CISSP Cert Guide - Troy McMillan, Robin Abernathy

CISSP Cert Guide

Media combination (book and CD)
656 pages
2013
Pearson IT Certification
978-0-7897-5151-5 (ISBN)
72,35 incl. VAT
A later edition of this title has been published.
Learn, prepare, and practice for CISSP exam success with the CISSP Cert Guide from Pearson IT Certification, a leader in IT Certification.

  • Master CISSP exam topics
  • Assess your knowledge with chapter-ending quizzes
  • Review key concepts with exam preparation tasks
  • Practice with realistic exam questions on the CD

CISSP Cert Guide is a best-of-breed exam study guide. Leading IT certification experts Troy McMillan and Robin Abernathy share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

You'll get a complete test preparation routine organized around proven series elements and techniques. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan.

The companion CD contains the powerful Pearson IT Certification Practice Test engine, complete with hundreds of exam-realistic questions. The assessment engine offers you a wealth of customization options and reporting features, laying out a complete assessment of your knowledge to help you focus your study where it is needed most, so you can succeed on the exam the first time.

This study guide helps you master all the topics on the CISSP exam, including:

  • Access control
  • Telecommunications and network security
  • Information security governance and risk management
  • Software development security
  • Cryptography
  • Security architecture and design
  • Operations security
  • Business continuity and disaster recovery planning
  • Legal, regulations, investigations, and compliance
  • Physical (environmental) security

Troy McMillan, Product Developer and Technical Editor at Kaplan Cert Prep, specializes in creating certification practice tests and study guides. He has 12 years of experience teaching Cisco, Microsoft, CompTIA, and Security classes for top training companies, including Global Knowledge and New Horizons. He holds more than 20 certifications from Microsoft, Cisco, VMware, and other leading technology organizations.

Robin M. Abernathy has more than a decade of experience in IT certification prep. For Kaplan IT Certification Preparation, she has written and edited preparation materials for many (ISC)2, Microsoft, CompTIA, PMI, Cisco, and ITIL certifications. She holds multiple IT certifications from these vendors.

Companion CD

The CD contains two free, complete practice exams, plus memory tables and answers to help you study more efficiently and effectively.

Pearson IT Certification Practice Test minimum system requirements:

Windows XP (SP3), Windows Vista (SP2), Windows 7, or Windows 8; Microsoft .NET Framework 4.0 Client; Pentium-class 1GHz processor (or equivalent); 512MB RAM; 650MB disk space plus 50MB for each downloaded practice exam; access to the Internet to register and download exam databases

Troy McMillan is a Product Developer and Technical Editor for Kaplan Cert Prep as well as a full-time trainer and writer. He became a professional trainer 12 years ago, teaching Cisco, Microsoft, CompTIA, and Wireless classes. Troy's book CCNA Essentials by Sybex Publishing was released in November 2011. It has been chosen as the textbook for both online and instructor-led classes at several colleges in the United States. Troy is also a courseware developer; his work in this area includes wireless training materials for Motorola in 2011 and instructor materials for a series of books by Sybex on Windows Server 2008 R2 in 2011. Troy also teaches Cisco, Microsoft, CompTIA, and Security classes for several large corporate training companies, among them Global Knowledge and New Horizons. He now creates certification practice tests and study guides for the Transcender and Self-Test brands. Troy lives in Atlanta, Georgia.

Troy's professional accomplishments include B.B.A., MCSE (NT/2000/2003, 2008), CCNA, CCNP, MCP+I, CNA, A+, Net+, MCT, Server+, I-Net+, MCSA, CIW p, CIWa, CIW security analyst, CWNA, CWSP, CWNT, CWNE, MCTS: Vista Configuration, MCITP: Enterprise Support Technician, MCITP: Server Administrator, MCITP: Consumer Support Technician, MCTS: Forefront Client and Server Configuration, MCTS: Business Desktop Deployment with BDD, MCTS: Office Project Server 2007, MCTS: Windows Active Directory: Configuration, MCTS: Applications Infrastructure: Configuration, MCTS: Network Infrastructure: Configuration, CCSI, and VCP.

Robin M. Abernathy has been working in the IT certification preparation industry at Kaplan IT Certification Preparation, the owners of the Transcender and Self Test brands, for more than a decade. Robin has written and edited certification preparation materials for many (ISC)2, Microsoft, CompTIA, PMI, Cisco, and ITIL certifications and holds multiple IT certifications from these vendors. Robin provides training on computer hardware and software, networking, security, and project management. Over the past couple of years, she has ventured into the traditional publishing industry by technically editing several publications. More recently, she has presented at technical conferences and hosted webinars on IT certification topics.

