CISSP Cert Guide

By Troy McMillan and Robin M. Abernathy

List price: US$58.99


Description

Learn, prepare, and practice for CISSP exam success with the CISSP Cert Guide from Pearson IT Certification, a leader in IT Certification.

  • Master CISSP exam topics
  • Assess your knowledge with chapter-ending quizzes
  • Review key concepts with exam preparation tasks
  • Practice with realistic exam questions on the CD

CISSP Cert Guide is a best-of-breed exam study guide. Leading IT certification experts Troy McMillan and Robin Abernathy share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

You'll get a complete test preparation routine organized around proven series elements and techniques. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan.

The companion CD contains the powerful Pearson IT Certification Practice Test engine, complete with hundreds of exam-realistic questions. The assessment engine offers you a wealth of customization options and reporting features, laying out a complete assessment of your knowledge to help you focus your study where it is needed most, so you can succeed on the exam the first time.

This study guide helps you master all the topics on the CISSP exam, including:

  • Access control
  • Telecommunications and network security
  • Information security governance and risk management
  • Software development security
  • Cryptography
  • Security architecture and design
  • Operations security
  • Business continuity and disaster recovery planning
  • Legal, regulations, investigations, and compliance
  • Physical (environmental) security

Troy McMillan, Product Developer and Technical Editor at Kaplan Cert Prep, specializes in creating certification practice tests and study guides. He has 12 years of experience teaching Cisco, Microsoft, CompTIA, and Security classes for top training companies, including Global Knowledge and New Horizons. He holds more than 20 certifications from Microsoft, Cisco, VMware, and other leading technology organizations.

Robin M. Abernathy has more than a decade of experience in IT certification prep. For Kaplan IT Certification Preparation, she has written and edited preparation materials for many (ISC)2, Microsoft, CompTIA, PMI, Cisco, and ITIL certifications. She holds multiple IT certifications from these vendors.

Companion CD

The CD contains two free, complete practice exams, plus memory tables and answers to help you study more efficiently and effectively.

Pearson IT Certification Practice Test minimum system requirements:

Windows XP (SP3), Windows Vista (SP2), Windows 7, or Windows 8; Microsoft .NET Framework 4.0 Client; Pentium-class 1GHz processor (or equivalent); 512MB RAM; 650MB disk space plus 50MB for each downloaded practice exam; access to the Internet to register and download exam databases

Product details

  • Format: Mixed media product | 656 pages
  • Dimensions: 193.04 x 233.68 x 43.18mm | 1,224.69g
  • Publisher: Pearson IT Certification
  • Publication location: Upper Saddle River, United States
  • Language: English
  • ISBN-10: 0789751518
  • ISBN-13: 9780789751515
  • Bestsellers rank: 923,070

