issues that surround computer systems and the data they hold, including such subjects as computer crimes, forensics, and what should be done to properly prepare computer evidence associated with these topics for court.

While this book is mainly intended to be used as a study guide for the CISSP exam, it is also a handy reference guide for use after your certification.

Tips for Taking the CISSP Exam Many people feel as though the exam questions are tricky. Make sure to read each ques- tion and its answer choices thoroughly instead of reading a few words and immediately assuming you know what the question is asking. Some of the answer choices may have only subtle differences, so be patient and devote time to reading through the question more than once.

A common complaint heard about the CISSP exam is that some questions seem a bit subjective. For example, whereas it might be easy to answer a technical question that asks for the exact mechanism used in Transport Layer Security (TLS) that protects against man-in-the-middle attacks, it’s not quite as easy to answer a question that asks whether an eight-foot perimeter fence provides low, medium, or high security. Many questions ask the test taker to choose the “best” approach, which some people find confusing and subjective. These complaints are mentioned here not to criticize (ISC)2 and the exam writers, but to help you better prepare for the exam. This book covers all the necessary material for the exam and contains many questions and self-practice tests. Most of the questions are formatted in such a way as to better prepare you for what you will encounter on the actual exam. So, make sure to read all the material in the book, and pay close attention to the questions and their formats. Even if you know the subject well, you may still get some answers wrong—it is just part of learning how to take tests.

In answering many questions, it is important to keep in mind that some things are inherently more valuable than others. For example, the protection of human lives and welfare will almost always trump all other responses. Similarly, if all other factors are equal

00-FM.indd 33 14/04/16 10:24 AM

CISSP All-in-One Exam Guide

xxxiv

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

and you are given a choice between an expensive and complex solution and a simpler and cheaper one, the second will win most of the time. Expert advice (e.g., from an attorney) is more valuable than that offered by someone with lesser credentials. If one of the possible responses to a question is to seek or obtain advice from an expert, pay close attention to that question. The correct response may very well be to seek out that expert.

Familiarize yourself with industry standards and expand your technical knowledge and methodologies outside the boundaries of what you use today. We cannot stress enough that just because you are the top dog in your particular field, it doesn’t mean you are properly prepared for every domain the exam covers.

When you take the CISSP exam at the Pearson VUE test center, other certification exams may be taking place simultaneously in the same room. Don’t feel rushed if you see others leaving the room early; they may be taking a shorter exam.

How to Use This Book Much effort has gone into putting all the necessary information into this book. Now it’s up to you to study and understand the material and its various concepts. To best benefit from this book, you might want to use the following study method:

• Study each chapter carefully and make sure you understand each concept presented. Many concepts must be fully understood, and glossing over a couple here and there could be detrimental to you. The CISSP CBK contains hundreds of individual topics, so take the time needed to understand them all.

• Make sure to study and answer all of the questions. If any questions confuse you, go back and study those sections again. Remember, some of the questions on the actual exam are a bit confusing because they do not seem straightforward. Do not ignore the confusing questions, thinking they’re not well worded. Instead, pay even closer attention to them because they are there for a reason.

• If you are not familiar with specific topics, such as firewalls, laws, physical security, or protocol functionality, use other sources of information (books, articles, and so on) to attain a more in-depth understanding of those subjects. Don’t just rely on what you think you need to know to pass the CISSP exam.

• After reading this book, study the questions and answers, and take the practice tests. Then review the (ISC)2 exam outline and make sure you are comfortable with each bullet item presented. If you are not comfortable with some items, revisit those chapters.

• If you have taken other certification exams—such as Cisco, Novell, or Microsoft— you might be used to having to memorize details and configuration parameters. But remember, the CISSP test is “an inch deep and a mile wide,” so make sure you understand the concepts of each subject before trying to memorize the small, specific details.

• Remember that the exam is looking for the “best” answer. On some questions test takers do not agree with any or many of the answers. You are being asked to choose the best answer out of the four being offered to you.

00-FM.indd 34 14/04/16 10:24 AM

CHAPTER

1

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1

1Security and Risk Management This chapter presents the following:

• Security terminology and principles • Protection control types • Security frameworks, models, standards, and best practices • Computer laws and crimes • Intellectual property • Data breaches • Risk management • Threat modeling • Business continuity and disaster recovery • Personnel security • Security governance

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards—and even then

I have my doubts.

