With each new advance in connectivity and convenience comes a new wave of threats to privacy and security capable of destroying a company's reputation, violating a consumer's privacy, compromising intellectual property, and in some cases endangering personal safety. This is why it is essential for information security professionals to stay up to date with the latest advances in technology and the new security threats they create. Recognized as one of the best tools available for the information security professional, and especially for candidates studying for the (ISC)2 CISSP examination, the Official (ISC)2® Guide to the CISSP® CBK®, Second Edition has been updated and revised to reflect the latest developments in this ever-changing field. Endorsed by (ISC)2, this book provides unrivaled preparation for the certification exam that is both up to date and authoritative. Compiled and reviewed by CISSPs and (ISC)2 members, the text provides an exhaustive review of the 10 current domains of the CBK and the high-level topics contained in each domain. Unique and exceptionally thorough, this edition includes a CD with over 200 sample questions, sample exams, and a full test simulation that provides the same number and types of questions, with the same allotment of time, as the actual exam. It will even grade the exam, provide the correct answers, and identify areas where more study is needed. Earning your CISSP is a significant achievement that makes you a member of an elite network of professionals. This book not only provides you with the tools to study effectively for the exam, but also supplies you with ready access to best practices for implementing new technologies, dealing with current threats, incorporating new security tools, and managing the human factor of security, all of which will serve you well into your career.
Table of Contents (page numbers follow each entry)

Information Security and Risk Management (Todd Fitzgerald, CISSP; Bonnie Goins, CISSP; Rebecca Herold, CISSP) 1
  Introduction 1
  CISSP Expectations 2
  The Business Case for Information Security Management 4
  Core Information Security Principles: Confidentiality, Availability, Integrity (CIA) 5
  Confidentiality 5
  Integrity 6
  Availability 6
  Security Management Practice 7
  Information Security Management Governance 7
  Security Governance Defined 8
  Security Policies, Procedures, Standards, Guidelines, and Baselines 9
  Security Policy Best Practices 10
  Types of Security Policies 12
  Standards 13
  Procedures 14
  Baselines 15
  Guidelines 16
  Combination of Policies, Standards, Baselines, Procedures, and Guidelines 16
  Policy Analogy 16
  Audit Frameworks for Compliance 17
  COSO 17
  ITIL 18
  COBIT 18
  ISO 17799/BS 7799 18
  Organizational Behavior 19
  Organizational Structure Evolution 20
  Today's Security Organizational Structure 21
  Best Practices 22
  Job Rotation 23
  Separation of Duties 23
  Least Privilege (Need to Know) 25
  Mandatory Vacations 25
  Job Position Sensitivity 25
  Responsibilities of the Information Security Officer 26
  Communicate Risks to Executive Management 26
  Budget for Information Security Activities 27
  Ensure Development of Policies, Procedures, Baselines, Standards, and Guidelines 28
  Develop and Provide Security Awareness Program 28
  Understand Business Objectives 28
  Maintain Awareness of Emerging Threats and Vulnerabilities 29
  Evaluate Security Incidents and Response 29
  Develop Security Compliance Program 29
  Establish Security Metrics 29
  Participate in Management Meetings 30
  Ensure Compliance with Government Regulations 30
  Assist Internal and External Auditors 30
  Stay Abreast of Emerging Technologies 30
  Reporting Model 31
  Business Relationships 31
  Reporting to the CEO 31
  Reporting to the Information Technology (IT) Department 32
  Reporting to Corporate Security 32
  Reporting to the Administrative Services Department 33
  Reporting to the Insurance and Risk Management Department 33
  Reporting to the Internal Audit Department 33
  Reporting to the Legal Department 34
  Determining the Best Fit 34
  Enterprisewide Security Oversight Committee 34
  Vision Statement 34
  Mission Statement 35
  Security Planning 42
  Strategic Planning 43
  Tactical Planning 43
  Operational and Project Planning 43
  Personnel Security 44
  Hiring Practices 44
  Security Awareness, Training, and Education 51
  Why Conduct Formal Security Awareness Training? 51
  Training Topics 52
  What Might a Course in Security Awareness Look Like? 52
  Awareness Activities and Methods 54
  Job Training 55
  Professional Education 56
  Performance Metrics 56
  Risk Management 56
  Risk Management Concepts 57
  Qualitative Risk Assessments 58
  Quantitative Risk Assessments 60
  Selecting Tools and Techniques for Risk Assessment 62
  Risk Assessment Methodologies 62
  Risk Management Principles 64
  Risk Avoidance 64
  Risk Transfer 64
  Risk Mitigation 65
  Risk Acceptance 65
  Who Owns the Risk? 66
  Risk Assessment 66
  Identify Vulnerabilities 66
  Identify Threats 67
  Determination of Likelihood 67
  Determination of Impact 68
  Determination of Risk 68
  Reporting Findings 69
  Countermeasure Selection 69
  Information Valuation 70
  Ethics 71
  Regulatory Requirements for Ethics Programs 73
  Example Topics in Computer Ethics 74
  Computers in the Workplace 74
  Computer Crime 74
  Privacy and Anonymity 75
  Intellectual Property 75
  Professional Responsibility and Globalization 75
  Common Computer Ethics Fallacies 75
  The Computer Game Fallacy 76
  The Law-Abiding Citizen Fallacy 76
  The Shatterproof Fallacy 76
  The Candy-from-a-Baby Fallacy 77
  The Hacker's Fallacy 77
  The Free Information Fallacy 77
  Hacking and Hacktivism 77
  The Hacker Ethic 78
  Ethics Codes of Conduct and Resources 78
  The Code of Fair Information Practices 78
  Internet Activities Board (IAB) (now the Internet Architecture Board) and RFC 1087 79
  Computer Ethics Institute (CEI) 79
  National Conference on Computing and Values 80
  The Working Group on Computer Ethics 80
  National Computer Ethics and Responsibilities Campaign (NCERC) 80
  (ISC)2 Code of Ethics 81
  Organizational Ethics Plan of Action 82
  How a Code of Ethics Applies to CISSPs 84
  References 87
  Other References 87
  Sample Questions 88

