CISSP All-in-One Exam Guide - eBook

PDF
Visit to download the full and correct content document:
https://ebooksecure.com/download/cissp-all-in-one-exam-guide-ebook-pdf-3/
Praise for CISSP® All-in-One Exam Guide
A must-have reference for any cyber security practitioner, this book provides invaluable
practical knowledge on the increasingly complex universe of security concepts, controls,
and best practices necessary to do business in today’s world.
Steve Zalewski,
Chief Security Architect,
Levi Strauss & Co.

Shon Harris put the CISSP certification on the map with this golden bible of the CISSP.
Fernando Maymí carries that legacy forward beautifully with clarity, accuracy, and balance.
I am sure that Shon would be proud.
David R. Miller, CISSP; GIAC GISP; PCI QSA;
SME; MCT; MCITPro Enterprise Admin;
MCSE NT 4.0, 2000, 2003, 2008; CEH;
ECSA; LPT; CCNA; CWNA; CNE;
GIAC GISF; CompTIA Security+, etc.…

An excellent reference. Written clearly and concisely, this book is invaluable to students,
educators, and practitioners alike.
Dr. Joe Adams, Founder and Executive
Director, Michigan Cyber Range

A lucid, enlightening, and comprehensive tour de force through the breadth of cyber
security. Maymí and Harris are masters of the craft.
Dr. Greg Conti, Founder,
Kopidion LLC

I wish I had found this book earlier in my career. It certainly was the single tool I used to pass
the CISSP exam, but more importantly it has taught me about security from many aspects I
did not even comprehend previously. I think the knowledge that I gained from this book is
going to help me in many years to come. Terrific book and resource!
Janet Robinson,
Chief Security Officer

The “All-in-One Exam Guide” is probably responsible for preventing tens of thousands of
cyberattacks and for providing the strategic, operational, and tactical knowledge to secure
vital government and corporate data centers and networks.
I personally used Shon’s work to achieve my CISSP and I have globally recommended it
to many audiences. I have led many large organizations and one of my fundamental
requirements for any of the budding CISSPs that I have mentored on their path to achieve
a CISSP certificate was that they had to do two things before I would send them to a
CISSP training boot camp. First, they had to prove to me they read Shon’s Gold Book, as I
called it, and second they had to attend a free online CISSP preparation seminar. I had
great success with this methodology.
I look forward to all future editions.
Bill Ross, CISSP, CISM, IAM,
SABSA Master Intelligence Officer, ITIL

Shon Harris and the “All-in-One CISSP” book have been the secret to my success. While at
RSA I engaged Shon in getting 90 percent of the worldwide sales engineers CISSP certified,
all with the assistance of this book. I took this same program with me to Symantec, and
Shon worked with me to ensure we had the same type of results with both security
engineers and security executives at Symantec. Her straightforward approach contained in
this book gave each individual the specific information they needed to take the CISSP
exam. As a plus, each of them gained a great deal of knowledge and solid base that is
required by today’s security professionals. I count myself as fortunate to have been
introduced to Shon and the “All-in-One CISSP” early in my security career!
Rick Hanson,
CISSP Symantec Security Business Practice

I have no hesitation in recommending Shon Harris’ “All-in-One Exam Guide”—the
consummate guide to (a) passing the prestigious CISSP examination specifically and (b)
more generally—a great insight into the wider world of information security.
Mike Rabbitt, CISSP,
CISA Information Security Officer

A must-have for anyone serious about becoming a CISSP.
Clément Dupuis, CD,
Owner and Founder of The CCCure
Family of Portals, www.cccure.org

This is the best book to prepare for CISSP exam. Period.
Sabyasachi Hazra, CISSP, CISA,
CISM, PMP, CCSE, ISO 27001 LA,
CEH, CCSP, CCSA, CCSE, CCSE+,
MCSA, CCNP, Deloitte & Touche

Shon Harris is amazing at explaining the most complicated technologies in very simplified
terms. This is a great book for studying for the CISSP exam, but also the only reference
manual needed for any technical library.
Casey Batz,
Network Security Engineer, VMware

Shon’s “CISSP All-in-One Guide” has been the go-to study guide for the more than 200
new CISSP holders developed in our region over the last two years. It continues to be a
great asset for both the novice and experienced security practitioner.
Alex Humber, Symantec Corporation

Not coming from a technical background, your guide was exactly what was needed to
prepare for the CISSP exam. The material was presented in a way that allowed for not only
grasping the concepts but also understanding them. The CISSP exam is one of the toughest
out there, and your guide is a great tool for preparing for that rigorous undertaking.
Dr. Kevin Schatzle, CISSP, CFE, CPP

I heard from others for years that Harris’ CISSP book was the gold star and now that I am
getting around to preparing for the exam—I see exactly what they mean. I thought I had a
firm grasp on most items that make up information security, but this book really showed
me that there is a lot more involved than I imagined. This book has broadened my horizons
and provided me deep insight. And by the way, I passed the CISSP exam easily from just
studying this one book.
Paul Rose, CEH, CISA, and now
CISSP Security Compliance Officer

Shon Harris really takes a different approach to writing, which helped me tremendously.
The explanations, scenarios, metaphors, and a sprinkle of humor here and there made this
book enjoyable—instead of a dreaded task. Some of the technical concepts I learned ten or
more years ago, but after reading this book I now see how I did not understand these
concepts to the necessary depth and I also understand how these technologies work
together in the real world. The book has made me a much better security professional and
allowed me to get my CISSP certification. Thanks for such a great piece of work!
Mike Peterson, Information Security Officer

Copyright © 2019 by McGraw-Hill Education. All rights reserved. Except as permitted
under the United States Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or retrieval
system, without the prior written permission of the publisher, with the exception that the
program listings may be entered, stored, and executed in a computer system, but they may
not be reproduced for publication.

