CISSP Official Study Guide (2021)
(ISC)2®
CISSP® Certified Information
Systems Security Professional
Official Study Guide
Ninth Edition
(ISC)2®
CISSP ® Certified Information
Systems Security Professional
Official Study Guide
Ninth Edition
Mike Chapple
James Michael Stewart
Darril Gibson
Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada and the United Kingdom
ISBN: 978-1-119-78623-8
ISBN: 978-1-119-78633-7 (ebk)
ISBN: 978-1-119-78624-5 (ebk)
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections
107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or
authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood
Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should
be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201)
748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing
this book, they make no representations or warranties with respect to the accuracy or completeness of the contents
of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose.
No warranty may be created or extended by sales representatives or written sales materials. The advice and
strategies contained herein may not be suitable for your situation. You should consult with a professional where
appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages,
including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or to obtain technical support, please contact our
Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317)
572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be
available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Control Number: 2021935479
TRADEMARKS: WILEY and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc.
and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2
and CISSP are trademarks or registered trademarks of (ISC)2, Inc. All other trademarks are the property of their
respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Cover image(s): © Jeremy Woodhouse/Getty Images, Inc.
Cover design: Wiley
To Dewitt Latimer, my mentor, friend, and colleague. I miss you dearly.
—Mike Chapple
To Cathy, your perspective on the world and life often surprises me, challenges
me, and makes me love you even more.
—James Michael Stewart
To Nimfa, thanks for sharing your life with me for the past 29 years and letting
me share mine with you.
—Darril Gibson
Acknowledgments
We’d like to express our thanks to Wiley for continuing to support this project. Extra thanks
to the development editor, Kelly Talbot, and technical editors, Jerry Rayome, Chris Crayton,
and Aaron Kraus, who performed amazing feats in guiding us to improve this book. Thanks
as well to our agent, Carole Jelen, for continuing to assist in nailing down these projects.
—Mike, James, and Darril
Special thanks go to my many friends and colleagues in the cybersecurity community who
provided hours of interesting conversation and debate on security issues that inspired and
informed much of the material in this book.
I would like to thank the team at Wiley, who provided invaluable assistance throughout the
book development process. I also owe a debt of gratitude to my literary agent, Carole Jelen of
Waterside Productions. My coauthors, James Michael Stewart and Darril Gibson, were great collaborators and I’d like to thank them both for their thoughtful contributions to my chapters.
I’d also like to thank the many people who participated in the production of this book
but whom I never had the chance to meet: the graphics team, the production staff, and all of
those involved in bringing this book to press.
—Mike Chapple
Thanks to Mike Chapple and Darril Gibson for continuing to contribute to this project.
Thanks also to all my CISSP course students who have provided their insight and input to
improve my training courseware and ultimately this tome. To my adoring wife, Cathy: Building
a life and a family together has been more wonderful than I could have ever imagined. To
Slayde and Remi: You are growing up so fast and learning at an outstanding pace, and you
continue to delight and impress me daily. You are both growing into amazing individuals. To
my mom, Johnnie: It is wonderful to have you close by. To Mark: No matter how much time
has passed or how little we see each other, I have been and always will be your friend. And
finally, as always, to Elvis: You were way ahead of the current bacon obsession with your
peanut butter/banana/bacon sandwich; I think that’s proof you traveled through time!
—James Michael Stewart
It’s been a pleasure working with talented people like James Michael Stewart and Mike
Chapple. Thanks to both of you for all your work and collaborative efforts on this project.
The technical editors, Jerry Rayome, Chris Crayton, and Aaron Kraus, provided us with
some outstanding feedback, and this book is better because of their efforts. Thanks to the
team at Wiley (including project managers, editors, and graphic artists) for all the work you
did helping us get this book to print. Last, thanks to my wife, Nimfa, for putting up with my
odd hours as I worked on this book.
—Darril Gibson
About the Authors
Mike Chapple, PhD, CISSP, Security+, CySA+, PenTest+, CISA, CISM, CCSP, CIPP/US, is
a teaching professor of IT, analytics, and operations at the University of Notre Dame. In
the past, he was chief information officer of Brand Institute and an information security
researcher with the National Security Agency and the U.S. Air Force. His primary areas of
expertise include network intrusion detection and access controls. Mike is a frequent contributor to TechTarget’s SearchSecurity site and the author of more than 25 books, including
the companion book to this study guide: CISSP Official (ISC)2 Practice Tests, CompTIA
CySA+ Study Guide: Exam CS0-001, CompTIA Security+ Study Guide: Exam SY0-601, and
Cyberwarfare: Information Operations in a Connected World. Mike offers study groups for
the CISSP, SSCP, Security+, and CSA+ certifications on his website at www.certmike.com.
