All in One CISSP Exam Guide (2022)

All in One CISSP Exam Guide (2022) is designed to make certification prep easy and effective.

Preview (31 of 1361 Pages)




Praise for CISSP® All-in-One Exam Guide

Fernando's latest update to the CISSP All-In-One Exam Guide continues the tradition started in past collaborations with Shon Harris of breaking down key concepts and critical skills in a way that prepares the reader for the exam. Once again the material proves to be not only a vital asset to exam preparation but a valued resource reference for use well after the exam has been passed.
Stefanie Keuser, CISSP, Chief Information Officer, Military Officers Association of America

The CISSP All-in-One Exam Guide is the only book one needs to pass the CISSP exam. Fernando Maymí is not just an author, he is a leader in the cybersecurity industry. His insight, knowledge, and expertise are reflected in the content provided in this book. The book will not only give you what you need to pass the exam, it can also be used to help you further your career in cybersecurity.
Marc Coady, CISSP, Compliance Analyst, Costco Wholesale

A must-have reference for any cyber security practitioner, this book provides invaluable practical knowledge on the increasingly complex universe of security concepts, controls, and best practices necessary to do business in today's world.
Steve Zalewski, Former Chief Information Security Officer, Levi Strauss & Co.

Shon Harris put the CISSP certification on the map with this golden bible of the CISSP. Fernando Maymí carries that legacy forward beautifully with clarity, accuracy, and balance. I am sure that Shon would be proud.
David R. Miller, CISSP, CCSP, GIAC GISP GSEC GISF, PCI QSA, LPT, ECSA, CEH, CWNA, CCNA, SME, MCT, MCIT Pro EA, MCSE: Security, CNE, Security+, etc.


An excellent reference. Written clearly and concisely, this book is invaluable to students, educators, and practitioners alike.
Dr. Joe Adams, Founder and Executive Director, Michigan Cyber Range

A lucid, enlightening, and comprehensive tour de force through the breadth of cybersecurity. Maymí and Harris are masters of the craft.
Dr. Greg Conti, Founder, Kopidion LLC

I wish I had found this book earlier in my career. It certainly was the single tool I used to pass the CISSP exam, but more importantly it has taught me about security from many aspects I did not even comprehend previously. I think the knowledge that I gained from this book is going to help me in many years to come. Terrific book and resource!
Janet Robinson, Chief Security Officer


ALL IN ONE CISSP® EXAM GUIDE


ABOUT THE AUTHORS

Fernando Maymí, PhD, CISSP, is a security practitioner with over 25 years' experience in the field. He is currently Vice President of Training at IronNet Cybersecurity, where, besides developing cyber talent for the company, its partners, and customers, he has led teams providing strategic consultancy, security assessments, red teaming, and cybersecurity exercises around the world. Previously, he led advanced research and development projects at the intersection of artificial intelligence and cybersecurity, stood up the U.S. Army's think tank for strategic cybersecurity issues, and was a West Point faculty member for over 12 years. Fernando worked closely with Shon Harris, advising her on a multitude of projects, including the sixth edition of the CISSP All-in-One Exam Guide.

Shon Harris, CISSP, was the founder and CEO of Shon Harris Security LLC and Logical Security LLC, a security consultant, a former engineer in the Air Force's Information Warfare unit, an instructor, and an author. Shon owned and ran her own training and consulting companies for 13 years prior to her death in 2014. She consulted with Fortune 100 corporations and government agencies on extensive security issues. She authored three best-selling CISSP books, was a contributing author to Gray Hat Hacking: The Ethical Hacker's Handbook and Security Information and Event Management (SIEM) Implementation, and a technical editor for Information Security Magazine.

