Introduction 1
Chapter 1:
The CISSP Certification Exam ............................................................15
Introduction ..............................................................................................16
Assessing Exam Readiness........................................................................16
Taking the Exam.......................................................................................17
Multiple-Choice Question Format ..........................................................19
Exam Strategy...........................................................................................19
Question-Handling Strategies..................................................................21
Mastering the Inner Game.......................................................................21
Need to Know More?...............................................................................22
Chapter 2:
Physical Security ...........................................................................23
Introduction ..............................................................................................24
Physical Security Risks .............................................................................24
Natural Disasters.............................................................................25
Man-Made Threats .........................................................................26
Technical Problems .........................................................................27
Facility Concerns and Requirements.......................................................28
CPTED ...........................................................................................28
Area Concerns .................................................................................29
Location...........................................................................................30
Construction....................................................................................30
Doors, Walls, Windows, and Ceilings............................................31
Asset Placement...............................................................................34
Perimeter Controls...................................................................................34
Fences ..............................................................................................34
Gates ................................................................................................36
Bollards ............................................................................................37
CCTV Cameras ..............................................................................38
Lighting ...........................................................................................39
Guards and Dogs.............................................................................40
Locks................................................................................................41
Employee Access Control ........................................................................44
Badges, Tokens, and Cards..............................................................44
Biometric Access Controls ..............................................................46
Environmental Controls...........................................................................47
Heating, Ventilating, and Air Conditioning...................................48
Electrical Power........................................................................................49
Uninterruptible Power Supply .......................................................50
Equipment Life Cycle ..............................................................................50
Fire Prevention, Detection, and Suppression..........................................51
Fire-Detection Equipment..............................................................52
Fire Suppression ..............................................................................52
Alarm Systems...........................................................................................55
Intrusion Detection Systems...........................................................55
Monitoring and Detection ..............................................................56
Exam Prep Questions ...............................................................................58
Answers to Exam Prep Questions............................................................60
Suggested Reading and Resources ...........................................................61
Chapter 3:
Access Control Systems and Methodology .............................................63
Introduction ..............................................................................................64
Identification, Authentication, and Authorization ..................................65
Authentication .................................................................................65
Single Sign-On .........................................................................................78
Kerberos...........................................................................................78
SESAME..........................................................................................81
Authorization and Access Controls Techniques ......................................81
Discretionary Access Control .........................................................81
Mandatory Access Control..............................................................82
Role-Based Access Control .............................................................84
Other Types of Access Controls .....................................................85
Access Control Methods ..........................................................................86
Centralized Access Control.............................................................86
Decentralized Access Control.........................................................89
Access Control Types ...............................................................................90
Administrative Controls ..................................................................90
Technical Controls ..........................................................................91
Physical Controls.............................................................................91
Access Control Categories ..............................................................92
Audit and Monitoring...............................................................................93
Monitoring Access and Usage ........................................................93
Intrusion Detection Systems...........................................................94
Intrusion Prevention Systems .........................................................98
Network Access Control .................................................................98
Keystroke Monitoring.....................................................................99
Emanation Security .......................................................................100
Access Control Attacks ...........................................................................101
Password Attacks ...........................................................................101
Spoofing.........................................................................................105
Sniffing...........................................................................................105
Eavesdropping and Shoulder Surfing...........................................105
Wiretapping...................................................................................106
Identity Theft ................................................................................106
Denial of Service Attacks ..............................................................107
Distributed Denial of Service Attacks ..........................................109
Botnets ...........................................................................................109
Exam Prep Questions .............................................................................111
Answers to Exam Prep Questions..........................................................113
Suggesting Reading and Resources........................................................115
Chapter 4:
Cryptography...............................................................................117
Introduction ............................................................................................118
Cryptographic Basics ..............................................................................118
History of Encryption ............................................................................121
Steganography ........................................................................................126
Steganography Operation .............................................................127
Digital Watermark ........................................................................128
Algorithms...............................................................................................128
Cipher Types and Methods ....................................................................130
Symmetric Encryption ...........................................................................131
Data Encryption Standard ............................................................133
Triple-DES ....................................................................................136
Advanced Encryption Standard ....................................................138
International Data Encryption Algorithm....................................138
