Ebook Cissp All in One Exam Guide 3 Full Chapter PDF
Praise for CISSP® All-in-One Exam Guide
A must-have reference for any cyber security practitioner, this book provides invaluable
practical knowledge on the increasingly complex universe of security concepts, controls,
and best practices necessary to do business in today’s world.
Steve Zalewski,
Chief Security Architect,
Levi Strauss & Co.
Shon Harris put the CISSP certification on the map with this golden bible of the CISSP.
Fernando Maymí carries that legacy forward beautifully with clarity, accuracy, and balance.
I am sure that Shon would be proud.
David R. Miller, CISSP; GIAC GISP; PCI QSA;
SME; MCT; MCITPro Enterprise Admin;
MCSE NT 4.0, 2000, 2003, 2008; CEH;
ECSA; LPT; CCNA; CWNA; CNE;
GIAC GISF; CompTIA Security+, etc.…
An excellent reference. Written clearly and concisely, this book is invaluable to students,
educators, and practitioners alike.
Dr. Joe Adams, Founder and Executive
Director, Michigan Cyber Range
A lucid, enlightening, and comprehensive tour de force through the breadth of cyber
security. Maymí and Harris are masters of the craft.
Dr. Greg Conti, Founder,
Kopidion LLC
I wish I found this book earlier in my career. It certainly was the single tool I used to pass
the CISSP exam, but more importantly it has taught me about security from many aspects I
did not even comprehend previously. I think the knowledge that I gained from this book is
going to help me in many years to come. Terrific book and resource!
Janet Robinson,
Chief Security Officer
The “All-in-One Exam Guide” is probably responsible for preventing tens of thousands of
cyberattacks and for providing the strategic, operational, and tactical knowledge to secure
vital government and corporate data centers and networks.
I personally used Shon’s work to achieve my CISSP and I have globally recommended it
to many audiences. I have led many large organizations and one of my fundamental
requirements for any of the budding CISSPs that I have mentored on their path to achieve
a CISSP certificate was that they had to do two things before I would send them to a
CISSP training boot camp. First, they had to prove to me they read Shon’s Gold Book, as I
called it, and second they had to attend a free online CISSP preparation seminar. I had
great success with this methodology.
I look forward to all future editions.
Bill Ross, CISSP, CISM, IAM,
SABSA Master Intelligence Officer, ITIL
Shon Harris and the “All-in-One CISSP” book have been the secret to my success. While at
RSA I engaged Shon in getting 90 percent of the worldwide sales engineers CISSP certified,
all with the assistance of this book. I took this same program with me to Symantec, and
Shon worked with me to ensure we had the same type of results with both security
engineers and security executives at Symantec. Her straightforward approach contained in
this book gave each individual the specific information they needed to take the CISSP
exam. As a plus, each of them gained a great deal of knowledge and solid base that is
required by today’s security professionals. I count myself as fortunate to have been
introduced to Shon and the “All-in-One CISSP” early in my security career!
Rick Hanson,
CISSP Symantec Security Business Practice
Shon Harris is amazing at explaining the most complicated technologies in very simplified
terms. This is a great book for studying for the CISSP exam, but also the only reference
manual needed for any technical library.
Casey Batz,
Network Security Engineer, VMware
Shon’s “CISSP All-in-One Guide” has been the go-to study guide for the more than 200
new CISSP holders developed in our region over the last two years. It continues to be a
great asset for both the novice and experienced security practitioner.
Alex Humber, Symantec Corporation
Not coming from a technical background, your guide was exactly what was needed to
prepare for the CISSP exam. The material was presented in a way that allowed for not only
grasping the concepts but also understanding them. The CISSP exam is one of the toughest
out there, and your guide is a great tool for preparing for that rigorous undertaking.
Dr. Kevin Schatzle, CISSP, CFE, CPP
I heard from others for years that Harris’ CISSP book was the gold star and now that I am
getting around to preparing for the exam—I see exactly what they mean. I thought I had a
firm grasp on most items that make up information security, but this book really showed
me that there is a lot more involved than I imagined. This book has broadened my horizons
and provided me deep insight. And by the way, I passed the CISSP exam easily from just
studying this one book.
Paul Rose, CEH, CISA, and now
CISSP Security Compliance Officer
Shon Harris really takes a different approach to writing, which helped me tremendously.
The explanations, scenarios, metaphors, and a sprinkle of humor here and there made this
book enjoyable—instead of a dreaded task. Some of the technical concepts I learned ten or
more years ago, but after reading this book I now see how I did not understand these
concepts to the necessary depth and I also understand how these technologies work
together in the real world. The book has made me a much better security professional and
allowed me to get my CISSP certification. Thanks for such a great piece of work!
