Table of Contents for
CISSP Exam Cram, 5th Edition
Cover Page
About This eBook
Title Page
Copyright Page
Credits
Contents at a Glance
Table of Contents
About the Author
About the Technical Reviewer
Dedication
Acknowledgments
We Want to Hear from You!
Reader Services
Introduction
How to Prepare for the Exam
Practice Tests
Taking a Certification Exam
Arriving at the Exam Location
In the Testing Center
After the Exam
Retaking a Test
Tracking Your CISSP Status
About This Book
The Chapter Elements
Other Book Elements
Chapter Contents
Companion Website
Accessing the Pearson Test Prep Practice Test Software and Questions
Accessing the Pearson Test Prep Software Online
Accessing the Pearson Test Prep Software Offline
Customizing Your Exams
Updating Your Exams
Contacting the Author
Assessing Your Readiness for the CISSP Exam
Security Professionals in the Real World
The Ideal CISSP Candidate
Put Yourself to the Test
Your Educational Background
Testing Your Exam Readiness
After the Exam
Chapter 1 The CISSP Certification Exam
Introduction
Assessing Exam Readiness
Exam Topics
Taking the Exam
Examples of CISSP Test Questions
Answer to Multiple-Choice Question
Answer to Drag and Drop Question
Answer to Hotspot Question
Question-Handling Strategies
Mastering the Inner Game
Need to Know More?
Chapter 2 Understanding Asset Security
Introduction
Basic Security Principles
Data Management: Determining and Maintaining Ownership
Data Governance Policies
Roles and Responsibilities
Data Ownership
Data Custodians
Data Documentation and Organization
Data Warehousing
Data Mining
Knowledge Management
Data Standards
Data Lifecycle Control
Data Audits
Data Storage and Archiving
Data Security, Protection, Sharing, and Dissemination
Privacy Impact Assessment
Information Handling Requirements
Record Retention and Destruction
Data Remanence and Decommissioning
Classifying Information and Supporting Asset Classification
Data Classification
Military Data Classification
Public/Private Data Classification
Asset Management and Governance
Software Licensing
The Equipment Lifecycle
Determining Data Security Controls
Data at Rest
Data in Transit
Endpoint Security
Baselines
Exam Prep Questions
Answers to Exam Prep Questions
Need to Know More?
Chapter 3 Security and Risk Management
Introduction
Security Governance
U.S. Legal System and Laws
Relevant U.S. Laws and Regulations
International Legal Systems and Laws
International Laws to Protect Intellectual Property
Global Legal and Regulatory Issues
Computer Crime and Hackers
Sexual Harassment
U.S. Governance
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Federal Information Security Management Act (FISMA)
Sarbanes-Oxley Act (SOX)
National Institute of Standards and Technology (NIST)
Federal Information Processing Standards (FIPS)
International Governance
Risk Management Concepts
Risk Management Frameworks
Risk Assessment
Risk Management Team
Asset Identification and Valuation
Threats Analysis
Quantitative Assessments
Qualitative Assessments
Selecting Countermeasures
Threat Modeling Concepts and Methodologies
Threat Modeling Steps
Threat Modeling Tools and Methodologies
Managing Risk with the Supply Chain and Third Parties
Reducing Risk in Organization Processes
Identifying and Prioritizing Business Continuity Requirements Based on Risk
Project Management and Initiation
Business Impact Analysis
Assessing Potential Loss
Developing and Implementing Security Policy
Security Policy
Advisory Policy
Informative Policy
Regulatory Policy
Standards
Baselines
Guidelines
Procedures
Types of Controls
Administrative Controls
Technical Controls
Physical Controls
Access Control Categories
Implementing Personnel Security
New-Hire Agreements and Policies
Separation of Duties
Job Rotation
Least Privilege
Mandatory Vacations
Termination
Security Education, Training, and Awareness
Security Awareness
Social Engineering
Professional Ethics Training and Awareness
(ISC)2 Code of Ethics
Computer Ethics Institute
Internet Architecture Board
NIST SP 800-14
Common Computer Ethics Fallacies
Regulatory Requirements for Ethics Programs
Exam Prep Questions
Answers to Exam Prep Questions
Need to Know More?