Table of contents

Introduction



Chapter 1 The CISSP Certification 3

The Goals of the CISSP Certification 3

Sponsoring Bodies 3

Stated Goals 4

The Value of the CISSP Certification 4

To the Security Professional 5

To the Enterprise 5

The Common Body of Knowledge 5

Access Control 5

Telecommunications and Network Security 6

Information Security Governance and Risk Management 6

Software Development Security 7

Cryptography 7

Security Architecture and Design 8

Operations Security 8

Business Continuity and Disaster Recovery Planning 8

Legal, Regulations, Investigations, and Compliance 9

Physical and Environmental Security 9

Steps to Becoming a CISSP 10

Qualifying for the Exam 10

Signing Up for the Exam 10

About the CISSP Exam 10



Chapter 2 Access Control 13

Foundation Topics 13

Access Control Concepts 13

CIA 13

Default Stance 14

Defense In Depth 14

Access Control Process 15

Identify Resources 15

Identify Users 15

Identify Relationships Between Resources and Users 16

Identification and Authentication Concepts 16

Three Factors for Authentication 17

Knowledge Factors 17

Identity and Account Management 18

Password Types and Management 19

Ownership Factors 22

Synchronous and Asynchronous Token 22

Memory Cards 22

Smart Cards 23

Characteristic Factors 23

Physiological Characteristics 24

Behavioral Characteristics 25

Biometric Considerations 26

Authorization Concepts 28

Access Control Policies 28

Separation of Duties 29

Least Privilege/Need-to-Know 29

Default to No Access 30

Directory Services 30

Single Sign-on 31

Kerberos 32

SESAME 34

Federated Identity Management 35

Security Domains 35

Accountability 35

Auditing and Reporting 36

Vulnerability Assessment 37

Penetration Testing 38

Access Control Categories 39

Compensative 40

Corrective 40

Detective 40

Deterrent 40

Directive 40

Preventive 41

Recovery 41

Access Control Types 41

Administrative (Management) Controls 41

Logical (Technical) Controls 43

Physical Controls 43

Access Control Models 46

Discretionary Access Control 46

Mandatory Access Control 47

Role-based Access Control 47

Rule-based Access Control 48

Content-dependent Versus Context-dependent 48

Access Control Matrix 48

Capabilities Table 48

Access Control List (ACL) 49

Access Control Administration 49

Centralized 49

Decentralized 49

Provisioning Life Cycle 50

Access Control Monitoring 50

IDS 50

IPS 52

Access Control Threats 52

Password Threats 53

Dictionary Attack 53

Brute-Force Attack 53

Social Engineering Threats 53

Phishing/Pharming 54

Shoulder Surfing 54

Identity Theft 54

Dumpster Diving 55

DoS/DDoS 55

Buffer Overflow 55

Mobile Code 56

Malicious Software 56

Spoofing 56

Sniffing and Eavesdropping 57

Emanating 57

Backdoor/Trapdoor 57

Exam Preparation Tasks 57

Review All Key Topics 57

Complete the Tables and Lists from Memory 58

Define Key Terms 59

Review Questions 59

Answers and Explanations 61



Chapter 3 Telecommunications and Network Security 65

Foundation Topics 66

OSI Model 66

Application Layer 67

Presentation Layer 67

Session Layer 67

Transport Layer 68

Network Layer 68

Data Link Layer 68

Physical Layer 69

Multi-Layer Protocols 70

TCP/IP Model 71

Application Layer 72

Transport Layer 72

Internet Layer 74

Link Layer 76

Encapsulation 76

Common TCP/UDP Ports 77

Logical and Physical Addressing 78

IPv4 78

IP Classes 80

Public Versus Private IP Addresses 81

NAT 81

IPv4 Versus IPv6 82

MAC Addressing 82

Network Transmission 83

Analog Versus Digital 83

Asynchronous Versus Synchronous 84

Broadband Versus Baseband 84

