(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

Introduction xxxvii

Assessment Test lix

Chapter 1 Security Governance Through Principles and Policies 1

Security 101 3

Understand and Apply Security Concepts 4

Confidentiality 5

Integrity 6

Availability 7

DAD, Overprotection, Authenticity, Non-repudiation, and AAA Services 7

Protection Mechanisms 11

Security Boundaries 13

Evaluate and Apply Security Governance Principles 14

Third-Party Governance 15

Documentation Review 15

Manage the Security Function 16

Alignment of Security Function to Business Strategy, Goals, Mission, and Objectives 17

Organizational Processes 19

Organizational Roles and Responsibilities 21

Security Control Frameworks 22

Due Diligence and Due Care 23

Security Policy, Standards, Procedures, and Guidelines 23

Security Policies 24

Security Standards, Baselines, and Guidelines 24

Security Procedures 25

Threat Modeling 26

Identifying Threats 26

Determining and Diagramming Potential Attacks 28

Performing Reduction Analysis 28

Prioritization and Response 30

Supply Chain Risk Management 31

Summary 33

Exam Essentials 33

Written Lab 36

Review Questions 37

Chapter 2 Personnel Security and Risk Management Concepts 43

Personnel Security Policies and Procedures 45

Job Descriptions and Responsibilities 45

Candidate Screening and Hiring 46

Onboarding: Employment Agreements and Policies 47

Employee Oversight 48

Offboarding, Transfers, and Termination Processes 49

Vendor, Consultant, and Contractor Agreements and Controls 52

Compliance Policy Requirements 53

Privacy Policy Requirements 54

Understand and Apply Risk Management Concepts 55

Risk Terminology and Concepts 56

Asset Valuation 58

Identify Threats and Vulnerabilities 60

Risk Assessment/Analysis 60

Risk Responses 66

Cost vs. Benefit of Security Controls 69

Countermeasure Selection and Implementation 72

Applicable Types of Controls 74

Security Control Assessment 76

Monitoring and Measurement 76

Risk Reporting and Documentation 77

Continuous Improvement 77

Risk Frameworks 79

Social Engineering 81

Social Engineering Principles 83

Eliciting Information 85

Prepending 85

Phishing 85

Spear Phishing 87

Whaling 87

Smishing 88

Vishing 88

Spam 89

Shoulder Surfing 90

Invoice Scams 90

Hoax 90

Impersonation and Masquerading 91

Tailgating and Piggybacking 91

Dumpster Diving 92

Identity Fraud 93

Typo Squatting 94

Influence Campaigns 94

Establish and Maintain a Security Awareness, Education, and Training Program 96

Awareness 97

Training 97

Education 98

Improvements 98

Effectiveness Evaluation 99

Summary 100

Exam Essentials 101

Written Lab 106

Review Questions 107

Chapter 3 Business Continuity Planning 113

Planning for Business Continuity 114

Project Scope and Planning 115

Organizational Review 116

BCP Team Selection 117

Resource Requirements 119

Legal and Regulatory Requirements 120

Business Impact Analysis 121

Identifying Priorities 122

Risk Identification 123

Likelihood Assessment 125

Impact Analysis 126

Resource Prioritization 128

Continuity Planning 128

Strategy Development 129

Provisions and Processes 129

Plan Approval and Implementation 131

Plan Approval 131

Plan Implementation 132

Training and Education 132

BCP Documentation 132

Summary 136

Exam Essentials 137

Written Lab 138

Review Questions 139

Chapter 4 Laws, Regulations, and Compliance 143

Categories of Laws 144

Criminal Law 144

Civil Law 146

Administrative Law 146

Laws 147

Computer Crime 147

Intellectual Property (IP) 152

Licensing 158

Import/Export 158

Privacy 160

State Privacy Laws 168

Compliance 169

Contracting and Procurement 171

Summary 171

Exam Essentials 172

Written Lab 173

Review Questions 174

Chapter 5 Protecting Security of Assets 179

Identifying and Classifying Information and Assets 180

Defining Sensitive Data 180

Defining Data Classifications 182

