All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter Blind Folio i
ALL IN ONE
CISSP® Exam Guide
Seventh Edition
Shon Harris, Fernando Maymí
New York Chicago San Francisco Athens London Madrid Mexico City
Milan New Delhi Singapore Sydney Toronto
McGraw-Hill Education is an independent entity from (ISC)2® and is not affiliated with (ISC)2 in any manner. This study/training guide and/or material is not sponsored by, endorsed by, or affiliated with (ISC)2 in any manner. This publication and CD may be used in assisting students to prepare for the CISSP exam. Neither (ISC)2 nor McGraw-Hill Education warrants that use of this publication and CD will ensure passing any exam. (ISC)2®, CISSP®, CAP®, ISSAP®, ISSEP®, ISSMP®, SSCP®, CCSP®, and CBK® are trademarks or registered trademarks of (ISC)2 in the United States and certain other countries. All other trademarks are trademarks of their respective owners.
00-FM.indd 1 14/04/16 10:24 AM
McGraw-Hill Education books are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative, please visit the Contact Us pages at www.mhprofessional.com.
CISSP® All-in-One Exam Guide, Seventh Edition
Copyright © 2016 by McGraw-Hill Education. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
All trademarks or copyrights mentioned herein are the possession of their respective owners and McGraw-Hill Education makes no claim of ownership by the mention of products that contain these marks.
1 2 3 4 5 6 7 8 9 DOC 21 20 19 18 17 16
ISBN: Book p/n 978-0-07-184961-6 and CD p/n 978-0-07-184925-8 of set 978-0-07-184927-2
MHID: Book p/n 0-07-184961-0 and CD p/n 0-07-184925-4 of set 0-07-184927-0
Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
Sponsoring Editor Wendy Rinaldi
Editorial Supervisor Janet Walden
Project Manager Yashmita Hota, Cenveo® Publisher Services
Acquisitions Coordinator Amy Stonebraker
Technical Editor Jonathan Ham
Copy Editor William McManus
Proofreader Lisa McCoy
Indexer Karin Arrigoni
Production Supervisor James Kussow
Composition Cenveo Publisher Services
Illustration Cenveo Publisher Services
Art Director, Cover Jeff Weeks
Library of Congress Cataloging-in-Publication Data
Names: Harris, Shon, author. | Maymi, Fernando, author.
Title: CISSP exam guide / Shon Harris, Fernando Maymi.
Other titles: CISSP all-in-one exam guide
Description: Seventh edition. | New York : McGraw-Hill Education, 2016. | Includes index.
Identifiers: LCCN 2016017045 (print) | LCCN 2016017235 (ebook) | ISBN 9780071849272 (set : alk. paper) | ISBN 9780071849616 (book : alk. paper) | ISBN 9780071849258 (CD) | ISBN 0071849270 (set : alk. paper) | ISBN 0071849610 (book : alk. paper) | ISBN 0071849254 (CD) | ISBN 9780071849265 ()
Subjects: LCSH: Computer networks—Examinations—Study guides. | Telecommunications engineers—Certification.
Classification: LCC TK5105.5 .H368 2016 (print) | LCC TK5105.5 (ebook) | DDC 005.8—dc23
LC record available at https://lccn.loc.gov/2016017045
We dedicate this book to all those who have served selflessly.
ABOUT THE AUTHORS
Shon Harris, CISSP, was the founder and CEO of Shon Harris Security LLC and Logical Security LLC, a security consultant, a former engineer in the Air Force’s Information Warfare unit, an instructor, and an author. Shon owned and ran her own training and consulting companies for 13 years prior to her death in 2014. She consulted with Fortune 100 corporations and government agencies on extensive security issues. She authored three best-selling CISSP books, was a contributing author to Gray Hat Hacking: The Ethical Hacker’s Handbook and Security Information and Event Management (SIEM) Implementation, and a technical editor for Information Security Magazine.
Fernando Maymí, Ph.D., CISSP, is a security practitioner with over 25 years’ experience in the field. He currently leads a multidisciplinary team charged with developing disruptive innovations for cyberspace operations as well as impactful public-private partnerships aimed at better securing cyberspace. Fernando has served as a consultant for both government and private-sector organizations in the United States and abroad. He has authored and taught dozens of courses and workshops in cyber security for academic, government, and professional audiences in the United States and Latin America. Fernando is the author of over a dozen publications and holds three patents. His awards include the U.S. Department of the Army Research and Development Achievement Award and he was recognized as a HENAAC Luminary. He worked closely with Shon Harris, advising her on a multitude of projects, including the sixth edition of the CISSP All-in-One Exam Guide. Fernando is also a volunteer puppy raiser for Guiding Eyes for the Blind and has raised two guide dogs, Trinket and Virgo.
About the Contributor
Bobby E. Rogers is an information security engineer working as a contractor for Department of Defense agencies, helping to secure, certify, and accredit their information systems. His duties include information system security engineering, risk management, and certification and accreditation efforts. He retired after 21 years in the U.S. Air Force, serving as a network security engineer and instructor, and has secured networks all over the world. Bobby has a master’s degree in information assurance (IA) and is pursuing a doctoral degree in cybersecurity from Capitol Technology University in Maryland. His many certifications include CISSP-ISSEP, CEH, and MCSE: Security, as well as the CompTIA A+, Network+, Security+, and Mobility+ certifications.
About the Technical Editor
Jonathan Ham, CISSP, GSEC, GCIA, GCIH, is an independent consultant who specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. With a keen understanding of ROI and TCO, he has helped his clients achieve greater success for more than 12 years, advising in both the public and private sectors, from small upstarts to the Fortune 500. Jonathan has been commissioned to teach NCIS investigators how to use Snort, has performed packet analysis from a facility more than 2,000 feet underground, and has chartered and trained the CIRT for one of the largest U.S. civilian federal agencies. He is a member of the GIAC Advisory Board and is a SANS instructor teaching their MGT414: SANS Training Program for CISSP Certification course. He is also co-author of Network Forensics: Tracking Hackers Through Cyberspace, a textbook published by Prentice-Hall.
