CISSP Exam Cram
Pearson IT Certification
978-0-7897-4957-4 (ISBN)
- A new edition of this title is forthcoming
Covers the critical information you’ll need to pass the CISSP exam!
- Enforce effective physical security throughout your organization
- Apply reliable authentication, authorization, and accountability
- Design security architectures that can be verified, certified, and accredited
- Understand the newest attacks and countermeasures
- Use encryption to safeguard data, systems, and networks
- Systematically plan and test business continuity/disaster recovery programs
- Protect today’s cloud, web, and database applications
- Address global compliance issues, from privacy to computer forensics
- Develop software that is secure throughout its entire lifecycle
- Implement effective security governance and risk management
- Use best-practice policies, procedures, guidelines, and controls
- Ensure strong operational controls, from background checks to security audits
The CD-ROM comes with two free complete practice exams and includes the Cram Sheet.
As the founder and president of Superior Solutions, Inc., a Houston-based IT security consulting and auditing firm, Michael Gregg has more than 20 years of experience in information security and risk management. He holds two associate’s degrees, a bachelor’s degree, and a master’s degree. Some of the certifications he holds include CISA, CISSP, MCSE, CTT+, A+, N+, Security+, CASP, CCNA, GSEC, CEH, CHFI, CEI, CISM, CGEIT, and SSCP. In addition to his experience with performing security audits and assessments, Gregg has authored or coauthored more than 15 books, including Certified Ethical Hacker Exam Prep (Que), CISSP Exam Cram 2 (Que), and Security Administrator Street Smarts (Sybex). He is a site expert for TechTarget.com websites, such as SearchNetworking.com, and also serves on their editorial advisory board. His articles have been published on IT websites, and he has been quoted on Fox News and in the New York Times. He has created more than 15 security-related courses and training classes for various companies and universities. Although audits and assessments are where he spends the bulk of his time, teaching and contributing to the written body of IT security knowledge are how Michael believes he can give something back to the community that has given him so much. He is a board member for Habitat for Humanity, and when not working, Michael enjoys traveling and restoring muscle cars.
Introduction. . . . 1
How to Prepare for the Exam. . . 1
Practice Tests . . . 2
Taking a Certification Exam . . . 2
Arriving at the Exam Location . . 2
In the Testing Center . . . 3
After the Exam. . . 3
Retaking a Test . . . 3
Tracking Your CISSP Status . . 3
About This Book. . . 4
The Chapter Elements. . . 4
Other Book Elements. . . 7
Chapter Contents . . . 7
Pearson IT Certification Practice Test Engine and Questions on the CD . . . . 9
Install the Software from the CD. . 10
Activate and Download the Practice Exam . . 11
Activating Other Exams . . . 11
Contacting the Author . . . 12
Self-Assessment. . . 12
CISSPs in the Real World . . . 12
The Ideal CISSP Candidate . . 12
Put Yourself to the Test . . . 13
After the Exam . . . 15
Chapter 1: The CISSP Certification Exam . . . 17
Introduction. . . . 18
Assessing Exam Readiness . . . 18
Taking the Exam . . . 19
Multiple-Choice Question Format . . 21
Exam Strategy . . . 21
Question-Handling Strategies . . . 22
Mastering the Inner Game . . . 23
Need to Know More? . . . 24
Chapter 2: Physical Security . . . . 25
Introduction. . . . 26
Physical Security Risks. . . 26
Natural Disasters. . . 27
Man-Made Threats. . . 28
Technical Problems. . . 28
Facility Concerns and Requirements . . 29
CPTED . . . 30
Area Concerns . . . 30
Location . . . 31
Construction . . . 32
Doors, Walls, Windows, and Ceilings . . 32
Asset Placement. . . 35
Physical Port Controls . . . 36
Perimeter Controls. . . 36
Fences . . . . 36
Gates. . . . 38
Bollards. . . . 39
CCTV Cameras . . . 40
Lighting . . . 41
Guards and Dogs . . . 42
Locks. . . . 43
