Title:
The CISSP prep guide mastering CISSP and CAP
Personal Author:
Edition:
3rd ed.
Publication Information:
Hoboken, NJ : Wiley, 2006
Physical Description:
1 CD-ROM ; 12 cm.
ISBN:
9780470007921
General Note:
Accompanies text of the same title : QA76.3 K78 2006
Added Author:
Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010123211 | CP 4729 | Computer File Accompanies Open Access Book | Compact Disc Accompanies Open Access Book | Searching... |
Searching... | 30000010123212 | CP 4729 | Computer File Accompanies Open Access Book | Compact Disc Accompanies Open Access Book | Searching... |
On Order
Summary
Summary
This follow-on edition to The CISSP Prep Guide: Mastering CISSP and ISSEP offers value-add coverage not featured anywhere else! You'll prepare for passing CISSP with a revised review of each of the ten CISSP domains, updated to reflect current thinking/technology, especially in the areas of cyber-terrorism prevention and disaster recovery. You'll also cover CAP, a major section of the ISSEP that has been elevated from its status as part of an advanced concentration to its own certification. The accompanying CD-ROM contains revised test questions to make your preparation complete. Order your copy today and make your exam preparation complete!
Author Notes
Ronald L. Krutz , PhD, PE, CISSP, ISSEP, is Chief Knowledge Officer for Cybrinth, LLC. He was a faculty member in the Carnegie Mellon ECE Department and Associate Director of the Carnegie Mellon Research Institute. He was a former lead instructor for the ISC2 CISSP review seminars. Dr. Krutz is also a Distinguished Special Lecturer in the Center for Forensic Computer Investigation at the University of New Haven and consulting editor for the Wiley Infosec series.
Russell Dean Vines , CISSP, CISM, Security +, CCNA, MCSE, MCNE, is President and Founder of The RDV Group Inc., a New York-based security consulting services firm. He has been active in the prevention, detection, and remediation of security vulnerabilities for international corporations, including government, finance, and new media organizations, for many years. He is the author of several bestselling information system security texts, a consulting editor for the Wiley Infosec series, and a professional musician and composer in the NY area.
Table of Contents
| About the Authors | p. vii |
| Foreword | p. xxiii |
| Acknowledgments | p. xxv |
| Introduction | p. xxvii |
| Part 1 Focused Review of the CISSP Ten Domains | p. 1 |
| Chapter 1 Information Security and Risk Management | p. 3 |
| Our Approach | p. 4 |
| Security Management Concepts | p. 5 |
| System Security Life Cycle | p. 5 |
| The Three Fundamentals | p. 6 |
| Other Important Concepts | p. 7 |
| Objectives of Security Controls | p. 10 |
| Information Classification Process | p. 12 |
| Information Classification Objectives | p. 12 |
| Information Classification Benefits | p. 13 |
| Information Classification Concepts | p. 13 |
| Information Classification Roles | p. 16 |
| Security Policy Implementation | p. 20 |
| Policies, Standards, Guidelines, and Procedures | p. 20 |
| Roles and Responsibilities | p. 25 |
| Risk Management and Assessment | p. 27 |
| Principles of Risk Management | p. 27 |
| RM Roles | p. 30 |
| Overview of Risk Analysis | p. 30 |
| Security Posture Assessment Methodologies | p. 39 |
| Security Awareness | p. 42 |
| Awareness | p. 44 |
| Training and Education | p. 45 |
| Assessment Questions | p. 46 |
| Chapter 2 Access Control | p. 55 |
| Rationale | p. 55 |
| Controls | p. 56 |
| Models for Controlling Access | p. 57 |
| Control Combinations | p. 59 |
| Access Control Attacks | p. 61 |
| Denial of Service/Distributed Denial of Service (DoS/DDoS) | p. 61 |
| Back Door | p. 62 |
| Spoofing | p. 62 |
| Man-in-the-Middle | p. 63 |
| Replay | p. 63 |
| TCP Hijacking | p. 63 |