CONTENTS AT A GLANCE
Chapter 1 Security and Risk Management . . . . 1
Chapter 2 Asset Security . . . . 189
Chapter 3 Security Engineering . . . . 247
Chapter 4 Communication and Network Security . . . . 477
Chapter 5 Identity and Access Management . . . . 721
Chapter 6 Security Assessment and Testing . . . . 859
Chapter 7 Security Operations . . . . 923
Chapter 8 Software Development Security . . . . 1077
Appendix A Comprehensive Questions . . . . 1213
Appendix B About the CD-ROM . . . . 1269
Glossary . . . . 1273
Index . . . . 1291
CONTENTS
In Memory of Shon Harris . . . . xxi
Foreword . . . . xxiii
Acknowledgments . . . . xxv
From the Author . . . . xxvii
Why Become a CISSP? . . . . xxix
Chapter 1 Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Fundamental Principles of Security . . . . 3
    Availability . . . . 3
    Integrity . . . . 4
    Confidentiality . . . . 5
    Balanced Security . . . . 5
Security Definitions . . . . 6
Control Types . . . . 8
Security Frameworks . . . . 13
    ISO/IEC 27000 Series . . . . 16
    Enterprise Architecture Development . . . . 19
    Security Controls Development . . . . 33
    Process Management Development . . . . 37
    Functionality vs. Security . . . . 45
The Crux of Computer Crime Laws . . . . 45
Complexities in Cybercrime . . . . 48
    Electronic Assets . . . . 49
    The Evolution of Attacks . . . . 50
    International Issues . . . . 54
    Types of Legal Systems . . . . 58
Intellectual Property Laws . . . . 62
    Trade Secret . . . . 63
    Copyright . . . . 64
    Trademark . . . . 65
    Patent . . . . 65
    Internal Protection of Intellectual Property . . . . 67
    Software Piracy . . . . 68
Privacy . . . . 70
    The Increasing Need for Privacy Laws . . . . 72
    Laws, Directives, and Regulations . . . . 73
    Employee Privacy Issues . . . . 81
Data Breaches . . . . 84
    U.S. Laws Pertaining to Data Breaches . . . . 84
    Other Nations’ Laws Pertaining to Data Breaches . . . . 85
Policies, Standards, Baselines, Guidelines, and Procedures . . . . 86
    Security Policy . . . . 87
    Standards . . . . 90
    Baselines . . . . 91
    Guidelines . . . . 92
    Procedures . . . . 93
    Implementation . . . . 93
Risk Management . . . . 94
    Holistic Risk Management . . . . 95
    Information Systems Risk Management Policy . . . . 95
    The Risk Management Team . . . . 96
    The Risk Management Process . . . . 97
Threat Modeling . . . . 98
    Vulnerabilities . . . . 98
    Threats . . . . 100
    Attacks . . . . 100
    Reduction Analysis . . . . 101
Risk Assessment and Analysis . . . . 102
    Risk Analysis Team . . . . 103
    The Value of Information and Assets . . . . 104
    Costs That Make Up the Value . . . . 105
    Identifying Vulnerabilities and Threats . . . . 106
    Methodologies for Risk Assessment . . . . 107
    Risk Analysis Approaches . . . . 112
    Qualitative Risk Analysis . . . . 116
    Protection Mechanisms . . . . 119
    Putting It Together . . . . 123
    Total Risk vs. Residual Risk . . . . 123
    Handling Risk . . . . 124
    Outsourcing . . . . 126
Risk Management Frameworks . . . . 126
    Categorize Information System . . . . 128
    Select Security Controls . . . . 128
    Implement Security Controls . . . . 129
    Assess Security Controls . . . . 129
    Authorize Information System . . . . 130
    Monitor Security Controls . . . . 130
Business Continuity and Disaster Recovery . . . . 130
    Standards and Best Practices . . . . 133
    Making BCM Part of the Enterprise Security Program . . . . 136
    BCP Project Components . . . . 139
Personnel Security . . . . 154
    Hiring Practices . . . . 155
    Termination . . . . 157
    Security-Awareness Training . . . . 157
    Degree or Certification? . . . . 159
Security Governance . . . . 159
    Metrics . . . . 160
Ethics . . . . 165
    The Computer Ethics Institute . . . . 166
    The Internet Architecture Board . . . . 166
    Corporate Ethics Programs . . . . 168
Summary . . . . 168
Quick Tips . . . . 170
    Questions . . . . 175
    Answers . . . . 184
Chapter 2 Asset Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Information Life Cycle . . . . 190
    Acquisition . . . . 190
    Use . . . . 191
    Archival . . . . 191
    Disposal . . . . 192
Information Classification . . . . 193
    Classifications Levels . . . . 194
    Classification Controls . . . . 197
Layers of Responsibility . . . . 199
    Executive Management . . . . 199
    Data Owner . . . . 203
    Data Custodian . . . . 204
    System Owner . . . . 204
    Security Administrator . . . . 205
    Supervisor . . . . 205
    Change Control Analyst . . . . 205
    Data Analyst . . . . 205
    User . . . . 206
    Auditor . . . . 206
    Why So Many Roles? . . . . 206
Retention Policies . . . . 206
    Developing a Retention Policy . . . . 207
Protecting Privacy . . . . 210
    Data Owners . . . . 210
    Data Processers . . . . 211
    Data Remanence . . . . 211
    Limits on Collection . . . . 214
Protecting Assets . . . . 215
    Data Security Controls . . . . 216
    Media Controls . . . . 219
Data Leakage . . . . 225
    Data Leak Prevention . . . . 226
Protecting Other Assets . . . . 234
    Protecting Mobile Devices . . . . 234
    Paper Records . . . . 235
    Safes . . . . 236
Summary . . . . 236
Quick Tips . . . . 237
    Questions . . . . 239
    Answers . . . . 243
Chapter 3 Security Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
System Architecture . . . . 248
Computer Architecture . . . . 252
    The Central Processing Unit . . . . 252
    Multiprocessing . . . . 257
    Memory Types . . . . 258
Operating Systems . . . . 271
    Process Management . . . . 271
    Memory Management . . . . 280
    Input/Output Device Management . . . . 285
    CPU Architecture Integration . . . . 287
    Operating System Architectures . . . . 291
    Virtual Machines . . . . 298
System Security Architecture . . . . 301
    Security Policy . . . . 301
    Security Architecture Requirements . . . . 302
Security Models . . . . 307
    Bell-LaPadula Model . . . . 307
    Biba Model . . . . 308
    Clark-Wilson Model . . . . 309
    Noninterference Model . . . . 310
    Brewer and Nash Model . . . . 311
    Graham-Denning Model . . . . 311
    Harrison-Ruzzo-Ullman Model . . . . 312
Systems Evaluation . . . . 313
    Common Criteria . . . . 313
    Why Put a Product Through Evaluation? . . . . 317
Certification vs. Accreditation . . . . 318
    Certification . . . . 318
    Accreditation . . . . 319
Open vs. Closed Systems . . . . 320
    Open Systems . . . . 320
    Closed Systems . . . . 320
Distributed System Security . . . . 321
    Cloud Computing . . . . 322
    Parallel Computing . . . . 323
    Databases . . . . 324
    Web Applications . . . . 326
    Mobile Devices . . . . 327
    Cyber-Physical Systems . . . . 328
A Few Threats to Review . . . . 332
    Maintenance Hooks . . . . 333
    Time-of-Check/Time-of-Use Attacks . . . . 333
Cryptography in Context . . . . 335
    The History of Cryptography . . . . 335
Cryptography Definitions and Concepts . . . . 340
    Kerckhoffs’ Principle . . . . 342