ISBN: 978-1-26-014264-8
MHID: 1-26-014264-7

The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-014265-5, MHID: 1-26-014265-5.

eBook conversion by codeMantra


Version 1.0

All trademarks are trademarks of their respective owners. Rather than put a trademark
symbol after every occurrence of a trademarked name, we use names in an editorial fashion
only, and to the benefit of the trademark owner, with no intention of infringement of the
trademark. Where such designations appear in this book, they have been printed with
initial caps.

McGraw-Hill Education eBooks are available at special quantity discounts to use as
premiums and sales promotions or for use in corporate training programs. To contact a
representative, please visit the Contact Us page at www.mhprofessional.com.

Information has been obtained by McGraw-Hill Education from sources believed to be
reliable. However, because of the possibility of human or mechanical error by our sources,
McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the
accuracy, adequacy, or completeness of any information and is not responsible for any
errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights
in and to the work. Use of this work is subject to these terms. Except as permitted under
the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you
may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative
works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or
any part of it without McGraw-Hill Education’s prior consent. You may use the work for
your own noncommercial and personal use; any other use of the work is strictly prohibited.
Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS
LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE
ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE
OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION
THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR
OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill
Education and its licensors do not warrant or guarantee that the functions contained in the
work will meet your requirements or that its operation will be uninterrupted or error free.
Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for
any inaccuracy, error or omission, regardless of cause, in the work or for any damages
resulting therefrom. McGraw-Hill Education has no responsibility for the content of any
information accessed through the work. Under no circumstances shall McGraw-Hill
Education and/or its licensors be liable for any indirect, incidental, special, punitive,
consequential or similar damages that result from the use of or inability to use the work,
even if any of them has been advised of the possibility of such damages. This limitation of
liability shall apply to any claim or cause whatsoever whether such claim or cause arises in
contract, tort or otherwise.

We dedicate this book to all those who have served selflessly.

ABOUT THE AUTHORS

Shon Harris, CISSP, was the founder and CEO of Shon Harris Security LLC and Logical
Security LLC, a security consultant, a former engineer in the Air Force’s Information
Warfare unit, an instructor, and an author. Shon owned and ran her own training and
consulting companies for 13 years prior to her death in 2014. She consulted with Fortune
100 corporations and government agencies on extensive security issues. She authored three
best-selling CISSP books, was a contributing author to Gray Hat Hacking: The Ethical
Hacker’s Handbook and Security Information and Event Management (SIEM)
Implementation, and a technical editor for Information Security Magazine.

Fernando Maymí, Ph.D., CISSP, is Lead Scientist in the Cyber and Secure Autonomy
division of Soar Technology, Inc., an artificial intelligence research and development
company, a retired Army officer, and a former West Point faculty member with over 25
years’ experience in the field. He is currently leading multiple advanced research projects
developing autonomous cyberspace agents for the Department of Defense. Fernando has
developed and conducted large-scale cyber security exercises for major cities in the United
States and abroad, and served as advisor for senior leaders around the world. He worked
closely with Shon Harris, advising her on a multitude of projects, including the sixth
edition of the CISSP All-in-One Exam Guide.

About the Contributor/Technical Editor

Bobby E. Rogers is an information security engineer working as a contractor for
Department of Defense agencies, helping to secure, certify, and accredit their information
systems. His duties include information system security engineering, risk management, and
certification and accreditation efforts. He retired after 21 years in the U.S. Air Force,
serving as a network security engineer and instructor, and has secured networks all over the
world. Bobby has a master’s degree in information assurance (IA) and is pursuing a doctoral
degree in cyber security from Capitol Technology University in Maryland. His many
certifications include CISSP-ISSEP, CEH, and MCSE: Security, as well as the CompTIA
A+, Network+, Security+, and Mobility+ certifications.

CONTENTS AT A GLANCE

Chapter 1 Security and Risk Management
Chapter 2 Asset Security
Chapter 3 Security Architecture and Engineering
Chapter 4 Communication and Network Security
Chapter 5 Identity and Access Management
Chapter 6 Security Assessment and Testing
Chapter 7 Security Operations
Chapter 8 Software Development Security
Appendix A Comprehensive Questions
Appendix B About the Online Content
Glossary

Index

CONTENTS

In Memory of Shon Harris
Foreword
From the Author
Acknowledgments
Why Become a CISSP?
Chapter 1 Security and Risk Management
Fundamental Principles of Security
Availability
Integrity
Confidentiality
Balanced Security
Security Definitions
Control Types
Security Frameworks
ISO/IEC 27000 Series
Enterprise Architecture Development
Security Controls Development
Process Management Development
Functionality vs. Security
The Crux of Computer Crime Laws
Complexities in Cybercrime
Electronic Assets
The Evolution of Attacks
International Issues
Types of Legal Systems
Intellectual Property Laws
Trade Secret
Copyright

Trademark
Patent
Internal Protection of Intellectual Property
Software Piracy
Privacy
The Increasing Need for Privacy Laws
Laws, Directives, and Regulations
Employee Privacy Issues
Data Breaches
U.S. Laws Pertaining to Data Breaches
Other Nations’ Laws Pertaining to Data Breaches
Policies, Standards, Baselines, Guidelines, and Procedures
Security Policy
Standards
Baselines
Guidelines
Procedures
Implementation
Risk Management
Holistic Risk Management
Information Systems Risk Management Policy
The Risk Management Team
The Risk Management Process
Threat Modeling
Threat Modeling Concepts
Threat Modeling Methodologies
Risk Assessment and Analysis
Risk Assessment Team
The Value of Information and Assets
Costs That Make Up the Value

