O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

CISSP Training Kit

Book Description

Your 2-in-1 Self-Paced Training Kit

EXAM PREP GUIDE

Ace your preparation for Certified Information Systems Security Professional (CISSP) Exam. Work at your own pace through a series of lessons and reviews that fully cover each exam objective. Then, reinforce what you’ve learned by applying your knowledge to real-world case scenarios and practice exercises. This guide is designed to help make the most of your study time.

Maximize your performance on the exam in these 10 domains:

  • Information Security Governance and Risk Management

  • Access Control

  • Cryptography

  • Physical (Environmental) Security

  • Security Architecture and Design

  • Legal, Regulations, Investigations and Compliance

  • Telecommunications and Network Security

  • Business Continuity and Disaster Recovery Planning

  • Software Development Security

  • Operations Security

  • PRACTICE TESTS

    Assess your skills with practice tests on CD. You can work through hundreds of questions using multiple testing modes to meet your specific learning needs. You get detailed explanations for right and wrong answers—including a customized learning path that describes how and where to focus your studies.

    For customers who purchase an ebook version of this title, instructions for downloading the CD files can be found in the ebook.

    Table of Contents

    1. CISSP Training Kit
    2. Dedication
    3. A Note Regarding Supplemental Files
    4. Introduction
      1. Preparing for the exam
      2. Signing up for the exam
      3. The exam itself
      4. Seeing the big picture of CISSP
      5. The day of the exam
      6. After completing the exam
      7. Using the companion CD
        1. How to use the practice tests
        2. How to uninstall the practice tests
      8. Acknowledgments
      9. Support and feedback
        1. Errata
        2. We want to hear from you
        3. Stay in touch
    5. 1. Information security governance and risk management
      1. Where do information security and risk management begin?
      2. Security objectives and controls
        1. Understanding risk modeling
        2. Understanding countermeasures and controls
        3. Reducing the risk of litigation
      3. Policies and frameworks
        1. Policy documents
          1. Sources
          2. Ethical standards
          3. Certification and accreditation
          4. Awareness
          5. Revisions, updates, and change control
      4. Risk assessment and management
        1. Starting the risk management project
        2. Performing the risk assessment
          1. Inventory the assets
          2. Assign a value to each asset
          3. Classify assets
          4. Identify threats
          5. Calculate the annualized loss expectancy
          6. Identify cost-effective countermeasures
          7. The four methods of managing risk
          8. Manage speculation and uncertainty
          9. Complete the assessment
          10. Implement the security program
      5. Implementing the security program
        1. Understanding the new organization chart
        2. Understanding the information life cycle
        3. Classifying data
          1. Assign roles and responsibilities
          2. Define classification categories
          3. Define category criteria
          4. Define required protective controls for each category
          5. Inventory the information assets (data elements)
          6. Assign a value to each asset
          7. Reappraise and adjust the classification of information assets
          8. Provide security awareness training for all employees and applicable third parties
          9. Assign enforcement responsibilities
        4. Implementing hiring practices
        5. Implementing termination practices
        6. Providing security awareness training
        7. Managing third-party service providers
        8. Monitoring and auditing
      6. Exercises
        1. Exercise 1-1
        2. Exercise 1-2
      7. Chapter summary
      8. Chapter review
      9. Answers
        1. Exercise 1-1
        2. Exercise 1-2
        3. Chapter review
    6. 2. Access control
      1. Trusted path
      2. Choices, choices, choices
        1. Types of access controls
        2. The provisioning life cycle
        3. Managing fraud
      3. Authentication, authorization, and auditing
        1. Identity management
        2. Authentication
          1. Something you know
          2. Resetting passwords
          3. Attacks on passwords
            1. The Brute Force Attack
            2. The Dictionary Attack
            3. The Hybrid Attack
            4. The Rainbow Attack
            5. The Replay Attack
            6. Social Engineering
          4. Something you have
          5. Drawbacks of authentication devices (something you have)
