(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

CISSP Study Guide - fully updated for the 2021 CISSP Body of Knowledge(ISC)2 Certified Information Systems Security Professional (CISSP) Official Study Guide, 9th Edition has been completely updated based on the latest 2021 CISSP Exam Outline. This bestselling Sybex Study Guide covers 100% of the exam objectives. You'll prepare for the exam smarter and faster with Sybex thanks to expert content, knowledge from our real-world experience, advice on mastering this adaptive exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic exam essentials and chapter review questions.The three co-authors of this book bring decades of experience as cybersecurity practitioners and educators, integrating real-world expertise with the practical knowledge you'll need to successfully pass the CISSP exam. Combined, they've taught cybersecurity concepts to millions of students through their books, video courses, and live training programs.Along with the book, you also get access to Sybex's superior online interactive learning environment that includes:* Over 900 new and improved practice test questions with complete answer explanations. This includes all of the questions from the book plus four additional online-only practice exams, each with 125 unique questions. You can use the online-only practice exams as full exam simulations. Our questions will help you identify where you need to study more. Get more than 90 percent of the answers correct, and you're ready to take the certification exam.* More than 700 Electronic Flashcards to reinforce your learning and give you last-minute test prep before the exam* A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam* New for the 9th edition: Audio Review. Author Mike Chapple reads the Exam Essentials for each chapter providing you with 2 hours and 50 minutes of new audio review for yet another way to reinforce your knowledge as you prepare.Coverage of all of the exam topics in the book means you'll be ready for:* Security and Risk Management* Asset Security* Security Architecture and Engineering* Communication and Network Security* Identity and Access Management (IAM)* Security Assessment and Testing* Security Operations* Software Development Security

Introduction xxxviiAssessment Test lixChapter 1 Security Governance Through Principles and Policies 1Security 101 3Understand and Apply Security Concepts 4Confidentiality 5Integrity 6Availability 7DAD, Overprotection, Authenticity, Non-repudiation, and AAA Services 7Protection Mechanisms 11Security Boundaries 13Evaluate and Apply Security Governance Principles 14Third-Party Governance 15Documentation Review 15Manage the Security Function 16Alignment of Security Function to Business Strategy, Goals, Mission, and Objectives 17Organizational Processes 19Organizational Roles and Responsibilities 21Security Control Frameworks 22Due Diligence and Due Care 23Security Policy, Standards, Procedures, and Guidelines 23Security Policies 24Security Standards, Baselines, and Guidelines 24Security Procedures 25Threat Modeling 26Identifying Threats 26Determining and Diagramming Potential Attacks 28Performing Reduction Analysis 28Prioritization and Response 30Supply Chain Risk Management 31Summary 33Exam Essentials 33Written Lab 36Review Questions 37Chapter 2 Personnel Security and Risk Management Concepts 43Personnel Security Policies and Procedures 45Job Descriptions and Responsibilities 45Candidate Screening and Hiring 46Onboarding: Employment Agreements and Policies 47Employee Oversight 48Offboarding, Transfers, and Termination Processes 49Vendor, Consultant, and Contractor Agreements and Controls 52Compliance Policy Requirements 53Privacy Policy Requirements 54Understand and Apply Risk Management Concepts 55Risk Terminology and Concepts 56Asset Valuation 58Identify Threats and Vulnerabilities 60Risk Assessment/Analysis 60Risk Responses 66Cost vs. Benefit of Security Controls 69Countermeasure Selection and Implementation 72Applicable Types