| Social Engineering | p. 64 |
| Dumpster Diving | p. 64 |
| Password Guessing | p. 65 |
| Software Exploitation | p. 65 |
| Mobile Code | p. 66 |
| Trojan Horses | p. 66 |
| Logic Bomb | p. 67 |
| System Scanning | p. 67 |
| Penetration Testing | p. 68 |
| Identification and Authentication | p. 69 |
| Passwords | p. 70 |
| Biometrics | p. 72 |
| Single Sign-On (SSO) | p. 74 |
| Kerberos | p. 75 |
| Kerberos Operation | p. 76 |
| Sesame | p. 79 |
| KryptoKnight | p. 79 |
| Access Control Methodologies | p. 79 |
| Centralized Access Control | p. 80 |
| Decentralized/Distributed Access Control | p. 81 |
| Intrusion Detection | p. 86 |
| Some Access Control Issues | p. 88 |
| Assessment Questions | p. 89 |
| Chapter 3 Telecommunications and Network Security | p. 95 |
| The C.I.A. Triad | p. 96 |
| Confidentiality | p. 96 |
| Integrity | p. 96 |
| Availability | p. 97 |
| Protocols | p. 98 |
| The Layered Architecture Concept | p. 98 |
| Open Systems Interconnect (OSI) Model | p. 99 |
| Transmission Control Protocol/Internet Protocol (TCP/IP) | p. 103 |
| LAN Technologies | p. 110 |
| Ethernet | p. 110 |
| ARCnet | p. 112 |
| Token Ring | p. 112 |
| Fiber Distributed Data Interface (FDDI) | p. 113 |
| Cabling Types | p. 113 |
| Coaxial Cable (Coax) | p. 113 |
| Twisted Pair | p. 114 |
| Fiber-Optic Cable | p. 116 |
| Cabling Vulnerabilities | p. 116 |
| Transmission Types | p. 117 |
| Network Topologies | p. 118 |
| Bus | p. 118 |
| Ring | p. 118 |
| Star | p. 118 |
| Tree | p. 120 |
| Mesh | p. 120 |
| LAN Transmission Protocols | p. 121 |
| Carrier-Sense Multiple Access (CSMA) | p. 121 |
| Polling | p. 122 |
| Token Passing | p. 122 |
| Unicast, Multicast, Broadcast | p. 123 |
| Networking Devices | p. 123 |
| Hubs and Repeaters | p. 123 |
| Bridges | p. 124 |
| Spanning Tree | p. 125 |
| Switches | p. 125 |
| Transparent Bridging | p. 125 |
| Routers | p. 126 |
| VLANs | p. 129 |
| Gateways | p. 130 |
| LAN Extenders | p. 130 |
| Firewall Types | p. 130 |
| Packet-Filtering Firewalls | p. 131 |
| Application-Level Firewalls | p. 132 |
| Circuit-Level Firewalls | p. 133 |
| Stateful Inspection Firewalls | p. 133 |
| Firewall Architectures | p. 133 |
| Packet-Filtering Routers | p. 134 |
| Screened-Host Firewalls | p. 134 |
| Dual-Homed Host Firewalls | p. 134 |
| Screened-Subnet Firewalls | p. 135 |
| SOCKS | p. 137 |
| Common Data Network Services | p. 137 |
| File Transfer Services | p. 138 |
| SFTP | p. 139 |
| SSH/SSH-2 | p. 139 |
| TFTP | p. 140 |
| Data Network Types | p. 140 |
| Wide Area Networks | p. 141 |
| Internet | p. 141 |
| Intranet | p. 142 |
| Extranet | p. 142 |
| WAN Technologies | p. 142 |
| Dedicated Lines | p. 142 |
| T-carriers | p. 143 |
| WAN Switching | p. 143 |
| Circuit-Switched Networks | p. 143 |
| Packet-Switched Networks | p. 144 |
| Other WAN Protocols | p. 146 |
| Common WAN Devices | p. 146 |
| Network Address Translation (NAT) | p. 147 |
| Remote Access Technologies | p. 149 |
| Remote Access Types | p. 149 |
| Remote Access Security Methods | p. 151 |
| Virtual Private Networking (VPN) | p. 151 |
| RADIUS and TACACS | p. 160 |
| Network Availability | p. 162 |
| High Availability and Fault Tolerance | p. 162 |
| Wireless Technologies | p. 164 |
| IEEE Wireless Standards | p. 164 |
| Bluetooth | p. 170 |
| Wireless Application Protocol (WAP) | p. 171 |
| Wireless Security | p. 174 |
| Wireless Transport Layer Security Protocol | p. 174 |
| WEP Encryption | p. 175 |
| Wireless Vulnerabilities | p. 175 |
| Intrusion Detection and Response | p. 183 |
| Types of Intrusion Detection Systems | p. 183 |
| IDS Approaches | p. 184 |
| Honey Pots | p. 186 |
| Computer Incident Response Team | p. 187 |
| IDS and a Layered Security Approach | p. 188 |
| IDS and Switches | p. 188 |
| IDS Performance | p. 190 |
| Network Attacks and Abuses | p. 190 |