Access Control (James S. Tiller, CISSP) 93
  Introduction 93
  CISSP Expectations 93
  Confidentiality, Integrity, and Availability 93
  Definitions and Key Concepts 94
  Determining Users 95
  Defining Resources 96
  Specifying Use 97
  Accountability 97
  Access Control Principles 98
  Separation of Duties 98
  Least Privilege 101
  Information Classification 101
  Data Classification Benefits 102
  Establishing a Data Classification Program 103
  Labeling and Marking 107
  Data Classification Assurance 107
  Summary 108
  Access Control Categories and Types 108
  Control Categories 108
  Preventative 108
  Deterrent 109
  Detective 109
  Corrective 110
  Recovery 111
  Compensating 111
  Types of Controls 112
  Administrative 113
  Physical 124
  Technical 125
  Access Control Threats 130
  Denial of Service 130
  Buffer Overflows 131
  Mobile Code 132
  Malicious Software 133
  Password Crackers 134
  Spoofing/Masquerading 136
  Sniffers, Eavesdropping, and Tapping 137
  Emanations 138
  Shoulder Surfing 139
  Object Reuse 139
  Data Remanence 140
  Unauthorized Targeted Data Mining 142
  Dumpster Diving 143
  Backdoor/Trapdoor 144
  Theft 144
  Social Engineering 145
  E-mail Social Engineering 145
  Help Desk Fraud 146
  Access to Systems 147
  Identification and Authentication 147
  Types of Identification 148
  Types of Authentication 149
  Authentication Method Summary 167
  Identity and Access Management 169
  Identity Management 170
  Identity Management Challenges 172
  Identity Management Technologies 173
  Access Control Technologies 179
  Single Sign-On 179
  Kerberos 181
  Secure European System for Applications in a Multi-Vendor Environment (SESAME) 184
  Security Domain 185
  Section Summary 186
  Access to Data 186
  Discretionary and Mandatory Access Control 186
  Access Control Lists 188
  Access Control Matrix 188
  Rule-Based Access Control 188
  Role-Based Access Control 189
  Content-Dependent Access Control 191
  Constrained User Interface 191
  Capability Tables 191
  Temporal (Time-Based) Isolation 192
  Centralized Access Control 192
  Decentralized Access Control 192
  Section Summary 192
  Intrusion Detection and Prevention Systems 194
  Intrusion Detection Systems 195
  Network Intrusion Detection System 196
  Host-Based Intrusion Detection System 197
  Analysis Engine Methods 198
  Pattern/Stateful Matching Engine 199
  Anomaly-Based Engine 200
  Intrusion Responses 201
  Alarms and Signals 203
  IDS Management 204
  Access Control Assurance 205
  Audit Trail Monitoring 205
  Audit Event Types 205
  Auditing Issues and Concerns 206
  Information Security Activities 207
  Penetration Testing 208
  Types of Testing 213
  Summary 215
  References 215
  Sample Questions 215