Identifying Vulnerabilities and Threats
Methodologies for Risk Assessment
Risk Analysis Approaches
Qualitative Risk Analysis
Protection Mechanisms
Total Risk vs. Residual Risk
Handling Risk
Supply Chain Risk Management
Upstream and Downstream Suppliers
Service Level Agreements
Risk Management Frameworks
Categorize Information System
Select Security Controls
Implement Security Controls
Assess Security Controls
Authorize Information System
Monitor Security Controls
Business Continuity and Disaster Recovery
Standards and Best Practices
Making BCM Part of the Enterprise Security Program
BCP Project Components
Personnel Security
Hiring Practices
Onboarding
Termination
Security Awareness Training
Degree or Certification?
Security Governance
Metrics
Ethics

The Computer Ethics Institute
The Internet Architecture Board
Corporate Ethics Programs
Summary
Quick Tips
Questions
Answers
Chapter 2 Asset Security
Information Life Cycle
Acquisition
Use
Archival
Disposal
Classification
Classifications Levels
Classification Controls
Layers of Responsibility
Executive Management
Data Owner
Data Custodian
System Owner
Security Administrator
Supervisor
Change Control Analyst
Data Analyst
User
Auditor
Why So Many Roles?
Retention Policies
Developing a Retention Policy

Protecting Privacy
Data Owners
Data Processers
Data Remanence
Limits on Collection
Protecting Assets
Data Security Controls
Media Controls
Protecting Mobile Devices
Paper Records
Safes
Selecting Standards
Data Leakage
Data Leak Prevention
Summary
Quick Tips
Questions
Answers
Chapter 3 Security Architecture and Engineering
System Architecture
Computer Architecture
The Central Processing Unit
Multiprocessing
Memory Types
Operating Systems
Process Management
Memory Management
Input/Output Device Management
CPU Architecture Integration
Operating System Architectures

Virtual Machines
System Security Architecture
Security Policy
Security Architecture Requirements
Security Models
Bell-LaPadula Model
Biba Model
Clark-Wilson Model
Noninterference Model
Brewer and Nash Model
Graham-Denning Model
Harrison-Ruzzo-Ullman Model
Systems Evaluation
Common Criteria
Why Put a Product Through Evaluation?
Certification vs. Accreditation
Certification
Accreditation
Open vs. Closed Systems
Open Systems
Closed Systems
Systems Security
Client-Based Systems
Client-Server Systems
Distributed Systems
Cloud Computing
Parallel Computing
Database Systems
Web-Based Systems
Mobile Systems

Cyber-Physical Systems
A Few Threats to Review
Maintenance Hooks
Time-of-Check/Time-of-Use Attacks
Cryptography in Context
The History of Cryptography
Cryptography Definitions and Concepts
Kerckhoffs’ Principle
The Strength of the Cryptosystem
One-Time Pad
Running and Concealment Ciphers
Steganography
Types of Ciphers
Substitution Ciphers
Transposition Ciphers
Methods of Encryption
Symmetric vs. Asymmetric Algorithms
Symmetric Cryptography
Block and Stream Ciphers
Hybrid Encryption Methods
Types of Symmetric Systems
Data Encryption Standard
Triple-DES
Advanced Encryption Standard
International Data Encryption Algorithm
Blowfish
RC4
RC5
RC6
Types of Asymmetric Systems

Diffie-Hellman Algorithm
RSA
El Gamal
Elliptic Curve Cryptosystems
Knapsack
Zero Knowledge Proof
Message Integrity
The One-Way Hash
Various Hashing Algorithms
MD4
MD5
SHA
Attacks Against One-Way Hash Functions
Public Key Infrastructure
Certificate Authorities
Certificates
The Registration Authority
PKI Steps
Applying Cryptography
Services of Cryptosystems
Digital Signatures
Digital Signature Standard
Key Management
Trusted Platform Module
Digital Rights Management
Attacks on Cryptography
Ciphertext-Only Attacks
Known-Plaintext Attacks
Chosen-Plaintext Attacks
Chosen-Ciphertext Attacks

Differential Cryptanalysis
Linear Cryptanalysis
Side-Channel Attacks
Replay Attacks
Algebraic Attacks
Analytic Attacks
Statistical Attacks
Social Engineering Attacks
Meet-in-the-Middle Attacks
Site and Facility Security
The Site Planning Process
Crime Prevention Through Environmental Design
Designing a Physical Security Program
Internal Support Systems
Electric Power
Environmental Issues
Fire Prevention, Detection, and Suppression
Summary
Quick Tips
Questions
Answers
Chapter 4 Communication and Network Security
Principles of Network Architectures
Open Systems Interconnection Reference Model
Protocol
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer

Data Link Layer
Physical Layer
Functions and Protocols in the OSI Model
Tying the Layers Together
Multilayer Protocols
TCP/IP Model
TCP
IP Addressing
IPv6
Layer 2 Security Standards
Converged Protocols
Transmission Media
Types of Transmission
Cabling
Wireless Networks
Wireless Communications Techniques
WLAN Components
Evolution of WLAN Security
Wireless Standards
Best Practices for Securing WLANs
Satellites
Mobile Wireless Communication
Networking Foundations
Network Topology
Media Access Technologies
Transmission Methods
Network Protocols and Services
Address Resolution Protocol
Dynamic Host Configuration Protocol
Internet Control Message Protocol