of Controls 74Security Control Assessment 76Monitoring and Measurement 76Risk Reporting and Documentation 77Continuous Improvement 77Risk Frameworks 79Social Engineering 81Social Engineering Principles 83Eliciting Information 85Prepending 85Phishing 85Spear Phishing 87Whaling 87Smishing 88Vishing 88Spam 89Shoulder Surfing 90Invoice Scams 90Hoax 90Impersonation and Masquerading 91Tailgating and Piggybacking 91Dumpster Diving 92Identity Fraud 93Typo Squatting 94Influence Campaigns 94Establish and Maintain a Security Awareness, Education, and Training Program 96Awareness 97Training 97Education 98Improvements 98Effectiveness Evaluation 99Summary 100Exam Essentials 101Written Lab 106Review Questions 107Chapter 3 Business Continuity Planning 113Planning for Business Continuity 114Project Scope and Planning 115Organizational Review 116BCP Team Selection 117Resource Requirements 119Legal and Regulatory Requirements 120Business Impact Analysis 121Identifying Priorities 122Risk Identification 123Likelihood Assessment 125Impact Analysis 126Resource Prioritization 128Continuity Planning 128Strategy Development 129Provisions and Processes 129Plan Approval and Implementation 131Plan Approval 131Plan Implementation 132Training and Education 132BCP Documentation 132Summary 136Exam Essentials 137Written Lab 138Review Questions 139Chapter 4 Laws, Regulations, and Compliance 143Categories of Laws 144Criminal Law 144Civil Law 146Administrative Law 146Laws 147Computer Crime 147Intellectual Property (IP) 152Licensing 158Import/Export 158Privacy 160State Privacy Laws 168Compliance 169Contracting and Procurement 171Summary 171Exam Essentials 172Written Lab 173Review Questions 174Chapter 5 Protecting Security of Assets 179Identifying and Classifying Information and Assets 180Defining Sensitive Data 180Defining Data Classifications 182Defining Asset Classifications 185Understanding Data States 185Determining Compliance Requirements 186Determining Data Security Controls 186Establishing Information and Asset Handling Requirements 188Data Maintenance 189Data Loss Prevention 189Marking Sensitive Data and Assets 190Handling Sensitive Information and Assets 192Data Collection Limitation 192Data Location 193Storing Sensitive Data 193Data Destruction 194Ensuring Appropriate Data and Asset Retention 197Data Protection Methods 199Digital Rights Management 199Cloud Access Security Broker 200Pseudonymization 200Tokenization 201Anonymization 202Understanding Data Roles 204Data Owners 204Asset Owners 205Business/Mission Owners 206Data Processors and Data Controllers 206Data Custodians 207Administrators 207Users and Subjects 208Using Security Baselines 208Comparing Tailoring and Scoping 209Standards Selection 210Summary 211Exam Essentials 211Written Lab 213Review Questions 214Chapter 6 Cryptography and Symmetric Key Algorithms 219Cryptographic Foundations 220Goals of Cryptography 220Cryptography Concepts 223Cryptographic Mathematics 224Ciphers 230Modern Cryptography 238Cryptographic Keys 238Symmetric Key Algorithms 239Asymmetric Key Algorithms 241Hashing Algorithms 244Symmetric Cryptography 244Cryptographic Modes of Operation 245Data Encryption Standard 247Triple DES 247International Data Encryption Algorithm 248Blowfish 249Skipjack 249Rivest Ciphers 249Advanced Encryption Standard 250CAST 250Comparison of Symmetric Encryption Algorithms 251Symmetric Key Management 252Cryptographic Lifecycle 255Summary 255Exam Essentials 256Written Lab 257Review Questions 258Chapter 7 PKI and Cryptographic Applications 263Asymmetric Cryptography 264Public and Private Keys 264RSA 265ElGamal 267Elliptic Curve 268Diffie-Hellman Key Exchange 269Quantum Cryptography 270Hash Functions 271SHA 272MD5 273RIPEMD 273Comparison of Hash Algorithm Value Lengths 274Digital Signatures 275HMAC 276Digital Signature Standard 277Public Key Infrastructure 277Certificates 278Certificate Authorities 279Certificate Lifecycle 280Certificate Formats 283Asymmetric Key Management 284Hybrid Cryptography 285Applied Cryptography 285Portable