(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide E-Book

(ISC)2

CISSP® Certified InformationSystems Security ProfessionalOfficial Study Guide

Eighth Edition

Development Editor: Kelly Talbot

Technical Editors: Jeff Parker, Bob Sipes, and David Seidl

Copy Editor: Kim Wimpsett

Editorial Manager: Pete Gaughan

Production Manager: Kathleen Wisor

Executive Editor: Jim Minatel

Proofreader: Amy Schneider

Indexer: Johnna VanHoose Dinse

Project Coordinator, Cover: Brent Savage

Cover Designer: Wiley

Cover Image: ©Getty Images Inc./Jeremy Woodhouse

Copyright © 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-47593-4

ISBN: 978-1-119-47595-8 (ebk.)

ISBN: 978-1-119-47587-3 (ebk.)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2018933561

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISSP is a registered trademark of (ISC)², Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

To Dewitt Latimer, my mentor, friend, and colleague. I miss you dearly. —Mike Chapple

To Cathy, your perspective on the world and life often surprises me, challenges me, and makes me love you even more. —James Michael Stewart

To Nimfa, thanks for sharing your life with me for the past 26 years and letting me share mine with you.—Darril Gibson

Dear Future (ISC)2 Member,

Congratulations on starting your journey to CISSP® certification. Earning your CISSP is an exciting and rewarding milestone in your cybersecurity career. Not only does it demonstrate your ability to develop and manage nearly all aspects of an organization’s cybersecurity operations, but you also signal to employers your commitment to life-long learning and taking an active role in fulfilling the (ISC)² vision of inspiring a safe and secure cyber world.

The material in this study guide is based upon the (ISC)² CISSP Common Body of Knowledge. It will help you prepare for the exam that will assess your competency in the following eight domains:

Security and Risk Management

Asset Security

Security Architecture and Engineering

Communication and Network Security

Identity and Access Management (IAM)

Security Assessment and Testing

Security Operations

Software Development Security

While this study guide will help you prepare, passing the CISSP exam depends on your mastery of the domains combined with your ability to apply those concepts using your real-world experience.

I wish you the best of luck as you continue on your path to become a CISSP and certified member of (ISC)2.

Sincerely,

David Shearer, CISSPCEO(ISC)2

Acknowledgments

We’d like to express our thanks to Sybex for continuing to support this project. Extra thanks to the eighth edition developmental editor, Kelly Talbot, and technical editors, Jeff Parker, Bob Sipes, and David Seidl, who performed amazing feats in guiding us to improve this book. Thanks as well to our agent, Carole Jelen, for continuing to assist in nailing down these projects.

—Mike, James, and Darril

Special thanks go to the information security team at the University of Notre Dame, who provided hours of interesting conversation and debate on security issues that inspired and informed much of the material in this book.

I would like to thank the team at Wiley who provided invaluable assistance throughout the book development process. I also owe a debt of gratitude to my literary agent, Carole Jelen of Waterside Productions. My coauthors, James Michael Stewart and Darril Gibson, were great collaborators. Jeff Parker, Bob Sipes, and David Seidl, our diligent and knowledgeable technical editors, provided valuable in-sight as we brought this edition to press.

I’d also like to thank the many people who participated in the production of this book but whom I never had the chance to meet: the graphics team, the production staff, and all of those involved in bringing this book to press.

—Mike Chapple

Thanks to Mike Chapple and Darril Gibson for continuing to contribute to this project. Thanks also to all my CISSP course students who have provided their insight and input to improve my training courseware and ultimately this tome. To my adoring wife, Cathy: Building a life and a family together has been more wonderful than I could have ever imagined. To Slayde and Remi: You are growing up so fast and learning at an outstanding pace, and you continue to delight and impress me daily. You are both growing into amazing individuals. To my mom, Johnnie: It is wonderful to have you close by. To Mark: No matter how much time has passed or how little we see each other, I have been and always will be your friend. And finally, as always, to Elvis: You were way ahead of the current bacon obsession with your peanut butter/banana/bacon sandwich; I think that’s proof you traveled through time!

—James Michael Stewart

Thanks to Jim Minatel and Carole Jelen for helping get this update in place before (ISC)2 released the objectives. This helped us get a head start on this new edition, and we appreciate your efforts. It’s been a pleasure working with talented people like James Michael Stewart and Mike Chapple. Thanks to both of you for all your work and collaborative efforts on this project. The technical editors, Jeff Parker, Bob Sipes, and David Seidl, provided us with some outstanding feedback, and this book is better because of their efforts. Thanks to the team at Sybex (including project managers, editors, and graphics artists) for all the work you did helping us get this book to print. Last, thanks to my wife, Nimfa, for putting up with my odd hours as I worked on this book.

—Darril Gibson

About the Authors

Mike Chapple, CISSP, PhD, Security+, CISA, CySA+, is an associate teaching professor of IT, analytics, and operations at the University of Notre Dame. In the past, he was chief information officer of Brand Institute and an information security researcher with the National Security Agency and the U.S. Air Force. His primary areas of expertise include network intrusion detection and access controls. Mike is a frequent contributor to TechTarget’s SearchSecurity site and the author of more than 25 books including the companion book to this study guide: CISSP Official (ISC)2 Practice Tests, the CompTIA CSA+ Study Guide, and Cyberwarfare: Information Operations in a Connected World. Mike offers study groups for the CISSP, SSCP, Security+, and CSA+ certifications on his website at www.certmike.com.