          6. Something you are
            1. Enrollment
            2. Errors in the Biometric Systems
            3. Finding a Matching Record
            4. Drawbacks of Biometric Authentication (Something You Are)
          7. Multi-factor authentication
          8. Mutual authentication
            1. The Zero Knowledge Proof
          9. Single sign on
          10. Kerberos
            1. Weaknesses With Kerberos
          11. Directory services
          12. Secure European System for Applications in a Multivendor Environment (SESAME)
          13. Web-based authentication
        3. Authorization
          1. The authorization life cycle
          2. Mandatory access control
          3. Discretionary access control
          4. Role-based access control
          5. Rule-based access control
          6. Decentralized access control
          7. Centralized access control
          8. Hybrid access control
          9. Centralized access control technologies
            1. RADIUS
            2. TACACS
            3. Diameter
          10. Other types of access controls
            1. The Constrained Interface
            2. The Hardware Guard
            3. The Software Guard
            4. Temporal Access Controls
        4. Auditing
          1. Intrusion detection systems and intrusion prevention systems
          2. The honeypot, the honeynet, and the padded cell
      4. Exercises
        1. Exercise 2-1
        2. Exercise 2-2
      5. Chapter summary
      6. Chapter review
      7. Answers
        1. Exercise 2-1
        2. Exercise 2-2
        3. Chapter review
    7. 3. Cryptography
      1. What is cryptography?
      2. The basics of cryptography
        1. Cryptanalysis
        2. The strength of a cryptosystem—its work factor
      3. Historical review of cryptography
        1. Hieroglyphics: 3000 BC
        2. The Atbash cipher: 500 BC
        3. The Scytale cipher: 400 BC
        4. The Caesar or Shift cipher: 100 BC
        5. Cryptanalysis: AD 800
        6. The Vigenere cipher: AD 1586
        7. The Jefferson disk: AD 1795
        8. The Vernam cipher/the one-time pad: AD 1917
        9. The Enigma machine: AD 1942
        10. Hashing algorithms: AD 1953
        11. The Data Encryption Algorithm (DEA) and the Data Encryption Standard (DES): AD 1976
        12. Diffie-Hellman (or Diffie-Hellman-Merkle): AD 1976
        13. RC4: AD 1987
        14. Triple DES (3DES): AD 1999
        15. The Rijndael algorithm and the Advanced Encryption Standard (AES): AD 2002
        16. Other points of interest
      4. Cryptographic keys
        1. Key creation
        2. Key length
        3. Key distribution
        4. Secure key storage
        5. Quantities of keys
        6. Key escrow (archival) and recovery
        7. Key lifetime or the cryptoperiod
        8. Initialization vectors
      5. Hashing algorithm/message digest
        1. Attacks on hashing algorithms
      6. Strong cryptography
      7. Symmetric key algorithms and cryptosystems
        1. Symmetric keystream ciphers
          1. RC4
        2. Symmetric key block ciphers
          1. Data Encryption Algorithm (DEA) and Data Encryption Standard (DES)
          2. Double DES (2DES)
          3. Triple DES (TDES or 3DES)
          4. Advanced Encryption Standard (AES)
          5. International Data Encryption Algorithm (IDEA)
          6. Rivest Cipher 5 (RC5) and RC6
          7. Blowfish and Twofish
        3. Modes of symmetric key block ciphers
          1. Electronic Code Book (ECB)
          2. Cipher block chaining (CBC)
          3. Output Feedback mode (OFB)
          4. Cipher Feedback mode (CFB)
          5. Counter mode (CTR)
        4. Signing and sealing using symmetric key algorithms
          1. Signing by using symmetric key algorithms
            1. MAC Versus Digital Signature
            2. Hashed Message Authentication Code (HMAC)
            3. Cipher Block Chaining Message Authentication Code (CBC-MAC)
            4. Cipher-Based Message Authentication Code (CMAC)
          2. Sealing by using symmetric key algorithms
        5. Weaknesses in symmetric key algorithms
      8. Asymmetric key algorithms and cryptosystems
        1. Signing by using asymmetric key algorithms in a hybrid cryptosystem
        2. Sealing by using asymmetric key algorithms in a hybrid cryptosystem
        3. Sending to multiple recipients when sealing
        4. Signing and sealing messages
        5. Asymmetric key algorithms
          1. Diffie-Hellman-Merkle (or just Diffie-Hellman)
          2. RSA
          3. Elliptic Curve Cryptography (ECC)
          4. ElGamal
          5. Digital Signature Standard (DSS)
          6. LUC
          7. XTR
          8. Knapsack
      9. Cryptography in use
        1. Link encryption
        2. End-to-end encryption
        3. Public key infrastructure