Employee Access Control . . . 46
Badges, Tokens, and Cards . . 47
Biometric Access Controls. . . 48
Environmental Controls . . . 49
Heating, Ventilating, and Air Conditioning . . 50
Electrical Power . . . 51
Uninterruptible Power Supply . . 52
Equipment Life Cycle . . . 53
Fire Prevention, Detection, and Suppression . . 53
Fire-Detection Equipment . . 54
Fire Suppression . . . 54
Alarm Systems . . . 57
Intrusion Detection Systems . . 57
Monitoring and Detection. . . 58
Exam Prep Questions. . . 60
Answers to Exam Prep Questions . . 62
Suggested Reading and Resources . . 64
Chapter 3: Access Control Systems and Methodology. . 65
Introduction. . . . 66
Identification, Authentication, and Authorization . . 67
Authentication . . . 67
Access Management . . . 79
Single Sign-On . . . 80
Kerberos. . . 81
SESAME . . . 83
Authorization and Access Controls Techniques . . 84
Discretionary Access Control . . 84
Mandatory Access Control . . 85
Role-Based Access Control . . 87
Other Types of Access Controls . . 88
Access Control Methods . . . 89
Centralized Access Control . . 89
Decentralized Access Control . . 92
Access Control Types . . . 93
Administrative Controls. . . 93
Technical Controls . . . 94
Physical Controls . . . 94
Access Control Categories. . . 95
Audit and Monitoring . . . 96
Monitoring Access and Usage. . 96
Intrusion Detection Systems . . 97
Intrusion Prevention Systems . . 101
Network Access Control . . . 102
Keystroke Monitoring . . . 102
Emanation Security . . . 103
Access Control Attacks. . . 104
Unauthorized Access . . . 104
Access Aggregation . . . 105
Password Attacks. . . 105
Spoofing . . . 109
Sniffing . . . 109
Eavesdropping and Shoulder Surfing. . 110
Wiretapping. . . 110
Identity Theft . . . 110
Denial of Service Attacks . . . 111
Distributed Denial of Service Attacks . . 113
Botnets . . . 113
Exam Prep Questions. . . 116
Answers to Exam Prep Questions . . 119
Suggested Reading and Resources . . 121
Chapter 4: Cryptography. . . . 123
Introduction. . . . 124
Cryptographic Basics . . . 124
History of Encryption . . . 127
Steganography. . . 132
Steganography Operation . . 133
Digital Watermark . . . 134
Algorithms . . . . 135
Cipher Types and Methods . . . 137
Symmetric Encryption . . . 137
Data Encryption Standard. . 140
Triple-DES . . . 144
Advanced Encryption Standard. . 145
International Data Encryption Algorithm. . 146
Rivest Cipher Algorithms . . 146
Asymmetric Encryption . . . 147
Diffie-Hellman . . . 149
RSA. . . . 150
El Gamal . . . 151
Elliptical Curve Cryptosystem . . 152
Merkle-Hellman Knapsack . . 152
Review of Symmetric and Asymmetric Cryptographic Systems . . . 153
Hybrid Encryption . . . 153
Integrity and Authentication. . . 154
Hashing and Message Digests. . 155
Digital Signatures . . . 158
Cryptographic System Review . . 159
Public Key Infrastructure . . . 160
Certificate Authority . . . 160
Registration Authority . . . 161
Certificate Revocation List . . 161
Digital Certificates . . . 161
The Client’s Role in PKI . . . 163
Email Protection Mechanisms . . . 164
Pretty Good Privacy. . . 164
Other Email Security Applications. . 165
Securing TCP/IP with Cryptographic Solutions. . 165
Application/Process Layer Controls . . 166
Host to Host Layer Controls . . 167
Internet Layer Controls. . . 168
Network Access Layer Controls . . 170
Link and End-to-End Encryption . . 170
Cryptographic Attacks . . . 171
Exam Prep Questions. . . 175
Answers to Exam Prep Questions . . 178
Need to Know More? . . . 180
Chapter 5: Security Architecture and Models . . . 181
Introduction. . . . 182
Computer System Architecture . . 182
Central Processing Unit . . . 182
Storage Media . . . 186
I/O Bus Standards. . . 189
Hardware Cryptographic Components . . 190
Virtual Memory and Virtual Machines . . 190
Computer Configurations . . 191
Security Architecture . . . 192
Protection Rings . . . 192
Trusted Computer Base . . . 194
Open and Closed Systems . . 197
Security Modes of Operation . . 197
Operating States . . . 199
Recovery Procedures . . . 199
Process Isolation . . . 200
Security Models . . . 201
State Machine Model . . . 202