Rivest Cipher Algorithms .............................................................139
Asymmetric Encryption..........................................................................139
Diffie-Hellman ..............................................................................141
RSA ................................................................................................142
El Gamal........................................................................................143
Elliptical Curve Cryptosystem......................................................144
Merkle-Hellman Knapsack ...........................................................144
Review of Symmetric and Asymmetric Cryptographic Systems .145
Hybrid Encryption .................................................................................145
Integrity and Authentication ..................................................................146
Hashing and Message Digests ......................................................147
Digital Signatures..........................................................................150
Cryptographic System Review......................................................151
Public Key Infrastructure .......................................................................151
Certificate Authority .....................................................................152
Registration Authority...................................................................152
Certificate Revocation List ...........................................................153
Digital Certificates ........................................................................153
The Client’s Role in PKI ..............................................................155
Email Protection Mechanisms ...............................................................156
Pretty Good Privacy......................................................................156
Other Email Security Applications...............................................157
Securing TCP/IP with Cryptographic Solutions..................................157
Application/Process Layer Controls.............................................158
Host to Host Layer Controls........................................................159
Internet Layer Controls ................................................................160
Network Access Layer Controls ...................................................161
Link and End to End Encryption.................................................162
Cryptographic Attacks............................................................................163
Exam Prep Questions .............................................................................166
Answers to Exam Prep Questions..........................................................168
Need to Know More?.............................................................................170
Chapter 5:
Security Architecture and Models ......................................................171
Introduction ............................................................................................172
Computer System Architecture..............................................................172
Central Processing Unit................................................................172
Storage Media................................................................................175
I/O Bus Standards .........................................................................178
Virtual Memory and Virtual Machines.........................................178
Computer Configurations.............................................................179
Security Architecture..............................................................................180
Protection Rings............................................................................180
Trusted Computer Base ................................................................182
Open and Closed Systems.............................................................185
Security Modes of Operation........................................................185
Operating States ............................................................................186
Recovery Procedures.....................................................................187
Process Isolation............................................................................188
Security Models of Control....................................................................188
State Machine Model ....................................................................189
Confidentiality...............................................................................190
Integrity .........................................................................................191
Other Models ................................................................................194
Documents and Guidelines ....................................................................195
The Rainbow Series ......................................................................195
The Red Book: Trusted Network Interpretation.........................197
Information Technology Security Evaluation Criteria ................198
Common Criteria..........................................................................199
British Standard 7799....................................................................200
System Validation ...................................................................................200
Certification and Accreditation.....................................................201
Governance and Enterprise Architecture.....................................202
Security Architecture Threats................................................................204
Buffer Overflow.............................................................................204
Back Doors ....................................................................................205
Asynchronous Attacks ...................................................................205
Covert Channels............................................................................205
Incremental Attacks.......................................................................206
Exam Prep Questions .............................................................................207
Answers to Exam Prep Questions..........................................................209
Need to Know More?.............................................................................211
Chapter 6:
Telecommunications and Network Security...........................................213
Introduction ............................................................................................214
Network Models and Standards.............................................................214
OSI Model.....................................................................................215
Encapsulation/De-encapsulation ..................................................221
TCP/IP ...................................................................................................222
Network Access Layer...................................................................222
Internet Layer................................................................................223
Host-to-Host (Transport) Layer...................................................226
Application Layer ..........................................................................229
LANs and Their Components...............................................................232
LAN Communication Protocols ..................................................233
Network Topologies......................................................................233
LAN Cabling.................................................................................236
Network Types ..............................................................................238
Communication Standards.....................................................................239
Network Equipment...............................................................................240
Repeaters........................................................................................240
Hubs...............................................................................................240
Bridges ...........................................................................................240
Switches .........................................................................................241
Routers...........................................................................................242
Brouters .........................................................................................243
Gateways........................................................................................243
Routing....................................................................................................244
WANs and Their Components..............................................................246
Packet Switching ...........................................................................246
Circuit Switching...........................................................................248
Voice Communications and Wireless Communications.......................251
Voice over IP .................................................................................251
Cell Phones....................................................................................252
802.11 Wireless Networks and Standards....................................253
Network Security....................................................................................261
Firewalls.........................................................................................261
