
Official (ISC)2® Guide to the ISSAP® CBK, 2nd Edition

Book Description

Candidates for the CISSP-ISSAP professional certification need to not only demonstrate a thorough understanding of the six domains of the ISSAP CBK, but also need to have the ability to apply this in-depth knowledge to develop a detailed security architecture.

Supplying an authoritative review of the key concepts and requirements of the ISSAP CBK, the Official (ISC)2® Guide to the ISSAP® CBK, Second Edition provides the practical understanding required to implement the latest security protocols to improve productivity, profitability, security, and efficiency. Encompassing all of the knowledge elements needed to create secure architectures, the text covers the six domains: Access Control Systems and Methodology, Communications and Network Security, Cryptology, Security Architecture Analysis, BCP/DRP, and Physical Security Considerations.

Newly Enhanced Design – This Guide Has It All!

  • Only guide endorsed by (ISC)2
  • Most up-to-date CISSP-ISSAP CBK
  • Evolving terminology and changing requirements for security professionals
  • Practical examples that illustrate how to apply concepts in real-life situations
  • Chapter outlines and objectives
  • Review questions and answers
  • References to free study resources

Read It. Study It. Refer to It Often.

Build your knowledge and improve your chance of achieving certification the first time around. Endorsed by (ISC)2 and compiled and reviewed by CISSP-ISSAPs and (ISC)2 members, this book provides unrivaled preparation for the certification exam and is a reference that will serve you well into your career. Earning your ISSAP is a deserving achievement that gives you a competitive advantage and makes you a member of an elite network of professionals worldwide.

