CISSP Cert Guide, 4th edition
Published by Pearson IT Certification (October 27, 2022) © 2023
- Robin Abernathy
- Darren R. Hayes
Learn, prepare, and practice for CISSP exam success with this Cert Guide from Pearson IT Certification, a leader in IT certification learning.
- Master the latest CISSP exam topics
- Assess your knowledge with chapter-ending quizzes
- Review key concepts with exam preparation tasks
- Practice with realistic exam questions
- Get practical guidance for test-taking strategies
CISSP Cert Guide, Fourth Edition is a comprehensive exam study guide. Leading IT certification experts Robin Abernathy and Darren Hayes share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
The book presents you with an organized test preparation routine through the use of proven series elements and techniques. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan.
The companion website contains the powerful Pearson Test Prep practice test software engine, complete with hundreds of exam-realistic questions. The assessment engine offers you a wealth of customization options and reporting features, laying out a complete assessment of your knowledge to help you focus your study where it is needed most.
Well regarded for its level of detail, assessment features, and challenging review questions and exercises, this CISSP study guide helps you master the concepts and techniques that will allow you to succeed on the exam the first time.
This study guide helps you master all the topics on the CISSP exam, including
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security
Introduction xlvii
Chapter 1 Security and Risk Management 5
Security Terms 6
   CIA 6
   Auditing and Accounting 7
   Non-repudiation 8
   Default Security Posture 8
   Defense in Depth 9
   Abstraction 10
   Data Hiding 10
   Encryption 10
Security Governance Principles 10
   Security Function Alignment 12
   Organizational Processes 14
   Organizational Roles and Responsibilities 16
   Security Control Frameworks 20
   Due Care and Due Diligence 38
Compliance 38
   Contractual, Legal, Industry Standards, and Regulatory Compliance 40
   Privacy Requirements Compliance 40
Legal and Regulatory Issues 41
   Computer Crime Concepts 41
   Major Legal Systems 43
   Licensing and Intellectual Property 46
   Cyber Crimes and Data Breaches 50
   Import/Export Controls 51
   Trans-Border Data Flow 51
   Privacy 52
Investigation Types 62
   Operations/Administrative 63
   Criminal 63
   Civil 64
   Regulatory 64
   Industry Standards 64
   eDiscovery 67
Professional Ethics 67
   (ISC)2 Code of Ethics 67
   Computer Ethics Institute 68
   Internet Architecture Board 68
   Organizational Code of Ethics 69
Security Documentation 69
   Policies 70
   Processes 72
   Procedures 72
   Standards 73
   Guidelines 73
   Baselines 73
Business Continuity 73
   Business Continuity and Disaster Recovery Concepts 73
   Scope and Plan 77
   BIA Development 81
Personnel Security Policies and Procedures 85
   Candidate Screening and Hiring 85
   Employment Agreements and Policies 87
   Employee Onboarding and Offboarding Policies 88
   Vendor, Consultant, and Contractor Agreements and Controls 88
   Compliance Policy Requirements 89
   Privacy Policy Requirements 89
   Job Rotation 89
   Separation of Duties 89
Risk Management Concepts 90
   Asset and Asset Valuation 90
   Vulnerability 91
   Threat 91
   Threat Agent 91
   Exploit 91
   Risk 91
   Exposure 92
   Countermeasure 92
   Risk Appetite 92
   Attack 93
   Breach 93
   Risk Management Policy 94
   Risk Management Team 94
   Risk Analysis Team 94
   Risk Assessment 95
   Implementation 100
   Control Categories 100
   Control Types 102
   Controls Assessment, Monitoring, and Measurement 108
   Reporting and Continuous Improvement 108
   Risk Frameworks 109
   A Risk Management Standard by the Federation of European Risk Management Associations (FERMA) 128
Geographical Threats 129
   Internal Versus External Threats 129
   Natural Threats 130
   System Threats 131
   Human-Caused Threats 133
