(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

ABOUT THE AUTHORS Mike Chapple, PhD, CISSP, Security+, CISA, CySA+ is Associate Teaching Professor of IT, Analytics and Operations at the University of Notre Dame. He is a leading expert on cybersecurity certification and runs CertMike.com. James Michael Stewart, CISSP, CEH, ECSA, CHFI, Security+, Network+, has focused on security, certification, networking, and various operating systems for more than 25 years. He teaches numerous job skill and certification focused courses. He has authored or coauthored more than 75 books. Darril Gibson, CISSP, Security+, CASP, is CEO of YCDA, LLC. He regularly writes and consults on a variety of technical and security topics, and has authored or coauthored more than 35 books.

Introduction xxxiii

Assessment Test xlii

Chapter 1 Security Governance Through Principles and Policies 1

Understand and Apply Concepts of Confidentiality, Integrity, and Availability 2

Evaluate and Apply Security Governance Principles 14

Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 26

Understand and Apply Threat Modeling Concepts and Methodologies 30

Apply Risk-Based Management Concepts to the Supply Chain 38

Summary 40

Exam Essentials 42

Written Lab 44

Review Questions 45

Chapter 2 Personnel Security and Risk Management Concepts 49

Personnel Security Policies and Procedures 51

Security Governance 62

Understand and Apply Risk Management Concepts 63

Establish and Maintain a Security Awareness, Education, and Training Program 86

Manage the Security Function 87

Summary 88

Exam Essentials 89

Written Lab 92

Review Questions 93

Chapter 3 Business Continuity Planning 97

Planning for Business Continuity 98

Project Scope and Planning 99

Business Impact Assessment 105

Continuity Planning 111

Plan Approval and Implementation 114

Summary 119

Exam Essentials 119

Written Lab 120

Review Questions 121

Chapter 4 Laws, Regulations, and Compliance 125

Categories of Laws 126

Laws 129

Compliance 149

Contracting and Procurement 150

Summary 151

Exam Essentials 152

Written Lab 153

Review Questions 154

Chapter 5 Protecting Security of Assets 159

Identify and Classify Assets 160

Determining Ownership 178

Using Security Baselines 186

Summary 187

Exam Essentials 188

Written Lab 189

Review Questions 190

Chapter 6 Cryptography and Symmetric Key Algorithms 195

Historical Milestones in Cryptography 196

Cryptographic Basics 198

Modern Cryptography 214

Symmetric Cryptography 219

Cryptographic Lifecycle 228

Summary 229

Exam Essentials 229

Written Lab 231

Review Questions 232

Chapter 7 PKI and Cryptographic Applications 237

Asymmetric Cryptography 238

Hash Functions 242

Digital Signatures 246

Public Key Infrastructure 249

Asymmetric Key Management 253

Applied Cryptography 254

Cryptographic Attacks 265

Summary 268

Exam Essentials 269

Written Lab 270

Review Questions 271

Chapter 8 Principles of Security Models, Design, and Capabilities 275

Implement and Manage Engineering Processes Using Secure Design Principles 276

Understand the Fundamental Concepts of Security Models 281

Select Controls Based On Systems Security Requirements 295

Understand Security Capabilities of Information Systems 309

Summary 311

Exam Essentials 312

Written Lab 313

Review Questions 314

Chapter 9 Security Vulnerabilities, Threats, and Countermeasures 319

Assess and Mitigate Security Vulnerabilities 320

Client-Based Systems 342

Server-Based Systems 346

Database Systems Security 347

Distributed Systems and Endpoint Security 350

Internet of Things 358

Industrial Control Systems 359

Assess and Mitigate Vulnerabilities in Web-Based Systems 360

Assess and Mitigate Vulnerabilities in Mobile Systems 365

Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems 375

Essential Security Protection Mechanisms 379

Common Architecture Flaws and Security Issues 384

Summary 390

Exam Essentials 391

Written Lab 394

Review Questions 395

Chapter 10 Physical Security Requirements 399

Apply Security Principles to Site and Facility Design 400

Implement Site and Facility Security Controls 403

Implement and Manage Physical Security 422

Summary 431

Exam Essentials 432

Written Lab 434

Review Questions 435

Chapter 11 Secure Network Architecture and Securing Network Components 439

OSI Model 440

TCP/IP Model 451

Converged Protocols 470

Wireless Networks 472

Secure Network Components 486

Cabling, Wireless, Topology, Communications, and Transmission Media Technology 495