Cryptography (Kevin Henry, CISSP) 219
  Introduction 219
  CISSP Expectations 219
  Core Information Security Principles: Confidentiality, Integrity, and Availability 219
  Key Concepts and Definitions 220
  The History of Cryptography 222
  The Early (Manual) Era 222
  The Mechanical Era 222
  The Modern Era 223
  Emerging Technology 223
  Quantum Cryptography 223
  Protecting Information 225
  Data Storage 225
  Data Transmission 225
  Uses of Cryptography 226
  Availability 226
  Confidentiality 226
  Integrity 226
  Additional Features of Cryptographic Systems 226
  Nonrepudiation 227
  Authentication 227
  Access Control 227
  Methods of Cryptography 227
  Stream-Based Ciphers 227
  Block Ciphers 229
  Encryption Systems 229
  Substitution Ciphers 229
  Playfair Cipher 229
  Transposition Ciphers 230
  Monoalphabetic and Polyalphabetic Ciphers 231
  Modular Mathematics and the Running Key Cipher 233
  One-Time Pads 234
  Steganography 235
  Watermarking 235
  Code words 235
  Symmetric Ciphers 236
  Examples of Symmetric Algorithms 237
  Advantages and Disadvantages of Symmetric Algorithms 252
  Asymmetric Algorithms 253
  Confidential Messages 253
  Open Message 254
  Confidential Messages with Proof of Origin 254
  RSA 254
  Diffie-Hellman Algorithm 257
  El Gamal 258
  Elliptic Curve Cryptography 258
  Advantages and Disadvantages of Asymmetric Key Algorithms 258
  Hybrid Cryptography 259
  Message Integrity Controls 260
  Checksums 260
  Hash Function 260
  Simple Hash Functions 261
  MD5 Message Digest Algorithm 261
  Secure Hash Algorithm (SHA) and SHA-1 262
  HAVAL 262
  RIPEMD-160 262
  Attacks on Hashing Algorithms and Message Authentication Codes 263
  Message Authentication Code (MAC) 264
  HMAC 264
  Digital Signatures 265
  Digital Signature Standard (DSS) 265
  Uses of Digital Signatures 266
  Encryption Management 266
  Key Management 266
  Key Recovery 267
  Key Distribution Centers 268
  Standards for Financial Institutions 268
  Public Key Infrastructure (PKI) 269
  Revocation of a Certificate 271
  Cross-Certification 271
  Legal Issues Surrounding Cryptography 271
  Cryptanalysis and Attacks 271
  Ciphertext-Only Attack 271
  Known Plaintext Attack 271
  Chosen Plaintext Attack 272
  Chosen Ciphertext Attack 272
  Social Engineering 272
  Brute Force 272
  Differential Power Analysis 273
  Frequency Analysis 273
  Birthday Attack 273
  Dictionary Attack 273
  Replay Attack 273
  Factoring Attacks 273
  Reverse Engineering 273
  Attacking the Random Number Generators 274
  Temporary Files 274
  Encryption Usage 274
  E-mail Security Using Cryptography 274
  Protocols and Standards 275
  Pretty Good Privacy (PGP) 275
  Secure/Multipurpose Internet Mail Extension (S/MIME) 275
  Internet and Network Security 275
  IPSec 275
  SSL/TLS 276
  References 276
  Sample Questions 277

