Messages
Proposals
Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.
Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter Blind Folio i
ALL IN ONE
CISSP® E X A M G U I D E
Seventh Edition
Shon Harris Fernando Maymí
New York Chicago San Francisco Athens London Madrid Mexico City
Milan New Delhi Singapore Sydney Toronto
McGraw-Hill Education is an independent entity from (ISC)2® and is not affiliated with (ISC)2 in any manner. This study/ training guide and/or material is not sponsored by, endorsed by, or affiliated with (ISC)2 in any manner. This publication and CD may be used in assisting students to prepare for the CISSP exam. Neither (ISC)2 nor McGraw-Hill Education warrants that use of this publication and CD will ensure passing any exam. (ISC)2®, CISSP®, CAP®, ISSAP®, ISSEP®, ISSMP®, SSCP®, CCSP®, and CBK® are trademarks or registered trademarks of (ISC)2 in the United States and certain other countries. All other trademarks are trademarks of their respective owners.
00-FM.indd 1 14/04/16 10:24 AM
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter Blind Folio ii
McGraw-Hill Education books are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative, please visit the Contact Us pages at www.mhprofessional.com.
CISSP® All-in-One Exam Guide, Seventh Edition
Copyright © 2016 by McGraw-Hill Education. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
All trademarks or copyrights mentioned herein are the possession of their respective owners and McGraw-Hill Education makes no claim of ownership by the mention of products that contain these marks.
1 2 3 4 5 6 7 8 9 DOC 21 20 19 18 17 16
ISBN: Book p/n 978-0-07-184961-6 and CD p/n 978-0-07-184925-8 of set 978-0-07-184927-2
MHID: Book p/n 0-07-184961-0 and CD p/n 0-07-184925-4 of set 0-07-184927-0
Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
Sponsoring Editor Wendy Rinaldi
Editorial Supervisor Janet Walden
Project Manager Yashmita Hota, Cenveo® Publisher Services
Acquisitions Coordinator Amy Stonebraker
Technical Editor Jonathan Ham
Copy Editor William McManus
Proofreader Lisa McCoy
Indexer Karin Arrigoni
Production Supervisor James Kussow
Composition Cenveo Publisher Services
Illustration Cenveo Publisher Services
Art Director, Cover Jeff Weeks
Library of Congress Cataloging-in-Publication Data
Names: Harris, Shon, author. | Maymi, Fernando, author. Title: CISSP exam guide / Shon Harris, Fernando Maymi. Other titles: CISSP all-in-one exam guide Description: Seventh edition. | New York : McGraw-Hill Education, 2016. | Includes index. Identifiers: LCCN 2016017045 (print) | LCCN 2016017235 (ebook) | ISBN 9780071849272 (set : alk. paper) | ISBN 9780071849616 (book : alk. paper) | ISBN 9780071849258 (CD) | ISBN 0071849270 (set : alk. paper) | ISBN 0071849610 (book : alk. paper) | ISBN 0071849254 (CD) | ISBN 9780071849265 () Subjects: LCSH: Computer networks—Examinations—Study guides. | Telecommunications engineers—Certification. Classification: LCC TK5105.5 .H368 2016 (print) | LCC TK5105.5 (ebook) | DDC 005.8—dc23 LC record available at https://lccn.loc.gov/2016017045
00-FM.indd 2 14/04/16 5:04 PM
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter Blind Folio iii
We dedicate this book to all those who have served selflessly.
00-FM.indd 3 14/04/16 10:24 AM
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter Blind Folio iv
ABOUT THE AUTHORS Shon Harris, CISSP, was the founder and CEO of Shon Harris Security LLC and Logi- cal Security LLC, a security consultant, a former engineer in the Air Force’s Informa- tion Warfare unit, an instructor, and an author. Shon owned and ran her own training and consulting companies for 13 years prior to her death in 2014. She consulted with Fortune 100 corporations and government agencies on extensive security issues. She authored three best-selling CISSP books, was a contributing author to Gray Hat Hacking: The Ethical Hacker’s Handbook and Security Information and Event Management (SIEM) Implementation, and a technical editor for Information Security Magazine.
Fernando Maymí, Ph.D., CISSP, is a security practitioner with over 25 years’ experience in the field. He currently leads a multidisciplinary team charged with developing disruptive innovations for cyberspace operations as well as impactful pub- lic-private partnerships aimed at better securing cyberspace. Fernando has served as a consultant for both government and private-sector organizations in the United States and abroad. He has authored and taught dozens of courses and workshops in cyber security for academic, government, and professional audiences in the United States and Latin America. Fernando is the author of over a dozen publications and holds three
patents. His awards include the U.S. Department of the Army Research and Development Achievement Award and he was recognized as a HENAAC Luminary. He worked closely with Shon Harris, advising her on a multitude of projects, including the sixth edition of the CISSP All-in-One Exam Guide. Fernando is also a volunteer puppy raiser for Guiding Eyes for the Blind and has raised two guide dogs, Trinket and Virgo.
About the Contributor Bobby E. Rogers is an information security engineer working as a contractor for Depart- ment of Defense agencies, helping to secure, certify, and accredit their information sys- tems. His duties include information system security engineering, risk management, and certification and accreditation efforts. He retired after 21 years in the U.S. Air Force, serving as a network security engineer and instructor, and has secured networks all over the world. Bobby has a master’s degree in information assurance (IA) and is pursuing a doctoral degree in cybersecurity from Capitol Technology University in Maryland. His many certifications include CISSP-ISSEP, CEH, and MCSE: Security, as well as the CompTIA A+, Network+, Security+, and Mobility+ certifications.
00-FM.indd 4 14/04/16 10:24 AM
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter Blind Folio v
About the Technical Editor Jonathan Ham, CISSP, GSEC, GCIA, GCIH, is an independent consultant who specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. With a keen understanding of ROI and TCO, he has helped his clients achieve greater success for more than 12 years, advising in both the public and private sectors, from small upstarts to the Fortune 500. Jonathan has been commissioned to teach NCIS investigators how to use Snort, has performed packet analysis from a facil- ity more than 2,000 feet underground, and has chartered and trained the CIRT for one of the largest U.S. civilian federal agencies. He is a member of the GIAC Advisory Board and is a SANS instructor teaching their MGT414: SANS Training Program for CISSP Certification course. He is also co-author of Network Forensics: Tracking Hackers Through Cyberspace, a textbook published by Prentice-Hall.