Simple Network Management Protocol
Domain Name Service
E-mail Services
Network Address Translation
Routing Protocols
Network Components
Repeaters
Bridges
Routers
Switches
Gateways
PBXs
Firewalls
Proxy Servers
Unified Threat Management
Content Distribution Networks
Software Defined Networking
Endpoints
Honeypot
Network Access Control
Virtualized Networks
Intranets and Extranets
Metropolitan Area Networks
Metro Ethernet
Wide Area Networks
Telecommunications Evolution
Dedicated Links
WAN Technologies
Communications Channels
Multiservice Access Technologies

H.323 Gateways
Digging Deeper into SIP
IP Telephony Issues
Remote Access
Dial-up Connections
ISDN
DSL
Cable Modems
VPN
Authentication Protocols
Network Encryption
Link Encryption vs. End-to-End Encryption
E-mail Encryption Standards
Internet Security
Network Attacks
Denial of Service
Sniffing
DNS Hijacking
Drive-by Download
Summary
Quick Tips
Questions
Answers
Chapter 5 Identity and Access Management
Access Controls Overview
Security Principles
Availability
Integrity
Confidentiality
Identification, Authentication, Authorization, and Accountability

Identification and Authentication
Authentication Methods
Authorization
Accountability
Session Management
Federation
Integrating Identity as a Service
On-premise
Cloud
Integration Issues
Access Control Mechanisms
Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
Rule-Based Access Control
Attribute-Based Access Control
Access Control Techniques and Technologies
Constrained User Interfaces
Remote Access Control Technologies
Access Control Matrix
Content-Dependent Access Control
Context-Dependent Access Control
Managing the Identity and Access Provisioning Life Cycle
Provisioning
User Access Review
System Account Access Review
Deprovisioning
Controlling Physical and Logical Access
Access Control Layers
Administrative Controls

Physical Controls
Technical Controls
Access Control Practices
Unauthorized Disclosure of Information
Access Control Monitoring
Intrusion Detection Systems
Intrusion Prevention Systems
Threats to Access Control
Dictionary Attack
Brute-Force Attacks
Spoofing at Logon
Phishing and Pharming
Summary
Quick Tips
Questions
Answers
Chapter 6 Security Assessment and Testing
Assessment, Test, and Audit Strategies
Internal Audits
External Audits
Third-Party Audits
Test Coverage
Auditing Technical Controls
Vulnerability Testing
Penetration Testing
War Dialing
Other Vulnerability Types
Postmortem
Log Reviews
Synthetic Transactions

Misuse Case Testing
Code Reviews
Code Testing
Interface Testing
Auditing Administrative Controls
Account Management
Backup Verification
Disaster Recovery and Business Continuity
Security Training and Security Awareness Training
Key Performance and Risk Indicators
Reporting
Analyzing Results
Writing Technical Reports
Executive Summaries
Management Review and Approval
Before the Management Review
Reviewing Inputs
Management Approval
Summary
Quick Tips
Questions
Answers
Chapter 7 Security Operations
The Role of the Operations Department
Administrative Management
Security and Network Personnel
Accountability
Clipping Levels
Physical Security
Facility Access Control

Personnel Access Controls
External Boundary Protection Mechanisms
Intrusion Detection Systems
Patrol Force and Guards
Dogs
Auditing Physical Access
Internal Security Controls
Secure Resource Provisioning
Asset Inventory
Asset Management
Configuration Management
Trusted Recovery
Input and Output Controls
System Hardening
Remote Access Security
Provisioning Cloud Assets
Network and Resource Availability
Mean Time Between Failures
Mean Time to Repair
Single Points of Failure
Backups
Contingency Planning
Preventing and Detecting
Continuous Monitoring
Firewalls
Intrusion Detection and Prevention Systems
Whitelisting and Blacklisting
Antimalware
Vulnerability Management
Patch Management

Sandboxing
Honeypots and Honeynets
Egress Monitoring
Security Information and Event Management
Outsourced Services
The Incident Management Process
Detection
Response
Mitigation
Reporting
Recovery
Remediation
Investigations
Computer Forensics and Proper Collection of Evidence
Motive, Opportunity, and Means
Computer Criminal Behavior
Incident Investigators
Types of Investigations
The Forensic Investigation Process
What Is Admissible in Court?
Surveillance, Search, and Seizure
Disaster Recovery
Business Process Recovery
Recovery Site Strategies
Supply and Technology Recovery
Backup Storage Strategies
End-User Environment
Availability
Liability and Its Ramifications
Liability Scenarios

Third-Party Risk
Contractual Agreements
Procurement and Vendor Processes
Insurance
Implementing Disaster Recovery
Personnel
Assessment
Restoration
Communications
Training
Personal Safety Concerns
Emergency Management
Duress
Travel
Training
Summary
Quick Tips
Questions
Answers
Chapter 8 Software Development Security
Building Good Code
Where Do We Place Security?
Different Environments Demand Different Security
Environment vs. Application
Functionality vs. Security
Implementation and Default Issues
Software Development Life Cycle
Project Management
Requirements Gathering Phase
Design Phase

Development Phase
Testing Phase
Operations and Maintenance Phase
Software Development Methodologies
Waterfall Methodology
V-Shaped Methodology
Prototyping
Incremental Methodology
Spiral Methodology
Rapid Application Development
Agile Methodologies
Integrated Product Team
DevOps
Capability Maturity Model Integration
Change Management
Change Control
Security of Development Environments
Security of Development Platforms
Security of Code Repositories
Software Configuration Management
Secure Coding
Source Code Vulnerabilities
Secure Coding Practices
Programming Languages and Concepts
Assemblers, Compilers, Interpreters
Object-Oriented Concepts
Other Software Development Concepts
Application Programming Interfaces
Distributed Computing
Distributed Computing Environment