Physical (Environmental) Security (Paul Hansford, CISSP) 281
  Introduction 281
  CISSP Expectations 282
  Physical (Environmental) Security Challenges 282
  Threats and Vulnerabilities 283
  Threat Types 283
  Vulnerabilities 285
  Site Location 285
  Site Fabric and Infrastructure 285
  The Layered Defense Model 286
  Physical Considerations 287
  Working with Others to Achieve Physical and Procedural Security 287
  Physical and Procedural Security Methods, Tools, and Techniques 288
  Procedural Controls 288
  Infrastructure Support Systems 290
  Fire Prevention, Detection, and Suppression 290
  Boundary Protection 292
  Building Entry Points 293
  Keys and Locking Systems 293
  Walls, Doors, and Windows 295
  Access Controls 296
  Closed-Circuit Television (CCTV) 296
  Intrusion Detection Systems 298
  Portable Device Security 299
  Asset and Risk Registers 299
  Information Protection and Management Services 300
  Managed Services 300
  Audits, Drills, Exercises, and Testing 300
  Vulnerability and Penetration Tests 301
  Maintenance and Service Issues 301
  Education, Training, and Awareness 301
  Summary 302
  References 302
  Sample Questions 303

Security Architecture and Design (William Lipiczky, CISSP) 307
  Introduction 307
  CISSP Expectations 307
  Security Architecture and Design Components and Principles 308
  Security Frameworks: ISO/IEC 17799:2005, BS 7799:2, ISO 270001 308
  Design Principles 309
  Diskless Workstations, Thin Clients, and Thin Processing 309
  Operating System Protection 310
  Hardware 311
  Personal Digital Assistants (PDAs) and Smart Phones 314
  Central Processing Unit (CPU) 315
  Storage 316
  Input/Output Devices 318
  Communications Devices 319
  Networks and Partitioning 319
  Software 320
  Operating Systems 320
  Application Programs 321
  Processes and Threads 322
  Firmware 323
  Trusted Computer Base (TCB) 323
  Reference Monitor 324
  Security Models and Architecture Theory 324
  Lattice Models 324
  State Machine Models 325
  Research Models 325
  Noninterference Models 325
  Information Flow Models 325
  Bell-LaPadula Confidentiality Model 325
  Biba Integrity Model 326
  Clark-Wilson Integrity Model 326
  Access Control Matrix and Information Flow Models 327
  Information Flow Models 328
  Graham-Denning Model 328
  Harrison-Ruzzo-Ullman Model 328
  Brewer-Nash (Chinese Wall) 328
  Security Product Evaluation Methods and Criteria 329
  Rainbow Series 329
  Trusted Computer Security Evaluation Criteria (TCSEC) 329
  Information Technology Security Evaluation Criteria (ITSEC) 330
  Common Criteria 331
  Software Engineering Institute's Capability Maturity Model Integration (SEI-CMMI) 331
  Certification and Accreditation 332
  Sample Questions 332

Business Continuity and Disaster Recovery Planning (Carl B. Jackson, CISSP) 337
  Introduction 337
  CISSP Expectations 338
  Core Information Security Principles: Availability, Integrity, Confidentiality (AIC) 339
  Why Continuity Planning? 339
  Reality of Terrorist Attack 339
  Natural Disasters 340
  Internal and External Audit Oversight 340
  Legislative and Regulatory Requirements 340
  Industry and Professional Standards 341
  NFPA 1600 341
  ISO 17799 341
  Defense Security Service (DSS) 341
  National Institute of Standards and Technology (NIST) 341
  Good Business Practice or the Standard of Due Care 341
  Enterprise Continuity Planning and Its Relationship to Business Continuity and Disaster Recovery Planning 341
  Revenue Loss 342
  Extra Expense 343
  Compromised Customer Service 343
  Embarrassment or Loss of Confidence Impact 343
  Hidden Benefits of Continuity Planning 343
  Organization of the BCP/DRP Domain Chapter 344
  Project Initiation Phase 344
  Current State Assessment Phase 345
  Design and Development Phase 345
  Implementation Phase 345
  Management Phase 346
  Project Initiation Phase Description 346
  Project Scope Development and Planning 346
  Executive Management Support 348
  BCP Project Scope and Authorization 348
  Executive Management Leadership and Awareness 350
  Continuity Planning Project Team Organization and Management 351
  Disaster or Disruption Avoidance and Mitigation 353
  Project Initiation Phase Activities and Tasks Work Plan 354
  Current State Assessment Phase Description 354
  Understanding Enterprise Strategy, Goals, and Objectives 354
  Enterprise Business Processes Analysis 355
  People and Organizations 355
  Time Dependencies 355
  Motivation, Risks, and Control Objectives 355
  Budgets 355
  Technical Issues and Constraints 356
  Continuity Planning Process Support Assessment 356
  Threat Assessment 356
  Risk Management 358
  Business Impact Assessment (BIA) 359
  Benchmarking and Peer Review 362
  Sample Current State Assessment Phase Activities and Tasks Work Plan 363
  Development Phase Description 363
  Recovery Strategy Development 363
  Work Plan Development 366
  Develop and Design Recovery Strategies 366
  Data and Software Backup Approaches 369
  DRP Recovery Strategies for IT 370
  BCP Recovery Strategies for Enterprise Business Processes 371
  Developing Continuity Plan Documents and Infrastructure Strategies 373
  Developing Testing/Maintenance/Training Strategies 373
  Plan Development Phase Description 374
  Building Continuity Plans 375
  Contrasting Crisis Management and Continuity Planning Approaches 379
  Building Crisis Management Plans 379
  Testing/Maintenance/Training Development Phase Description 381
  Developing Continuity and Crisis Management Process Training and Awareness Strategies 386
  Sample Phase Activities and Tasks Work Plan 386
  Implementation Phase Description 386
  Analyze CPPT Implementation Work Plans 386
  Program Short- and Long-Term Testing 388
  Continuity Plan Testing (Exercise) Procedure Deployment 388
  Program Training, Awareness, and Education 391
  Emergency Operations Center (EOC) 392
  Management Phase Description 392
  Program Oversight 392
  Continuity Planning Manager Roles and Responsibilities 392
  Terminology 395
  References 398
  Sample Questions 398