    The Strength of the Cryptosystem . . . . 343
    Services of Cryptosystems . . . . 344
    One-Time Pad . . . . 345
    Running and Concealment Ciphers . . . . 347
    Steganography . . . . 348
Types of Ciphers . . . . 350
    Substitution Ciphers . . . . 351
    Transposition Ciphers . . . . 351
Methods of Encryption . . . . 353
    Symmetric vs. Asymmetric Algorithms . . . . 353
    Symmetric Cryptography . . . . 354
    Block and Stream Ciphers . . . . 359
    Hybrid Encryption Methods . . . . 364
Types of Symmetric Systems . . . . 369
    Data Encryption Standard . . . . 370
    Triple-DES . . . . 377
    Advanced Encryption Standard . . . . 378
    International Data Encryption Algorithm . . . . 378
    Blowfish . . . . 379
    RC4 . . . . 379
    RC5 . . . . 379
    RC6 . . . . 379
Types of Asymmetric Systems . . . . 380
    Diffie-Hellman Algorithm . . . . 380
    RSA . . . . 383
    El Gamal . . . . 386
    Elliptic Curve Cryptosystems . . . . 386
    Knapsack . . . . 387
    Zero Knowledge Proof . . . . 387
Message Integrity . . . . 388
    The One-Way Hash . . . . 388
    Various Hashing Algorithms . . . . 393
    MD4 . . . . 394
    MD5 . . . . 394
    SHA . . . . 395
    Attacks Against One-Way Hash Functions . . . . 395
    Digital Signatures . . . . 396
    Digital Signature Standard . . . . 398
Public Key Infrastructure . . . . 399
    Certificate Authorities . . . . 399
    Certificates . . . . 402
    The Registration Authority . . . . 402
    PKI Steps . . . . 403
Key Management . . . . 404
    Key Management Principles . . . . 406
    Rules for Keys and Key Management . . . . 407
Trusted Platform Module . . . . 407
    TPM Uses . . . . 408
Attacks on Cryptography . . . . 409
    Ciphertext-Only Attacks . . . . 410
    Known-Plaintext Attacks . . . . 410
    Chosen-Plaintext Attacks . . . . 410
    Chosen-Ciphertext Attacks . . . . 410
    Differential Cryptanalysis . . . . 411
    Linear Cryptanalysis . . . . 412
    Side-Channel Attacks . . . . 412
    Replay Attacks . . . . 413
    Algebraic Attacks . . . . 413
    Analytic Attacks . . . . 413
    Statistical Attacks . . . . 413
    Social Engineering Attacks . . . . 413
    Meet-in-the-Middle Attacks . . . . 414
Site and Facility Security . . . . 414
The Site Planning Process . . . . 415
    Crime Prevention Through Environmental Design . . . . 420
    Designing a Physical Security Program . . . . 426
Protecting Assets . . . . 439
    Protecting Mobile Devices . . . . 439
    Using Safes . . . . 440
Internal Support Systems . . . . 440
    Electric Power . . . . 441
    Environmental Issues . . . . 446
    Fire Prevention, Detection, and Suppression . . . . 448
Summary . . . . 455
Quick Tips . . . . 455
    Questions . . . . 461
    Answers . . . . 471
Chapter 4 Communication and Network Security . . . . 477
Telecommunications . . . . 479
Open Systems Interconnection Reference Model . . . . 479
    Protocol . . . . 480
    Application Layer . . . . 483
    Presentation Layer . . . . 484
    Session Layer . . . . 485
    Transport Layer . . . . 487
    Network Layer . . . . 489
    Data Link Layer . . . . 490
    Physical Layer . . . . 491
    Functions and Protocols in the OSI Model . . . . 492
    Tying the Layers Together . . . . 494
    Multilayer Protocols . . . . 495
TCP/IP Model . . . . 497
    TCP . . . . 498
    IP Addressing . . . . 503
    IPv6 . . . . 506
    Layer 2 Security Standards . . . . 509
    Converged Protocols . . . . 511
Types of Transmission . . . . 512
    Analog and Digital . . . . 512
    Asynchronous and Synchronous . . . . 514
    Broadband and Baseband . . . . 516
Cabling . . . . 517
    Coaxial Cable . . . . 517
    Twisted-Pair Cable . . . . 518
    Fiber-Optic Cable . . . . 519
    Cabling Problems . . . . 520
Networking Foundations . . . . 522
    Network Topology . . . . 523
    Media Access Technologies . . . . 526
    Transmission Methods . . . . 536
    Network Protocols and Services . . . . 538
    Domain Name Service . . . . 547
    E-mail Services . . . . 555
    Network Address Translation . . . . 560
    Routing Protocols . . . . 562
Networking Devices . . . . 567
    Repeaters . . . . 567
    Bridges . . . . 567
    Routers . . . . 570
    Switches . . . . 571
    Gateways . . . . 576
    PBXs . . . . 577
    Firewalls . . . . 581
    Proxy Servers . . . . 605
    Honeypot . . . . 607
    Unified Threat Management . . . . 607
    Content Distribution Networks . . . . 608
    Software Defined Networking . . . . 609
Intranets and Extranets . . . . 612
Metropolitan Area Networks . . . . 614
    Metro Ethernet . . . . 615
Wide Area Networks . . . . 617
    Telecommunications Evolution . . . . 617
    Dedicated Links . . . . 620
    WAN Technologies . . . . 624
Remote Connectivity . . . . 644
    Dial-up Connections . . . . 644
    ISDN . . . . 645
    DSL . . . . 647
    Cable Modems . . . . 648
    VPN . . . . 649
    Authentication Protocols . . . . 657
Wireless Networks . . . . 659
    Wireless Communications Techniques . . . . 660
    WLAN Components . . . . 664
    Evolution of WLAN Security . . . . 665
    Wireless Standards . . . . 672
    Best Practices for Securing WLANs . . . . 677
    Satellites . . . . 678
    Mobile Wireless Communication . . . . 678
Network Encryption . . . . 685
    Link Encryption vs. End-to-End Encryption . . . . 685
    E-mail Encryption Standards . . . . 687
    Internet Security . . . . 690
Network Attacks . . . . 696
    Denial of Service . . . . 696
    Sniffing . . . . 698
    DNS Hijacking . . . . 699
    Drive-by Download . . . . 700
Summary . . . . 700
Quick Tips . . . . 701
    Questions . . . . 706
    Answers . . . . 715
Chapter 5 Identity and Access Management . . . . 721
Security Principles . . . . 723
    Availability . . . . 723
    Integrity . . . . 723
    Confidentiality . . . . 724
Identification, Authentication, Authorization, and Accountability . . . . 724
    Identification and Authentication . . . . 727
    Authentication . . . . 739
    Authorization . . . . 762
    Federation . . . . 776
    Identity as a Service . . . . 785
    Integrating Identity Services . . . . 786
Access Control Models . . . . 787
    Discretionary Access Control . . . . 787
    Mandatory Access Control . . . . 789
    Role-Based Access Control . . . . 791
    Rule-Based Access Control . . . . 794
Access Control Techniques and Technologies . . . . 796
    Constrained User Interfaces . . . . 796
    Access Control Matrix . . . . 797
    Content-Dependent Access Control . . . . 798
    Context-Dependent Access Control . . . . 799
Access Control Administration . . . . 799
    Centralized Access Control Administration . . . . 800
    Decentralized Access Control Administration . . . . 807
Access Control Methods . . . . 807
    Access Control Layers . . . . 808
    Administrative Controls . . . . 809
    Physical Controls . . . . 810
    Technical Controls . . . . 811
Accountability . . . . 814
    Review of Audit Information . . . . 816
    Protecting Audit Data and Log Information . . . . 818
    Keystroke Monitoring . . . . 818
Access Control Practices . . . . 819
    Unauthorized Disclosure of Information . . . . 819