Mike Peterson, Information Security Officer
Copyright © 2019 by McGraw-Hill Education. All rights reserved. Except as permitted
under the United States Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or retrieval
system, without the prior written permission of the publisher, with the exception that the
program listings may be entered, stored, and executed in a computer system, but they may
not be reproduced for publication.
ISBN: 978-1-26-014264-8
MHID: 1-26-014264-7
The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-014265-5, MHID: 1-26-014265-5.
All trademarks are trademarks of their respective owners. Rather than put a trademark
symbol after every occurrence of a trademarked name, we use names in an editorial fashion
only, and to the benefit of the trademark owner, with no intention of infringement of the
trademark. Where such designations appear in this book, they have been printed with
initial caps.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights
in and to the work. Use of this work is subject to these terms. Except as permitted under
the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you
may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative
works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or
any part of it without McGraw-Hill Education’s prior consent. You may use the work for
your own noncommercial and personal use; any other use of the work is strictly prohibited.
Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS
LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE
ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE
OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION
THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR
OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill
Education and its licensors do not warrant or guarantee that the functions contained in the
work will meet your requirements or that its operation will be uninterrupted or error free.
Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for
any inaccuracy, error or omission, regardless of cause, in the work or for any damages
resulting therefrom. McGraw-Hill Education has no responsibility for the content of any
information accessed through the work. Under no circumstances shall McGraw-Hill
Education and/or its licensors be liable for any indirect, incidental, special, punitive,
consequential or similar damages that result from the use of or inability to use the work,
even if any of them has been advised of the possibility of such damages. This limitation of
liability shall apply to any claim or cause whatsoever whether such claim or cause arises in
contract, tort or otherwise.
We dedicate this book to all those who have served selflessly.
ABOUT THE AUTHORS
Shon Harris, CISSP, was the founder and CEO of Shon Harris Security LLC and Logical
Security LLC, a security consultant, a former engineer in the Air Force’s Information
Warfare unit, an instructor, and an author. Shon owned and ran her own training and
consulting companies for 13 years prior to her death in 2014. She consulted with Fortune
100 corporations and government agencies on extensive security issues. She authored three
best-selling CISSP books, was a contributing author to Gray Hat Hacking: The Ethical
Hacker’s Handbook and Security Information and Event Management (SIEM)
Implementation, and a technical editor for Information Security Magazine.
Fernando Maymí, Ph.D., CISSP, is Lead Scientist in the Cyber and Secure Autonomy
division of Soar Technology, Inc., an artificial intelligence research and development
company, a retired Army officer, and a former West Point faculty member with over 25
years’ experience in the field. He is currently leading multiple advanced research projects
developing autonomous cyberspace agents for the Department of Defense. Fernando has
developed and conducted large-scale cyber security exercises for major cities in the United
States and abroad, and served as advisor for senior leaders around the world. He worked
closely with Shon Harris, advising her on a multitude of projects, including the sixth
edition of the CISSP All-in-One Exam Guide.
A+, Network+, Security+, and Mobility+ certifications.
CONTENTS AT A GLANCE
Index
CONTENTS
Trademark
Patent
Internal Protection of Intellectual Property
Software Piracy
Privacy
The Increasing Need for Privacy Laws
Laws, Directives, and Regulations
Employee Privacy Issues
Data Breaches
U.S. Laws Pertaining to Data Breaches
Other Nations’ Laws Pertaining to Data Breaches
Policies, Standards, Baselines, Guidelines, and Procedures
Security Policy
Standards
Baselines
Guidelines
Procedures
Implementation
Risk Management
Holistic Risk Management
Information Systems Risk Management Policy
The Risk Management Team
The Risk Management Process
Threat Modeling
Threat Modeling Concepts
Threat Modeling Methodologies
Risk Assessment and Analysis
Risk Assessment Team
The Value of Information and Assets
Costs That Make Up the Value
Identifying Vulnerabilities and Threats
Methodologies for Risk Assessment
Risk Analysis Approaches
Qualitative Risk Analysis
Protection Mechanisms
Total Risk vs. Residual Risk
Handling Risk
Supply Chain Risk Management
Upstream and Downstream Suppliers
Service Level Agreements
Risk Management Frameworks
Categorize Information System
Select Security Controls
Implement Security Controls
Assess Security Controls
Authorize Information System
Monitor Security Controls
Business Continuity and Disaster Recovery
Standards and Best Practices
Making BCM Part of the Enterprise Security Program
BCP Project Components
Personnel Security
Hiring Practices
Onboarding
Termination
Security Awareness Training
Degree or Certification?