Chapter 4 Security Architecture and Engineering
Introduction
Secure Design Guidelines and Governance Principles
Enterprise Architecture
Regulatory Compliance and Process Control
Fundamental Concepts of Security Models
Central Processing Unit
Storage Media
RAM
ROM
Secondary Storage
I/O Bus Standards
Virtual Memory and Virtual Machines
Computer Configurations
Security Architecture
Protection Rings
Trusted Computing Base
Open and Closed Systems
Security Modes of Operation
Operating States
Recovery Procedures
Process Isolation
Common Formal Security Models
State Machine Model
Information Flow Model
Noninterference Model
Confidentiality
Bell-LaPadula Model
Integrity
Biba Model
Clark-Wilson Model
Take-Grant Model
Brewer and Nash Model
Other Models
Product Security Evaluation Models
The Rainbow Series
The Orange Book: Trusted Computer System Evaluation Criteria
The Red Book: Trusted Network Interpretation
Information Technology Security Evaluation Criteria (ITSEC)
Common Criteria
System Validation
Certification and Accreditation
Vulnerabilities of Security Architectures
Buffer Overflows
Backdoors
State Attacks
Covert Channels
Incremental Attacks
Emanations
Web-Based Vulnerabilities
Mobile System Vulnerabilities
Cryptography
Algorithms
Cipher Types and Methods
Symmetric Encryption
Data Encryption Standard (DES)
Electronic Codebook (ECB) Mode
Cipher Block Chaining (CBC) Mode
Cipher Feedback (CFB) Mode
Output Feedback (OFB) Mode
Counter (CTR) Mode
Triple DES (3DES)
Advanced Encryption Standard (AES)
International Data Encryption Algorithm (IDEA)
Rivest Cipher Algorithms
Asymmetric Encryption
Diffie-Hellman
RSA
El Gamal
Elliptical Curve Cryptosystem (ECC)
Merkle-Hellman Knapsack
Review of Symmetric and Asymmetric Cryptographic Systems
Hybrid Encryption
Public Key Infrastructure and Key Management
Certificate Authorities
Registration Authorities
Certificate Revocation Lists
Digital Certificates
The Client’s Role in PKI
Integrity and Authentication
Hashing and Message Digests
MD Series
SHA-1/2
SHA-3
HAVAL
Message Authentication Code (MAC)
HMAC
CBC-MAC
CMAC
Digital Signatures
DSA
Cryptographic System Review
Cryptographic Attacks
Site and Facility Security Controls
Exam Prep Questions
Answers to Exam Prep Questions
Need to Know More?
Chapter 5 Communications and Network Security
Introduction
Secure Network Design
Network Models and Standards
OSI Model
Physical Layer
Data Link Layer
Network Layer
Transport Layer
Session Layer
Presentation Layer
Application Layer
OSI Summary
Encapsulation/De-encapsulation
TCP/IP
Network Access Layer
Internet Layer
Internet Protocol (IP)
Internet Control Message Protocol (ICMP)
Address Resolution Protocol (ARP)
Internet Group Management Protocol (IGMP)
Host-to-Host (Transport) Layer
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
Comparing and Contrasting UDP and TCP
Application Layer
LANs and Their Components
LAN Communication Protocols
Network Topologies
Bus Topology
Mesh Topology
Fully Connected Topology
LAN Cabling
Network Types
Network Storage
Communication Standards
Network Equipment
Repeaters
Hubs
Bridges
Switches
Mirrored Ports and Network Taps
VLANs
Routers
Gateways
Routing
WANs and Their Components
Packet Switching
Synchronous Optical Network (SONET)
X.25
Frame Relay
Asynchronous Transfer Mode (ATM)
Circuit Switching
Plain Old Telephone Service (POTS)
Integrated Services Digital Network (ISDN)
T-Carrier
Digital Subscriber Line (DSL)
Cable Internet Access
Other WAN Technologies
Cloud Computing
Software-Defined WAN (SD-WAN)
Securing Email Communications
Pretty Good Privacy (PGP)
Other Email Security Applications
Securing Voice and Wireless Communications
Secure Communications History
Voice over IP (VoIP)
VoIP Vulnerabilities
Cell Phones
802.11 Wireless Networks and Standards
Wireless Topologies
Wireless Standards
Bluetooth
Wireless LAN Components
Wireless Protection Mechanisms
Other Wireless Technologies
Securing TCP/IP with Cryptographic Solutions
Application/Process Layer Controls
Host-to-Host Layer Controls
Internet Layer Controls
Network Access Layer Controls
Link and End-to-End Encryption
Network Access Control Devices
Firewalls
Packet Filters
Stateful Firewalls
Proxy Servers
Demilitarized Zone (DMZ)
Network Address Translation (NAT)
Remote Access
Point-to-Point Protocol (PPP)
Password Authentication Protocol (PAP)
Challenge Handshake Authentication Protocol (CHAP)
Extensible Authentication Protocol (EAP)
Remote Authentication Dial-in User Service (RADIUS)
Terminal Access Controller Access Control System (TACACS)
Internet Protocol Security (IPsec)
Message Privacy and Multimedia Collaboration
Exam Prep Questions
Answers to Exam Prep Questions
Need to Know More?
Chapter 6 Identity and Access Management
Introduction
Perimeter Physical Control Systems
Fences
Gates
Bollards
Additional Physical Security Controls
CCTV Cameras
Lighting
Guards and Dogs
Locks
Lock Picking
Employee Access Control
Badges, Tokens, and Cards
RFID Tags
Biometric Access Controls
Identification, Authentication, and Authorization
Authentication Techniques
Something You Know (Type 1): Passwords and PINs
Something You Have (Type 2): Tokens, Cards, and Certificates
Something You Are (Type 3): Biometrics
Strong Authentication
Identity Management Implementation
Single Sign-On (SSO)
Kerberos
SESAME
Authorization and Access Control Techniques
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Attribute-Based Access Control
Rule-Based Access Control
Other Types of Access Control
Centralized and Decentralized Access Control Models
Centralized Access Control
RADIUS
TACACS
Diameter
Decentralized Access Control
Audits and Monitoring
Monitoring Access and Usage
Intrusion Detection Systems (IDSs)
Network-Based Intrusion Detection Systems (NIDSs)
Host-Based Intrusion Detection Systems (HIDSs)
Signature-Based, Anomaly-Based, and Rule-Based IDS Engines
Sensor Placement
Intrusion Prevention Systems (IPSs)
Network Access Control (NAC)
Keystroke Monitoring
Exam Prep Questions
Answers to Exam Prep Questions
Suggested Reading and Resources
Chapter 7 Security Assessment and Testing
Introduction
Security Assessments and Penetration Test Strategies
Audits
Root Cause Analyses
Log Reviews
Network Scanning
Vulnerability Scans and Assessments
Penetration Testing
Test Techniques and Methods
Security Threats and Vulnerabilities
Threat Actors
Attack Methodologies
Network Security Threats and Attack Techniques
Session Hijacking
Sniffing
Wiretapping
DoS and DDoS Attacks
Botnets
Other Network Attack Techniques
Access Control Threats and Attack Techniques
Unauthorized Access
Access Aggregation
Password Attacks
Dictionary Cracking
Brute-Force Cracking
Rainbow Tables
Spoofing
Eavesdropping and Shoulder Surfing
Identity Theft
Social-Based Threats and Attack Techniques
Malicious Software Threats and Attack Techniques
Viruses
Worms
Logic Bombs
Backdoors and Trojans
Wrappers, Packers, and Crypters
Rootkits
Exploit Kits
Advanced Persistent Threats (APTs)
Ransomware
Investigating Computer Crime
Computer Crime Jurisdiction
Incident Response
The Incident Response Team
The Incident Response Process
Incident Response and Results
Disaster Recovery and Business Continuity
Investigations
Search, Seizure, and Surveillance
Interviews and Interrogations
Exam Prep Questions
Answers to Exam Prep Questions
Need to Know More?
Chapter 8 Security Operations
Introduction
Foundational Security Operations Concepts
Managing Users and Accounts
Privileged Entities
Controlling Access
Clipping Levels
Resource Protection
Due Care and Due Diligence
Asset Management
System Hardening
Change and Configuration Management
Trusted Recovery
Remote Access
Media Management, Retention, and Destruction
Telecommunication Controls
Cloud Computing
Email
Whitelisting, Blacklisting, and Graylisting
Firewalls
Phone, Fax, and PBX
Anti-malware
Honeypots and Honeynets
Patch Management
System Resilience, Fault Tolerance, and Recovery Controls
Recovery Controls
Monitoring and Auditing Controls
Auditing User Activity
Monitoring Application Transactions
Security Information and Event Management (SIEM)
Network Access Control
Keystroke Monitoring
Emanation Security
Perimeter Security Controls and Risks
Natural Disasters
Human-Caused Threats
Technical Problems
Facility Concerns and Requirements
CPTED
Area Concerns
Location
Construction
Doors, Walls, Windows, and Ceilings
Asset Placement
Environmental Controls
Heating, Ventilating, and Air Conditioning
Electrical Power
Uninterruptible Power Supplies (UPSs)
Equipment Lifecycle
Fire Prevention, Detection, and Suppression
Fire-Detection Equipment
Fire Suppression
Water Sprinklers
Halon
Alarm Systems
Intrusion Detection Systems (IDSs)
Monitoring and Detection
Intrusion Detection and Prevention Systems
Investigations and Incidents
Incident Response
Digital Forensics, Tools, Tactics, and Procedures
Standardization of Forensic Procedures
Digital Forensics
Acquisition
Authentication
Analysis
The Disaster Recovery Lifecycle
Teams and Responsibilities
Recovery Strategy
Business Process Recovery
Facility and Supply Recovery
User Recovery
Operations Recovery
Fault Tolerance
Data and Information Recovery
Backups
Full Backups
Differential Backups
Incremental Backups
Tape Rotation Schemes
Other Data Backup Methods
Plan Design and Development
Personnel Mobilization
Interface with External Groups
Employee Services
Insurance
Implementation
Awareness and Training
Testing
Monitoring and Maintenance
Exam Prep Questions
Answers to Exam Prep Questions
Need to Know More?
Chapter 9 Software Development Security
Introduction
Integrating Security into the Development Lifecycle
Avoiding System Failure
Checks and Application Controls
Failure States
The Software Development Lifecycle
Project Initiation
Functional Requirements and Planning
Software Design Specifications
Software Development and Build
Acceptance Testing and Implementation
Operations/Maintenance
Disposal
Development Methodologies
The Waterfall Model
The Spiral Model
Joint Application Development (JAD)
Rapid Application Development (RAD)
Incremental Development
Prototyping
Modified Prototype Model (MPM)
Computer-Aided Software Engineering (CASE)
Agile Development Methods
Maturity Models
Scheduling
Change Management
Database Management
Database Terms
Integrity
Transaction Processing
Database Vulnerabilities and Threats
Artificial Intelligence and Expert Systems
Programming Languages, Secure Coding Guidelines, and Standards
Object-Oriented Programming
CORBA
Security of the Software Environment
Mobile Code
Buffer Overflow
Financial Attacks
Change Detection
Viruses and Worms
Exam Prep Questions
Answers to Exam Prep Questions
Need to Know More?
Practice Exam I
Practice Exam Questions
Practice Exam II
Practice Exam Questions
Answers to Practice Exam I
Answers to Practice Exam II
Glossary
Index
Where are the companion content files? - Register
Inside Front Cover
Inside Back Cover
Code Snippets