   Politically Motivated Threats 135
Threat Modeling 137
   Threat Modeling Concepts 138
   Threat Modeling Methodologies 138
   Identifying Threats 141
   Potential Attacks 142
   Remediation Technologies and Processes 143
Security Risks in the Supply Chain 143
   Risks Associated with Hardware, Software, and Services 144
   Third-Party Assessment and Monitoring 144
   Minimum Service-Level and Security Requirements 145
   Service-Level Requirements 146
Security Education, Training, and Awareness 147
   Levels Required 147
   Methods and Techniques 148
   Periodic Content Reviews 148
Review All Key Topics 148
Complete the Tables and Lists from Memory 150
Define Key Terms 150
Answers and Explanations 157
Chapter 2 Asset Security 165
Asset Security Concepts 166
   Asset and Data Policies 166
   Data Quality 167
   Data Documentation and Organization 168
Identify and Classify Information and Assets 169
   Data and Asset Classification 170
   Sensitivity and Criticality 170
   Private Sector Data Classifications 175
   Military and Government Data Classifications 176
Information and Asset Handling Requirements 177
   Marking, Labeling, and Storing 178
   Destruction 178
Provision Resources Securely 179
   Asset Inventory and Asset Management 179
Data Life Cycle 180
   Databases 182
   Roles and Responsibilities 188
   Data Collection and Limitation 191
   Data Location 192
   Data Maintenance 192
   Data Retention 193
   Data Remanence and Destruction 193
   Data Audit 194
Asset Retention 195
Data Security Controls 197
   Data Security 197
   Data States 197
   Data Access and Sharing 198
   Data Storage and Archiving 199
   Baselines 200
   Scoping and Tailoring 201
   Standards Selection 201
   Data Protection Methods 202
Review All Key Topics 205
Define Key Terms 205
Answers and Explanations 207
Chapter 3 Security Architecture and Engineering 213
Engineering Processes Using Secure Design Principles 214
   Objects and Subjects 215
   Closed Versus Open Systems 215
   Threat Modeling 215
   Least Privilege 216
   Defense in Depth 216
   Secure Defaults 216
   Fail Securely 217
   Separation of Duties (SoD) 217
   Keep It Simple 218
   Zero Trust 218
   Privacy by Design 218
   Trust but Verify 219
   Shared Responsibility 219
Security Model Concepts 220
   Confidentiality, Integrity, and Availability 220
   Confinement 220
   Bounds 221
   Isolation 221
   Security Modes 221
   Security Model Types 222
   Security Models 226
   System Architecture Steps 230
   ISO/IEC 42010:2011 231
   Computing Platforms 231
   Security Services 234
   System Components 235
System Security Evaluation Models 244
   TCSEC 245
   ITSEC 248
   Common Criteria 250
   Security Implementation Standards 252
   Controls and Countermeasures 255
Certification and Accreditation 256
Control Selection Based on Systems Security Requirements 256
Security Capabilities of Information Systems 257
   Memory Protection 257
   Trusted Platform Module 258
   Interfaces 259
   Fault Tolerance 259
   Policy Mechanisms 260
   Encryption/Decryption 260
Security Architecture Maintenance 261
Vulnerabilities of Security Architectures, Designs, and Solution Elements 261
   Client-Based Systems 262
   Server-Based Systems 263
   Database Systems 264
   Cryptographic Systems 265
   Industrial Control Systems 265
   Cloud-Based Systems 268
   Large-Scale Parallel Data Systems 274
   Distributed Systems 275
   Grid Computing 275
   Peer-to-Peer Computing 275
   Internet of Things 276
   Microservices 280
   Containerization 281
   Serverless Systems 281
   High-Performance Computing Systems 282
   Edge Computing Systems 282
   Virtualized Systems 283
Vulnerabilities in Web-Based Systems 283
   Maintenance Hooks 284
   Time-of-Check/Time-of-Use Attacks 284
   Web-Based Attacks 285
   XML 285
   SAML 285
   OWASP 286
Vulnerabilities in Mobile Systems 286
   Device Security 287
   Application Security 287
   Mobile Device Concerns 287
   NIST SP 800-164 290
Vulnerabilities in Embedded Systems 291
Cryptographic Solutions 292