Devices 285Email 286Web Applications 290Steganography and Watermarking 292Networking 294Emerging Applications 295Cryptographic Attacks 297Summary 301Exam Essentials 302Written Lab 303Review Questions 304Chapter 8 Principles of Security Models, Design, and Capabilities 309Secure Design Principles 310Objects and Subjects 311Closed and Open Systems 312Secure Defaults 314Fail Securely 314Keep It Simple 316Zero Trust 317Privacy by Design 319Trust but Verify 319Techniques for Ensuring CIA 320Confinement 320Bounds 320Isolation 321Access Controls 321Trust and Assurance 321Understand the Fundamental Concepts of Security Models 322Trusted Computing Base 323State Machine Model 325Information Flow Model 325Noninterference Model 326Take-Grant Model 326Access Control Matrix 327Bell-LaPadula Model 328Biba Model 330Clark-Wilson Model 333Brewer and Nash Model 334Goguen-Meseguer Model 335Sutherland Model 335Graham-Denning Model 335Harrison-Ruzzo-Ullman Model 336Select Controls Based on Systems Security Requirements 337Common Criteria 337Authorization to Operate 340Understand Security Capabilities of Information Systems 341Memory Protection 341Virtualization 342Trusted Platform Module 342Interfaces 343Fault Tolerance 343Encryption/Decryption 343Summary 343Exam Essentials 344Written Lab 347Review Questions 348Chapter 9 Security Vulnerabilities, Threats, and Countermeasures 353Shared Responsibility 354Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 355Hardware 356Firmware 370Client-Based Systems 372Mobile Code 372Local Caches 375Server-Based Systems 375Large-Scale Parallel Data Systems 376Grid Computing 377Peer to Peer 378Industrial Control Systems 378Distributed Systems 380High-Performance Computing (HPC) Systems 382Internet of Things 383Edge and Fog Computing 385Embedded Devices and Cyber-Physical Systems 386Static Systems 387Network-Enabled Devices 388Cyber-Physical Systems 389Elements Related to Embedded and Static Systems 389Security Concerns of Embedded and Static Systems 390Specialized Devices 393Microservices 394Infrastructure as Code 395Virtualized Systems 397Virtual Software 399Virtualized Networking 400Software-Defined Everything 400Virtualization Security Management 403Containerization 405Serverless Architecture 406Mobile Devices 406Mobile Device Security Features 408Mobile Device Deployment Policies 420Essential Security Protection Mechanisms 426Process Isolation 426Hardware Segmentation 427System Security Policy 427Common Security Architecture Flaws and Issues 428Covert Channels 428Attacks Based on Design or Coding Flaws 430Rootkits 431Incremental Attacks 431Summary 432Exam Essentials 433Written Lab 440Review Questions 441Chapter 10 Physical Security Requirements 447Apply Security Principles to Site and Facility Design 448Secure Facility Plan 448Site Selection 449Facility Design 450Implement Site and Facility Security Controls 452Equipment Failure 453Wiring Closets 454Server Rooms/Data Centers 455Intrusion Detection Systems 458Cameras 460Access Abuses 462Media Storage Facilities 462Evidence Storage 463Restricted and Work Area Security 464Utility Considerations 465Fire Prevention, Detection, and Suppression 470Implement and Manage Physical Security 476Perimeter Security Controls 477Internal Security Controls 481Key Performance Indicators of Physical Security 483Summary 484Exam Essentials 485Written Lab 488Review Questions 489Chapter 11 Secure Network Architecture and Components 495OSI Model 497History of the OSI Model 497OSI Functionality 498Encapsulation/Deencapsulation 498OSI Layers 500TCP/IP Model 504Analyzing Network Traffic 505Common Application Layer Protocols 506Transport Layer Protocols 508Domain Name System 509DNS Poisoning 511Domain Hijacking 514Internet Protocol (IP) Networking 516IPv4 vs. IPv6 516IP Classes 517ICMP 519IGMP 519ARP Concerns 519Secure Communication Protocols 521Implications of Multilayer Protocols 522Converged Protocols 523Voice over Internet Protocol (VoIP) 524Software-Defined Networking 525Microsegmentation 526Wireless Networks 