Defining Asset Classifications 185

Understanding Data States 185

Determining Compliance Requirements 186

Determining Data Security Controls 186

Establishing Information and Asset Handling Requirements 188

Data Maintenance 189

Data Loss Prevention 189

Marking Sensitive Data and Assets 190

Handling Sensitive Information and Assets 192

Data Collection Limitation 192

Data Location 193

Storing Sensitive Data 193

Data Destruction 194

Ensuring Appropriate Data and Asset Retention 197

Data Protection Methods 199

Digital Rights Management 199

Cloud Access Security Broker 200

Pseudonymization 200

Tokenization 201

Anonymization 202

Understanding Data Roles 204

Data Owners 204

Asset Owners 205

Business/Mission Owners 206

Data Processors and Data Controllers 206

Data Custodians 207

Administrators 207

Users and Subjects 208

Using Security Baselines 208

Comparing Tailoring and Scoping 209

Standards Selection 210

Summary 211

Exam Essentials 211

Written Lab 213

Review Questions 214

Chapter 6 Cryptography and Symmetric Key Algorithms 219

Cryptographic Foundations 220

Goals of Cryptography 220

Cryptography Concepts 223

Cryptographic Mathematics 224

Ciphers 230

Modern Cryptography 238

Cryptographic Keys 238

Symmetric Key Algorithms 239

Asymmetric Key Algorithms 241

Hashing Algorithms 244

Symmetric Cryptography 244

Cryptographic Modes of Operation 245

Data Encryption Standard 247

Triple DES 247

International Data Encryption Algorithm 248

Blowfish 249

Skipjack 249

Rivest Ciphers 249

Advanced Encryption Standard 250

CAST 250

Comparison of Symmetric Encryption Algorithms 251

Symmetric Key Management 252

Cryptographic Lifecycle 255

Summary 255

Exam Essentials 256

Written Lab 257

Review Questions 258

Chapter 7 PKI and Cryptographic Applications 263

Asymmetric Cryptography 264

Public and Private Keys 264

RSA 265

ElGamal 267

Elliptic Curve 268

Diffie–Hellman Key Exchange 269

Quantum Cryptography 270

Hash Functions 271

SHA 272

MD5 273

RIPEMD 273

Comparison of Hash Algorithm Value Lengths 274

Digital Signatures 275

HMAC 276

Digital Signature Standard 277

Public Key Infrastructure 277

Certificates 278

Certificate Authorities 279

Certificate Lifecycle 280

Certificate Formats 283

Asymmetric Key Management 284

Hybrid Cryptography 285

Applied Cryptography 285

Portable Devices 285

Email 286

Web Applications 290

Steganography and Watermarking 292

Networking 294

Emerging Applications 295

Cryptographic Attacks 297

Summary 301

Exam Essentials 302

Written Lab 303

Review Questions 304

Chapter 8 Principles of Security Models, Design, and Capabilities 309

Secure Design Principles 310

Objects and Subjects 311

Closed and Open Systems 312

Secure Defaults 314

Fail Securely 314

Keep It Simple 316

Zero Trust 317

Privacy by Design 319

Trust but Verify 319

Techniques for Ensuring CIA 320

Confinement 320

Bounds 320

Isolation 321

Access Controls 321

Trust and Assurance 321

Understand the Fundamental Concepts of Security Models 322

Trusted Computing Base 323

State Machine Model 325

Information Flow Model 325

Noninterference Model 326

Take-Grant Model 326

Access Control Matrix 327

Bell–LaPadula Model 328

Biba Model 330

Clark–Wilson Model 333

Brewer and Nash Model 334

Goguen–Meseguer Model 335

Sutherland Model 335

Graham–Denning Model 335

Harrison–Ruzzo–Ullman Model 336

Select Controls Based on Systems Security Requirements 337

Common Criteria 337

Authorization to Operate 340

Understand Security Capabilities of Information Systems 341

Memory Protection 341

Virtualization 342

Trusted Platform Module 342

Interfaces 343

Fault Tolerance 343

Encryption/Decryption 343

Summary 343

Exam Essentials 344

Written Lab 347

Review Questions 348

Chapter 9 Security Vulnerabilities, Threats, and Countermeasures 353

Shared Responsibility 354

Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 355