Unicast, Multicast, and Broadcast 85

Wired Versus Wireless 86

Cabling 87

Coaxial 87

Twisted Pair 88

Fiberoptic 90

Network Topologies 91

Ring 91

Bus 92

Star 92

Mesh 93

Hybrid 94

Network Technologies 94

Ethernet 802.3 94

Token Ring 802.5 96

FDDI 97

Contention Methods 97

CSMA/CD Versus CSMA/CA 98

Collision Domains 98

CSMA/CD 99

CSMA/CA 100

Token Passing 101

Polling 101

Network Protocols/Services 101

ARP 101

DHCP 102

DNS 103

FTP, FTPS, SFTP 103

HTTP, HTTPS, SHTTP 104

ICMP 104

IMAP 105

NAT 105

PAT 105

POP 105

SMTP 105

SNMP 105

Network Routing 106

Distance Vector, Link State, or Hybrid Routing 106

RIP 107

OSPF 107

IGRP 108

EIGRP 108

VRRP 108

IS-IS 108

BGP 108

Network Devices 109

Patch Panel 109

Multiplexer 109

Hub 109

Switch 110

VLANs 111

Layer 3 Versus Layer 4 111

Router 111

Gateway 112

Firewall 112

Types 113

Architecture 114

Virtualization 116

Proxy Server 116

PBX 116

Honeypot 117

Cloud Computing 117

Endpoint Security 119

Network Types 119

LAN 119

Intranet 119

Extranet 120

MAN 120

WAN 120

WAN Technologies 121

T Lines 121

E Lines 121

OC Lines (SONET) 122

CSU/DSU 122

Circuit-Switching Versus Packet-Switching 123

Frame Relay 123

ATM 123

X.25 124

Switched Multimegabit Data Service 124

Point-to-Point Protocol 124

High-Speed Serial Interface 124

PSTN (POTS, PBX) 125

VoIP 125

Remote Connection Technologies 126

Dial-up 126

ISDN 127

DSL 127

Cable 128

VPN 129

RADIUS and TACACS 132

Remote Authentication Protocols 133

Telnet 134

TLS/SSL 134

Multimedia Collaboration 134

Wireless Networks 135

FHSS, DSSS, OFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 135

802.11 Techniques 136

Cellular or Mobile Wireless Techniques 136

WLAN Structure 137

Access Point 137

SSID 137

Infrastructure Mode Versus Ad Hoc Mode 137

WLAN Standards 137

802.11a 138

802.11b 138

802.11f 138

802.11g 138

802.11n 138

Bluetooth 139

Infrared 139

WLAN Security 139

WEP 139

WPA 140

WPA2 140

Personal Versus Enterprise 140

SSID Broadcast 141

MAC Filter 141

Satellites 141

Network Threats 142

Cabling 142

Noise 142

Attenuation 142

Crosstalk 143

Eavesdropping 143

ICMP Attacks 143

Ping of Death 143

Smurf 144

Fraggle 144

ICMP Redirect 144

Ping Scanning 145

DNS Attacks 145

DNS Cache Poisoning 145

DoS 146

DDoS 146

DNSSEC 146

URL Hiding 146

Domain Grabbing 147

Cybersquatting 147

Email Attacks 147

Email Spoofing 147

Spear Phishing 148

Whaling 148

Spam 148

Wireless Attacks 148

Wardriving 149

Warchalking 149

Remote Attacks 149

Other Attacks 149

SYN ACK Attacks 149

Session Hijacking 150

Port Scanning 150

Teardrop 150

IP Address Spoofing 150

Exam Preparation Tasks 151

Review All Key Topics 151

Define Key Terms 151

Review Questions 153

Answers and Explanations 155



Chapter 4 Information Security Governance and Risk Management 159

Foundation Topics 159

Security Principles and Terms 159

CIA 160

Vulnerability 160

Threat 161

Threat Agent 161

Risk 161

Exposure 161

Countermeasure 161

Due Care and Due Diligence 162

Job Rotation 163

Separation of Duties 163

Security Frameworks and Methodologies 163

ISO/IEC 27000 Series 164

Zachman Framework 166

The Open Group Architecture Framework (TOGAF) 168

Department of Defense Architecture Framework (DoDAF) 168

British Ministry of Defence Architecture Framework (MODAF) 168

Sherwood Applied Business Security Architecture (SABSA) 168

Control Objectives for Information and Related Technology (CobiT) 170

National Institute of Standards and Technology (NIST) Special Publication (SP) 170

Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework 171

Information Technology Infrastructure Library (ITIL) 172

Six Sigma 173

Capability Maturity Model Integration (CMMI) 174

Top-Down Versus Bottom-Up Approach 174

Security Program Life Cycle 174

Risk Assessment 175

Information and Asset (Tangible/Intangible) Value and Costs 177

Vulnerabilities and Threats Identification 177

Quantitative Risk Analysis 178

Qualitative Risk Analysis 179

Safeguard Selection 179

Total Risk Versus Residual Risk 180

Handling Risk 180

Risk Management Principles 181

Risk Management Policy 181

Risk Management Team 181

Risk Analysis Team 182

Information Security Governance Components 182

Policies 183

Organizational Security Policy 184

System-Specific Security Policy 185

Issue-Specific Security Policy 185

Policy Categories 185

Standards 185

Baselines 185

Guidelines 186

Procedures 186

Information Classification and Life Cycle 186

Commercial Business Classifications 186

Military and Government Classifications 187

Information Life Cycle 188

Security Governance Responsibilities and Roles 188

Board of Directors 188

Management 189

Audit Committee 189

Data Owner 190

Data Custodian 190

System Owner 190

System Administrator 190

Security Administrator 190

Security Analyst 191

Application Owner 191

Supervisor 191

User 191

Auditor 191

Third-Party Governance 191

Onsite Assessment 192

Document Exchange/Review 192

Process/Policy Review 192

Personnel Security (Screening, Hiring, and Termination) 192

Security Awareness Training 193

Security Budget, Metrics, and Effectiveness 194

Exam Preparation Tasks 195

Review All Key Topics 195

Complete the Tables and Lists from Memory 195

Define Key Terms 196

Review Questions 196

Answers and Explanations 198



Chapter 5 Software Development Security 203

Foundation Topics 203

System Development Life Cycle 203

Initiate 204

Acquire/Develop 204

Implement 205

Operate/Maintain 205

Dispose 205

Software Development Life Cycle 206

Gather Requirements 206

Design 207

Develop 207

Test/Validate 208

Release/Maintain 209

Change Management and Configuration Management 209

Software Development Security Best Practices 209

WASC 210

OWASP 210

BSI 210

ISO/IEC 27000 210

Software Development Methods 211

Build and Fix 211

Waterfall 212

V-Shaped 213

Prototyping 214

Incremental 214

Spiral 215

Rapid Application Development (RAD) 216

Agile 216

JAD 218

Cleanroom 218

CMMI 218

Programming Concepts 219

Machine Languages 219

Assembly Languages and Assemblers 219

High-level Languages, Compilers, and Interpreters 219

Object-Oriented Programming 220

Polymorphism 221

Cohesion 221

Coupling 221

Data Structures 221

Distributed Object-Oriented Systems 222

CORBA 222

COM and DCOM 222

OLE 223

Java 223

SOA 223

Mobile Code 223

Java Applets 223

ActiveX 224

Database Concepts and Security 224

DBMS Architecture and Models 224

Database Interface Languages 226

ODBC 226

JDBC 227

XML 227

OLE DB 227

Data Warehouses and Data Mining 227

Database Threats 228

Database Views 228

Database Locks 228

Polyinstantiation 228

OLTP ACID Test 229

Knowledge-Based Systems 229

Software Threats 230

Malware 230

Virus 230

Worm 231

Trojan Horse 231

Logic Bomb 232

Spyware/Adware 232

Botnet 232

Rootkit 233

Source Code Issues 233

Buffer Overflow 233

Escalation of Privileges 235

Backdoor 235

Malware Protection 235

Antivirus Software 235

Antimalware Software 236

Security Policies 236

Software Security Effectiveness 236

Certification and Accreditation 236

Auditing 237

Exam Preparation Tasks 237

Review All Key Topics 237

Define Key Terms 238

Complete the Tables and Lists from Memory 238

Review Questions 238

Answers and Explanations 240



Chapter 6 Cryptography 243

Foundation Topics 244

Cryptography Concepts 244

Cryptographic Life Cycle 246

Cryptography History 246

Julius Caesar and the Caesar Cipher 247

Vigenere Cipher 248

Kerckhoff's Principle 249

World War II Enigma 249

Lucifer by IBM 250

Cryptosystem Features 250

Authentication 250

Confidentiality 250

Integrity 251

Authorization 251

Non-repudiation 251

Encryption Systems 251

Running Key and Concealment Ciphers 251

Substitution Ciphers 252

Transposition Ciphers 253

Symmetric Algorithms 253

Stream-based Ciphers 254

Block Ciphers 255

Initialization Vectors (IVs) 255

Asymmetric Algorithms 255

Hybrid Ciphers 256

Substitution Ciphers 257

One-Time Pads 257

Steganography 258

Symmetric Algorithms 258

Digital Encryption Standard (DES) and Triple DES (3DES) 259