Information Flow Model . . . 203
Noninterference Model . . . 203
Confidentiality. . . 203
Integrity . . . 204
Other Models . . . 208
Documents and Guidelines . . . 208
The Rainbow Series . . . 209
The Red Book: Trusted Network Interpretation . 211
Information Technology Security Evaluation Criteria . 212
Common Criteria . . . 212
System Validation . . . 214
Certification and Accreditation. . 215
Governance and Enterprise Architecture . . 216
Security Architecture Threats. . . 219
Buffer Overflow . . . 219
Back Doors . . . 220
Asynchronous Attacks . . . 220
Covert Channels . . . 221
Incremental Attacks . . . 221
Exam Prep Questions. . . 223
Answers to Exam Prep Questions . . 226
Need to Know More? . . . 228
Chapter 6: Telecommunications and Network Security . . 229
Introduction. . . . 230
Network Models and Standards . . 230
OSI Model . . . 231
Encapsulation/De-Encapsulation . . 237
TCP/IP . . . . 238
Network Access Layer . . . 238
Internet Layer . . . 239
Host-to-Host (Transport) Layer. . 243
Application Layer . . . 245
LANs and Their Components . . . 249
LAN Communication Protocols . . 250
Network Topologies . . . 251
LAN Cabling. . . 253
Network Types . . . 255
Communication Standards . . . 256
Network Equipment. . . 257
Repeaters . . . 257
Hubs . . . . 257
Bridges . . . 257
Switches . . . 258
VLANs . . . 259
Routers . . . 260
Brouters . . . 261
Gateways . . . 261
Routing. . . . 262
WANs and Their Components . . 264
Packet Switching. . . 264
Circuit Switching . . . 266
Cloud Computing. . . 270
Voice Communications and Wireless Communications . 271
Voice over IP . . . 271
Cell Phones . . . 272
802.11 Wireless Networks and Standards . . 274
Network Security . . . 281
Firewalls . . . 282
Demilitarized Zone. . . 283
Firewall Design . . . 285
Remote Access. . . 285
Point-to-Point Protocol. . . 286
Virtual Private Networks . . . 287
Remote Authentication Dial-in User Service . 288
Terminal Access Controller Access Control System . 288
IPSec. . . . 288
Message Privacy . . . 289
Threats to Network Security . . . 290
DoS Attacks . . . 290
Distributed Denial of Service . . 291
Disclosure Attacks. . . 291
Destruction, Alteration, or Theft . . 292
Exam Prep Questions. . . 295
Answers to Exam Prep Questions . . 298
Need to Know More? . . . 299
Chapter 7: Business Continuity and Disaster Recovery Planning. . 301
Introduction. . . . 302
Threats to Business Operations . . 302
Disaster Recovery and Business Continuity Management . 303
Project Management and Initiation . . 305
Business Impact Analysis . . . 307
Recovery Strategy . . . 313
Plan Design and Development . . 327
Implementation. . . 330
Testing . . . 331
Monitoring and Maintenance . . 333
Disaster Life Cycle . . . 334
Teams and Responsibilities . . 336
Exam Prep Questions. . . 338
Answers to Exam Prep Questions . . 341
Need to Know More? . . . 343
Chapter 8: Legal, Regulations, Investigations, and Compliance . . 345
Introduction. . . . 346
United States Legal System and Laws. . 346
International Legal Systems and Laws . . 347
International Property Laws . . . 349
Piracy and Issues with Copyrights . . 350
Privacy Laws and Protection of Personal Information . 351
Privacy Impact Assessment . . 353
Computer Crime Laws . . . 354
Regulatory Compliance and Process Control. . 354
Ethics . . . . 355
ISC2 Code of Ethics. . . 356
Computer Ethics Institute . . 357
Internet Architecture Board . . 357
NIST 800-14. . . 358
Computer Crime and Criminals. . 359
Pornography . . . 361
Well-Known Computer Crimes . . 362
How Computer Crime Has Changed . . 363
Attack Vectors . . . 364
Keystroke Logging . . . 365
Wiretapping. . . 365
Spoofing Attacks . . . 366
Manipulation Attacks . . . 367
Social Engineering . . . 367
Dumpster Diving . . . 368
Investigating Computer Crime. . . 368
Computer Crime Jurisdiction . . 369
Incident Response. . . 369
Forensics . . . . 374
Standardization of Forensic Procedures . . 375
Computer Forensics . . . 376
Investigations. . . 381
Search, Seizure, and Surveillance . . 381
Interviews and Interrogations . . 381
Honeypots and Honeynets . . 381