Hardware 356

Firmware 370

Client-Based Systems 372

Mobile Code 372

Local Caches 375

Server-Based Systems 375

Large-Scale Parallel Data Systems 376

Grid Computing 377

Peer to Peer 378

Industrial Control Systems 378

Distributed Systems 380

High-Performance Computing (HPC) Systems 382

Internet of Things 383

Edge and Fog Computing 385

Embedded Devices and Cyber-Physical Systems 386

Static Systems 387

Network-Enabled Devices 388

Cyber-Physical Systems 389

Elements Related to Embedded and Static Systems 389

Security Concerns of Embedded and Static Systems 390

Specialized Devices 393

Microservices 394

Infrastructure as Code 395

Virtualized Systems 397

Virtual Software 399

Virtualized Networking 400

Software-Defined Everything 400

Virtualization Security Management 403

Containerization 405

Serverless Architecture 406

Mobile Devices 406

Mobile Device Security Features 408

Mobile Device Deployment Policies 420

Essential Security Protection Mechanisms 426

Process Isolation 426

Hardware Segmentation 427

System Security Policy 427

Common Security Architecture Flaws and Issues 428

Covert Channels 428

Attacks Based on Design or Coding Flaws 430

Rootkits 431

Incremental Attacks 431

Summary 432

Exam Essentials 433

Written Lab 440

Review Questions 441

Chapter 10 Physical Security Requirements 447

Apply Security Principles to Site and Facility Design 448

Secure Facility Plan 448

Site Selection 449

Facility Design 450

Implement Site and Facility Security Controls 452

Equipment Failure 453

Wiring Closets 454

Server Rooms/Data Centers 455

Intrusion Detection Systems 458

Cameras 460

Access Abuses 462

Media Storage Facilities 462

Evidence Storage 463

Restricted and Work Area Security 464

Utility Considerations 465

Fire Prevention, Detection, and Suppression 470

Implement and Manage Physical Security 476

Perimeter Security Controls 477

Internal Security Controls 481

Key Performance Indicators of Physical Security 483

Summary 484

Exam Essentials 485

Written Lab 488

Review Questions 489

Chapter 11 Secure Network Architecture and Components 495

OSI Model 497

History of the OSI Model 497

OSI Functionality 498

Encapsulation/Deencapsulation 498

OSI Layers 500

TCP/IP Model 504

Analyzing Network Traffic 505

Common Application Layer Protocols 506

Transport Layer Protocols 508

Domain Name System 509

DNS Poisoning 511

Domain Hijacking 514

Internet Protocol (IP) Networking 516

IPv4 vs. IPv6 516

IP Classes 517

ICMP 519

IGMP 519

ARP Concerns 519

Secure Communication Protocols 521

Implications of Multilayer Protocols 522

Converged Protocols 523

Voice over Internet Protocol (VoIP) 524

Software-Defined Networking 525

Microsegmentation 526

Wireless Networks 527

Securing the SSID 529

Wireless Channels 529

Conducting a Site Survey 530

Wireless Security 531

Wi-Fi Protected Setup (WPS) 533

Wireless MAC Filter 534

Wireless Antenna Management 534

Using Captive Portals 535

General Wi-Fi Security Procedure 535

Wireless Communications 536

Wireless Attacks 539

Other Communication Protocols 543

Cellular Networks 544

Content Distribution Networks (CDNs) 545

Secure Network Components 545

Secure Operation of Hardware 546

Common Network Equipment 547

Network Access Control 549

Firewalls 550

Endpoint Security 556

Cabling, Topology, and Transmission Media Technology 559

Transmission Media 559

Network Topologies 563

Ethernet 565

Sub-Technologies 566

Summary 569

Exam Essentials 570

Written Lab 574

Review Questions 575

Chapter 12 Secure Communications and Network Attacks 581

Protocol Security Mechanisms 582

Authentication Protocols 582

Port Security 585

Quality of Service (QoS) 585

Secure Voice Communications 586

Public Switched Telephone Network 586

Voice over Internet Protocol (VoIP) 586

Vishing and Phreaking 588

PBX Fraud and Abuse 589

Remote Access Security Management 590