527Securing the SSID 529Wireless Channels 529Conducting a Site Survey 530Wireless Security 531Wi-Fi Protected Setup (WPS) 533Wireless MAC Filter 534Wireless Antenna Management 534Using Captive Portals 535General Wi-Fi Security Procedure 535Wireless Communications 536Wireless Attacks 539Other Communication Protocols 543Cellular Networks 544Content Distribution Networks (CDNs) 545Secure Network Components 545Secure Operation of Hardware 546Common Network Equipment 547Network Access Control 549Firewalls 550Endpoint Security 556Cabling, Topology, and Transmission Media Technology 559Transmission Media 559Network Topologies 563Ethernet 565Sub-Technologies 566Summary 569Exam Essentials 570Written Lab 574Review Questions 575Chapter 12 Secure Communications and Network Attacks 581Protocol Security Mechanisms 582Authentication Protocols 582Port Security 585Quality of Service (QoS) 585Secure Voice Communications 586Public Switched Telephone Network 586Voice over Internet Protocol (VoIP) 586Vishing and Phreaking 588PBX Fraud and Abuse 589Remote Access Security Management 590Remote Access and Telecommuting Techniques 591Remote Connection Security 591Plan a Remote Access Security Policy 592Multimedia Collaboration 593Remote Meeting 593Instant Messaging and Chat 594Load Balancing 595Virtual IPs and Load Persistence 596Active-Active vs. Active-Passive 596Manage Email Security 596Email Security Goals 597Understand Email Security Issues 599Email Security Solutions 599Virtual Private Network 602Tunneling 603How VPNs Work 604Always-On 606Split Tunnel vs. Full Tunnel 607Common VPN Protocols 607Switching and Virtual LANs 610Network Address Translation 614Private IP Addresses 616Stateful NAT 617Automatic Private IP Addressing 617Third-Party Connectivity 618Switching Technologies 620Circuit Switching 620Packet Switching 620Virtual Circuits 621WAN Technologies 622Fiber-Optic Links 624Security Control Characteristics 624Transparency 625Transmission Management Mechanisms 625Prevent or Mitigate Network Attacks 625Eavesdropping 626Modification Attacks 626Summary 626Exam Essentials 628Written Lab 630Review Questions 631Chapter 13 Managing Identity and Authentication 637Controlling Access to Assets 639Controlling Physical and Logical Access 640The CIA Triad and Access Controls 640Managing Identification and Authentication 641Comparing Subjects and Objects 642Registration, Proofing, and Establishment of Identity 643Authorization and Accountability 644Authentication Factors Overview 645Something You Know 647Something You Have 650Something You Are 651Multifactor Authentication (MFA) 655Two-Factor Authentication with Authenticator Apps 655Passwordless Authentication 656Device Authentication 657Service Authentication 658Mutual Authentication 659Implementing Identity Management 659Single Sign-On 659SSO and Federated Identities 660Credential Management Systems 662Credential Manager Apps 663Scripted Access 663Session Management 663Managing the Identity and Access Provisioning Lifecycle 664Provisioning and Onboarding 665Deprovisioning and Offboarding 666Defining New Roles 667Account Maintenance 667Account Access Review 667Summary 668Exam Essentials 669Written Lab 671Review Questions 672Chapter 14 Controlling and Monitoring Access 677Comparing Access Control Models 678Comparing Permissions, Rights, and Privileges 678Understanding Authorization Mechanisms 679Defining Requirements with a Security Policy 681Introducing Access Control Models 681Discretionary Access Control 682Nondiscretionary Access Control 683Implementing Authentication Systems 690Implementing SSO on the Internet 691Implementing SSO on Internal Networks 694Understanding Access Control Attacks 699Risk Elements 700Common Access Control Attacks 700Core Protection Methods 713Summary 714Exam Essentials 715Written Lab 717Review Questions 718Chapter 15 Security Assessment and Testing 723Building a Security Assessment and Testing Program 725Security Testing 725Security Assessments 726Security Audits 727Performing Vulnerability Assessments 