Security Governance
Metrics
Ethics
The Computer Ethics Institute
The Internet Architecture Board
Corporate Ethics Programs
Summary
Quick Tips
Questions
Answers
Chapter 2 Asset Security
Information Life Cycle
Acquisition
Use
Archival
Disposal
Classification
Classification Levels
Classification Controls
Layers of Responsibility
Executive Management
Data Owner
Data Custodian
System Owner
Security Administrator
Supervisor
Change Control Analyst
Data Analyst
User
Auditor
Why So Many Roles?
Retention Policies
Developing a Retention Policy
Protecting Privacy
Data Owners
Data Processors
Data Remanence
Limits on Collection
Protecting Assets
Data Security Controls
Media Controls
Protecting Mobile Devices
Paper Records
Safes
Selecting Standards
Data Leakage
Data Leak Prevention
Summary
Quick Tips
Questions
Answers
Chapter 3 Security Architecture and Engineering
System Architecture
Computer Architecture
The Central Processing Unit
Multiprocessing
Memory Types
Operating Systems
Process Management
Memory Management
Input/Output Device Management
CPU Architecture Integration
Operating System Architectures
Virtual Machines
System Security Architecture
Security Policy
Security Architecture Requirements
Security Models
Bell-LaPadula Model
Biba Model
Clark-Wilson Model
Noninterference Model
Brewer and Nash Model
Graham-Denning Model
Harrison-Ruzzo-Ullman Model
Systems Evaluation
Common Criteria
Why Put a Product Through Evaluation?
Certification vs. Accreditation
Certification
Accreditation
Open vs. Closed Systems
Open Systems
Closed Systems
Systems Security
Client-Based Systems
Client-Server Systems
Distributed Systems
Cloud Computing
Parallel Computing
Database Systems
Web-Based Systems
Mobile Systems
Cyber-Physical Systems
A Few Threats to Review
Maintenance Hooks
Time-of-Check/Time-of-Use Attacks
Cryptography in Context
The History of Cryptography
Cryptography Definitions and Concepts
Kerckhoffs’ Principle
The Strength of the Cryptosystem
One-Time Pad
Running and Concealment Ciphers
Steganography
Types of Ciphers
Substitution Ciphers
Transposition Ciphers
Methods of Encryption
Symmetric vs. Asymmetric Algorithms
Symmetric Cryptography
Block and Stream Ciphers
Hybrid Encryption Methods
Types of Symmetric Systems
Data Encryption Standard
Triple-DES
Advanced Encryption Standard
International Data Encryption Algorithm
Blowfish
RC4
RC5
RC6
Types of Asymmetric Systems
Diffie-Hellman Algorithm
RSA
El Gamal
Elliptic Curve Cryptosystems
Knapsack
Zero Knowledge Proof
Message Integrity
The One-Way Hash
Various Hashing Algorithms
MD4
MD5
SHA
Attacks Against One-Way Hash Functions
Public Key Infrastructure
Certificate Authorities
Certificates
The Registration Authority
PKI Steps
Applying Cryptography
Services of Cryptosystems
Digital Signatures
Digital Signature Standard
Key Management
Trusted Platform Module
Digital Rights Management
Attacks on Cryptography
Ciphertext-Only Attacks
Known-Plaintext Attacks
Chosen-Plaintext Attacks
Chosen-Ciphertext Attacks
Differential Cryptanalysis
Linear Cryptanalysis
Side-Channel Attacks
Replay Attacks
Algebraic Attacks
Analytic Attacks
Statistical Attacks
Social Engineering Attacks
Meet-in-the-Middle Attacks
Site and Facility Security
The Site Planning Process
Crime Prevention Through Environmental Design
Designing a Physical Security Program
Internal Support Systems
Electric Power
Environmental Issues
Fire Prevention, Detection, and Suppression
Summary
Quick Tips
Questions
Answers
Chapter 4 Communication and Network Security
Principles of Network Architectures
Open Systems Interconnection Reference Model
Protocol
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
Functions and Protocols in the OSI Model
Tying the Layers Together
Multilayer Protocols
TCP/IP Model
TCP
IP Addressing
IPv6
Layer 2 Security Standards
Converged Protocols
Transmission Media
Types of Transmission
Cabling
Wireless Networks
Wireless Communications Techniques
WLAN Components
Evolution of WLAN Security
Wireless Standards
Best Practices for Securing WLANs
Satellites
Mobile Wireless Communication
Networking Foundations
Network Topology
Media Access Technologies
Transmission Methods
Network Protocols and Services
Address Resolution Protocol
Dynamic Host Configuration Protocol
Internet Control Message Protocol
Simple Network Management Protocol
Domain Name Service
E-mail Services
Network Address Translation
Routing Protocols
Network Components
Repeaters
Bridges
Routers
Switches
Gateways
PBXs
Firewalls
Proxy Servers
Unified Threat Management
Content Distribution Networks
Software Defined Networking
Endpoints
Honeypot
