CISSP - James Michael Stewart - ebook

CISSP ebook

James Michael Stewart

0,0
199,99 zł

Opis

Fully updated Sybex Study Guide for the industry-leadingsecurity certification: CISSP Security professionals consider the Certified InformationSystems Security Professional (CISSP) to be the most desiredcertification to achieve. More than 200,000 have taken the exam,and there are more than 70,000 CISSPs worldwide. This highlyrespected guide is updated to cover changes made to the CISSP Bodyof Knowledge in 2012. It also provides additional advice on how topass each section of the exam. With expanded coverage of key areas,it also includes a full-length, 250-question practice exam. * Fully updated for the 2012 CISSP Body of Knowledge, theindustry-leading standard for IT professionals * Thoroughly covers exam topics, including access control,application development security, business continuity and disasterrecovery planning, cryptography, operations security, and physical(environmental) security * Examines information security governance and risk management,legal regulations, investigations and compliance, andtelecommunications and network security * Features expanded coverage of biometrics, auditing andaccountability, software security testing, and many more keytopics CISSP: Certified Information Systems Security ProfessionalStudy Guide, 6th Edition prepares you with both the knowledgeand the confidence to pass the CISSP exam.

Ebooka przeczytasz w aplikacjach Legimi na:

Androidzie
iOS
czytnikach certyfikowanych
przez Legimi
Windows
10
Windows
Phone

Liczba stron: 1653




Contents

Dedication

Acknowledgments

About the Authors

Introduction

Assessment Test

Chapter 1: Access Control

Access Control Overview

Identification and Authentication Techniques

Access Control Techniques

Authorization Mechanisms

Identity and Access Provisioning Life Cycle

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 2: Access Control Attacks and Monitoring

Understanding Access Control Attacks

Preventing Access Control Attacks

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 3: Secure Network Architecture and Securing Network Components

OSI Model

Secure Network Components

Cabling, Wireless, Topology, and Communications Technology

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 4: Secure Communications and Network Attacks

Network and Protocol Security Mechanisms

Virtual Private Network

Remote Access Security Management

Network Address Translation

Switching Technologies

WAN Technologies

Virtualization

Miscellaneous Security Control Characteristics

Manage Email Security

Secure Voice Communications

Security Boundaries

Network Attacks and Countermeasures

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 5: Security Governance Concepts, Principles, and Policies

Security Management Planning

Security Governance

Security Roles and Responsibilities

Protection Mechanisms

Privacy Requirements Compliance

Control Frameworks: Planning to Plan

Security Management Concepts and Principles

Develop and Implement Security Policy

Change Control/Management

Data Classification

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 6: Risk and Personnel Management

Manage Third-Party Governance

Risk Management

Manage Personnel Security

Develop and Manage Security Education, Training, and Awareness

Manage the Security Function

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 7: Software Development Security

Application Issues

Databases and Data Warehousing

Data/Information Storage

Knowledge-Based Systems

Systems Development Controls

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 8: Malicious Code and Application Attacks

Malicious Code

Password Attacks

Application Attacks

Web Application Security

Reconnaissance Attacks

Masquerading Attacks

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 9: Cryptography and Symmetric Key Algorithms

Historical Milestones in Cryptography

Cryptographic Basics

Modern Cryptography

Symmetric Cryptography

Cryptographic Life Cycle

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 10: PKI and Cryptographic Applications

Asymmetric Cryptography

Hash Functions

Digital Signatures

Public Key Infrastructure

Asymmetric Key Management

Applied Cryptography

Cryptographic Attacks

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 11: Principles of Security Models, Design, and Capabilities

Understand the Fundamental Concepts of Security Models

Objects and Subjects

Understand the Components of Information Systems Security Evaluation Models

Understand Security Capabilities Of Information Systems

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 12: Security Architecture Vulnerabilities, Threats, and Countermeasures

Computer Architecture

Avoiding Single Points of Failure

Distributed Architecture

Security Protection Mechanisms

Common Flaws and Security Issues

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 13: Security Operations

Security Operations Concepts

Resource Protection

Patch and Vulnerability Management

Change and Configuration Management

Security Audits and Reviews

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 14: Incident Management

Managing Incident Response

Implement Preventive Measures Against Attacks

Understand System Resilience and Fault Tolerance

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 15: Business Continuity Planning

Planning for Business Continuity

Project Scope and Planning

Business Impact Assessment

Continuity Planning

BCP Documentation

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 16: Disaster Recovery Planning

The Nature of Disaster

Recovery Strategy

Recovery Plan Development

Training and Documentation

Testing and Maintenance

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 17: Laws, Regulations, and Compliance