          1. The certification authority (CA)
          2. The registration authority (RA)
          3. Trusting a certification authority or PKI
          4. The X.509 digital certificate
          5. The certificate repository
          6. Certificate revocation
        4. Pretty Good Privacy (PGP)
        5. Secure channels for LAN-based applications
          1. Secure shell (SSH)
          2. Point-to-Point Tunneling Protocol (PPTP)
          3. Internet Protocol Security (IPsec)
            1. Internet Key Exchange (IKE)
            2. Authentication Header (AH)
            3. Encapsulating Security Payload (ESP)
            4. Transport Mode
            5. Tunnel Mode
          4. Layer Two Tunneling Protocol (L2TP)
          5. Secure Socket Tunneling Protocol (SSTP)
        6. Secure channels for web-based applications
          1. Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
          2. Hypertext Transfer Protocol over SSL/TLS (HTTPS)
          3. Secure Hypertext Transfer Protocol (S-HTTP)
          4. Secure File Transfer Protocol (SFTP) and FTP over SSL (FTPS)
          5. Secure Electronic Transaction (SET)
          6. Secure Multipurpose Internet Message Extensions (S/MIME)
        7. Steganography
          1. Watermarks
      10. Attacks on cryptography
        1. Ciphertext-only attack
        2. Known plaintext attack
        3. Chosen plaintext attack
        4. Chosen ciphertext attack
        5. Adaptive attacks
      11. Exercises
        1. Exercise 3-1
        2. Exercise 3-2
      12. Chapter summary
      13. Chapter review
      14. Answers
        1. Exercise 3-1
        2. Exercise 3-2
        3. Chapter review
    8. 4. Physical (environmental) security
      1. Physical security in a layered defense model
      2. Planning the design of a secure facility
        1. First line of defense
        2. Threats to physical security
        3. Liability of physical design
      3. Designing a physical security program
        1. Crime prevention through environmental design
          1. Physical controls
            1. Building Materials
            2. Security Zones
            3. Data Center Location
        2. Target hardening
          1. Full wall versus partition
          2. Window design
          3. Doors
          4. Locks
          5. Key management
          6. Fences
          7. Emanations protection
            1. Wireless Communications
            2. CABLES
            3. Tempest
            4. Faraday Cage
            5. White Noise
          8. Security guards: Advantages and disadvantages
          9. Guard dogs
          10. Piggybacking or tailgating
          11. Physical access controls
          12. Fail safe and fail secure
          13. Signage
          14. Lighting
          15. CCTV cameras
            1. Field of View and Focal Lengths
            2. Depth of Field and Irises
            3. Camera Mounting
            4. Monitoring Station
        3. Securing portable devices
          1. Cable locks
          2. Password policy
          3. Disk encryption
          4. Asset tracking
          5. Wiping the disk
          6. Suggested target-hardening procedures
        4. Intrusion detection
          1. Acoustic sensors
          2. Photoelectric sensors
          3. Proximity detectors
          4. Pressure mats
          5. Contact switches
        5. Heating, ventilation, and air conditioning systems
          1. Temperature and humidity considerations
        6. Failure recovery
          1. Service-level agreements
          2. Secondary power supplies
          3. Electricity considerations
          4. Water detectors
        7. Periodic walkthroughs and inspections
        8. Auditing and logging
      4. Fire prevention, detection, and suppression
        1. Four legs of a fire
        2. Fire detection
          1. Fire detectors
        3. Five classes of fires
        4. Sprinkler systems
          1. Wet pipe sprinkler systems
          2. Dry pipe sprinkler systems
          3. Pre-action sprinkler systems
          4. Deluge sprinkler systems
        5. Fire suppression agents
          1. Gases
            1. Halon Gases and Their Alternatives
            2. CO2
            3. Countdown Timers
          2. Dry chemicals
        6. Fire extinguishers
          1. Fire extinguisher ratings
          2. Fire extinguisher suppressants
          3. Fire extinguisher status/inspection
        7. Fire plan and drill
          1. Roles and responsibilities
          2. Evacuation routes
          3. Training and awareness
      5. Exercises
        1. Exercise 4-1
        2. Exercise 4-2
        3. Exercise 4-3
        4. Exercise 4-4
        5. Exercise 4-5
      6. Chapter summary
      7. Chapter review
      8. Answers
        1. Exercise 4-1
        2. Exercise 4-2
        3. Exercise 4-3
        4. Exercise 4-4
        5. Exercise 4-5
