
CISSP All-in-One Exam Guide, Eighth Edition, 8th Edition

Book Description

A new edition of Shon Harris’ bestselling exam prep guide—fully updated for the new CISSP 2018 Common Body of Knowledge

This effective self-study guide fully prepares you for the challenging CISSP exam and offers 100% coverage of all exam domains. This edition has been thoroughly revised to cover the new CISSP 2018 Common Body of Knowledge, hot-spot and drag-and-drop question formats, and more.

CISSP All-in-One Exam Guide, Eighth Edition features hands-on exercises as well as “Notes,” “Tips,” and “Cautions” that provide real-world insight and call out potentially harmful situations. Each chapter features learning objectives, exam tips, and practice questions with in-depth answer explanations. Beyond exam prep, the guide also serves as an ideal on-the-job reference for IT security professionals.

• Fully updated to cover 2018 exam objectives and question formats
• Digital content includes access to the Total Tester test engine with 1500 practice questions, and flashcards
• Serves as an essential on-the-job reference

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. About the Authors
  6. Contents at a Glance
  7. Contents
  8. In Memory of Shon Harris
  9. Foreword
  10. From the Author
  11. Acknowledgments
  12. Why Become a CISSP?
  13. Chapter 1 Security and Risk Management
    1. Fundamental Principles of Security
      1. Availability
      2. Integrity
      3. Confidentiality
      4. Balanced Security
    2. Security Definitions
    3. Control Types
    4. Security Frameworks
      1. ISO/IEC 27000 Series
      2. Enterprise Architecture Development
      3. Security Controls Development
      4. Process Management Development
      5. Functionality vs. Security
    5. The Crux of Computer Crime Laws
    6. Complexities in Cybercrime
      1. Electronic Assets
      2. The Evolution of Attacks
      3. International Issues
      4. Types of Legal Systems
    7. Intellectual Property Laws
      1. Trade Secret
      2. Copyright
      3. Trademark
      4. Patent
      5. Internal Protection of Intellectual Property
      6. Software Piracy
    8. Privacy
      1. The Increasing Need for Privacy Laws
      2. Laws, Directives, and Regulations
      3. Employee Privacy Issues
    9. Data Breaches
      1. U.S. Laws Pertaining to Data Breaches
      2. Other Nations’ Laws Pertaining to Data Breaches
    10. Policies, Standards, Baselines, Guidelines, and Procedures
      1. Security Policy
      2. Standards
      3. Baselines
      4. Guidelines
      5. Procedures
      6. Implementation
    11. Risk Management
      1. Holistic Risk Management
      2. Information Systems Risk Management Policy
      3. The Risk Management Team
      4. The Risk Management Process
    12. Threat Modeling
      1. Threat Modeling Concepts
      2. Threat Modeling Methodologies
    13. Risk Assessment and Analysis
      1. Risk Assessment Team
      2. The Value of Information and Assets
      3. Costs That Make Up the Value
      4. Identifying Vulnerabilities and Threats
      5. Methodologies for Risk Assessment
      6. Risk Analysis Approaches
      7. Qualitative Risk Analysis
      8. Protection Mechanisms
      9. Total Risk vs. Residual Risk
      10. Handling Risk
    14. Supply Chain Risk Management
      1. Upstream and Downstream Suppliers
      2. Service Level Agreements
    15. Risk Management Frameworks
      1. Categorize Information System
      2. Select Security Controls
      3. Implement Security Controls
      4. Assess Security Controls
      5. Authorize Information System
      6. Monitor Security Controls
    16. Business Continuity and Disaster Recovery
      1. Standards and Best Practices
      2. Making BCM Part of the Enterprise Security Program
      3. BCP Project Components
    17. Personnel Security
      1. Hiring Practices
      2. Onboarding
      3. Termination
      4. Security Awareness Training
