CISSP Exam Cram Book

Introduction. . . . 1

How to Prepare for the Exam. . . 1

Practice Tests . . . 2

Taking a Certification Exam . . . 2

Arriving at the Exam Location . . 2

In the Testing Center . . . 3

After the Exam. . . 3

Retaking a Test . . . 3

Tracking Your CISSP Status . . 3

About This Book. . . 4

The Chapter Elements. . . 4

Other Book Elements. . . 7

Chapter Contents . . . 7

Pearson IT Certification Practice Test Engine and Questions on the CD . . . . 9

Install the Software from the CD. . 10

Activate and Download the Practice Exam . . 11

Activating Other Exams . . . 11

Contacting the Author . . . 12

Self-Assessment. . . 12

CISSPs in the Real World . . . 12

The Ideal CISSP Candidate . . 12

Put Yourself to the Test . . . 13

After the Exam . . . 15

Chapter 1: The CISSP Certification Exam . . . 17

Introduction. . . . 18

Assessing Exam Readiness . . . 18

Taking the Exam . . . 19

Multiple-Choice Question Format . . 21

Exam Strategy . . . 21

Question-Handling Strategies . . . 22

Mastering the Inner Game . . . 23

Need to Know More? . . . 24

Chapter 2: Physical Security . . . . 25

Introduction. . . . 26

Physical Security Risks. . . 26

Natural Disasters. . . 27

Man-Made Threats. . . 28

Technical Problems. . . 28

Facility Concerns and Requirements . . 29

CPTED . . . 30

Area Concerns . . . 30

Location . . . 31

Construction . . . 32

Doors, Walls, Windows, and Ceilings . . 32

Asset Placement. . . 35

Physical Port Controls . . . 36

Perimeter Controls. . . 36

Fences . . . . 36

Gates. . . . 38

Bollards. . . . 39

CCTV Cameras . . . 40

Lighting . . . 41

Guards and Dogs . . . 42

Locks. . . . 43

Employee Access Control . . . 46

Badges, Tokens, and Cards . . 47

Biometric Access Controls. . . 48

Environmental Controls . . . 49

Heating, Ventilating, and Air Conditioning . . 50

Electrical Power . . . 51

Uninterruptible Power Supply . . 52

Equipment Life Cycle . . . 53

Fire Prevention, Detection, and Suppression . . 53

Fire-Detection Equipment . . 54

Fire Suppression . . . 54

Alarm Systems . . . 57

Intrusion Detection Systems . . 57

Monitoring and Detection. . . 58

Exam Prep Questions. . . 60

Answers to Exam Prep Questions . . 62

Suggested Reading and Resources . . 64

Chapter 3: Access Control Systems and Methodology. . 65

Introduction. . . . 66

Identification, Authentication, and Authorization . . 67

Authentication . . . 67

Access Management . . . 79

Single Sign-On . . . 80

Kerberos. . . 81

SESAME . . . 83

Authorization and Access Controls Techniques . . 84

Discretionary Access Control . . 84

Mandatory Access Control . . 85

Role-Based Access Control . . 87

Other Types of Access Controls . . 88

Access Control Methods . . . 89

Centralized Access Control . . 89

Decentralized Access Control . . 92

Access Control Types . . . 93

Administrative Controls. . . 93

Technical Controls . . . 94

Physical Controls . . . 94

Access Control Categories. . . 95

Audit and Monitoring . . . 96

Monitoring Access and Usage. . 96

Intrusion Detection Systems . . 97

Intrusion Prevention Systems . . 101

Network Access Control . . . 102

Keystroke Monitoring . . . 102

Emanation Security . . . 103

Access Control Attacks. . . 104

Unauthorized Access . . . 104

Access Aggregation . . . 105

Password Attacks. . . 105

Spoofing . . . 109

Sniffing . . . 109

Eavesdropping and Shoulder Surfing. . 110

Wiretapping. . . 110

Identity Theft . . . 110

Denial of Service Attacks . . . 111

Distributed Denial of Service Attacks . . 113

Botnets . . . 113

Exam Prep Questions. . . 116

Answers to Exam Prep Questions . . 119

Suggesting Reading and Resources . . 121

Chapter 4: Cryptography. . . . 123

Introduction. . . . 124

Cryptographic Basics . . . 124

History of Encryption . . . 127

Steganography. . . 132

Steganography Operation . . 133

Digital Watermark . . . 134

Algorithms . . . . 135

Cipher Types and Methods . . . 137

Symmetric Encryption . . . 137

Data Encryption Standard. . 140

Triple-DES . . . 144

Advanced Encryption Standard. . 145

International Data Encryption Algorithm. . 146

Rivest Cipher Algorithms . . 146

Asymmetric Encryption . . . 147

Diffie-Hellman . . . 149

RSA. . . . 150

El Gamal . . . 151

Elliptical Curve Cryptosystem . . 152

Merkle-Hellman Knapsack . . 152

Review of Symmetric and Asymmetric Cryptographic Systems . . . 153

Hybrid Encryption . . . 153

Integrity and Authentication. . . 154

Hashing and Message Digests. . 155

Digital Signatures . . . 158

Cryptographic System Review . . 159

Public Key Infrastructure . . . 160

Certificate Authority . . . 160