        6. Chapter review
    9. 5. Security architecture and design
      1. Identifying architectural boundaries
      2. Computer hardware and operating systems
        1. Computer hardware
          1. The central processing unit (CPU)
            1. CISC and RISC CPU Chips
            2. Uni-Processing Systems and Multiprocessing Systems
            3. Scalar, Superscalar, and Pipelined Processors
          2. Memory
          3. The address bus and the data bus
          4. Peripherals
          5. Security opportunities within the computer hardware
        2. The operating system
          1. Multiprogramming
          2. Multitasking
          3. Multithreading
          4. Processes
          5. The buffer overflow attack
          6. The memory manager
            1. Logical Memory Addressing
            2. Virtual Memory
            3. Shared Content in Memory
          7. The mandatory access control (MAC) model and security modes
            1. Dedicated Security Mode
            2. System High Security Mode
            3. Compartmented Security Mode
            4. Multi-Level Security Mode
      3. Application architecture
        1. Service-oriented architecture
          1. Distributed systems
          2. Peer-to-peer networks
          3. Virtualization
          4. Cloud computing
          5. Grid computing
      4. Frameworks for security
        1. International Organization for Standardization (ISO) 27000 series
        2. The Zachman Framework for enterprise architecture
        3. The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
        4. Control Objectives for Information and Related Technology (COBIT)
        5. Information Technology Infrastructure Library (ITIL)
        6. Generally Accepted Information Security Principles (GAISP)
        7. National Institute of Standards and Technology (NIST) Special Publication 800 (SP 800) series
        8. Security models
          1. State machine model
          2. Information flow model
          3. Noninterference model
          4. Bell-LaPadula model
          5. Biba model
          6. Clark-Wilson model
          7. Brewer-Nash model
        9. Certification and accreditation (C&A)
          1. Trusted Computing System Evaluation Criteria (TCSEC)
          2. Information Technology Security Evaluation Criteria (ITSEC)
          3. Common Criteria
        10. Legal and regulatory compliance
          1. Payment Card Industry-Data Security Standard (PCI-DSS)
          2. Sarbanes-Oxley Act of 2002 (SOX)
          3. Gramm Leach Bliley Act of 1999 (GLBA)
          4. Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA)
      5. Exercises
        1. Exercise 5-1
        2. Exercise 5-2
      6. Chapter summary
      7. Chapter review
      8. Answers
        1. Exercise 5-1
        2. Exercise 5-2
        3. Chapter review
    10. 6. Legal, regulations, investigations, and compliance
      1. Computer crimes
        1. Is it a crime?
      2. A global perspective of laws regarding computer crime
        1. The codified law system
        2. The common law system
          1. Criminal law
          2. Administrative law or regulatory law
          3. Civil law
        3. The customary law system
          1. The religious law system
          2. Hybrid law systems
        4. The difference between laws and regulations
        5. Protecting intellectual property
          1. Patents
          2. Copyrights
          3. Trademarks
          4. Trade secrets
        6. Protecting privacy
          1. The EU Data Protection Directive
          2. US privacy laws and regulations
          3. Industry regulations that protect privacy
        7. Auditing for compliance
          1. Employee privacy issues
          2. Trans-border information flow
        8. Litigation
        9. Governance of third parties
        10. Software licensing
        11. Investigating computer crime
        12. When to notify law enforcement
        13. Incident response
          1. CSIRT
          2. The CSIRT plan
            1. Monitor
            2. Detection
            3. Notification
            4. Triage
            5. Investigation
            6. Containment
            7. Analysis
            8. Tracking
            9. Recovery
            10. Reporting
            11. Prevention
        14. Evidence
          1. Evidence life cycle
          2. Admissibility of evidence
          3. Types of evidence
        15. Forensic investigations
          1. Forensic analysis
          2. Preparing clone disks
          3. Analyzing the content on the clone disk
            1. Free Space and Slack Space
            2. Hidden Content
            3. Other Content for Analysis
      3. Exercises
        1. Exercise 6-1
        2. Exercise 6-2
      4. Chapter summary
      5. Chapter review
      6. Answers
        1. Exercise 6-1
        2. Exercise 6-2