—Eugene H. Spafford

In reality, organizations have many other things to do than practice security. Businesses exist to make money. Most nonprofit organizations exist to offer some type of service, as in charities, educational centers, and religious entities. None of them exist specifi- cally to deploy and maintain firewalls, intrusion detection systems, identity management technologies, and encryption devices. No business really wants to develop hundreds of security policies, deploy antimalware products, maintain vulnerability management sys- tems, constantly update its incident response capabilities, and have to comply with the alphabet soup of security laws, regulations, and standards such as SOX (Sarbanes-Oxley), GLBA (Gramm-Leach-Bliley Act), PCI DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), and FISMA (Federal Information Security Management Act). Business owners would like to be able to make their widgets, sell their widgets, and go home. But those simpler days are long

01-ch01.indd 1 14/04/16 11:41 AM

CISSP All-in-One Exam Guide

2

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1

gone. Now organizations are faced with attackers who want to steal businesses’ customer data to carry out identity theft and banking fraud. Company secrets are commonly being stolen by internal and external entities for economic espionage purposes. Systems are being hijacked and used within botnets to attack other organizations or to spread spam. Company funds are being secretly siphoned off through complex and hard-to-identify digital methods, commonly by organized criminal rings in different countries. And orga- nizations that find themselves in the crosshairs of attackers may come under constant attack that brings their systems and websites offline for hours or days. Companies are required to practice a wide range of security disciplines today to keep their market share, protect their customers and bottom line, stay out of jail, and still sell their widgets.

In this chapter we will cover many of the disciplines that are necessary for organizations to practice security in a holistic manner. Each organization must develop an enterprise- wide security program that consists of technologies, procedures, and processes covered throughout this book. As you go along in your security career, you will find that most organizations have some pieces to the puzzle of an “enterprise-wide security program” in place, but not all of them. And almost every organization struggles with the best way to assess the risks it faces and how to allocate funds and resources properly to mitigate those risks. Many of the security programs in place today can be thought of as lopsided or lumpy. The security programs excel within the disciplines that the team is most familiar with, and the other disciplines are found lacking. It is your responsibility to become as well rounded in security as possible so that you can identify these deficiencies in security programs and help improve upon them. This is why the CISSP exam covers a wide variety of technologies, methodologies, and processes—you must know and understand them holistically if you are going to help an organization carry out security holistically.

We will begin with the foundational pieces of security and build upon them through the chapter and then throughout the book. Building your knowledge base is similar to building a house: without a solid foundation, it will be weak, unpredictable, and fail in the most critical of moments. Our goal is to make sure you have solid and deep roots of understanding so that you can not only protect yourself against many of the threats we face today, but also protect the commercial and government organizations who depend upon you and your skill set.

The essence of our work as security professionals is our understanding of two key terms: security and risk. Since security is what we are charged with providing to our organizations, it is a good idea to spend some time defining this and related terms. A good way to understand key terms in a broader societal context is to explore the laws and crimes around them, together with the concomitant tradeoffs that we must make lest we sacrifice privacy in the name of crime fighting. Building on this foundation, we next turn our attention to the concept that should underlie every decision made when defending our information systems: risk. Risk is so important that we will cover it in detail in this chapter, but will also return to it time and again in the rest of the book. We start off narrowly, but focusing on the malicious threats to our organizations; we also widen our aperture to include accidental and environmental threats and how to prepare for them by planning for business continuity and disaster recovery. Finally, we will close

01-ch01.indd 2 14/04/16 11:42 AM

Chapter 1: Security and Risk Management

3

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1

with discussions on personnel, governance, and ethics and how they apply to all that has preceded them in this chapter.

Fundamental Principles of Security We need to understand the core goals of security, which are to provide availability, integ- rity, and confidentiality (AIC triad) protection for critical assets. Each asset will require different levels of these types of protection, as we will see in the following sections. All security controls, mechanisms, and safeguards are implemented to provide one or more of these protection types, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles.

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

6 writers have sent their proposals to do this homework:

Writing Factory
Math Specialist
Accounting Homework Help
Financial Solutions Provider
Assignment Helper
Quick N Quality
Writer Writer Name Offer Chat
Writing Factory

ONLINE

Writing Factory

I can assist you in plagiarism free writing as I have already done several related projects of writing. I have a master qualification with 5 years’ experience in; Essay Writing, Case Study Writing, Report Writing.

