This comprehensive book guides readers through the CISSP exam topics, including: Access Control; Application Development Security; Business Continuity and Disaster Recovery Planning; Cryptography; Information Security Governance and Risk Management; Legal, Regulations, Investigations and Compliance; Operations Security; Physical (Environmental) Security; Security Architecture and Design; and Telecommunications and Network Security. This study guide provides 100% coverage of the exam objectives, real-world scenarios, hands-on exercises, and challenging review questions, both in the book and on the CD.
Fully updated Study Guide for the CISSP. CISSP Certified Information Systems Security Professional Study Guide, 7th Edition has been completely updated for the latest 2015 CISSP Body of Knowledge. This Sybex Study Guide covers 100% of all exam objectives. You'll prepare for the exam smarter and faster with Sybex thanks to expert content, real-world examples, advice on passing each section of the exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic exam essentials and chapter review questions.
Along with the book, you also get access to Sybex's superior online interactive learning environment that includes:
- A 250-question practice exam to help you identify where you need to study more. Get more than 90 percent of the answers correct, and you're ready to take the certification exam.
- More than 100 electronic flashcards to reinforce your learning and give you last-minute test prep before the exam.
- A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam.
Coverage of all of the exam topics in the book means you'll be ready for:
- Access Control
- Application Development Security
- Business Continuity and Disaster Recovery Planning
- Cryptography
- Information Security Governance and Risk Management
- Legal, Regulations, Investigations and Compliance
- Operations Security
- Physical (Environmental) Security
- Security Architecture and Design
- Telecommunications and Network Security
Introduction xxxiii
Assessment Test xlii
Chapter 1 Security Governance Through Principles and Policies 1
Understand and Apply Concepts of Confidentiality, Integrity, and Availability 3
Apply Security Governance Principles 13
Develop and Implement Documented Security Policy, Standards, Procedures, and Guidelines 25
Understand and Apply Threat Modeling 28
Integrate Security Risk Considerations into Acquisition Strategy and Practice 35
Summary 36
Exam Essentials 38
Written Lab 41
Review Questions 42
Chapter 2 Personnel Security and Risk Management Concepts 47
Contribute to Personnel Security Policies 49
Security Governance 59
Understand and Apply Risk Management Concepts 60
Establish and Manage Information Security Education, Training, and Awareness 81
Manage the Security Function 82
Summary 83
Exam Essentials 84
Written Lab 88
Review Questions 89
Chapter 3 Business Continuity Planning 93
Planning for Business Continuity 94
Project Scope and Planning 95
Business Impact Assessment 101
Continuity Planning 107
Plan Approval and Implementation 109
Summary 114
Exam Essentials 115
Written Lab 117
Review Questions 118
Chapter 4 Laws, Regulations, and Compliance 123
Categories of Laws 124
Laws 127
Compliance 146
Contracting and Procurement 147
Summary 148
Exam Essentials 149
Written Lab 151
Review Questions 152
Chapter 5 Protecting Security of Assets 157
Classifying and Labeling Assets 158
Identifying Data Roles 174
Protecting Privacy 178
Summary 181
Exam Essentials 182
Written Lab 183
Review Questions 184
Chapter 6 Cryptography and Symmetric Key Algorithms 189
Historical Milestones in Cryptography 190
Cryptographic Basics 192
Modern Cryptography 208
Symmetric Cryptography 214
Cryptographic Life Cycle 222
Summary 222
Exam Essentials 223
Written Lab 225
Review Questions 226
Chapter 7 PKI and Cryptographic Applications 231
Asymmetric Cryptography 232
Hash Functions 236
Digital Signatures 240
Public Key Infrastructure 242
Asymmetric Key Management 246
Applied Cryptography 247
Cryptographic Attacks 258
Summary 261
Exam Essentials 261
Written Lab 264
Review Questions 265
Chapter 8 Principles of Security Models, Design, and Capabilities 269
Implement and Manage Engineering Processes Using Secure Design Principles 270
Understand the Fundamental Concepts of Security Models 275
Select Controls and Countermeasures Based on Systems Security Evaluation Models 289
Understand Security Capabilities of Information Systems 303
Summary 305
Exam Essentials 305
Written Lab 307
Review Questions 308
Chapter 9 Security Vulnerabilities, Threats, and Countermeasures 313
Assess and Mitigate Security Vulnerabilities 314
Client-Based 337
Server-Based 341
Database Security 341
Distributed Systems 344
Industrial Control Systems 348
Assess and Mitigate Vulnerabilities in Web-Based Systems 349
Assess and Mitigate Vulnerabilities in Mobile Systems 350
Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems 360
Essential Security Protection Mechanisms 364
Common Architecture Flaws and Security Issues 369
Summary 375
Exam Essentials 376
Written Lab 379
Review Questions 380
Chapter 10 Physical Security Requirements 385
Apply Secure Principles to Site and Facility Design 386
Design and Implement Physical Security 389
Implement and Manage Physical Security 407
Summary 415
Exam Essentials 416
Written Lab 420
Review Questions 421
Chapter 11 Secure Network Architecture and Securing Network Components 425
OSI Model 426
TCP/IP Model 437
Converged Protocols 452
Wireless Networks 454
General Wi-Fi Security Procedure 462
Cabling, Wireless, Topology, and Communications Technology 473
Summary 490
Exam Essentials 490
Written Lab 494
Review Questions 495
Chapter 12 Secure Communications and Network Attacks 499
Network and Protocol Security Mechanisms 500
Secure Voice Communications 503
Multimedia Collaboration 507
Manage Email Security 508
Remote Access Security Management 513
Virtual Private Network 517
Virtualization 523
Network Address Translation 525
Switching Technologies 530
WAN Technologies 532
Miscellaneous Security Control Characteristics 537
Security Boundaries 539
Prevent or Mitigate Network Attacks 539
Summary 545
Exam Essentials 546
Written Lab 549
Review Questions 550
Chapter 13 Managing Identity and Authentication 555
Controlling Access to Assets 556
Comparing Identification and Authentication 560
Implementing Identity Management 573
Managing the Identity and Access Provisioning Life Cycle 582
Summary 585
Exam Essentials 586
Written Lab 588
Review Questions 589
Chapter 14 Controlling and Monitoring Access 593
Comparing Access Control Models 594
Understanding Access Control Attacks 604
Summary 621
Exam Essentials 622
Written Lab 624
Review Questions 625
Chapter 15 Security Assessment and Testing 629
Building a Security Assessment and Testing Program 630
Performing Vulnerability Assessments 634
Testing Your Software 643
Implementing Security Management Processes 649
Summary 650
Exam Essentials 651
Written Lab 653
Review Questions 654
Chapter 16 Managing Security Operations 659
Applying Security Operations Concepts 661
Provisioning and Managing Resources 670
Managing Configuration 678
Managing Change 680
Managing Patches and Reducing Vulnerabilities 684
Summary 688
Exam Essentials 689
Written Lab 691
Review Questions 692
Chapter 17 Preventing and Responding to Incidents 697
Managing Incident Response 698
Implementing Preventive Measures 704
Logging, Monitoring, and Auditing 731
Summary 748
Exam Essentials 750
Written Lab 754
Review Questions 755
Chapter 18 Disaster Recovery Planning 759
The Nature of Disaster 760
Understand System Resilience and Fault Tolerance 770
Recovery Strategy 775
Recovery Plan Development 784
Training, Awareness, and Documentation 792
Testing and Maintenance 793
Summary 795
Exam Essentials 795
Written Lab 797
Review Questions 798
Chapter 19 Incidents and Ethics 803
Investigations 804
Major Categories of Computer Crime 812
Incident Handling 817
Ethics 826
Summary 829
Exam Essentials 830
Written Lab 832
Review Questions 833
Chapter 20 Software Development Security 837
Introducing Systems Development Controls 838
Establishing Databases and Data Warehousing 860
Storing Data and Information 869
Understanding Knowledge-based Systems 870
Summary 873
Exam Essentials 874
Written Lab 875
Review Questions 876
Chapter 21 Malicious Code and Application Attacks 881
Malicious Code 882
Password Attacks 895
Application Attacks 899
Web Application Security 901
Reconnaissance Attacks 905
Masquerading Attacks 907
Summary 908
Exam Essentials 909
Written Lab 910
Review Questions 911
Appendix A Answers to Review Questions 915
Chapter 1: Security Governance Through Principles and Policies 916
Chapter 2: Personnel Security and Risk Management Concepts 917
Chapter 3: Business Continuity Planning 918
Chapter 4: Laws, Regulations, and Compliance 920
Chapter 5: Protecting Security of Assets 922
Chapter 6: Cryptography and Symmetric Key Algorithms 924
Chapter 7: PKI and Cryptographic Applications 926
Chapter 8: Principles of Security Models, Design, and Capabilities 927
Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 929
Chapter 10: Physical Security Requirements 931
Chapter 11: Secure Network Architecture and Securing Network Components 932
Chapter 12: Secure Communications and Network Attacks 933
Chapter 13: Managing Identity and Authentication 935
Chapter 14: Controlling and Monitoring Access 937
Chapter 15: Security Assessment and Testing 939
Chapter 16: Managing Security Operations 940
Chapter 17: Preventing and Responding to Incidents 943
Chapter 18: Disaster Recovery Planning 946
Chapter 19: Incidents and Ethics 948
Chapter 20: Software Development Security 949
Chapter 21: Malicious Code and Application Attacks 950
Appendix B Answers to Written Labs 953
Chapter 1: Security Governance Through Principles and Policies 954
Chapter 2: Personnel Security and Risk Management Concepts 954
Chapter 3: Business Continuity Planning 955
Chapter 4: Laws, Regulations, and Compliance 956
Chapter 5: Protecting Security of Assets 956
Chapter 6: Cryptography and Symmetric Key Algorithms 957
Chapter 7: PKI and Cryptographic Applications 958
Chapter 8: Principles of Security Models, Design, and Capabilities 958
Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 959
Chapter 10: Physical Security Requirements 959
Chapter 11: Secure Network Architecture and Securing Network Components 960
Chapter 12: Secure Communications and Network Attacks 960
Chapter 13: Managing Identity and Authentication 961
Chapter 14: Controlling and Monitoring Access 962
Chapter 15: Security Assessment and Testing 962
Chapter 16: Managing Security Operations 963
Chapter 17: Preventing and Responding to Incidents 963
Chapter 18: Disaster Recovery Planning 964
Chapter 19: Incidents and Ethics 965
Chapter 20: Software Development Security 965
Chapter 21: Malicious Code and Application Attacks 966
Index 967
James Michael Stewart, CISSP, CEH, CHFI, Security+, has focused on security, certification, and various operating systems for more than 20 years. He teaches numerous job skill and certification courses.
Mike Chapple, PhD, CISSP, is Senior Director for IT Service Delivery at the University of Notre Dame. He oversees information security, data governance, IT architecture, project management, strategic planning, and product management functions.
Darril Gibson, CISSP, is CEO of YCDA, LLC. He regularly writes and consults on a variety of technical and security topics, and has authored or coauthored more than 35 books.