Remote Access and Telecommuting Techniques 591

Remote Connection Security 591

Plan a Remote Access Security Policy 592

Multimedia Collaboration 593

Remote Meeting 593

Instant Messaging and Chat 594

Load Balancing 595

Virtual IPs and Load Persistence 596

Active-Active vs. Active-Passive 596

Manage Email Security 596

Email Security Goals 597

Understand Email Security Issues 599

Email Security Solutions 599

Virtual Private Network 602

Tunneling 603

How VPNs Work 604

Always-On 606

Split Tunnel vs. Full Tunnel 607

Common VPN Protocols 607

Switching and Virtual LANs 610

Network Address Translation 614

Private IP Addresses 616

Stateful NAT 617

Automatic Private IP Addressing 617

Third-Party Connectivity 618

Switching Technologies 620

Circuit Switching 620

Packet Switching 620

Virtual Circuits 621

WAN Technologies 622

Fiber-Optic Links 624

Security Control Characteristics 624

Transparency 625

Transmission Management Mechanisms 625

Prevent or Mitigate Network Attacks 625

Eavesdropping 626

Modification Attacks 626

Summary 626

Exam Essentials 628

Written Lab 630

Review Questions 631

Chapter 13 Managing Identity and Authentication 637

Controlling Access to Assets 639

Controlling Physical and Logical Access 640

The CIA Triad and Access Controls 640

Managing Identification and Authentication 641

Comparing Subjects and Objects 642

Registration, Proofing, and Establishment of Identity 643

Authorization and Accountability 644

Authentication Factors Overview 645

Something You Know 647

Something You Have 650

Something You Are 651

Multifactor Authentication (MFA) 655

Two-Factor Authentication with Authenticator Apps 655

Passwordless Authentication 656

Device Authentication 657

Service Authentication 658

Mutual Authentication 659

Implementing Identity Management 659

Single Sign-On 659

SSO and Federated Identities 660

Credential Management Systems 662

Credential Manager Apps 663

Scripted Access 663

Session Management 663

Managing the Identity and Access Provisioning Lifecycle 664

Provisioning and Onboarding 665

Deprovisioning and Offboarding 666

Defining New Roles 667

Account Maintenance 667

Account Access Review 667

Summary 668

Exam Essentials 669

Written Lab 671

Review Questions 672

Chapter 14 Controlling and Monitoring Access 677

Comparing Access Control Models 678

Comparing Permissions, Rights, and Privileges 678

Understanding Authorization Mechanisms 679

Defining Requirements with a Security Policy 681

Introducing Access Control Models 681

Discretionary Access Control 682

Nondiscretionary Access Control 683

Implementing Authentication Systems 690

Implementing SSO on the Internet 691

Implementing SSO on Internal Networks 694

Understanding Access Control Attacks 699

Risk Elements 700

Common Access Control Attacks 700

Core Protection Methods 713

Summary 714

Exam Essentials 715

Written Lab 717

Review Questions 718

Chapter 15 Security Assessment and Testing 723

Building a Security Assessment and Testing Program 725

Security Testing 725

Security Assessments 726

Security Audits 727

Performing Vulnerability Assessments 731

Describing Vulnerabilities 731

Vulnerability Scans 732

Penetration Testing 742

Compliance Checks 745

Testing Your Software 746

Code Review and Testing 746

Interface Testing 751

Misuse Case Testing 751

Test Coverage Analysis 752

Website Monitoring 752

Implementing Security Management Processes 753

Log Reviews 753

Account Management 754

Disaster Recovery and Business Continuity 754

Training and Awareness 755

Key Performance and Risk Indicators 755

Summary 756

Exam Essentials 756

Written Lab 758

Review Questions 759

Chapter 16 Managing Security Operations 763

Apply Foundational Security Operations Concepts 765

Need to Know and Least Privilege 765

Separation of Duties (SoD) and Responsibilities 767

Two-Person

Control 768