Summary 513

Exam Essentials 514

Written Lab 516

Review Questions 517

Chapter 12 Secure Communications and Network Attacks 521

Network and Protocol Security Mechanisms 522

Secure Voice Communications 525

Multimedia Collaboration 529

Manage Email Security 530

Remote Access Security Management 536

Virtual Private Network 540

Virtualization 546

Network Address Translation 549

Switching Technologies 553

WAN Technologies 556

Miscellaneous Security Control Characteristics 561

Security Boundaries 563

Prevent or Mitigate Network Attacks 564

Summary 569

Exam Essentials 571

Written Lab 573

Review Questions 574

Chapter 13 Managing Identity and Authentication 579

Controlling Access to Assets 580

Comparing Identification and Authentication 584

Implementing Identity Management 602

Managing the Identity and Access Provisioning Lifecycle 611

Summary 614

Exam Essentials 615

Written Lab 617

Review Questions 618

Chapter 14 Controlling and Monitoring Access 623

Comparing Access Control Models 624

Understanding Access Control Attacks 635

Summary 653

Exam Essentials 654

Written Lab 656

Review Questions 657

Chapter 15 Security Assessment and Testing 661

Building a Security Assessment and Testing Program 662

Performing Vulnerability Assessments 668

Testing Your Software 681

Implementing Security Management Processes 688

Summary 690

Exam Essentials 691

Written Lab 692

Review Questions 693

Chapter 16 Managing Security Operations 697

Applying Security Operations Concepts 698

Securely Provisioning Resources 710

Managing Configuration 718

Managing Change 719

Managing Patches and Reducing Vulnerabilities 723

Summary 728

Exam Essentials 729

Written Lab 731

Review Questions 732

Chapter 17 Preventing and Responding to Incidents 737

Managing Incident Response 738

Implementing Detective and Preventive Measures 745

Logging, Monitoring, and Auditing 773

Summary 790

Exam Essentials 792

Written Lab 795

Review Questions 796

Chapter 18 Disaster Recovery Planning 801

The Nature of Disaster 802

Understand System Resilience and Fault Tolerance 812

Recovery Strategy 818

Recovery Plan Development 827

Training, Awareness, and Documentation 835

Testing and Maintenance 836

Summary 838

Exam Essentials 838

Written Lab 839

Review Questions 840

Chapter 19 Investigations and Ethics 845

Investigations 846

Major Categories of Computer Crime 857

Ethics 861

Summary 864

Exam Essentials 864

Written Lab 865

Review Questions 866

Chapter 20 Software Development Security 871

Introducing Systems Development Controls 872

Establishing Databases and Data Warehousing 895

Storing Data and Information 904

Understanding Knowledge-Based Systems 906

Summary 909

Exam Essentials 909

Written Lab 910

Review Questions 911

Chapter 21 Malicious Code and Application Attacks 915

Malicious Code 916

Password Attacks 929

Application Attacks 933

Web Application Security 935

Reconnaissance Attacks 940

Masquerading Attacks 941

Summary 942

Exam Essentials 943

Written Lab 944

Review Questions 945

Appendix A Answers to Review Questions 949

Chapter 1: Security Governance Through Principles and Policies 950

Chapter 2: Personnel Security and Risk Management Concepts 951

Chapter 3: Business Continuity Planning 952

Chapter 4: Laws, Regulations, and Compliance 954

Chapter 5: Protecting Security of Assets 956

Chapter 6: Cryptography and Symmetric Key Algorithms 958

Chapter 7: PKI and Cryptographic Applications 960

Chapter 8: Principles of Security Models, Design, and Capabilities 961

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 963

Chapter 10: Physical Security Requirements 965

Chapter 11: Secure Network Architecture and Securing Network Components 966

Chapter 12: Secure Communications and Network Attacks 968

Chapter 13: Managing Identity and Authentication 969

Chapter 14: Controlling and Monitoring Access 971

Chapter 15: Security Assessment and Testing 973

Chapter 16: Managing Security Operations 975

Chapter 17: Preventing and Responding to Incidents 977

Chapter 18: Disaster Recovery Planning 980

Chapter 19: Investigations and Ethics 981

Chapter 20: Software Development Security 983

Chapter 21: Malicious Code and Application Attacks 984

Appendix B Answers to Written Labs 987

Chapter 1: Security Governance Through Principles and Policies 988

Chapter 2: Personnel Security and Risk Management Concepts 988

Chapter 3: Business Continuity Planning 989

Chapter 4: Laws, Regulations, and Compliance 990

Chapter 5: Protecting Security of Assets 991

Chapter 6: Cryptography and Symmetric Key Algorithms 991

Chapter 7: PKI and Cryptographic Applications 992

Chapter 8: Principles of Security Models, Design, and Capabilities 992

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 993

Chapter 10: Physical Security Requirements 994

Chapter 11: Secure Network Architecture and Securing Network Components 994

Chapter 12: Secure Communications and Network Attacks 995

Chapter 13: Managing Identity and Authentication 996

Chapter 14: Controlling and Monitoring Access 996

Chapter 15: Security Assessment and Testing 997

Chapter 16: Managing Security Operations 997

Chapter 17: Preventing and Responding to Incidents 998

Chapter 18: Disaster Recovery Planning 999

Chapter 19: Investigations and Ethics 999

Chapter 20: Software Development Security 1000

Chapter 21: Malicious Code and Application Attacks 1000

Index 1001