Demilitarized Zone .......................................................................263
Firewall Design..............................................................................264
Remote Access ........................................................................................265
Point-to-Point Protocol................................................................265
Virtual Private Networks ..............................................................266
Remote Authentication Dial-in User Service ..............................267
Terminal Access Controller Access Control System....................267
IPSec ..............................................................................................268
Message Privacy......................................................................................268
Threats to Network Security .................................................................269
DoS Attacks ...................................................................................269
Disclosure Attacks .........................................................................270
Destruction, Alteration, or Theft .................................................271
Exam Prep Questions .............................................................................274
Answers to Exam Prep Questions..........................................................277
Need to Know More?.............................................................................278
Chapter 7:
Business Continuity and Disaster Recovery Planning...............................279
Introduction ............................................................................................280
Threats to Business Operations .............................................................280
Disaster Recovery and Business Continuity Management ...................281
Project Management and Initiation..............................................283
Business Impact Analysis...............................................................285
Recovery Strategy..........................................................................290
Plan Design and Development .....................................................303
Implementation .............................................................................306
Testing............................................................................................307
Monitoring and Maintenance .......................................................309
Disaster Life Cycle .................................................................................310
Teams and Responsibilities ...........................................................312
Exam Prep Questions .............................................................................314
Answers to Exam Prep Questions..........................................................316
Need to Know More?.............................................................................318
Chapter 8:
Legal, Regulations, Compliance, and Investigations ...............................319
Introduction ............................................................................................320
United States Legal System and Laws...................................................320
International Legal Systems and Laws ..................................................321
International Property Laws ..................................................................323
Piracy and Issues with Copyrights................................................323
Privacy Laws and Protection of Personal Information .........................325
Privacy Impact Assessment ...........................................................327
Computer Crime Laws...........................................................................328
Ethics.......................................................................................................328
ISC2 Code of Ethics ......................................................................329
Computer Ethics Institute ............................................................330
Internet Architecture Board..........................................................331
NIST 800-14 .................................................................................332
Computer Crime and Criminals ............................................................332
Pornography ..................................................................................335
Well-Known Computer Crimes ............................................................335
How Computer Crime Has Changed....................................................336
Attack Vectors .........................................................................................338
Keystroke Logging........................................................................338
Wiretapping...................................................................................339
Spoofing Attacks............................................................................339
Manipulation Attacks ....................................................................340
Social Engineering ........................................................................341
Dumpster Diving...........................................................................341
Investigating Computer Crime ..............................................................342
Computer Crime Jurisdiction .......................................................343
Incident Response .........................................................................343
Forensics .................................................................................................347
Standardization of Forensic Procedures.......................................349
Computer Forensics ......................................................................349
Investigations ..........................................................................................354
Search, Seizure, and Surveillance .................................................354
Interviews and Interrogations .......................................................355
Honeypots and Honeynets ...........................................................355
Evidence Types..............................................................................356
Trial .........................................................................................................357
The Evidence Life Cycle ..............................................................358
Exam Prep Questions .............................................................................359
Answers to Exam Prep Questions..........................................................362
Need to Know More?.............................................................................364
Chapter 9:
Applications and Systems-Development Security ...................................365
Introduction ............................................................................................366
System Development..............................................................................366
Avoiding System Failure ...............................................................367
The System Development Life Cycle ..........................................369
System Development Methods ..............................................................376
The Waterfall Model ....................................................................376
The Spiral Model ..........................................................................376
Joint Application Development ....................................................377
Rapid Application Development...................................................377
Incremental Development ............................................................377
Prototyping....................................................................................378
Computer-Aided Software Engineering.......................................378
Agile Development Methods ........................................................378
Capability Maturity Model ...........................................................379
Scheduling .....................................................................................380
Change Management..............................................................................380
Programming Languages .......................................................................382
Object-Oriented Programming ....................................................384
CORBA..........................................................................................385
Database Management ...........................................................................385
Database Terms .............................................................................386
Integrity .........................................................................................388
Transaction Processing..................................................................388
Data Warehousing.........................................................................388
Data Mining ..................................................................................389
Knowledge Management ..............................................................390
Artificial Intelligence and Expert Systems ...................................390
Malicious Code .......................................................................................391
Viruses............................................................................................391
Worms............................................................................................393