Job Rotation 768

Mandatory Vacations 768

Privileged Account Management 769

Service Level Agreements (SLAs) 771

Addressing Personnel Safety and Security 771

Duress 771

Travel 772

Emergency Management 773

Security Training and Awareness 773

Provision Resources Securely 773

Information and Asset Ownership 774

Asset Management 774

Apply Resource Protection 776

Media Management 776

Media Protection Techniques 776

Managed Services in the Cloud 779

Shared Responsibility with Cloud Service Models 780

Scalability and Elasticity 782

Perform Configuration Management (CM) 782

Provisioning 783

Baselining 783

Using Images for Baselining 783

Automation 784

Managing Change 785

Change Management 787

Versioning 788

Configuration Documentation 788

Managing Patches and Reducing Vulnerabilities 789

Systems to Manage 789

Patch Management 789

Vulnerability Management 791

Vulnerability Scans 792

Common Vulnerabilities and Exposures 792

Summary 793

Exam Essentials 794

Written Lab 796

Review Questions 797

Chapter 17 Preventing and Responding to Incidents 801

Conducting Incident Management 803

Defining an Incident 803

Incident Management Steps 804

Implementing Detective and Preventive Measures 810

Basic Preventive Measures 810

Understanding Attacks 811

Intrusion Detection and Prevention Systems 820

Specific Preventive Measures 828

Logging and Monitoring 834

Logging Techniques 834

The Role of Monitoring 837

Monitoring Techniques 840

Log Management 844

Egress Monitoring 844

Automating Incident Response 845

Understanding SOAR 845

Machine Learning and AI Tools 846

Threat Intelligence 847

The Intersection of SOAR, Machine Learning, AI, and Threat Feeds 850

Summary 851

Exam Essentials 852

Written Lab 855

Review Questions 856

Chapter 18 Disaster Recovery Planning 861

The Nature of Disaster 863

Natural Disasters 864

Human-Made

Disasters 869

Understand System Resilience, High Availability, and Fault Tolerance 875

Protecting Hard Drives 875

Protecting Servers 877

Protecting Power Sources 878

Trusted Recovery 879

Quality of Service 880

Recovery Strategy 880

Business Unit and Functional Priorities 881

Crisis Management 882

Emergency Communications 882

Workgroup Recovery 883

Alternate Processing Sites 883

Database Recovery 888

Recovery Plan Development 890

Emergency Response 891

Personnel and Communications 891

Assessment 892

Backups and Off-site Storage 892

Software Escrow Arrangements 896

Utilities 897

Logistics and Supplies 897

Recovery vs. Restoration 897

Training, Awareness, and Documentation 898

Testing and Maintenance 899

Read-Through

Test 899

Structured Walk-Through 900

Simulation Test 900

Parallel Test 900

Full-Interruption Test 900

Lessons Learned 901

Maintenance 901

Summary 902

Exam Essentials 902

Written Lab 903

Review Questions 904

Chapter 19 Investigations and Ethics 909

Investigations 910

Investigation Types 910

Evidence 913

Investigation Process 919

Major Categories of Computer Crime 923

Military and Intelligence Attacks 924

Business Attacks 925

Financial Attacks 926

Terrorist Attacks 926

Grudge Attacks 927

Thrill Attacks 928

Hacktivists 928

Ethics 929

Organizational Code of Ethics 929

(ISC)² Code of Ethics 930

Ethics and the Internet 931

Summary 933

Exam Essentials 934

Written Lab 935

Review Questions 936

Chapter 20 Software Development Security 941

Introducing Systems Development Controls 943

Software Development 943

Systems Development Lifecycle 952

Lifecycle Models 955

Gantt Charts and PERT 964

Change and Configuration Management 964

The DevOps Approach 966

Application Programming Interfaces 967

Software Testing 969

Code Repositories 970

Service-Level

Agreements 971

Third-Party

Software Acquisition 972

Establishing Databases and Data Warehousing 973

Database Management System Architecture 973

Database Transactions 977