Registration Authority . . . 161

Certificate Revocation List . . 161

Digital Certificates . . . 161

The Client’s Role in PKI . . . 163

Email Protection Mechanisms . . . 164

Pretty Good Privacy. . . 164

Other Email Security Applications. . 165

Securing TCP/IP with Cryptographic Solutions. . 165

Application/Process Layer Controls . . 166

Host to Host Layer Controls . . 167

Internet Layer Controls. . . 168

Network Access Layer Controls . . 170

Link and End-to-End Encryption . . 170

Cryptographic Attacks . . . 171

Exam Prep Questions. . . 175

Answers to Exam Prep Questions . . 178

Need to Know More? . . . 180

Chapter 5: Security Architecture and Models . . . 181

Introduction. . . . 182

Computer System Architecture . . 182

Central Processing Unit . . . 182

Storage Media . . . 186

I/O Bus Standards. . . 189

Hardware Cryptographic Components . . 190

Virtual Memory and Virtual Machines . . 190

Computer Configurations . . 191

Security Architecture . . . 192

Protection Rings . . . 192

Trusted Computer Base . . . 194

Open and Closed Systems . . 197

Security Modes of Operation . . 197

Operating States . . . 199

Recovery Procedures . . . 199

Process Isolation . . . 200

Security Models . . . 201

State Machine Model . . . 202

Information Flow Model . . . 203

Noninterference Model . . . 203

Confidentiality. . . 203

Integrity . . . 204

Other Models . . . 208

Documents and Guidelines . . . 208

The Rainbow Series . . . 209

The Red Book: Trusted Network Interpretation . 211

Information Technology Security Evaluation Criteria . 212

Common Criteria . . . 212

System Validation . . . 214

Certification and Accreditation. . 215

Governance and Enterprise Architecture . . 216

Security Architecture Threats. . . 219

Buffer Overflow . . . 219

Back Doors . . . 220

Asynchronous Attacks . . . 220

Covert Channels . . . 221

Incremental Attacks . . . 221

Exam Prep Questions. . . 223

Answers to Exam Prep Questions . . 226

Need to Know More? . . . 228

Chapter 6: Telecommunications and Network Security . . 229

Introduction. . . . 230

Network Models and Standards . . 230

OSI Model . . . 231

Encapsulation/De-Encapsulation . . 237

TCP/IP . . . . 238

Network Access Layer . . . 238

Internet Layer . . . 239

Host-to-Host (Transport) Layer. . 243

Application Layer . . . 245

LANs and Their Components . . . 249

LAN Communication Protocols . . 250

Network Topologies . . . 251

LAN Cabling. . . 253

Network Types . . . 255

Communication Standards . . . 256

Network Equipment. . . 257

Repeaters . . . 257

Hubs . . . . 257

Bridges . . . 257

Switches . . . 258

VLANs . . . 259

Routers . . . 260

Brouters . . . 261

Gateways . . . 261

Routing. . . . 262

WANs and Their Components . . 264

Packet Switching. . . 264

Circuit Switching . . . 266

Cloud Computing. . . 270

Voice Communications and Wireless Communications . 271

Voice over IP . . . 271

Cell Phones . . . 272

802.11 Wireless Networks and Standards . . 274

Network Security . . . 281

Firewalls . . . 282

Demilitarized Zone. . . 283

Firewall Design . . . 285

Remote Access. . . 285

Point-to-Point Protocol. . . 286

Virtual Private Networks . . . 287

Remote Authentication Dial-in User Service . 288

Terminal Access Controller Access Control System . 288

IPSec. . . . 288

Message Privacy . . . 289

Threats to Network Security . . . 290

DoS Attacks . . . 290

Distributed Denial of Service . . 291

Disclosure Attacks. . . 291

Destruction, Alteration, or Theft . . 292

Exam Prep Questions. . . 295

Answers to Exam Prep Questions . . 298

Need to Know More? . . . 299

Chapter 7: Business Continuity and Disaster Recovery Planning. . 301

Introduction. . . . 302

Threats to Business Operations . . 302

Disaster Recovery and Business Continuity Management . 303

Project Management and Initiation . . 305

Business Impact Analysis . . . 307

Recovery Strategy . . . 313

Plan Design and Development . . 327

Implementation. . . 330

Testing . . . 331

Monitoring and Maintenance . . 333

Disaster Life Cycle . . . 334

Teams and Responsibilities . . 336

Exam Prep Questions. . . 338

Answers to Exam Prep Questions . . 341

Need to Know More? . . . 343

Chapter 8: Legal, Regulations, Investigations, and Compliance . . 345

Introduction. . . . 346

United States Legal System and Laws. . 346

International Legal Systems and Laws . . 347

International Property Laws . . . 349

Piracy and Issues with Copyrights . . 350

Privacy Laws and Protection of Personal Information . 351

Privacy Impact Assessment . . 353

Computer Crime Laws . . . 354

Regulatory Compliance and Process Control. . 354