   Cryptography Concepts 292
   Cryptography History 294
   Cryptosystem Features 298
   NIST SP 800-175A and B 299
   Cryptographic Mathematics 300
   Cryptographic Life Cycle 302
Cryptographic Types 304
   Running Key and Concealment Ciphers 305
   Substitution Ciphers 305
   Transposition Ciphers 307
   Symmetric Algorithms 308
   Asymmetric Algorithms 310
   Hybrid Ciphers 311
   Elliptic Curves 312
   Quantum Cryptography 312
Symmetric Algorithms 312
   DES and 3DES 313
   AES 316
   IDEA 317
   Skipjack 317
   Blowfish 317
   Twofish 318
   RC4/RC5/RC6/RC7 318
   CAST 318
Asymmetric Algorithms 319
   Diffie-Hellman 320
   RSA 320
   El Gamal 321
   ECC 321
   Knapsack 322
   Zero-Knowledge Proof 322
Public Key Infrastructure and Digital Certificates 322
   Certificate Authority and Registration Authority 323
   Certificates 323
   Certificate Life Cycle 324
   Certificate Revocation List 327
   OCSP 327
   PKI Steps 327
   Cross-Certification 328
Key Management Practices 328
Message Integrity 332
   Hashing 333
   Message Authentication Code 337
   Salting 339
Digital Signatures and Non-repudiation 339
   DSS 340
   Non-repudiation 340
Applied Cryptography 340
   Link Encryption Versus End-to-End Encryption 340
   Email Security 340
   Internet Security 341
Cryptanalytic Attacks 341
   Ciphertext-Only Attack 342
   Known Plaintext Attack 342
   Chosen Plaintext Attack 342
   Chosen Ciphertext Attack 342
   Social Engineering 342
   Brute Force 343
   Differential Cryptanalysis 343
   Linear Cryptanalysis 343
   Algebraic Attack 343
   Frequency Analysis 343
   Birthday Attack 344
   Dictionary Attack 344
   Replay Attack 344
   Analytic Attack 344
   Statistical Attack 344
   Factoring Attack 344
   Reverse Engineering 344
   Meet-in-the-Middle Attack 345
   Ransomware Attack 345
   Side-Channel Attack 345
   Implementation Attack 345
   Fault Injection 345
   Timing Attack 346
   Pass-the-Hash Attack 346
Digital Rights Management 346
   Document DRM 347
   Music DRM 347
   Movie DRM 347
   Video Game DRM 348
   E-book DRM 348
Site and Facility Design 348
   Layered Defense Model 348
   CPTED 348
   Physical Security Plan 350
   Facility Selection Issues 351
Site and Facility Security Controls 353
   Doors 353
   Locks 355
   Biometrics 356
   Type of Glass Used for Entrances 356
   Visitor Control 357
   Wiring Closets/Intermediate Distribution Facilities 357
   Restricted and Work Areas 357
   Environmental Security and Issues 358
   Equipment Physical Security 362
Review All Key Topics 364
Complete the Tables and Lists from Memory 366
Define Key Terms 366
Answers and Explanations 372
Chapter 4 Communication and Network Security 377
Secure Network Design Principles 378
   OSI Model 378
   TCP/IP Model 383
IP Networking 389
   Common TCP/UDP Ports 389
   Logical and Physical Addressing 391
   IPv4 392
   Network Transmission 399
   IPv6 403
   Network Types 416
Protocols and Services 421
   ARP/RARP 422
   DHCP/BOOTP 423
   DNS 424
   FTP, FTPS, SFTP, and TFTP 424
   HTTP, HTTPS, and S-HTTP 425
   ICMP 425
   IGMP 426
   IMAP 426
   LDAP 426
   LDP 426
   NAT 426
   NetBIOS 426
   NFS 427
   PAT 427
   POP 427
   CIFS/SMB 427
   SMTP 427
   SNMP 427
   SSL/TLS 428
   Multilayer Protocols 428
Converged Protocols 429
   FCoE 429
   MPLS 430
   VoIP 431
   iSCSI 431
Wireless Networks 431
   FHSS, DSSS, OFDM, VOFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 432
   WLAN Structure 435
   WLAN Standards 436
   WLAN Security 439
Communications Cryptography 445
   Link Encryption 445
   End-to-End Encryption 446
   Email Security 446
   Internet Security 448
Secure Network Components 450
   Hardware 450
   Transmission Media 471
   Network Access Control Devices 491
   Endpoint Security 493
   Content-Distribution Networks 494
Secure Communication Channels 495
   Voice 495
   Multimedia Collaboration 495
   Remote Access 497
   Data Communications 507
   Virtualized Networks 507
Network Attacks 509
   Cabling 509
   Network Component Attacks 510
   ICMP Attacks 512
   DNS Attacks 514