      5. Degree or Certification?
    18. Security Governance
      1. Metrics
    19. Ethics
      1. The Computer Ethics Institute
      2. The Internet Architecture Board
      3. Corporate Ethics Programs
    20. Summary
    21. Quick Tips
      1. Questions
      2. Answers
  14. Chapter 2 Asset Security
    1. Information Life Cycle
      1. Acquisition
      2. Use
      3. Archival
      4. Disposal
    2. Classification
      1. Classification Levels
      2. Classification Controls
    3. Layers of Responsibility
      1. Executive Management
      2. Data Owner
      3. Data Custodian
      4. System Owner
      5. Security Administrator
      6. Supervisor
      7. Change Control Analyst
      8. Data Analyst
      9. User
      10. Auditor
      11. Why So Many Roles?
    4. Retention Policies
      1. Developing a Retention Policy
    5. Protecting Privacy
      1. Data Owners
      2. Data Processors
      3. Data Remanence
      4. Limits on Collection
    6. Protecting Assets
      1. Data Security Controls
      2. Media Controls
      3. Protecting Mobile Devices
      4. Paper Records
      5. Safes
      6. Selecting Standards
    7. Data Leakage
      1. Data Leak Prevention
    8. Summary
    9. Quick Tips
      1. Questions
      2. Answers
  15. Chapter 3 Security Architecture and Engineering
    1. System Architecture
    2. Computer Architecture
      1. The Central Processing Unit
      2. Multiprocessing
      3. Memory Types
    3. Operating Systems
      1. Process Management
      2. Memory Management
      3. Input/Output Device Management
      4. CPU Architecture Integration
      5. Operating System Architectures
      6. Virtual Machines
    4. System Security Architecture
      1. Security Policy
      2. Security Architecture Requirements
    5. Security Models
      1. Bell-LaPadula Model
      2. Biba Model
      3. Clark-Wilson Model
      4. Noninterference Model
      5. Brewer and Nash Model
      6. Graham-Denning Model
      7. Harrison-Ruzzo-Ullman Model
    6. Systems Evaluation
      1. Common Criteria
      2. Why Put a Product Through Evaluation?
    7. Certification vs. Accreditation
      1. Certification
      2. Accreditation
    8. Open vs. Closed Systems
      1. Open Systems
      2. Closed Systems
    9. Systems Security
      1. Client-Based Systems
      2. Client-Server Systems
      3. Distributed Systems
      4. Cloud Computing
      5. Parallel Computing
      6. Database Systems
      7. Web-Based Systems
      8. Mobile Systems
      9. Cyber-Physical Systems
    10. A Few Threats to Review
      1. Maintenance Hooks
      2. Time-of-Check/Time-of-Use Attacks
    11. Cryptography in Context
      1. The History of Cryptography
    12. Cryptography Definitions and Concepts
      1. Kerckhoffs’ Principle
      2. The Strength of the Cryptosystem
      3. One-Time Pad
      4. Running and Concealment Ciphers
      5. Steganography
    13. Types of Ciphers
      1. Substitution Ciphers
      2. Transposition Ciphers
    14. Methods of Encryption
      1. Symmetric vs. Asymmetric Algorithms
      2. Symmetric Cryptography
      3. Block and Stream Ciphers
      4. Hybrid Encryption Methods
    15. Types of Symmetric Systems
      1. Data Encryption Standard
      2. Triple-DES
      3. Advanced Encryption Standard
      4. International Data Encryption Algorithm
      5. Blowfish
      6. RC4
      7. RC5
      8. RC6
    16. Types of Asymmetric Systems
      1. Diffie-Hellman Algorithm
      2. RSA
      3. El Gamal
      4. Elliptic Curve Cryptosystems
      5. Knapsack
      6. Zero Knowledge Proof
    17. Message Integrity
      1. The One-Way Hash
      2. Various Hashing Algorithms
      3. MD4
      4. MD5
      5. SHA
      6. Attacks Against One-Way Hash Functions
    18. Public Key Infrastructure
      1. Certificate Authorities
      2. Certificates
      3. The Registration Authority
      4. PKI Steps