James Michael Stewart, CISSP, CEH, CHFI, ECSA, CND, ECIH, CySA+, PenTest+, CASP+,
Security+, Network+, A+, CISM, and CFR, has been writing and training for more than 25
years, with a current focus on security. He has been teaching CISSP training courses since
2002, not to mention other courses on internet security and ethical hacking/penetration
testing. He is the author of and contributor to more than 75 books on security certification,
Microsoft topics, and network administration, including CompTIA Security+ Review Guide:
Exam SY0-601. More information about Michael can be found at his website at www.impactonline.com.
Darril Gibson, CISSP, Security+, CASP, is the CEO of YCDA (short for You Can Do
Anything), and he has authored or coauthored more than 40 books. Darril regularly writes,
consults, and teaches on a wide variety of technical and security topics and holds several certifications. He regularly posts blog articles at blogs.getcertifiedgetahead.com about
certification topics and uses that site to help people stay abreast of changes in certification
exams. He loves hearing from readers, especially when they pass an exam after using one of
his books, and you can contact him through the blogging site.
About the Technical Editors
Jerry Rayome, BS/MS Computer Science, CISSP, has been employed as a member of the
Cyber Security Program at Lawrence Livermore National Laboratory for over 20 years,
providing cybersecurity services that include software development, penetration testing, incident response, firewall implementation/administration, firewall auditing, honeynet deployment/monitoring, cyber forensic investigations, NIST 800-53 control implementation/assessment, cloud risk assessment, and cloud security auditing.
Chris Crayton is a technical consultant, trainer, author, and industry-leading technical
editor. He has worked as a computer technology and networking instructor, information
security director, network administrator, network engineer, and PC specialist. Chris has
authored several print and online books on PC repair, CompTIA A+, CompTIA Security+,
and Microsoft Windows. He has also served as technical editor and content contributor
on numerous technical titles for several leading publishing companies. He holds numerous
industry certifications, including CISSP, MCSE, CompTIA S+, N+, A+, and many others. He
has also been recognized with many professional and teaching awards, and he has served as
a state-level SkillsUSA final competition judge.
Aaron Kraus, CISSP, CCSP, is an information security practitioner, instructor, and author
who has worked across industries and around the world. He has spent more than 15 years as
a consultant or security risk manager in roles with government, financial services, and tech
startups, including most recently in cyber risk insurance, and has spent 13 years teaching,
writing, and developing security courseware at Learning Tree International, where he is also
dean of cybersecurity curriculum. His writing and editing experience includes official (ISC)2
reference books, practice exams, and study guides for both CISSP and CCSP.
Contents at a Glance
Introduction xxxvii
Assessment Test lix
Chapter 1 Security Governance Through Principles and Policies 1
Chapter 2 Personnel Security and Risk Management Concepts 43
Chapter 3 Business Continuity Planning 113
Chapter 4 Laws, Regulations, and Compliance 143
Chapter 5 Protecting Security of Assets 179
Chapter 6 Cryptography and Symmetric Key Algorithms 219
Chapter 7 PKI and Cryptographic Applications 263
Chapter 8 Principles of Security Models, Design, and Capabilities 309
Chapter 9 Security Vulnerabilities, Threats, and Countermeasures 353
Chapter 10 Physical Security Requirements 447
Chapter 11 Secure Network Architecture and Components 495
Chapter 12 Secure Communications and Network Attacks 581
Chapter 13 Managing Identity and Authentication 637
Chapter 14 Controlling and Monitoring Access 677
Chapter 15 Security Assessment and Testing 723
Chapter 16 Managing Security Operations 763
Chapter 17 Preventing and Responding to Incidents 801
Chapter 18 Disaster Recovery Planning 861
Chapter 19 Investigations and Ethics 909