00-FM.indd 5 14/04/16 10:24 AM
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
vi
CONTENTS AT A GLANCE
Chapter 1 Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 2 Asset Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Chapter 3 Security Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Chapter 4 Communication and Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Chapter 5 Identity and Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Chapter 6 Security Assessment and Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
Chapter 7 Security Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
Chapter 8 Software Development Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077
Appendix A Comprehensive Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1213
Appendix B About the CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1269
Glossary ................................................................................................................ 1273
Index ...................................................................................................................... 1291
00-FM.indd 6 14/04/16 10:24 AM
vii
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
CONTENTS
In Memory of Shon Harris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv From the Author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii Why Become a CISSP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Chapter 1 Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Fundamental Principles of Security . . . . . . . . . . . . . . . . . . . . . . . . . 3 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Balanced Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Security Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Control Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Security Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
ISO/IEC 27000 Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Enterprise Architecture Development . . . . . . . . . . . . . . . . . . 19 Security Controls Development . . . . . . . . . . . . . . . . . . . . . . . 33 Process Management Development . . . . . . . . . . . . . . . . . . . . 37 Functionality vs. Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
The Crux of Computer Crime Laws . . . . . . . . . . . . . . . . . . . . . . . . 45 Complexities in Cybercrime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Electronic Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 The Evolution of Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 International Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Types of Legal Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Intellectual Property Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Trade Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Trademark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Patent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Internal Protection of Intellectual Property . . . . . . . . . . . . . . 67 Software Piracy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 The Increasing Need for Privacy Laws . . . . . . . . . . . . . . . . . . 72 Laws, Directives, and Regulations . . . . . . . . . . . . . . . . . . . . . 73 Employee Privacy Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
00-FM.indd 7 14/04/16 10:24 AM
CISSP All-in-One Exam Guide
viii
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Data Breaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 U.S. Laws Pertaining to Data Breaches . . . . . . . . . . . . . . . . . 84 Other Nations’ Laws Pertaining to Data Breaches . . . . . . . . . 85
Policies, Standards, Baselines, Guidelines, and Procedures . . . . . . . . 86 Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Baselines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Holistic Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Information Systems Risk Management Policy . . . . . . . . . . . 95 The Risk Management Team . . . . . . . . . . . . . . . . . . . . . . . . . 96 The Risk Management Process . . . . . . . . . . . . . . . . . . . . . . . 97
Threat Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Reduction Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Risk Assessment and Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Risk Analysis Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 The Value of Information and Assets . . . . . . . . . . . . . . . . . . . 104 Costs That Make Up the Value . . . . . . . . . . . . . . . . . . . . . . . 105 Identifying Vulnerabilities and Threats . . . . . . . . . . . . . . . . . 106 Methodologies for Risk Assessment . . . . . . . . . . . . . . . . . . . . 107 Risk Analysis Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Qualitative Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Putting It Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Total Risk vs. Residual Risk . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Handling Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Outsourcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Risk Management Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Categorize Information System . . . . . . . . . . . . . . . . . . . . . . . 128 Select Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Implement Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . 129 Assess Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Authorize Information System . . . . . . . . . . . . . . . . . . . . . . . . 130 Monitor Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Business Continuity and Disaster Recovery . . . . . . . . . . . . . . . . . . . 130 Standards and Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . 133 Making BCM Part of the Enterprise Security Program . . . . . 136 BCP Project Components . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
00-FM.indd 8 14/04/16 10:24 AM
Contents
ix
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Personnel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Hiring Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 Security-Awareness Training . . . . . . . . . . . . . . . . . . . . . . . . . 157 Degree or Certification? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 The Computer Ethics Institute . . . . . . . . . . . . . . . . . . . . . . . 166 The Internet Architecture Board . . . . . . . . . . . . . . . . . . . . . . 166 Corporate Ethics Programs . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Chapter 2 Asset Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Information Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Archival . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Disposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Information Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Classifications Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Classification Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Layers of Responsibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Executive Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Data Owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Data Custodian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 System Owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Security Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Supervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Change Control Analyst . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Data Analyst . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Why So Many Roles? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Retention Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Developing a Retention Policy . . . . . . . . . . . . . . . . . . . . . . . . 207
Protecting Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 Data Owners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 Data Processers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Data Remanence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Limits on Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
00-FM.indd 9 14/04/16 10:24 AM
CISSP All-in-One Exam Guide
x
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Protecting Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 Data Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 Media Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Data Leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 Data Leak Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Protecting Other Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 Protecting Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 Paper Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 Safes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Chapter 3 Security Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 Computer Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
The Central Processing Unit . . . . . . . . . . . . . . . . . . . . . . . . . 252 Multiprocessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Memory Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Process Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Memory Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 Input/Output Device Management . . . . . . . . . . . . . . . . . . . . 285 CPU Architecture Integration . . . . . . . . . . . . . . . . . . . . . . . . 287 Operating System Architectures . . . . . . . . . . . . . . . . . . . . . . . 291 Virtual Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
System Security Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 Security Architecture Requirements . . . . . . . . . . . . . . . . . . . . 302
Security Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Bell-LaPadula Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Biba Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 Clark-Wilson Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 Noninterference Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 Brewer and Nash Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 Graham-Denning Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 Harrison-Ruzzo-Ullman Model . . . . . . . . . . . . . . . . . . . . . . . 312
Systems Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 Common Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 Why Put a Product Through Evaluation? . . . . . . . . . . . . . . . 317
Certification vs. Accreditation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 Accreditation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
00-FM.indd 10 14/04/16 10:24 AM
Contents
xi
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Open vs. Closed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 Open Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 Closed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Distributed System Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321 Cloud Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 Parallel Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 Cyber-Physical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
A Few Threats to Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 Maintenance Hooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333 Time-of-Check/Time-of-Use Attacks . . . . . . . . . . . . . . . . . . . 333
Cryptography in Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 The History of Cryptography . . . . . . . . . . . . . . . . . . . . . . . . 335
Cryptography Definitions and Concepts . . . . . . . . . . . . . . . . . . . . . 340 Kerckhoffs’ Principle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 The Strength of the Cryptosystem . . . . . . . . . . . . . . . . . . . . . 343 Services of Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . . . 344 One-Time Pad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Running and Concealment Ciphers . . . . . . . . . . . . . . . . . . . . 347 Steganography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Types of Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350 Substitution Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Transposition Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Methods of Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 Symmetric vs. Asymmetric Algorithms . . . . . . . . . . . . . . . . . 353 Symmetric Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . 354 Block and Stream Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . 359 Hybrid Encryption Methods . . . . . . . . . . . . . . . . . . . . . . . . . 364
Types of Symmetric Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 Data Encryption Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . 370 Triple-DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377 Advanced Encryption Standard . . . . . . . . . . . . . . . . . . . . . . . 378 International Data Encryption Algorithm . . . . . . . . . . . . . . . 378 Blowfish . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 RC4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 RC5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 RC6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Types of Asymmetric Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380 Diffie-Hellman Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . 380 RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 El Gamal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386 Elliptic Curve Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . 386 Knapsack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387 Zero Knowledge Proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
00-FM.indd 11 14/04/16 10:24 AM
CISSP All-in-One Exam Guide
xii
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Message Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 The One-Way Hash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 Various Hashing Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . 393 MD4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394 MD5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394 SHA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395 Attacks Against One-Way Hash Functions . . . . . . . . . . . . . . . 395 Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396 Digital Signature Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Public Key Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Certificate Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402 The Registration Authority . . . . . . . . . . . . . . . . . . . . . . . . . . 402 PKI Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404 Key Management Principles . . . . . . . . . . . . . . . . . . . . . . . . . 406 Rules for Keys and Key Management . . . . . . . . . . . . . . . . . . 407
Trusted Platform Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407 TPM Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Attacks on Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Ciphertext-Only Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Known-Plaintext Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Chosen-Plaintext Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Chosen-Ciphertext Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Differential Cryptanalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Linear Cryptanalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Side-Channel Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Replay Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Algebraic Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Analytic Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Statistical Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Social Engineering Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Meet-in-the-Middle Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 414
Site and Facility Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 The Site Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Crime Prevention Through Environmental Design . . . . . . . . 420 Designing a Physical Security Program . . . . . . . . . . . . . . . . . 426
Protecting Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Protecting Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Using Safes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Internal Support Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 Electric Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Environmental Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446 Fire Prevention, Detection, and Suppression . . . . . . . . . . . . . 448
00-FM.indd 12 14/04/16 10:24 AM
Contents
xiii
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Chapter 4 Communication and Network Security . . . . . . . . . . . . . . . . . . . . . . . 477
Telecommunications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479 Open Systems Interconnection Reference Model . . . . . . . . . . . . . . 479
Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480 Application Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 Presentation Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484 Session Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485 Transport Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 Network Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489 Data Link Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Physical Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Functions and Protocols in the OSI Model . . . . . . . . . . . . . . 492 Tying the Layers Together . . . . . . . . . . . . . . . . . . . . . . . . . . . 494 Multilayer Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
TCP/IP Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498 IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503 IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506 Layer 2 Security Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 Converged Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Types of Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512 Analog and Digital . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512 Asynchronous and Synchronous . . . . . . . . . . . . . . . . . . . . . . 514 Broadband and Baseband . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Cabling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517 Coaxial Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517 Twisted-Pair Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518 Fiber-Optic Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519 Cabling Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Networking Foundations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522 Network Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 Media Access Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . 526 Transmission Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536 Network Protocols and Services . . . . . . . . . . . . . . . . . . . . . . . 538 Domain Name Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547 E-mail Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555 Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . 560 Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Networking Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567 Repeaters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567 Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
00-FM.indd 13 14/04/16 10:24 AM
CISSP All-in-One Exam Guide
xiv
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571 Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576 PBXs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577 Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581 Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605 Honeypot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607 Unified Threat Management . . . . . . . . . . . . . . . . . . . . . . . . . 607 Content Distribution Networks . . . . . . . . . . . . . . . . . . . . . . . 608 Software Defined Networking . . . . . . . . . . . . . . . . . . . . . . . . 609