CORBA and ORBs
COM and DCOM
Java Platform, Enterprise Edition
Service-Oriented Architecture
Mobile Code
Java Applets
ActiveX Controls
Web Security
Specific Threats for Web Environments
Web Application Security Principles
Database Management
Database Management Software
Database Models
Database Programming Interfaces
Relational Database Components
Integrity
Database Security Issues
Data Warehousing and Data Mining
Malicious Software (Malware)
Viruses
Worms
Rootkit
Spyware and Adware
Botnets
Logic Bombs
Trojan Horses
Antimalware Software
Spam Detection
Antimalware Programs
Assessing the Security of Acquired Software

Summary
Quick Tips
Questions
Answers
Appendix A Comprehensive Questions
Answers
Appendix B About the Online Content
System Requirements
Your Total Seminars Training Hub Account
Single User License Terms and Conditions
TotalTester Online
Hotspot and Drag-and-Drop Questions
Online Flash Cards
Single User License Terms and Conditions
Technical Support

Glossary
Index

IN MEMORY OF SHON HARRIS

In the summer of 2014, Shon asked me to write a foreword for the new edition of her
CISSP All-in-One Exam Guide. I was honored to do that, and the following two paragraphs
are that original foreword. Following that, I will say more about my friend, the late Shon
Harris.
The cyber security field is still relatively new and has been evolving as technology
advances. Every decade or so, we have an advance or two that seems to change the game.
For example, in the 1990s we were focused primarily on “perimeter defense.” Lots of
money was spent on perimeter devices like firewalls to keep the bad guys out. Around
2000, recognizing that perimeter defense alone was insufficient, the “defense in depth”
approach became popular, and we spent another decade trying to build layers of defense
and detect the bad guys who were able to get past our perimeter defenses. Again, lots of
money was spent, this time on intrusion detection, intrusion prevention, and end-point
solutions. Then, around 2010, following the lead of the U.S. government in particular, we
began to focus on “continuous monitoring,” the goal being to catch the bad guys inside the
network if they get past the perimeter defense and the defense in depth. Security
information and event management (SIEM) technology has emerged as the best way to
handle this continuous monitoring requirement. The latest buzz phrase is “active defense,”
which refers to the ability to respond in real time through a dynamic and changing defense
that works to contain the attacker and allow the organization to recover quickly and get
back to business. We are starting to see the re-emergence of honeypots combined with
sandbox technology to bait and trap attackers for further analysis of their activity. One
thing is common throughout this brief historical survey: the bad guys keep getting in and
we keep responding to try and keep up, if not prevent them in the first place. This cat-and-mouse game will continue for the foreseeable future.
As the cyber security field continuously evolves to meet the latest emerging threats, each
new strategy and tactic brings with it a new set of terminology and concepts for the security
professional to master. The sheer bulk of the body of knowledge can be overwhelming,
particularly to newcomers. As a security practitioner, consultant, and business leader, I am
often asked by aspiring security practitioners where to start when trying to get into the
field. I often refer them to Shon’s CISSP All-in-One Exam Guide, not necessarily for the
purpose of becoming a CISSP, but so that they may have in one resource the body of
knowledge in the field. I am also often asked by experienced security practitioners how to
advance in the field. I encourage them to pursue CISSP certification and, once again, I refer
them to Shon’s book. Some are destined to become leaders in the field, and the CISSP is a
solid certificate for managers. Other security professionals I encounter are just looking for
more breadth of knowledge, and I recommend Shon’s book to them too as a good one-stop
reference for that. This book has stood the test of time. It has evolved as the field has
evolved and stands as the single most important book in the cyber security field, period. I
have personally referred to it several times throughout my career and keep a copy near me
at all times on my Kindle. Simply put, if you are in the cyber security field, you need a copy
of this book.
On a personal note, little did I know that within months of writing the preceding
foreword, Shon would no longer be with us. I counted Shon as a good friend and still
admire her for her contribution to the field. I met Shon at a CISSP boot camp in 2002. I
had just learned of the CISSP and within weeks found myself in her class. I had no clue
that she had already written several books by that time and was a true leader in the field. I
must have chattered away during our lunch sessions, because a few months after the class,
she reached out to me and said, “Hey, I remember you were interested in writing. I have a
new project that I need help on. Would you like to help?” After an awkward pause, as I
picked myself up from the floor, I told her that I felt underqualified, but yes! That started a
journey that has blessed me many times over. The book was called Gray Hat Hacking and is
now in the fourth edition. From the book came many consulting, writing, and teaching
opportunities, such as Black Hat. Then, as I retired from the Marine Corps, in 2008, there
was Shon, right on cue: “Hey, I have an opportunity to provide services to a large company.
Would you like to help?” Just like that, I had my first large client, launching my company,
which I was able to grow, with Shon’s help, and then sell a couple of years ago. During the
12 years I knew her, Shon continued to give me opportunities to become much more than
I could have dreamed. She never asked for a thing in return, simply saying, “You take it and
run with it, I am too busy doing other things.” As I think back over my career after the
Marine Corps, I owe most of my success to Shon. I have shared this story with others and
found that I am not the only one; Shon blessed so many people with her giving spirit. I am
convinced there are many “Shon” stories like this one out there. She touched so many
people in the security field and more than lived up to the nickname I had for her, Miss
CISSP.
Without a doubt, Shon was the most kindhearted, generous, and humble person in the
field. If you knew Shon, I know you would echo that sentiment. If you did not know Shon,
I hope that through these few words, you understand why she was so special and why there
had to be another edition of this book. I have been asked several times over the last year,
“Do you think there will be another edition? The security field and CISSP certification
have both changed so much, we need another edition.” For this reason, I am excited this
new edition came to be. Shon would have wanted the book to go on helping people to be
the best they can be. I believe we, as a profession, need this book to continue. So, I am
thankful that the team from McGraw-Hill and Fernando are honoring Shon in this way
and continuing her legacy. She truly deserves it. Shon, you are missed and loved by so
many. Through this book, your generous spirit lives on, helping others.