        3. Chapter review
    11. 7. Telecommunications and network security
      1. The Open Systems Interconnection (OSI) Model
        1. The seven layers of the OSI Model
          1. Layer 7: The Application layer
          2. Layer 6: The Presentation layer
          3. Layer 5: The Session layer
          4. Layer 4: The Transport layer
            1. TCP and UDP
            2. The TCP Three-Way-Handshake
            3. Ports and Sockets
          5. Layer 3: The Network layer
            1. Internet Protocol Version 4
            2. Internet Protocol Version 6
            3. Name Resolution to Get the Destination IP Address
            4. The Routing Decision
            5. Routing
          6. Layer 2: The Data Link layer
            1. The Institute for Electrical and Electronics Engineers (IEEE) 802 Specifications
          7. Layer 1: The Physical layer
          8. The TCP/IP model
      2. Transmission media and technologies
        1. Media types
          1. Emanations
          2. Signal degradation
          3. Cables
            1. Coax
            2. Twisted-Pair Cables—UTP and STP
            3. Fiber Optic Cables
            4. Wireless Networking
        2. Encoding data into signals
          1. Analog encoding
          2. Digital encoding
            1. Synchronous and Asynchronous Signaling
        3. Networking topologies
          1. Circuit-switched versus packet-switched networks
          2. Multiplexing
          3. Whose network is it, anyhow?
          4. Packet transmission modes
        4. Media access methods
      3. Network devices
        1. Devices within the OSI Model
          1. Layer 1 devices
          2. Layer 2 devices
          3. Layer 3 devices
          4. Layer 7 devices
        2. Mainframe computers
        3. Client/endpoint systems
        4. Remote access by client/endpoint systems
        5. Bastion hosts/hardened systems
        6. Firewalls
          1. Generation 1 firewall: Packet filter
          2. Generation 2 firewall: Proxy server
          3. Generation 3 firewall: Stateful inspection
          4. Generation 4 firewall: Dynamic packet filtering
          5. Generation 5 firewall: Kernel proxy
        7. Firewalls in use
          1. Ingress and egress filters
        8. Network address translation
        9. Name resolution
        10. Dynamic Host Configuration Protocol
        11. The virtual private network server
      4. Protocols, protocols, and more protocols
        1. Internet Protocol version 4
        2. Internet Protocol version 6
        3. The TCP/IP Protocol suite
        4. Commonly used protocols
        5. Routing protocols
        6. Virtual private network protocols
        7. Authentication protocols
      5. PAN, LAN, MAN, WAN, and more
        1. Personal area networks
        2. Local area networks
        3. Metropolitan area networks
        4. Wide area networks
        5. Private Branch Exchange (PBX)
        6. Voice over Internet Protocol
      6. Wireless networking
          1. Wireless networking basics
            1. Frequency Hopping Spread Spectrum
            2. Direct Sequence Spread Spectrum
            3. Roaming
          2. Wireless security
          3. WEP, WPA, and WPA2
          4. 802.11n and 802.11ac: multiple input, multiple output
          5. Worldwide Interoperability for Microwave Access
          6. Cellular networking
      7. Attacking the network
        1. Types of attacks
          1. Denial of service attack
          2. Distributed denial of service attack
          3. Information theft
          4. Attacks on wireless networks
          5. Attacks on phone systems and cell phones
            1. Telephone Slamming
      8. Exercises
        1. Exercise 7-1
        2. Exercise 7-2
        3. Exercise 7-3
      9. Chapter summary
      10. Chapter review
      11. Answers
        1. Exercise 7-1
        2. Exercise 7-2
        3. Exercise 7-3
        4. Chapter review
    12. 8. Business continuity and disaster recovery planning
      1. Disaster recovery plan and the business continuity plan
        1. The disaster recovery plan
        2. The business continuity plan
        3. Stages of the planning process
          1. Defining need for DRP and BCP in the enterprise framework
          2. Define the planning project leader
          3. Define the scope of the planning project
          4. Define the DRP and BCP planning team
          5. Define the DRP and BCP planning budget and schedule
          6. Perform the business impact analysis
            1. Identifying Business and Dependency Functions and Support
            2. Determine MTD for Each Business Function
            3. Perform Vulnerability, Threat, and Risk Analysis for Functions and Support
      2. Develop the plans: Proposals
        1. Identify preventive controls
        2. Develop disaster recovery plans and strategy
          1. Alternative procedures
          2. Compliance
          3. Increased operating costs
          4. Recovery of the workspace
          5. Get it settled now
          6. Location of secondary facilities
          7. Parallel processing facilities
          8. Collocation of processes
          9. Alternate (owned) sites
          10. Subscription services: Leased sites, hot, warm, and cold
            1. Hot Sites
            2. Warm Sites
            3. Cold Sites
          11. Tertiary sites
          12. Rolling hot sites
          13. Reciprocal agreements
          14. Recovery of supply systems
            1. Heating, Ventilation, and Air Conditioning
            2. Electricity
            3. Deliveries Inbound and Outbound
          15. Recovery of technologies
            1. Documentation
            2. Deliveries or In-House Inventory
            3. Redundancy and Fault Tolerance
            4. Compatibility
            5. Communications
          16. Security standards
          17. Recovery of data
            1. Recovery Point Objective (RPO)
            2. Recovery Time Objective
            3. Storage Location
            4. Security Requirements
            5. Disk Mirroring and Database Mirroring
            6. Disk Shadowing and Database Shadowing
            7. Transaction Journaling
          18. Backup strategies and storage
            1. The Full Backup
            2. The Incremental Backup
            3. The Differential Backup
            4. Electronic Vaulting
            5. Tape Vaulting
            6. Collocation of Data
            7. Practice Restores of the Data
          19. Recovery of people and critical personnel
        3. Developing the BCP (reconstitution guidelines)
        4. Presentation to senior management
      3. Implementing the approved plans
        1. Components of the plans
          1. Overview
          2. Roles and responsibilities
          3. Activation of the disaster recovery procedures
          4. Recovery plans for the critical business functions
          5. Business continuity guidelines
          6. Finishing touches
            1. Plans for Testing the Plans
            2. Maintaining the Plans
            3. Training
          7. Appendices
        2. Share the accomplishment with the world?
      4. Exercises
        1. Exercise 8-1
        2. Exercise 8-2
      5. Chapter summary
      6. Chapter review
      7. Answers
        1. Exercise 8-1
        2. Exercise 8-2
        3. Chapter review
    13. 9. Software development security
      1. The need for improved security in software
      2. Maturity models
        1. The software development life cycle
        2. Project initiation
        3. Functional design
        4. System design
        5. Software development
        6. Installation and testing
        7. Operation and maintenance
          1. Regression testing
          2. Change management
          3. Configuration management
        8. Disposal and end of life
        9. Separation of duties
        10. Software Capability Maturity Model Integration
          1. Initial level
          2. Managed level
          3. Defined level
          4. Quantitatively managed level
          5. Optimized level
        11. The IDEAL model
        12. Software development models
            1. Waterfall Model
            2. Spiral Model
            3. Rapid Application Development Model
            4. Cleanroom Model
        13. Computer-aided software engineering tools
        14. Software testing
        15. Software updating
        16. Logging requirements
        17. The software escrow
      3. Programming concepts
        1. The generations of programming languages
        2. Object-oriented programming
        3. Distributed computing
          1. Processes sharing data on a single computer
          2. Processes sharing data and processes on multiple computers across a network
          3. Client and server applications
          4. Web applications
          5. Single sign on for web-based applications
          6. The open web application security project (OWASP)
          7. Mobile code
      4. Database systems
        1. Database models
          1. Hierarchical databases
          2. Network databases
          3. Relational databases
          4. Object-oriented databases
        2. Accessing databases
          1. Open database connectivity drivers
          2. Constrained view
        3. Polyinstantiation
        4. Transaction processing
          1. The ACID test for the development of transactions
          2. Online transaction processing
          3. Distributed databases
        5. Increasing the value of data
          1. Artificial intelligence
          2. Fuzzy logic
          3. Expert systems
          4. Artificial neural network
      5. Attacks on applications
        1. Lack of validating and filtering data input