    19. Applying Cryptography
      1. Services of Cryptosystems
      2. Digital Signatures
      3. Digital Signature Standard
      4. Key Management
      5. Trusted Platform Module
      6. Digital Rights Management
    20. Attacks on Cryptography
      1. Ciphertext-Only Attacks
      2. Known-Plaintext Attacks
      3. Chosen-Plaintext Attacks
      4. Chosen-Ciphertext Attacks
      5. Differential Cryptanalysis
      6. Linear Cryptanalysis
      7. Side-Channel Attacks
      8. Replay Attacks
      9. Algebraic Attacks
      10. Analytic Attacks
      11. Statistical Attacks
      12. Social Engineering Attacks
      13. Meet-in-the-Middle Attacks
    21. Site and Facility Security
    22. The Site Planning Process
      1. Crime Prevention Through Environmental Design
      2. Designing a Physical Security Program
    23. Internal Support Systems
      1. Electric Power
      2. Environmental Issues
      3. Fire Prevention, Detection, and Suppression
    24. Summary
    25. Quick Tips
      1. Questions
      2. Answers
  16. Chapter 4 Communication and Network Security
    1. Principles of Network Architectures
    2. Open Systems Interconnection Reference Model
      1. Protocol
      2. Application Layer
      3. Presentation Layer
      4. Session Layer
      5. Transport Layer
      6. Network Layer
      7. Data Link Layer
      8. Physical Layer
      9. Functions and Protocols in the OSI Model
      10. Tying the Layers Together
      11. Multilayer Protocols
    3. TCP/IP Model
      1. TCP
      2. IP Addressing
      3. IPv6
      4. Layer 2 Security Standards
      5. Converged Protocols
    4. Transmission Media
      1. Types of Transmission
      2. Cabling
    5. Wireless Networks
      1. Wireless Communications Techniques
      2. WLAN Components
      3. Evolution of WLAN Security
      4. Wireless Standards
      5. Best Practices for Securing WLANs
      6. Satellites
      7. Mobile Wireless Communication
    6. Networking Foundations
      1. Network Topology
      2. Media Access Technologies
      3. Transmission Methods
    7. Network Protocols and Services
      1. Address Resolution Protocol
      2. Dynamic Host Configuration Protocol
      3. Internet Control Message Protocol
      4. Simple Network Management Protocol
      5. Domain Name Service
      6. E-mail Services
      7. Network Address Translation
      8. Routing Protocols
    8. Network Components
      1. Repeaters
      2. Bridges
      3. Routers
      4. Switches
      5. Gateways
      6. PBXs
      7. Firewalls
      8. Proxy Servers
      9. Unified Threat Management
      10. Content Distribution Networks
      11. Software Defined Networking
      12. Endpoints
      13. Honeypot
      14. Network Access Control
      15. Virtualized Networks
    9. Intranets and Extranets
    10. Metropolitan Area Networks
      1. Metro Ethernet
    11. Wide Area Networks
      1. Telecommunications Evolution
      2. Dedicated Links
      3. WAN Technologies
    12. Communications Channels
      1. Multiservice Access Technologies
      2. H.323 Gateways
      3. Digging Deeper into SIP
      4. IP Telephony Issues
    13. Remote Access
      1. Dial-up Connections
      2. ISDN
      3. DSL
      4. Cable Modems
      5. VPN
      6. Authentication Protocols
    14. Network Encryption
      1. Link Encryption vs. End-to-End Encryption
      2. E-mail Encryption Standards
      3. Internet Security
    15. Network Attacks
      1. Denial of Service
      2. Sniffing
      3. DNS Hijacking
      4. Drive-by Download
    16. Summary
    17. Quick Tips
      1. Questions
      2. Answers
  17. Chapter 5 Identity and Access Management
    1. Access Controls Overview
    2. Security Principles
      1. Availability
      2. Integrity
      3. Confidentiality
    3. Identification, Authentication, Authorization, and Accountability
      1. Identification and Authentication
      2. Authentication Methods