| Logon Abuse | p. 190 |
| Inappropriate System Use | p. 190 |
| Eavesdropping | p. 191 |
| Network Intrusion | p. 191 |
| Denial of Service (DoS) Attacks | p. 192 |
| Session Hijacking Attacks | p. 192 |
| Fragmentation Attacks | p. 193 |
| Dial-Up Attacks | p. 193 |
| Probing and Scanning | p. 194 |
| Vulnerability Scanning | p. 194 |
| Port Scanning | p. 195 |
| Issues with Vulnerability Scanning | p. 201 |
| Malicious Code | p. 202 |
| Viruses | p. 202 |
| Spyware | p. 204 |
| Trojan Horses | p. 210 |
| Remote Access Trojans (RATs) | p. 211 |
| Logic Bombs | p. 212 |
| Worms | p. 212 |
| Malicious Code Prevention | p. 212 |
| Web Security | p. 214 |
| Phishing | p. 214 |
| Browser Hijacking | p. 214 |
| SSL/TLS | p. 215 |
| S-HTTP | p. 217 |
| Instant Messaging Security | p. 217 |
| 8.3 Naming Conventions | p. 221 |
| Assessment Questions | p. 222 |
| Chapter 4 Cryptography | p. 233 |
| Introduction | p. 233 |
| Definitions | p. 234 |
| Background | p. 238 |
| Cryptographic Technologies | p. 241 |
| Classical Ciphers | p. 241 |
| Substitution | p. 241 |
| Transposition (Permutation) | p. 244 |
| Vernam Cipher (One-Time Pad) | p. 244 |
| Book or Running-Key Cipher | p. 245 |
| Codes | p. 245 |
| Steganography | p. 245 |
| Secret-Key Cryptography (Symmetric-Key) | p. 246 |
| Data Encryption Standard (DES) | p. 247 |
| Triple DES | p. 251 |
| The Advanced Encryption Standard (AES) | p. 252 |
| The Rijndael Block Cipher | p. 253 |
| The Twofish Algorithm | p. 254 |
| The IDEA Cipher | p. 255 |
| RC5/RC6 | p. 255 |
| Public-Key (Asymmetric) Cryptosystems | p. 255 |
| One-Way Functions | p. 256 |
| Public-Key Algorithms | p. 256 |
| Public-Key Cryptosystem Algorithm Categories | p. 260 |
| Asymmetric and Symmetric Key Length Strength Comparisons | p. 260 |
| Digital Signatures | p. 260 |
| Digital Signature Standard (DSS) and Secure Hash Standard (SHS) | p. 261 |
| MD5 | p. 262 |
| Sending a Message with a Digital Signature | p. 263 |
| Hashed Message Authentication Code (HMAC) | p. 263 |
| Hash Function Characteristics | p. 264 |
| Cryptographic Attacks | p. 264 |
| Public-Key Certification Systems | p. 266 |
| Digital Certificates | p. 266 |
| Public-Key Infrastructure (PKI) | p. 267 |
| Approaches to Escrowed Encryption | p. 273 |
| The Escrowed Encryption Standard | p. 273 |
| Key Escrow Approaches Using Public-Key Cryptography | p. 275 |
| Identity-Based Encryption | p. 275 |
| Cryptographic Export Issues | p. 277 |
| Quantum Computing | p. 278 |
| E-mail Security Issues and Approaches | p. 279 |
| Secure Multi-Purpose Internet Mail Extensions (S/MIME) | p. 279 |
| MIME Object Security Services (MOSS) | p. 279 |
| Privacy Enhanced Mail (PEM) | p. 279 |
| Pretty Good Privacy (PGP) | p. 280 |
| Internet Security Applications | p. 281 |
| Message Authentication Code (MAC) or the Financial Institution Message Authentication Standard (FIMAS) | p. 281 |
| Secure Electronic Transaction (SET) | p. 281 |
| Secure Sockets Layer (SSL)/Transaction Layer Security (TLS) | p. 281 |
| Internet Open Trading Protocol (IOTP) | p. 282 |
| MONDEX | p. 282 |
| IPSec | p. 282 |
| Secure Hypertext Transfer Protocol (S-HTTP) | p. 283 |
| Secure Shell (SSH-2) | p. 284 |
| Wireless Security | p. 284 |
| Wireless Application Protocol (WAP) | p. 284 |
| The IEEE 802.11 Wireless Standard | p. 286 |
| Assessment Questions | p. 289 |
| Chapter 5 Security Architecture and Design | p. 297 |
| Computer Architecture | p. 298 |
| Memory | p. 299 |
| Instruction Execution Cycle | p. 302 |
| Input/Output Structures | p. 304 |
| Software | p. 305 |
| Open and Closed Systems | p. 307 |
| Distributed Architecture | p. 307 |
| Protection Mechanisms | p. 309 |
| Rings | p. 310 |
| Logical Security Guard | p. 311 |
| Enterprise Architecture Issues | p. 311 |
| Security Labels | p. 312 |
| Security Modes | p. 312 |
