CISSP study guide
CISSP® Study Guide, Fourth Edition provides the latest updates on CISSP® certification, the most prestigious, globally-recognized, vendor neutral exam for information security professionals. In this new edition, readers will learn about what's included in the newest version of the exam's C...
| Main Authors: | , , |
|---|---|
| Corporate Author: | |
| Format: | eBook |
| Language: | English |
| Published: | Cambridge, MA : Syngress, [2023] |
| Edition: | Fourth edition. |
| Subjects: | |
| Online Access: | Connect to the full text of this electronic book |
Table of Contents:
- Intro
- CISSP® Study Guide
- Copyright
- Contents
- About the authors
- Chapter 1: Introduction
- How to Prepare for the Exam
- The CISSP Exam Is a Management Exam
- The 2021 Update
- The Notes Card Approach
- Practice Tests
- Read the Glossary
- Readiness Checklist
- How to Take the Exam
- Steps to Becoming a CISSP
- Computer-Based Testing (CBT)
- CISSP CAT
- Taking the Exam
- After the Exam
- Good Luck!
- References
- Chapter 2: Domain 1: Security and Risk Management
- Unique Terms and Definitions
- Introduction
- Cornerstone Information Security Concepts
- Confidentiality, Integrity, and Availability
- Confidentiality
- Integrity
- Availability
- Tension Between the Concepts
- Disclosure, Alteration, and Destruction
- Identity and Authentication, Authorization, and Accountability (AAA)
- Identity and Authentication
- Authorization
- Accountability
- Non-repudiation
- Least Privilege and Need to Know
- Subjects and Objects
- Defense-in-Depth
- Due Care and Due Diligence
- Gross Negligence
- Legal and Regulatory Issues
- Compliance With Laws and Regulations
- Major Legal Systems
- Civil Law (Legal System)
- Common Law
- Religious Law
- Other Systems
- Criminal, Civil, and Administrative Law
- Criminal Law
- Civil Law
- Administrative Law
- Liability
- Due Care
- Due Diligence
- Legal Aspects of Investigations
- Evidence
- Real Evidence
- Direct Evidence
- Circumstantial Evidence
- Corroborative Evidence
- Hearsay
- Best Evidence Rule
- Secondary Evidence
- Evidence Integrity
- Chain of Custody
- Reasonable Searches
- Entrapment and Enticement
- Computer Crime
- Intellectual Property
- Trademark
- Patent
- Copyright
- Copyright Limitations
- Licenses
- Trade Secrets
- Intellectual Property Attacks
- Privacy
- European Union Privacy
- OECD Privacy Guidelines
- General Data Protection Regulation
- EU-US Safe Harbor
- US Privacy Act of 1974
- International Cooperation
- Import/Export Restrictions
- Trans-border Data Flow
- Important Laws and Regulations
- US Computer Fraud and Abuse Act
- HIPAA
- United States Breach Notification Laws
- Ethics
- The (ISC)2 Code of Ethics
- The (ISC)2 Code of Ethics Canons in Detail
- Computer Ethics Institute
- IAB's Ethics and the Internet
- Information Security Governance
- Security Policy and Related Documents
- Policy
- Components of Program Policy
- Policy Types
- Procedures
- Standards
- Guidelines
- Baselines
- Personnel Security
- Candidate Screening and Hiring
- Onboarding
- Employee Termination
- Security Awareness and Training
- Gamification
- Security Champions
- Access Control Defensive Categories and Types
- Preventive
- Detective
- Corrective
- Recovery
- Deterrent
- Compensating
- Comparing Access Controls
- Risk Analysis
- Assets
- Threats and Vulnerabilities
- Risk = Threat × Vulnerability
- Impact
- Risk Analysis Matrix
- Calculating Annualized Loss Expectancy
- Asset Value
- Exposure Factor
- Single Loss Expectancy
- Annual Rate of Occurrence
- Annualized Loss Expectancy
- Total Cost of Ownership
- Return on Investment
- Budget and Metrics
- Risk Response
- Accept the Risk
- Risk Acceptance Criteria
- Mitigate the Risk
- Transfer the Risk
- Risk Avoidance
- Quantitative and Qualitative Risk Analysis
- The Risk Management Process
- Risk Maturity Modeling
- Security and Third Parties
- Service Provider Contractual Security
- Minimum Security Requirements
- Service Level Agreements and Service Level Requirements
- Attestation
- Right to Penetration Test/Right to Audit
- Supply Chain Risk Management
- Risks Associated With Hardware, Software, and Services
- Vendor Governance
- Acquisitions
- Divestitures
- Third Party Assessment and Monitoring
- Outsourcing and Offshoring
- Types of Attackers
- Hackers
- Script Kiddies
- Outsiders
- Insiders
- Hacktivist
- Bots and Botnets
- Phishers and Spear Phishers
- Summary of Exam Objectives
- Self-Test
- Self-Test Quick Answer Key
- References
- Chapter 3: Domain 2: Asset Security
- Unique Terms and Definitions
- Introduction
- Classifying Data
- Labels
- Security Compartments
- Clearance
- Formal Access Approval
- Need to Know
- Sensitive Information/Media Security
- Sensitive Information
- Handling
- Storage
- Retention
- Ownership and Inventory