James Michael Stewart, CISSP, CEH, ECSA, CHFI, Security+, Network+, has been writing and training for more than 20 years, with a current focus on security. He has been teaching CISSP training courses since 2002, not to mention other courses on Internet security and ethical hacking/penetration testing. He is the author of and contributor to more than 75 books and numerous courseware sets on security certification, Microsoft topics, and network administration, including the Security+ (SY0-501) Review Guide. More information about Michael can be found at his website at www.impactonline.com.

Darril Gibson, CISSP, Security+, CASP, is the CEO of YCDA (short for You Can Do Anything), and he has authored or coauthored more than 40 books. Darril regularly writes, consults, and teaches on a wide variety of technical and security topics and holds several certifications. He regularly posts blog articles at http://blogs.getcertifiedgetahead.com/ about certification topics and uses that site to help people stay abreast of changes in certification exams. He loves hearing from readers, especially when they pass an exam after using one of his books, and you can contact him through the blogging site.

About the Technical Editors

Jeff T. Parker, CISSP, is a technical editor and reviewer across many focuses of information security. Jeff regularly contributes to books, adding experience and practical know-how where needed. Jeff’s experience comes from 10 years of consulting with Hewlett-Packard in Boston and from 4 years with Deutsche-Post in Prague, Czech Republic. Now residing in Canada, Jeff teaches his and other middle-school kids about building (and destroying) a home lab. He recently coauthored Wireshark for Security Professionals and is now authoring CySA+ Practice Exams. Keep learning!

Bob Sipes, CISSP, is an enterprise security architect and account security officer at DXC Technology providing tactical and strategic leadership for DXC clients. He holds several certifications, is actively involved in security organizations including ISSA and Infragard, and is an experienced public speaker on topics including cybersecurity, communications, and leadership. In his spare time, Bob is an avid antiquarian book collector with an extensive library of 19th and early 20th century boys’ literature. You can follow Bob on Twitter at @bobsipes.

David Seidl, CISSP, is the senior director for Campus Technology Services at the University of Notre Dame, where he has also taught cybersecurity and networking in the Mendoza College of Business. David has written multiple books on cybersecurity certification and cyberwarfare, and he has served as the technical editor for the sixth, seventh, and eighth editions of CISSP Study Guide. David holds a master’s degree in information security and a bachelor’s degree in communication technology from Eastern Michigan University, as well as CISSP, GPEN, GCIH, and CySA+ certifications.

Contents

Introduction

Overview of the CISSP Exam

Notes on This Book’s Organization

Assessment Test

Answers to Assessment Test

Chapter 1 Security Governance Through Principles and Policies

Understand and Apply Concepts of Confidentiality, Integrity, and Availability

Evaluate and Apply Security Governance Principles

Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines

Understand and Apply Threat Modeling Concepts and Methodologies

Apply Risk-Based Management Concepts to the Supply Chain

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 2 Personnel Security and Risk Management Concepts

Personnel Security Policies and Procedures

Security Governance

Understand and Apply Risk Management Concepts

Establish and Maintain a Security Awareness, Education, and Training Program

Manage the Security Function

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 3 Business Continuity Planning

Planning for Business Continuity

Project Scope and Planning

Business Impact Assessment

Continuity Planning

Plan Approval and Implementation

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 4 Laws, Regulations, and Compliance

Categories of Laws

Laws

Compliance

Contracting and Procurement

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 5 Protecting Security of Assets

Identify and Classify Assets

Determining Ownership

Using Security Baselines

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 6 Cryptography and Symmetric Key Algorithms

Historical Milestones in Cryptography

Cryptographic Basics

Modern Cryptography

Symmetric Cryptography

Cryptographic Lifecycle

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 7 PKI and Cryptographic Applications

Asymmetric Cryptography

Hash Functions

Digital Signatures

Public Key Infrastructure

Asymmetric Key Management

Applied Cryptography

Cryptographic Attacks

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 8 Principles of Security Models, Design, and Capabilities

Implement and Manage Engineering Processes Using Secure Design Principles

Understand the Fundamental Concepts of Security Models

Select Controls Based On Systems Security Requirements

Understand Security Capabilities of Information Systems

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 9 Security Vulnerabilities, Threats, and Countermeasures

Assess and Mitigate Security Vulnerabilities

Client-Based Systems

Server-Based Systems

Database Systems Security

Distributed Systems and Endpoint Security

Internet of Things

Industrial Control Systems

Assess and Mitigate Vulnerabilities in Web-Based Systems

Assess and Mitigate Vulnerabilities in Mobile Systems

Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems

Essential Security Protection Mechanisms

Common Architecture Flaws and Security Issues

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 10 Physical Security Requirements

Apply Security Principles to Site and Facility Design

Implement Site and Facility Security Controls

Implement and Manage Physical Security

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 11 Secure Network Architecture and Securing Network Components