Categories of Laws

Laws

Compliance

Contracting and Procurement

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 18: Incidents and Ethics

Investigations

Major Categories of Computer Crime

Incident Handling

Ethics

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 19: Physical Security Requirements

Site and Facility Design Considerations

Forms of Physical Access Controls

Technical Controls

Environment and Life Safety

Equipment Failure

Privacy Responsibilities and Legal Requirements

Summary

Exam Essentials

Written Lab

Review Questions

Appendix A: Answers to Review Questions

Appendix B: Answers to Written Labs

Appendix C: About the Additional Study Tools

Index

Free Online Study Tools

Senior Acquisitions Editor: Jeff Kellum

Development Editor: Stef Jones

Technical Editors: David Seidl and Debbie Dahlin

Production Editor: Dassi Zeidel

Copy Editors: Judy Flynn and Liz Welch

Editorial Manager: Pete Gaughan

Production Manager: Tim Tate

Vice President and Executive Group Publisher: Richard Swadley

Vice President and Publisher: Neil Edde

Media Project Manager 1: Laura Moss-Hollister

Media Associate Producer: Josh Frank

Media Quality Assurance: Marilyn Hummel

Book Designer: Judy Fung

Proofreader: Josh Chase, Word One New York

Indexer: Ted Laux

Project Coordinator, Cover: Katherine Crocker

Cover Designer: Ryan Sneed

Copyright © 2012 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-118-31417-3

ISBN: 978-1-118-46389-5 (ebk.)

ISBN: 978-1-118-33210-8 (ebk.)

ISBN: 978-1-118-33539-0 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2012940018

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISSP is a registered trademark of the International Information Systems Security Certifications Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Dear Reader,

Thank you for choosing CISSP: Certified Information Systems Security Professional Study Guide, Sixth Edition. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than 30 years later, we’re still committed to producing consistently exceptional books. With each of our titles, we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.

I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at [email protected] If you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

Best regards,

Neil Edde

Vice President and Publisher

Sybex, an Imprint of Wiley

To Cathy, whenever there is trouble, just remember “Some beach, somewhere. . .”

—James Michael Stewart

To Robert Riley, a credit to our profession who left us far too soon.

—Mike Chapple

To my wife: Thanks for sharing your life with me for the past 20 years. I look forward to 20 more.

—Darril Gibson

To Ed, we missed you on this one.

—Authors

Acknowledgments

I’d like to express my thanks to Sybex for continuing to support this project. Thanks to Mike Chapple for continuing to contribute to this project. Thanks to Darril Gibson for stepping up and taking over several chapters. Ed, we missed your input and perspective. Thanks also to all my CISSP course students who have provided their insight and input to improve my training courseware and ultimately this tome. Extra thanks to the sixth edition developmental editor, Stef Jones, and technical editor, David Seidl, who performed amazing feats in guiding us to improve this book.

To my wonderful wife, Cathy: Our life together is getting more complicated and more wonderful every day. To my son, Xzavier Slayde, and daughter, Remington Annaliese: May you grow to be more than we could imagine; you’ve already outshined all our expectations. To my parents, Dave and Sue: Thanks for your love and consistent support. To Mark: No matter how much time has passed or how little we see each other, I have been and always will be your friend. And finally, as always, to Elvis—the world could use a little “Hunka Hunka Burnin’ Love!”

—James Michael Stewart

Special thanks go to the information security team at the University of Notre Dame who provided hours of interesting conversation and debate on security issues that inspired and informed much of the material in this book.

I would like to thank the team at Wiley who provided invaluable assistance throughout the book development process. I also owe a debt of gratitude to my literary agent, Carole Jelen of Waterside Productions. My coauthors, James Michael Stewart and Darril Gibson, were great collaborators. It would be remiss not to also thank Ed Tittel, our coauthor on the first five editions of this book, who was unable to participate in this revision. David Seidl, who joined the team as our technical editor, provided valuable insight as we brought this edition to press.

I’d also like to thank the many people who participated in the production of this book but whom I never had the chance to meet: the graphics team, the production staff, and all of those involved in bringing this book to press.

—Mike Chapple

Thanks to Ed Tittel for thinking of me when his schedule was too full to take on the update of this book. No one can fill Ed’s shoes, but I am grateful for the opportunity to contribute to this book in his place. Thanks to James Michael Stewart and Mike Chapple for the work they’ve done with this book in the past, and especially in this edition. I’m also grateful to Jeff Kellum at Wiley for inviting me into the project and to Carole Jelen, my agent at Waterside Productions, for getting all the pieces to fit together. Last, thanks to all the editing, graphics, and production work done by the team at Wiley.