Access Control Monitoring . . . . 822
    Intrusion Detection Systems . . . . 822
    Intrusion Prevention Systems . . . . 830
Threats to Access Control . . . . 834
    Dictionary Attack . . . . 835
    Brute-Force Attacks . . . . 835
    Spoofing at Logon . . . . 836
    Phishing and Pharming . . . . 836
Summary . . . . 840
Quick Tips . . . . 840
    Questions . . . . 845
    Answers . . . . 854
Chapter 6 Security Assessment and Testing . . . . 859
Audit Strategies . . . . 860
    Internal Audits . . . . 862
    Third-Party Audits . . . . 863
Auditing Technical Controls . . . . 865
    Vulnerability Testing . . . . 866
    Penetration Testing . . . . 869
    War Dialing . . . . 874
    Other Vulnerability Types . . . . 875
    Postmortem . . . . 876
    Log Reviews . . . . 878
    Synthetic Transactions . . . . 881
    Misuse Case Testing . . . . 882
    Code Reviews . . . . 884
    Interface Testing . . . . 886
Auditing Administrative Controls . . . . 886
    Account Management . . . . 886
    Backup Verification . . . . 889
    Disaster Recovery and Business Continuity . . . . 892
    Security Training and Security Awareness Training . . . . 899
    Key Performance and Risk Indicators . . . . 903
Reporting . . . . 905
    Technical Reporting . . . . 906
    Executive Summaries . . . . 907
Management Review . . . . 908
    Before the Management Review . . . . 909
    Reviewing Inputs . . . . 909
    Management Actions . . . . 911
Summary . . . . 911
Quick Tips . . . . 911
    Questions . . . . 914
    Answers . . . . 919
Chapter 7 Security Operations . . . . 923
The Role of the Operations Department . . . . 924
Administrative Management . . . . 925
    Security and Network Personnel . . . . 928
    Accountability . . . . 929
    Clipping Levels . . . . 930
Assurance Levels . . . . 930
Operational Responsibilities . . . . 931
    Unusual or Unexplained Occurrences . . . . 931
    Deviations from Standards . . . . 932
    Unscheduled Initial Program Loads (aka Rebooting) . . . . 932
Configuration Management . . . . 933
    Trusted Recovery . . . . 933
    Input and Output Controls . . . . 936
    System Hardening . . . . 937
    Remote Access Security . . . . 939
Physical Security . . . . 940
    Facility Access Control . . . . 941
    Personnel Access Controls . . . . 949
    External Boundary Protection Mechanisms . . . . 950
    Intrusion Detection Systems . . . . 960
    Patrol Force and Guards . . . . 962
    Dogs . . . . 963
    Auditing Physical Access . . . . 963
Secure Resource Provisioning . . . . 964
    Asset Inventory . . . . 964
    Configuration Management . . . . 966
    Provisioning Cloud Assets . . . . 969
Network and Resource Availability . . . . 970
    Mean Time Between Failures . . . . 971
    Mean Time to Repair . . . . 972
    Single Points of Failure . . . . 973
    Backups . . . . 981
    Contingency Planning . . . . 983
Preventative Measures . . . . 984
    Firewalls . . . . 985
    Intrusion Detection and Prevention Systems . . . . 986
    Antimalware . . . . 988
    Patch Management . . . . 988
    Honeypots . . . . 991
The Incident Management Process . . . . 993
    Detection . . . . 998
    Response . . . . 998
    Mitigation . . . . 999
    Reporting . . . . 1000
    Recovery . . . . 1001
    Remediation . . . . 1001
Disaster Recovery . . . . 1002
    Business Process Recovery . . . . 1006
    Facility Recovery . . . . 1006
    Supply and Technology Recovery . . . . 1013
    Choosing a Software Backup Facility . . . . 1018
    End-User Environment . . . . 1021
    Data Backup Alternatives . . . . 1021
    Electronic Backup Solutions . . . . 1025
    High Availability . . . . 1028
Insurance . . . . 1030
Recovery and Restoration . . . . 1031
    Developing Goals for the Plans . . . . 1034
    Implementing Strategies . . . . 1036
Investigations . . . . 1038
    Computer Forensics and Proper Collection of Evidence . . . . 1039
    Motive, Opportunity, and Means . . . . 1041
    Computer Criminal Behavior . . . . 1042
    Incident Investigators . . . . 1042
    The Forensic Investigation Process . . . . 1043
    What Is Admissible in Court? . . . . 1049
    Surveillance, Search, and Seizure . . . . 1051
    Interviewing Suspects . . . . 1052
Liability and Its Ramifications . . . . 1053
    Liability Scenarios . . . . 1056
    Third-Party Risk . . . . 1058
    Contractual Agreements . . . . 1058
    Procurement and Vendor Processes . . . . 1059
Compliance . . . . 1060
Personal Safety Concerns . . . . 1063
Summary . . . . 1064
Quick Tips . . . . 1064
    Questions . . . . 1067
    Answers . . . . 1072
Chapter 8 Software Development Security . . . . 1077
Building Good Code . . . . 1077
Where Do We Place Security? . . . . 1078
    Different Environments Demand Different Security . . . . 1080
    Environment vs. Application . . . . 1081
    Functionality vs. Security . . . . 1082
    Implementation and Default Issues . . . . 1082
Software Development Life Cycle . . . . 1084
    Project Management . . . . 1084
    Requirements Gathering Phase . . . . 1085
    Design Phase . . . . 1086
    Development Phase . . . . 1089
    Testing/Validation Phase . . . . 1093
    Release/Maintenance Phase . . . . 1095
Secure Software Development Best Practices . . . . 1097
Software Development Models . . . . 1098
    Build and Fix Model . . . . 1099
    Waterfall Model . . . . 1099
    V-Shaped Model (V-Model) . . . . 1100
    Prototyping . . . . 1101
    Incremental Model . . . . 1101
    Spiral Model . . . . 1102
    Rapid Application Development . . . . 1104
    Agile Models . . . . 1105
Integrated Product Team . . . . 1109
    DevOps . . . . 1109
Capability Maturity Model Integration . . . . 1111
Change Control . . . . 1113
    Software Configuration Management . . . . 1114
    Security of Code Repositories . . . . 1116
Programming Languages and Concepts . . . . 1116
    Assemblers, Compilers, Interpreters . . . . 1119
    Object-Oriented Concepts . . . . 1121
    Other Software Development Concepts . . . . 1129
    Application Programming Interfaces . . . . 1131
Distributed Computing . . . . 1132
    Distributed Computing Environment . . . . 1132
    CORBA and ORBs . . . . 1134
    COM and DCOM . . . . 1136
    Java Platform, Enterprise Edition . . . . 1138
    Service-Oriented Architecture . . . . 1138
Mobile Code . . . . 1142
    Java Applets . . . . 1142
    ActiveX Controls . . . . 1144
Web Security . . . . 1146
    Specific Threats for Web Environments . . . . 1146
    Web Application Security Principles . . . . 1154
Database Management . . . . 1155
    Database Management Software . . . . 1155
    Database Models . . . . 1157
    Database Programming Interfaces . . . . 1161
    Relational Database Components . . . . 1164
    Integrity . . . . 1166
    Database Security Issues . . . . 1169
    Data Warehousing and Data Mining . . . . 1174
Malicious Software (Malware) . . . . 1178
    Viruses . . . . 1179
    Worms . . . . 1182
    Rootkit . . . . 1182
    Spyware and Adware . . . . 1184
    Botnets . . . . 1184
    Logic Bombs . . . . 1186
    Trojan Horses . . . . 1186
    Antimalware Software . . . . 1187