Intranets and Extranets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612 Metropolitan Area Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Metro Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615 Wide Area Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Telecommunications Evolution . . . . . . . . . . . . . . . . . . . . . . . 617 Dedicated Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620 WAN Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Remote Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644 Dial-up Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644 ISDN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645 DSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647 Cable Modems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649 Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659 Wireless Communications Techniques . . . . . . . . . . . . . . . . . . 660 WLAN Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664 Evolution of WLAN Security . . . . . . . . . . . . . . . . . . . . . . . . 665 Wireless Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672 Best Practices for Securing WLANs . . . . . . . . . . . . . . . . . . . . 677 Satellites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678 Mobile Wireless Communication . . . . . . . . . . . . . . . . . . . . . 678
Network Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685 Link Encryption vs. End-to-End Encryption . . . . . . . . . . . . . 685 E-mail Encryption Standards . . . . . . . . . . . . . . . . . . . . . . . . . 687 Internet Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Network Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696 Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696 Sniffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698 DNS Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699 Drive-by Download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
00-FM.indd 14 14/04/16 10:24 AM
Contents
xv
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Chapter 5 Identity and Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Security Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723 Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723 Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
Identification, Authentication, Authorization, and Accountability . . . 724 Identification and Authentication . . . . . . . . . . . . . . . . . . . . . 727 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762 Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776 Identity as a Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785 Integrating Identity Services . . . . . . . . . . . . . . . . . . . . . . . . . 786
Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787 Discretionary Access Control . . . . . . . . . . . . . . . . . . . . . . . . . 787 Mandatory Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 789 Role-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 791 Rule-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Access Control Techniques and Technologies . . . . . . . . . . . . . . . . . 796 Constrained User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 796 Access Control Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797 Content-Dependent Access Control . . . . . . . . . . . . . . . . . . . 798 Context-Dependent Access Control . . . . . . . . . . . . . . . . . . . 799
Access Control Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799 Centralized Access Control Administration . . . . . . . . . . . . . . 800 Decentralized Access Control Administration . . . . . . . . . . . . 807
Access Control Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807 Access Control Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808 Administrative Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809 Physical Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810 Technical Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811
Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814 Review of Audit Information . . . . . . . . . . . . . . . . . . . . . . . . . 816 Protecting Audit Data and Log Information . . . . . . . . . . . . . 818 Keystroke Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 818
Access Control Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819 Unauthorized Disclosure of Information . . . . . . . . . . . . . . . . 819
Access Control Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822 Intrusion Detection Systems . . . . . . . . . . . . . . . . . . . . . . . . . 822 Intrusion Prevention Systems . . . . . . . . . . . . . . . . . . . . . . . . 830
Threats to Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834 Dictionary Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835 Brute-Force Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835 Spoofing at Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836 Phishing and Pharming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836
00-FM.indd 15 14/04/16 10:24 AM
CISSP All-in-One Exam Guide
xvi
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854
Chapter 6 Security Assessment and Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
Audit Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 860 Internal Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862 Third-Party Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863
Auditing Technical Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865 Vulnerability Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 866 Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869 War Dialing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 874 Other Vulnerability Types . . . . . . . . . . . . . . . . . . . . . . . . . . . 875 Postmortem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 876 Log Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878 Synthetic Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881 Misuse Case Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 882 Code Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 884 Interface Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
Auditing Administrative Controls . . . . . . . . . . . . . . . . . . . . . . . . . . 886 Account Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886 Backup Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889 Disaster Recovery and Business Continuity . . . . . . . . . . . . . . 892 Security Training and Security Awareness Training . . . . . . . . 899 Key Performance and Risk Indicators . . . . . . . . . . . . . . . . . . 903
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905 Technical Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 906 Executive Summaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 907
Management Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 908 Before the Management Review . . . . . . . . . . . . . . . . . . . . . . 909 Reviewing Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909 Management Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 914 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919
Chapter 7 Security Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
The Role of the Operations Department . . . . . . . . . . . . . . . . . . . . . 924 Administrative Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 925
Security and Network Personnel . . . . . . . . . . . . . . . . . . . . . . 928 Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 929 Clipping Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930
00-FM.indd 16 14/04/16 10:24 AM
Contents
xvii
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Assurance Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930 Operational Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931
Unusual or Unexplained Occurrences . . . . . . . . . . . . . . . . . . 931 Deviations from Standards . . . . . . . . . . . . . . . . . . . . . . . . . . 932 Unscheduled Initial Program Loads (aka Rebooting) . . . . . . . 932
Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933 Trusted Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933 Input and Output Controls . . . . . . . . . . . . . . . . . . . . . . . . . . 936 System Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 937 Remote Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 939
Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 940 Facility Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941 Personnel Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . 949 External Boundary Protection Mechanisms . . . . . . . . . . . . . . 950 Intrusion Detection Systems . . . . . . . . . . . . . . . . . . . . . . . . . 960 Patrol Force and Guards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 962 Dogs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963 Auditing Physical Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963
Secure Resource Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964 Asset Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964 Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . 966 Provisioning Cloud Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
Network and Resource Availability . . . . . . . . . . . . . . . . . . . . . . . . . 970 Mean Time Between Failures . . . . . . . . . . . . . . . . . . . . . . . . . 971 Mean Time to Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972 Single Points of Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 973 Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 981 Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 983
Preventative Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984 Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 985 Intrusion Detection and Prevention Systems . . . . . . . . . . . . . 986 Antimalware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988 Patch Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988 Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
The Incident Management Process . . . . . . . . . . . . . . . . . . . . . . . . . 993 Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 998 Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 998 Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 999 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1000 Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001 Remediation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001
Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002 Business Process Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006 Facility Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006
00-FM.indd 17 14/04/16 10:24 AM
CISSP All-in-One Exam Guide
xviii
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Supply and Technology Recovery . . . . . . . . . . . . . . . . . . . . . . 1013 Choosing a Software Backup Facility . . . . . . . . . . . . . . . . . . . 1018 End-User Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021 Data Backup Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021 Electronic Backup Solutions . . . . . . . . . . . . . . . . . . . . . . . . . 1025 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1028
Insurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1030 Recovery and Restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1031
Developing Goals for the Plans . . . . . . . . . . . . . . . . . . . . . . . 1034 Implementing Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036
Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1038 Computer Forensics and Proper Collection of Evidence . . . . 1039 Motive, Opportunity, and Means . . . . . . . . . . . . . . . . . . . . . 1041 Computer Criminal Behavior . . . . . . . . . . . . . . . . . . . . . . . . 1042 Incident Investigators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1042 The Forensic Investigation Process . . . . . . . . . . . . . . . . . . . . . 1043 What Is Admissible in Court? . . . . . . . . . . . . . . . . . . . . . . . . 1049 Surveillance, Search, and Seizure . . . . . . . . . . . . . . . . . . . . . . 1051 Interviewing Suspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1052
Liability and Its Ramifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1053 Liability Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1056 Third-Party Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1058 Contractual Agreements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1058 Procurement and Vendor Processes . . . . . . . . . . . . . . . . . . . . 1059
Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1060 Personal Safety Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1063 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1064 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1064
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1067 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1072
Chapter 8 Software Development Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077
Building Good Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077 Where Do We Place Security? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1078
Different Environments Demand Different Security . . . . . . . 1080 Environment vs. Application . . . . . . . . . . . . . . . . . . . . . . . . . 1081 Functionality vs. Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1082 Implementation and Default Issues . . . . . . . . . . . . . . . . . . . . 1082
Software Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . 1084 Project Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1084 Requirements Gathering Phase . . . . . . . . . . . . . . . . . . . . . . . 1085 Design Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1086 Development Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1089 Testing/Validation Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1093 Release/Maintenance Phase . . . . . . . . . . . . . . . . . . . . . . . . . . 1095
00-FM.indd 18 14/04/16 10:24 AM
Contents
xix
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Secure Software Development Best Practices . . . . . . . . . . . . . . . . . . 1097 Software Development Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1098
Build and Fix Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099 Waterfall Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099 V-Shaped Model (V-Model) . . . . . . . . . . . . . . . . . . . . . . . . . 1100 Prototyping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101 Incremental Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101 Spiral Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1102 Rapid Application Development . . . . . . . . . . . . . . . . . . . . . . 1104 Agile Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105
Integrated Product Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1109 DevOps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1109
Capability Maturity Model Integration . . . . . . . . . . . . . . . . . . . . . . 1111 Change Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1113
Software Configuration Management . . . . . . . . . . . . . . . . . . 1114 Security of Code Repositories . . . . . . . . . . . . . . . . . . . . . . . . 1116
Programming Languages and Concepts . . . . . . . . . . . . . . . . . . . . . . 1116 Assemblers, Compilers, Interpreters . . . . . . . . . . . . . . . . . . . . 1119 Object-Oriented Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . 1121 Other Software Development Concepts . . . . . . . . . . . . . . . . 1129 Application Programming Interfaces . . . . . . . . . . . . . . . . . . . 1131
Distributed Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1132 Distributed Computing Environment . . . . . . . . . . . . . . . . . . 1132 CORBA and ORBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1134 COM and DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1136 Java Platform, Enterprise Edition . . . . . . . . . . . . . . . . . . . . . 1138 Service-Oriented Architecture . . . . . . . . . . . . . . . . . . . . . . . . 1138
Mobile Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1142 Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1142 ActiveX Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1144
Web Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1146 Specific Threats for Web Environments . . . . . . . . . . . . . . . . . 1146 Web Application Security Principles . . . . . . . . . . . . . . . . . . . 1154
Database Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1155 Database Management Software . . . . . . . . . . . . . . . . . . . . . . 1155 Database Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1157 Database Programming Interfaces . . . . . . . . . . . . . . . . . . . . . 1161 Relational Database Components . . . . . . . . . . . . . . . . . . . . . 1164 Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1166 Database Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1169 Data Warehousing and Data Mining . . . . . . . . . . . . . . . . . . . 1174
Malicious Software (Malware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1178 Viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1179 Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1182
00-FM.indd 19 14/04/16 10:24 AM
CISSP All-in-One Exam Guide
xx
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Rootkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1182 Spyware and Adware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1184 Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1184 Logic Bombs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1186 Trojan Horses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1186 Antimalware Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1187 Spam Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1190 Antimalware Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1192
Assessing the Security of Acquired Software . . . . . . . . . . . . . . . . . . 1193 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1194 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1194
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1199 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1207
Appendix A Comprehensive Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1213
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1249
Appendix B About the CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1269
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1269 Total Tester Premium Practice Exam Software . . . . . . . . . . . . . . . . . 1269 Installing and Running Total Tester
Premium Practice Exam Software . . . . . . . . . . . . . . . . . . . . . . . . 1270 Hotspot and Drag-and-Drop Questions . . . . . . . . . . . . . . . . . . . . . 1270 PDF Copy of the Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1270 Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1271
Total Seminars Technical Support . . . . . . . . . . . . . . . . . . . . . 1271 McGraw-Hill Education Content Support . . . . . . . . . . . . . . 1271
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1273
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1291
00-FM.indd 20 14/04/16 10:24 AM
xxi
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
IN MEMORY OF SHON HARRIS
In the summer of 2014, Shon asked me to write a foreword for the new edition of her CISSP All-in-One Exam Guide. I was honored to do that, and the following two para- graphs are that original foreword. Following that, I will say more about my friend, the late Shon Harris.