Chapter 20 Software Development Security 941
Chapter 21 Malicious Code and Application Attacks 993
Appendix A Answers to Review Questions 1041
Appendix B Answers to Written Labs 1099
Index 1117
Contents
Introduction xxxvii
Assessment Test lix
Chapter 1 Security Governance Through Principles and Policies 1
Security 101 3
Understand and Apply Security Concepts 4
Confidentiality 5
Integrity 6
Availability 7
DAD, Overprotection, Authenticity, Non-repudiation, and AAA Services 7
Protection Mechanisms 11
Security Boundaries 13
Evaluate and Apply Security Governance Principles 14
Third-Party Governance 15
Documentation Review 15
Manage the Security Function 16
Alignment of Security Function to Business Strategy, Goals, Mission, and Objectives 17
Organizational Processes 19
Organizational Roles and Responsibilities 21
Security Control Frameworks 22
Due Diligence and Due Care 23
Security Policy, Standards, Procedures, and Guidelines 23
Security Policies 24
Security Standards, Baselines, and Guidelines 24
Security Procedures 25
Threat Modeling 26
Identifying Threats 26
Determining and Diagramming Potential Attacks 28
Performing Reduction Analysis 28
Prioritization and Response 30
Supply Chain Risk Management 31
Summary 33
Exam Essentials 33
Written Lab 36
Review Questions 37
Chapter 2 Personnel Security and Risk Management Concepts 43
Personnel Security Policies and Procedures 45
Job Descriptions and Responsibilities 45
Candidate Screening and Hiring 46
Onboarding: Employment Agreements and Policies 47
Employee Oversight 48
Offboarding, Transfers, and Termination Processes 49
Vendor, Consultant, and Contractor Agreements and Controls 52
Compliance Policy Requirements 53
Privacy Policy Requirements 54
Understand and Apply Risk Management Concepts 55
Risk Terminology and Concepts 56
Asset Valuation 58
Identify Threats and Vulnerabilities 60
Risk Assessment/Analysis 60
Risk Responses 66
Cost vs. Benefit of Security Controls 69
Countermeasure Selection and Implementation 72
Applicable Types of Controls 74
Security Control Assessment 76
Monitoring and Measurement 76
Risk Reporting and Documentation 77
Continuous Improvement 77
Risk Frameworks 79
Social Engineering 81
Social Engineering Principles 83
Eliciting Information 85
Prepending 85
Phishing 85
Spear Phishing 87
Whaling 87
Smishing 88
Vishing 88
Spam 89
Shoulder Surfing 90
Invoice Scams 90
Hoax 90
Impersonation and Masquerading 91
Tailgating and Piggybacking 91
Dumpster Diving 92
Identity Fraud 93
Typo Squatting 94
Influence Campaigns 94
Establish and Maintain a Security Awareness, Education, and Training Program 96
Awareness 97
Training 97
Education 98
Improvements 98
Effectiveness Evaluation 99
Summary 100
Exam Essentials 101
Written Lab 106
Review Questions 107
Chapter 3 Business Continuity Planning 113
Planning for Business Continuity 114
Project Scope and Planning 115
Organizational Review 116
BCP Team Selection 117
Resource Requirements 119
Legal and Regulatory Requirements 120
Business Impact Analysis 121
Identifying Priorities 122
Risk Identification 123
Likelihood Assessment 125
Impact Analysis 126
Resource Prioritization 128
Continuity Planning 128
Strategy Development 129
Provisions and Processes 129
Plan Approval and Implementation 131
Plan Approval 131
Plan Implementation 132
Training and Education 132
BCP Documentation 132
Summary 136
Exam Essentials 137
Written Lab 138
Review Questions 139
Chapter 4 Laws, Regulations, and Compliance 143
Categories of Laws 144
Criminal Law 144
Civil Law 146
Administrative Law 146
Laws 147
Computer Crime 147
Intellectual Property (IP) 152
Licensing 158
Import/Export 158
Privacy 160
State Privacy Laws 168
Compliance 169
Contracting and Procurement 171
Summary 171
Exam Essentials 172
Written Lab 173
Review Questions 174
Chapter 5 Protecting Security of Assets 179
Identifying and Classifying Information and Assets 180
Defining Sensitive Data 180
Defining Data Classifications 182
Defining Asset Classifications 185
Understanding Data States 185
Determining Compliance Requirements 186
Determining Data Security Controls 186
Establishing Information and Asset Handling Requirements 188
Data Maintenance 189
Data Loss Prevention 189