About the Contributor/Technical Editor

Bobby E. Rogers is an information security engineer working as a contractor for Department of Defense agencies, helping to secure, certify, and accredit their information systems. His duties include information system security engineering, risk management, and certification and accreditation efforts. He retired after 21 years in the U.S. Air Force, serving as a network security engineer and instructor, and has secured networks all over the world. Bobby has a master's degree in information assurance (IA) and is pursuing a doctoral degree in cybersecurity from Capitol Technology University in Maryland. His many certifications include CISSP-ISSEP, CEH, and MCSE: Security, as well as the CompTIA A+, Network+, Security+, and Mobility+ certifications.


ALL IN ONE CISSP® EXAM GUIDE
Ninth Edition

Fernando Maymí
Shon Harris

New York  Chicago  San Francisco  Athens  London  Madrid  Mexico City  Milan  New Delhi  Singapore  Sydney  Toronto

McGraw Hill is an independent entity from (ISC)²® and is not affiliated with (ISC)² in any manner. This study/training guide and/or material is not sponsored by, endorsed by, or affiliated with (ISC)² in any manner. This publication and accompanying media may be used in assisting students to prepare for the CISSP exam. Neither (ISC)² nor McGraw Hill warrants that use of this publication and accompanying media will ensure passing any exam. (ISC)²®, CISSP®, CAP®, ISSAP®, ISSEP®, ISSMP®, SSCP® and CBK® are trademarks or registered trademarks of (ISC)² in the United States and certain other countries. All other trademarks are trademarks of their respective owners.


Copyright © 2022 by McGraw Hill. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

ISBN: 978-1-26-046736-9
MHID: 1-26-046736-8

The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-046737-6, MHID: 1-26-046737-6.

eBook conversion by codeMantra
Version 1.0

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.

Information has been obtained by McGraw Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw Hill, or others, McGraw Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education's prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED "AS IS." McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.


We dedicate this book to all those who have served others selflessly.




CONTENTS AT A GLANCE

Part I  Security and Risk Management
Chapter 1  Cybersecurity Governance ... 3
Chapter 2  Risk Management ... 53
Chapter 3  Compliance ... 125
Chapter 4  Frameworks ... 171

Part II  Asset Security
Chapter 5  Assets ... 213
Chapter 6  Data Security ... 253

Part III  Security Architecture and Engineering
Chapter 7  System Architectures ... 283
Chapter 8  Cryptology ... 317
Chapter 9  Security Architectures ... 385
Chapter 10  Site and Facility Security ... 417

Part IV  Communication and Network Security
Chapter 11  Networking Fundamentals ... 469
Chapter 12  Wireless Networking ... 559
Chapter 13  Securing the Network ... 597
Chapter 14  Network Components ... 643
Chapter 15  Secure Communications Channels ... 681

Part V  Identity and Access Management
Chapter 16  Identity and Access Fundamentals ... 715
Chapter 17  Managing Identities and Access ... 765


Part VI  Security Assessment and Testing
Chapter 18  Security Assessments ... 813
Chapter 19  Measuring Security ... 851

Part VII  Security Operations
Chapter 20  Managing Security Operations ... 885
Chapter 21  Security Operations ... 939
Chapter 22  Security Incidents ... 989
Chapter 23  Disasters ... 1029

Part VIII  Software Development Security
Chapter 24  Software Development ... 1079
Chapter 25  Secure Software ... 1117

Appendix A  Comprehensive Questions ... 1155
Appendix B  Objective Map ... 1209
Appendix C  About the Online Content ... 1225
Glossary ... 1231
Index ... 1253