   Email Attacks 516
   Wireless Attacks 518
   Remote Attacks 519
   Other Attacks 519
Review All Key Topics 521
Define Key Terms 522
Answers and Explanations 529
Chapter 5 Identity and Access Management (IAM) 535
Access Control Process 536
   Identify Resources 536
   Identify Users 536
   Identify the Relationships Between Resources and Users 537
Physical and Logical Access to Assets 537
   Access Control Administration 538
   Information 539
   Systems 539
   Devices 540
   Facilities 540
   Applications 541
Identification and Authentication Concepts 541
   NIST SP 800-63 542
   Five Factors for Authentication 546
   Single-Factor Versus Multifactor Authentication 557
   Device Authentication 557
Identification and Authentication Implementation 558
   Separation of Duties 558
   Least Privilege/Need-to-Know 559
   Default to No Access 560
   Directory Services 560
   Single Sign-on 561
   Session Management 566
   Registration, Proof, and Establishment of Identity 566
   Credential Management Systems 567
   Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+) 568
   Accountability 568
   Just-In-Time (JIT) 570
Identity as a Service (IDaaS) Implementation 571
Third-Party Identity Services Integration 571
Authorization Mechanisms 572
   Permissions, Rights, and Privileges 572
   Access Control Models 572
   Access Control Policies 580
Provisioning Life Cycle 580
   Provisioning 581
   User, System, and Service Account Access Review 582
   Account Transfers 582
   Account Revocation 583
   Role Definition 583
   Privilege Escalation 583
Access Control Threats 584
   Password Threats 585
   Social Engineering Threats 586
   DoS/DDoS 588
   Buffer Overflow 588
   Mobile Code 588
   Malicious Software 589
   Spoofing 589
   Sniffing and Eavesdropping 589
   Emanating 590
   Backdoor/Trapdoor 590
   Access Aggregation 590
   Advanced Persistent Threat 591
Prevent or Mitigate Access Control Threats 591
Review All Key Topics 592
Define Key Terms 593
Answers and Explanations 596
Chapter 6 Security Assessment and Testing 601
Design and Validate Assessment and Testing Strategies 602
   Security Testing 602
   Security Assessments 603
   Red Team versus Blue Team 603
   Security Auditing 604
   Internal, External, and Third-party Security Assessment, Testing, and Auditing 604
Conduct Security Control Testing 605
   Vulnerability Assessment 605
   Penetration Testing 609
   Log Reviews 611
   Synthetic Transactions 616
   Code Review and Testing 616
   Misuse Case Testing 619
   Test Coverage Analysis 619
   Interface Testing 620
Collect Security Process Data 620
   NIST SP 800-137 620
   Account Management 621
   Management Review and Approval 622
   Key Performance and Risk Indicators 622
   Backup Verification Data 623
   Training and Awareness 623
   Disaster Recovery and Business Continuity 624
Analyze Test Outputs and Generate a Report 624
Conduct or Facilitate Security Audits 624
Review All Key Topics 626
Define Key Terms 627
Answers and Explanations 630
Chapter 7 Security Operations 637
Investigations 638
   Forensic and Digital Investigations 638
   Evidence Collection and Handling 646
   Digital Forensic Tools, Tactics, and Procedures 651
Logging and Monitoring Activities 654
   Audit and Review 654
   Log Types 655
   Intrusion Detection and Prevention 656
   Security Information and Event Management (SIEM) 656
   Continuous Monitoring 657
   Egress Monitoring 657
   Log Management 658
   Threat Intelligence 658
   User and Entity Behavior Analytics (UEBA) 659
Configuration and Change Management 659
   Resource Provisioning 661
   Baselining 664
   Automation 664
Security Operations Concepts 664
   Need to Know/Least Privilege 664
   Managing Accounts, Groups, and Roles 665
   Separation of Duties and Responsibilities 666
   Privilege Account Management 666
   Job Rotation and Mandatory Vacation 666
   Two-Person Control 667
   Sensitive Information Procedures 667
   Record Retention 667
   Information Life Cycle 668
   Service-Level Agreements 668
Resource Protection 669