Network Access Control
Virtualized Networks
Intranets and Extranets
Metropolitan Area Networks
Metro Ethernet
Wide Area Networks
Telecommunications Evolution
Dedicated Links
WAN Technologies
Communications Channels
Multiservice Access Technologies
H.323 Gateways
Digging Deeper into SIP
IP Telephony Issues
Remote Access
Dial-up Connections
ISDN
DSL
Cable Modems
VPN
Authentication Protocols
Network Encryption
Link Encryption vs. End-to-End Encryption
E-mail Encryption Standards
Internet Security
Network Attacks
Denial of Service
Sniffing
DNS Hijacking
Drive-by Download
Summary
Quick Tips
Questions
Answers
Chapter 5 Identity and Access Management
Access Controls Overview
Security Principles
Availability
Integrity
Confidentiality
Identification, Authentication, Authorization, and Accountability
Identification and Authentication
Authentication Methods
Authorization
Accountability
Session Management
Federation
Integrating Identity as a Service
On-premise
Cloud
Integration Issues
Access Control Mechanisms
Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
Rule-Based Access Control
Attribute-Based Access Control
Access Control Techniques and Technologies
Constrained User Interfaces
Remote Access Control Technologies
Access Control Matrix
Content-Dependent Access Control
Context-Dependent Access Control
Managing the Identity and Access Provisioning Life Cycle
Provisioning
User Access Review
System Account Access Review
Deprovisioning
Controlling Physical and Logical Access
Access Control Layers
Administrative Controls
Physical Controls
Technical Controls
Access Control Practices
Unauthorized Disclosure of Information
Access Control Monitoring
Intrusion Detection Systems
Intrusion Prevention Systems
Threats to Access Control
Dictionary Attack
Brute-Force Attacks
Spoofing at Logon
Phishing and Pharming
Summary
Quick Tips
Questions
Answers
Chapter 6 Security Assessment and Testing
Assessment, Test, and Audit Strategies
Internal Audits
External Audits
Third-Party Audits
Test Coverage
Auditing Technical Controls
Vulnerability Testing
Penetration Testing
War Dialing
Other Vulnerability Types
Postmortem
Log Reviews
Synthetic Transactions
Misuse Case Testing
Code Reviews
Code Testing
Interface Testing
Auditing Administrative Controls
Account Management
Backup Verification
Disaster Recovery and Business Continuity
Security Training and Security Awareness Training
Key Performance and Risk Indicators
Reporting
Analyzing Results
Writing Technical Reports
Executive Summaries
Management Review and Approval
Before the Management Review
Reviewing Inputs
Management Approval
Summary
Quick Tips
Questions
Answers
Chapter 7 Security Operations
The Role of the Operations Department
Administrative Management
Security and Network Personnel
Accountability
Clipping Levels
Physical Security
Facility Access Control
Personnel Access Controls
External Boundary Protection Mechanisms
Intrusion Detection Systems
Patrol Force and Guards
Dogs
Auditing Physical Access
Internal Security Controls
Secure Resource Provisioning
Asset Inventory
Asset Management
Configuration Management
Trusted Recovery
Input and Output Controls
System Hardening
Remote Access Security
Provisioning Cloud Assets
Network and Resource Availability
Mean Time Between Failures
Mean Time to Repair
Single Points of Failure
Backups
Contingency Planning
Preventing and Detecting
Continuous Monitoring
Firewalls
Intrusion Detection and Prevention Systems
Whitelisting and Blacklisting
Antimalware
Vulnerability Management
Patch Management
Sandboxing
Honeypots and Honeynets
Egress Monitoring
Security Information and Event Management
Outsourced Services
The Incident Management Process
Detection
Response
Mitigation
Reporting
Recovery
Remediation
Investigations
Computer Forensics and Proper Collection of Evidence
Motive, Opportunity, and Means
Computer Criminal Behavior
Incident Investigators
Types of Investigations
The Forensic Investigation Process
What Is Admissible in Court?
Surveillance, Search, and Seizure
Disaster Recovery
Business Process Recovery
Recovery Site Strategies
Supply and Technology Recovery
Backup Storage Strategies
End-User Environment
Availability
Liability and Its Ramifications
Liability Scenarios
Third-Party Risk
Contractual Agreements
Procurement and Vendor Processes
Insurance
Implementing Disaster Recovery
Personnel
Assessment
Restoration
Communications
Training
Personal Safety Concerns
Emergency Management
Duress
Travel
Training
Summary
Quick Tips
Questions
Answers
Chapter 8 Software Development Security
Building Good Code
Where Do We Place Security?
