The Official (ISC)2 Guide to the CISSP CBK Reference - John Warsinske - E-Book


John Warsinske

Description

The only official, comprehensive reference guide to the CISSP. All new for 2019 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)² for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor neutral and backed by (ISC)², the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024. This CBK covers the new eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Written by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:

* Common and good practices for each objective
* Common vocabulary and definitions
* References to widely accepted computing standards
* Highlights of successful approaches through case studies

Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.


Page count: 1747

Year of publication: 2019




CISSP: Certified Information Systems Security Professional

The Official (ISC)2® CISSP® CBK® Reference

Fifth Edition

JOHN WARSINSKE

WITH: MARK GRAFF, KEVIN HENRY, CHRISTOPHER HOOVER, BEN MALISOW, SEAN MURPHY, C. PAUL OAKES, GEORGE PAJARI, JEFF T. PARKER, DAVID SEIDL, MIKE VASQUEZ

Development Editor: Kelly Talbot

Senior Production Editor: Christine O'Connor

Copy Editor: Kim Wimpsett

Editorial Manager: Pete Gaughan

Production Manager: Kathleen Wisor

Associate Publisher: Jim Minatel

Proofreader: Louise Watson, Word One New York

Indexer: Johnna VanHoose Dinse

Project Coordinator, Cover: Brent Savage

Cover Designer: Wiley

Copyright © 2019 by (ISC)2

Published simultaneously in Canada

ISBN: 978-1-119-42334-8

ISBN: 978-1-119-42332-4 (ebk.)

ISBN: 978-1-119-42331-7 (ebk.)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2019936840

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2, CISSP, and CBK are registered trademarks of (ISC)2, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Lead Author and Lead Technical Reviewer

Over the course of his 30-plus years as an information technology professional, John Warsinske has been exposed to a breadth of technologies and governance structures. He has been, at various times, a network analyst, IT manager, project manager, security analyst, and chief information officer. He has worked in local, state, and federal government; has worked in public, private, and nonprofit organizations; and has been variously a contractor, direct employee, and volunteer. He has served in the U.S. military in assignments at the tactical, operational, and strategic levels across the entire spectrum from peace to war. In these diverse environments, he has experienced both the uniqueness and the similarities in the activities necessary to secure their respective information assets.

Mr. Warsinske has been an instructor for (ISC)2 for more than five years; prior to that, he was an adjunct faculty instructor at the College of Southern Maryland. His (ISC)2 certifications include the Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), and HealthCare Information Security and Privacy Practitioner (HCISPP). He maintains several other industry credentials as well.

When he is not traveling, Mr. Warsinske currently resides in Ormond Beach, Florida, with his wife and two extremely spoiled Carolina dogs.

Contributing Authors

Mark Graff (CISSP), former chief information security officer for both NASDAQ and Lawrence Livermore National Laboratory, is a seasoned cybersecurity practitioner and thought leader. He has lectured on risk analysis, cybersecurity, and privacy issues before the American Academy for the Advancement of Science, the Federal Communications Commission, the Pentagon, the National Nuclear Security Administration, and other U.S. national security facilities. Graff has twice testified before Congress on cybersecurity, and in 2018–2019 served as an expert witness on software security to the Federal Trade Commission. His books—notably Secure Coding: Principles and Practices—have been used at dozens of universities worldwide in teaching how to design and build secure software-based systems. Today, as head of the consulting firm Tellagraff LLC (www.markgraff.com), Graff provides strategic advice to large companies, small businesses, and government agencies. Recent work has included assisting multiple state governments in the area of election security.

Kevin Henry (CAP, CCSP, CISSP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP, CSSLP, and SSCP) is a passionate and effective educator and consultant in information security. Kevin has taught CISSP classes around the world and has contributed to the development of (ISC)2 materials for nearly 20 years. He is a frequent speaker at security conferences and the author of several books on security management. Kevin's years of work in telecommunications, government, and private industry have led to his strength in being able to combine real-world experience with the concepts and application of information security topics in an understandable and effective manner.

Chris Hoover, CISSP, CISA, is a cybersecurity and risk management professional with 20 years in the field. He spent most of his career protecting the U.S. government's most sensitive data in the Pentagon, the Baghdad Embassy, NGA Headquarters, Los Alamos Labs, and many other locations. Mr. Hoover also developed security products for RSA that are deployed across the U.S. federal government, many state governments, and internationally. He is currently consulting for the DoD and runs a risk management start-up called Riskuary. He has a master's degree in information assurance.

Ben Malisow, CISSP, CISM, CCSP, Security+, SSCP, has been involved in INFOSEC and education for more than 20 years. At Carnegie Mellon University, he crafted and delivered the CISSP prep course for CMU's CERT/SEU. Malisow was the ISSM for the FBI's most highly classified counterterror intelligence-sharing network, served as an Air Force officer, and taught grades 6–12 at a reform school in the Las Vegas public school district (probably his most dangerous employment to date). His latest work has included CCSP Practice Tests and CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide, also from Sybex/Wiley, and How to Pass Your INFOSEC Certification Test: A Guide to Passing the CISSP, CISA, CISM, Network+, Security+, and CCSP, available from Amazon Direct. In addition to other consulting and teaching, Ben is a certified instructor for (ISC)2, delivering CISSP, CCSP, and SSCP courses. You can reach him at www.benmalisow.com or his INFOSEC blog, securityzed.com. Ben would also like to extend his personal gratitude to Todd R. Slack, MS, JD, CIPP/US, CIPP/E, CIPM, FIP, CISSP, for his invaluable contributions to this book.

Sean Murphy, CISSP, HCISSP, is the vice president and chief information security officer for Premera Blue Cross (Seattle). He is responsible for providing and optimizing an enterprise-wide security program and architecture that minimizes risk, enables business imperatives, and further strengthens the health plan company's security posture. He's a healthcare information security expert with more than 20 years of experience in highly regulated, security-focused organizations. Sean retired from the U.S. Air Force (Medical Service Corps) after achieving the rank of lieutenant colonel. He has served as CIO and CISO in the military service and private sector at all levels of healthcare organizations. Sean has a master's degree in business administration (advanced IT concentration) from the University of South Florida, a master's degree in health services administration from Central Michigan University, and a bachelor's degree in human resource management from the University of Maryland. He is a board chair of the Association for Executives in Healthcare Information Security (AEHIS). Sean is a past chairman of the HIMSS Privacy and Security Committee. He served on the (ISC)2 committee to develop the HCISPP credential. He is also a noted speaker at the national level and the author of numerous industry whitepapers, articles, and educational materials, including his book Healthcare Information Security and Privacy.

C. Paul Oakes, CISSP, CISSP-ISSAP, CCSP, CCSK, CSM, and CSPO, is an author, speaker, educator, technologist, and thought leader in cybersecurity, software development, and process improvement. Paul has worn many hats over his 20-plus years of experience. In his career he has been a security architect, consultant, software engineer, mentor, educator, and executive. Paul has worked with companies in various industries such as the financial industry, banking, publishing, utilities, government, e-commerce, education, training, research, and technology start-ups. His work has advanced the cause of software and information security on many fronts, ranging from writing security policy to implementing secure code and showing others how to do the same. Paul's passion is to help people develop the skills they need to most effectively defend the line in cyberspace and advance the standard of cybersecurity practice. To this end, Paul continuously collaborates with experts across many disciplines, ranging from cybersecurity to accelerated learning to mind-body medicine, to create and share the most effective strategies to rapidly learn cybersecurity and information technology subject matter. Most of all, Paul enjoys his life with his wife and young son, both of whom are the inspirations for his passion.

George E. Pajari, CISSP-ISSAP, CISM, CIPP/E, is a fractional CISO, providing cybersecurity leadership on a consulting basis to a number of cloud service providers. Previously he was the chief information security officer (CISO) at Hootsuite, the most widely used social media management platform, trusted by more than 16 million people and employees at 80 percent of the Fortune 1000. He has presented at conferences including CanSecWest, ISACA CACS, and BSides Vancouver. As a volunteer, he helps with the running of BSides Vancouver, the (ISC)² Vancouver chapter, and the University of British Columbia's Cybersecurity Summit. He is a recipient of the ISACA CISM Worldwide Excellence Award.

Jeff Parker, CISSP, CySA+, CASP, is a certified technical trainer and security consultant specializing in governance, risk management, and compliance (GRC). Jeff began his information security career as a software engineer with an HP consulting group out of Boston. Enterprise clients for which Jeff has consulted on site include hospitals, universities, the U.S. Senate, and a half-dozen UN agencies. Jeff assessed these clients' security posture and provided gap analysis and remediation. In 2006 Jeff relocated to Prague, Czech Republic, for a few years, where he designed a new risk management strategy for a multinational logistics firm. Presently, Jeff resides in Halifax, Canada, while consulting primarily for a GRC firm in Virginia.

David Seidl, CISSP, GPEN, GCIH, CySA+, Pentest+, is the vice president for information technology and CIO at Miami University of Ohio. During his IT career, he has served in a variety of technical and information security roles, including serving as the senior director for Campus Technology Services at the University of Notre Dame and leading Notre Dame's information security team as director of information security. David has taught college courses on information security and writes books on information security and cyberwarfare, including CompTIA CySA+ Study Guide: Exam CS0-001, CompTIA PenTest+ Study Guide: Exam PT0-001, CISSP Official (ISC)2 Practice Tests, and CompTIA CySA+ Practice Tests: Exam CS0-001, all from Wiley, and Cyberwarfare: Information Operations in a Connected World from Jones and Bartlett. David holds a bachelor's degree in communication technology and a master's degree in information security from Eastern Michigan University.

Michael Neal Vasquez has more than 25 years of IT experience and has held several industry certifications, including CISSP, MCSE: Security, MCSE+I, MCDBA, and CCNA. Mike is a senior security engineer on the red team for a Fortune 500 financial services firm, where he spends his days (and nights) looking for security holes. After obtaining his BA from Princeton University, he forged a security-focused IT career, both working in the trenches and training other IT professionals. Mike is a highly sought-after instructor because his classes blend real-world experience and practical knowledge with the technical information necessary to comprehend difficult material, and his students praise his ability to make any course material entertaining and informative. Mike has taught CISSP, security, and Microsoft to thousands of students across the globe through local colleges and online live classes. He has performed penetration testing engagements for healthcare, financial services, retail, utilities, and government entities. He also runs his own consulting and training company and can be reached on LinkedIn at https://www.linkedin.com/in/mnvasquez.

Technical Reviewers

Bill Burke, CISSP, CCSP, CRISC, CISM, CEH, is a security professional with more than 35 years serving the information technology and services community. He specializes in security architecture, governance, and compliance, primarily in the cloud space. He previously served on the board of directors of the Silicon Valley (ISC)2 chapter, in addition to the board of directors of the Cloud Services Alliance – Silicon Valley. Bill can be reached via email at [email protected].

Charles Gaughf, CISSP, SSCP, CCSP, is both a member and an employee of (ISC)², the global nonprofit leader in educating and certifying information security professionals. For more than 15 years, he has worked in IT and security in different capacities for nonprofit, higher education, and telecommunications organizations to develop security education for the industry at large. In leading the security team for the last five years as the senior manager of security at (ISC)², he was responsible for the global security operations, security posture, and overall security health of (ISC)². Most recently he transitioned to the (ISC)² education team to develop immersive and enriching CPE opportunities and security training and education for the industry at large. He holds degrees in management of information systems and communications.

Dr. Meng-Chow Kang, CISSP, is a practicing information security professional with more than 30 years of field experience in various technical information security and risk management roles for organizations that include the Singapore government, major global financial institutions, and security and technology providers. His research and part of his experience in the field have been published in his book Responsive Security: Be Ready to Be Secure from CRC Press. Meng-Chow has been a CISSP since 1998 and was a member of the (ISC)2 board of directors from 2015 through 2017. He is also a recipient of the (ISC)2 James Wade Service Award.

Aaron Kraus, CISSP, CCSP, Security+, began his career as a security auditor for U.S. federal government clients working with the NIST RMF and Cybersecurity Framework, and then moved to the healthcare industry as an auditor working with the HIPAA and HITRUST frameworks. Next, he entered the financial services industry, where he designed a control and audit program for vendor risk management, incorporating financial compliance requirements and industry-standard frameworks including COBIT and ISO 27002. Since 2016 Aaron has been working with startups based in San Francisco, first on a GRC SaaS platform and more recently in cyber-risk insurance, where he focuses on assisting small- to medium-sized businesses to identify their risks, mitigate them appropriately, and transfer risk via insurance. In addition to his technical certifications, he is a Learning Tree certified instructor who teaches cybersecurity exam prep and risk management.

Professor Jill Slay, CISSP, CCFP, is the Optus Chair of Cybersecurity at La Trobe University, leads the Optus La Trobe Cyber Security Research Hub, and is the director of cyber-resilience initiatives for the Australian Computer Society. Jill is a director of the Victorian Oceania Research Centre and previously served two terms as a director of the International Information Systems Security Certification Consortium. She has established an international research reputation in cybersecurity (particularly digital forensics) and has worked in collaboration with many industry partners. She was made a Member of the Order of Australia (AM) for service to the information technology industry through contributions in the areas of forensic computer science, security, protection of infrastructure, and cyberterrorism. She is a fellow of the Australian Computer Society and a fellow of the International Information Systems Security Certification Consortium, both for her service to the information security industry. She also is a MACS CP.

CONTENTS

Cover

Lead Author and Lead Technical Reviewer

Contributing Authors

Technical Reviewers

Foreword

Introduction

Security and Risk Management

Asset Security

Security Architecture and Engineering

Communication and Network Security

Identity and Access Management (IAM)

Security Assessment and Testing

Security Operations

Software Development Security

DOMAIN 1 Security and Risk Management

Understand and Apply Concepts of Confidentiality, Integrity, and Availability

Evaluate and Apply Security Governance Principles

Determine Compliance Requirements

Understand Legal and Regulatory Issues That Pertain to Information Security in a Global Context

Understand, Adhere to, and Promote Professional Ethics

Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines

Identify, Analyze, and Prioritize Business Continuity Requirements

Contribute to and Enforce Personnel Security Policies and Procedures

Understand and Apply Risk Management Concepts

Understand and Apply Threat Modeling Concepts and Methodologies

Apply Risk-Based Management Concepts to the Supply Chain

Establish and Maintain a Security Awareness, Education, and Training Program

Summary

DOMAIN 2 Asset Security

Asset Security Concepts

Identify and Classify Information and Assets

Determine and Maintain Information and Asset Ownership

Protect Privacy

Ensure Appropriate Asset Retention

Determine Data Security Controls

Establish Information and Asset Handling Requirements

Summary

DOMAIN 3 Security Architecture and Engineering

Implement and Manage Engineering Processes Using Secure Design Principles

Understand the Fundamental Concepts of Security Models

Select Controls Based upon Systems Security Requirements

Understand Security Capabilities of Information Systems

Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements

Assess and Mitigate Vulnerabilities in Web-based Systems

Assess and Mitigate Vulnerabilities in Mobile Systems

Assess and Mitigate Vulnerabilities in Embedded Devices

Apply Cryptography

Apply Security Principles to Site and Facility Design

Implement Site and Facility Security Controls

Summary

DOMAIN 4 Communication and Network Security

Implement Secure Design Principles in Network Architectures

Secure Network Components

Implement Secure Communication Channels According to Design

Summary

DOMAIN 5 Identity and Access Management

Control Physical and Logical Access to Assets

Manage Identification and Authentication of People, Devices, and Services

Integrate Identity as a Third-Party Service

Implement and Manage Authorization Mechanisms

Manage the Identity and Access Provisioning Lifecycle

Summary

DOMAIN 6 Security Assessment and Testing

Design and Validate Assessment, Test, and Audit Strategies

Conduct Security Control Testing

Collect Security Process Data

Analyze Test Output and Generate Report

Conduct or Facilitate Security Audits

Summary

DOMAIN 7 Security Operations

Understand and Support Investigations

Understand Requirements for Investigation Types

Conduct Logging and Monitoring Activities

Securely Provision Resources

Understand and Apply Foundational Security Operations Concepts

Apply Resource Protection Techniques to Media

Conduct Incident Management

Operate and Maintain Detective and Preventative Measures

Implement and Support Patch and Vulnerability Management

Understand and Participate in Change Management Processes

Implement Recovery Strategies

Implement Disaster Recovery Processes

Test Disaster Recovery Plans

Participate in Business Continuity Planning and Exercises

Implement and Manage Physical Security

Address Personnel Safety and Security Concerns

Summary

DOMAIN 8 Software Development Security

Understand and Integrate Security in the Software Development Lifecycle

Identify and Apply Security Controls in Development Environments

Assess the Effectiveness of Software Security

Assess the Security Impact of Acquired Software

Define and Apply Secure Coding Standards and Guidelines

Summary

Index

End User License Agreement

List of Tables

Domain 1

Table 1.1

Domain 2

Table 2.1

Table 2.2

Table 2.3

Domain 3

Table 3.1

Table 3.2

Table 3.3

Table 3.4

Table 3.5

Domain 4

Table 4.1

Table 4.2

Table 4.3

Table 4.4

Domain 5

Table 5.1

Table 5.2

Domain 6

Table 6.1

Table 6.2

Domain 7

Table 7.1

Table 7.2

Domain 8

Table 8.1

Table 8.2

Table 8.3

Table 8.4

Table 8.5

Table 8.6

Table 8.7

Table 8.8

List of Illustrations

Domain 1

Figure 1.1 CIA Triad

Figure 1.2 The Parkerian Hexad

Figure 1.3 BIA

Figure 1.4 ISO 31000

Figure 1.5 International Society of Automation standards

Figure 1.6 PCI-DSS

Figure 1.7 NIST 800-30

Figure 1.8 OCTAVE Allegro

Figure 1.9 Supply chain information security risk management

Domain 2

Figure 2.1 General Benefits of Asset Classification

Figure 2.2 Asset Management Lifecycle

Figure 2.3 Relationship between Data Processor and Data Controller

Figure 2.4 Data States and Examples

Figure 2.5 Tailoring process

Figure 2.6 Side-by-side comparison of ISO 27002 and NIST SP 800-53 Family of Controls

Figure 2.7 Concepts of deduplication

Domain 3

Figure 3.1 n-tier architecture

Figure 3.2 Simple Security Property and Star Property rules

Figure 3.3 Simple Integrity Property and Star Integrity Property

Figure 3.4 Brewer-Nash security model

Figure 3.5 Plan-Do-Check-Act cycle

Figure 3.6 Operating System Memory Protection

Figure 3.7 An operating system efficiently allocates hardware resources between multiple p...

Figure 3.8 Type 1 Hypervisor

Figure 3.9 Trusted Platform Module processes

Figure 3.10 Trusted Platform Module hardware

Figure 3.11 A cryptographic module hardware device

Figure 3.12 A standalone appliance cryptographic hardware module

Figure 3.13 A smartcard

Figure 3.14 An industrial control system

Figure 3.15 The Cloud Share Responsibility Model for IaaS, PaaS, and SaaS

Figure 3.16 Components of the Mirai DDoS BotNet Attack

Figure 3.17 Electronic Code Book (ECB), Cipher Block Chaining (CBC), and Cipher Feedback (C...

Figure 3.18 Stream cipher encryption algorithm

Figure 3.19 Clock cipher encryption algorithm

Figure 3.20 Multiple rounds of mathematical functions in block ciphers

Figure 3.21 Block cipher with substitution of S-boxes

Figure 3.22 Block cipher with permutation of P-boxes

Figure 3.23 Adding padding at the end of a message in a block cipher

Figure 3.24 Electronic Code Book (ECB) padding produces serious weaknesses for longer messa...

Figure 3.25 Cipher Block Chaining (CBC) mode encryption

Figure 3.26 Cipher Feedback (CFB) mode encryption

Figure 3.27 Counter (CTR) mode encryption

Figure 3.28 A certificate chain protects a CA’s root private key

Figure 3.29 Producing and verifying a digital signature

Figure 3.30 Steps for using a cryptographic hash to detect tampering of a message FROM NIST ...

Figure 3.31 Hash-based Message Authentication Code (HMAC) process

Figure 3.32 Cryptography is vulnerable to human weaknesses and other implementation flaws SO...

Figure 3.33 A man-in-the-middle (MITM) attack

Figure 3.34 Preventing replay attacks with nonce (a number used once, chosen randomly)

Domain 4

Figure 4.1 OSI model

Figure 4.2 TCP three-way handshake

Figure 4.3 TCP/IP reference model

Figure 4.4 OSI and TCP/IP block diagram

Figure 4.5 TCP flag fields

Figure 4.6 Smurfing attack

Figure 4.7 Man-in-the-middle attack

Figure 4.8 Extranet advantages and disadvantages

Figure 4.9 Multiple firewall deployment architecture

Figure 4.10 NAT implemented on a perimeter firewall

Figure 4.11 A ring topology

Figure 4.12 A linear bus topology and a tree bus topology

Figure 4.13 A star topology

Figure 4.14 A mesh topology

Figure 4.15 Network Access Control

Figure 4.16 Common areas of increased risk in remote access

Figure 4.17 Responsibility matrix for cloud versions

Domain 5

Figure 5.1 Mantrap

Figure 5.2 Features of the hand

Figure 5.3 CER

Domain 7

Figure 7.1 ISO 27002 phases

Figure 7.2 AWS dashboard

Figure 7.3 Example of an organization’s incidents resulting in breaches

Domain 8

Figure 8.1 The Waterfall Model

Figure 8.2 The incremental model


Foreword

BEING RECOGNIZED AS A CISSP is an important step in investing in your information security career. Whether you are picking up this book to supplement your preparation to sit for the exam or you are an existing CISSP using this as a desk reference, you've acknowledged that this certification makes you recognized as one of the most respected and sought-after cybersecurity leaders in the world. After all, that's what the CISSP symbolizes. You and your peers are among the ranks of the most knowledgeable practitioners in our community. The designation of CISSP instantly communicates to everyone within our industry that you are intellectually curious and traveling along a path of lifelong learning and improvement. Importantly, as a member of (ISC)² you have officially committed to ethical conduct commensurate to your position of trust as a cybersecurity professional.

The recognized leader in the field of information security education and certification, (ISC)2 promotes the development of information security professionals throughout the world. As a CISSP with all the benefits of (ISC)2 membership, you are part of a global network of more than 140,000 certified professionals who are working to inspire a safe and secure cyber world.

Being a CISSP, though, is more than a credential; it is what you demonstrate daily in your information security role. The value of your knowledge is the proven ability to effectively design, implement, and manage a best-in-class cybersecurity program within your organization. To that end, it is my great pleasure to present the Official (ISC)2 Guide to the CISSP (Certified Information Systems Security Professional) CBK. Drawing from a comprehensive, up-to-date global body of knowledge, the CISSP CBK provides you with valuable insights on how to implement every aspect of cybersecurity in your organization.

If you are an experienced CISSP, you will find this edition of the CISSP CBK to be a timely book to frequently reference for reminders on best practices. If you are still gaining the experience and knowledge you need to join the ranks of CISSPs, the CISSP CBK is a deep dive that can be used to supplement your studies.

As the largest nonprofit membership body of certified information security professionals worldwide, (ISC)² recognizes the need to identify and validate not only information security competency but also the ability to connect knowledge of several domains when building high-functioning cybersecurity teams that demonstrate cyber resiliency. The CISSP credential represents advanced knowledge and competency in security design, implementation, architecture, operations, controls, and more.

If you are leading or ready to lead your security team, reviewing the Official (ISC)2 Guide to the CISSP CBK will be a great way to refresh your knowledge of the many factors that go into securely implementing and managing cybersecurity systems that match your organization's IT strategy and governance requirements. The goal for CISSP credential holders is to achieve the highest standard for cybersecurity expertise—managing multiplatform IT infrastructures while keeping sensitive data secure. This becomes especially crucial in the era of digital transformation, where cybersecurity permeates virtually every value stream imaginable. Organizations that can demonstrate world-class cybersecurity capabilities and trusted transaction methods can enable customer loyalty and fuel success.

The opportunity has never been greater for dedicated men and women to carve out a meaningful career and make a difference in their organizations. The CISSP CBK will be your constant companion in protecting and securing the critical data assets of your organization that will serve you for years to come.

Regards,

David P. Shearer, CISSP

CEO, (ISC)2

Introduction

THE CERTIFIED INFORMATION SYSTEMS Security Professional (CISSP) signifies that an individual has a cross-disciplinary expertise across the broad spectrum of information security and that he or she understands the context of it within a business environment. There are two main requirements that must be met in order to achieve the status of CISSP. One must take and pass the certification exam, while also proving a minimum of five years of direct full-time security work experience in two or more of the domains of the (ISC)² CISSP CBK. The field of information security is wide, and there are many potential paths along one's journey through this constantly and rapidly changing profession.

A firm comprehension of the domains within the CISSP CBK and an understanding of how they connect back to the business and its people are important components in meeting the requirements of the CISSP credential. Every reader will connect these domains to their own background and perspective. These connections will vary based on industry, regulatory environment, geography, culture, and unique business operating environment. With that sentiment in mind, this book's purpose is not to address all of these issues or prescribe a set path in these areas. Instead, the aim is to provide an official guide to the CISSP CBK and allow you, as a security professional, to connect your own knowledge, experience, and understanding to the CISSP domains and translate the CBK into value for your organization and the users you protect.

SECURITY AND RISK MANAGEMENT

The Security and Risk Management domain entails many of the foundational security concepts and principles of information security. This domain covers a broad set of topics and demonstrates how to generally apply the concepts of confidentiality, integrity, and availability across a security program. This domain also includes understanding compliance requirements, governance, building security policies and procedures, business continuity planning, risk management, and security education, training, and awareness, and most importantly it lays out the ethical canons and professional conduct to be demonstrated by (ISC)2 members.

The information security professional will be involved in all facets of security and risk management as part of the functions they perform across the enterprise. These functions may include developing and enforcing policy, championing governance and risk management, and ensuring the continuity of operations across an organization in the event of unforeseen circumstances. To that end, the information security professional must safeguard the organization's people and data.

ASSET SECURITY

The Asset Security domain covers the safeguarding of information and information assets across their lifecycle to include the proper collection, classification, handling, selection, and application of controls. Important concepts within this domain are data ownership, privacy, data security controls, and cryptography. Asset security is used to identify controls for information and the technology that supports the exchange of that information to include systems, media, transmission, and privilege.

The information security professional is expected to have a solid understanding of what must be protected, what access should be restricted, the control mechanisms available, how those mechanisms may be abused, and the appropriateness of those controls, and they should be able to apply the principles of confidentiality, integrity, availability, and privacy against those assets.

SECURITY ARCHITECTURE AND ENGINEERING

The Security Architecture and Engineering domain covers the process of designing and building secure and resilient information systems and associated architecture so that the information systems can perform their function while minimizing the threats that can be caused by malicious actors, human error, natural disasters, or system failures. Security must be considered in the design, in the implementation, and during the continuous delivery of an information system through its lifecycle. It is paramount to understand secure design principles and to be able to apply security models to a wide variety of distributed and disparate systems and to protect the facilities that house these systems.

An information security professional is expected to develop designs that demonstrate how controls are positioned and how they function within a system. The security controls must tie back to the overall system architecture and demonstrate how, through security engineering, those systems maintain the attributes of confidentiality, integrity, and availability.

COMMUNICATION AND NETWORK SECURITY

The Communication and Network Security domain covers secure design principles as they relate to network architectures. The domain provides a thorough understanding of components of a secure network, secure design, and models for secure network operation. The domain covers aspects of a layered defense, secure network technologies, and management techniques to prevent threats across a number of network types and converged networks.

It is necessary for an information security professional to have a thorough understanding of networks and the way in which organizations communicate. The connected world in which security professionals operate requires that organizations be able to access information and execute transactions in real time with an assurance of security. It is therefore important that an information security professional be able to identify threats and risks and then implement mitigation techniques and strategies to protect these communication channels.

IDENTITY AND ACCESS MANAGEMENT (IAM)

The Identity and Access Management (IAM) domain covers the mechanisms by which an information system permits or revokes the right to access information or perform an action against an information system. IAM is the mechanism by which organizations manage digital identities. IAM also includes the organizational policies and processes for managing digital identities as well as the underlying technologies and protocols needed to support identity management.

Information security professionals and users alike interact with components of IAM every day. This includes business services logon authentication, file and print systems, and nearly any information system that retrieves and manipulates data. This can mean users or a web service that exposes data for user consumption. IAM plays a critical and indispensable part in these transactions and in determining whether a user's request is validated or disqualified from access.

SECURITY ASSESSMENT AND TESTING

The Security Assessment and Testing domain covers the tenets of how to perform and manage the activities involved in security assessment and testing, which includes providing a check and balance to regularly verify that security controls are performing optimally and efficiently to protect information assets. The domain describes the array of tools and methodologies for performing various activities such as vulnerability assessments, penetration tests, and software tests.

The information security professional plays a critical role in ensuring that security controls remain effective over time. Changes to the business environment, technical environment, and new threats will alter the effectiveness of controls. It is important that the security professional be able to adapt controls in order to protect the confidentiality, integrity, and availability of information assets.

SECURITY OPERATIONS

The Security Operations domain includes a wide range of concepts, principles, best practices, and responsibilities that are core to effectively running security operations in any organization. This domain explains how to protect and control information processing assets in centralized and distributed environments and how to execute the daily tasks required to keep security services operating reliably and efficiently. These activities include performing and supporting investigations, monitoring security, performing incident response, implementing disaster recovery strategies, and managing physical security and personnel safety.

In the day-to-day operations of the organization, sustaining expected levels of confidentiality, availability, and integrity of information and business services is where the information security professional affects operational resiliency. The day-to-day securing, responding, monitoring, and maintenance of resources demonstrates how the information security professional is able to protect information assets and provide value to the organization.

SOFTWARE DEVELOPMENT SECURITY

The Software Development Security domain refers to the controls around software, its development lifecycle, and the vulnerabilities inherent in systems and applications. Applications and data are the foundation of an information system. An understanding of this process is essential to the development and maintenance required to ensure dependable and secure software. This domain also covers the development of secure coding guidelines and standards, as well as the impacts of acquired software.

Software underpins every system that the information security professional and users in every business interact with on a daily basis. Being able to provide leadership and direction to the development process, audit mechanisms, database controls, and web application threats are all elements that the information security professional will put in place as part of the Software Development Security domain.

DOMAIN 1: Security and Risk Management

IN THE POPULAR PRESS, we are bombarded with stories of technically savvy coders with nothing else to do except spend their days stealing information from computers connected to the Internet. Indeed, many security professionals have built their careers on the singular focus of defeating the wily hacker. As with all stereotypes, these exaggerations contain a grain of truth: there are capable hackers, and there are skilled defenders of systems. Yet these stereotypes obscure the greater challenge of ensuring information, in all its forms and throughout its lifecycle, is properly protected.

The Certified Information Systems Security Professional (CISSP) Common Body of Knowledge is designed to provide a broad foundational understanding of information security practice, applicable to a range of organizational structures and information systems. This foundational knowledge allows information security practitioners to communicate using a consistent language to solve technical, procedural, and policy challenges. Through this work, the security practice helps the business or organization achieve its mission efficiently and effectively.

The CBK addresses the role of information security as an essential component of an organization’s risk management activities. Organizations, regardless of type, create structures to solve problems. These structures often leverage frameworks of knowledge or practice to provide some predictability in process. The CISSP CBK provides a set of tools that allows the information security professional to integrate security practice into those frameworks, protecting the organization’s assets while respecting the unique trust that comes with the management of sensitive information.

This revision of the CISSP CBK acknowledges that the means by which we protect information and the range of information that demands protection are both rapidly evolving. One consequence of that evolution is a change in focus of the material. No longer is it enough to simply parrot a list of static facts or concepts—security professionals must demonstrate the relevance of those concepts to their particular business problems. Given the volume of information on which the CBK depends, the application of professional judgment in the study of the CBK is essential. Just as in the real world, answers may not be simple choices.

UNDERSTAND AND APPLY CONCEPTS OF CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY

For thousands of years, people have sought assurance that information has been captured, stored, communicated, and used securely. Depending on the context, differing levels of emphasis have been placed on the availability, integrity, and confidentiality of information, but achieving these basic objectives has always been at the heart of security practice.

As we moved from the time of mud tablets and papyrus scrolls into the digital era, we watched the evolution of technology to support these three objectives. In today’s world, where vast amounts of information are accessible at the click of a mouse, our security decision-making must still consider the people, processes, and systems that assure us that information is available when we need it, has not been altered, and is protected from disclosure to those not entitled to it.

This module will explore the implications of confidentiality, integrity, and availability (collectively, the CIA Triad) in current security practices. These interdependent concepts form a useful and important framework on which to base the study of information security practice.

Information Security

Information security processes, practices, and technologies can be evaluated based on how they impact the confidentiality, integrity, and availability of the information being communicated. The apparent simplicity of the CIA Triad drives a host of security principles, which translate into practices and are implemented with various technologies against a dizzying array of information sources (see Figure 1.1). Thus, a common understanding of the meaning of each of the elements in the triad allows security professionals to communicate effectively.

FIGURE 1.1 CIA Triad

Confidentiality

Ensuring that information is provided to only those people who are entitled to access that information has been one of the core challenges in effective communications. Confidentiality implies that access is limited. Controls need to be identified that separate those who need to know information from those who do not.

Once we have identified those with legitimate need, then we will apply controls to enforce their privilege to access the information. Applying the principle of least privilege ensures that individuals have only the minimum means to access the information to which they are entitled.
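As an added illustration of the two controls just described (not text or code from the CBK), the following Python models a default-deny read check in which a subject's clearance alone is not sufficient: the subject must also hold every need-to-know compartment the asset carries, which is how least privilege narrows access below what a clearance level would otherwise permit. The sensitivity levels, compartment names, subjects and assets are all constructed for the example.

```python
"""Need-to-know read check: an added example, not from the CBK.

Access is granted only when (a) the subject's clearance dominates the
asset's classification and (b) the subject holds every compartment the
asset requires. Anything else is denied, and every decision is recorded.
"""
from dataclasses import dataclass

# Assumed ordering of sensitivity levels (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    compartments: frozenset = frozenset()


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    compartments: frozenset = frozenset()


# In-memory audit trail of (subject, asset, decision); a real system would log this.
AUDIT = []


def may_read(subject: Subject, asset: Asset) -> bool:
    """Default deny: clearance must dominate classification AND need-to-know must hold."""
    if subject.clearance not in LEVELS or asset.classification not in LEVELS:
        AUDIT.append((subject.name, asset.name, "deny"))  # unknown label: fail closed
        return False
    level_ok = LEVELS[subject.clearance] >= LEVELS[asset.classification]
    need_to_know = asset.compartments <= subject.compartments  # subset test
    decision = level_ok and need_to_know
    AUDIT.append((subject.name, asset.name, "allow" if decision else "deny"))
    return decision


# Constructed sample subjects and assets.
ALICE = Subject("alice", "restricted", frozenset({"payroll"}))
BOB = Subject("bob", "restricted")               # high clearance, no payroll need-to-know
CAROL = Subject("carol", "internal", frozenset({"payroll"}))
PAYROLL_DB = Asset("payroll_db", "confidential", frozenset({"payroll"}))
NOTICE = Asset("public_notice", "public")


def demo() -> dict:
    """Run the four decisions that show clearance and need-to-know are separate gates."""
    return {
        "alice_payroll": may_read(ALICE, PAYROLL_DB),   # True: clearance + compartment
        "bob_payroll": may_read(BOB, PAYROLL_DB),       # False: clearance but no need-to-know
        "carol_payroll": may_read(CAROL, PAYROLL_DB),   # False: compartment but clearance too low
        "bob_notice": may_read(BOB, NOTICE),            # True: public, no compartments
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "allow" if v else "deny")
```

The subset test is what implements "need to know": holding a higher clearance than the asset (Bob) is deliberately not enough, and a missing or unknown label fails closed rather than open.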

Information about individuals is often characterized as having higher sensitivity to disclosure. The inappropriate disclosure of other types of information may also have adverse impacts on an organization’s operations. These impacts may include statutory or regulatory noncompliance, loss of unique intellectual property, financial penalties, or the loss of trust in the ability of the organization to act with due care for the information.

Integrity

To make good decisions requires acting on valid and accurate information. Change to information may occur inadvertently, or it may be the result of intentional acts. Ensuring the information has not been inappropriately changed requires the application of control over the creation, transmission, presentation, and storage of the information.

Detection of inappropriate change is one way to support higher levels of information integrity. Many mechanisms exist to detect change in information; cryptographic hashing, reference data, and logging are only some of the means by which detection of change can occur.
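The cryptographic-hashing approach mentioned above, as an added Python example (not from the CBK): a SHA-256 digest of a canonically serialized record serves as the reference data against which later copies are compared. The example also shows the limit of a bare hash, which anyone who can alter the record can simply recompute, and why a keyed HMAC held by the verifier closes that gap. The invoice record and the key are constructed for the example.

```python
"""Detecting change to a record with a hash and with a keyed HMAC.

Added example, not code from the CBK. The record and key are constructed.
"""
import hashlib
import hmac
import json

# Constructed sample record whose integrity we want to protect.
RECORD = {"invoice": 1042, "payee": "ACME Ltd", "amount_cents": 125000}


def canonical(record: dict) -> bytes:
    """Deterministic serialization so the digest does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(record: dict) -> str:
    """Unkeyed reference value: detects accidental or unsophisticated change."""
    return hashlib.sha256(canonical(record)).hexdigest()


def unchanged(record: dict, reference_digest: str) -> bool:
    """Compare in constant time to avoid leaking how many bytes matched."""
    return hmac.compare_digest(digest(record), reference_digest)


def mac(record: dict, key: bytes) -> str:
    """Keyed reference value: cannot be recomputed without the verifier's key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def mac_valid(record: dict, key: bytes, reference_mac: str) -> bool:
    return hmac.compare_digest(mac(record, key), reference_mac)


def scenarios(key: bytes) -> dict:
    """Which integrity checks catch which kinds of change (True = change detected)."""
    ref_digest = digest(RECORD)
    ref_mac = mac(RECORD, key)
    altered = dict(RECORD, amount_cents=1250000)          # one extra zero
    reordered = dict(reversed(list(RECORD.items())))      # same data, different order
    return {
        # A plain hash catches a silent edit when the stored digest is intact.
        "hash_catches_edit": not unchanged(altered, ref_digest),
        # Key order is not a change: canonical form gives the same digest.
        "hash_ignores_reordering": not unchanged(reordered, ref_digest),
        # If whoever edits the record can also overwrite the stored digest,
        # the plain hash no longer detects anything.
        "hash_catches_edit_with_refreshed_digest": not unchanged(altered, digest(altered)),
        # A MAC computed without the verifier's key fails verification.
        "mac_catches_edit_without_key": not mac_valid(altered, key, mac(altered, b"other-key")),
        # The original record still verifies against its stored MAC.
        "mac_accepts_original": mac_valid(RECORD, key, ref_mac),
    }


if __name__ == "__main__":
    for name, caught in scenarios(b"constructed-demo-key").items():
        print(f"{name}: {caught}")
```

The third scenario is the one practitioners most often miss: a hash stored alongside the data it protects is only reference data if the integrity of that reference is itself protected, by a key the writer does not hold, by a separate log, or by storage the writer cannot reach.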

Other controls ensure the information has sufficient quality to be relied upon for decisions. Executing well-formed transactions against constrained data items ensures the system maintains integrity as information is captured. Controls that address separation of duties, application of least privilege, and audit against standards also support the validity aspect of data integrity.

Availability

Availability ensures that the information is accessible when it is needed. Many circumstances can disrupt information availability. Physical destruction of the information, disruption of the communications path, and inappropriate application of access controls are only a few of the ways availability can be compromised.

Availability controls must address people, processes, and systems. High availability systems such as provided by cloud computing or clustering are of little value if the people necessary to perform the tasks for the organization are unavailable. The challenge for the information security architect is to identify those single points of failure in a system and apply a sufficient amount of control to satisfy the organization’s risk appetite.

Taken together, the CIA Triad provides a structure for characterizing the information security implications of a concept, technology, or process. It is infrequent, however, that such a characterization would have implications on only one side of the triad. For example, applying cryptographic protections over information may indeed ensure the confidentiality of information and, depending on the cryptographic approach, support higher levels of integrity, but the loss of the keys to those who are entitled to the information would certainly have an availability implication!

Limitations of the CIA Triad

The CIA Triad evolved out of theoretical work done in the mid-1960s. Precisely because of its simplicity, the rise of distributed systems and the vast number of new applications of new technology have led researchers and security practitioners to extend the triad’s coverage.

Guaranteeing the identities of parties involved in communications is essential to confidentiality. The CIA Triad does not directly address the issues of authenticity and nonrepudiation; the point of nonrepudiation is that neither party can deny having participated in the communication. This extension of the triad addresses aspects of confidentiality and integrity that were never considered in the early theoretical work.

The National Institute of Standards and Technology (NIST) Special Publication 800-33, “Underlying Technical Models for Information Technology Security,” included the CIA Triad as three of its five security objectives, but added the concepts of accountability (that actions of an entity may be traced uniquely to that entity) and assurance (the basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the information it processes). The NIST work remains influential as an effort to codify best-practice approaches to systems security.

Perhaps the most widely accepted extension to the CIA Triad was proposed by information security pioneer Donn B. Parker. In extending the triad, Parker incorporated three additional concepts into the model, arguing that these concepts were both atomic (could not be further broken down conceptually) and nonoverlapping. This framework has come to be known as the Parkerian Hexad (see Figure 1.2). The Parkerian Hexad contains the following concepts:

Confidentiality: The limits on who has access to information

Integrity: Whether the information is in its intended state

Availability: Whether the information can be accessed in a timely manner

Authenticity: The proper attribution of the person who created the information

Utility: The usefulness of the information

Possession or control: The physical state where the information is maintained

FIGURE 1.2 The Parkerian Hexad

Subsequent academic work produced dozens of other information security models, all aimed at the same fundamental issue—how to characterize information security risks. For the security professional, a solid understanding of the CIA Triad is essential when communicating about information security practice.

EVALUATE AND APPLY SECURITY GOVERNANCE PRINCIPLES

A security-aware culture requires all levels of the organization to see security as integral to its activities. The organization’s governance structure, when setting the vision for the organization, should ensure that protecting the organization’s assets and meeting the compliance requirements are integral to acting as good stewards of the organization. Once the organization’s governance structure implements policies that reflect its level of acceptable risk, management can act with diligence to implement good security practices.

Alignment of Security Functions to Business Strategy, Goals, Mission, and Objectives

Information security practice exists to support the organization in the achievement of its goals. To achieve those goals, the information security practice must take into account the organizational leadership environment, corporate risk tolerance, compliance expectations, new and legacy technologies and practices, and a constantly evolving set of threats. To be effective, the information security practitioner must be able to communicate about risk and technology in a manner that will support good corporate decision-making.

Vision, Mission, and Strategy

Every organization has a purpose. Some organizations define that purpose clearly and elegantly, in a manner that communicates to all the stakeholders of the organization the niche that the organization uniquely fills. An organization’s mission statement should drive the organization’s activities to ensure the efficient and effective allocation of time, resources, and effort.

The organization’s purpose may be defined by a governmental mandate or jurisdiction. For other organizations, the purpose may be to make products or deliver services for commercial gain. Still other organizations exist to support their stakeholders’ vision of society. Regardless, the mission clearly states why an organization exists, and this statement of purpose should drive all corporate activities.

What organizations do now, however, is usually different from what they will do in the future. For an organization to evolve to its future state, a clear vision statement should inspire the members of the organization to work toward that end. Often, this will require the organization to change the allocation of time, resources, and efforts to that new and desired state.

How the organization will go about achieving its vision is the heart of the organization’s strategy. At the most basic level, a corporate strategy is deciding where to spend time and resources to accomplish a task. Deciding what that task is, however, is often the hardest part of the process. Many organizations lack the focus on what it is they want to achieve, resulting in inefficient allocation of time and resources.

Protecting an organization’s information assets is a critical part of the organization’s strategy. Whether that information is written on paper, is managed by an electronic system, or exists in the minds of the organization’s people, the basic challenge remains the same: ensuring the confidentiality, integrity, and availability of the information.

It is a long-held tenet that an organization’s information security practice should support the organization’s mission, vision, and strategy. Grounded in a solid base of information security theory, the application of the principles of information security should enable the organization to perform its mission efficiently and effectively with an acceptable level of risk.

Governance

The organization’s mission and vision must be defined at the highest levels of the organization. In public-sector organizations, governance decisions are made through the legislative process. In corporate environments, the organization’s board of directors serves a similar role, albeit constrained by the laws of the jurisdictions in which that entity conducts business.