OSI Model

TCP/IP Model

Converged Protocols

Wireless Networks

Secure Network Components

Cabling, Wireless, Topology, Communications, and Transmission Media Technology

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 12 Secure Communications and Network Attacks

Network and Protocol Security Mechanisms

Secure Voice Communications

Multimedia Collaboration

Manage Email Security

Remote Access Security Management

Virtual Private Network

Virtualization

Network Address Translation

Switching Technologies

WAN Technologies

Miscellaneous Security Control Characteristics

Security Boundaries

Prevent or Mitigate Network Attacks

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 13 Managing Identity and Authentication

Controlling Access to Assets

Comparing Identification and Authentication

Implementing Identity Management

Managing the Identity and Access Provisioning Lifecycle

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 14 Controlling and Monitoring Access

Comparing Access Control Models

Understanding Access Control Attacks

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 15 Security Assessment and Testing

Building a Security Assessment and Testing Program

Performing Vulnerability Assessments

Testing Your Software

Implementing Security Management Processes

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 16 Managing Security Operations

Applying Security Operations Concepts

Securely Provisioning Resources

Managing Configuration

Managing Change

Managing Patches and Reducing Vulnerabilities

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 17 Preventing and Responding to Incidents

Managing Incident Response

Implementing Detective and Preventive Measures

Logging, Monitoring, and Auditing

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 18 Disaster Recovery Planning

The Nature of Disaster

Understand System Resilience and Fault Tolerance

Recovery Strategy

Recovery Plan Development

Training, Awareness, and Documentation

Testing and Maintenance

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 19 Investigations and Ethics

Investigations

Major Categories of Computer Crime

Ethics

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 20 Software Development Security

Introducing Systems Development Controls

Establishing Databases and Data Warehousing

Storing Data and Information

Understanding Knowledge-Based Systems

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 21 Malicious Code and Application Attacks

Malicious Code

Password Attacks

Application Attacks

Web Application Security

Reconnaissance Attacks

Masquerading Attacks

Summary

Exam Essentials

Written Lab

Review Questions

Appendix A Answers to Review Questions

Chapter 1: Security Governance Through Principles and Policies

Chapter 2: Personnel Security and Risk Management Concepts

Chapter 3: Business Continuity Planning

Chapter 4: Laws, Regulations, and Compliance

Chapter 5: Protecting Security of Assets

Chapter 6: Cryptography and Symmetric Key Algorithms

Chapter 7: PKI and Cryptographic Applications

Chapter 8: Principles of Security Models, Design, and Capabilities

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures

Chapter 10: Physical Security Requirements

Chapter 11: Secure Network Architecture and Securing Network Components

Chapter 12: Secure Communications and Network Attacks

Chapter 13: Managing Identity and Authentication

Chapter 14: Controlling and Monitoring Access

Chapter 15: Security Assessment and Testing

Chapter 16: Managing Security Operations

Chapter 17: Preventing and Responding to Incidents

Chapter 18: Disaster Recovery Planning

Chapter 19: Investigations and Ethics

Chapter 20: Software Development Security

Chapter 21: Malicious Code and Application Attacks

Appendix B Answers to Written Labs

Chapter 1: Security Governance Through Principles and Policies

Chapter 2: Personnel Security and Risk Management Concepts

Chapter 3: Business Continuity Planning

Chapter 4: Laws, Regulations, and Compliance

Chapter 5: Protecting Security of Assets

Chapter 6: Cryptography and Symmetric Key Algorithms

Chapter 7: PKI and Cryptographic Applications

Chapter 8: Principles of Security Models, Design, and Capabilities

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures

Chapter 10: Physical Security Requirements

Chapter 11: Secure Network Architecture and Securing Network Components

Chapter 12: Secure Communications and Network Attacks

Chapter 13: Managing Identity and Authentication

Chapter 14: Controlling and Monitoring Access

Chapter 15: Security Assessment and Testing

Chapter 16: Managing Security Operations

Chapter 17: Preventing and Responding to Incidents

Chapter 18: Disaster Recovery Planning

Chapter 19: Investigations and Ethics

Chapter 20: Software Development Security

Chapter 21: Malicious Code and Application Attacks

Advert

EULA

List of Tables

Chapter 2

Table 2.1

Table 2.2

Chapter 5

Table 5.1

Table 5.2

Table 5.3

Chapter 6

Table 6.1

Table 6.2

Chapter 7

Table 7.1

Chapter 8

Table 8.1

Table 8.2

Table 8.3

Table 8.4

Chapter 9

Table 9.1

Chapter 10

Table 10.1

Table 10.2

Chapter 11

Table 11.1

Table 11.2

Table 11.3

Table 11.4

Table 11.5

Table 11.6

Table 11.7

Table 11.8

Table 11.9

Table 11.10

Table 11.11

Chapter 12

Table 12.1

Table 12.2

Table 12.3

Table 12.4

Chapter 18

Table 18.1

List of Illustrations

Chapter 1

FIGURE 1.1

The CIA Triad

FIGURE 1.2

The five elements of AAA services

FIGURE 1.3

Strategic, tactical, and operational plan timeline comparison

FIGURE 1.4

Levels of government/military classification

FIGURE 1.5

Commercial business/private sector classification levels

FIGURE 1.6

The comparative relationships of security policy components

FIGURE 1.7

An example of diagramming to reveal threat concerns

FIGURE 1.8

An example of diagramming to reveal threat concerns

Chapter 2

FIGURE 2.1

An example of separation of duties related to five admin tasks and seven administrators