      3. Authorization
      4. Accountability
      5. Session Management
      6. Federation
    4. Integrating Identity as a Service
      1. On-premise
      2. Cloud
      3. Integration Issues
    5. Access Control Mechanisms
      1. Discretionary Access Control
      2. Mandatory Access Control
      3. Role-Based Access Control
      4. Rule-Based Access Control
      5. Attribute-Based Access Control
    6. Access Control Techniques and Technologies
      1. Constrained User Interfaces
      2. Remote Access Control Technologies
      3. Access Control Matrix
      4. Content-Dependent Access Control
      5. Context-Dependent Access Control
    7. Managing the Identity and Access Provisioning Life Cycle
      1. Provisioning
      2. User Access Review
      3. System Account Access Review
      4. Deprovisioning
    8. Controlling Physical and Logical Access
      1. Access Control Layers
      2. Administrative Controls
      3. Physical Controls
      4. Technical Controls
    9. Access Control Practices
      1. Unauthorized Disclosure of Information
    10. Access Control Monitoring
      1. Intrusion Detection Systems
      2. Intrusion Prevention Systems
    11. Threats to Access Control
      1. Dictionary Attack
      2. Brute-Force Attacks
      3. Spoofing at Logon
      4. Phishing and Pharming
    12. Summary
    13. Quick Tips
      1. Questions
      2. Answers
  18. Chapter 6 Security Assessment and Testing
    1. Assessment, Test, and Audit Strategies
      1. Internal Audits
      2. External Audits
      3. Third-Party Audits
      4. Test Coverage
    2. Auditing Technical Controls
      1. Vulnerability Testing
      2. Penetration Testing
      3. War Dialing
      4. Other Vulnerability Types
      5. Postmortem
      6. Log Reviews
      7. Synthetic Transactions
      8. Misuse Case Testing
      9. Code Reviews
      10. Code Testing
      11. Interface Testing
    3. Auditing Administrative Controls
      1. Account Management
      2. Backup Verification
      3. Disaster Recovery and Business Continuity
      4. Security Training and Security Awareness Training
      5. Key Performance and Risk Indicators
    4. Reporting
      1. Analyzing Results
      2. Writing Technical Reports
      3. Executive Summaries
    5. Management Review and Approval
      1. Before the Management Review
      2. Reviewing Inputs
      3. Management Approval
    6. Summary
    7. Quick Tips
      1. Questions
      2. Answers
  19. Chapter 7 Security Operations
    1. The Role of the Operations Department
    2. Administrative Management
      1. Security and Network Personnel
      2. Accountability
      3. Clipping Levels
    3. Physical Security
      1. Facility Access Control
      2. Personnel Access Controls
      3. External Boundary Protection Mechanisms
      4. Intrusion Detection Systems
      5. Patrol Force and Guards
      6. Dogs
      7. Auditing Physical Access
      8. Internal Security Controls
    4. Secure Resource Provisioning
      1. Asset Inventory
      2. Asset Management
      3. Configuration Management
      4. Trusted Recovery
      5. Input and Output Controls
      6. System Hardening
      7. Remote Access Security
      8. Provisioning Cloud Assets
    5. Network and Resource Availability
      1. Mean Time Between Failures
      2. Mean Time to Repair
      3. Single Points of Failure
      4. Backups
      5. Contingency Planning
    6. Preventing and Detecting
      1. Continuous Monitoring
      2. Firewalls
      3. Intrusion Detection and Prevention Systems
      4. Whitelisting and Blacklisting
      5. Antimalware
      6. Vulnerability Management
      7. Patch Management
      8. Sandboxing
      9. Honeypots and Honeynets
      10. Egress Monitoring
      11. Security Information and Event Management
      12. Outsourced Services
    7. The Incident Management Process
      1. Detection
      2. Response
      3. Mitigation