Different Environments Demand Different Security
Environment vs. Application
Functionality vs. Security
Implementation and Default Issues
Software Development Life Cycle
Project Management
Requirements Gathering Phase
Design Phase
Development Phase
Testing Phase
Operations and Maintenance Phase
Software Development Methodologies
Waterfall Methodology
V-Shaped Methodology
Prototyping
Incremental Methodology
Spiral Methodology
Rapid Application Development
Agile Methodologies
Integrated Product Team
DevOps
Capability Maturity Model Integration
Change Management
Change Control
Security of Development Environments
Security of Development Platforms
Security of Code Repositories
Software Configuration Management
Secure Coding
Source Code Vulnerabilities
Secure Coding Practices
Programming Languages and Concepts
Assemblers, Compilers, Interpreters
Object-Oriented Concepts
Other Software Development Concepts
Application Programming Interfaces
Distributed Computing
Distributed Computing Environment
CORBA and ORBs
COM and DCOM
Java Platform, Enterprise Edition
Service-Oriented Architecture
Mobile Code
Java Applets
ActiveX Controls
Web Security
Specific Threats for Web Environments
Web Application Security Principles
Database Management
Database Management Software
Database Models
Database Programming Interfaces
Relational Database Components
Integrity
Database Security Issues
Data Warehousing and Data Mining
Malicious Software (Malware)
Viruses
Worms
Rootkit
Spyware and Adware
Botnets
Logic Bombs
Trojan Horses
Antimalware Software
Spam Detection
Antimalware Programs
Assessing the Security of Acquired Software
Summary
Quick Tips
Questions
Answers
Appendix A Comprehensive Questions
Answers
Appendix B About the Online Content
System Requirements
Your Total Seminars Training Hub Account
Single User License Terms and Conditions
TotalTester Online
Hotspot and Drag-and-Drop Questions
Online Flash Cards
Single User License Terms and Conditions
Technical Support
Glossary
Index
IN MEMORY OF SHON HARRIS
In the summer of 2014, Shon asked me to write a foreword for the new edition of her
CISSP All-in-One Exam Guide. I was honored to do that, and the following two paragraphs
are that original foreword. Following that, I will say more about my friend, the late Shon
Harris.
The cyber security field is still relatively new and has been evolving as technology
advances. Every decade or so, we have an advance or two that seems to change the game.
For example, in the 1990s we were focused primarily on “perimeter defense.” Lots of
money was spent on perimeter devices like firewalls to keep the bad guys out. Around
2000, recognizing that perimeter defense alone was insufficient, the “defense in depth”
approach became popular, and we spent another decade trying to build layers of defense
and detect the bad guys who were able to get past our perimeter defenses. Again, lots of
money was spent, this time on intrusion detection, intrusion prevention, and end-point
solutions. Then, around 2010, following the lead of the U.S. government in particular, we
began to focus on “continuous monitoring,” the goal being to catch the bad guys inside the
network if they get past the perimeter defense and the defense in depth. Security
information and event management (SIEM) technology has emerged as the best way to
handle this continuous monitoring requirement. The latest buzz phrase is “active defense,”
which refers to the ability to respond in real time through a dynamic and changing defense
that works to contain the attacker and allow the organization to recover quickly and get
back to business. We are starting to see the re-emergence of honeypots combined with
sandbox technology to bait and trap attackers for further analysis of their activity. One
thing is common throughout this brief historical survey: the bad guys keep getting in and
we keep responding to try and keep up, if not prevent them in the first place. This cat-and-mouse game will continue for the foreseeable future.
As the cyber security field continuously evolves to meet the latest emerging threats, each
new strategy and tactic brings with it a new set of terminology and concepts for the security
professional to master. The sheer bulk of the body of knowledge can be overwhelming,
particularly to newcomers. As a security practitioner, consultant, and business leader, I am
often asked by aspiring security practitioners where to start when trying to get into the
field. I often refer them to Shon’s CISSP All-in-One Exam Guide, not necessarily for the
purpose of becoming a CISSP, but so that they may have in one resource the body of
knowledge in the field. I am also often asked by experienced security practitioners how to
advance in the field. I encourage them to pursue CISSP certification and, once again, I refer
them to Shon’s book. Some are destined to become leaders in the field, and the CISSP is a
solid certificate for managers. Other security professionals I encounter are just looking for
more breadth of knowledge, and I recommend Shon’s book to them too as a good one-stop
reference for that. This book has stood the test of time. It has evolved as the field has
evolved and stands as the single most important book in the cyber security field, period. I
have personally referred to it several times throughout my career and keep a copy near me
at all times on my Kindle. Simply put, if you are in the cyber security field, you need a copy
of this book.
