CISSP For Dummies - Lawrence C. Miller, Peter H. Gregory

CISSP For Dummies

Book | Softcover
504 pages
2016 | 5th Edition
John Wiley & Sons Inc (publisher)
978-1-119-21023-8 (ISBN)
43.76 incl. VAT
  • This title is being published in a new edition
A later edition of this title exists
The fast and easy way to secure your CISSP certification

Are you a security professional seeking the valuable CISSP certification? Good for you! CISSP For Dummies is the ideal starting point on your journey, providing you with a friendly and accessible framework for studying for this highly sought-after certification. Fully updated to reflect the latest iterations of all eight domains covered by the test, it offers helpful study tips, guidance on making a 60-day study plan, 'instant answers' to help you recall key information, practice tests, and much more.

Packed with key information needed to pass the exam and hints on how to remember it all on test day, this new edition of CISSP For Dummies takes the intimidation out of preparing for your certification. Every chapter includes a 'Quick Assessment' test at the beginning and a 'Test Prep' section at the end to help you gauge your progress, while access to randomly generated test questions online gives you the freedom to practice and test your knowledge whenever it's convenient for you.

  • Review the eight domains of security found in the CISSP Common Body of Knowledge
  • Explore security websites and supplementary books
  • Get a feel for the real thing with 250 practice exam questions
  • Learn about exam requirements and find out how to register

If you're a CISSP hopeful or an existing certification holder looking to renew your certification, CISSP For Dummies is the down-to-earth roadmap to get you there.

Lawrence C. Miller, CISSP, is a veteran systems administration and information security professional who has consulted for Coca-Cola and Goldman Sachs. Peter H. Gregory, CISSP, is a security, risk, and technology director and a widely published author.