      4. Reporting
      5. Recovery
      6. Remediation
    8. Investigations
      1. Computer Forensics and Proper Collection of Evidence
      2. Motive, Opportunity, and Means
      3. Computer Criminal Behavior
      4. Incident Investigators
      5. Types of Investigations
      6. The Forensic Investigation Process
      7. What Is Admissible in Court?
      8. Surveillance, Search, and Seizure
    9. Disaster Recovery
      1. Business Process Recovery
      2. Recovery Site Strategies
      3. Supply and Technology Recovery
      4. Backup Storage Strategies
      5. End-User Environment
      6. Availability
    10. Liability and Its Ramifications
      1. Liability Scenarios
      2. Third-Party Risk
      3. Contractual Agreements
      4. Procurement and Vendor Processes
    11. Insurance
    12. Implementing Disaster Recovery
      1. Personnel
      2. Assessment
      3. Restoration
      4. Communications
      5. Training
    13. Personal Safety Concerns
      1. Emergency Management
      2. Duress
      3. Travel
      4. Training
    14. Summary
    15. Quick Tips
      1. Questions
      2. Answers
  20. Chapter 8 Software Development Security
    1. Building Good Code
      1. Where Do We Place Security?
      2. Different Environments Demand Different Security
      3. Environment vs. Application
      4. Functionality vs. Security
      5. Implementation and Default Issues
    2. Software Development Life Cycle
      1. Project Management
      2. Requirements Gathering Phase
      3. Design Phase
      4. Development Phase
      5. Testing Phase
      6. Operations and Maintenance Phase
    3. Software Development Methodologies
      1. Waterfall Methodology
      2. V-Shaped Methodology
      3. Prototyping
      4. Incremental Methodology
      5. Spiral Methodology
      6. Rapid Application Development
      7. Agile Methodologies
      8. Integrated Product Team
      9. DevOps
    4. Capability Maturity Model Integration
    5. Change Management
      1. Change Control
    6. Security of Development Environments
      1. Security of Development Platforms
      2. Security of Code Repositories
      3. Software Configuration Management
    7. Secure Coding
      1. Source Code Vulnerabilities
      2. Secure Coding Practices
    8. Programming Languages and Concepts
      1. Assemblers, Compilers, Interpreters
      2. Object-Oriented Concepts
      3. Other Software Development Concepts
      4. Application Programming Interfaces
    9. Distributed Computing
      1. Distributed Computing Environment
      2. CORBA and ORBs
      3. COM and DCOM
      4. Java Platform, Enterprise Edition
      5. Service-Oriented Architecture
    10. Mobile Code
      1. Java Applets
      2. ActiveX Controls
    11. Web Security
      1. Specific Threats for Web Environments
      2. Web Application Security Principles
    12. Database Management
      1. Database Management Software
      2. Database Models
      3. Database Programming Interfaces
      4. Relational Database Components
      5. Integrity
      6. Database Security Issues
      7. Data Warehousing and Data Mining
    13. Malicious Software (Malware)
      1. Viruses
      2. Worms
      3. Rootkit
      4. Spyware and Adware
      5. Botnets
      6. Logic Bombs
      7. Trojan Horses
      8. Antimalware Software
      9. Spam Detection
      10. Antimalware Programs
    14. Assessing the Security of Acquired Software
    15. Summary
    16. Quick Tips
      1. Questions
      2. Answers
  21. Appendix A Comprehensive Questions
    1. Answers
  22. Appendix B About the Online Content
    1. System Requirements
    2. Your Total Seminars Training Hub Account
      1. Single User License Terms and Conditions
    3. TotalTester Online
    4. Hotspot and Drag-and-Drop Questions
    5. Online Flash Cards
      1. Single User License Terms and Conditions
      2. Technical Support
  23. Glossary
  24. Index