FIGURE 2.2

An example of job rotation among management positions

FIGURE 2.3

Ex-employees must return all company property

FIGURE 2.4

The elements of risk

FIGURE 2.5

The six major elements of quantitative risk analysis

FIGURE 2.6

The categories of security controls in a defense-in-depth implementation

FIGURE 2.7

The six steps of the risk management framework

Chapter 3

FIGURE 3.1

Earthquake hazard map of the United States

Chapter 5

FIGURE 5.1

Data classifications

FIGURE 5.2

Clearing a hard drive

Chapter 6

FIGURE 6.1

Challenge-response authentication protocol

FIGURE 6.2

The magic door

FIGURE 6.3

Symmetric key cryptography

FIGURE 6.4

Asymmetric key cryptography

Chapter 7

FIGURE 7.1

Asymmetric key cryptography

FIGURE 7.2

Steganography tool

FIGURE 7.3

Image with embedded message

Chapter 8

FIGURE 8.1

The TCB, security perimeter, and reference monitor

FIGURE 8.2

The Take-Grant model’s directed graph

FIGURE 8.3

The Bell-LaPadula model

FIGURE 8.4

The Biba model

FIGURE 8.5

The Clark-Wilson model

FIGURE 8.6

The levels of TCSEC

Chapter 9

FIGURE 9.1

In the commonly used four-ring model, protection rings segregate the operating system into kernel, components, and drivers in rings 0 through 2 and applications and programs run at ring 3.

FIGURE 9.2

The process scheduler

Chapter 10

FIGURE 10.1

A typical wiring closet

FIGURE 10.2

The fire triangle

FIGURE 10.3

The four primary stages of fire

FIGURE 10.4

A secure physical boundary with a mantrap and a turnstile

Chapter 11

FIGURE 11.1

Representation of the OSI model

FIGURE 11.2

Representation of OSI model encapsulation

FIGURE 11.3

Representation of the OSI model peer layer logical channels

FIGURE 11.4

OSI model data names

FIGURE 11.5

Comparing the OSI model with the TCP/IP model

FIGURE 11.6

The four layers of TCP/IP and its component protocols

FIGURE 11.7

The TCP three-way handshake

FIGURE 11.8

Single-, two-, and three-tier firewall deployment architectures

FIGURE 11.9

A ring topology

FIGURE 11.10

A linear bus topology and a tree bus topology

FIGURE 11.11

A star topology

FIGURE 11.12

A mesh topology

Chapter 13

FIGURE 13.1

Graph of FRR and FAR errors indicating the CER point

Chapter 14

FIGURE 14.1

Defense in depth with layered security

FIGURE 14.2

Role Based Access Control

FIGURE 14.3

A representation of the boundaries provided by lattice-based access controls

FIGURE 14.4

Wireshark capture

Chapter 15

FIGURE 15.1

Nmap scan of a web server run from a Linux system

FIGURE 15.2

Default Apache server page running on the server scanned in Figure 15.1

FIGURE 15.3

Nmap scan of a large network run from a Mac system using the Terminal utility

FIGURE 15.4

Network vulnerability scan of the same web server that was port scanned in Figure 15.1

FIGURE 15.5

Web application vulnerability scan of the same web server that was port scanned in Figure 15.1 and network vulnerability scanned in Figure 15.2.

FIGURE 15.6

Scanning a database-backed application with sqlmap

FIGURE 15.7

Penetration testing process

FIGURE 15.8

The Metasploit automated system exploitation tool allows attackers to quickly execute common attacks against target systems.

FIGURE 15.9

Fagan inspections follow a rigid formal process, with defined entry and exit criteria that must be met before transitioning between stages.

FIGURE 15.10

Prefuzzing input file containing a series of 1s

FIGURE 15.11

The input file from Figure 15.10 after being run through the zzuf mutation fuzzing tool