—Darril Gibson

About the Authors

James Michael Stewart, CISSP, has been writing and training for more than 18 years, with a current focus on security. He has been teaching CISSP training courses since 2002, not to mention other courses on Windows security and ethical hacking/penetration testing. He is the author of several books and courseware sets on security certification, Microsoft topics, and network administration. More information about Michael can be found at his website: www.impactonline.com.

Mike Chapple, CISSP, PhD, is an IT professional with the University of Notre Dame. In the past, he was chief information officer of Brand Institute and an information security researcher with the National Security Agency and the U.S. Air Force. His primary areas of expertise include network intrusion detection and access controls. Mike is a frequent contributor to TechTarget’s SearchSecurity site and the author of several information security titles, including The GSEC Prep Guide from Wiley and Information Security Illuminated from Jones and Bartlett Publishers.

Darril Gibson, CISSP, is the CEO of Security Consulting and Training, LLC, and has authored or coauthored 25 books and served as the technical editor on many others. He has been a Microsoft Certified Trainer (MCT) since 1999 and holds a multitude of certifications. He regularly teaches classes on security and Microsoft topics as a traveling trainer and as an adjunct professor at ECPI University. Darril regularly blogs at blogs.GetCertifiedGetAhead.com.

CISSP: Certified Information Systems Security Professional Study Guide, 6th Edition

CISSP Common Body of Knowledge

KEY AREA OF KNOWLEDGE

CHAPTER

1. ACCESS CONTROL

A. Control access by applying the following concepts/methodology/techniques

A.1 Policies
A.2 Types of controls (preventative, detective, corrective, etc.)
A.3 Techniques (e.g., non-discretionary, discretionary and mandatory)
A.4 Identification and Authentication
A.5 Decentralized/distributed access control techniques
A.6 Authorization mechanisms
A.7 Logging and monitoring

1, 2

B. Understand access control attacks

B.1 Threat modeling
B.2 Asset valuation
B.3 Vulnerability analysis
B.4 Access aggregation

2

C. Assess effectiveness of access controls

C.1 User entitlement
C.2 Access review & audit

2

D. Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)

1

2. TELECOMMUNICATIONS AND NETWORK SECURITY

A. Understand secure network architecture and design (e.g., IP & non-IP protocols, segmentation)

A.1 OSI and TCP/IP models
A.2 IP networking
A.3 Implications of multi-layer protocols

B. Securing network components

B.1 Hardware (e.g., modems, switches, routers, wireless access points)
B.2 Transmission media (e.g., wired, wireless, fiber)
B.3 Network access control devices (e.g., firewalls, proxies)
B.4 End-point security

3

C. Establish secure communication channels (e.g., VPN, TLS/SSL, VLAN)

C.1 Voice (e.g., POTS, PBX, VoIP)
C.2 Multimedia collaboration (e.g., remote meeting technology, instant messaging)
C.3 Remote access (e.g., screen scraper, virtual application/desktop, telecommuting); Data communications

4

D. Understand network attacks (e.g., DDoS, spoofing)

4

3. INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT

A. Understand and align security function to goals, mission, and objectives of the organization

5

B. Understand and apply security governance

B.1 Organizational processes (e.g., acquisitions, divestitures, governance committees)
B.2 Security roles and responsibilities
B.3 Legislative and regulatory compliance
B.4 Privacy requirements compliance
B.5 Control frameworks
B.6 Due care
B.7 Due diligence

5

C. Understand and apply concepts of confidentiality, availability, and integrity

5

D. Develop and implement security policy

D.1 Security policies
D.2 Standards/baselines
D.3 Procedures
D.4 Guidelines
D.5 Documentation

5

E. Manage the information life cycle (e.g., classification, categorization, and ownership)

5

F. Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)

6

G. Understand and apply risk management concepts

G.1 Identify threats and vulnerabilities
G.2 Risk assessment/analysis (qualitative, quantitative, hybrid)
G.3 Risk assignment/acceptance
G.4 Countermeasure selection
G.5 Tangible and intangible asset valuation

6

H. Manage personnel security

H.1 Employment candidate screening (e.g., reference checks, education verification)
H.2 Employment agreements and policies
H.3 Employee termination processes
H.4 Vendor, consultant and contractor controls

6

I. Develop and manage security education, training, and awareness

6

J. Manage the Security Function

J.1 Budget
J.2 Metrics
J.3 Resources
J.4 Develop and implement information security strategies
J.5 Assess the completeness and effectiveness of the security program

6

4. SOFTWARE DEVELOPMENT SECURITY

A. Understand and apply security in the software development life cycle

A.1 Development Life Cycle
A.2 Maturity models
A.3 Operation and maintenance
A.4 Change management