Addressing Legislative Compliance within Business Continuity Plans (Rebecca Herold, CISSP) 401
  HIPAA 401
  GLB 402
  Patriot Act 402
  Other Issues 404
  OCC Banking Circular 177 404

Telecommunications and Network Security (Alec Bass, CISSP; Peter Berlich, CISSP-ISSMP)
  Introduction 407
  CISSP Expectations 408
  Basic Concepts 408
  Network Models 408
  OSI Reference Model 409
  TCP/IP Model 413
  Network Security Architecture 414
  The Role of the Network in IT Security 414
  Network Security Objectives and Attack Modes 416
  Methodology of an Attack 419
  Network Security Tools 421
  Physical Layer 423
  Concepts and Architecture 423
  Communication Technology 423
  Network Topology 424
  Technology and Implementation 427
  Cable 427
  Twisted Pair 428
  Coaxial Cable 429
  Fiber Optics 429
  Patch Panels 430
  Modems 430
  Wireless Transmission Technologies 431
  Data-Link Layer 433
  Concepts and Architecture 433
  Architecture 433
  Transmission Technologies 434
  Technology and Implementation 441
  Ethernet 441
  Wireless Local Area Networks 445
  Address Resolution Protocol (ARP) 450
  Point-to-Point Protocol (PPP) 450
  Network Layer 450
  Concepts and Architecture 450
  Local Area Network (LAN) 450
  Wide Area Network (WAN) Technologies 452
  Metropolitan Area Network (MAN) 462
  Global Area Network (GAN) 463
  Technology and Implementation 464
  Routers 464
  Firewalls 464
  End Systems 468
  Internet Protocol (IP) 471
  Virtual Private Network (VPN) 475
  Tunneling 479
  Dynamic Host Configuration Protocol (DHCP) 479
  Internet Control Message Protocol (ICMP) 480
  Internet Group Management Protocol (IGMP) 481
  Transport Layer 482
  Concepts and Architecture 482
  Transmission Control Protocol (TCP) 483
  User Datagram Protocol (UDP) 484
  Technology and Implementation 484
  Scanning Techniques 484
  Denial of Service 486
  Session Layer 486
  Concepts and Architecture 486
  Technology and Implementation 486
  Remote Procedure Calls 486
  Directory Services 487
  Access Services 493
  Presentation Layer 495
  Concepts and Architecture 495
  Technology and Implementation 496
  Transport Layer Security (TLS) 496
  Application Layer 497
  Concepts and Architecture 497
  Technology and Implementation 497
  Asynchronous Messaging (E-mail and News) 497
  Instant Messaging 502
  Data Exchange (World Wide Web) 506
  Peer-to-Peer Applications and Protocols 512
  Administrative Services 512
  Remote-Access Services 514
  Information Services 517
  Voice-over-IP (VoIP) 518
  General References 520
  Sample Questions 521
  Endnotes 525