The cyber security field is still relatively new and has been evolving as technology advances. Every decade or so, we have an advance or two that seems to change the game. For example, in the 1990s we were focused primarily on “perimeter defense.” Lots of money was spent on perimeter devices like firewalls to keep the bad guys out. Around 2000, recognizing that perimeter defense alone was insufficient, the “defense in depth” approach became popular, and we spent another decade trying to build layers of defense and detect the bad guys who were able to get past our perimeter defenses. Again, lots of money was spent, this time on intrusion detection, intrusion prevention, and end-point solutions. Then, around 2010, following the lead of the U.S. government in particular, we began to focus on “continuous monitoring,” the goal being to catch the bad guys inside the network if they get past the perimeter defense and the defense in depth. Security information and event management (SIEM) technology has emerged as the best way to handle this continuous monitoring requirement. The latest buzz phrase is “active defense,” which refers to the ability to respond in real time through a dynamic and changing defense that works to contain the attacker and allow the organization to recover quickly and get back to business. We are starting to see the re-emergence of honeypots combined with sandbox technology to bait and trap attackers for further analysis of their activity. One thing is common throughout this brief historical survey: the bad guys keep getting in and we keep responding to try and keep up, if not prevent them in the first place. This cat-and-mouse game will continue for the foreseeable future.
As the cyber security field continuously evolves to meet the latest emerging threats, each new strategy and tactic brings with it a new set of terminology and concepts for the security professional to master. The sheer bulk of the body of knowledge can be overwhelming, particularly to newcomers. As a security practitioner, consultant, and business leader, I am often asked by aspiring security practitioners where to start when trying to get into the field. I often refer them to Shon’s CISSP All-in-One Exam Guide, not necessarily for the purpose of becoming a CISSP, but so that they may have in one resource the body of knowledge in the field. I am also often asked by experienced security practitioners how to advance in the field. I encourage them to pursue CISSP certification and, once again, I refer them to Shon’s book. Some are destined to become leaders in the field, and the CISSP is a solid certificate for managers. Other security professionals I encounter are just looking for more breadth of knowledge, and I recommend Shon’s book to them too as a good one-stop reference for that. This book has stood the test of time. It has evolved as the field has evolved and stands as the single most important
00-FM.indd 21 14/04/16 10:24 AM
CISSP All-in-One Exam Guide
xxii
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
book in the cyber security field, period. I have personally referred to it several times throughout my career and keep a copy near me at all times on my Kindle. Simply put, if you are in the cyber security field, you need a copy of this book.
On a personal note, little did I know that within months of writing the preceding foreword, Shon would no longer be with us. I counted Shon as a good friend and still admire her for her contribution to the field. I met Shon at a CISSP boot camp in 2002. I had just learned of the CISSP and within weeks found myself in her class. I had no clue that she had already written several books by that time and was a true leader in the field. I must have chattered away during our lunch sessions, because a few months after the class, she reached out to me and said, “Hey, I remember you were interested in writing. I have a new project that I need help on. Would you like to help?” After an awkward pause, as I picked myself up from the floor, I told her that I felt underqualified, but yes! That started a journey that has blessed me many times over. The book was called Gray Hat Hacking and is now in the fourth edition. From the book came many consulting, writing, and teaching opportunities, such as Black Hat. Then, as I retired from the Marine Corps, in 2008, there was Shon, right on cue: “Hey, I have an opportunity to provide services to a large company. Would you like to help?” Just like that, I had my first large client, launching my company, which I was able to grow, with Shon’s help, and then sell a couple of years ago. During the 12 years I knew her, Shon continued to give me opportunities to become much more than I could have dreamed. She never asked for a thing in return, simply saying, “You take it and run with it, I am too busy doing other things.” As I think back over my career after the Marine Corps, I owe most of my success to Shon. I have shared this story with others and found that I am not the only one; Shon blessed so many people with her giving spirit. I am convinced there are many “Shon” stories like this one out there. She touched so many people in the security field and more than lived up to the nickname I had for her, Miss CISSP.
Without a doubt, Shon was the most kindhearted, generous, and humble person in the field. If you knew Shon, I know you would echo that sentiment. If you did not know Shon, I hope that through these few words, you understand why she was so special and why there had to be another edition of this book. I have been asked several times over the last year, “Do you think there will be another edition? The security field and CISSP certification have both changed so much, we need another edition.” For this reason, I am excited this new edition came to be. Shon would have wanted the book to go on helping people to be the best they can be. I believe we, as a profession, need this book to continue. So, I am thankful that the team from McGraw-Hill and Fernando are honoring Shon in this way and continuing her legacy. She truly deserves it. Shon, you are missed and loved by so many. Through this book, your generous spirit lives on, helping others.
Allen Harper, CISSP (thanks to Shon) EVP and Chief Hacker, Tangible Security, Inc.
00-FM.indd 22 14/04/16 10:24 AM
xxiii
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
FOREWORD
I’m excited and honored to introduce the seventh edition of CISSP All-in-One Exam Guide to cyber security experts worldwide. This study guide is essential for those pursu- ing CISSP certification and should be part of every cyber security professional’s library.
After 39 years of service in the Profession of Arms, I know well what it means to be a member of a profession and the importance of shared values, common language, and identity. At the same time, expert knowledge gained through training, education, and experience are critical ingredients to a profession, but formal certifications based on clearly articulated standards are the coin of the realm for cyber security professionals.
In every operational assignment, I sought ways to leverage technology and increase digitization, while assuming our freedom to operate was not at risk. Today’s threats coupled with our vulnerabilities and the potential consequences create a new operational reality—national security is at risk. When we enter any network, we must fight to ensure we maintain our security, and cyber security experts are the professionals we will call on to out-think and out-maneuver the threats we face from cyberspace.
As our world becomes more interconnected, we can expect cyber threats to continue to grow exponentially. While our cyber workforce enabled by technology must focus on preventing threats and reducing vulnerabilities, we will not eliminate either. This demands professionals who understand risk management and security—experts who are trusted and committed to creating and providing a wide range of security measures tailored to mitigate enterprise risk and assure all missions, public and private.
Current, relevant domain expertise is the key, and the CISSP All-in-One Exam Guide is the king of the hill. In this edition, Shon’s quality content is present and is being stewarded forward by Fernando Maymí. You’re in good hands, and you will grow personally and professionally, from your study. As competent, trusted professionals of character, this book is essential to you, your organization, and our national security.
Rhett Hernandez Lieutenant General, U.S. Army Retired
Former Commander, U.S. Army Cyber Command Current West Point Cyber Chair, Army Cyber Institute
00-FM.indd 23 14/04/16 10:24 AM
CertPrs8 / OCA Java SE 7 Programmer I Study Guide (Exam 1Z0-803) / Finegan & Liguori / 942-1 / Front Matter / Blind Folio ii
CertPrs8 / OCA Java SE 7 Programmer I Study Guide (Exam 1Z0-803) / Finegan & Liguori / 942-1 / Front Matter / Blind Folio iii
00-FM.indd 2 8/24/12 2:43 PM
This page is intentionally left blank to match the printed book.
xxv
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
ACKNOWLEDGMENTS
We would like to thank all the people who work in the information security industry who are driven by their passion, dedication, and a true sense of doing right. The best security people are the ones who are driven toward an ethical outcome.
In this seventh edition, we would also like to thank the following:
• Ronald Dodge, who brought the two authors of this book together and, in doing so, set off a sequence of events that he couldn’t have possibly anticipated.
• David Miller, whose work ethic, loyalty, and friendship have continuously in- spired us.
• All the teammates from Logical Security. • The men and women of our armed forces, who selflessly defend our way of life. • Kathy Conlon, who, more than anyone else, set the conditions that led to seven editions of this book.
• David Harris. • Emma Fernandez.
Most especially, we thank you, our readers, for standing on the frontlines of our digital conflicts and for devoting your professional lives to keeping all of us safe in cyberspace.
00-FM.indd 25 14/04/16 10:24 AM
CertPrs8 / OCA Java SE 7 Programmer I Study Guide (Exam 1Z0-803) / Finegan & Liguori / 942-1 / Front Matter / Blind Folio ii
CertPrs8 / OCA Java SE 7 Programmer I Study Guide (Exam 1Z0-803) / Finegan & Liguori / 942-1 / Front Matter / Blind Folio iii
00-FM.indd 2 8/24/12 2:43 PM
This page is intentionally left blank to match the printed book.
xxvii
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
FROM THE AUTHOR
For the first time in seven editions, the CISSP All-in-One Exam Guide bears the names of two authors. For the first time in 15 years, Shon Harris will not be with us as we go to print on a new edition of her seminal work. Still, she remains with us in the pages of the hundreds of thousands of books sold, which have enriched the lives of security profes- sionals worldwide. It is no exaggeration to say that Shon was one of the most influential authors in our field. Her legacy lives on in the pages of this latest edition.
Our goal in this seventh edition of Shon’s book was both to address the newly revised CISSP body of knowledge and to allow you to hear Shon’s voice as you read the words on its pages. You see, much of the content in this book was actually authored by Shon. We have reorganized, enhanced, augmented, and updated it, but the content is still largely hers. If you have read any of her multitude of other works or had the blessing of having met her, you will recognize her distinctive tone in these pages. We also hope that you will perceive her penchant for excellence in every aspect of professional development.
The goal of this book is not just to get you to pass the CISSP exam, but to provide you the bedrock of knowledge that will allow you to flourish as an information systems security professional before and after you pass the certification exam. If you strive for excellence in your own development, the CISSP certification will follow as a natural byproduct. This approach will demand that you devote time and energy to topics and issues that may seem to have no direct or immediate return on investment. That is OK. We each have our own areas of strength and weakness, and many of us tend to reinforce the former while ignoring the latter. This leads to individuals who have tremendous depth in a very specific topic, but who lack the breadth to understand context or thrive in new and unexpected conditions. What we propose is an inversion of this natural tendency, so that we devote appropriate amounts of effort to those areas in which we are weakest. What we propose is that we balance the urge to be specialists with the need to be well-rounded professionals. This is what our organizations and societies need from us.
The very definition of a profession describes a group of trusted, well-trained individuals that performs a critical service that societies cannot do for themselves. In the case of the CISSP, this professional ensures the confidentiality, integrity, and availability of our information systems. This cannot be done simply by being the best firewall administrator, or the best forensic examiner, or the best reverse engineer. Instead, our service requires a breadth of knowledge that will allow us to choose the right tool for the job. This relevant knowledge, in turn, requires a foundation of (apparently less relevant) knowledge upon which we can build our expertise. This is why, in order to be competent professionals, we all need to devote ourselves to learning topics that may not be immediately useful.
This book provides an encyclopedic treatment of both directly applicable and foundational knowledge. It is designed, as it always was, to be both a study guide and an enduring reference. Our hope is that, long after you obtain your CISSP certification, you will turn to this tome time and again to brush up on your areas of weakness as well as to guide you in a lifelong pursuit of self-learning and excellence.
00-FM.indd 27 14/04/16 10:24 AM
CertPrs8 / OCA Java SE 7 Programmer I Study Guide (Exam 1Z0-803) / Finegan & Liguori / 942-1 / Front Matter / Blind Folio ii
CertPrs8 / OCA Java SE 7 Programmer I Study Guide (Exam 1Z0-803) / Finegan & Liguori / 942-1 / Front Matter / Blind Folio iii
00-FM.indd 2 8/24/12 2:43 PM
This page is intentionally left blank to match the printed book.
xxix
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
WHY BECOME A CISSP?
As our world changes, the need for improvements in security and technology continues to grow. Corporations and other organizations are desperate to identify and recruit talented and experienced security professionals to help protect the resources on which they depend to run their businesses and remain competitive. As a Certified Information Systems Security Professional (CISSP), you will be seen as a security professional of proven ability who has successfully met a predefined standard of knowledge and expe- rience that is well understood and respected throughout the industry. By keeping this certification current, you will demonstrate your dedication to staying abreast of security developments.
Consider some of the reasons for attaining a CISSP certification:
• To broaden your current knowledge of security concepts and practices • To demonstrate your expertise as a seasoned security professional • To become more marketable in a competitive workforce • To increase your salary and be eligible for more employment opportunities • To bring improved security expertise to your current occupation • To show a dedication to the security discipline
The CISSP certification helps companies identify which individuals have the ability, knowledge, and experience necessary to implement solid security practices; perform risk analysis; identify necessary countermeasures; and help the organization as a whole protect its facility, network, systems, and information. The CISSP certification also shows potential employers you have achieved a level of proficiency and expertise in skill sets and knowledge required by the security industry. The increasing importance placed on security in corporate success will only continue in the future, leading to even greater demands for highly skilled security professionals. The CISSP certification shows that a respected third-party organization has recognized an individual’s technical and theoretical knowledge and expertise, and distinguishes that individual from those who lack this level of knowledge.
Understanding and implementing security practices is an essential part of being a good network administrator, programmer, or engineer. Job descriptions that do not specifically target security professionals still often require that a potential candidate have a good understanding of security concepts as well as how to implement them. Due to staff size and budget restraints, many organizations can’t afford separate network and security staffs. But they still believe security is vital to their organization. Thus, they often try to combine knowledge of technology and security into a single role. With a CISSP designation, you can put yourself head and shoulders above other individuals in this regard.
00-FM.indd 29 14/04/16 10:24 AM
CISSP All-in-One Exam Guide
xxx
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
The CISSP Exam Because the CISSP exam covers the eight domains making up the CISSP Common Body of Knowledge (CBK), it is often described as being “an inch deep and a mile wide,” a reference to the fact that many questions on the exam are not very detailed and do not require you to be an expert in every subject. However, the questions do require you to be familiar with many different security subjects.
The CISSP exam comprises 250 multiple-choice and innovative questions, which must be answered in no more than 6 hours. Innovative questions incorporate drag- and-drop (i.e., take a term or item and drag it to the correct position in the frame) or hotspot (i.e., click the item or term that correctly answers the question) interfaces, but are otherwise weighed and scored just like any other question. The questions are pulled from a much larger question bank to ensure the exam is as unique as possible for each entrant. In addition, the test bank constantly changes and evolves to more accurately reflect the real world of security. The exam questions are continually rotated and replaced in the bank as necessary. Only 225 questions are graded, while 25 are used for research purposes. The 25 research questions are integrated into the exam, so you won’t know which go toward your final grade. To pass the exam, you need a scale score of 700 points out of 1,000. Questions are weighted based on their difficulty; not all questions are worth the same number of points. The exam is not product or vendor oriented, meaning no questions will be specific to certain products or vendors (for instance, Windows, Unix, or Cisco). Instead, you will be tested on the security models and methodologies used by these types of systems.
EXAM TIP There is no penalty for guessing. If you can’t come up with the right answer in a reasonable amount of time, then you should guess and move on to the next question.
(ISC)2, which stands for International Information Systems Security Certification Consortium, also includes scenario-based questions in the CISSP exam. These questions present a short scenario to the test taker rather than asking the test taker to identify terms and/or concepts. The goal of the scenario-based questions is to ensure that test takers not only know and understand the concepts within the CBK, but also can apply this knowledge to real-life situations. This is more practical because in the real world, you won’t be challenged by having someone asking you “What is the definition of collusion?” You need to know how to detect and prevent collusion from taking place, in addition to knowing the definition of the term.
After passing the exam, you will be asked to supply documentation, supported by a sponsor, proving that you indeed have the type of experience required to obtain this certification. The sponsor must sign a document vouching for the security experience you are submitting. So, make sure you have this sponsor lined up prior to registering for the exam and providing payment. You don’t want to pay for and pass the exam, only to find you can’t find a sponsor for the final step needed to achieve your certification.