    Spam Detection . . . . 1190
    Antimalware Programs . . . . 1192
Assessing the Security of Acquired Software . . . . 1193
Summary . . . . 1194
Quick Tips . . . . 1194
    Questions . . . . 1199
    Answers . . . . 1207
Appendix A Comprehensive Questions . . . . 1213
Answers . . . . 1249
Appendix B About the CD-ROM . . . . 1269
System Requirements . . . . 1269
Total Tester Premium Practice Exam Software . . . . 1269
Installing and Running Total Tester Premium Practice Exam Software . . . . 1270
Hotspot and Drag-and-Drop Questions . . . . 1270
PDF Copy of the Book . . . . 1270
Technical Support . . . . 1271
    Total Seminars Technical Support . . . . 1271
    McGraw-Hill Education Content Support . . . . 1271
Glossary . . . . 1273
Index . . . . 1291
IN MEMORY OF SHON HARRIS
In the summer of 2014, Shon asked me to write a foreword for the new edition of her CISSP All-in-One Exam Guide. I was honored to do that, and the following two paragraphs are that original foreword. Following that, I will say more about my friend, the late Shon Harris.
The cyber security field is still relatively new and has been evolving as technology advances. Every decade or so, we have an advance or two that seems to change the game. For example, in the 1990s we were focused primarily on “perimeter defense.” Lots of money was spent on perimeter devices like firewalls to keep the bad guys out. Around 2000, recognizing that perimeter defense alone was insufficient, the “defense in depth” approach became popular, and we spent another decade trying to build layers of defense and detect the bad guys who were able to get past our perimeter defenses. Again, lots of money was spent, this time on intrusion detection, intrusion prevention, and end-point solutions. Then, around 2010, following the lead of the U.S. government in particular, we began to focus on “continuous monitoring,” the goal being to catch the bad guys inside the network if they get past the perimeter defense and the defense in depth. Security information and event management (SIEM) technology has emerged as the best way to handle this continuous monitoring requirement. The latest buzz phrase is “active defense,” which refers to the ability to respond in real time through a dynamic and changing defense that works to contain the attacker and allow the organization to recover quickly and get back to business. We are starting to see the re-emergence of honeypots combined with sandbox technology to bait and trap attackers for further analysis of their activity. One thing is common throughout this brief historical survey: the bad guys keep getting in and we keep responding to try and keep up, if not prevent them in the first place. This cat-and-mouse game will continue for the foreseeable future.
As the cyber security field continuously evolves to meet the latest emerging threats, each new strategy and tactic brings with it a new set of terminology and concepts for the security professional to master. The sheer bulk of the body of knowledge can be overwhelming, particularly to newcomers. As a security practitioner, consultant, and business leader, I am often asked by aspiring security practitioners where to start when trying to get into the field. I often refer them to Shon’s CISSP All-in-One Exam Guide, not necessarily for the purpose of becoming a CISSP, but so that they may have in one resource the body of knowledge in the field. I am also often asked by experienced security practitioners how to advance in the field. I encourage them to pursue CISSP certification and, once again, I refer them to Shon’s book. Some are destined to become leaders in the field, and the CISSP is a solid certificate for managers. Other security professionals I encounter are just looking for more breadth of knowledge, and I recommend Shon’s book to them too as a good one-stop reference for that. This book has stood the test of time. It has evolved as the field has evolved and stands as the single most important book in the cyber security field, period. I have personally referred to it several times throughout my career and keep a copy near me at all times on my Kindle. Simply put, if you are in the cyber security field, you need a copy of this book.
On a personal note, little did I know that within months of writing the preceding foreword, Shon would no longer be with us. I counted Shon as a good friend and still admire her for her contribution to the field. I met Shon at a CISSP boot camp in 2002. I had just learned of the CISSP and within weeks found myself in her class. I had no clue that she had already written several books by that time and was a true leader in the field. I must have chattered away during our lunch sessions, because a few months after the class, she reached out to me and said, “Hey, I remember you were interested in writing. I have a new project that I need help on. Would you like to help?” After an awkward pause, as I picked myself up from the floor, I told her that I felt underqualified, but yes! That started a journey that has blessed me many times over. The book was called Gray Hat Hacking and is now in the fourth edition. From the book came many consulting, writing, and teaching opportunities, such as Black Hat. Then, as I retired from the Marine Corps, in 2008, there was Shon, right on cue: “Hey, I have an opportunity to provide services to a large company. Would you like to help?” Just like that, I had my first large client, launching my company, which I was able to grow, with Shon’s help, and then sell a couple of years ago. During the 12 years I knew her, Shon continued to give me opportunities to become much more than I could have dreamed. She never asked for a thing in return, simply saying, “You take it and run with it, I am too busy doing other things.” As I think back over my career after the Marine Corps, I owe most of my success to Shon. I have shared this story with others and found that I am not the only one; Shon blessed so many people with her giving spirit. I am convinced there are many “Shon” stories like this one out there. She touched so many people in the security field and more than lived up to the nickname I had for her, Miss CISSP.
Without a doubt, Shon was the most kindhearted, generous, and humble person in the field. If you knew Shon, I know you would echo that sentiment. If you did not know Shon, I hope that through these few words, you understand why she was so special and why there had to be another edition of this book. I have been asked several times over the last year, “Do you think there will be another edition? The security field and CISSP certification have both changed so much, we need another edition.” For this reason, I am excited this new edition came to be. Shon would have wanted the book to go on helping people to be the best they can be. I believe we, as a profession, need this book to continue. So, I am thankful that the team from McGraw-Hill and Fernando are honoring Shon in this way and continuing her legacy. She truly deserves it. Shon, you are missed and loved by so many. Through this book, your generous spirit lives on, helping others.