DES Modes 259

Triple DES (3DES) and Modes 262

Advanced Encryption Standard (AES) 263

IDEA 263

Skipjack 264

Blowfish 264

Twofish 264

RC4/RC5/RC6 264

CAST 265

Asymmetric Algorithms 265

Diffie-Hellman 266

RSA 267

El Gamal 267

ECC 267

Knapsack 268

Zero Knowledge Proof 268

Message Integrity 268

Hash Functions 269

One-Way Hash 269

MD2/MD4/MD5/MD6 271

SHA/SHA-2/SHA-3 271

HAVAL 272

RIPEMD-160 272

Tiger 272

Message Authentication Code 273

HMAC 273

CBC-MAC 274

CMAC 274

Digital Signatures 274

Public Key Infrastructure 275

Certification Authority (CA) and Registration Authority (RA) 275

OCSP 276

Certificates 276

Certificate Revocation List (CRL) 277

PKI Steps 277

Cross-Certification 278

Key Management 278

Trusted Platform Module (TPM) 279

Encryption Communication Levels 280

Link Encryption 280

End-to-End Encryption 281

E-mail Security 281

PGP 281

MIME and S/MIME 282

Quantum Cryptography 282

Internet Security 282

Remote Access 283

SSL/TLS 283

HTTP, HTTPS, and SHTTP 284

SET 284

Cookies 284

SSH 285

IPsec 285

Cryptography Attacks 286

Ciphertext-Only Attack 287

Known Plaintext Attack 287

Chosen Plaintext Attack 287

Chosen Ciphertext Attack 287

Social Engineering 287

Brute Force 288

Differential Cryptanalysis 288

Linear Cryptanalysis 288

Algebraic Attack 288

Frequency Analysis 288

Birthday Attack 289

Dictionary Attack 289

Replay Attack 289

Analytic Attack 289

Statistical Attack 289

Factoring Attack 289

Reverse Engineering 289

Meet-in-the-Middle Attack 290

Exam Preparation Tasks 290

Review All Key Topics 290

Complete the Tables and Lists from Memory 290

Define Key Terms 291

Review Questions 291

Answers and Explanations 293



Chapter 7 Security Architecture and Design 297

Foundation Topics 297

Security Model Concepts 297

Confidentiality 297

Integrity 297

Availability 298

Defense in Depth 298

System Architecture 298

System Architecture Steps 299

ISO/IEC 42010:2011 299

Computing Platforms 300

Mainframe/Thin Clients 300

Distributed Systems 300

Middleware 301

Embedded Systems 301

Mobile Computing 301

Virtual Computing 301

Security Services 302

Boundary Control Services 302

Access Control Services 302

About Troy McMillan

Troy McMillan is a Product Developer and Technical Editor for Kaplan Cert Prep as well as a full-time trainer and writer. He became a professional trainer 12 years ago, teaching Cisco, Microsoft, CompTIA, and Wireless classes. Troy's book CCNA Essentials by Sybex Publishing was released in November 2011. It has been chosen as the textbook for both online and instructor-led classes at several colleges in the United States. Troy is also a courseware developer; among the work he has done in this area are wireless training materials for Motorola in 2011 and instructor materials for a series of books by Sybex on Windows Server 2008 R2 in 2011. Troy also teaches Cisco, Microsoft, CompTIA, and Security classes for several large corporate training companies, among them Global Knowledge and New Horizons. He now creates certification practice tests and study guides for the Transcender and Self-Test brands. Troy lives in Atlanta, Georgia.

Troy's professional accomplishments include B.B.A., MCSE (NT/2000/2003, 2008), CCNA, CCNP, MCP+I, CNA, A+, Net+, MCT, Server+, I-Net+, MCSA, CIW p, CIWa, CIW security analyst, CWNA, CWSP, CWNT, CWNE, MCTS: Vista Configuration, MCITP: Enterprise Support Technician, MCITP: Server Administrator, MCITP: Consumer Support Technician, MCTS: Forefront Client and Server Configuration, MCTS: Business Desktop Deployment with BDD, MCTS: Office Project Server 2007, MCTS: Windows Active Directory: Configuration, MCTS: Applications Infrastructure: Configuration, MCTS: Network Infrastructure: Configuration, CCSI, and VCP.

Robin M. Abernathy has been working in the IT certification preparation industry at Kaplan IT Certification Preparation, the owners of the Transcender and Self Test brands, for more than a decade. Robin has written and edited certification preparation materials for many (ISC)2, Microsoft, CompTIA, PMI, Cisco, and ITIL certifications and holds multiple IT certifications from these vendors. Robin provides training on computer hardware and software, networking, security, and project management. Over the past couple of years, she has ventured into the traditional publishing industry by technically editing several publications. More recently, she has presented at technical conferences and hosted webinars on IT certification topics.