On a personal note, little did I know that within months of writing the preceding
foreword, Shon would no longer be with us. I counted Shon as a good friend and still
admire her for her contribution to the field. I met Shon at a CISSP boot camp in 2002. I
had just learned of the CISSP and within weeks found myself in her class. I had no clue
that she had already written several books by that time and was a true leader in the field. I
must have chattered away during our lunch sessions, because a few months after the class,
she reached out to me and said, “Hey, I remember you were interested in writing. I have a
new project that I need help on. Would you like to help?” After an awkward pause, as I
picked myself up from the floor, I told her that I felt underqualified, but yes! That started a
journey that has blessed me many times over. The book was called Gray Hat Hacking and is
now in the fourth edition. From the book came many consulting, writing, and teaching
opportunities, such as Black Hat. Then, as I retired from the Marine Corps, in 2008, there
was Shon, right on cue: “Hey, I have an opportunity to provide services to a large company.
Would you like to help?” Just like that, I had my first large client, launching my company,
which I was able to grow, with Shon’s help, and then sell a couple of years ago. During the
12 years I knew her, Shon continued to give me opportunities to become much more than
I could have dreamed. She never asked for a thing in return, simply saying, “You take it and
run with it, I am too busy doing other things.” As I think back over my career after the
Marine Corps, I owe most of my success to Shon. I have shared this story with others and
found that I am not the only one; Shon blessed so many people with her giving spirit. I am
convinced there are many “Shon” stories like this one out there. She touched so many
people in the security field and more than lived up to the nickname I had for her, Miss
CISSP.
Without a doubt, Shon was the most kindhearted, generous, and humble person in the
field. If you knew Shon, I know you would echo that sentiment. If you did not know Shon,
I hope that through these few words, you understand why she was so special and why there
had to be another edition of this book. I have been asked several times over the last year,
“Do you think there will be another edition? The security field and CISSP certification
have both changed so much, we need another edition.” For this reason, I am excited this
new edition came to be. Shon would have wanted the book to go on helping people to be
the best they can be. I believe we, as a profession, need this book to continue. So, I am
thankful that the team from McGraw-Hill and Fernando are honoring Shon in this way
and continuing her legacy. She truly deserves it. Shon, you are missed and loved by so
many. Through this book, your generous spirit lives on, helping others.
FOREWORD
I’m excited and honored to introduce the eighth edition of CISSP All-in-One Exam Guide
to cyber security experts worldwide. This study guide is essential for those pursuing CISSP
certification and should be part of every cyber security professional’s library.
After 39 years of service in the Profession of Arms, I know well what it means to be a
member of a profession and the importance of shared values, common language, and
identity. At the same time, expert knowledge gained through training, education, and
experience is critical to a profession, but formal certifications based on clearly articulated
standards are the coin of the realm for cyber security professionals.
In every operational assignment, I sought ways to leverage technology and increase
digitization, while assuming our freedom to operate was not at risk. Today’s threats coupled
with our vulnerabilities and the potential consequences create a new operational reality—
national security is at risk. When we enter any network, we must fight to ensure we
maintain our security, and cyber security experts are the professionals we will call on to out-think and out-maneuver the threats we face from cyberspace.
As our world becomes more interconnected, we can expect cyber threats to continue to
grow exponentially. While our cyber workforce enabled by technology must focus on
preventing threats and reducing vulnerabilities, we will not eliminate either. This demands
professionals who understand risk management and security—experts who are trusted and
committed to creating and providing a wide range of security measures tailored to mitigate
enterprise risk and assure all missions, public and private.
Current, relevant domain expertise is the key, and the CISSP All-in-One Exam Guide is
the king of the hill. In this edition, Shon’s quality content is present and is being stewarded
forward by Fernando Maymí. You’re in good hands, and you will grow personally and
professionally from your study. As competent, trusted professionals of character, this book
is essential to you, your organization, and our national security.
Rhett Hernandez
Lieutenant General, U.S. Army Retired
Former Commander, U.S. Army Cyber Command
Current West Point Cyber Chair, Army Cyber Institute
FROM THE AUTHOR
In April 2018, (ISC)² released a revised version of the CISSP Common Body of Knowledge
(CBK). After reviewing the changes, and in light of an ever-changing information security
landscape, we felt compelled to update the CISSP All-in-One Exam Guide and publish its
eighth edition. What are the big changes in the CBK? None, really. What this revision did
was shuffle some topics around and make some adjustments to the emphasis that previous
topics receive. Some notable changes are listed here:
• Secure coding This is probably the biggest winner. (ISC)2 is placing increased
emphasis on this critical topic. The seventh edition of this book already placed a fair
amount of emphasis on secure coding, but we updated our coverage to ensure you
have the information you need whether or not you have a background in software
development.