7

B. Understand the environment and security controls

B.1 Security of the software environment
B.2 Security issues of programming languages
B.3 Security issues in source code (e.g., buffer overflow, escalation of privilege, backdoor)
B.4 Configuration management

7, 8

C. Assess the effectiveness of software security

7

5. CRYPTOGRAPHY

A. Understand the application and use of cryptography

A.1 Data at rest (e.g., Hard Drive)
A.2 Data in transit (e.g., On the wire)

9

B. Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)

9

C. Understand encryption concepts

C.1 Foundational concepts
C.2 Symmetric cryptography
C.3 Asymmetric cryptography
C.4 Hybrid cryptography
C.5 Message digests
C.6 Hashing

9, 10

D. Understand key management process

D.1 Creation/distribution
D.2 Storage/destruction
D.3 Recovery
D.4 Key escrow

9, 10

E. Understand digital signatures

10

F. Understand non-repudiation

9, 10

G. Understand methods of cryptanalytic attacks

G.1 Chosen plain-text
G.2 Social engineering for key discovery
G.3 Brute Force (e.g., rainbow tables, specialized/scalable architecture)
G.4 Cipher-text only
G.5 Known plaintext
G.6 Frequency analysis
G.7 Chosen cipher-text
G.8 Implementation attacks

10

H. Use cryptography to maintain network security

10

I. Use cryptography to maintain application security

10

J. Understand Public Key Infrastructure (PKI)

10

K. Understand certificate related issues

10

L. Understand information hiding alternatives (e.g., steganography, watermarking)

10

6. SECURITY ARCHITECTURE & DESIGN

A. Understand the fundamental concepts of security models (e.g., Confidentiality; Integrity; and Multi-level Models

11

B. Understand the components of information systems security evaluation models

B.1 Product evaluation models (e.g., common criteria)
B.2 Industry and international security implementation guidelines (e.g., PCI-DSS, ISO)

11

C. Understand security capabilities of information systems (e.g., memory protection; virtualization, trusted platform module)

11

D. Understand the vulnerabilities of security architectures

D.1 System (e.g., covert channels; states attacks; emanations)
D.2 Technology and process integration (e.g., single point of failure, service oriented architecture)

12

E. Understand software and system vulnerabilities and threats

E.1 Web-based (e.g., XML, SAML, OWASP)
E.2 Client-based (e.g., applets)
E.3 Server-based (e.g., data flow control)
E.4 Database security (e.g., inference, aggregation, data mining, warehousing)
E.5 Distributed systems (e.g., cloud computing, grid computing, peer to peer)

7, 8, 12

F. Understand countermeasure principles (e.g., defense in depth)

12

7. SECURITY OPERATIONS

A. Understand security operations concepts

A.1 Need-to-know/least privilege
A.2 Separation of duties and responsibilities
A.3 Monitor special privileges (e.g., operators, administrators)
A.4. Job rotation
A.5 Marking, handling, storing, and destroying of sensitive information and media
A.6 Record retention

13

B. Employ resource protection

B.1 Media management
B.2 Asset management (e.g., equipment life cycle, software licensing)

13

C. Manage incident response

C.1 Detection
C.2 Response
C.3 Reporting
C.4 Recovery
C.5 Remediation and review (e.g., root cause analysis)

14

D. Implement preventative measures against attacks (e.g., malicious code, zero-day exploit, denial of service)

8, 14

E. Implement and support patch and vulnerability management

8, 13

F. Understand change and configuration management (e.g., versioning, baselining)

13

G. Understand system resilience and fault tolerance requirements

14

8. BUSINESS CONTINUITY & DISASTER RECOVERY

A. Understand business continuity requirements

A.1 Develop and document project scope and plan

15

B. Conduct business impact analysis

B.1 Identify and prioritize critical business functions
B.2 Determine maximum tolerable downtime and other criteria
B.3 Assess exposure to outages (e.g., local, regional, global); Define recovery objectives

15

C. Develop a recovery strategy

C.1 Implement a backup storage strategy (e.g., offsite storage, electronic vaulting, tape rotation)
C.2 Recovery site strategies

16

D. Understand disaster recovery process

D.1 Response
D.2 Personnel
D.3 Communications
D.4 Assessment
D.5 Restoration
D.6 Provide training

16

E. Exercise, assess and maintain the plan (e.g., version control, distribution)

15, 16

9. LEGAL, REGULATIONS, INVESTIGATIONS, AND COMPLIANCE

A. Understand legal issues that pertain to information security internationally

A.1 Computer crime
A.2 Licensing and intellectual property (e.g., copyright, trademark)
A.3 Import/Export
A.4 Trans-border data flow
A.5 Privacy