Dr. Allen Harper, CISSP (thanks to Shon)
Executive Director, Center for Cyber Excellence, Liberty University

FOREWORD

I’m excited and honored to introduce the eighth edition of CISSP All-in-One Exam Guide
to cyber security experts worldwide. This study guide is essential for those pursuing CISSP
certification and should be part of every cyber security professional’s library.
After 39 years of service in the Profession of Arms, I know well what it means to be a
member of a profession and the importance of shared values, common language, and
identity. At the same time, expert knowledge gained through training, education, and
experience is critical to a profession, but formal certifications based on clearly articulated
standards are the coin of the realm for cyber security professionals.
In every operational assignment, I sought ways to leverage technology and increase
digitization, while assuming our freedom to operate was not at risk. Today’s threats coupled
with our vulnerabilities and the potential consequences create a new operational reality—
national security is at risk. When we enter any network, we must fight to ensure we
maintain our security, and cyber security experts are the professionals we will call on to out-
think and out-maneuver the threats we face from cyberspace.
As our world becomes more interconnected, we can expect cyber threats to continue to
grow exponentially. While our cyber workforce enabled by technology must focus on
preventing threats and reducing vulnerabilities, we will not eliminate either. This demands
professionals who understand risk management and security—experts who are trusted and
committed to creating and providing a wide range of security measures tailored to mitigate
enterprise risk and assure all missions, public and private.
Current, relevant domain expertise is the key, and the CISSP All-in-One Exam Guide is
the king of the hill. In this edition, Shon’s quality content is present and is being stewarded
forward by Fernando Maymí. You’re in good hands, and you will grow personally and
professionally from your study. As competent, trusted professionals of character, this book
is essential to you, your organization, and our national security.

Rhett Hernandez
Lieutenant General, U.S. Army Retired
Former Commander, U.S. Army Cyber Command
Current West Point Cyber Chair, Army Cyber Institute

FROM THE AUTHOR

In April 2018, (ISC)2 released a revised version of the CISSP Common Body of Knowledge
(CBK). After reviewing the changes, and in light of an ever-changing information security
landscape, we felt compelled to update the CISSP All-in-One Exam Guide and publish its
eighth edition. What are the big changes in the CBK? None, really. What this revision did
was shuffle some topics around and make some adjustments to the emphasis that previous
topics receive. Some notable changes are listed here:

• Secure coding: This is probably the biggest winner. (ISC)2 is placing increased
emphasis on this critical topic. The seventh edition of this book already placed a fair
amount of emphasis on secure coding, but we updated our coverage to ensure you
have the information you need whether or not you have a background in software
development.
• IoT: It is noteworthy that, while the 2015 CBK included the more general terms
“embedded devices” and “cyber-physical systems,” the Internet of Things (IoT) is
now being singled out as an area of increased attention. We had already included a
section on IoT security in the previous edition and just call this out to help you
prepare.
• Supply chain: (ISC)2 has broadened the scope of acquisition practices to look at the
entire supply chain and has integrated this new topic with risk management. It all
makes sense, particularly in the wake of multiple incidents that have come to light in
the last couple of years highlighting the vulnerabilities that the supply chain poses to
many organizations.
• Audits: Whereas in the last version of the CBK this was a single topic, we now see it
broken down into internal, external, and third-party audit issues. We already covered
internal and third-party audits in the previous edition of this book, so we freshened
those up and added coverage of external audits.

The goal of this book is not just to get you to pass the CISSP exam, but to provide you
the bedrock of knowledge that will allow you to flourish as an information systems security
professional before and after you pass the certification exam. If you strive for excellence in
your own development, the CISSP certification will follow as a natural byproduct. This
approach will demand that you devote time and energy to topics and issues that may seem
to have no direct or immediate return on investment. That is OK. We each have our own
areas of strength and weakness, and many of us tend to reinforce the former while ignoring
the latter. This leads to individuals who have tremendous depth in a very specific topic, but
who lack the breadth to understand context or thrive in new and unexpected conditions.
What we propose is an inversion of this natural tendency, so that we devote appropriate
amounts of effort to those areas in which we are weakest. What we propose is that we
balance the urge to be specialists with the need to be well-rounded professionals. This is
what our organizations and societies need from us.
The very definition of a profession describes a group of trusted, well-trained individuals
that performs a critical service that societies cannot do for themselves. In the case of the
CISSP, this professional ensures the availability, integrity, and confidentiality of our
information systems. This cannot be done simply by being the best firewall administrator,
or the best forensic examiner, or the best reverse engineer. Instead, our service requires a
breadth of knowledge that will allow us to choose the right tool for the job. This relevant
knowledge, in turn, requires a foundation of (apparently less relevant) knowledge upon
which we can build our expertise. This is why, in order to be competent professionals, we
all need to devote ourselves to learning topics that may not be immediately useful.
This book provides an encyclopedic treatment of both directly applicable and
foundational knowledge. It is designed, as it always was, to be both a study guide and an
enduring reference. Our hope is that, long after you obtain your CISSP certification, you
will turn to this tome time and again to brush up on your areas of weakness as well as to
guide you in a lifelong pursuit of self-learning and excellence.

Acknowledgments
We would like to thank all the people who work in the information security industry who
are driven by their passion, dedication, and a true sense of doing right. The best security
people are the ones who are driven toward an ethical outcome.
In this eighth edition, we would also like to thank the following:

• David Miller, whose work ethic, loyalty, and friendship have continuously inspired
us.
• All the teammates from Logical Security.
• The men and women of our armed forces, who selflessly defend our way of life.
• Kathy Conlon, who, more than anyone else, set the conditions that led to eight
editions of this book.
• David Harris.
• Carol Remicci.
• Chris Gramling.