731Describing Vulnerabilities 731Vulnerability Scans 732Penetration Testing 742Compliance Checks 745Testing Your Software 746Code Review and Testing 746Interface Testing 751Misuse Case Testing 751Test Coverage Analysis 752Website Monitoring 752Implementing Security Management Processes 753Log Reviews 753Account Management 754Disaster Recovery and Business Continuity 754Training and Awareness 755Key Performance and Risk Indicators 755Summary 756Exam Essentials 756Written Lab 758Review Questions 759Chapter 16 Managing Security Operations 763Apply Foundational Security Operations Concepts 765Need to Know and Least Privilege 765Separation of Duties (SoD) and Responsibilities 767Two-PersonControl 768Job Rotation 768Mandatory Vacations 768Privileged Account Management 769Service Level Agreements (SLAs) 771Addressing Personnel Safety and Security 771Duress 771Travel 772Emergency Management 773Security Training and Awareness 773Provision Resources Securely 773Information and Asset Ownership 774Asset Management 774Apply Resource Protection 776Media Management 776Media Protection Techniques 776Managed Services in the Cloud 779Shared Responsibility with Cloud Service Models 780Scalability and Elasticity 782Perform Configuration Management (CM) 782Provisioning 783Baselining 783Using Images for Baselining 783Automation 784Managing Change 785Change Management 787Versioning 788Configuration Documentation 788Managing Patches and Reducing Vulnerabilities 789Systems to Manage 789Patch Management 789Vulnerability Management 791Vulnerability Scans 792Common Vulnerabilities and Exposures 792Summary 793Exam Essentials 794Written Lab 796Review Questions 797Chapter 17 Preventing and Responding to Incidents 801Conducting Incident Management 803Defining an Incident 803Incident Management Steps 804Implementing Detective and Preventive Measures 810Basic Preventive Measures 810Understanding Attacks 811Intrusion Detection and Prevention Systems 820Specific Preventive Measures 828Logging and Monitoring 834Logging Techniques 834The Role of Monitoring 837Monitoring Techniques 840Log Management 844Egress Monitoring 844Automating Incident Response 845Understanding SOAR 845Machine Learning and AI Tools 846Threat Intelligence 847The Intersection of SOAR, Machine Learning, AI, and Threat Feeds 850Summary 851Exam Essentials 852Written Lab 855Review Questions 856Chapter 18 Disaster Recovery Planning 861The Nature of Disaster 863Natural Disasters 864Human-MadeDisasters 869Understand System Resilience, High Availability, and Fault Tolerance 875Protecting Hard Drives 875Protecting Servers 877Protecting Power Sources 878Trusted Recovery 879Quality of Service 880Recovery Strategy 880Business Unit and Functional Priorities 881Crisis Management 882Emergency Communications 882Workgroup Recovery 883Alternate Processing Sites 883Database Recovery 888Recovery Plan Development 890Emergency Response 891Personnel and Communications 891Assessment 892Backups and Off-site Storage 892Software Escrow Arrangements 896Utilities 897Logistics and Supplies 897Recovery vs. Restoration 897Training, Awareness, and Documentation 898Testing and Maintenance 899Read-ThroughTest 899Structured Walk-Through 900Simulation Test 900Parallel Test 900Full-Interruption Test 900Lessons Learned 901Maintenance 901Summary 902Exam Essentials 902Written Lab 903Review Questions 904Chapter 19 Investigations and Ethics 909Investigations 910Investigation Types 910Evidence 913Investigation Process 919Major Categories of Computer Crime 923Military and Intelligence Attacks 924Business Attacks 925Financial Attacks 926Terrorist Attacks 926Grudge Attacks 927Thrill Attacks 928Hacktivists 928Ethics 929Organizational Code of Ethics 929(ISC)² Code of Ethics 930Ethics and the Internet 931Summary 933Exam Essentials 934Written Lab 935Review Questions 936Chapter 20 Software Development Security 941Introducing Systems Development Controls 943Software Development 943Systems Development Lifecycle 952Lifecycle Models 955Gantt Charts and PERT 964Change and