Introduction

Chapter 1 The CISSP Certification 3

The Goals of the CISSP Certification 3

 Sponsoring Bodies 3

 Stated Goals 4

The Value of the CISSP Certification 4

 To the Security Professional 5

 To the Enterprise 5

The Common Body of Knowledge 5

 Access Control 5

 Telecommunications and Network Security 6

 Information Security Governance and Risk Management 6

 Software Development Security 7

 Cryptography 7

 Security Architecture and Design 8

 Operations Security 8

 Business Continuity and Disaster Recovery Planning 8

 Legal, Regulations, Investigations, and Compliance 9

 Physical and Environmental Security 9

Steps to Becoming a CISSP 10

 Qualifying for the Exam 10

 Signing Up for the Exam 10

 About the CISSP Exam 10

Chapter 2 Access Control 13

Foundation Topics 13

Access Control Concepts 13

 CIA 13

 Default Stance 14

 Defense In Depth 14

 Access Control Process 15

  Identify Resources 15

  Identify Users 15

  Identify Relationships Between Resources and Users 16

Identification and Authentication Concepts 16

 Three Factors for Authentication 17

 Knowledge Factors 17

  Identity and Account Management 18

  Password Types and Management 19

 Ownership Factors 22

  Synchronous and Asynchronous Token 22

  Memory Cards 22

  Smart Cards 23

 Characteristic Factors 23

  Physiological Characteristics 24

  Behavioral Characteristics 25

  Biometric Considerations 26

Authorization Concepts 28

 Access Control Policies 28

 Separation of Duties 29

 Least Privilege/Need-to-Know 29

 Default to No Access 30

 Directory Services 30

 Single Sign-on 31

  Kerberos 32

  SESAME 34

  Federated Identity Management 35

 Security Domains 35

Accountability 35

 Auditing and Reporting 36

 Vulnerability Assessment 37

 Penetration Testing 38

Access Control Categories 39

 Compensative 40

 Corrective 40

 Detective 40

 Deterrent 40

 Directive 40

 Preventive 41

 Recovery 41

Access Control Types 41

 Administrative (Management) Controls 41

 Logical (Technical) Controls 43

 Physical Controls 43

Access Control Models 46

 Discretionary Access Control 46

 Mandatory Access Control 47

 Role-based Access Control 47

 Rule-based Access Control 48

 Content-dependent Versus Context-dependent 48

 Access Control Matrix 48

  Capabilities Table 48

  Access Control List (ACL) 49

Access Control Administration 49

 Centralized 49

 Decentralized 49

 Provisioning Life Cycle 50

Access Control Monitoring 50

 IDS 50

 IPS 52

Access Control Threats 52

 Password Threats 53

  Dictionary Attack 53

  Brute-Force Attack 53

 Social Engineering Threats 53

  Phishing/Pharming 54

  Shoulder Surfing 54

  Identity Theft 54

  Dumpster Diving 55

 DoS/DDoS 55

 Buffer Overflow 55

 Mobile Code 56

 Malicious Software 56

 Spoofing 56

 Sniffing and Eavesdropping 57

 Emanating 57

 Backdoor/Trapdoor 57

Exam Preparation Tasks 57

Review All Key Topics 57

Complete the Tables and Lists from Memory 58

 Define Key Terms 59

 Review Questions 59

 Answers and Explanations 61

Chapter 3 Telecommunications and Network Security 65

Foundation Topics 66

OSI Model 66

 Application Layer 67

 Presentation Layer 67

 Session Layer 67

 Transport Layer 68

 Network Layer 68

 Data Link Layer 68

 Physical Layer 69

Multi-Layer Protocols 70

TCP/IP Model 71

 Application Layer 72

 Transport Layer 72

 Internet Layer 74

 Link Layer 76

 Encapsulation 76

Common TCP/UDP Ports 77

Logical and Physical Addressing 78

 IPv4 78

 IP Classes 80

 Public Versus Private IP Addresses 81

 NAT 81

 IPv4 Versus IPv6 82

 MAC Addressing 82

Network Transmission 83

 Analog Versus Digital 83

 Asynchronous Versus Synchronous 84

 Broadband Versus Baseband 84

 Unicast, Multicast, and Broadcast 85

 Wired Versus Wireless 86

Cabling 87

 Coaxial 87

 Twisted Pair 88

 Fiberoptic 90

Network Topologies 91

 Ring 91

 Bus 92

 Star 92

 Mesh 93

 Hybrid 94

Network Technologies 94

 Ethernet 802.3 94

 Token Ring 802.5 96

 FDDI 97

 Contention Methods 97

  CSMA/CD Versus CSMA/CA 98

  Collision Domains 98

  CSMA/CD 99

  CSMA/CA 100

  Token Passing 101

  Polling 101

Network Protocols/Services 101

 ARP 101

 DHCP 102

 DNS 103

 FTP, FTPS, SFTP 103

 HTTP, HTTPS, SHTTP 104

 ICMP 104

 IMAP 105

 NAT 105

 PAT 105

 POP 105

 SMTP 105

 SNMP 105

Network Routing 106

 Distance Vector, Link State, or Hybrid Routing 106

 RIP 107

 OSPF 107

 IGRP 108

 EIGRP 108

 VRRP 108

 IS-IS 108

 BGP 108

Network Devices 109

 Patch Panel 109

 Multiplexer 109

 Hub 109

 Switch 110

  VLANs 111

  Layer 3 Versus Layer 4 111

 Router 111

 Gateway 112

 Firewall 112

  Types 113

  Architecture 114

  Virtualization 116

 Proxy Server 116

 PBX 116

 Honeypot 117

 Cloud Computing 117

 Endpoint Security 119

Network Types 119

 LAN 119

 Intranet 119

 Extranet 120

 MAN 120

 WAN 120

WAN Technologies 121

 T Lines 121

 E Lines 121

 OC Lines (SONET) 122

 CSU/DSU 122

 Circuit-Switching Versus Packet-Switching 123

 Frame Relay 123

 ATM 123

 X.25 124

 Switched Multimegabit Data Service 124

 Point-to-Point Protocol 124

 High-Speed Serial Interface 124

 PSTN (POTS, PBX) 125

 VoIP 125

Remote Connection Technologies 126

 Dial-up 126

 ISDN 127

 DSL 127

 Cable 128

 VPN 129

 RADIUS and TACACS 132

 Remote Authentication Protocols 133

 Telnet 134

 TLS/SSL 134

 Multimedia Collaboration 134

Wireless Networks 135

 FHSS, DSSS, OFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 135

  802.11 Techniques 136

  Cellular or Mobile Wireless Techniques 136

 WLAN Structure 137

  Access Point 137

  SSID 137

  Infrastructure Mode Versus Ad Hoc Mode 137

 WLAN Standards 137

  802.11a 138

  802.11b 138

  802.11f 138

  802.11g 138

  802.11n 138

  Bluetooth 139

  Infrared 139

 WLAN Security 139

  WEP 139

  WPA 140

  WPA2 140

  Personal Versus Enterprise 140

  SSID Broadcast 141

  MAC Filter 141

 Satellites 141

Network Threats 142

 Cabling 142

  Noise 142

  Attenuation 142

  Crosstalk 143

  Eavesdropping 143

 ICMP Attacks 143

  Ping of Death 143

  Smurf 144

  Fraggle 144

  ICMP Redirect 144

  Ping Scanning 145

 DNS Attacks 145

  DNS Cache Poisoning 145

  DoS 146

  DDoS 146

  DNSSEC 146

  URL Hiding 146

  Domain Grabbing 147

  Cybersquatting 147

 Email Attacks 147

  Email Spoofing 147

  Spear Phishing 148

  Whaling 148

  Spam 148

 Wireless Attacks 148

  Wardriving 149

  Warchalking 149

 Remote Attacks 149

 Other Attacks 149

  SYN ACK Attacks 149

  Session Hijacking 150

  Port Scanning 150

  Teardrop 150

  IP Address Spoofing 150

Exam Preparation Tasks 151

Review All Key Topics 151

 Define Key Terms 151

 Review Questions 153

 Answers and Explanations 155

Chapter 4 Information Security Governance and Risk Management 159

Foundation Topics 159

Security Principles and Terms 159

 CIA 160

 Vulnerability 160

 Threat 161

 Threat Agent 161

 Risk 161

 Exposure 161

 Countermeasure 161

 Due Care and Due Diligence 162

 Job Rotation 163

 Separation of Duties 163

Security Frameworks and Methodologies 163

 ISO/IEC 27000 Series 164

 Zachman Framework 166

 The Open Group Architecture Framework (TOGAF) 168

 Department of Defense Architecture Framework (DoDAF) 168

 British Ministry of Defence Architecture Framework (MODAF) 168

 Sherwood Applied Business Security Architecture (SABSA) 168

 Control Objectives for Information and Related Technology (CobiT) 170

 National Institute of Standards and Technology (NIST) Special Publication (SP) 170

 Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework 171

 Information Technology Infrastructure Library (ITIL) 172

 Six Sigma 173

 Capability Maturity Model Integration (CMMI) 174

 Top-Down Versus Bottom-Up Approach 174

 Security Program Life Cycle 174

Risk Assessment 175

 Information and Asset (Tangible/Intangible) Value and Costs 177

 Vulnerabilities and Threats Identification 177

 Quantitative Risk Analysis 178

 Qualitative Risk Analysis 179

 Safeguard Selection 179

 Total Risk Versus Residual Risk 180

 Handling Risk 180

Risk Management Principles 181

 Risk Management Policy 181

 Risk Management Team 181

 Risk Analysis Team 182

Information Security Governance Components 182

 Policies 183

  Organizational Security Policy 184

  System-Specific Security Policy 185

  Issue-Specific Security Policy 185

  Policy Categories 185

 Standards 185

 Baselines 185

 Guidelines 186

 Procedures 186

 Information Classification and Life Cycle 186

  Commercial Business Classifications 186

  Military and Government Classifications 187

  Information Life Cycle 188

Security Governance Responsibilities and Roles 188

 Board of Directors 188

 Management 189

 Audit Committee 189

 Data Owner 190

 Data Custodian 190

 System Owner 190

 System Administrator 190

 Security Administrator 190

 Security Analyst 191

 Application Owner 191

 Supervisor 191

 User 191

 Auditor 191

 Third-Party Governance 191

  Onsite Assessment 192

  Document Exchange/Review 192

  Process/Policy Review 192

 Personnel Security (Screening, Hiring, and Termination) 192

Security Awareness Training 193

Security Budget, Metrics, and Effectiveness 194

Exam Preparation Tasks 195

Review All Key Topics 195

 Complete the Tables and Lists from Memory 195

 Define Key Terms 196

 Review Questions 196

 Answers and Explanations 198

Chapter 5 Software Development Security 203

Foundation Topics 203

System Development Life Cycle 203

 Initiate 204

 Acquire/Develop 204

 Implement 205

 Operate/Maintain 205

 Dispose 205

Software Development Life Cycle 206

 Gather Requirements 206

 Design 207

 Develop 207

 Test/Validate 208

 Release/Maintain 209

 Change Management and Configuration Management 209

Software Development Security Best Practices 209

 WASC 210

 OWASP 210

 BSI 210

 ISO/IEC 27000 210

Software Development Methods 211

 Build and Fix 211

 Waterfall 212

 V-Shaped 213

 Prototyping 214

 Incremental 214

 Spiral 215

 Rapid Application Development (RAD) 216

 Agile 216

 JAD 218

 Cleanroom 218

 CMMI 218

Programming Concepts 219

 Machine Languages 219

 Assembly Languages and Assemblers 219

 High-level Languages, Compilers, and Interpreters 219

 Object-Oriented Programming 220

  Polymorphism 221

  Cohesion 221

  Coupling 221

  Data Structures 221

 Distributed Object-Oriented Systems 222

  CORBA 222

  COM and DCOM 222

  OLE 223

  Java 223

  SOA 223

 Mobile Code 223

  Java Applets 223

  ActiveX 224

Database Concepts and Security 224

 DBMS Architecture and Models 224

 Database Interface Languages 226

  ODBC 226

  JDBC 227

  XML 227

  OLE DB 227

 Data Warehouses and Data Mining 227

 Database Threats 228

  Database Views 228

  Database Locks 228

  Polyinstantiation 228

  OLTP ACID Test 229

Knowledge-Based Systems 229

Software Threats 230

 Malware 230

  Virus 230

  Worm 231

  Trojan Horse 231

  Logic Bomb 232

  Spyware/Adware 232

  Botnet 232

  Rootkit 233

 Source Code Issues 233

  Buffer Overflow 233

  Escalation of Privileges 235

  Backdoor 235

 Malware Protection 235

  Antivirus Software 235

  Antimalware Software 236

  Security Policies 236

Software Security Effectiveness 236