Allen Harper, CISSP (thanks to Shon)
EVP and Chief Hacker, Tangible Security, Inc.
FOREWORD
I’m excited and honored to introduce the seventh edition of CISSP All-in-One Exam Guide to cyber security experts worldwide. This study guide is essential for those pursuing CISSP certification and should be part of every cyber security professional’s library.
After 39 years of service in the Profession of Arms, I know well what it means to be a member of a profession and the importance of shared values, common language, and identity. At the same time, expert knowledge gained through training, education, and experience are critical ingredients to a profession, but formal certifications based on clearly articulated standards are the coin of the realm for cyber security professionals.
In every operational assignment, I sought ways to leverage technology and increase digitization, while assuming our freedom to operate was not at risk. Today’s threats coupled with our vulnerabilities and the potential consequences create a new operational reality—national security is at risk. When we enter any network, we must fight to ensure we maintain our security, and cyber security experts are the professionals we will call on to out-think and out-maneuver the threats we face from cyberspace.
As our world becomes more interconnected, we can expect cyber threats to continue to grow exponentially. While our cyber workforce enabled by technology must focus on preventing threats and reducing vulnerabilities, we will not eliminate either. This demands professionals who understand risk management and security—experts who are trusted and committed to creating and providing a wide range of security measures tailored to mitigate enterprise risk and assure all missions, public and private.
Current, relevant domain expertise is the key, and the CISSP All-in-One Exam Guide is the king of the hill. In this edition, Shon’s quality content is present and is being stewarded forward by Fernando Maymí. You’re in good hands, and you will grow personally and professionally, from your study. As competent, trusted professionals of character, this book is essential to you, your organization, and our national security.
Rhett Hernandez
Lieutenant General, U.S. Army Retired
Former Commander, U.S. Army Cyber Command
Current West Point Cyber Chair, Army Cyber Institute
ACKNOWLEDGMENTS
We would like to thank all the people who work in the information security industry who are driven by their passion, dedication, and a true sense of doing right. The best security people are the ones who are driven toward an ethical outcome.
In this seventh edition, we would also like to thank the following:
• Ronald Dodge, who brought the two authors of this book together and, in doing so, set off a sequence of events that he couldn’t have possibly anticipated.
• David Miller, whose work ethic, loyalty, and friendship have continuously inspired us.
• All the teammates from Logical Security.
• The men and women of our armed forces, who selflessly defend our way of life.
• Kathy Conlon, who, more than anyone else, set the conditions that led to seven editions of this book.
• David Harris.
• Emma Fernandez.
Most especially, we thank you, our readers, for standing on the frontlines of our digital conflicts and for devoting your professional lives to keeping all of us safe in cyberspace.
FROM THE AUTHOR
For the first time in seven editions, the CISSP All-in-One Exam Guide bears the names of two authors. For the first time in 15 years, Shon Harris will not be with us as we go to print on a new edition of her seminal work. Still, she remains with us in the pages of the hundreds of thousands of books sold, which have enriched the lives of security professionals worldwide. It is no exaggeration to say that Shon was one of the most influential authors in our field. Her legacy lives on in the pages of this latest edition.
Our goal in this seventh edition of Shon’s book was both to address the newly revised CISSP body of knowledge and to allow you to hear Shon’s voice as you read the words on its pages. You see, much of the content in this book was actually authored by Shon. We have reorganized, enhanced, augmented, and updated it, but the content is still largely hers. If you have read any of her multitude of other works or had the blessing of having met her, you will recognize her distinctive tone in these pages. We also hope that you will perceive her penchant for excellence in every aspect of professional development.
The goal of this book is not just to get you to pass the CISSP exam, but to provide you the bedrock of knowledge that will allow you to flourish as an information systems security professional before and after you pass the certification exam. If you strive for excellence in your own development, the CISSP certification will follow as a natural byproduct. This approach will demand that you devote time and energy to topics and issues that may seem to have no direct or immediate return on investment. That is OK. We each have our own areas of strength and weakness, and many of us tend to reinforce the former while ignoring the latter. This leads to individuals who have tremendous depth in a very specific topic, but who lack the breadth to understand context or thrive in new and unexpected conditions. What we propose is an inversion of this natural tendency, so that we devote appropriate amounts of effort to those areas in which we are weakest. What we propose is that we balance the urge to be specialists with the need to be well-rounded professionals. This is what our organizations and societies need from us.
The very definition of a profession describes a group of trusted, well-trained individuals that performs a critical service that societies cannot do for themselves. In the case of the CISSP, this professional ensures the confidentiality, integrity, and availability of our information systems. This cannot be done simply by being the best firewall administrator, or the best forensic examiner, or the best reverse engineer. Instead, our service requires a breadth of knowledge that will allow us to choose the right tool for the job. This relevant knowledge, in turn, requires a foundation of (apparently less relevant) knowledge upon which we can build our expertise. This is why, in order to be competent professionals, we all need to devote ourselves to learning topics that may not be immediately useful.
This book provides an encyclopedic treatment of both directly applicable and foundational knowledge. It is designed, as it always was, to be both a study guide and an enduring reference. Our hope is that, long after you obtain your CISSP certification, you will turn to this tome time and again to brush up on your areas of weakness as well as to guide you in a lifelong pursuit of self-learning and excellence.
WHY BECOME A CISSP?
As our world changes, the need for improvements in security and technology continues to grow. Corporations and other organizations are desperate to identify and recruit talented and experienced security professionals to help protect the resources on which they depend to run their businesses and remain competitive. As a Certified Information Systems Security Professional (CISSP), you will be seen as a security professional of proven ability who has successfully met a predefined standard of knowledge and experience that is well understood and respected throughout the industry. By keeping this certification current, you will demonstrate your dedication to staying abreast of security developments.
Consider some of the reasons for attaining a CISSP certification:
• To broaden your current knowledge of security concepts and practices
• To demonstrate your expertise as a seasoned security professional
• To become more marketable in a competitive workforce
• To increase your salary and be eligible for more employment opportunities
• To bring improved security expertise to your current occupation
• To show a dedication to the security discipline
The CISSP certification helps companies identify which individuals have the ability, knowledge, and experience necessary to implement solid security practices; perform risk analysis; identify necessary countermeasures; and help the organization as a whole protect its facility, network, systems, and information. The CISSP certification also shows potential employers you have achieved a level of proficiency and expertise in skill sets and knowledge required by the security industry. The increasing importance placed on security in corporate success will only continue in the future, leading to even greater demands for highly skilled security professionals. The CISSP certification shows that a respected third-party organization has recognized an individual’s technical and theoretical knowledge and expertise, and distinguishes that individual from those who lack this level of knowledge.
Understanding and implementing security practices is an essential part of being a good network administrator, programmer, or engineer. Job descriptions that do not specifically target security professionals still often require that a potential candidate have a good understanding of security concepts as well as how to implement them. Due to staff size and budget restraints, many organizations can’t afford separate network and security staffs. But they still believe security is vital to their organization. Thus, they often try to combine knowledge of technology and security into a single role. With a CISSP designation, you can put yourself head and shoulders above other individuals in this regard.