   Protecting Tangible and Intangible Assets 669
   Asset Management 671
Incident Management 680
   Event Versus Incident 680
   Incident Response Team and Incident Investigations 681
   Rules of Engagement, Authorization, and Scope 681
   Incident Response Procedures 682
   Incident Response Management 682
   Detect 683
   Respond 683
   Mitigate 683
   Report 684
   Recover 684
   Remediate 684
   Review and Lessons Learned 684
Detective and Preventive Measures 684
   IDS/IPS 685
   Firewalls 685
   Whitelisting/Blacklisting 685
   Third-Party Security Services 686
   Sandboxing 686
   Honeypots/Honeynets 686
   Anti-malware/Antivirus 686
   Clipping Levels 686
   Deviations from Standards 687
   Unusual or Unexplained Events 687
   Unscheduled Reboots 687
   Unauthorized Disclosure 687
   Trusted Recovery 688
   Trusted Paths 688
   Input/Output Controls 688
   System Hardening 688
   Vulnerability Management Systems 689
   Machine Learning and Artificial Intelligence (AI)-Based Tools 689
Patch and Vulnerability Management 689
Recovery Strategies 690
   Create Recovery Strategies 691
   Backup Storage Strategies 699
   Recovery and Multiple Site Strategies 700
   Redundant Systems, Facilities, and Power 703
   Fault-Tolerance Technologies 704
   Insurance 704
   Data Backup 705
   Fire Detection and Suppression 705
   High Availability 705
   Quality of Service 706
   System Resilience 706
Disaster Recovery 706
   Response 707
   Personnel 707
   Communications 709
   Assessment 710
   Restoration 710
   Training and Awareness 710
   Lessons Learned 710
Testing Disaster Recovery Plans 711
   Read-Through Test 711
   Checklist Test 712
   Table-Top Exercise 712
   Structured Walk-Through Test 712
   Simulation Test 712
   Parallel Test 712
   Full-Interruption Test 712
   Functional Drill 713
   Evacuation Drill 713
Business Continuity Planning and Exercises 713
Physical Security 713
   Perimeter Security Controls 713
   Building and Internal Security Controls 719
Personnel Safety and Security 719
   Duress 720
   Travel 720
   Monitoring 720
   Emergency Management 721
   Security Training and Awareness 721
Review All Key Topics 722
Define Key Terms 723
Answers and Explanations 727
Chapter 8 Software Development Security 733
Software Development Concepts 734
   Machine Languages 734
   Assembly Languages and Assemblers 734
   High-Level Languages, Compilers, and Interpreters 734
   Object-Oriented Programming 735
   Distributed Object-Oriented Systems 737
   Mobile Code 739
Security in the System and Software Development Life Cycle 743
   System Development Life Cycle 743
   Software Development Life Cycle 746
   DevSecOps 750
   Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) 750
   Security Orchestration and Automated Response (SOAR) 751
   Software Development Methods and Maturity Models 751
   Operation and Maintenance 762
   Integrated Product Team 763
Security Controls in Development 764
   Software Development Security Best Practices 764
   Software Environment Security 765
   Source Code Analysis Tools 766
   Code Repository Security 766
   Software Threats 766
   Software Protection Mechanisms 772
Assess Software Security Effectiveness 774
   Auditing and Logging 774
   Risk Analysis and Mitigation 774
   Regression and Acceptance Testing 775
Security Impact of Acquired Software 775
Secure Coding Guidelines and Standards 776
   Security Weaknesses and Vulnerabilities at the Source Code Level 776
   Security of Application Programming Interfaces 780
   Secure Coding Practices 780
Review All Key Topics 782
Define Key Terms 782
Answers and Explanations 786
Chapter 9 Final Preparation 791
Tools for Final Preparation 791
   Pearson Test Prep Practice Test Engine and Questions on the Website 791
   Customizing Your Exams 793
   Updating Your Exams 794
   Memory Tables 795
   Chapter-Ending Review Tools 795
Suggested Plan for Final Review/Study 795
Summary 796
Online Elements
Appendix A Memory Tables
Appendix B Memory Tables Answer Key
Glossary
9780137507474    TOC    9/19/2022