Configuration Management 964The DevOps Approach 966Application Programming Interfaces 967Software Testing 969Code Repositories 970Service-LevelAgreements 971Third-PartySoftware Acquisition 972Establishing Databases and Data Warehousing 973Database Management System Architecture 973Database Transactions 977Security for Multilevel Databases 978Open Database Connectivity 982NoSQL 982Storage Threats 983Understanding Knowledge-Based Systems 984Expert Systems 984Machine Learning 985Neural Networks 986Summary 987Exam Essentials 987Written Lab 988Review Questions 989Chapter 21 Malicious Code and Application Attacks 993Malware 994Sources of Malicious Code 995Viruses 995Logic Bombs 999Trojan Horses 1000Worms 1001Spyware and Adware 1004Ransomware 1004Malicious Scripts 1005Zero-DayAttacks 1006Malware Prevention 1006Platforms Vulnerable to Malware 1007Antimalware Software 1007Integrity Monitoring 1008Advanced Threat Protection 1008Application Attacks 1009Buffer Overflows 1009Time of Check to Time of Use 1010Backdoors 1011Privilege Escalation and Rootkits 1011Injection Vulnerabilities 1012SQL Injection Attacks 1012Code Injection Attacks 1016Command Injection Attacks 1016Exploiting Authorization Vulnerabilities 1017Insecure Direct Object References 1018Directory Traversal 1018File Inclusion 1020Exploiting Web Application Vulnerabilities 1020Cross-SiteScripting (XSS) 1021Request Forgery 1023Session Hijacking 1024Application Security Controls 1025Input Validation 1025Web Application Firewalls 1027Database Security 1028Code Security 1029Secure Coding Practices 1031Source Code Comments 1031Error Handling 1032Hard-CodedCredentials 1033Memory Management 1034Summary 1035Exam Essentials 1035Written Lab 1036Review Questions 1037Appendix A Answers to Review Questions 1041Chapter 1: Security Governance Through Principles and Policies 1042Chapter 2: Personnel Security and Risk Management Concepts 1045Chapter 3: Business Continuity Planning 1049Chapter 4: Laws, Regulations, and Compliance 1051Chapter 5: Protecting Security of Assets 1053Chapter 6: Cryptography and Symmetric Key Algorithms 1056Chapter 7: PKI and Cryptographic Applications 1058Chapter 8: Principles of Security Models, Design, and Capabilities 1060Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 1062Chapter 10: Physical Security Requirements 1067Chapter 11: Secure Network Architecture and Components 1071Chapter 12: Secure Communications and Network Attacks 1075Chapter 13: Managing Identity and Authentication 1078Chapter 14: Controlling and Monitoring Access 1080Chapter 15: Security Assessment and Testing 1082Chapter 16: Managing Security Operations 1084Chapter 17: Preventing and Responding to Incidents 1086Chapter 18: Disaster Recovery Planning 1089Chapter 19: Investigations and Ethics 1091Chapter 20: Software Development Security 1093Chapter 21: Malicious Code and Application Attacks 1095Appendix B Answers to Written Labs 1099Chapter 1: Security Governance Through Principles and Policies 1100Chapter 2: Personnel Security and Risk Management Concepts 1100Chapter 3: Business Continuity Planning 1101Chapter 4: Laws, Regulations, and Compliance 1102Chapter 5: Protecting Security of Assets 1102Chapter 6: Cryptography and Symmetric Key Algorithms 1103Chapter 7: PKI and Cryptographic Applications 1104Chapter 8: Principles of Security Models, Design, and Capabilities 1104Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 1105Chapter 10: Physical Security Requirements 1106Chapter 11: Secure Network Architecture and Components 1108Chapter 12: Secure Communications and Network Attacks 1109Chapter 13: Managing Identity and Authentication 1110Chapter 14: Controlling and Monitoring Access 1111Chapter 15: Security Assessment and Testing 1111Chapter 16: Managing Security Operations 1112Chapter 17: Preventing and Responding to Incidents 1113Chapter 18: Disaster Recovery Planning 1113Chapter 19: Investigations and Ethics 1114Chapter 20: Software Development Security 1114Chapter 21: Malicious Code and Application Attacks 1115Index 1117