Evidence Types . . . 383
Trial . . . . 384
The Evidence Life Cycle . . . 384
Exam Prep Questions. . . 385
Answers to Exam Prep Questions . . 388
Need to Know More? . . . 390
Chapter 9: Software Development Security . . . 391
Introduction. . . . 392
Software Development. . . 392
Avoiding System Failure . . . 393
The System Development Life Cycle . . 394
System Development Methods. . . 402
The Waterfall Model . . . 402
The Spiral Model . . . 402
Joint Application Development . . 403
Rapid Application Development. . 404
Incremental Development . . 404
Prototyping . . . 404
Computer-Aided Software Engineering . . 405
Agile Development Methods. . 405
Capability Maturity Model . . 406
Scheduling . . . 407
Change Management . . . 408
Programming Languages. . . 409
Object-Oriented Programming . . 412
CORBA . . . 413
Database Management. . . 413
Database Terms. . . 414
Integrity . . . 416
Transaction Processing. . . 416
Data Warehousing . . . 416
Data Mining . . . 417
Knowledge Management . . . 418
Artificial Intelligence and Expert Systems. . 418
Malicious Code . . . 419
Viruses . . . 420
Worms . . . 421
Spyware . . . 422
Back Doors and Trapdoors . . 423
Change Detection. . . 423
Mobile Code . . . 424
Financial Attacks . . . 424
Buffer Overflow . . . 424
Input Validation and Injection Attacks . . 426
Exam Prep Questions. . . 429
Answers to Exam Prep Questions . . 432
Need to Know More? . . . 434
Chapter 10: Information Security Governance and Risk Management . . 435
Introduction. . . . 436
Basic Security Principles . . . 436
Security Management and Governance. . 438
Asset Identification . . . 440
Risk Assessment . . . 441
Risk Management . . . 442
Policies Development. . . 458
Security Policy. . . 459
Standards . . . 461
Baselines . . . 461
Guidelines . . . 461
Procedures . . . 462
Data Classification . . . 462
Implementation. . . 465
Roles and Responsibility . . . 465
Security Controls . . . 467
Training and Education . . . 469
Security Awareness . . . 470
Social Engineering . . . 471
Auditing Your Security Infrastructure . . 472
The Risk of Poor Security Management. . 474
Exam Prep Questions. . . 475
Answers to Exam Prep Questions . . 478
Need to Know More? . . . 480
Chapter 11: Security Operations . . . 481
Introduction. . . . 482
Security Operations . . . 482
Employee Recruitment . . . 483
New-Hire Orientation . . . 484
Separation of Duties. . . 484
Job Rotation. . . 485
Least Privilege. . . 485
Mandatory Vacations . . . 486
Termination . . . 486
Accountability . . . 486
Controls . . . . 488
Security Controls . . . 489
Operational Controls . . . 490
Auditing and Monitoring. . . 498
Auditing . . . 498
Security Information and Event Management (SIEM) . 499
Monitoring Controls . . . 499
Clipping Levels . . . 501
Intrusion Detection . . . 501
Keystroke Monitoring . . . 502
Antivirus . . . 503
Facility Access Control . . . 504
Telecommunication Controls . . . 504
Fax. . . . 505
PBX. . . . 506
Email. . . . 507
Backup, Fault Tolerance, and Recovery Controls . . 509
Backups. . . 509
Fault Tolerance . . . 511
RAID . . . . 513
Recovery Controls . . . 515
Security Assessments . . . 516
Policy Reviews. . . 516
Vulnerability Scanning . . . 517
Penetration Testing. . . 518
Operational Security Threats and Vulnerabilities . . 521
Common Attack Methodologies. . 522
Attack Terms and Techniques . . 524
Exam Prep Questions. . . 526
Answers to Exam Prep Questions . . 529
Need to Know More? . . . 531
Practice Exam I. . . . 533
Practice Exam Questions. . . 533
Answers to Practice Exam I . . . 547
Practice Exam II . . . . 563
Practice Exam Questions. . . 563
Answers to Practice Exam II . . . 577
TOC, 9780789749574, 11/2/2012
| Publication date (per publisher) | 10.12.2012 |
|---|---|
| Place of publication | Upper Saddle River |
| Language | English |
| Dimensions | 157 x 227 mm |
| Weight | 840 g |
| Subject area | Computer Science ► Networks ► Security / Firewall |
| | Computer Science ► Other Topics ► Certification |
| ISBN-10 | 0-7897-4957-2 / 0789749572 |
| ISBN-13 | 978-0-7897-4957-4 / 9780789749574 |
| Condition | New |