Most especially, we thank you, our readers, for standing on the frontlines of our digital
conflicts and for devoting your professional lives to keeping all of us safe in cyberspace.

WHY BECOME A CISSP?

As our world changes, the need for improvements in security and technology continues to
grow. Corporations and other organizations are desperate to identify and recruit talented
and experienced security professionals to help protect the resources on which they depend
to run their businesses and remain competitive. As a Certified Information Systems
Security Professional (CISSP), you will be seen as a security professional of proven ability
who has successfully met a predefined standard of knowledge and experience that is well
understood and respected throughout the industry. By keeping this certification current,
you will demonstrate your dedication to staying abreast of security developments.
Consider some of the reasons for attaining a CISSP certification:

• To broaden your current knowledge of security concepts and practices
• To demonstrate your expertise as a seasoned security professional
• To become more marketable in a competitive workforce
• To increase your salary and be eligible for more employment opportunities
• To bring improved security expertise to your current occupation
• To show a dedication to the security discipline

The CISSP certification helps companies identify which individuals have the ability,
knowledge, and experience necessary to implement solid security practices; perform risk
analysis; identify necessary countermeasures; and help the organization as a whole protect
its facility, network, systems, and information. The CISSP certification also shows potential
employers you have achieved a level of proficiency and expertise in skill sets and knowledge
required by the security industry. The increasing importance placed on security in
corporate success will only continue in the future, leading to even greater demands for
highly skilled security professionals. The CISSP certification shows that a respected third-
party organization has recognized an individual’s technical and theoretical knowledge and
expertise, and distinguishes that individual from those who lack this level of knowledge.
Understanding and implementing security practices is an essential part of being a good
network administrator, programmer, or engineer. Job descriptions that do not specifically
target security professionals still often require that a potential candidate have a good
understanding of security concepts as well as how to implement them. Due to staff size and
budget restraints, many organizations can’t afford separate network and security staffs. But
they still believe security is vital to their organization. Thus, they often try to combine
knowledge of technology and security into a single role. With a CISSP designation, you can
put yourself head and shoulders above other individuals in this regard.

The CISSP Exam

Because the CISSP exam covers the eight domains making up the CISSP CBK, it is often
described as being “an inch deep and a mile wide,” a reference to the fact that many
questions on the exam are not very detailed and do not require you to be an expert in every
subject. However, the questions do require you to be familiar with many different security
subjects.
As of 18 December 2017, the CISSP exam comes in two versions depending on the
language in which the test is written. The English version is now a Computer Adaptive
Test (CAT) in which the number of questions you are asked depends on your measured
level of knowledge but ranges from 100 to 150. Of these, 25 questions will not count
toward your score, as they are being evaluated for inclusion in future exams (this is why
they are sometimes called pre-test questions). Essentially, the easier it is for the test software
to determine your level of proficiency, the fewer questions you’ll get. Regardless of how
many questions you are presented, though, you will have no more than three hours to
complete the test. When the system has successfully assessed your level of knowledge, the
test will end regardless of how long you’ve been at it.

EXAM TIP CAT questions are intentionally designed to “feel” hard (based on the
system’s estimate of your knowledge), so don’t be discouraged. Just don’t get bogged
down, because you must answer at least 100 questions in three hours.

The non-English version of the CISSP exam is also computer-based but not adaptive
and comprises 250 questions, which must be answered in no more than six hours. Like the
CAT version, 25 questions are pre-test (unscored), so you will be graded on the other 225
questions. The 25 research questions are integrated into the exam, so you won’t know
which go toward your final grade. To pass the exam, you need a scale score of 700 points
out of 1,000.
Regardless of which version of the exam you take, you can expect multiple choice and
innovative questions. Innovative questions incorporate drag-and-drop (i.e., take a term or
item and drag it to the correct position in the frame) or hotspot (i.e., click the item or term
that correctly answers the question) interfaces, but are otherwise weighed and scored just
like any other question. The questions are pulled from a much larger question bank to
ensure the exam is as unique as possible for each examinee. In addition, the test bank
constantly changes and evolves to more accurately reflect the real world of security. The
exam questions are continually rotated and replaced in the bank as necessary. Questions are
weighted based on their difficulty; not all questions are worth the same number of points.
The exam is not product or vendor oriented, meaning no questions will be specific to
certain products or vendors (for instance, Windows, Unix, or Cisco). Instead, you will be
tested on the security models and methodologies used by these types of systems.

EXAM TIP There is no penalty for guessing. If you can’t come up with the right answer
in a reasonable amount of time, then you should guess and move on to the next
question.

(ISC)2, which stands for International Information Systems Security Certification
Consortium, also includes scenario-based questions in the CISSP exam. These questions
present a short scenario to the test taker rather than asking the test taker to identify terms
and/or concepts. The goal of the scenario-based questions is to ensure that test takers not
only know and understand the concepts within the CBK but also can apply this knowledge
to real-life situations. This is more practical because in the real world, you won’t be
challenged by having someone asking you, “What is the definition of collusion?” You need
to know how to detect and prevent collusion from taking place, in addition to knowing the
definition of the term.
After passing the exam, you will be asked to supply documentation, supported by a
sponsor, proving that you indeed have the type of experience required to obtain this
certification. The sponsor must sign a document vouching for the security experience you
are submitting. So, make sure you have this sponsor lined up prior to registering for the
exam and providing payment. You don’t want to pay for and pass the exam, only to find
you can’t find a sponsor for the final step needed to achieve your certification.
The reason behind the sponsorship requirement is to ensure that those who achieve the
certification have real-world experience to offer organizations. Book knowledge is extremely
important for understanding theory, concepts, standards, and regulations, but it can never
replace hands-on experience. Proving your practical experience supports the relevance of
the certification.
A small sample group of individuals selected at random will be audited after passing the
exam. The audit consists mainly of individuals from (ISC)2 calling on the candidates’
sponsors and contacts to verify the test taker’s related experience.
One of the factors that makes the CISSP exam challenging is that most candidates,
although they work in the security field, are not necessarily familiar with all eight CBK
domains. If a security professional is considered an expert in vulnerability testing or
application security, for example, she may not be familiar with physical security,
cryptography, or forensics. Thus, studying for this exam will broaden your knowledge of
the security field.
The exam questions address the eight CBK security domains, which are described in
Table 1.