Security for Multilevel Databases 978

Open Database Connectivity 982

NoSQL 982

Storage Threats 983

Understanding Knowledge-Based Systems 984

Expert Systems 984

Machine Learning 985

Neural Networks 986

Summary 987

Exam Essentials 987

Written Lab 988

Review Questions 989

Chapter 21 Malicious Code and Application Attacks 993

Malware 994

Sources of Malicious Code 995

Viruses 995

Logic Bombs 999

Trojan Horses 1000

Worms 1001

Spyware and Adware 1004

Ransomware 1004

Malicious Scripts 1005

Zero-Day

Attacks 1006

Malware Prevention 1006

Platforms Vulnerable to Malware 1007

Antimalware Software 1007

Integrity Monitoring 1008

Advanced Threat Protection 1008

Application Attacks 1009

Buffer Overflows 1009

Time of Check to Time of Use 1010

Backdoors 1011

Privilege Escalation and Rootkits 1011

Injection Vulnerabilities 1012

SQL Injection Attacks 1012

Code Injection Attacks 1016

Command Injection Attacks 1016

Exploiting Authorization Vulnerabilities 1017

Insecure Direct Object References 1018

Directory Traversal 1018

File Inclusion 1020

Exploiting Web Application Vulnerabilities 1020

Cross-Site

Scripting (XSS) 1021

Request Forgery 1023

Session Hijacking 1024

Application Security Controls 1025

Input Validation 1025

Web Application Firewalls 1027

Database Security 1028

Code Security 1029

Secure Coding Practices 1031

Source Code Comments 1031

Error Handling 1032

Hard-Coded

Credentials 1033

Memory Management 1034

Summary 1035

Exam Essentials 1035

Written Lab 1036

Review Questions 1037

Appendix A Answers to Review Questions 1041

Chapter 1: Security Governance Through Principles and Policies 1042

Chapter 2: Personnel Security and Risk Management Concepts 1045

Chapter 3: Business Continuity Planning 1049

Chapter 4: Laws, Regulations, and Compliance 1051

Chapter 5: Protecting Security of Assets 1053

Chapter 6: Cryptography and Symmetric Key Algorithms 1056

Chapter 7: PKI and Cryptographic Applications 1058

Chapter 8: Principles of Security Models, Design, and Capabilities 1060

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 1062

Chapter 10: Physical Security Requirements 1067

Chapter 11: Secure Network Architecture and Components 1071

Chapter 12: Secure Communications and Network Attacks 1075

Chapter 13: Managing Identity and Authentication 1078

Chapter 14: Controlling and Monitoring Access 1080

Chapter 15: Security Assessment and Testing 1082

Chapter 16: Managing Security Operations 1084

Chapter 17: Preventing and Responding to Incidents 1086

Chapter 18: Disaster Recovery Planning 1089

Chapter 19: Investigations and Ethics 1091

Chapter 20: Software Development Security 1093

Chapter 21: Malicious Code and Application Attacks 1095

Appendix B Answers to Written Labs 1099

Chapter 1: Security Governance Through Principles and Policies 1100

Chapter 2: Personnel Security and Risk Management Concepts 1100

Chapter 3: Business Continuity Planning 1101

Chapter 4: Laws, Regulations, and Compliance 1102

Chapter 5: Protecting Security of Assets 1102

Chapter 6: Cryptography and Symmetric Key Algorithms 1103

Chapter 7: PKI and Cryptographic Applications 1104

Chapter 8: Principles of Security Models, Design, and Capabilities 1104

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 1105

Chapter 10: Physical Security Requirements 1106

Chapter 11: Secure Network Architecture and Components 1108

Chapter 12: Secure Communications and Network Attacks 1109

Chapter 13: Managing Identity and Authentication 1110

Chapter 14: Controlling and Monitoring Access 1111

Chapter 15: Security Assessment and Testing 1111

Chapter 16: Managing Security Operations 1112

Chapter 17: Preventing and Responding to Incidents 1113

Chapter 18: Disaster Recovery Planning 1113

Chapter 19: Investigations and Ethics 1114

Chapter 20: Software Development Security 1114

Chapter 21: Malicious Code and Application Attacks 1115

Index 1117