17, 18

B. Understand professional ethics

B.1 (ISC)2 Code of Professional Ethics
B.2 Support organization’s code of ethics

18

C. Understand and support investigations

C.1 Policy, roles and responsibilities (e.g., rules of engagement, authorization, scope)
C.2 Incident handling and response
C.3 Evidence collection and handling (e.g., chain of custody, interviewing)
C.4 Reporting and documenting

18

D. Understand forensic procedures

D.1 Media analysis
D.2 Network analysis
D.3 Software analysis
D.4 Hardware/embedded device analysis

18

E. Understand compliance requirements and procedures

E.1 Regulatory environment
E.2 Audits
E.3 Reporting

17

F. Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance)

17

10. PHYSICAL (ENVIRONMENTAL) SECURITY

A. Understand site and facility design considerations

19

B. Support the implementation and operation of perimeter security (e.g., physical access control and monitoring, audit trails/access logs)

19

C. Support the implementation and operation of internal security (e.g., escort requirements/visitor control, keys and locks)

19

D. Support the implementation and operation of operations or facility security (e.g., technology convergence)

D.1 Communications and server rooms
D.2 Restricted and work area security
D.3 Data center security
D.4 Utilities and Heating, Ventilation and Air Conditioning (HVAC) considerations
D.5 Water issues (e.g., leakage, flooding)
D.6 Fire prevention, detection and suppression

19

E. Support the protection and securing of equipment

19

F. Understand personnel privacy and safety (e.g., duress, travel, monitoring)

19

The (ISC)2 BOK is subject to change at any time without prior notice and at (ISC)2’s sole discretion. Please visit (ISC)2’s website (www.isc2.org) for the most up-to-date information.

Introduction

The CISSP: Certified Information Systems Security Professional Study Guide, Sixth Edition, offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you’ve shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam.

This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam.

Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary five years of experience (or four years if you have a college degree) in one of the 10 domains covered by the CISSP exam. If you are qualified to take the CISSP exam according to (ISC)2, then you are sufficiently prepared to use this book to study for it. For more information on (ISC)2, see the next section.

(ISC)2

The CISSP exam is governed by the International Information Systems Security Certification Consortium (ISC)2 organization. (ISC)2 is a global not-for-profit organization. It has four primary mission goals:

Maintain the Common Body of Knowledge (CBK) for the field of information systems security.

Provide certification for information systems security professionals and practitioners.

Conduct certification training and administer the certification exams.

Oversee the ongoing accreditation of qualified certification candidates through continued education.

The (ISC)2 is operated by a board of directors elected from the ranks of its certified practitioners. You can obtain more information about (ISC)2 from its website at www.isc2.org.

CISSP and SSCP

(ISC)2 supports and provides two primary certifications: CISSP and SSCP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. The Certified Information Systems Security Professional credential is for security professionals responsible for designing and maintaining security infrastructure within an organization. The Systems Security Certified Practitioner (SSCP) is a credential for security professionals responsible for implementing or operating a security infrastructure in an organization.

The CISSP certification covers material from the 10 CBK domains:

Access Control

Telecommunications and Network Security

Information Security Governance and Risk Management

Software Development Security

Cryptography

Security Architecture and Design

Security Operations

Business Continuity and Disaster Recovery Planning

Legal, Regulations, Investigations and Compliance

Physical (Environmental) Security

The SSCP certification covers material from seven CBK domains:

Access Controls

Cryptography

Malicious Code and Activity

Monitoring and Analysis

Networks and Communications

Risk, Response, and Recovery

Security Operations and Administration

The content for the CISSP and SSCP domains overlap significantly, but the focus is different for each set of domains. The CISSP focuses on theory and design, whereas the SSCP focuses more on implementation and best practices. This book focuses only on the domains for the CISSP exam.

Prequalifications

(ISC)2 has defined the qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least five years’ experience or with four years’ experience and a recent IT or IS degree. Professional experience is defined as security work performed for salary or commission within one or more of the 10 CBK domains.

Second, you must agree to adhere to a formal code of ethics. The CISSP Code of Ethics is a set of guidelines the (ISC)2 wants all CISSP candidates to follow to maintain professionalism in the field of information systems security. You can find it in the Information section on the (ISC)2 website at www.isc2.org.

(ISC)2 also offers an entry program known as an Associate of (ISC)2. This program allows someone without any or enough experience to qualify as a CISSP to take the CISSP exam anyway and then obtain experience afterward. Associates are granted six years to obtain five years’ of security experience. Only after providing proof of such experience, usually by means of endorsement and a resume, can the individual be awarded CISSP certification.