Application Security (Robert M. Slade, CISSP) 537
  Domain Description and Introduction 537
  Current Threats and Levels 537
  Application Development Security Outline 538
  Expectation of the CISSP in This Domain 539
  Applications Development and Programming Concepts and Protection 540
  Current Software Environment 541
  Open Source 542
  Full Disclosure 543
  Programming 543
  Process and Elements 544
  The Programming Procedure 545
  The Software Environment 547
  Threats in the Software Environment 549
  Buffer Overflow 549
  Citizen Programmers 550
  Covert Channel 550
  Malicious Software (Malware) 551
  Malformed Input Attacks 551
  Memory Reuse (Object Reuse) 551
  Executable Content/Mobile Code 551
  Social Engineering 552
  Time of Check/Time of Use (TOC/TOU) 553
  Trapdoor/Backdoor 553
  Application Development Security Protections and Controls 554
  System Life Cycle and Systems Development 554
  Systems Development Life Cycle (SDLC) 555
  Software Development Methods 561
  Java Security 564
  Object-Oriented Technology and Programming 566
  Object-Oriented Security 568
  Distributed Object-Oriented Systems 569
  Software Protection Mechanisms 571
  Security Kernels 571
  Processor Privilege States 571
  Security Controls for Buffer Overflows 573
  Controls for Incomplete Parameter Check and Enforcement 573
  Memory Protection 574
  Covert Channel Controls 575
  Cryptography 575
  Password Protection Techniques 575
  Inadequate Granularity of Controls 576
  Control and Separation of Environments 576
  Time of Check/Time of Use (TOC/TOU) 577
  Social Engineering 577
  Backup Controls 577
  Software Forensics 578
  Mobile Code Controls 580
  Programming Language Support 582
  Audit and Assurance Mechanisms 582
  Information Integrity 583
  Information Accuracy 583
  Information Auditing 583
  Certification and Accreditation 584
  Information Protection Management 584
  Change Management 585
  Configuration Management 586
  Malicious Software (Malware) 586
  Malware Types 589
  Viruses 589
  Worms 592
  Hoaxes 593
  Trojans 593
  Remote-Access Trojans (RATs) 595
  DDoS Zombies 596
  Logic Bombs 596
  Spyware and Adware 597
  Pranks 597
  Malware Protection 598
  Scanners 599
  Activity Monitors 599
  Change Detection 599
  Antimalware Policies 600
  Malware Assurance 601
  The Database and Data Warehousing Environment 602
  DBMS Architecture 602
  Hierarchical Database Management Model 604
  Network Database Management Model 605
  Relational Database Management Model 605
  Object-Oriented Database Model 609
  Database Interface Languages 609
  Open Database Connectivity (ODBC) 609
  Java Database Connectivity (JDBC) 610
  eXtensible Markup Language (XML) 610
  Object Linking and Embedding Database (OLE DB) 611
  Accessing Databases through the Internet 612
  Data Warehousing 613
  Metadata 614
  Online Analytical Processing (OLAP) 616
  Data Mining 616
  Database Vulnerabilities and Threats 617
  DBMS Controls 620
  Lock Controls 621
  Other DBMS Access Controls 622
  View-Based Access Controls 622
  Grant and Revoke Access Controls 622
  Security for Object-Oriented (OO) Databases 623
  Metadata Controls 623
  Data Contamination Controls 623
  Online Transaction Processing (OLTP) 623
  Knowledge Management 624
  Web Application Environment 626
  Web Application Threats and Protection 627
  Summary 628
  References 629
  Sample Questions 629