Chapter 16

FIGURE 16.1

A segregation of duties control matrix

FIGURE 16.2

Creating and deploying images

FIGURE 16.3

Web server and database server

Chapter 17

FIGURE 17.1

Incident response

FIGURE 17.2

SYN flood attack

FIGURE 17.3

A man-in-the-middle attack

FIGURE 17.4

Intrusion prevention system

FIGURE 17.5

Viewing a log entry

Chapter 18

FIGURE 18.1

Flood hazard map for Miami–Dade County, Florida

FIGURE 18.2

Failover cluster with network load balancing

Chapter 20

FIGURE 20.1

Security vs. user-friendliness vs. functionality

FIGURE 20.2

The waterfall lifecycle model

FIGURE 20.3

The spiral lifecycle mode

FIGURE 20.4

The IDEAL model

FIGURE 20.5

Gantt chart

FIGURE 20.6

The DevOps model

FIGURE 20.7

Hierarchical data model

FIGURE 20.8

Customers table from a relational database

FIGURE 20.9

ODBC as the interface between applications and a backend database system

Chapter 21

FIGURE 21.1

Social Security phishing message

FIGURE 21.2

Typical database-driven website architecture

Guide

Cover

Table of Contents

Introduction

Pages

v

vi

vii

ix

xi

xxxiii

xxxiv

xxxv

xxxvi

xxxvii

xxxviii

xxxix

xl

xli

xlii

xliii

xliv

xlv

xlvi

xlvii

xlviii

xlix

l

li

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

306

307

308

309

310

311

312

313

314

315

316

317

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

579

580

581

582

583

584

585

586

587

588

589

590

591

592

593

594

595

596

597

598

599

600

601

602

603

604

605

606

607

608

609

610

611

612

613

614

615

616

617

618

619

620

621

623

624

625

626

627

628

629

630

631

632

633

634

635

636

637

638

639

640

641

642

643

644

645

646

647

648

649

650

651

652

653

654

655

656

657

658

659

660

661

662

663

664

665

666

667

668

669

670

671

672

673

674

675

676

677

678

679

680

681

682

683

684

685

687

688

689

690

691

692

693

694

695

696

697

698

699

700

701

702

703

704

705

706

707

708

709

710

711

712

713

714

715

716

717

718

719

720

721

722

723

724

725

726

727

728

729

730

731

732

733

734

735

737

738

739

740

741

742

743

744

745

746

747

748

749

750

751

752

753

754

755

756

757

758

759

760

761

762

763

764

765

766

767

768

769

770

771

772

773

774

775

776

777

778

779

780

781

782

783

784

785

786

787

788

789

790

791

792

793

794

795

796

797

798

799

801

802

803

804

805

806

807

808

809

810

811

812

813

814

815

816

817

818

819

820

821

822

823

824

825

826

827

828

829

830

831

832

833

834

835

836

837

838

839

840

841

842

843

845

846

847

848

849

850

851

852

853

854

855

856

857

858

859

860

861

862

863

864

865

866

867

868

869

871

872

873

874

875

876

877

878

879

880

881

882

883

884

885

886

887

888

889

890

891

892

893

894

895

896

897

898

899

900

901

902

903

904

905

906

907

908

909

910

911

912

913

914

915

916

917

918

919

920

921

922

923

924

925

926

927

928

929

930

931

932

933

934

935

936

937

938

939

940

941

942

943

944

945

946

947

948

949

950

951

952

953

954

955

956

957

958

959

960

961

962

963

964

965

966

967

968

969

970

971

972

973

974

975

976

977

978

979

980

981

982

983

984

985

986

987

988

989

990

991

992

993

994

995

996

997

998

999

1000

Introduction

The (ISC)2 CISSP: Certified Information Systems Security Professional Official Study Guide, Eighth Edition, offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you’ve shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam.

This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam.

Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary five years of full-time paid work experience (or four years if you have a college degree) in two or more of the eight domains covered by the CISSP exam. If you are qualified to take the CISSP exam according to (ISC)2, then you are sufficiently prepared to use this book to study for it. For more information on (ISC)2, see the next section.

(ISC)2 also allows for a one-year reduction of the five-year experience requirement if you have earned one of the approved certifications from the (ISC)2 prerequisite pathway. These include certifications such as CAP, CISM, CISA, CCNA Security, Security+, MCSA, MCSE, and many of the GIAC certifications. For a complete list of qualifying certifications, visit https://www.isc2.org/Certifications/CISSP/Prerequisite-Pathway. Note: You can use only one of the experience reduction measures, either a college degree or a certification, not both.

(ISC)2

The CISSP exam is governed by the International Information Systems Security Certification Consortium (ISC)2. (ISC)2 is a global not-for-profit organization. It has four primary mission goals:

Maintain the Common Body of Knowledge (CBK) for the field of information systems security.

Provide certification for information systems security professionals and practitioners.

Conduct certification training and administer the certification exams.

Oversee the ongoing accreditation of qualified certification candidates through continued education.

The (ISC)2 is operated by a board of directors elected from the ranks of its certified practitioners.

(ISC)2 supports and provides a wide variety of certifications, including CISSP, SSCP, CAP, CSSLP, CCFP, HCISPP, and CCSP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. You can obtain more information about (ISC)2 and its other certifications from its website at www.isc2.org.

The Certified Information Systems Security Professional (CISSP) credential is for security professionals responsible for designing and maintaining security infrastructure within an organization.

Topical Domains

The CISSP certification covers material from the eight topical domains. These eight domains are as follows:

Security and Risk Management

Asset Security

Security Architecture and Engineering

Communication and Network Security

Identity and Access Management (IAM)

Security Assessment and Testing

Security Operations

Software Development Security

These eight domains provide a vendor-independent overview of a common security framework. This framework is the basis for a discussion on security practices that can be supported in all types of organizations worldwide.