| Additional Security Considerations | p. 313 |
| Recovery Procedures | p. 314 |
| Assurance | p. 314 |
| Evaluation Criteria | p. 315 |
| Certification and Accreditation | p. 317 |
| DITSCAP and NIACAP | p. 317 |
| The Systems Security Engineering Capability Maturity Model (SSE-CMM) | p. 319 |
| Information Security Models | p. 322 |
| Access Control Models | p. 322 |
| Integrity Models | p. 327 |
| Information Flow Models | p. 329 |
| Assessment Questions | p. 332 |
| Chapter 6 Operations Security | p. 339 |
| Operations Security Concepts | p. 340 |
| Triples | p. 340 |
| C.I.A. | p. 340 |
| Controls and Protections | p. 341 |
| Categories of Controls | p. 341 |
| Orange Book Controls | p. 342 |
| Operations Controls | p. 358 |
| Monitoring and Auditing | p. 365 |
| Monitoring | p. 365 |
| Auditing | p. 369 |
| Threats and Vulnerabilities | p. 373 |
| Threats | p. 373 |
| Vulnerabilities and Attacks | p. 375 |
| Maintaining Resource Availability | p. 376 |
| RAID | p. 376 |
| RAID Levels | p. 377 |
| Backup Concepts | p. 378 |
| Operational E-Mail Security | p. 382 |
| E-Mail Phishing | p. 383 |
| Fax Security | p. 387 |
| Assessment Questions | p. 388 |
| Chapter 7 Application Security | p. 397 |
| Systems Engineering | p. 398 |
| The System Life Cycle or System Development Life Cycle (SDLC) | p. 398 |
| The Software Life Cycle Development Process | p. 399 |
| The Waterfall Model | p. 400 |
| The Spiral Model | p. 403 |
| Cost Estimation Models | p. 406 |
| Information Security and the Life Cycle Model | p. 407 |
| Testing Issues | p. 408 |
| The Software Maintenance Phase and the Change Control Process | p. 408 |
| Configuration Management | p. 409 |
| The Software Capability Maturity Model (CMM) | p. 410 |
| Agile Methodology | p. 412 |
| Object-Oriented Systems | p. 413 |
| Artificial Intelligence Systems | p. 417 |
| Expert Systems | p. 417 |
| Neural Networks | p. 419 |
| Genetic Algorithms | p. 421 |
| Knowledge Management | p. 421 |
| Database Systems | p. 421 |
| Database Security Issues | p. 422 |
| Data Warehouse and Data Mining | p. 422 |
| Data Dictionaries | p. 423 |
| Application Controls | p. 423 |
| Distributed Systems | p. 425 |
| Centralized Architecture | p. 426 |
| Real-Time Systems | p. 426 |
| Assessment Questions | p. 427 |
| Chapter 8 Business Continuity Planning and Disaster Recovery Planning | p. 433 |
| Business Continuity Planning | p. 435 |
| Continuity Disruptive Events | p. 436 |
| The Four Prime Elements of BCP | p. 437 |
| Disaster Recovery Planning (DRP) | p. 446 |
| Goals and Objectives of DRP | p. 446 |
| The Disaster Recovery Planning Process | p. 447 |
| Testing the Disaster Recovery Plan | p. 455 |
| Disaster Recovery Procedures | p. 459 |
| Other Recovery Issues | p. 461 |
| Assessment Questions | p. 464 |
| Chapter 9 Legal, Regulations, Compliance, and Investigations | p. 473 |
| Types of Computer Crime | p. 473 |
| Examples of Computer Crime | p. 475 |
| Law | p. 477 |
| Example: The United States | p. 477 |
| Common Law System Categories | p. 478 |
| Computer Security, Privacy and Crime Laws | p. 489 |
| Investigation | p. 496 |
| Computer Investigation Issues | p. 496 |
| Export Issues and Technology | p. 502 |
| Liability | p. 502 |
| Ethics | p. 504 |
| (ISC)2 Code of Ethics | p. 506 |
| The Computer Ethics Institute's Ten Commandments of Computer Ethics | p. 506 |
| The Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087) | p. 507 |
| The U.S. Department of Health and Human Services Code of Fair Information Practices | p. 507 |
| The Organization for Economic Cooperation and Development (OECD) | p. 508 |
| Assessment Questions | p. 510 |
| Chapter 10 Physical (Environmental) Security | p. 517 |
| Threats to Physical Security | p. 518 |
| Controls for Physical Security | p. 520 |
| Administrative Controls | p. 520 |
| Environmental and Life Safety Controls | p. 524 |