The CISSP Exam
Because the CISSP exam covers the eight domains making up the CISSP Common Body of Knowledge (CBK), it is often described as being “an inch deep and a mile wide,” a reference to the fact that many questions on the exam are not very detailed and do not require you to be an expert in every subject. However, the questions do require you to be familiar with many different security subjects.
The CISSP exam comprises 250 multiple-choice and innovative questions, which must be answered in no more than 6 hours. Innovative questions incorporate drag-and-drop (i.e., take a term or item and drag it to the correct position in the frame) or hotspot (i.e., click the item or term that correctly answers the question) interfaces, but are otherwise weighted and scored just like any other question. The questions are pulled from a much larger question bank to ensure the exam is as unique as possible for each entrant. In addition, the test bank constantly changes and evolves to more accurately reflect the real world of security. The exam questions are continually rotated and replaced in the bank as necessary. Only 225 questions are graded, while 25 are used for research purposes. The 25 research questions are integrated into the exam, so you won’t know which go toward your final grade. To pass the exam, you need a scale score of 700 points out of 1,000. Questions are weighted based on their difficulty; not all questions are worth the same number of points. The exam is not product or vendor oriented, meaning no questions will be specific to certain products or vendors (for instance, Windows, Unix, or Cisco). Instead, you will be tested on the security models and methodologies used by these types of systems.
EXAM TIP There is no penalty for guessing. If you can’t come up with the right answer in a reasonable amount of time, then you should guess and move on to the next question.
(ISC)2, which stands for International Information Systems Security Certification Consortium, also includes scenario-based questions in the CISSP exam. These questions present a short scenario to the test taker rather than asking the test taker to identify terms and/or concepts. The goal of the scenario-based questions is to ensure that test takers not only know and understand the concepts within the CBK, but also can apply this knowledge to real-life situations. This is more practical because in the real world, you won’t be challenged by having someone asking you “What is the definition of collusion?” You need to know how to detect and prevent collusion from taking place, in addition to knowing the definition of the term.
After passing the exam, you will be asked to supply documentation, supported by a sponsor, proving that you indeed have the type of experience required to obtain this certification. The sponsor must sign a document vouching for the security experience you are submitting. So, make sure you have this sponsor lined up prior to registering for the exam and providing payment. You don’t want to pay for and pass the exam, only to find you can’t find a sponsor for the final step needed to achieve your certification.
The reason behind the sponsorship requirement is to ensure that those who achieve the certification have real-world experience to offer organizations. Book knowledge is extremely important for understanding theory, concepts, standards, and regulations, but it can never replace hands-on experience. Proving your practical experience supports the relevance of the certification.
A small sample group of individuals selected at random will be audited after passing the exam. The audit consists mainly of individuals from (ISC)2 calling on the candidates’ sponsors and contacts to verify the test taker’s related experience.
One of the factors that makes the CISSP exam challenging is that most candidates, although they work in the security field, are not necessarily familiar with all eight CBK domains. If a security professional is considered an expert in vulnerability testing or application security, for example, she may not be familiar with physical security, cryptography, or forensics. Thus, studying for this exam will broaden your knowledge of the security field.
The exam questions address the eight CBK security domains, which are described in Table 1.
Table 1 Security Domains That Make Up the CISSP CBK

Security and Risk Management
This domain covers many of the foundational concepts of information systems security. Some of the topics covered include
• The principles of availability, integrity, and confidentiality
• Security governance and compliance
• Legal and regulatory issues
• Professional ethics
• Personnel security policies
• Risk management
• Threat modeling

Asset Security
This domain examines the protection of information assets throughout their life cycle. Some of the topics covered include
• Information classification
• Maintaining ownership
• Privacy
• Retention
• Data security controls
• Handling requirements

Security Engineering
This domain examines the development of information systems that remain secure in the face of a myriad of threats. Some of the topics covered include
• Security design principles
• Selection of effective controls
• Mitigation of vulnerabilities
• Cryptography
• Secure site and facility design
• Physical security

Communication and Network Security
This domain examines network architectures, communications technologies, and network protocols with a goal of understanding how to secure them. Some of the topics covered include
• Secure network architectures
• Network components
• Secure communications channels
• Network attacks

Identity and Access Management
Identity and access management is one of the most important topics in information security. This domain covers the interactions between users and systems as well as between systems and other systems. Some of the topics covered include
• Controlling physical and logical access
• Identification and authentication
• Identity as a Service
• Third-party identity services
• Authorization methods
• Access control attacks

Security Assessment and Testing
This domain examines ways to verify the security of our information systems. Some of the topics covered include
• Assessment and testing strategies
• Testing security controls
• Collecting security process data
• Analyzing and reporting results
• Conducting and facilitating audits

Security Operations
This domain covers the many activities involved in the daily business of maintaining the security of our networks. Some of the topics covered include
• Supporting investigations
• Logging and monitoring
• Secure provisioning of resources
• Incident management
• Preventative measures
• Change management
• Business continuity
• Managing physical security

Software Development Security
This domain examines the application of security principles to the acquisition and development of software systems. Some of the topics covered include
• Security in the software development life cycle
• Security controls in development activities
• Assessing software security
• Assessing the security implications of acquired software
(ISC)2 attempts to keep up with changes in technology and methodologies in the security field by adding numerous new questions to the test question bank each year. These questions are based on current technologies, practices, approaches, and standards. For example, the CISSP exam given in 1998 did not have questions pertaining to wireless security, cross-site scripting attacks, or IPv6.
What Does This Book Cover?
This book covers everything you need to know to become an (ISC)2-certified CISSP. It teaches you the hows and whys behind organizations’ development and implementation of policies, procedures, guidelines, and standards. It covers network, application, and system vulnerabilities; what exploits them; and how to counter these threats. The book explains physical security, operational security, and why systems implement the security mechanisms they do. It also reviews the U.S. and international security criteria and evaluations performed on systems for assurance ratings, what these criteria mean, and why they are used. This book also explains the legal and liability issues that surround computer systems and the data they hold, including such subjects as computer crimes, forensics, and what should be done to properly prepare computer evidence associated with these topics for court.
While this book is mainly intended to be used as a study guide for the CISSP exam, it is also a handy reference guide for use after your certification.
Tips for Taking the CISSP Exam
Many people feel as though the exam questions are tricky. Make sure to read each question and its answer choices thoroughly instead of reading a few words and immediately assuming you know what the question is asking. Some of the answer choices may have only subtle differences, so be patient and devote time to reading through the question more than once.