To sign up, visit the (ISC)2 website, and follow the instructions listed there for registering to take the CISSP exam. You’ll provide your contact information, payment details, and security-related professional experience. You’ll also select one of the available time and location settings for the exam. Once (ISC)2 approves your application to take the exam, you’ll receive a confirmation email with all the details you’ll need to find the testing center and take the exam. By the way, be sure to print out a copy of your confirmation letter with your assigned candidate ID number because this is the third form of proof required to enter the testing location (the first two forms are a picture ID and something with your signature on it).

Overview of the CISSP Exam

The CISSP exam consists of 250 questions, and you have 6 hours to complete it. The exam is still administered using a paper booklet and answer sheet. This means you’ll be using a pencil to fill in answer bubbles.

However, (ISC)2 just announced a new partnership with Pearson Vue. This partnership will allow the CISSP exam, and other (ISC)2 certification exams, to be taken at a Pearson Vue CBT (computer based testing) facility starting June 1, 2012. This change in testing venues will be implemented worldwide. For more details on this development, please visit www.isc2.org.

The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and concept than implementation and procedure. It is very broad but not very deep. To successfully complete this exam, you’ll need to be familiar with every domain in the CBK but not necessarily be a master of each domain.

You’ll need to register for the exam through the (ISC)2 website at www.isc2.org.

(ISC)2 has traditionally administered the exam under its own direct guidance and control. In most cases, the exams were held in large conference rooms at hotels. Existing CISSP holders were recruited to serve as proctors or administrators for these exams. However, with the upcoming change to offering CISSP as a computer-based test (CBT), the location-based test offerings may be eliminated or reduced (especially in areas where Pearson Vue locations are widely accessible). Once you are ready to schedule your exam, please check with (ISC)2 to see if you have the option of a CBT or a paper-based, location-based exam.

If you take a paper-based, location-based exam, be sure to arrive at the testing center around 8 a.m., and keep in mind that absolutely no one will be admitted into the exam after 8:30 a.m. Once all test takers are signed in and seated, the exam proctors will pass out the testing materials and read a few pages of instructions. This may take 30 minutes or more. Once that process is finished, the 6 hour window for taking the test will begin.

CISSP Exam Question Types

Every question on the CISSP exam is a four-option, multiple-choice question with a single correct answer. Some are straightforward, such as asking you to select a definition. Some are a bit more involved, asking you to select the appropriate concept or best practice. And some questions present you with a scenario or situation and ask you to select the best response. Here’s an example:

1. What is the most important goal and top priority of a security solution?
A. Preventing disclosure
B. Maintaining integrity
C. Maintaining human safety
D. Sustaining availability

You must select the one correct or best answer and mark it on your answer sheet. In some cases, the correct answer will be very obvious to you. In other cases, several answers may seem correct. In these instances, you must choose the best answer for the question asked. Watch for general, specific, universal, superset, and subset answer selections. In other cases, none of the answers will seem correct. In these instances, you’ll need to select the least incorrect answer.

By the way, the correct answer for this sample question is C. Maintaining human safety is always your first priority.

Advice on Taking the Exam

The CISSP exam consists of two key elements. First, you need to know the material from the 10 CBK domains. Second, you must have good test-taking skills. With 6 hours to complete a 250-question exam, you have just less than 90 seconds for each question. Thus, it is important to work quickly, without rushing but also without wasting time.

One key factor to remember is that guessing is better than not answering a question. If you don’t answer a question, you will not get any credit. But if you guess, you have at least a 25 percent chance of improving your score. Wrong answers are not counted against you. So, near the end of the sixth hour, be sure an answer is selected for every line on the answer sheet.

You can write on the test booklet, but nothing written on it will count for or against your score. Use the booklet to make notes and keep track of your progress. We recommend circling your selected answer in the question booklet before you mark it on your answer sheet.

To maximize your test-taking activities, here are some general guidelines:

Answer easy questions first.

Skip harder questions, and return to them later. Consider creating a column on the front cover of your testing booklet to keep track of skipped questions.

Eliminate wrong answers before selecting the correct one.

Watch for double negatives.

Be sure you understand what the question is asking.

Manage your time. You should try to complete about 50 questions per hour. This will leave you with about an hour to focus on skipped questions and double-check your work. Be very careful to mark your answers by the correct question number on the answer sheet.

If you’re attending a paper-based, location-based test, be sure to bring food and drink to the test site. You will not be allowed to leave to obtain sustenance. Your food and drink will be stored against one wall of the testing room. You can eat and drink at any time, but only against that wall. Be sure to bring any medications or other essential items, but leave all things electronic at home or in your car. Wear a watch, but make sure it is not a programmable one. Bring pencils, a manual pencil sharpener, and an eraser. We also recommend bringing foam ear plugs, wearing comfortable clothes, and taking a light jacket with you (some testing locations are a bit chilly).