Marking Sensitive Data and Assets 190
Handling Sensitive Information and Assets 192
Data Collection Limitation 192
Data Location 193
Storing Sensitive Data 193
Data Destruction 194
Ensuring Appropriate Data and Asset Retention 197
Data Protection Methods 199
Digital Rights Management 199
Cloud Access Security Broker 200
Pseudonymization 200
Tokenization 201
Anonymization 202
Understanding Data Roles 204
Data Owners 204
Asset Owners 205
Business/Mission Owners 206
Data Processors and Data Controllers 206
Data Custodians 207
Administrators 207
Users and Subjects 208
Using Security Baselines 208
Comparing Tailoring and Scoping 209
Standards Selection 210
Summary 211
Exam Essentials 211
Written Lab 213
Review Questions 214
Chapter 6 Cryptography and Symmetric Key Algorithms 219
Cryptographic Foundations 220
Goals of Cryptography 220
Cryptography Concepts 223
Cryptographic Mathematics 224
Ciphers 230
Modern Cryptography 238
Cryptographic Keys 238
Symmetric Key Algorithms 239
Asymmetric Key Algorithms 241
Hashing Algorithms 244
Symmetric Cryptography 244
Cryptographic Modes of Operation 245
Data Encryption Standard 247
Triple DES 247
International Data Encryption Algorithm 248
Blowfish 249
Skipjack 249
Rivest Ciphers 249
Advanced Encryption Standard 250
CAST 250
Comparison of Symmetric Encryption Algorithms 251
Symmetric Key Management 252
Cryptographic Lifecycle 255
Summary 255
Exam Essentials 256
Written Lab 257
Review Questions 258
Chapter 7 PKI and Cryptographic Applications 263
Asymmetric Cryptography 264
Public and Private Keys 264
RSA 265
ElGamal 267
Elliptic Curve 268
Diffie–Hellman Key Exchange 269
Quantum Cryptography 270
Hash Functions 271
SHA 272
MD5 273
RIPEMD 273
Comparison of Hash Algorithm Value Lengths 274
Digital Signatures 275
HMAC 276
Digital Signature Standard 277
Public Key Infrastructure 277
Certificates 278
Certificate Authorities 279
Certificate Lifecycle 280
Certificate Formats 283
Asymmetric Key Management 284
Hybrid Cryptography 285
Applied Cryptography 285
Portable Devices 285
Email 286
Web Applications 290
Steganography and Watermarking 292
Networking 294
Emerging Applications 295
Cryptographic Attacks 297
Summary 301
Exam Essentials 302
Written Lab 303
Review Questions 304
Chapter 8 Principles of Security Models, Design, and Capabilities 309
Secure Design Principles 310
Objects and Subjects 311
Closed and Open Systems 312
Secure Defaults 314
Fail Securely 314
Keep It Simple 316
Zero Trust 317
Privacy by Design 319
Trust but Verify 319
Techniques for Ensuring CIA 320
Confinement 320
Bounds 320
Isolation 321
Access Controls 321
Trust and Assurance 321
Understand the Fundamental Concepts of Security Models 322
Trusted Computing Base 323
State Machine Model 325
Information Flow Model 325
Noninterference Model 326
Take-Grant Model 326
Access Control Matrix 327
Bell–LaPadula Model 328
Biba Model 330
Clark–Wilson Model 333
Brewer and Nash Model 334
Goguen–Meseguer Model 335
Sutherland Model 335
Graham–Denning Model 335
Harrison–Ruzzo–Ullman Model 336
Select Controls Based on Systems Security Requirements 337
Common Criteria 337
Authorization to Operate 340
Understand Security Capabilities of Information Systems 341
Memory Protection 341
Virtualization 342
Trusted Platform Module 342
Interfaces 343
Fault Tolerance 343
Encryption/Decryption 343
Summary 343
Exam Essentials 344
Written Lab 347
Review Questions 348
Chapter 9 Security Vulnerabilities, Threats, and Countermeasures 353
Shared Responsibility 354
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 355
Hardware 356
Firmware 370
Client-Based Systems 372
Mobile Code 372
Local Caches 375
Server-Based Systems 375
Large-Scale Parallel Data Systems 376
Grid Computing 377
Peer to Peer 378
Industrial Control Systems 378
Distributed Systems 380
High-Performance Computing (HPC) Systems 382
Internet of Things 383
Edge and Fog Computing 385
Embedded Devices and Cyber-Physical Systems 386
Static Systems 387
Network-Enabled Devices 388
Cyber-Physical Systems 389
Elements Related to Embedded and Static Systems 389
Security Concerns of Embedded and Static Systems 390
Specialized Devices 393
Microservices 394
Infrastructure as Code 395