Foreword xv
Introduction 1
About This Book 2
How This Book Is Organized 2
Icons Used in This Book 3
Beyond the Book 4
Getting Started 4
Part I: Getting Started With CISSP Certification 5
Chapter 1: (ISC)2 and the CISSP Certification 7
About (ISC)2 and the CISSP Certification 7
You Must Be This Tall to Ride This Ride (and Other Requirements) 8
Preparing for the Exam 9
Studying on your own 10
Getting hands-on experience 11
Attending an (ISC)2 CISSP CBK Review or Live OnLine Seminar 11
Attending other training courses or study groups 12
Take the testing tutorial and practice exam 12
Are you ready for the exam? 13
Registering for the Exam 13
About the CISSP Examination 14
After the Examination 16
Chapter 2: Putting Your Certification to Good Use 19
Being an Active (ISC)2 Member 19
Considering (ISC)2 Volunteer Opportunities 20
Writing certification exam questions 20
Speaking at events 20
Read and contribute to (ISC)2 publications 21
Support the (ISC)2 Center for Cyber Safety and Education 21
Participating in (ISC)2 focus groups 22
Get involved with a CISSP study group 22
Help others learn more about data security 22
Becoming an Active Member of Your Local Security Chapter 23
Spreading the Good Word about CISSP Certification 24
Promoting other certifications 25
Wear the colors proudly 25
Lead by example 25
Using Your CISSP Certification to Be an Agent of Change 26
Earning Other Certifications 26
Other (ISC)2 certifications 27
CISSP concentrations 27
Non-(ISC)2 certifications 28
Choosing the right certifications 31
Pursue Security Excellence 32
Part II: Certification Domains 33
Chapter 3: Security and Risk Management 35
Understand and Apply Concepts of Confidentiality, Integrity, and Availability 35
Confidentiality 36
Integrity 37
Availability 37
Apply Security Governance Principles 37
Alignment of security function to business strategy, goals, mission and objectives 38
Organizational processes (security executive oversight) 39
Security roles and responsibilities 40
Control frameworks 41
Due care 43
Due diligence 44
Compliance 44
Legislative and regulatory compliance 44
Privacy requirements compliance 49
Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context 49
Computer crimes 50
Licensing and intellectual property 60
Import/export controls 63
Trans-border data flow 63
Privacy 63
Data breaches 69
Understand Professional Ethics 70
Exercise the (ISC)2 Code of Professional Ethics 71
Support your organization's code of ethics 72
Develop and Implement Documented Security Policies, Standards, Procedures, and Guidelines 73
Policies 74
Standards (and baselines) 75
Procedures 75
Guidelines 75
Understand Business Continuity Requirements 76
Develop and document project scope and plan 78
Conduct Business Impact Analysis 86
Developing the Business Continuity Plan 93
Implementing the BCP 96
Contribute to Personnel Security Policies 98
Employment candidate screening 98
Employment agreements and policies 100
Employment termination processes 101
Vendor, consultant and contractor controls 101
Compliance 102
Privacy 102
Understand and Apply Risk Management Concepts 102
Identify threats and vulnerabilities 103
Risk assessment/analysis (treatment) 103
Risk assignment/acceptance 108
Countermeasure selection 108
Implementation 110
Types of controls 110
Control assessment 112
Monitoring and measurement 114
Asset valuation 114
Reporting 115
Continuous improvement 115
Risk frameworks 116
Understand and Apply Threat Modeling 117
Identifying threats 117
Determining and diagramming potential attacks 118
Performing reduction analysis 119
Technologies and processes to remediate threats 119
Integrate Security Risk Considerations into Acquisition Strategy and Practice 120
Hardware, software, and services 121
Third-party assessment and monitoring 121
Minimum security requirements 121
Service level requirements 122
Establish and Manage Information Security Education, Training, and Awareness 122
Appropriate levels of awareness, training and education required within organization 122
Periodic reviews for content relevancy 124
Chapter 4: Asset Security 125
Classify Information and Supporting Assets 125
Commercial data classification 126
Government data classification 126
Determine and Maintain Ownership 128
Protect Privacy 129
Ensure Appropriate Retention 131
Determine Data Security Controls 132
Baselines 133
Scoping and tailoring 134
Standards selection 134
Cryptography 135
Establish Handling Requirements 135
Chapter 5: Security Engineering 137
Implement and Manage Engineering Processes Using Secure Design Principles 137
Understand the Fundamental Concepts of Security Models 139
Confidentiality 139
Integrity 140
Availability 140
Access control models 141
Select Controls and Countermeasures based upon Systems Security Evaluation Models 144
Evaluation criteria 144
System certification and accreditation 149
Security controls and countermeasures 151
Understand Security Capabilities of Information Systems 154
Computer architecture 154
Trusted Computing Base (TCB) 161
Trusted Platform Module (TPM) 161
Secure modes of operation 162
Open and closed systems 163
Protection rings 163
Security modes 163
Recovery procedures 164
Vulnerabilities in security architectures 165
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 166
Client-based 166
Server-based 167
Database security 167
Large-scale parallel data systems 168
Distributed systems 168
Cryptographic systems 169
Industrial control systems 170
Assess and Mitigate Vulnerabilities in Web-Based Systems 171
Assess and Mitigate Vulnerabilities in Mobile Systems 172
Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems 173
Apply Cryptography 174
Cryptographic Life Cycle 176
Plaintext and ciphertext 177
Encryption and decryption 177
Cryptography alternatives 183
Not quite the metric system: Symmetric and asymmetric key systems 184
Message authentication 193
Public Key Infrastructure (PKI) 196
Key management functions 197
Key escrow and key recovery 198