If you take your exam at a Pearson Vue center, you may be prohibited from using your own paper and pen/pencil because they usually provide a dry erase board and marker. Pearson Vue testing centers usually have a no food or drink policy, but with a potentially 6-hour exam, new accommodations will be required. Please be sure to contact your testing location and inquire about the procedures and limitations for food and drink.

If English is not your first language, you can register for one of several other language versions of the exam. Or, if you choose to use the English version of the exam, a translation dictionary is allowed. You must be able to prove that you need such a dictionary; this is usually accomplished with your birth certificate or your passport.

Occasionally, small changes are made to the exam or exam objectives. When that happens, Sybex will post updates to its website. Visit www.sybex.com/go/cissp6e before you sit for the exam to make sure you have the latest information.

Study and Exam Preparation Tips

We recommend planning for a month or so of nightly intensive study for the CISSP exam. Here are some suggestions to maximize your learning time; you can modify them as necessary based on your own learning habits:

Take one or two evenings to read each chapter in this book and work through its review material.

Answer all the review questions and take the practice exams provided in the book and on the test engine. Complete the written labs from each chapter, and use the review questions for each chapter to help guide you to topics for which more study or time spent working through key concepts and strategies might be beneficial.

Review the (ISC)

2

’s study guide from

www.isc2.org

.

Use the flashcards included with the study tools to reinforce your understanding of concepts.

We recommend spending about half of your study time reading and reviewing concepts and the other half taking practice exams. Students have reported that the more time they spent taking practice exams, the better they retained test topics. You might also consider visiting resources such as www.cccure.org, www.cissp.com, and other CISSP-focused websites.

Completing the Certification Process

Once you have been informed that you successfully passed the CISSP certification, there is one final step before you are actually awarded the CISSP certification. That final step is known as endorsement. Basically, this involves getting someone who is a CISSP, or other (ISC)2 certification holder, in good standing and familiar with your work history to submit an endorsement form on your behalf. The endorsement form is accessible through the email notifying you of your achievement in passing the exam. The endorser must review your resume, ensure that you have sufficient experience in the 10 CISSP domains, and then submit the signed form to (ISC)2 via fax or post mail. You must have submitted the endorsement files to (ISC)2 within 90 days after receiving the confirmation-of-passing email. Once (ISC)2 receives your endorsement form, the certification process will be completed and you will be sent a welcome packet via USPS.

If you happen to fail the exam, you may take the exam a second time as soon as you can find another open slot in a testing location. However, you will need to pay full price for your second attempt. In the unlikely case you need to test a third time, (ISC)2 requires that you wait six months.

Post-CISSP Concentrations

(ISC)2 has added three concentrations to its certification lineup. These concentrations are offered only to CISSP certificate holders. The (ISC)2 has taken the concepts introduced on the CISSP exam and focused on specific areas, namely, architecture, management, and engineering. These three concentrations are as follows:

Information Systems Security Architecture Professional (ISSAP) Aimed at those who specialize in information security architecture. Key domains covered here include access control systems and methodology; cryptography; physical security integration; requirements analysis and security standards, guidelines, and criteria; technology-related aspects of business continuity planning and disaster recovery planning; and telecommunications and network security. This is a credential for those who design security systems or infrastructure or for those who audit and analyze such structures.
Information Systems Security Management Professional (ISSMP) Aimed at those who focus on management of information security policies, practices, principles, and procedures. Key domains covered here include enterprise security management practices; enterprise-wide system development security; law, investigations, forensics, and ethics; oversight for operations security compliance; and understanding business continuity planning, disaster recovery planning, and continuity of operations planning. This is a credential for professionals who are responsible for security infrastructures, particularly where mandated compliance comes into the picture.
Information Systems Security Engineering Professional (ISSEP) Aimed at those who focus on the design and engineering of secure hardware and software information systems, components, or applications. Key domains covered include certification and accreditation, systems security engineering, technical management, and US government information assurance rules and regulations. Most ISSEPs work for the US government or for a government contractor that manages government security clearances.

For more details about these concentration exams and certifications, please see the (ISC)2 website at www.isc2.org.