Operations Security (Sean M. Price, CISSP) 633
  Introduction 633
  Privileged Entity Controls 633
  Operators 633
  Ordinary Users 634
  System Administrators 635
  Security Administrators 637
  File Sensitivity Labels 637
  System Security Characteristics 637
  Clearances 637
  Passwords 637
  Account Characteristics 638
  Security Profiles 638
  Audit Data Analysis and Management 639
  System Accounts 640
  Account Management 640
  Resource Protection 642
  Facilities 642
  Hardware 642
  Software 644
  Documentation 644
  Threats to Operations 645
  Disclosure 645
  Destruction 645
  Interruption and Nonavailability 645
  Corruption and Modification 645
  Theft 645
  Espionage 646
  Hackers and Crackers 646
  Malicious Code 646
  Control Types 646
  Preventative Controls 646
  Detective Controls 646
  Corrective Controls 647
  Directive Controls 647
  Recovery Controls 647
  Deterrent Controls 647
  Compensating Controls 647
  Control Methods 648
  Separation of Responsibilities 648
  Least Privilege 648
  Job Rotation 648
  Need to Know 648
  Security Audits and Reviews 649
  Supervision 649
  Input/Output Controls 650
  Antivirus Management 650
  Media Types and Protection Methods 650
  Object Reuse 651
  Sensitive Media Handling 653
  Marking 653
  Handling 653
  Storing 653
  Destruction 653
  Declassification 654
  Misuse Prevention 654
  Record Retention 655
  Continuity of Operations 655
  Fault Tolerance 656
  Data Protection 657
  Software 659
  Hardware 660
  Communications 660
  Facilities 661
  Problem Management 663
  System Component Failure 664
  Power Failure 664
  Telecommunications Failure 664
  Physical Break-In 664
  Tampering 664
  Production Delay 665
  Input/Output Errors 665
  System Recovery 667
  Intrusion Detection System 668
  Vulnerability Scanning 668
  Business Continuity Planning 669
  Change Control Management 669
  Configuration Management 670
  Production Software 671
  Software Access Control 671
  Change Control Process 672
  Requests 672
  Impact Assessment 672
  Approval/Disapproval 672
  Build and Test 672
  Notification 673
  Implementation 673
  Validation 673
  Documentation 673
  Library Maintenance 673
  Patch Management 673
  Summary 677
  References 677
  Sample Questions 678

Legal, Regulations, Compliance and Investigations (Marcus K. Rogers, Ph.D., CISSP) 683
  Introduction 683
  CISSP Expectations 684
  Major Legal Systems 685
  Common Law 686
  Criminal Law 687
  Tort Law 687
  Administrative Law 687
  Civil Law 688
  Customary Law 688
  Religious Law 689
  Mixed Law 689
  Information Technology Laws and Regulations 690
  Intellectual Property Laws 690
  Patent 690
  Trademark 690
  Copyright 691
  Trade Secret 691
  Licensing Issues 691
  Privacy 692
  Liability 694
  Computer Crime 695
  International Cooperation 697
  Incident Response 698
  Response Capability 699
  Incident Response and Handling 700
  Triage 700
  Investigative Phase 701
  Containment 701
  Analysis and Tracking 702
  Recovery Phase 703
  Recovery and Repair 704
  Debriefing/Feedback 704
  Computer Forensics 705
  Crime Scene 707
  Digital/Electronic Evidence 708
  General Guidelines 709
  Conclusions 710
  References 712
  Sample Questions 715

Answers to Sample Questions 719
  Information Security and Risk Management 719
  Access Control 724
  Cryptography 728
  Physical (Environmental) Security 731
  Security Architecture and Design 734
  Business Continuity and Disaster Recovery Planning 737
  Telecommunications and Network Security 740
  Application Security 746
  Operations Security 748
  Legal, Regulations, Compliance and Investigation 752

Certified Information Systems Security Professional (CISSP) Candidate Information Bulletin 757
  Information Security and Risk Management 758
  Overview 758
  Key Areas of Knowledge 759
  Access Control 759
  Overview 759
  Key Areas of Knowledge 760
  Cryptography 760
  Overview 760
  Key Areas of Knowledge 760
  Physical (Environmental) Security 760
  Overview 760
  Key Areas of Knowledge 761
  Security Architecture and Design 761
  Overview 761
  Key Areas of Knowledge 761
  Business Continuity and Disaster Recovery Planning 762
  Overview 762
  Key Areas of Knowledge 762
  Telecommunications and Network Security 763
  Overview 763
  Key Areas of Knowledge 763
  Application Security 764
  Overview 764
  Key Areas of Knowledge 764
  Operations Security 764
  Overview 764
  Key Areas of Knowledge 764
  Legal, Regulations, Compliance and Investigations 765
  Overview 765
  Key Areas of Knowledge 765
  References 766

General Examination Information 770
Glossary 775
Index 1023