Methods of attack 198
Apply Secure Principles to Site and Facility Design 201
Choosing a secure location 202
Designing a secure facility 203
Design and Implement Physical Security 205
Wiring closets, server rooms, media storage facilities, and evidence storage 206
Restricted and work area security 207
Utilities and HVAC considerations 207
Water issues 211
Fire prevention, detection and suppression 211
Chapter 6: Communication and Network Security 215
Apply Secure Design Principles to Network Architecture 215
OSI and TCP/IP models 219
Cryptography used to maintain communication security 251
Secure Network Components 251
Operation of hardware 252
Transmission media 252
Network access control devices 254
Endpoint security 262
Content distribution networks 264
Physical devices 265
Design and Establish Secure Communication Channels 265
Voice 266
Email 266
Web 270
Facsimile 271
Multimedia collaboration 272
Remote access 272
Data communications 277
Virtualized networks 277
Prevent or Mitigate Network Attacks 279
Bluejacking and bluesnarfing 279
Fraggle 279
Smurf 279
DNS Server Attacks 280
Man-in-the-Middle 280
ICMP flood 280
Session hijacking (spoofing) 280
Session hijacking (session token interception) 280
SYN flood 281
Teardrop 281
UDP flood 281
Chapter 7: Identity and Access Management 283
Control Physical and Logical Access to Assets 284
Information 284
Systems and devices 284
Facilities 285
Manage Identification and Authentication of People and Devices 285
Identity management implementation 286
Single/multi-factor authentication 295
Accountability 309
Session management 309
Registration and proofing of identity 310
Federated identity management 311
Credential management systems 312
Integrate Identity as a Service 312
Integrate Third-Party Identity Services 314
Implement and Manage Authorization Mechanisms 314
Access control techniques 314
Prevent or Mitigate Access Control Attacks 318
Manage the Identity and Access Provisioning Lifecycle 320
Chapter 8: Security Assessment and Testing 323
Design and Validate Assessment and Test Strategies 323
Conduct Security Control Testing 324
Vulnerability assessment 324
Penetration testing 324
Log reviews 326
Synthetic transactions 328
Code review and testing 328
Misuse case testing 329
Test coverage analysis 329
Interface testing 329
Collect Security Process Data 330
Account management 330
Management review 331
Key performance and risk indicators 331
Backup verification data 331
Training and awareness 332
Disaster recovery and business continuity 332
Analyze and Report Test Outputs 332
Conduct or Facilitate Internal and Third-Party Audits 332
Chapter 9: Security Operations 335
Understand and Support Investigations 335
Evidence collection and handling 335
Reporting and documenting 342
Investigative techniques 342
Digital forensics 344
Understand Requirements for Investigation Types 345
Conduct Logging and Monitoring Activities 346
Intrusion detection and prevention 347
Security information and event management 348
Continuous monitoring 348
Egress monitoring 349
Secure the Provisioning of Resources 349
Understand and Apply Foundational Security Operations Concepts 351
Need-to-know and least privilege 351
Separation of duties and responsibilities 352
Monitor special privileges 353
Job rotation 355
Information lifecycle 356
Service level agreements 357
Employ Resource Protection Techniques 359
Media management 359
Hardware and software asset management 361
Conduct Incident Management 361
Operate and Maintain Preventative Measures 363
Implement and Support Patch and Vulnerability Management 364
Participate in and Understand Change Management Processes 365
Implement Recovery Strategies 366
Backup storage strategies 366
Recovery site strategies 366
Multiple processing sites 367
System resilience, high availability, and fault tolerance 367
Quality of Service (QoS) 367
Implement Disaster Recovery Processes 368
Response 372
Personnel 373
Communications 374
Assessment 375
Restoration 375
Training and awareness 376
Test Disaster Recovery Plans 376
Read-through 376
Walkthrough 377
Simulation 377
Parallel 378
Full interruption (or cutover) 379
Participate in Business Continuity Planning and Exercises 379
Implement and Manage Physical Security 380
Participate in Addressing Personnel Safety Concerns 380
Chapter 10: Software Development Security 381
Understand and Apply Security in the Software Development Lifecycle 381
Development methodologies 382
Maturity models 388
Operation and maintenance 389
Change management 390
Integrated product team 391
Enforce Security Controls in Development Environments 392
Security of the software environments 392
Configuration management as an aspect of secure coding 394
Security of code repositories 395
Security of application programming interfaces 395
Assess the Effectiveness of Software Security 396
Auditing and logging of changes 397
Risk analysis and mitigation 397
Acceptance testing 398
Assess Security Impact of Acquired Software 399
Part III: The Part of Tens 401
Chapter 11: Ten (Okay, Nine) Test-Planning Tips 403
Know Your Learning Style 403
Get a Networking Certification First 403
Register NOW! 404
Make a 60-Day Study Plan 404
Get Organized and READ! 405
Join a Study Group 405
Take Practice Exams 406
Take a CISSP Review Seminar 406
Take a Breather 406
Chapter 12: Ten Test Day Tips 407
Get a Good Night's Rest 407
Dress Comfortably 407
Eat a Good Breakfast 407
Arrive Early 408
Bring a Photo ID 408
Bring Snacks and Drinks 408
Bring Prescription and Over-the-Counter Medications 408
Leave Your Electronic Devices Behind 409
Take Frequent Breaks 409
Guess as a Last Resort 409
Glossary 411
Index 455

Publication date
Place of publication New York
Language English
Dimensions 187 x 233 mm
Weight 672 g
Subject areas Computer Science > Networks > Security / Firewall
Computer Science > Other Topics > Certification
Social Sciences > Education
ISBN-10 1-119-21023-2 / 1119210232
ISBN-13 978-1-119-21023-8 / 9781119210238
Condition New