| Physical and Technical Controls | p. 534 |
| Assessment Questions | p. 550 |
| Part 2 The Certification and Accreditation Professional (CAP) Credential | p. 557 |
| Chapter 11 Understanding Certification and Accreditation | p. 559 |
| System Authorization | p. 559 |
| A Select History of Systems Authorization | p. 560 |
| More and More Standards | p. 572 |
| What Is Certification and Accreditation? | p. 572 |
| NIST C&A Documents | p. 573 |
| C&A Roles and Responsibilities | p. 573 |
| C&A Phases | p. 577 |
| DIACAP Phases | p. 578 |
| Assessment Questions | p. 580 |
| Chapter 12 Initiation of the System Authorization Process | p. 585 |
| Security Categorization | p. 586 |
| Identification of Information Types | p. 588 |
| Potential Harmful Impact Levels | p. 589 |
| Assignment of Impact Level Scores | p. 590 |
| Assignment of System Impact Level | p. 592 |
| Initial Risk Estimation | p. 593 |
| Threat-Source Identification | p. 594 |
| Threat Likelihood of Occurrence | p. 597 |
| Analyzing for Vulnerabilities | p. 597 |
| System Accreditation Boundary | p. 601 |
| Legal and Regulatory Requirements | p. 603 |
| Selection of Security Controls | p. 603 |
| The Control Section | p. 606 |
| The Supplemental Guidance Section | p. 606 |
| The Control Enhancements Section | p. 606 |
| Assurance | p. 607 |
| Common and System-Specific Security Controls | p. 608 |
| Security Controls and the Management of Organizational Risk | p. 608 |
| Documenting Security Controls in the System Security Plan | p. 610 |
| Assessment Questions | p. 613 |
| Chapter 13 The Certification Phase | p. 621 |
| Security Control Assessment | p. 622 |
| Prepare for the Assessment | p. 622 |
| Conduct the Security Assessment | p. 624 |
| Prepare the Security Assessment Report | p. 624 |
| Security Certification Documentation | p. 625 |
| Provide the Findings and Recommendations | p. 625 |
| Update the System Security Plan | p. 625 |
| Prepare the Plan of Action | p. 626 |
| Assemble the Accreditation Package | p. 626 |
| DITSCAP Certification Phases | p. 627 |
| Phase 1 Definition | p. 627 |
| The System Security Authorization Agreement (SSAA) | p. 630 |
| SSAA Outline | p. 630 |
| SSAA Additional Material | p. 632 |
| The Requirements Traceability Matrix (RTM) | p. 633 |
| Phase 2 Verification | p. 635 |
| Key DITSCAP Roles | p. 638 |
| DIACAP Certification Phases | p. 639 |
| End of the Certification Phase | p. 640 |
| Assessment Questions | p. 641 |
| Chapter 14 The Accreditation Phase | p. 645 |
| Security Accreditation Decision | p. 646 |
| Final Risk Assessment | p. 646 |
| Accreditation Decision | p. 647 |
| Security Accreditation Documentation | p. 648 |
| Accreditation Package Transmission | p. 648 |
| System Security Plan Update | p. 649 |
| DITSCAP Accreditation Phases | p. 649 |
| Phase 3 Validation | p. 649 |
| Phase 4 Post Accreditation | p. 653 |
| DIACAP Accreditation Phases | p. 656 |
| End of the Accreditation Phase | p. 657 |
| Assessment Questions | p. 658 |
| Chapter 15 Continuous Monitoring Process | p. 663 |
| Continuous Monitoring | p. 664 |
| Monitoring Security Controls | p. 665 |
| Configuration Management and Control | p. 669 |
| Environment Monitoring | p. 670 |
| Documentation and Reporting | p. 671 |
| Assessment Questions | p. 673 |
| Appendix A Answers to Assessment Questions | p. 681 |
| Appendix B Glossary of Terms and Acronyms | p. 881 |
| Appendix C The Information System Security Architecture Professional (ISSAP) Certification | p. 945 |
| Appendix D The Information System Security Engineering Professional (ISSEP) Certification | p. 951 |
| Appendix E The Information System Security Management Professional (ISSMP) Certification | p. 1039 |
| Appendix F Security Control Catalog | p. 1075 |
| Appendix G Control Baselines | p. 1185 |
| Index | p. 1193 |