The most recent revision of the topical domains will be reflected in exams starting April 15, 2018. For a complete view of the breadth of topics covered on the CISSP exam from the eight domain groupings, visit the (ISC)2 website at www.isc2.org to request a copy of the Candidate Information Bulletin. This document includes a complete exam outline as well as other relevant facts about the certification.

Prequalifications

(ISC)2 has defined the qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least five years’ full-time paid work experience or with four years’ experience and a recent IT or IS degree or an approved security certification (see www.isc2.org for details). Professional experience is defined as security work performed for salary or commission within two or more of the eight CBK domains.

Second, you must agree to adhere to a formal code of ethics. The CISSP Code of Ethics is a set of guidelines the (ISC)2 wants all CISSP candidates to follow to maintain professionalism in the field of information systems security. You can find it in the Information section on the (ISC)2 website at www.isc2.org.

(ISC)2 also offers an entry program known as an Associate of (ISC)2. This program allows someone without any or enough experience to qualify as a CISSP to take the CISSP exam anyway and then obtain experience afterward. Associates are granted six years to obtain five years’ of security experience. Only after providing proof of such experience, usually by means of endorsement and a resume, can the individual be awarded CISSP certification.

Overview of the CISSP Exam

The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and concept than implementation and procedure. It is very broad but not very deep. To successfully complete this exam, you’ll need to be familiar with every domain but not necessarily be a master of each domain.

As of December 18, 2017, the CISSP exam is in an adaptive format. (ISC)2 calls the new version CISSP-CAT (Computerized Adaptive Testing). For complete details of this new version of exam presentation, please see https://www.isc2.org/certifications/CISSP/CISSP-CAT.

The CISSP-CAT exam will be a minimum of 100 questions and a maximum of 150. Not all items you are presented with count toward your score or passing status. These unscored items are called pretest questions by (ISC)2, while the scored items are called operational items. The questions are not labeled on the exam as to whether they are scored or unscored. Test candidates will receive 25 unscored items on their exam, regardless of whether they achieve a passing rank at question 100 or see all of the 150 questions.

The CISSP-CAT grants a maximum of three hours to take the exam. If you run out of time before achieving a passing rank, you will automatically fail.

The CISSP-CAT does not allow you to return to a previous question to change your answer. Your answer selection is final once you leave a question.

The CISSP-CAT does not have a published or set score to achieve. Instead, you must demonstrate the ability to answer above the (ISC)2 bar for passing, called the passing standard (which is not disclosed), within the last 75 operational items (i.e., questions).

If the computer determines that you have a less than 5 percent chance of achieving a passing standard and you have seen 75 operational items, your test will automatically end with a failure. You are not guaranteed to see any more questions than are necessary for the computer grading system to determine with 95 percent confidence your ability to achieve a passing standard or to fail to meet the passing standard.

If you do not pass the CISSP exam on your first attempt, you are allowed to retake the CISSP exam under the following conditions:

You can take the CISSP exam a maximum of 3 times per 12-month period.

You must wait 30 days after your first attempt before trying a second time.

You must wait an additional 90 days after your second attempt before trying a third time.

You must wait an additional 180 days after your third attempt before trying again or as long as needed to reach 12 months from the date of your first attempt.

You will need to pay full price for each additional exam attempt.

It is not possible to take the previous paper-based or CBT (computer based testing) flat 250 question version of the exam. CISSP is now available only in the CBT CISSP-CAT format in English.

The refreshed CISSP exam is available in English, French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese and Korean.

Effective December 18, 2017, the Certified Information Systems Security Professional (CISSP) exam (English version only) will be available exclusively via CAT through (ISC)2-authorized Pearson VUE test centers in authorized markets. CISSP exams administered in languages other than English and all other (ISC)2 certification exams will continue to be available as fixed-form, linear examinations.

CISSP Exam Question Types

Most of the questions on the CISSP exam are four-option, multiple-choice questions with a single correct answer. Some are straightforward, such as asking you to select a definition. Some are a bit more involved, asking you to select the appropriate concept or best practice. And some questions present you with a scenario or situation and ask you to select the best response. Here’s an example:

What is the most important goal and top priority of a security solution?

Preventing disclosure

Maintaining integrity

Maintaining human safety

Sustaining availability

You must select the one correct or best answer and mark it. In some cases, the correct answer will be very obvious to you. In other cases, several answers may seem correct. In these instances, you must choose the best answer for the question asked. Watch for general, specific, universal, superset, and subset answer selections. In other cases, none of the answers will seem correct. In these instances, you’ll need to select the least incorrect answer.

 By the way, the correct answer for this sample question is C. Maintaining human safety is always your first priority.

In addition to the standard multiple-choice question format, (ISC)2 has added a few advanced question formats, which it calls advanced innovative questions. These include drag-and-drop questions and hotspot questions. These types of questions require you to place topics or concepts in order of operations, in priority preference, or in relation to proper positioning for the needed solution. Specifically, the drag-and-drop questions require the test taker to move labels or icons to mark items on an image. The hotspot questions require the test taker to pinpoint a location on an image with a cross-hair marker. These question concepts are easy to work with and understand, but be careful about your accuracy of dropping or marking.