Notes on This Book’s Organization

This book is designed to cover each of the 10 CISSP Common Body of Knowledge domains in sufficient depth to provide you with a clear understanding of the material. The main body of this book comprises 19 chapters. The first 9 domains are each covered by 2 chapters, and the final domain, Physical (Environmental) Security, is covered in Chapter 19. The domain/chapter breakdown is as follows:

Chapters 1 and 2 Access Control
Chapters 3 and 4 Telecommunications and Network Security
Chapters 5 and 6 Information Security Governance and Risk Management
Chapters 7 and 8 Software Development Security
Chapters 9 and 10 Cryptography
Chapters 11 and 12 Security Architecture and Design
Chapters 13 and 14 Security Operations
Chapters 15 and 16 Business Continuity and Disaster Recovery Planning
Chapters 17 and 18 Legal, Regulations, Investigations, and Compliance
Chapter 19 Physical (Environmental) Security

Each chapter includes elements to help you focus your studies and test your knowledge, detailed in the following sections.

The Elements of This Study Guide

You’ll see many recurring elements as you read through this study guide. Here are descriptions of some of those elements:

Summaries The summary is a brief review of the chapter to sum up what was covered.
Exam Essentials The Exam Essentials highlight topics that could appear on the exam in some form. While we obviously do not know exactly what will be included in a particular exam, this section reinforces significant concepts that are key to understanding the Common Body of Knowledge (CBK) area and the test specs for the CISSP exam.
Chapter review questions Each chapter includes practice questions that have been designed to measure your knowledge of key ideas that were discussed in the chapter. After you finish each chapter, answer the questions; if some of your answers are incorrect, it’s an indication that you need to spend some more time studying the corresponding topics. The answers to the practice questions can be found at the end of each chapter.
Written labs Each chapter includes written labs that synthesize various concepts and topics that appear in the chapter. These raise questions that are designed to help you put together various pieces you’ve encountered individually in the chapter and assemble them to propose or describe potential security strategies or solutions.
Real World Scenarios As you work through each chapter, you’ll find descriptions of typical and plausible workplace situations where an understanding of the security strategies and approaches relevant to the chapter content could play a role in fixing problems or in fending off potential difficulties. This gives readers a chance to see how specific security policies, guidelines, or practices should or may be applied to the workplace.

What’s Included With the Additional Study Tools

Readers of this book can get access to a number of additional study tools. We worked really hard to provide some essential tools to help you with your certification process. All of the following gear should be loaded on your workstation when studying for the test.

Readers can get access to the following tools by visiting www.sybex.com/go/cissp6e.

The Sybex Test Preparation Software

The test preparation software, made by experts at Sybex, prepares you for the CISSP exam. In this test engine, you will find all the review and assessment questions from the book plus additional bonus practice exams that are included with the study tools. You can take the assessment test, test yourself by chapter, take the practice exams, or take a randomly generated exam comprising all the questions.

Electronic Flashcards

Sybex’s electronic flashcards include hundreds of questions designed to challenge you further for the CISSP exam. Between the review questions, practice exams, and flashcards, you’ll have more than enough practice for the exam!

Glossary of Terms in PDF

Sybex offers a robust glossary of terms in PDF format. This comprehensive glossary includes all of the key terms you should understand for the CISSP, in a searchable format.

Bonus Practice Exams

Sybex includes bonus practice exams, each comprising questions meant to survey your understanding of key elements in the CISSP CBK. This book has three bonus exams, each comprised of 250 full-length questions.

How to Use This Book’s Study Tools

This book has a number of features designed to guide your study efforts for the CISSP certification exam. It assists you by listing at the beginning of each chapter the CISSP body of knowledge domain topics covered in the chapter and by ensuring that each topic is fully discussed within the chapter. The review questions at the end of each chapter and the practice exams are designed to test your retention of the material you’ve read to make sure you are aware of areas in which you should spend additional study time. Here are some suggestions for using this book and study tools (found at www.sybex.com/go/cissp6e):

Take the assessment test before you start reading the material. This will give you an idea of the areas in which you need to spend additional study time as well as those areas in which you may just need a brief refresher.

Answer the review questions after you’ve read each chapter; if you answer any incorrectly, go back to the chapter and review the topic, or utilize one of the additional resources if you need more information.

Download the flashcards to your mobile device, and review them when you have a few minutes during the day.

Take every opportunity to test yourself. In addition to the assessment test and review questions, there are bonus practice exams included with the additional study tools. Take these exams without referring to the chapters and see how well you’ve done—go back and review any topics you’ve missed until you fully understand and can apply the concepts.

Finally, find a study partner if possible. Studying for, and taking, the exam with someone else will make the process more enjoyable, and you’ll have someone to help you understand topics that are difficult for you. You’ll also be able to reinforce your own knowledge by helping your study partner in areas where they are weak.

Assessment Test

1. Which of the following types of access control seeks to discover evidence of unwanted, unauthorized, or illicit behavior or activity?

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!