$48 Chat With Writer
Math Specialist

ONLINE

Math Specialist

I have written research reports, assignments, thesis, research proposals, and dissertations for different level students and on different subjects.

$22 Chat With Writer
Accounting Homework Help

ONLINE

Accounting Homework Help

I will provide you with the well organized and well research papers from different primary and secondary sources will write the content that will support your points.

$45 Chat With Writer
Financial Solutions Provider

ONLINE

Financial Solutions Provider

Being a Ph.D. in the Business field, I have been doing academic writing for the past 7 years and have a good command over writing research papers, essay, dissertations and all kinds of academic writing and proofreading.

$23 Chat With Writer
Assignment Helper

ONLINE

Assignment Helper

I will be delighted to work on your project. As an experienced writer, I can provide you top quality, well researched, concise and error-free work within your provided deadline at very reasonable prices.

$46 Chat With Writer
Quick N Quality

ONLINE

Quick N Quality

I have read your project details and I can provide you QUALITY WORK within your given timeline and budget.

$19 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Similar Homework Questions

Shoo fly don't bother me - How to write a letter to a friend - Chcccs011 learner guide - Introduction to java programming and data structures comprehensive version pdf - Textual analysis essay assignment - Red lion hmi software download - Discussion 1.3 Management Theories - Deliverable 6 – 5500 Conflict Management and Negotiation Strategies - Children's activities for a shunammite woman helps elisha - Oreo ultimate dunking set rite aid - How long is 1260 days in years - 4/114 dennis road springwood - 640w2D1 - Levay simon et al discovering human sexuality 4th edition pdf - Seed lab sql injection - Playground duty policy nsw - Peter's pool service - Year 11 legal studies exam - 1 4 bsw tap drill size - Is it Right to be a Relativist? - Discussion: Alternate Selection Procedure Validation Processes - Royal north shore private maternity - Biology - Strain hardening exponent from stress strain curve - Henry ford college webadvisor - R v katarzynski [2002] nswsc 613 - Capital acquisition and repayment cycle - List of all ps2 games - Dosh pressure vessel certification - Apa ethical guidelines ap psychology - Four stages of appreciative inquiry - Berridge manufacturing color chart - Mary ward centre london - Should i buy aurora stock - Research health - Business Proposal for Change - Sources of errors in calibration of burette - Abc company currently has 1/4 fewer computers - Studio arts exam 2016 - Organizational behavior managing people and organizations pdf - Fire drill powerpoint templates - Course Paper Prep: Interview Planning Assignments Submit Assignment - BUS 629 Final Assignment - Jennifer aniston aveeno 2019 - Problem Statement - Caboolture rubbish tip hours - Acct10001 - accounting reports and analysis - Economies of scale in managerial economics - African american thesis statement - 63-MS-Four - Juran's quality planning roadmap - Devil's playground amish movie - Accorhotels and the digital transformation case analysis - I lost my homework in a cave somewhere - Aircraft metal structural repair - 1. Strategic Decision Making 2. Initiating the Project - Trader joe's design jobs - Www masteringgeology com - How to measure benefits - Marketing Plan - Securities exchange act of auditor liability - Padan aram bible map - Index person in genogram - Advantages of living in a multi faith society - Tom robinson innocence quotes - Dq - Fist stick knife gun sparknotes - Capstone Research Companion - Clark golder golder comparative politics - Water balance feedback loop - Us architectural lighting rzr - Discussion Reply- Response 1-2 paragraphs with 1-2 references - All three models of urban structure - Ted bundy height weight - Four lens night vision - They say i say chapter 7 exercise answers - Up the coolly keystone answers - So42- to so2 half equation - Games on human resource management - Goetsch and davis 2012 pdf - Qut library room booking - Clavubactin 250 62.5 mg - Bl21 de3 transformation protocol - Geringer v wildhorn ranch inc case brief - Vce physical education units 1 and 2 - Self balancing robot raspberry pi - Write 42 as a product of primes - Richard g ukulele songs - Maddie and elijah intro song - Sweat gland distribution experiment lab report - Global warming - Enron case study - An explanation of at least two opportunities that exist for RN's and APRNs to actively participate in policy-making.  - Methods of risk analysis in capital budgeting - Finance - Time zones practice worksheet pdf - Dream chocolate company choosing a costing system answers - 123 springdale road east killara - 171 wust road cooroy - Essay on criminal justice