A common complaint heard about the CISSP exam is that some questions seem a bit subjective. For example, whereas it might be easy to answer a technical question that asks for the exact mechanism used in Transport Layer Security (TLS) that protects against man-in-the-middle attacks, it’s not quite as easy to answer a question that asks whether an eight-foot perimeter fence provides low, medium, or high security. Many questions ask the test taker to choose the “best” approach, which some people find confusing and subjective. These complaints are mentioned here not to criticize (ISC)2 and the exam writers, but to help you better prepare for the exam. This book covers all the necessary material for the exam and contains many questions and self-practice tests. Most of the questions are formatted in such a way as to better prepare you for what you will encounter on the actual exam. So, make sure to read all the material in the book, and pay close attention to the questions and their formats. Even if you know the subject well, you may still get some answers wrong—it is just part of learning how to take tests.
In answering many questions, it is important to keep in mind that some things are inherently more valuable than others. For example, the protection of human lives and welfare will almost always trump all other responses. Similarly, if all other factors are equal and you are given a choice between an expensive and complex solution and a simpler and cheaper one, the second will win most of the time. Expert advice (e.g., from an attorney) is more valuable than that offered by someone with lesser credentials. If one of the possible responses to a question is to seek or obtain advice from an expert, pay close attention to that question. The correct response may very well be to seek out that expert.
Familiarize yourself with industry standards and expand your technical knowledge and methodologies outside the boundaries of what you use today. We cannot stress enough that just because you are the top dog in your particular field, it doesn’t mean you are properly prepared for every domain the exam covers.
When you take the CISSP exam at the Pearson VUE test center, other certification exams may be taking place simultaneously in the same room. Don’t feel rushed if you see others leaving the room early; they may be taking a shorter exam.
How to Use This Book
Much effort has gone into putting all the necessary information into this book. Now it’s up to you to study and understand the material and its various concepts. To best benefit from this book, you might want to use the following study method:
• Study each chapter carefully and make sure you understand each concept presented. Many concepts must be fully understood, and glossing over a couple here and there could be detrimental to you. The CISSP CBK contains hundreds of individual topics, so take the time needed to understand them all.
• Make sure to study and answer all of the questions. If any questions confuse you, go back and study those sections again. Remember, some of the questions on the actual exam are a bit confusing because they do not seem straightforward. Do not ignore the confusing questions, thinking they’re not well worded. Instead, pay even closer attention to them because they are there for a reason.
• If you are not familiar with specific topics, such as firewalls, laws, physical security, or protocol functionality, use other sources of information (books, articles, and so on) to attain a more in-depth understanding of those subjects. Don’t just rely on what you think you need to know to pass the CISSP exam.
• After reading this book, study the questions and answers, and take the practice tests. Then review the (ISC)2 exam outline and make sure you are comfortable with each bullet item presented. If you are not comfortable with some items, revisit those chapters.
• If you have taken other certification exams—such as Cisco, Novell, or Microsoft— you might be used to having to memorize details and configuration parameters. But remember, the CISSP test is “an inch deep and a mile wide,” so make sure you understand the concepts of each subject before trying to memorize the small, specific details.
• Remember that the exam is looking for the “best” answer. On some questions test takers do not agree with any or many of the answers. You are being asked to choose the best answer out of the four being offered to you.
CHAPTER 1
Security and Risk Management
This chapter presents the following:
• Security terminology and principles
• Protection control types
• Security frameworks, models, standards, and best practices
• Computer laws and crimes
• Intellectual property
• Data breaches
• Risk management
• Threat modeling
• Business continuity and disaster recovery
• Personnel security
• Security governance
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards—and even then I have my doubts.
—Eugene H. Spafford
In reality, organizations have many other things to do than practice security. Businesses exist to make money. Most nonprofit organizations exist to offer some type of service, as in charities, educational centers, and religious entities. None of them exist specifically to deploy and maintain firewalls, intrusion detection systems, identity management technologies, and encryption devices. No business really wants to develop hundreds of security policies, deploy antimalware products, maintain vulnerability management systems, constantly update its incident response capabilities, and have to comply with the alphabet soup of security laws, regulations, and standards such as SOX (Sarbanes-Oxley), GLBA (Gramm-Leach-Bliley Act), PCI DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), and FISMA (Federal Information Security Management Act). Business owners would like to be able to make their widgets, sell their widgets, and go home. But those simpler days are long gone. Now organizations are faced with attackers who want to steal businesses’ customer data to carry out identity theft and banking fraud. Company secrets are commonly being stolen by internal and external entities for economic espionage purposes. Systems are being hijacked and used within botnets to attack other organizations or to spread spam. Company funds are being secretly siphoned off through complex and hard-to-identify digital methods, commonly by organized criminal rings in different countries. And organizations that find themselves in the crosshairs of attackers may come under constant attack that brings their systems and websites offline for hours or days. Companies are required to practice a wide range of security disciplines today to keep their market share, protect their customers and bottom line, stay out of jail, and still sell their widgets.
In this chapter we will cover many of the disciplines that are necessary for organizations to practice security in a holistic manner. Each organization must develop an enterprise-wide security program that consists of technologies, procedures, and processes covered throughout this book. As you go along in your security career, you will find that most organizations have some pieces to the puzzle of an “enterprise-wide security program” in place, but not all of them. And almost every organization struggles with the best way to assess the risks it faces and how to allocate funds and resources properly to mitigate those risks. Many of the security programs in place today can be thought of as lopsided or lumpy. The security programs excel within the disciplines that the team is most familiar with, and the other disciplines are found lacking. It is your responsibility to become as well rounded in security as possible so that you can identify these deficiencies in security programs and help improve upon them. This is why the CISSP exam covers a wide variety of technologies, methodologies, and processes—you must know and understand them holistically if you are going to help an organization carry out security holistically.
We will begin with the foundational pieces of security and build upon them through the chapter and then throughout the book. Building your knowledge base is similar to building a house: without a solid foundation, it will be weak, unpredictable, and fail in the most critical of moments. Our goal is to make sure you have solid and deep roots of understanding so that you can not only protect yourself against many of the threats we face today, but also protect the commercial and government organizations who depend upon you and your skill set.
The essence of our work as security professionals is our understanding of two key terms: security and risk. Since security is what we are charged with providing to our organizations, it is a good idea to spend some time defining this and related terms. A good way to understand key terms in a broader societal context is to explore the laws and crimes around them, together with the concomitant tradeoffs that we must make lest we sacrifice privacy in the name of crime fighting. Building on this foundation, we next turn our attention to the concept that should underlie every decision made when defending our information systems: risk. Risk is so important that we will cover it in detail in this chapter, but will also return to it time and again in the rest of the book. We start off narrowly, focusing on the malicious threats to our organizations, and then widen our aperture to include accidental and environmental threats and how to prepare for them by planning for business continuity and disaster recovery. Finally, we will close with discussions on personnel, governance, and ethics and how they apply to all that has preceded them in this chapter.
Fundamental Principles of Security
We need to understand the core goals of security, which are to provide availability, integrity, and confidentiality (AIC triad) protection for critical assets. Each asset will require different levels of these types of protection, as we will see in the following sections. All security controls, mechanisms, and safeguards are implemented to provide one or more of these protection types, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles.