
Shon harris cause of death

16/12/2020 Client: saad24vbs Deadline: 7 Days

All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter Blind Folio i


ALL IN ONE


CISSP® EXAM GUIDE


Seventh Edition


Shon Harris Fernando Maymí


New York Chicago San Francisco Athens London Madrid Mexico City Milan New Delhi Singapore Sydney Toronto


McGraw-Hill Education is an independent entity from (ISC)2® and is not affiliated with (ISC)2 in any manner. This study/ training guide and/or material is not sponsored by, endorsed by, or affiliated with (ISC)2 in any manner. This publication and CD may be used in assisting students to prepare for the CISSP exam. Neither (ISC)2 nor McGraw-Hill Education warrants that use of this publication and CD will ensure passing any exam. (ISC)2®, CISSP®, CAP®, ISSAP®, ISSEP®, ISSMP®, SSCP®, CCSP®, and CBK® are trademarks or registered trademarks of (ISC)2 in the United States and certain other countries. All other trademarks are trademarks of their respective owners.


00-FM.indd 1 14/04/16 10:24 AM




McGraw-Hill Education books are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative, please visit the Contact Us pages at www.mhprofessional.com.


CISSP® All-in-One Exam Guide, Seventh Edition


Copyright © 2016 by McGraw-Hill Education. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.


All trademarks or copyrights mentioned herein are the possession of their respective owners and McGraw-Hill Education makes no claim of ownership by the mention of products that contain these marks.


1 2 3 4 5 6 7 8 9 DOC 21 20 19 18 17 16


ISBN: Book p/n 978-0-07-184961-6 and CD p/n 978-0-07-184925-8 of set 978-0-07-184927-2


MHID: Book p/n 0-07-184961-0 and CD p/n 0-07-184925-4 of set 0-07-184927-0


Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.


Sponsoring Editor: Wendy Rinaldi
Editorial Supervisor: Janet Walden
Project Manager: Yashmita Hota, Cenveo® Publisher Services
Acquisitions Coordinator: Amy Stonebraker
Technical Editor: Jonathan Ham
Copy Editor: William McManus
Proofreader: Lisa McCoy
Indexer: Karin Arrigoni
Production Supervisor: James Kussow
Composition: Cenveo Publisher Services
Illustration: Cenveo Publisher Services
Art Director, Cover: Jeff Weeks


Library of Congress Cataloging-in-Publication Data


Names: Harris, Shon, author. | Maymi, Fernando, author.
Title: CISSP exam guide / Shon Harris, Fernando Maymi.
Other titles: CISSP all-in-one exam guide
Description: Seventh edition. | New York : McGraw-Hill Education, 2016. | Includes index.
Identifiers: LCCN 2016017045 (print) | LCCN 2016017235 (ebook) | ISBN 9780071849272 (set : alk. paper) | ISBN 9780071849616 (book : alk. paper) | ISBN 9780071849258 (CD) | ISBN 0071849270 (set : alk. paper) | ISBN 0071849610 (book : alk. paper) | ISBN 0071849254 (CD) | ISBN 9780071849265 ()
Subjects: LCSH: Computer networks—Examinations—Study guides. | Telecommunications engineers—Certification.
Classification: LCC TK5105.5 .H368 2016 (print) | LCC TK5105.5 (ebook) | DDC 005.8—dc23
LC record available at https://lccn.loc.gov/2016017045




We dedicate this book to all those who have served selflessly.




ABOUT THE AUTHORS

Shon Harris, CISSP, was the founder and CEO of Shon Harris Security LLC and Logical Security LLC, a security consultant, a former engineer in the Air Force’s Information Warfare unit, an instructor, and an author. Shon owned and ran her own training and consulting companies for 13 years prior to her death in 2014. She consulted with Fortune 100 corporations and government agencies on extensive security issues. She authored three best-selling CISSP books, was a contributing author to Gray Hat Hacking: The Ethical Hacker’s Handbook and Security Information and Event Management (SIEM) Implementation, and a technical editor for Information Security Magazine.


Fernando Maymí, Ph.D., CISSP, is a security practitioner with over 25 years’ experience in the field. He currently leads a multidisciplinary team charged with developing disruptive innovations for cyberspace operations as well as impactful public-private partnerships aimed at better securing cyberspace. Fernando has served as a consultant for both government and private-sector organizations in the United States and abroad. He has authored and taught dozens of courses and workshops in cyber security for academic, government, and professional audiences in the United States and Latin America. Fernando is the author of over a dozen publications and holds three patents. His awards include the U.S. Department of the Army Research and Development Achievement Award and he was recognized as a HENAAC Luminary. He worked closely with Shon Harris, advising her on a multitude of projects, including the sixth edition of the CISSP All-in-One Exam Guide. Fernando is also a volunteer puppy raiser for Guiding Eyes for the Blind and has raised two guide dogs, Trinket and Virgo.


About the Contributor

Bobby E. Rogers is an information security engineer working as a contractor for Department of Defense agencies, helping to secure, certify, and accredit their information systems. His duties include information system security engineering, risk management, and certification and accreditation efforts. He retired after 21 years in the U.S. Air Force, serving as a network security engineer and instructor, and has secured networks all over the world. Bobby has a master’s degree in information assurance (IA) and is pursuing a doctoral degree in cybersecurity from Capitol Technology University in Maryland. His many certifications include CISSP-ISSEP, CEH, and MCSE: Security, as well as the CompTIA A+, Network+, Security+, and Mobility+ certifications.




About the Technical Editor

Jonathan Ham, CISSP, GSEC, GCIA, GCIH, is an independent consultant who specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. With a keen understanding of ROI and TCO, he has helped his clients achieve greater success for more than 12 years, advising in both the public and private sectors, from small upstarts to the Fortune 500. Jonathan has been commissioned to teach NCIS investigators how to use Snort, has performed packet analysis from a facility more than 2,000 feet underground, and has chartered and trained the CIRT for one of the largest U.S. civilian federal agencies. He is a member of the GIAC Advisory Board and is a SANS instructor teaching their MGT414: SANS Training Program for CISSP Certification course. He is also co-author of Network Forensics: Tracking Hackers Through Cyberspace, a textbook published by Prentice-Hall.




CONTENTS AT A GLANCE


Chapter 1 Security and Risk Management
Chapter 2 Asset Security
Chapter 3 Security Engineering
Chapter 4 Communication and Network Security
Chapter 5 Identity and Access Management
Chapter 6 Security Assessment and Testing
Chapter 7 Security Operations
Chapter 8 Software Development Security
Appendix A Comprehensive Questions
Appendix B About the CD-ROM
Glossary
Index




CONTENTS


In Memory of Shon Harris
Foreword
Acknowledgments
From the Author
Why Become a CISSP?

Chapter 1 Security and Risk Management

Fundamental Principles of Security
Availability
Integrity
Confidentiality
Balanced Security

Security Definitions
Control Types
Security Frameworks

ISO/IEC 27000 Series
Enterprise Architecture Development
Security Controls Development
Process Management Development
Functionality vs. Security

The Crux of Computer Crime Laws
Complexities in Cybercrime

Electronic Assets
The Evolution of Attacks
International Issues
Types of Legal Systems

Intellectual Property Laws
Trade Secret
Copyright
Trademark
Patent
Internal Protection of Intellectual Property
Software Piracy

Privacy
The Increasing Need for Privacy Laws
Laws, Directives, and Regulations
Employee Privacy Issues




Data Breaches
U.S. Laws Pertaining to Data Breaches
Other Nations’ Laws Pertaining to Data Breaches

Policies, Standards, Baselines, Guidelines, and Procedures
Security Policy
Standards
Baselines
Guidelines
Procedures
Implementation

Risk Management
Holistic Risk Management
Information Systems Risk Management Policy
The Risk Management Team
The Risk Management Process

Threat Modeling
Vulnerabilities
Threats
Attacks
Reduction Analysis

Risk Assessment and Analysis
Risk Analysis Team
The Value of Information and Assets
Costs That Make Up the Value
Identifying Vulnerabilities and Threats
Methodologies for Risk Assessment
Risk Analysis Approaches
Qualitative Risk Analysis
Protection Mechanisms
Putting It Together
Total Risk vs. Residual Risk
Handling Risk
Outsourcing

Risk Management Frameworks
Categorize Information System
Select Security Controls
Implement Security Controls
Assess Security Controls
Authorize Information System
Monitor Security Controls

Business Continuity and Disaster Recovery
Standards and Best Practices
Making BCM Part of the Enterprise Security Program
BCP Project Components




Personnel Security
Hiring Practices
Termination
Security-Awareness Training
Degree or Certification?

Security Governance
Metrics

Ethics
The Computer Ethics Institute
The Internet Architecture Board
Corporate Ethics Programs

Summary
Quick Tips

Questions
Answers

Chapter 2 Asset Security

Information Life Cycle
Acquisition
Use
Archival
Disposal

Information Classification
Classifications Levels
Classification Controls

Layers of Responsibility
Executive Management
Data Owner
Data Custodian
System Owner
Security Administrator
Supervisor
Change Control Analyst
Data Analyst
User
Auditor
Why So Many Roles?

Retention Policies
Developing a Retention Policy

Protecting Privacy
Data Owners
Data Processers
Data Remanence
Limits on Collection




Protecting Assets
Data Security Controls
Media Controls

Data Leakage
Data Leak Prevention

Protecting Other Assets
Protecting Mobile Devices
Paper Records
Safes

Summary
Quick Tips

Questions
Answers

Chapter 3 Security Engineering

System Architecture
Computer Architecture

The Central Processing Unit
Multiprocessing
Memory Types

Operating Systems
Process Management
Memory Management
Input/Output Device Management
CPU Architecture Integration
Operating System Architectures
Virtual Machines

System Security Architecture
Security Policy
Security Architecture Requirements

Security Models
Bell-LaPadula Model
Biba Model
Clark-Wilson Model
Noninterference Model
Brewer and Nash Model
Graham-Denning Model
Harrison-Ruzzo-Ullman Model

Systems Evaluation
Common Criteria
Why Put a Product Through Evaluation?

Certification vs. Accreditation
Certification
Accreditation




Open vs. Closed Systems
Open Systems
Closed Systems

Distributed System Security
Cloud Computing
Parallel Computing
Databases
Web Applications
Mobile Devices
Cyber-Physical Systems

A Few Threats to Review
Maintenance Hooks
Time-of-Check/Time-of-Use Attacks

Cryptography in Context
The History of Cryptography

Cryptography Definitions and Concepts
Kerckhoffs’ Principle
The Strength of the Cryptosystem
Services of Cryptosystems
One-Time Pad
Running and Concealment Ciphers
Steganography

Types of Ciphers
Substitution Ciphers
Transposition Ciphers

Methods of Encryption
Symmetric vs. Asymmetric Algorithms
Symmetric Cryptography
Block and Stream Ciphers
Hybrid Encryption Methods

Types of Symmetric Systems
Data Encryption Standard
Triple-DES
Advanced Encryption Standard
International Data Encryption Algorithm
Blowfish
RC4
RC5
RC6

Types of Asymmetric Systems
Diffie-Hellman Algorithm
RSA
El Gamal
Elliptic Curve Cryptosystems
Knapsack
Zero Knowledge Proof


00-FM.indd 11 14/04/16 10:24 AM


CISSP All-in-One Exam Guide


xii


All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front …


Read more

Applied Sciences

Architecture and Design

Biology

Business & Finance

Chemistry

Computer Science

Geography

Geology

Education

Engineering

English

Environmental science

Spanish

Government

History

Human Resource Management

Information Systems

Law

Literature

Mathematics

Nursing

Physics

Political Science

Psychology

Reading

Science

Social Science

Home

Blog

Archive

Contact

google+twitterfacebook

Copyright © 2019 HomeworkMarket.com