Ethics . . . . 355

ISC2 Code of Ethics. . . 356

Computer Ethics Institute . . 357

Internet Architecture Board . . 357

NIST 800-14. . . 358

Computer Crime and Criminals. . 359

Pornography . . . 361

Well-Known Computer Crimes . . 362

How Computer Crime Has Changed . . 363

Attack Vectors . . . 364

Keystroke Logging . . . 365

Wiretapping. . . 365

Spoofing Attacks . . . 366

Manipulation Attacks . . . 367

Social Engineering . . . 367

Dumpster Diving . . . 368

Investigating Computer Crime. . . 368

Computer Crime Jurisdiction . . 369

Incident Response. . . 369

Forensics . . . . 374

Standardization of Forensic Procedures . . 375

Computer Forensics . . . 376

Investigations. . . 381

Search, Seizure, and Surveillance . . 381

Interviews and Interrogations . . 381

Honeypots and Honeynets . . 381

Evidence Types . . . 383

Trial . . . . 384

The Evidence Life Cycle . . . 384

Exam Prep Questions. . . 385

Answers to Exam Prep Questions . . 388

Need to Know More? . . . 390

Chapter 9: Software Development Security . . . 391

Introduction. . . . 392

Software Development. . . 392

Avoiding System Failure . . . 393

The System Development Life Cycle . . 394

System Development Methods. . . 402

The Waterfall Model . . . 402

The Spiral Model . . . 402

Joint Application Development . . 403

Rapid Application Development. . 404

Incremental Development . . 404

Prototyping . . . 404

Computer-Aided Software Engineering . . 405

Agile Development Methods. . 405

Capability Maturity Model . . 406

Scheduling . . . 407

Change Management . . . 408

Programming Languages. . . 409

Object-Oriented Programming . . 412

CORBA . . . 413

Database Management. . . 413

Database Terms. . . 414

Integrity . . . 416

Transaction Processing. . . 416

Data Warehousing . . . 416

Data Mining . . . 417

Knowledge Management . . . 418

Artificial Intelligence and Expert Systems. . 418

Malicious Code . . . 419

Viruses . . . 420

Worms . . . 421

Spyware . . . 422

Back Doors and Trapdoors . . 423

Change Detection. . . 423

Mobile Code . . . 424

Financial Attacks . . . 424

Buffer Overflow . . . 424

Input Validation and Injection Attacks . . 426

Exam Prep Questions. . . 429

Answers to Exam Prep Questions . . 432

Need to Know More? . . . 434

Chapter 10: Information Security Governance and Risk Management . . 435

Introduction. . . . 436

Basic Security Principles . . . 436

Security Management and Governance. . 438

Asset Identification . . . 440

Risk Assessment . . . 441

Risk Management . . . 442

Policies Development. . . 458

Security Policy. . . 459

Standards . . . 461

Baselines . . . 461

Guidelines . . . 461

Procedures . . . 462

Data Classification . . . 462

Implementation. . . 465

Roles and Responsibility . . . 465

Security Controls . . . 467

Training and Education . . . 469

Security Awareness . . . 470

Social Engineering . . . 471

Auditing Your Security Infrastructure . . 472

The Risk of Poor Security Management. . 474

Exam Prep Questions. . . 475

Answers to Exam Prep Questions . . 478

Need to Know More? . . . 480

Chapter 11: Security Operations . . . 481

Introduction. . . . 482

Security Operations . . . 482

Employee Recruitment . . . 483

New-Hire Orientation . . . 484

Separation of Duties. . . 484

Job Rotation. . . 485

Least Privilege. . . 485

Mandatory Vacations . . . 486

Termination . . . 486

Accountability . . . 486

Controls . . . . 488

Security Controls . . . 489

Operational Controls . . . 490

Auditing and Monitoring. . . 498

Auditing . . . 498

Security Information and Event Management (SIEM) . 499

Monitoring Controls . . . 499

Clipping Levels . . . 501

Intrusion Detection . . . 501

Keystroke Monitoring . . . 502

Antivirus . . . 503

Facility Access Control . . . 504

Telecommunication Controls . . . 504

Fax. . . . 505

PBX. . . . 506

Email. . . . 507

Backup, Fault Tolerance, and Recovery Controls . . 509

Backups. . . 509

Fault Tolerance . . . 511

RAID . . . . 513

Recovery Controls . . . 515

Security Assessments . . . 516

Policy Reviews. . . 516

Vulnerability Scanning . . . 517

Penetration Testing. . . 518

Operational Security Threats and Vulnerabilities . . 521

Common Attack Methodologies. . 522

Attack Terms and Techniques . . 524

Exam Prep Questions. . . 526

Answers to Exam Prep Questions . . 529

Need to Know More? . . . 531

Practice Exam I. . . . 533

Practice Exam Questions. . . 533

Answers to Practice Exam I . . . 547

Practice Exam II . . . . 563

Practice Exam Questions. . . 563

Answers to Practice Exam II . . . 577

TOC, 9780789749574, 11/2/2012