Table 1 Security Domains That Make Up the CISSP CBK

(ISC)2 attempts to keep up with changes in technology and methodologies in the
security field by adding numerous new questions to the test question bank each year. These
questions are based on current technologies, practices, approaches, and standards. For
example, the CISSP exam given in 1998 did not have questions pertaining to wireless
security, cross-site scripting attacks, or IPv6.

What Does This Book Cover?

This book covers everything you need to know to become an (ISC)2-certified CISSP. It
teaches you the hows and whys behind organizations’ development and implementation of
policies, procedures, guidelines, and standards. It covers network, application, and system
vulnerabilities; what exploits them; and how to counter these threats. The book explains
physical security, operational security, and why systems implement the security mechanisms
they do. It also reviews the U.S. and international security criteria and evaluations
performed on systems for assurance ratings, what these criteria mean, and why they are
used. This book also explains the legal and liability issues that surround computer systems
and the data they hold, including such subjects as computer crimes, forensics, and what
should be done to properly prepare computer evidence associated with these topics for
court.
While this book is mainly intended to be used as a study guide for the CISSP exam, it is
also a handy reference guide for use after your certification.

Tips for Taking the CISSP Exam

Many people feel as though the exam questions are tricky. Make sure to read each question
and its answer choices thoroughly instead of reading a few words and immediately
assuming you know what the question is asking. Some of the answer choices may have only
subtle differences, so be patient and devote time to reading through the question more than
once.
A common complaint heard about the CISSP exam is that some questions seem a bit
subjective. For example, whereas it might be easy to answer a technical question that asks
for the exact mechanism used in Transport Layer Security (TLS) that protects against man-
in-the-middle attacks, it’s not quite as easy to answer a question that asks whether an eight-
foot perimeter fence provides low, medium, or high security. Many questions ask the test
taker to choose the “best” approach, which some people find confusing and subjective.
These complaints are mentioned here not to criticize (ISC)2 and the exam writers, but to
help you better prepare for the exam. This book covers all the necessary material for the
exam and contains many questions and self-practice tests. Most of the questions are
formatted in such a way as to better prepare you for what you will encounter on the actual
exam. So, make sure to read all the material in the book, and pay close attention to the
questions and their formats. Even if you know the subject well, you may still get some
answers wrong—it is just part of learning how to take tests.
In answering many questions, it is important to keep in mind that some things are
inherently more valuable than others. For example, the protection of human lives and
welfare will almost always trump all other responses. Similarly, if all other factors are equal
and you are given a choice between an expensive and complex solution and a simpler and
cheaper one, the second will win most of the time. Expert advice (e.g., from an attorney) is
more valuable than that offered by someone with lesser credentials. If one of the possible
responses to a question is to seek or obtain advice from an expert, pay close attention to
that question. The correct response may very well be to seek out that expert.
Familiarize yourself with industry standards and expand your technical knowledge and
methodologies outside the boundaries of what you use today. We cannot stress enough that
just because you are the top dog in your particular field, it doesn’t mean you are properly
prepared for every domain the exam covers.
When you take the CISSP exam at the Pearson VUE test center, other certification
exams may be taking place simultaneously in the same room. Don’t feel rushed if you see
others leaving the room early; they may be taking a shorter exam.

How to Use This Book

Much effort has gone into putting all the necessary information into this book. Now it’s up
to you to study and understand the material and its various concepts. To best benefit from
this book, you might want to use the following study method:

• Study each chapter carefully and make sure you understand each concept presented.
Many concepts must be fully understood, and glossing over a couple here and there
could be detrimental to you. The CISSP CBK contains hundreds of individual topics,
so take the time needed to understand them all.
• Make sure to study and answer all of the questions. If any questions confuse you, go
back and study those sections again. Remember, some of the questions on the actual
exam are a bit confusing because they do not seem straightforward. Do not ignore the
confusing questions, thinking they’re not well worded. Instead, pay even closer
attention to them because they are there for a reason.
• If you are not familiar with specific topics, such as firewalls, laws, physical security, or
protocol functionality, use other sources of information (books, articles, and so on) to
attain a more in-depth understanding of those subjects. Don’t just rely on what you
think you need to know to pass the CISSP exam.
• After reading this book, study the questions and answers, and take the practice tests.
Then review the (ISC)2 exam outline and make sure you are comfortable with each
bullet item presented. If you are not comfortable with some items, revisit those
chapters.
• If you have taken other certification exams—such as Cisco, Novell, or Microsoft—
you might be used to having to memorize details and configuration parameters. But
remember, the CISSP test is “an inch deep and a mile wide,” so make sure you
understand the concepts of each subject before trying to memorize the small, specific
details.
• Remember that the exam is looking for the “best” answer. On some questions test
takers do not agree with any or many of the answers. You are being asked to choose
the best answer out of the four being offered to you.