• IoT It is noteworthy that, while the 2015 CBK included the more general terms
“embedded devices” and “cyber-physical systems,” the Internet of Things (IoT) is
now being singled out as an area of increased attention. We had already included a
section on IoT security in the previous edition and just call this out to help you
prepare.
• Supply chain (ISC)2 has broadened the scope of acquisition practices to look at the
entire supply chain and has integrated this new topic with risk management. It all
makes sense, particularly in the wake of multiple incidents that have come to light in
the last couple of years highlighting the vulnerabilities that the supply chain poses to
many organizations.
• Audits Whereas in the last version of the CBK this was a single topic, we now see it
broken down into internal, external, and third-party audit issues. We already covered
internal and third-party audits in the previous edition of this book, so we freshened
those up and added coverage of external audits.
The goal of this book is not just to get you to pass the CISSP exam, but to provide you
the bedrock of knowledge that will allow you to flourish as an information systems security
professional before and after you pass the certification exam. If you strive for excellence in
your own development, the CISSP certification will follow as a natural byproduct. This
approach will demand that you devote time and energy to topics and issues that may seem
to have no direct or immediate return on investment. That is OK. We each have our own
areas of strength and weakness, and many of us tend to reinforce the former while ignoring
the latter. This leads to individuals who have tremendous depth in a very specific topic, but
who lack the breadth to understand context or thrive in new and unexpected conditions.
What we propose is an inversion of this natural tendency, so that we devote appropriate
amounts of effort to those areas in which we are weakest. What we propose is that we
balance the urge to be specialists with the need to be well-rounded professionals. This is
what our organizations and societies need from us.
The very definition of a profession describes a group of trusted, well-trained individuals
that performs a critical service that societies cannot do for themselves. In the case of the
CISSP, this professional ensures the availability, integrity, and confidentiality of our
information systems. This cannot be done simply by being the best firewall administrator,
or the best forensic examiner, or the best reverse engineer. Instead, our service requires a
breadth of knowledge that will allow us to choose the right tool for the job. This relevant
knowledge, in turn, requires a foundation of (apparently less relevant) knowledge upon
which we can build our expertise. This is why, in order to be competent professionals, we
all need to devote ourselves to learning topics that may not be immediately useful.
This book provides an encyclopedic treatment of both directly applicable and
foundational knowledge. It is designed, as it always was, to be both a study guide and an
enduring reference. Our hope is that, long after you obtain your CISSP certification, you
will turn to this tome time and again to brush up on your areas of weakness as well as to
guide you in a lifelong pursuit of self-learning and excellence.
Acknowledgments
We would like to thank all the people who work in the information security industry who
are driven by their passion, dedication, and a true sense of doing right. The best security
people are the ones who are driven toward an ethical outcome.
In this eighth edition, we would also like to thank the following:
• David Miller, whose work ethic, loyalty, and friendship have continuously inspired
us.
• All the teammates from Logical Security.
• The men and women of our armed forces, who selflessly defend our way of life.
• Kathy Conlon, who, more than anyone else, set the conditions that led to eight
editions of this book.
• David Harris.
• Carol Remicci.
• Chris Gramling.
Most especially, we thank you, our readers, for standing on the frontlines of our digital
conflicts and for devoting your professional lives to keeping all of us safe in cyberspace.
WHY BECOME A CISSP?
As our world changes, the need for improvements in security and technology continues to
grow. Corporations and other organizations are desperate to identify and recruit talented
and experienced security professionals to help protect the resources on which they depend
to run their businesses and remain competitive. As a Certified Information Systems
Security Professional (CISSP), you will be seen as a security professional of proven ability
who has successfully met a predefined standard of knowledge and experience that is well
understood and respected throughout the industry. By keeping this certification current,
you will demonstrate your dedication to staying abreast of security developments.
Consider some of the reasons for attaining a CISSP certification:
The CISSP certification helps companies identify which individuals have the ability,
knowledge, and experience necessary to implement solid security practices; perform risk
analysis; identify necessary countermeasures; and help the organization as a whole protect
its facility, network, systems, and information. The CISSP certification also shows potential
employers you have achieved a level of proficiency and expertise in skill sets and knowledge
required by the security industry. The increasing importance placed on security in
corporate success will only continue in the future, leading to even greater demands for
highly skilled security professionals. The CISSP certification shows that a respected third-
party organization has recognized an individual’s technical and theoretical knowledge and
expertise, and distinguishes that individual from those who lack this level of knowledge.