Spyware..........................................................................................394
Back Doors and Trapdoors ...........................................................394
Change Detection .........................................................................395
Malformed Input (SQL Injection)................................................395
Mobile Code..................................................................................396
Financial Attacks............................................................................396
Buffer Overflow.............................................................................397
Denial of Service ...........................................................................398
Distributed Denial of Service .......................................................399
Exam Prep Questions .............................................................................400
Answers to Exam Prep Questions..........................................................402
Need to Know More?.............................................................................404
Chapter 10:
Information Security and Risk Management Practices..............................405
Introduction ............................................................................................406
Basic Security Principles ........................................................................406
Security Management and Governance.................................................408
Asset Identification .................................................................................410
Risk Assessment ......................................................................................411
Risk Management..........................................................................412
Policies Development.............................................................................427
Security Policy...............................................................................428
Standards........................................................................................430
Baselines.........................................................................................430
Guidelines......................................................................................431
Procedures .....................................................................................431
Data Classification.........................................................................431
Implementation.......................................................................................434
Roles and Responsibility ...............................................................434
Security Controls...........................................................................436
Training and Education..........................................................................438
Security Awareness ........................................................................439
Social Engineering ........................................................................440
Auditing Your Security Infrastructure ...................................................441
The Risk of Poor Security Management...............................................442
Exam Prep Questions .............................................................................443
Answers to Exam Prep Questions..........................................................445
Need to Know More?.............................................................................447
Chapter 11:
Operations Security .......................................................................449
Introduction ............................................................................................450
Operational Security...............................................................................450
Employee Recruitment .................................................................451
New-Hire Orientation ..................................................................452
Separation of Duties......................................................................452
Job Rotation...................................................................................452
Least Privilege ...............................................................................453
Mandatory Vacations.....................................................................453
Termination ...................................................................................454
Accountability .........................................................................................454
Controls ..................................................................................................456
Security Controls...........................................................................456
Operational Controls ....................................................................458
Auditing and Monitoring .......................................................................465
Auditing .........................................................................................466
Monitoring Controls.....................................................................467
Clipping Levels..............................................................................468
Intrusion Detection .......................................................................469
Keystroke Monitoring...................................................................470
Antivirus.........................................................................................470
Facility Access Control..................................................................471
Telecommunication Controls.................................................................472
Fax..................................................................................................472
PBX................................................................................................473
Email..............................................................................................474
Backup, Fault Tolerance, and Recovery Controls .................................476
Backups ..........................................................................................477
Fault Tolerance..............................................................................478
RAID..............................................................................................480
Recovery Controls.........................................................................482
Security Assessments ..............................................................................483
Policy Reviews ...............................................................................484
Vulnerability Scanning ..................................................................484
Penetration Testing .......................................................................485
Operational Security Threats and Vulnerabilities.................................489
Common Attack Methodologies...................................................490
Attack Terms and Techniques .......................................................492
Exam Prep Questions .............................................................................494
Answers to Exam Prep Questions..........................................................497
Need to Know More?.............................................................................499
Chapter 12:
Practice Exam I ............................................................................501
Chapter 13:
Answers to Practice Exam I..............................................................515
Chapter 14:
Practice Exam II ...........................................................................531
Chapter 15:
Answers to Practice Exam II.............................................................545
Appendix A:
What’s on the CD ..........................................................................559
Index ........................................................................................563
As the founder and president of Superior Solutions, Inc., a Houston-based IT security consulting, auditing, and training firm, Michael Gregg has more than15 years experience in information security and risk management. He holds two associate’s degrees, a bachelor’s degree, and a master’s degree. Some of the certifications he holds include the following: CISSP, CISA, CISM, MCSE, CTT+, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CCE, CEH, CHFI, CEI, DCNP, ES Dragon IDS, ES Advanced Dragon IDS, and SSCP.
Michael has experience not only in performing security audits and assessments, but also is the co-author of Build Your Own Security Lab by Wiley Publishing. Other publications he has authored include CISSP Practice Questions Exam Cram, CISA Exam Prep, and CEH Exam Prep 2. Michael is a site expert for TechTarget.com websites and also serves on their editorial advisory board. His articles have been published on IT websites including CertMag.com, CramSession.com, and GoCertify.com. Michael has created security, audit, and IT networking course material for various companies and universities. Although audits and assessments are where he spends the bulk of his time, teaching and contributing to the written body of IT security knowledge is how Michael believes he can give something back to the community that has given him so much.
He is a member of the American College of Forensic Examiners and the Information Systems Audit and Control Association. When not working, Michael enjoys traveling and restoring muscle cars.
 |
Ask a Question About this Product More... |
|