Advice on Taking the Exam

The CISSP exam consists of two key elements. First, you need to know the material from the eight domains. Second, you must have good test-taking skills. You have a maximum of 3 hours to achieve a passing standard with the potential to see up to 150 questions. Thus, you will have on average just over a minute for each question. Thus, it is important to work quickly, without rushing but also without wasting time.

Question skipping is no longer allowed on the CISSP exam, and you’re also not allowed to jump around, so one way or another, you have to come up with your best answer. We recommend you attempt to eliminate as many answer selections as possible before making a guess. Then you can make educated guesses from a reduced set of options to increase your chance of getting a question correct.

Also note that (ISC)2 does not disclose if there is partial credit given for multiple-part questions if you get only some of the elements correct. So, pay attention to questions with check boxes instead of radio buttons, and be sure to select as many items as necessary to properly address the question.

You will be provided a dry-erase board and a marker to jot down thoughts and make notes. But nothing written on that board will be used to alter your score. And that board must be returned to the test administrator prior to departing the test facility.

To maximize your test-taking activities, here are some general guidelines:

Read each question, then read the answer options, and then reread the question.

Eliminate wrong answers before selecting the correct one.

Watch for double negatives.

Be sure you understand what the question is asking.

Manage your time. You can take breaks during your test, but this might consume some of your test time. You might consider bringing a drink and snacks, but your food and drink will be stored for you away from the testing area, and that break time will count against your test time limit. Be sure to bring any medications or other essential items, but leave all things electronic at home or in your car. You should avoid wearing anything on your wrists, including watches, fitness trackers, and jewelry. You are not allowed to bring any form of noise-canceling headsets or ear buds, although you can use foam earplugs. We also recommend wearing comfortable clothes and taking a light jacket with you (some testing locations are a bit chilly).

If English is not your first language, you may register for one of several other language versions of the exam (when applicable). Or, if you choose to use the English version of the exam you may reference the translated (ISC)2 Certification Acronym and (ISC)2 Certification Terms glossaries, a complete list of acronyms and terms you may encounter during your (ISC)2 exam which is available from www.isc2.org.

Finally, (ISC)2 exam policies are subject to change. Please be sure to check www.isc2.org for the current policies before you register and take the exam.

 Occasionally, small changes are made to the exam or exam objectives. When that happens, Sybex will post updates to its website. Visit www.wiley.com/go/cissp8e before you sit for the exam to make sure you have the latest information.

Study and Exam Preparation Tips

We recommend planning for a month or so of nightly intensive study for the CISSP exam. Here are some suggestions to maximize your learning time; you can modify them as necessary based on your own learning habits:

Take one or two evenings to read each chapter in this book and work through its review material.

Answer all the review questions and take the practice exams provided in the book and in the test engine. Complete the written labs from each chapter, and use the review questions for each chapter to help guide you to topics for which more study or time spent working through key concepts and strategies might be beneficial.

Review the (ISC)

2

’s Exam Outline:

www.isc2.org

.

Use the flashcards included with the study tools to reinforce your understanding of concepts.

 We recommend spending about half of your study time reading and reviewing concepts and the other half taking practice exams. Students have reported that the more time they spent taking practice exams, the better they retained test topics. In addition to the practice tests with this Study Guide, Sybex also publishes (ISC)² CISSP Certified Information Systems Security Professional Official Practice Tests, 2nd Edition (ISBN: 978-1-119-47592-7). It contains 100 or more practice questions for each domain and four additional complete practice exams. Like this Study Guide, it also comes with an online version of the questions.

Completing the Certification Process

Once you have been informed that you successfully passed the CISSP certification, there is one final step before you are actually awarded the CISSP certification. That final step is known as endorsement. Basically, this involves getting someone who is a CISSP, or other (ISC)2 certification holder, in good standing and familiar with your work history to submit an endorsement form on your behalf. The endorsement form is accessible through the email notifying you of your achievement in passing the exam. The endorser must review your résumé, ensure that you have sufficient experience in the eight CISSP domains, and then submit the signed form to (ISC)2 digitally or via fax or post mail. You must have submitted the endorsement files to (ISC)2 within 9 months after receiving the confirmation-of-passing email. Once (ISC)2 receives your endorsement form, the certification process will be completed and you will be sent a welcome packet via USPS.

Post-CISSP Concentrations

(ISC)2 has three concentrations offered only to CISSP certificate holders. The (ISC)2 has taken the concepts introduced on the CISSP exam and focused on specific areas, namely, architecture, management, and engineering. These three concentrations are as follows:

Information Systems Security Architecture Professional (ISSAP) Aimed at those who specialize in information security architecture. Key domains covered here include access control systems and methodology; cryptography; physical security integration; requirements analysis and security standards, guidelines, and criteria; technology-related aspects of business continuity planning and disaster recovery planning; and telecommunications and network security. This is a credential for those who design security systems or infrastructure or for those who audit and analyze such structures.

Information Systems Security Management Professional (ISSMP) Aimed at those who focus on management of information security policies, practices, principles, and procedures. Key domains covered here include enterprise security management practices; enterprise-wide system development security; law, investigations, forensics, and ethics; oversight for operations security compliance; and understanding business continuity planning, disaster recovery planning, and continuity of operations planning. This is a credential for professionals who are responsible for security infrastructures, particularly where mandated compliance comes into the picture.