Virtualized Systems 397
Virtual Software 399
Virtualized Networking 400
Software-Defined Everything 400
Virtualization Security Management 403
Containerization 405
Serverless Architecture 406
Mobile Devices 406
Mobile Device Security Features 408
Mobile Device Deployment Policies 420
Essential Security Protection Mechanisms 426
Process Isolation 426
Hardware Segmentation 427
System Security Policy 427
Common Security Architecture Flaws and Issues 428
Covert Channels 428
Attacks Based on Design or Coding Flaws 430
Rootkits 431
Incremental Attacks 431
Summary 432
Exam Essentials 433
Written Lab 440
Review Questions 441
Chapter 10 Physical Security Requirements 447
Apply Security Principles to Site and Facility Design 448
Secure Facility Plan 448
Site Selection 449
Facility Design 450
Implement Site and Facility Security Controls 452
Equipment Failure 453
Wiring Closets 454
Server Rooms/Data Centers 455
Intrusion Detection Systems 458
Cameras 460
Access Abuses 462
Media Storage Facilities 462
Evidence Storage 463
Restricted and Work Area Security 464
Utility Considerations 465
Fire Prevention, Detection, and Suppression 470
Implement and Manage Physical Security 476
Perimeter Security Controls 477
Internal Security Controls 481
Key Performance Indicators of Physical Security 483
Summary 484
Exam Essentials 485
Written Lab 488
Review Questions 489
Chapter 11 Secure Network Architecture and Components 495
OSI Model 497
History of the OSI Model 497
OSI Functionality 498
Encapsulation/Deencapsulation 498
OSI Layers 500
TCP/IP Model 504
Analyzing Network Traffic 505
Common Application Layer Protocols 506
Transport Layer Protocols 508
Domain Name System 509
DNS Poisoning 511
Domain Hijacking 514
Internet Protocol (IP) Networking 516
IPv4 vs. IPv6 516
IP Classes 517
ICMP 519
IGMP 519
ARP Concerns 519
Secure Communication Protocols 521
Implications of Multilayer Protocols 522
Converged Protocols 523
Voice over Internet Protocol (VoIP) 524
Software-Defined Networking 525
Microsegmentation 526
Wireless Networks 527
Securing the SSID 529
Wireless Channels 529
Conducting a Site Survey 530
Wireless Security 531
Wi-Fi Protected Setup (WPS) 533
Wireless MAC Filter 534
Wireless Antenna Management 534
Using Captive Portals 535
General Wi-Fi Security Procedure 535
Wireless Communications 536
Wireless Attacks 539
Other Communication Protocols 543
Cellular Networks 544
Content Distribution Networks (CDNs) 545
Secure Network Components 545
Secure Operation of Hardware 546
Common Network Equipment 547
Network Access Control 549
Firewalls 550
Endpoint Security 556
Cabling, Topology, and Transmission Media Technology 559
Transmission Media 559
Network Topologies 563
Ethernet 565
Sub-Technologies 566
Summary 569
Exam Essentials 570
Written Lab 574
Review Questions 575
Chapter 12 Secure Communications and Network Attacks 581
Protocol Security Mechanisms 582
Authentication Protocols 582
Port Security 585
Quality of Service (QoS) 585
Secure Voice Communications 586
Public Switched Telephone Network 586
Voice over Internet Protocol (VoIP) 586
Vishing and Phreaking 588
PBX Fraud and Abuse 589
Remote Access Security Management 590
Remote Access and Telecommuting Techniques 591
Remote Connection Security 591
Plan a Remote Access Security Policy 592
Multimedia Collaboration 593
Remote Meeting 593
Instant Messaging and Chat 594
Load Balancing 595
Virtual IPs and Load Persistence 596
Active-Active vs. Active-Passive 596
Manage Email Security 596
Email Security Goals 597
Understand Email Security Issues 599
Email Security Solutions 599
Virtual Private Network 602
Tunneling 603
How VPNs Work 604
Always-On 606
Split Tunnel vs. Full Tunnel 607
Common VPN Protocols 607
Switching and Virtual LANs 610
Network Address Translation 614
Private IP Addresses 616
Stateful NAT 617
Automatic Private IP Addressing 617
Third-Party Connectivity 618
Switching Technologies 620
Circuit Switching 620
Packet Switching 620
Virtual Circuits 621
WAN Technologies 622
Fiber-Optic Links 624
Security Control Characteristics 624
Transparency 625
Transmission Management Mechanisms 625
Prevent or Mitigate Network Attacks 625
Eavesdropping 626
Modification Attacks 626
Summary 626