00-FM.indd 30 14/04/16 10:24 AM
Why Become a CISSP?
xxxi
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
The reason behind the sponsorship requirement is to ensure that those who achieve the certification have real-world experience to offer organizations. Book knowledge is extremely important for understanding theory, concepts, standards, and regulations, but it can never replace hands-on experience. Proving your practical experience supports the relevance of the certification.
A small sample group of individuals selected at random will be audited after passing the exam. The audit consists mainly of individuals from (ISC)2 calling on the candidates’ sponsors and contacts to verify the test taker’s related experience.
One of the factors that makes the CISSP exam challenging is that most candidates, although they work in the security field, are not necessarily familiar with all eight CBK domains. If a security professional is considered an expert in vulnerability testing or application security, for example, she may not be familiar with physical security, cryptography, or forensics. Thus, studying for this exam will broaden your knowledge of the security field.
The exam questions address the eight CBK security domains, which are described in Table 1.
Domain Description
Security and Risk Management
This domain covers many of the foundational concepts of information systems security. Some of the topics covered include
• The principles of availability, integrity, and confidentiality • Security governance and compliance • Legal and regulatory issues • Professional ethics • Personnel security policies • Risk management • Threat modeling
Asset Security This domain examines the protection of information assets throughout their life cycle. Some of the topics covered include
• Information classification • Maintaining ownership • Privacy • Retention • Data security controls • Handling requirements
Security Engineering
This domain examines the development of information systems that remain secure in the face of a myriad of threats. Some of the topics covered include
• Security design principles • Selection of effective controls • Mitigation of vulnerabilities • Cryptography • Secure site and facility design • Physical security
Table 1 Security Domains That Make Up the CISSP CBK (continued)
00-FM.indd 31 14/04/16 10:24 AM
CISSP All-in-One Exam Guide
xxxii
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Table 1 Security Domains That Make Up the CISSP CBK
Domain Description
Communication and Network Security
This domain examines network architectures, communications technologies, and network protocols with a goal of understanding how to secure them. Some of the topics covered include
• Secure network architectures • Network components • Secure communications channels • Network attacks
Identity and Access Management
Identity and access management is one of the most important topics in information security. This domain covers the interactions between users and systems as well as between systems and other systems. Some of the topics covered include
• Controlling physical and logical access • Identification and authentication • Identity as a Service • Third-party identity services • Authorization methods • Access control attacks
Security Assessment and Testing
This domain examines ways to verify the security of our information systems. Some of the topics covered include
• Assessment and testing strategies • Testing security controls • Collecting security process data • Analyzing and reporting results • Conducting and facilitating audits
Security Operations
This domain covers the many activities involved in the daily business of maintaining the security of our networks. Some of the topics covered include • Supporting investigations • Logging and monitoring • Secure provisioning of resources • Incident management • Preventative measures • Change management • Business continuity • Managing physical security
Software Development Security
This domain examines the application of security principles to the acquisition and development of software systems. Some of the topics covered include • Security in the software development life cycle • Security controls in development activities • Assessing software security • Assessing the security implications of acquired software
00-FM.indd 32 14/04/16 10:24 AM
Why Become a CISSP?
xxxiii
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
(ISC)2 attempts to keep up with changes in technology and methodologies in the security field by adding numerous new questions to the test question bank each year. These questions are based on current technologies, practices, approaches, and standards. For example, the CISSP exam given in 1998 did not have questions pertaining to wireless security, cross-site scripting attacks, or IPv6.
What Does This Book Cover? This book covers everything you need to know to become an (ISC)2-certified CISSP. It teaches you the hows and whys behind organizations’ development and implementa- tion of policies, procedures, guidelines, and standards. It covers network, application, and system vulnerabilities; what exploits them; and how to counter these threats. The book explains physical security, operational security, and why systems implement the security mechanisms they do. It also reviews the U.S. and international security criteria and evaluations performed on systems for assurance ratings, what these criteria mean, and why they are used. This book also explains the legal and liability issues that surround computer systems and the data they hold, including such subjects as computer crimes, forensics, and what should be done to properly prepare computer evidence associated with these topics for court.
While this book is mainly intended to be used as a study guide for the CISSP exam, it is also a handy reference guide for use after your certification.
Tips for Taking the CISSP Exam Many people feel as though the exam questions are tricky. Make sure to read each ques- tion and its answer choices thoroughly instead of reading a few words and immediately assuming you know what the question is asking. Some of the answer choices may have only subtle differences, so be patient and devote time to reading through the question more than once.
A common complaint heard about the CISSP exam is that some questions seem a bit subjective. For example, whereas it might be easy to answer a technical question that asks for the exact mechanism used in Transport Layer Security (TLS) that protects against man-in-the-middle attacks, it’s not quite as easy to answer a question that asks whether an eight-foot perimeter fence provides low, medium, or high security. Many questions ask the test taker to choose the “best” approach, which some people find confusing and subjective. These complaints are mentioned here not to criticize (ISC)2 and the exam writers, but to help you better prepare for the exam. This book covers all the necessary material for the exam and contains many questions and self-practice tests. Most of the questions are formatted in such a way as to better prepare you for what you will encounter on the actual exam. So, make sure to read all the material in the book, and pay close attention to the questions and their formats. Even if you know the subject well, you may still get some answers wrong—it is just part of learning how to take tests.
In answering many questions, it is important to keep in mind that some things are inherently more valuable than others. For example, the protection of human lives and welfare will almost always trump all other responses. Similarly, if all other factors are equal
00-FM.indd 33 14/04/16 10:24 AM
CISSP All-in-One Exam Guide
xxxiv
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
and you are given a choice between an expensive and complex solution and a simpler and cheaper one, the second will win most of the time. Expert advice (e.g., from an attorney) is more valuable than that offered by someone with lesser credentials. If one of the possible responses to a question is to seek or obtain advice from an expert, pay close attention to that question. The correct response may very well be to seek out that expert.
Familiarize yourself with industry standards and expand your technical knowledge and methodologies outside the boundaries of what you use today. We cannot stress enough that just because you are the top dog in your particular field, it doesn’t mean you are properly prepared for every domain the exam covers.
When you take the CISSP exam at the Pearson VUE test center, other certification exams may be taking place simultaneously in the same room. Don’t feel rushed if you see others leaving the room early; they may be taking a shorter exam.
How to Use This Book Much effort has gone into putting all the necessary information into this book. Now it’s up to you to study and understand the material and its various concepts. To best benefit from this book, you might want to use the following study method:
• Study each chapter carefully and make sure you understand each concept presented. Many concepts must be fully understood, and glossing over a couple here and there could be detrimental to you. The CISSP CBK contains hundreds of individual topics, so take the time needed to understand them all.
• Make sure to study and answer all of the questions. If any questions confuse you, go back and study those sections again. Remember, some of the questions on the actual exam are a bit confusing because they do not seem straightforward. Do not ignore the confusing questions, thinking they’re not well worded. Instead, pay even closer attention to them because they are there for a reason.
• If you are not familiar with specific topics, such as firewalls, laws, physical security, or protocol functionality, use other sources of information (books, articles, and so on) to attain a more in-depth understanding of those subjects. Don’t just rely on what you think you need to know to pass the CISSP exam.
• After reading this book, study the questions and answers, and take the practice tests. Then review the (ISC)2 exam outline and make sure you are comfortable with each bullet item presented. If you are not comfortable with some items, revisit those chapters.
• If you have taken other certification exams—such as Cisco, Novell, or Microsoft— you might be used to having to memorize details and configuration parameters. But remember, the CISSP test is “an inch deep and a mile wide,” so make sure you understand the concepts of each subject before trying to memorize the small, specific details.
• Remember that the exam is looking for the “best” answer. On some questions test takers do not agree with any or many of the answers. You are being asked to choose the best answer out of the four being offered to you.
00-FM.indd 34 14/04/16 10:24 AM
CHAPTER
1
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1
1Security and Risk Management This chapter presents the following:
• Security terminology and principles • Protection control types • Security frameworks, models, standards, and best practices • Computer laws and crimes • Intellectual property • Data breaches • Risk management • Threat modeling • Business continuity and disaster recovery • Personnel security • Security governance
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards—and even then
I have my doubts.
—Eugene H. Spafford
In reality, organizations have many other things to do than practice security. Businesses exist to make money. Most nonprofit organizations exist to offer some type of service, as in charities, educational centers, and religious entities. None of them exist specifi- cally to deploy and maintain firewalls, intrusion detection systems, identity management technologies, and encryption devices. No business really wants to develop hundreds of security policies, deploy antimalware products, maintain vulnerability management sys- tems, constantly update its incident response capabilities, and have to comply with the alphabet soup of security laws, regulations, and standards such as SOX (Sarbanes-Oxley), GLBA (Gramm-Leach-Bliley Act), PCI DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), and FISMA (Federal Information Security Management Act). Business owners would like to be able to make their widgets, sell their widgets, and go home. But those simpler days are long
01-ch01.indd 1 14/04/16 11:41 AM
CISSP All-in-One Exam Guide
2
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1
gone. Now organizations are faced with attackers who want to steal businesses’ customer data to carry out identity theft and banking fraud. Company secrets are commonly being stolen by internal and external entities for economic espionage purposes. Systems are being hijacked and used within botnets to attack other organizations or to spread spam. Company funds are being secretly siphoned off through complex and hard-to-identify digital methods, commonly by organized criminal rings in different countries. And orga- nizations that find themselves in the crosshairs of attackers may come under constant attack that brings their systems and websites offline for hours or days. Companies are required to practice a wide range of security disciplines today to keep their market share, protect their customers and bottom line, stay out of jail, and still sell their widgets.
In this chapter we will cover many of the disciplines that are necessary for organizations to practice security in a holistic manner. Each organization must develop an enterprise- wide security program that consists of technologies, procedures, and processes covered throughout this book. As you go along in your security career, you will find that most organizations have some pieces to the puzzle of an “enterprise-wide security program” in place, but not all of them. And almost every organization struggles with the best way to assess the risks it faces and how to allocate funds and resources properly to mitigate those risks. Many of the security programs in place today can be thought of as lopsided or lumpy. The security programs excel within the disciplines that the team is most familiar with, and the other disciplines are found lacking. It is your responsibility to become as well rounded in security as possible so that you can identify these deficiencies in security programs and help improve upon them. This is why the CISSP exam covers a wide variety of technologies, methodologies, and processes—you must know and understand them holistically if you are going to help an organization carry out security holistically.
We will begin with the foundational pieces of security and build upon them through the chapter and then throughout the book. Building your knowledge base is similar to building a house: without a solid foundation, it will be weak, unpredictable, and fail in the most critical of moments. Our goal is to make sure you have solid and deep roots of understanding so that you can not only protect yourself against many of the threats we face today, but also protect the commercial and government organizations who depend upon you and your skill set.
The essence of our work as security professionals is our understanding of two key terms: security and risk. Since security is what we are charged with providing to our organizations, it is a good idea to spend some time defining this and related terms. A good way to understand key terms in a broader societal context is to explore the laws and crimes around them, together with the concomitant tradeoffs that we must make lest we sacrifice privacy in the name of crime fighting. Building on this foundation, we next turn our attention to the concept that should underlie every decision made when defending our information systems: risk. Risk is so important that we will cover it in detail in this chapter, but will also return to it time and again in the rest of the book. We start off narrowly, but focusing on the malicious threats to our organizations; we also widen our aperture to include accidental and environmental threats and how to prepare for them by planning for business continuity and disaster recovery. Finally, we will close
01-ch01.indd 2 14/04/16 11:42 AM
Chapter 1: Security and Risk Management
3
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1
with discussions on personnel, governance, and ethics and how they apply to all that has preceded them in this chapter.
Fundamental Principles of Security We need to understand the core goals of security, which are to provide availability, integ- rity, and confidentiality (AIC triad) protection for critical assets. Each asset will require different levels of these types of protection, as we will see in the following sections. All security controls, mechanisms, and safeguards are implemented to provide one or more of these protection types, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles.
Availability
Security objectives
Integrity Confidentiality
NOTE In some documentation, the “triad” is presented as CIA: confidentiality, integrity, and availability.
Availability Availability protection ensures reliability and timely access to data and resources to authorized individuals. Network devices, computers, and applications should provide adequate functionality to perform in a predictable manner with an acceptable level of
01-ch01.indd 3 14/04/16 11:42 AM
CISSP All-in-One Exam Guide
4
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1
performance. They should be able to recover from disruptions in a secure and quick fashion so productivity is not negatively affected. Necessary protection mechanisms must be in place to protect against inside and outside threats that could affect the availability and productivity of all business-processing components.
Like many things in life, ensuring the availability of the necessary resources within an organization sounds easier to accomplish than it really is. Networks have many pieces that must stay up and running (routers, switches, DNS servers, DHCP servers, proxies, firewalls, and so on). Software has many components that must be executing in a healthy manner (operating system, applications, antimalware software, and so forth). And an organization’s operations can potentially be negatively affected by environmental aspects (such as fire, flood, HVAC issues, or electrical problems), natural disasters, and physical theft or attacks. An organization must fully understand its operational environment and its availability weaknesses so that it can put in place the proper countermeasures.
Integrity Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modification is prevented. Hardware, software, and communication mechanisms must work in concert to maintain and pro- cess data correctly and to move data to intended destinations without unexpected alteration. The systems and network should be protected from outside interference and contamination.
Environments that enforce and provide this attribute of security ensure that attackers, or mistakes by users, do not compromise the integrity of systems or data. When an attacker inserts a virus, logic bomb, or back door into a system, the system’s integrity is compromised. This can, in turn, harm the integrity of information held on the system by way of corruption, malicious modification, or the replacement of data with incorrect data. Strict access controls, intrusion detection, and hashing can combat these threats.
Users usually affect a system or its data’s integrity by mistake (although internal users may also commit malicious deeds). For example, users with a full hard drive may unwittingly delete configuration files under the mistaken assumption that deleting a file must be okay because they don’t remember ever using it. Or, for example, a user may insert incorrect values into a data-processing application that ends up charging a customer $3,000 instead of $300. Incorrectly modifying data kept in databases is another common way users may accidentally corrupt data—a mistake that can have lasting effects.
Security should streamline users’ capabilities and give them only certain choices and functionality, so errors become less common and less devastating. System-critical files should be restricted from viewing and access by users. Applications should provide mechanisms that check for valid and reasonable input values. Databases should let only authorized individuals modify data, and data in transit should be protected by encryption or other mechanisms.
01-ch01.indd 4 14/04/16 11:42 AM
Chapter 1: Security and Risk Management
5
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1
Confidentiality Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of secrecy should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination.
Attackers can thwart confidentiality mechanisms by network monitoring, shoulder surfing, stealing password files, breaking encryption schemes, and social engineering. These topics will be addressed in more depth in later chapters, but briefly, shoulder surfing is when a person looks over another person’s shoulder and watches their keystrokes or views data as it appears on a computer screen. Social engineering is when one person tricks another person into sharing confidential information, for example, by posing as someone authorized to have access to that information. Social engineering can take many forms. Any one-to-one communication medium can be used to perform social engineering attacks.
Users can intentionally or accidentally disclose sensitive information by not encrypting it before sending it to another person, by falling prey to a social engineering attack, by sharing a company’s trade secrets, or by not using extra care to protect confidential information when processing it.
Confidentiality can be provided by encrypting data as it is stored and transmitted, by enforcing strict access control and data classification, and by training personnel on the proper data protection procedures.
Availability, integrity, and confidentiality are critical principles of security. You should understand their meaning, how they are provided by different mechanisms, and how their absence can negatively affect an organization.
Balanced Security In reality, when information security is dealt with, it is commonly only through the lens of keeping secrets secret (confidentiality). The integrity and availability threats can be overlooked and only dealt with after they are properly compromised. Some assets have a critical confidentiality requirement (company trade secrets), some have critical integrity requirements (financial transaction values), and some have critical availability requirements (e-commerce web servers). Many people understand the con- cepts of the AIC triad, but may not fully appreciate the complexity of implementing the necessary controls to provide all the protection these concepts cover. The follow- ing provides a short list of some of these controls and how they map to the components of the AIC triad.
Availability:
• Redundant array of independent disks (RAID) • Clustering • Load balancing • Redundant data and power lines
01-ch01.indd 5 14/04/16 11:42 AM
CISSP All-in-One Exam Guide
6
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1
• Software and data backups • Disk shadowing • Co-location and offsite facilities • Rollback functions • Failover configurations
Integrity:
• Hashing (data integrity) • Configuration management (system integrity) • Change control (process integrity) • Access control (physical and technical) • Software digital signing • Transmission cyclic redundancy check (CRC) functions
Confidentiality:
• Encryption for data at rest (whole disk, database encryption) • Encryption for data in transit (IPSec, TLS, PPTP, SSH, described in Chapter 4) • Access control (physical and technical)
All of these control types will be covered in this book. What is important to realize at this point is that while the concept of the AIC triad may seem simplistic, meeting its requirements is commonly more challenging.
Security Definitions The words “vulnerability,” “threat,” “risk,” and “exposure” are often interchanged, even though they have different meanings. It is important to understand each word’s defini- tion and the relationships between the concepts they represent.
A vulnerability is a weakness in a system that allows a threat source to compromise its security. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.
A threat is any potential danger that is associated with the exploitation of a vulnerability. If the threat is that someone will identify a specific vulnerability and use it against the company or individual, then the entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a
01-ch01.indd 6 14/04/16 11:42 AM
Chapter 1: Security and Risk Management
7
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1
port on the firewall, a process accessing data in a way that violates the security policy, or an employee circumventing controls in order to copy files to a medium that could expose confidential information.
A risk is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized method. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.
An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages. If password management is lax and password rules are not enforced, the company is exposed to the possibility of having users’ passwords compromised and used in an unauthorized manner. If a company does not have its wiring inspected and does not put proactive fire prevention steps into place, it exposes itself to potentially devastating fires.
A control, or countermeasure, is put into place to mitigate (reduce) the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit a vulnerability. Examples of countermeasures include strong password management, firewalls, a security guard, access control mechanisms, encryption, and security-awareness training.
NOTE The terms “control,” “countermeasure,” and “safeguard” are interchangeable terms. They are mechanisms put into place to reduce risk.
If a company has antimalware software but does not keep the signatures up to date, this is a vulnerability. The company is vulnerable to malware attacks. The threat is that a virus will show up in the environment and disrupt productivity. The risk is the likelihood of a virus showing up in the environment and causing damage and the resulting potential damage. If a virus infiltrates the company’s environment, then a vulnerability has been exploited and the company is exposed to loss. The countermeasures in this situation are to update the signatures and install the antimalware software on all computers. The relationships among risks, vulnerabilities, threats, and countermeasures are shown in Figure 1-1.
Applying the right countermeasure can eliminate the vulnerability and exposure, and thus reduce the risk. The company cannot eliminate the threat agent, but it can protect itself and prevent this threat agent from exploiting vulnerabilities within the environment.
01-ch01.indd 7 14/04/16 11:42 AM
CISSP All-in-One Exam Guide
8
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1
Many people gloss over these basic terms with the idea that they are not as important as the sexier things in information security. But you will find that unless a security team has an agreed-upon language in place, confusion will quickly take over. These terms embrace the core concepts of security, and if they are confused in any manner, then the activities that are rolled out to enforce security are commonly confused.
Control Types Up to this point we have covered the goals of security (availability, integrity, confidenti- ality) and the terminology used in the security industry (vulnerability, threat, risk, con- trol). These are foundational components that must be understood if security is going to take place in an organized manner. The next foundational issue we are going to tackle is control types that can be implemented and their associated functionality.
Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as “soft controls” because they are more management oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are
Gives rise to
Threat agent
Threat
Exploits
Leads to
Vulnerability
Risk
Directly affects Asset Can damage
And causes anExposure
Safeguard Can be countermeasured by a
Figure 1-1 The relationships among the different security concepts
01-ch01.indd 8 14/04/16 11:42 AM
Chapter 1: Security and Risk Management
9
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1
software or hardware components, as in firewalls, IDS, encryption, and identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.
These control types need to be put into place to provide defense-in-depth, which is the coordinated use of multiple security controls in a layered approach, as shown in Figure 1-2. A multilayered defense system minimizes the probability of successful penetration and compromise because an attacker would have to get through several different types of protection mechanisms before she gained access to the critical assets. For example, Company A can have the following physical controls in place that work in a layered model:
• Fence • Locked external doors • Closed-circuit TV • Security guard • Locked internal doors • Locked server room • Physically secured computers (cable locks)
Potential threat
Asset
Physical security
Virus scanners
Patch management
Rule-based access control
Account management
Secure architecture
Demilitarized zones (DMZs)
Firewalls
Virtual private networks (VPNs)
Policies and procedures
Figure 1-2 Defense-in-depth
01-ch01.indd 9 14/04/16 11:42 AM
Moose
Highlight
CISSP All-in-One Exam Guide
10
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1
Technical controls that are commonly put into place to provide this type of layered approach are
• Firewalls • Intrusion detection system • Intrusion prevention systems • Antimalware • Access control • Encryption
The types of controls that are actually implemented must map to the threats the company faces, and the number of layers that are put into place must map to the sensitivity of the asset. The rule of thumb is the more sensitive the asset, the more layers of protection that must be put into place.
So the different categories of controls that can be used are administrative, technical, and physical. But what do these controls actually do for us? We need to understand the different functionality that each control type can provide us in our quest to secure our environments.
The different functionalities of security controls are preventive, detective, corrective, deterrent, recovery, and compensating. By having a better understanding of the different control functionalities, you will be able to make more informed decisions about what controls will be best used in specific situations. The six different control functionalities are as follows:
• Preventive Intended to avoid an incident from occurring • Detective Helps identify an incident’s activities and potentially an intruder • Corrective Fixes components or systems after an incident has occurred • Deterrent Intended to discourage a potential attacker • Recovery Intended to bring the environment back to regular operations • Compensating Controls that provide an alternative measure of control
Once you understand fully what the different controls do, you can use them in the right locations for specific risks.
When looking at a security structure of an environment, it is most productive to use a preventive model and then use detective, corrective, and recovery mechanisms to help support this model. Basically, you want to stop any trouble before it starts, but you must be able to quickly react and combat trouble if it does find you. It is not feasible to prevent everything; therefore, what you cannot prevent, you should be able to quickly detect. That’s why preventive and detective controls should always be implemented together and should complement each other. To take this concept further: what you can’t prevent, you should be able to detect, and if you detect something, it means you weren’t able to prevent it, and therefore you should take corrective action to make sure it is indeed
01-ch01.indd 10 14/04/16 11:42 AM
Chapter 1: Security and Risk Management
11
All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1
prevented the next time around. Therefore, all three types work together: preventive, detective, and corrective.
The control types described next (administrative, physical, and technical) are preventive in nature. These are important to understand when developing an enterprise- wide security program.
Preventive: Administrative
• Policies and procedures • Effective hiring practices • Pre-employment background checks • Controlled termination processes • Data classification and labeling • Security awareness
Preventive: Physical
• Badges, swipe cards • Guards, dogs • Fences, locks, mantraps
Preventive: Technical
• Passwords, biometrics, smart cards • Encryption, secure protocols, call-back systems, database views, constrained user
interfaces • Antimalware software, access control lists, firewalls, intrusion prevention system
Table 1-1 shows how these types of control mechanisms perform different security functions. Many students get themselves wrapped around the axle when trying to get their mind around which control provides which functionality. This is how this train of thought usually takes place: “A firewall is a preventive control, but if an attacker knew that it was in place it could be a deterrent.” Let’s stop right here. Do not make this any harder than it has to be. When trying to map the functionality requirement to a control, think of the main reason that control would be put into place. A firewall tries to prevent something bad from taking place, so it is a preventative control. Auditing logs is done after an event took place, so it is detective. A data backup system is developed so that data can be recovered; thus, this is a recovery control. Computer images are created so that if software gets corrupted, they can be reloaded; thus, this is a corrective control.
One control functionality that some people struggle with is a compensating control. Let’s look at some examples of compensating controls to best explain their function. If your company needed to implement strong physical security, you might suggest to
| Writer | Writer Name | Amount | Client Comments & Rating |
|---|---|---|---|
ONLINE |
Instant Homework Helper |
$36 |
She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up! |
Custom Original Solution And Get A+ Grades
Custom Original Solution And Get A+ Grades
Custom Original Solution And Get A+ Grades
| Writer | Writer Name | Offer | Chat |
|---|---|---|---|
ONLINE |
Professional AccountantI am an academic and research writer with having an MBA degree in business and finance. I have written many business reports on several topics and am well aware of all academic referencing styles. |
$23 | Chat With Writer |
ONLINE |
Math SpecialistThis project is my strength and I can fulfill your requirements properly within your given deadline. I always give plagiarism-free work to my clients at very competitive prices. |
$38 | Chat With Writer |
ONLINE |
Professor SmithI have read your project details and I can provide you QUALITY WORK within your given timeline and budget. |
$36 | Chat With Writer |
ONLINE |
Engineering HelpI am an academic and research writer with having an MBA degree in business and finance. I have written many business reports on several topics and am well aware of all academic referencing styles. |
$40 | Chat With Writer |
ONLINE |
Quick N QualityI have read your project details and I can provide you QUALITY WORK within your given timeline and budget. |
$15 | Chat With Writer |
ONLINE |
Top Essay TutorI have read your project details and I can provide you QUALITY WORK within your given timeline and budget. |
$44 | Chat With Writer |
Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.