Information Systems Security Engineering Professional (ISSEP) Aimed at those who focus on the design and engineering of secure hardware and software information systems, components, or applications. Key domains covered include certification and accreditation, systems security engineering, technical management, and U.S. government information assurance rules and regulations. Most ISSEPs work for the U.S. government or for a government contractor that manages government security clearances.

For more details about these concentration exams and certifications, please see the (ISC)2 website at www.isc2.org.

Notes on This Book’s Organization

This book is designed to cover each of the eight CISSP Common Body of Knowledge domains in sufficient depth to provide you with a clear understanding of the material. The main body of this book comprises 21 chapters. The domain/chapter breakdown is as follows:

Chapters 1, 2, 3, and 4: Security and Risk Management

Chapter 5: Asset Security

Chapters 6, 7, 8, 9, and 10: Security Architecture and Engineering

Chapters 11 and 12: Communication and Network Security

Chapters 13 and 14: Identity and Access Management (IAM)

Chapters 15: Security Assessment and Testing

Chapters 16, 17, 18, and 19: Security Operations

Chapters 20 and 21: Software Development Security

Each chapter includes elements to help you focus your studies and test your knowledge, detailed in the following sections. Note: please see the table of contents and chapter introductions for a detailed list of domain topics covered in each chapter.

The Elements of This Study Guide

You’ll see many recurring elements as you read through this study guide. Here are descriptions of some of those elements:

Exam Essentials The Exam Essentials highlight topics that could appear on the exam in some form. While we obviously do not know exactly what will be included in a particular exam, this section reinforces significant concepts that are key to understanding the Common Body of Knowledge (CBK) area and the test specs for the CISSP exam.

Written Labs Each chapter includes written labs that synthesize various concepts and topics that appear in the chapter. These raise questions that are designed to help you put together various pieces you’ve encountered individually in the chapter and assemble them to propose or describe potential security strategies or solutions.

Real-World Scenarios As you work through each chapter, you’ll find descriptions of typical and plausible workplace situations where an understanding of the security strategies and approaches relevant to the chapter content could play a role in fixing problems or in fending off potential difficulties. This gives readers a chance to see how specific security policies, guidelines, or practices should or may be applied to the workplace.

Summaries The summary is a brief review of the chapter to sum up what was covered.

Chapter Review Questions Each chapter includes practice questions that have been designed to measure your knowledge of key ideas that were discussed in the chapter. After you finish each chapter, answer the questions; if some of your answers are incorrect, it’s an indication that you need to spend some more time studying the corresponding topics. The answers to the practice questions can be found at the end of each chapter.

What’s Included with the Additional Study Tools

Readers of this book can get access to a number of additional study tools. We worked really hard to provide some essential tools to help you with your certification process. All of the following gear should be loaded on your workstation when studying for the test.

 Readers can get access to the following tools by visiting

www.wiley.com/go/cissptestprep.

The Sybex Test Preparation Software

The test preparation software, made by experts at Sybex, prepares you for the CISSP exam. In this test engine, you will find all the review and assessment questions from the book plus additional bonus practice exams that are included with the study tools. You can take the assessment test, test yourself by chapter, take the practice exams, or take a randomly generated exam comprising all the questions.

Electronic Flashcards

Sybex’s electronic flashcards include hundreds of questions designed to challenge you further for the CISSP exam. Between the review questions, practice exams, and flashcards, you’ll have more than enough practice for the exam!

Glossary of Terms in PDF

Sybex offers a robust glossary of terms in PDF format. This comprehensive glossary includes all of the key terms you should understand for the CISSP, in a searchable format.

Bonus Practice Exams

Sybex includes bonus practice exams, each comprising questions meant to survey your understanding of key elements in the CISSP CBK. This book has six bonus exams, each comprising 150 questions to match the longest possible length of the real exam. These exams are available digitally at www.wiley.com/go/cissptestprep.

How to Use This Book’s Study Tools

This book has a number of features designed to guide your study efforts for the CISSP certification exam. It assists you by listing at the beginning of each chapter the CISSP Common Body of Knowledge domain topics covered in the chapter and by ensuring that each topic is fully discussed within the chapter. The review questions at the end of each chapter and the practice exams are designed to test your retention of the material you’ve read to make sure you are aware of areas in which you should spend additional study time. Here are some suggestions for using this book and study tools (found at www.wiley.com/go/cissptestprep):

Take the assessment test before you start reading the material. This will give you an idea of the areas in which you need to spend additional study time as well as those areas in which you may just need a brief refresher.

Answer the review questions after you’ve read each chapter; if you answer any incorrectly, go back to the chapter and review the topic, or utilize one of the additional resources if you need more information.

Download the flashcards to your mobile device, and review them when you have a few minutes during the day.

Take every opportunity to test yourself. In addition to the assessment test and review questions, there are bonus practice exams included with the additional study tools. Take these exams without referring to the chapters and see how well you’ve done—go back and review any topics you’ve missed until you fully understand and can apply the concepts.