Exam Essentials 628
Written Lab 630
Review Questions 631
Chapter 13 Managing Identity and Authentication 637
Controlling Access to Assets 639
Controlling Physical and Logical Access 640
The CIA Triad and Access Controls 640
Managing Identification and Authentication 641
Comparing Subjects and Objects 642
Registration, Proofing, and Establishment of Identity 643
Authorization and Accountability 644
Authentication Factors Overview 645
Something You Know 647
Something You Have 650
Something You Are 651
Multifactor Authentication (MFA) 655
Two-Factor Authentication with Authenticator Apps 655
Passwordless Authentication 656
Device Authentication 657
Service Authentication 658
Mutual Authentication 659
Implementing Identity Management 659
Single Sign-On 659
SSO and Federated Identities 660
Credential Management Systems 662
Credential Manager Apps 663
Scripted Access 663
Session Management 663
Managing the Identity and Access Provisioning Lifecycle 664
Provisioning and Onboarding 665
Deprovisioning and Offboarding 666
Defining New Roles 667
Account Maintenance 667
Account Access Review 667
Summary 668
Exam Essentials 669
Written Lab 671
Review Questions 672
Chapter 14 Controlling and Monitoring Access 677
Comparing Access Control Models 678
Comparing Permissions, Rights, and Privileges 678
Understanding Authorization Mechanisms 679
Defining Requirements with a Security Policy 681
Introducing Access Control Models 681
Discretionary Access Control 682
Nondiscretionary Access Control 683
Implementing Authentication Systems 690
Implementing SSO on the Internet 691
Implementing SSO on Internal Networks 694
Understanding Access Control Attacks 699
Risk Elements 700
Common Access Control Attacks 700
Core Protection Methods 713
Summary 714
Exam Essentials 715
Written Lab 717
Review Questions 718
Chapter 15 Security Assessment and Testing 723
Building a Security Assessment and Testing Program 725
Security Testing 725
Security Assessments 726
Security Audits 727
Performing Vulnerability Assessments 731
Describing Vulnerabilities 731
Vulnerability Scans 732
Penetration Testing 742
Compliance Checks 745
Testing Your Software 746
Code Review and Testing 746
Interface Testing 751
Misuse Case Testing 751
Test Coverage Analysis 752
Website Monitoring 752
Implementing Security Management Processes 753
Log Reviews 753
Account Management 754
Disaster Recovery and Business Continuity 754
Training and Awareness 755
Key Performance and Risk Indicators 755
Summary 756
Exam Essentials 756
Written Lab 758
Review Questions 759
Chapter 16 Managing Security Operations 763
Apply Foundational Security Operations Concepts 765
Need to Know and Least Privilege 765
Separation of Duties (SoD) and Responsibilities 767
Two-Person Control 768
Job Rotation 768
Mandatory Vacations 768
Privileged Account Management 769
Service Level Agreements (SLAs) 771
Addressing Personnel Safety and Security 771
Duress 771
Travel 772
Emergency Management 773
Security Training and Awareness 773
Provision Resources Securely 773
Information and Asset Ownership 774
Asset Management 774
Apply Resource Protection 776
Media Management 776
Media Protection Techniques 776
Managed Services in the Cloud 779
Shared Responsibility with Cloud Service Models 780
Scalability and Elasticity 782
Perform Configuration Management (CM) 782
Provisioning 783
Baselining 783
Using Images for Baselining 783
Automation 784
Managing Change 785
Change Management 787
Versioning 788
Configuration Documentation 788
Managing Patches and Reducing Vulnerabilities 789
Systems to Manage 789
Patch Management 789
Vulnerability Management 791
Vulnerability Scans 792
Common Vulnerabilities and Exposures 792
Summary 793
Exam Essentials 794
Written Lab 796
Review Questions 797
Chapter 17 Preventing and Responding to Incidents 801
Conducting Incident Management 803
Defining an Incident 803
Incident Management Steps 804
Implementing Detective and Preventive Measures 810
Basic Preventive Measures 810
Understanding Attacks 811
Intrusion Detection and Prevention Systems 820
Specific Preventive Measures 828
Logging and Monitoring 834
Logging Techniques 834
The Role of Monitoring 837
Monitoring Techniques 840