        2. Failure to release memory securely
        3. Residual maintenance hooks
        4. Unintended (covert) communications channels
          1. The covert timing channel
        5. Race conditions
        6. Malware
          1. Exploit code
          2. Virus
          3. Worm
          4. Trojan horse
          5. Rootkits
          6. Backdoors
          7. Adware
          8. Spyware
          9. Ransomware
          10. Keystroke loggers
          11. Meme
          12. Traffic analysis
        7. Attacking web-based applications
          1. Cross-site scripting attacks
            1. The Nonpersistent Cross-Site Scripting Attack
            2. The Persistent Cross-Site Scripting (XSS) Attack
            3. The Dom-Based Cross-Site Scripting (XSS) Attack
        8. Web cache poisoning
        9. Hijacking webpages
        10. Directory transversal attacks
        11. Sensitive data retrieval
          1. Cookies
        12. Malware detection mechanisms
          1. Signature-based detection
          2. Heuristic-based detection
          3. Behavior-based detection
          4. Integrity validation
      6. Exercises
        1. Exercise 9-1
        2. Exercise 9-2
      7. Chapter summary
      8. Chapter review
      9. Answers
        1. Exercise 9-1
        2. Exercise 9-2
        3. Answers to the chapter review
    14. 10. Operations security
      1. The activities of operations
        1. Roles in information technology
          1. The data owner
          2. The manager
          3. The data custodian
          4. The system custodian
          5. The user
          6. Remote access
        2. Remote administration
        3. Availability
        4. User provisioning
        5. Fraud protection
          1. Administrative controls
            1. Separation of Duties
            2. Job Rotation
            3. Mandatory Vacations
            4. Dual Control
          2. Physical access controls
          3. Technical access controls
          4. Technical detective controls
        6. Vulnerability assessments
          1. Vulnerability scanning
          2. Privileged users
          3. Penetration testing
            1. The Penetration Testing Agreement
            2. Testing Systems
            3. Testing Facilities
            4. Testing Personnel
            5. The Starting Position of the Attacker
            6. The Level of Disclosure
            7. Hold Harmless
            8. Confidentiality
          4. Reporting
            1. The Executive Summary
            2. The Technical Report
        7. Incident response
      2. Data management
        1. Data classification
        2. Media management
        3. The media library
        4. Maintaining the systems that support the data
          1. Mean time between failures (MTBF)
          2. Single points of failure
          3. Redundant Array of Independent Disks (RAID)
          4. Parity
          5. Redundant Array of Independent Tapes (RAIT)
          6. Storage area networks (SAN)
          7. Massive array of inactive disks (MAID)
          8. Hierarchical storage management
          9. Server redundancy
          10. Collocation
          11. Service-level agreements (SLAs)
          12. Data backups
            1. The Full Backup
            2. The Full Plus Incremental Backup
            3. The Full Plus Differential Backup
            4. Practice Restores
        5. Data retention
        6. Secure deletion
        7. Object reuse
        8. Secure destruction
        9. Fax security
      3. Attacks on operations
        1. Preventive measures
        2. Common attacks and losses
        3. Anatomy of a targeted attack
          1. Target selection
          2. Passive reconnaissance
          3. Active reconnaissance
          4. Exploit
          5. Privilege escalation
          6. Entrench
          7. Cover tracks
          8. Pillage
          9. Pivot and attack
      4. Exercises
        1. Exercise 10-1
        2. Exercise 10-2
      5. Chapter summary
      6. Chapter review
      7. Answers
        1. Exercise 10-1
        2. Exercise 10-2
        3. Chapter review
    15. A. Additional resources
      1. Additional resources available from (ISC)2
      2. Miscellaneous additional resources
      3. Chapter 1: Information security governance and risk management
      4. Chapter 2: Access control
      5. Chapter 3: Cryptography
      6. Chapter 4: Physical (environmental) security
      7. Chapter 5: Security architecture and design
      8. Chapter 6: Legal, regulations, investigations and compliance
      9. Chapter 7: Telecommunications and network security
      10. Chapter 8: Business continuity and disaster recovery planning
      11. Chapter 9: Software development security
      12. Chapter 10: Operations security
    16. B. About the author
    17. Index
    18. About the Author
    19. Copyright