- Asset Inventory
- Asset Retention
- Business or Mission Owners
- Data Owners
- System Owner
- Custodian
- Users
- Data Controllers and Data Processors
- Data Location
- Data Maintenance
- Data Loss Prevention
- Digital Rights Management
- Cloud Access Security Brokers
- Data Collection Limitation
- Memory and Remanence
- Data Remanence
- Memory
- Cache Memory
- RAM and ROM
- DRAM and SRAM
- Firmware
- Flash Memory
- Solid State Drives (SSDs)
- Data Destruction
- Overwriting
- Degaussing
- Destruction
- Shredding
- Determining Data Security Controls
- Certification and Accreditation
- Standards and Control Frameworks
- Standards Selection
- PCI-DSS
- OCTAVE
- ISO 17799 and the ISO 27000 Series
- COBIT
- ITIL
- Scoping and Tailoring
- Data States
- Protecting Data in Use
- Protecting Data in Transit
- Drive and Tape Encryption
- Media Storage and Transportation
- Summary of Exam Objectives
- Self-Test
- Self-Test Quick Answer Key
- References
- Chapter 4: Domain 3: Security Architecture and Engineering
- Unique Terms and Definitions
- Introduction
- Secure Design Principles
- Threat Modeling
- Least Privilege and Defense-in-Depth
- Secure Defaults
- Privacy by Design
- Fail Securely
- Separation of Duties (SoD)
- Keep It Simple
- Trust, but Verify
- Zero Trust
- Security Models
- Reading Down and Writing Up
- State Machine Model
- Bell-LaPadula Model
- Simple Security Property
- *Security Property (Star Security Property)
- Strong and Weak Tranquility Property
- Lattice-Based Access Controls
- Integrity Models
- Biba Model
- Simple Integrity Axiom
- * Integrity Axiom
- Clark-Wilson
- Well Formed Transactions
- Certification, Enforcement, and Separation of Duties
- Information Flow Model
- Chinese Wall Model
- Non-interference
- Take-Grant
- Access Control Matrix
- Zachman Framework for Enterprise Architecture
- Graham-Denning Model
- Harrison-Ruzzo-Ullman Model
- Evaluation Methods, Certification, and Accreditation
- The International Common Criteria
- Common Criteria Terms
- Levels of Evaluation
- Secure System Design Concepts
- Layering
- Abstraction
- Security Domains
- The Ring Model
- Open and Closed Systems
- Secure Hardware Architecture
- The System Unit and Motherboard
- The Computer Bus
- Northbridge and Southbridge
- The CPU
- Arithmetic Logic Unit and Control Unit
- Fetch and Execute
- Pipelining
- Interrupts
- Processes and Threads
- Multitasking and Multiprocessing
- Watchdog Timers
- CISC and RISC
- Memory Addressing
- Memory Protection
- Process Isolation
- Hardware Segmentation
- Virtual Memory
- Swapping and Paging
- BIOS
- WORM Storage
- Trusted Platform Module
- Data Execution Prevention and Address Space Layout Randomization
- Secure Operating System and Software Architecture
- The Kernel
- Reference Monitor
- Users and File Permissions
- Linux and UNIX permissions
- Microsoft NTFS Permissions
- Privileged Programs
- Virtualization, Cloud, and Distributed Computing
- Virtualization
- Hypervisor
- Virtualization Benefits
- Virtualization Security Issues
- Cloud Computing
- Shared Responsibility
- Microservices, Containers, and Serverless
- Microservices
- Containers
- Containers vs. Virtualization
- Serverless
- High-Performance Computing (HPC) and Grid Computing
- Peer-to-Peer
- Thin Clients
- Diskless Workstations
- Thin Client Applications
- Embedded Systems and The Internet of Things (IoT)
- Distributed Systems and Edge Computing Systems
- Industrial Control Systems (ICS)
- System Vulnerabilities, Threats, and Countermeasures
- Emanations
- Covert Channels
- Covert Storage Channels
- Covert Timing Channels
- Backdoors
- Malicious Code (Malware)
- Computer Viruses
- Worms
- Trojans
- Rootkits
- Packers
- Logic Bombs
- Antivirus Software
- Server-Side Attacks
- Client-Side Attacks
- Web Architecture and Attacks
- Applets
- Java
- ActiveX
- OWASP
- XML
- Service Oriented Architecture (SOA)
- Database Security
- Polyinstantiation
- Inference and Aggregation
- Inference and Aggregation Controls
- Data Mining
- Data Analytics
- Countermeasures
- Mobile Device Attacks
- Mobile Device Defenses
- Cornerstone Cryptographic Concepts
- Key Terms
- Confidentiality, Integrity, Authentication, and Non-repudiation
- Confusion, Diffusion, Substitution, and Permutation
- Cryptographic Strength
- Monoalphabetic and Polyalphabetic Ciphers
- Modular Math
- Exclusive Or (XOR)
- Data at Rest and Data in Motion
- Protocol Governance
- Types of Cryptography
- Symmetric Encryption
- Stream and Block Ciphers
- Initialization Vectors and Chaining
- DES
- Modes of DES
- Electronic Code Book (ECB)
- Cipher Block Chaining (CBC)
- Cipher Feedback (CFB)
- Output Feedback (OFB)
- Counter Mode (CTR)
- Single DES
- Triple DES
- International Data Encryption Algorithm (IDEA)
- Advanced Encryption Standard (AES)
- Choosing AES