Understanding and implementing security practices is an essential part of being a good
network administrator, programmer, or engineer. Job descriptions that do not specifically
target security professionals still often require that a potential candidate have a good
understanding of security concepts as well as how to implement them. Due to staff size and
budget restraints, many organizations can’t afford separate network and security staffs. But
they still believe security is vital to their organization. Thus, they often try to combine
knowledge of technology and security into a single role. With a CISSP designation, you can
put yourself head and shoulders above other individuals in this regard.
EXAM TIP CAT questions are intentionally designed to “feel” hard (based on the
system’s estimate of your knowledge), so don’t be discouraged. Just don’t get bogged
down, because you must answer at least 100 questions in three hours.
The non-English versions of the CISSP exam are also computer-based but are not adaptive.
They comprise 250 questions, which must be answered in no more than six hours. As with the
CAT version, 25 of those questions are pre-test (unscored) items, so you are graded on the
other 225. The 25 research questions are mixed in with the scored ones, so you will not know
which questions count toward your final grade. To pass, you need a scaled score of 700 points
out of 1,000.
Regardless of which version of the exam you take, you can expect both multiple-choice and
innovative questions. Innovative questions use drag-and-drop (i.e., take a term or item and
drag it to the correct position in the frame) or hotspot (i.e., click the item or term that
correctly answers the question) interfaces, but are otherwise weighted and scored just like
any other question. Questions are drawn from a much larger question bank so that each
examinee sees an exam that is as unique as possible. In addition, the test bank constantly
changes and evolves to more accurately reflect the real world of security; questions are
continually rotated and replaced in the bank as necessary. Questions are weighted by
difficulty, so not all questions are worth the same number of points.
The exam is not product or vendor oriented, meaning no questions will be specific to
certain products or vendors (for instance, Windows, Unix, or Cisco). Instead, you will be
tested on the security models and methodologies used by these types of systems.
EXAM TIP There is no penalty for guessing. If you can’t come up with the right answer
in a reasonable amount of time, then you should guess and move on to the next
question.
Table 1 Security Domains That Make Up the CISSP CBK
exam. So, make sure to read all the material in the book, and pay close attention to the
questions and their formats. Even if you know the subject well, you may still get some
answers wrong—it is just part of learning how to take tests.
In answering many questions, it is important to keep in mind that some things are
inherently more valuable than others. For example, the protection of human lives and
welfare will almost always trump all other responses. Similarly, if all other factors are equal
and you are given a choice between an expensive and complex solution and a simpler and
cheaper one, the second will win most of the time. Expert advice (e.g., from an attorney) is
more valuable than that offered by someone with lesser credentials. If one of the possible
responses to a question is to seek or obtain advice from an expert, pay close attention to
that question. The correct response may very well be to seek out that expert.
Familiarize yourself with industry standards and expand your technical knowledge and
methodologies outside the boundaries of what you use today. We cannot stress enough that
just because you are the top dog in your particular field, it doesn’t mean you are properly
prepared for every domain the exam covers.
When you take the CISSP exam at the Pearson VUE test center, other certification
exams may be taking place simultaneously in the same room. Don’t feel rushed if you see
others leaving the room early; they may be taking a shorter exam.
• Study each chapter carefully and make sure you understand each concept presented.
Many concepts must be fully understood, and glossing over a couple here and there
could be detrimental to you. The CISSP CBK contains hundreds of individual topics,
so take the time needed to understand them all.
• Make sure to study and answer all of the questions. If any questions confuse you, go
back and study those sections again. Remember, some of the questions on the actual
exam are a bit confusing because they do not seem straightforward. Do not ignore the
confusing questions, thinking they’re not well worded. Instead, pay even closer
attention to them because they are there for a reason.
• If you are not familiar with specific topics, such as firewalls, laws, physical security, or
protocol functionality, use other sources of information (books, articles, and so on) to
attain a more in-depth understanding of those subjects. Don’t just rely on what you
think you need to know to pass the CISSP exam.
• After reading this book, study the questions and answers, and take the practice tests.
Then review the (ISC)2 exam outline and make sure you are comfortable with each
bullet item presented. If you are not comfortable with some items, revisit those
chapters.
• If you have taken other certification exams—such as Cisco, Novell, or Microsoft—
you might be used to having to memorize details and configuration parameters. But
remember, the CISSP test is “an inch deep and a mile wide,” so make sure you
understand the concepts of each subject before trying to memorize the small, specific
details.
• Remember that the exam is looking for the “best” answer. On some questions test
takers do not agree with any or many of the answers. You are being asked to choose
the best answer out of the four being offered to you.