Table of Contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Table of Contents
  6. Foreword
  7. Introduction
  8. Editors
  9. Domain 1 - Access Control Systems & Methodology
    1. Introduction
    2. Access Control Concepts
      1. Discretionary Access Control
      2. DAC Implementation Strategies
      3. Nondiscretionary Access Control
      4. Mandatory Access Control (MAC)
      5. Least Privilege
      6. Separation of Duties
      7. Architectures
    3. Authentication, Authorization, and Accounting (AAA)
      1. Centralized Access Control
      2. Common Implementations
      3. Design Considerations
      4. Decentralized Access Control
      5. Design Considerations
      6. Federated Access Control
      7. Design Considerations
      8. Directories and Access Control
      9. Design Considerations
      10. Identity Management
      11. Accounting
    4. Access Control Administration and Management Concepts
      1. Access Control Administration
      2. Database Access
      3. Inherent Rights
      4. Granted Rights
      5. Change of Privilege Levels
      6. Groups
      7. Role Based
      8. Task Based
      9. Dual Control
      10. Location
      11. Topology
      12. Subnet
      13. Geographical Considerations
      14. Device Type
      15. Authentication
      16. Strengths and Weaknesses of Authentication Tools
      17. Token-Based Authentication Tools
      18. Common Issues with Token Management
      19. Biometric Authentication Tools
      20. Performance Characteristics
      21. Implementation Considerations
      22. Fingerprints
      23. Hand Geometry
      24. Iris
      25. Retina
      26. Facial Recognition
      27. Authentication Tool Considerations
      28. Design Validation
      29. Architecture Effectiveness Assurance
      30. Testing Strategies
      31. Testing Objectives
      32. Testing Paradigms
      33. Repeatability
      34. Methodology
      35. Developing Test Procedures
      36. Risk-Based Considerations
  10. Domain 2 - Communications & Network Security
    1. Voice and Facsimile Communications
      1. Pulse Code Modulation (PCM)
      2. Circuit-Switched versus Packet-Switched Networks
      3. VoIP Architecture Concerns
      4. End-to-End Delay
      5. Jitter
      6. Method of Voice Digitization Used
      7. Packet Loss Rate
      8. Security
      9. Voice Security Policies and Procedures
      10. Encryption
      11. Authentication
      12. Administrative Change Control
      13. Integrity
      14. Availability
      15. Voice Protocols
    2. Network Architecture
      1. Redundancy and Availability
      2. Internet versus Intranet
      3. Extranet
      4. Network Types
      5. Perimeter Controls
      6. Security Modems
      7. Communications and Network Policies
      8. Overview of Firewalls
      9. Firewalls vs. Routers
      10. Demilitarized Zone’s Perimeter Controls
      11. IDS/IPS
      12. IDS Architecture
      13. Intrusion Prevention System
      14. Security Information & Event Management Considerations (SIEM)
      15. Wireless Considerations
      16. Architectures
      17. Security Issues
      18. WPA and WPA2
      19. IEEE 802.11i and 802.1X
      20. 802.1X
      21. Zones of Control
      22. Network Security
      23. Content Filtering
      24. Anti-malware
      25. Anti-spam
      26. Outbound Traffic Filtering
      27. Mobile Code
      28. Policy Enforcement Design
      29. Application and Transport Layer Security
      30. Social Media
      31. Secure E-Commerce Protocols
      32. SSL/TLS and the TCP/IP Protocol Stack
      33. Encryption
      34. Authentication
      35. Certificates and Certificate Authorities
      36. Data Integrity
      37. SSL/TLS Features
      38. Limitations of SSL/TLS
      39. Other Security Protocols
      40. Secure Remote Procedure Calls
      41. Network Layer Security and VPNs
      42. Types of VPN Tunneling
      43. VPN Tunneling Protocols
      44. Layer 2 Tunneling Protocol (L2TP)
      45. IPSec
      46. Authentication Header (AH)
      47. Encapsulating Security Payload (ESP)
      48. Cryptographic Algorithms
      49. L2TP/IPSec
      50. Authentication Using EAP
      51. TCP Wrapper
      52. SOCKS
      53. Comparing SOCKS and HTTP Proxies
      54. VPN Selection
      55. Topology Supported
      56. Authentication Supported
      57. Encryption Supported
      58. Scalability
      59. Management
      60. VPN Client Software
      61. Operating System and Browser Support
      62. Performance
      63. Endpoint Security
      64. Encryption
    3. Network Security Design Considerations
    4. Interoperability and Associated Risks
      1. Cross-Domain Risks and Solutions
    5. Audits and Assessments
      1. Monitoring
    6. Operating Environment
      1. Remote Access
      2. Monitoring
      3. Design Validation
      4. Penetration Testing
      5. Vulnerability Assessment
      6. Monitoring and Network Attacks
      7. Risk-Based Architecture
    7. Secure Sourcing Strategy
  11. Domain 3 - Cryptography
    1. Cryptographic Principles
    2. Applications of Cryptography
      1. Benefits
      2. Uses
      3. Message Encryption
      4. Secure IP Communication
      5. Remote Access
      6. Secure Wireless Communication
      7. Other Types of Secure Communication
      8. Identification and Authentication
      9. Storage Encryption
      10. Electronic Commerce (E-Commerce)
      11. Software Code Signing
      12. Interoperability
      13. Methods of Cryptography
      14. Symmetric Cryptosystems
      15. Block Cipher Modes
      16. Stream Ciphers
      17. Asymmetric Cryptosystems
      18. Hash Functions and Message Authentication Codes
      19. Digital Signatures