 Certification and Accreditation 236

 Auditing 237

Exam Preparation Tasks 237

Review All Key Topics 237

 Define Key Terms 238

 Complete the Tables and Lists from Memory 238

 Review Questions 238

 Answers and Explanations 240

Chapter 6 Cryptography 243

Foundation Topics 244

Cryptography Concepts 244

 Cryptographic Life Cycle 246

Cryptography History 246

 Julius Caesar and the Caesar Cipher 247

 Vigenere Cipher 248

 Kerckhoff’s Principle 249

 World War II Enigma 249

 Lucifer by IBM 250

Cryptosystem Features 250

 Authentication 250

 Confidentiality 250

 Integrity 251

 Authorization 251

 Non-repudiation 251

Encryption Systems 251

 Running Key and Concealment Ciphers 251

 Substitution Ciphers 252

 Transposition Ciphers 253

 Symmetric Algorithms 253

  Stream-based Ciphers 254

  Block Ciphers 255

  Initialization Vectors (IVs) 255

 Asymmetric Algorithms 255

 Hybrid Ciphers 256

Substitution Ciphers 257

 One-Time Pads 257

 Steganography 258

Symmetric Algorithms 258

 Digital Encryption Standard (DES) and Triple DES (3DES) 259

  DES Modes 259

  Triple DES (3DES) and Modes 262

 Advanced Encryption Standard (AES) 263

 IDEA 263

 Skipjack 264

 Blowfish 264

 Twofish 264

 RC4/RC5/RC6 264

 CAST 265

Asymmetric Algorithms 265

 Diffie-Hellman 266

 RSA 267

 El Gamal 267

 ECC 267

 Knapsack 268

 Zero Knowledge Proof 268

Message Integrity 268

 Hash Functions 269

  One-Way Hash 269

  MD2/MD4/MD5/MD6 271

  SHA/SHA-2/SHA-3 271

  HAVAL 272

  RIPEMD-160 272

  Tiger 272

 Message Authentication Code 273

  HMAC 273

  CBC-MAC 274

  CMAC 274

Digital Signatures 274

Public Key Infrastructure 275

 Certification Authority (CA) and Registration Authority (RA) 275

 OCSP 276

 Certificates 276

 Certificate Revocation List (CRL) 277

 PKI Steps 277

 Cross-Certification 278

Key Management 278

Trusted Platform Module (TPM) 279

Encryption Communication Levels 280

 Link Encryption 280

 End-to-End Encryption 281

E-mail Security 281

 PGP 281

 MIME and S/MIME 282

 Quantum Cryptography 282

Internet Security 282

 Remote Access 283

 SSL/TLS 283

 HTTP, HTTPS, and SHTTP 284

 SET 284

 Cookies 284

 SSH 285

 IPsec 285

Cryptography Attacks 286

 Ciphertext-Only Attack 287

 Known Plaintext Attack 287

 Chosen Plaintext Attack 287

 Chosen Ciphertext Attack 287

 Social Engineering 287

 Brute Force 288

 Differential Cryptanalysis 288

 Linear Cryptanalysis 288

 Algebraic Attack 288

 Frequency Analysis 288

 Birthday Attack 289

 Dictionary Attack 289

 Replay Attack 289

 Analytic Attack 289

 Statistical Attack 289

 Factoring Attack 289

 Reverse Engineering 289

 Meet-in-the-Middle Attack 290

Exam Preparation Tasks 290

Review All Key Topics 290

 Complete the Tables and Lists from Memory 290

 Define Key Terms 291

 Review Questions 291

 Answers and Explanations 293

Chapter 7 Security Architecture and Design 297

Foundation Topics 297

Security Model Concepts 297

 Confidentiality 297

 Integrity 297

 Availability 298

 Defense in Depth 298

System Architecture 298

 System Architecture Steps 299

 ISO/IEC 42010:2011 299

 Computing Platforms 300

  Mainframe/Thin Clients 300

  Distributed Systems 300

  Middleware 301

  Embedded Systems 301

  Mobile Computing 301

  Virtual Computing 301

 Security Services 302

  Boundary Control Services 302

  Access Control Services 302

Publication date (per publisher): 5.12.2013
Place of publication: Upper Saddle River
Language: English
Dimensions: 195 x 240 mm
Weight: 1310 g
Subject areas: Mathematics / Computer Science > Computer Science > Databases; Computer Science > Other Topics > Certification
ISBN-10 0-7897-5151-8 / 0789751518
ISBN-13 978-0-7897-5151-5 / 9780789751515
Condition: New