    3. Vet Proprietary Cryptography & Design Testable Cryptographic Systems
    4. Computational Overhead & Useful Life
    5. Key Management
      1. Purpose of the Keys and Key Types
      2. Cryptographic Strength and Key Size
    6. Key Life Cycle
      1. Key Creation
      2. Key Distribution and Crypto Information in Transit
      3. Symmetric Keys Distribution
      4. Public and Private Keys Distribution
      5. Key Storage
      6. Key Update
      7. Key Revocation
      8. Key Escrow
      9. Backup and Recovery
      10. Backup
      11. Key Recovery
    7. Public Key Infrastructure
      1. Key Distribution
      2. Certificate and Key Storage
      3. PKI Registration
      4. How the Subject Proves Its Organizational Entity
      5. How a Person, Acting on Behalf of the Subject, Authenticates to Request a Certificate (Case Studies)
      6. Certificate Issuance
      7. Trust Models
      8. Subordinate Hierarchy
      9. Cross-Certified Mesh
      10. Certificate Chains
      11. Certificate Revocation
      12. Traditional CRL Model
      13. Modified CRL-Based Models
      14. Cross-Certification
      15. How Applications Use Cross-Certification
      16. How Cross-Certification Is Set Up
      17. How Cross-Certification with a Bridge CA Is Implemented in Practice
    8. Design Validation
      1. Review of Cryptanalytic Attacks
      2. Attack Models
      3. Symmetric Attacks
      4. Asymmetric Attacks
      5. Hash Function Attacks
      6. Network-Based Cryptanalytic Attacks
      7. Attacks against Keys
      8. Brute Force Attacks
      9. Side-Channel Cryptanalysis
      10. Risk-Based Cryptographic Architecture
      11. Identifying Risk and Requirements by Cryptographic Areas
      12. Case Study
      13. Cryptographic Compliance Monitoring
      14. Cryptographic Standards Compliance
      15. Industry- and Application-Specific Cryptographic Standards Compliance
  12. Domain 4 - Security Architecture Analysis
    1. Risk Analysis
      1. Quantitative Risk Analysis
      2. Qualitative Risk Analysis
      3. Risk Theory
      4. Attack Vectors
      5. Methods of “Vector” Attack
      6. Attack by E-Mail
      7. Attack by Deception
      8. Hoaxes
      9. Hackers
      10. Web Page Attack
      11. Attack of the Worms
      12. Malicious Macros
      13. Instant Messaging, IRC, and P2P File-Sharing Networks
      14. Viruses
      15. Asset and Data Valuation
      16. Context and Data Value
      17. Corporate versus Departmental: Valuation
      18. Business, Legal, and Regulatory Requirements
    2. Product Assurance Evaluation Criteria
      1. Common Criteria (CC) Part 1
      2. Common Criteria (CC) Part 2
      3. The Target of Evaluation (TOE)
      4. Evaluation Assurance Level (EAL) Overview
      5. Evaluation Assurance Level 1 (EAL1) - Functionally Tested
      6. Evaluation Assurance Level 2 (EAL2) - Structurally Tested
      7. Evaluation Assurance Level 3 (EAL3) - Methodically Tested and Checked
      8. Evaluation Assurance Level 4 (EAL4) - Methodically Designed, Tested, and Reviewed
      9. Evaluation Assurance Level 5 (EAL5) - Semiformally Designed and Tested
      10. Evaluation Assurance Level 6 (EAL6) - Semiformally Verified Design and Tested
      11. Evaluation Assurance Level 7 (EAL7) - Formally Verified Design and Tested
      12. Common Criteria (CC) Part 3: Assurance Paradigm
      13. Significance of Vulnerabilities
      14. The Causes of Vulnerabilities
      15. Common Criteria Assurance
    3. Assurance through Evaluation
      1. The Common Criteria Evaluation Assurance Scale
      2. ISO/IEC 27000 Series
      3. Software Engineering Institute - Capability Maturity Model (CMMI-DEV) Key Practices Version 1.3
      4. Introducing the Capability Maturity Model
      5. Sources of the Capability Maturity Model (CMM)
      6. Structure of the CMMI-DEV V1.3
      7. Intergroup Coordination
      8. Peer Reviews
      9. ISO 7498
      10. Concepts of a Layered Architecture
      11. Payment Card Industry Data Security Standard (PCI-DSS)
      12. Architectural Solutions
    4. Architecture Frameworks
      1. Department of Defense Architecture Framework (DoDAF)
      2. The Zachman Framework
    5. Design Process
      1. System Security Engineering Methodologies
      2. Design Validation
      3. Certification
      4. Peer Reviews
      5. Documentation
  13. Domain 5 - Technology Related Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
    1. Planning Phases and Deliverables
    2. Risk Analysis
      1. Natural Hazard Risks
      2. Human-Made Risks and Threats
      3. Industry Risks
      4. Do Not Forget the Neighbors!
    3. Business Impact Analysis
      1. Data Stored in Electronic Form
      2. Remote Replication and Off-Site Journaling
      3. Backup Strategies
    4. Selecting a Recovery Strategy for Technology
      1. Cost–Benefit Analysis
      2. Implementing Recovery Strategies
      3. Documenting the Plan
      4. The Human Factor
      5. Logistics
      6. Plan Maintenance Strategies
    5. Bringing It All Together – A Sample “Walk Through” of a DR Plan
    6. Step by Step Guide for Disaster Recovery Planning for Security Architects
      1. I. Information Gathering
      2. II. Plan Development and Testing
      3. III. Ongoing Maintenance
    7. References
  14. Domain 6 - Physical Security Considerations
    1. Physical Security Policies and Standards
    2. Physical Security Risks
      1. Unauthorized Access
      2. Physical Security Needs and Organization Drivers
      3. Facility Risk
      4. Restricted Work Areas
    3. Protection Plans
      1. Evacuation Drills
      2. Incident Response
      3. Design Validation
      4. Penetration Tests
      5. Access Control Violation Monitoring
  15. Appendix A
  16. Index