CONTENTS

From the Author ... xxix
Acknowledgments ... xxxiii
Why Become a CISSP? ... xxxv

Part I  Security and Risk Management

Chapter 1  Cybersecurity Governance ... 3
    Fundamental Cybersecurity Concepts and Terms ... 4
        Confidentiality ... 5
        Integrity ... 5
        Availability ... 6
        Authenticity ... 6
        Nonrepudiation ... 6
        Balanced Security ... 7
        Other Security Terms ... 8
    Security Governance Principles ... 10
        Aligning Security to Business Strategy ... 13
        Organizational Processes ... 17
        Organizational Roles and Responsibilities ... 18
    Security Policies, Standards, Procedures, and Guidelines ... 25
        Security Policy ... 27
        Standards ... 29
        Baselines ... 31
        Guidelines ... 32
        Procedures ... 32
        Implementation ... 32
    Personnel Security ... 33
        Candidate Screening and Hiring ... 35
        Employment Agreements and Policies ... 36
        Onboarding, Transfers, and Termination Processes ... 37
        Vendors, Consultants, and Contractors ... 39
        Compliance Policies ... 39
        Privacy Policies ... 40
    Security Awareness, Education, and Training Programs ... 40
        Degree or Certification? ... 40
        Methods and Techniques to Present Awareness and Training ... 41


        Periodic Content Reviews ... 43
        Program Effectiveness Evaluation ... 43
    Professional Ethics ... 44
        (ISC)² Code of Professional Ethics ... 44
        Organizational Code of Ethics ... 45
        The Computer Ethics Institute ... 45
    Chapter Review ... 46
        Quick Review ... 46
        Questions ... 48
        Answers ... 51

Chapter 2  Risk Management ... 53
    Risk Management Concepts ... 53
        Holistic Risk Management ... 54
        Information Systems Risk Management Policy ... 56
        The Risk Management Team ... 56
        The Risk Management Process ... 57
        Overview of Vulnerabilities and Threats ... 58
        Identifying Threats and Vulnerabilities ... 62
    Assessing Risks ... 63
        Asset Valuation ... 65
        Risk Assessment Teams ... 66
        Methodologies for Risk Assessment ... 67
        Risk Analysis Approaches ... 72
        Qualitative Risk Analysis ... 76
    Responding to Risks ... 79
        Total Risk vs. Residual Risk ... 81
        Countermeasure Selection and Implementation ... 81
        Types of Controls ... 83
        Control Assessments ... 88
    Monitoring Risks ... 91
        Effectiveness Monitoring ... 91
        Change Monitoring ... 92
        Compliance Monitoring ... 93
        Risk Reporting ... 94
        Continuous Improvement ... 95
    Supply Chain Risk Management ... 96
        Upstream and Downstream Suppliers ... 98
        Risks Associated with Hardware, Software, and Services ... 98
        Other Third-Party Risks ... 99
        Minimum Security Requirements ... 100
        Service Level Agreements ... 101
    Business Continuity ... 101
        Standards and Best Practices ... 104
        Making BCM Part of the Enterprise Security Program ... 106
        Business Impact Analysis ... 108


    Chapter Review ... 116
        Quick Review ... 116
        Questions ... 118
        Answers ... 121

Chapter 3  Compliance ... 125
    Laws and Regulations ... 125
        Types of Legal Systems ... 126
        Common Law Revisited ... 129
    Cybercrimes and Data Breaches ... 130
        Complexities in Cybercrime ... 132
        The Evolution of Attacks ... 134
        International Issues ... 138
        Data Breaches ... 139
        Import/Export Controls ... 145
        Transborder Data Flow ... 146
        Privacy ... 147
    Licensing and Intellectual Property Requirements ... 147
        Trade Secret ... 148
        Copyright ... 149
        Trademark ... 150
        Patent ... 151
        Internal Protection of Intellectual Property ... 152
        Software Piracy ... 153
    Compliance Requirements ... 155
        Contractual, Legal, Industry Standards, and Regulatory Requirements ... 156
        Privacy Requirements ... 158
        Liability and Its Ramifications ... 158
    Requirements for Investigations ... 161
        Administrative ... 161
        Criminal ... 162
        Civil ... 162
        Regulatory ... 162
    Chapter Review ... 162
        Quick Review ... 163
        Questions ... 165
        Answers ... 168

Chapter 4  Frameworks ... 171
    Overview of Frameworks ... 171
    Risk Frameworks ... 173
        NIST RMF ... 173
        ISO/IEC 27005 ... 177
        OCTAVE ... 178
        FAIR ... 179


    Information Security Frameworks ... 179
        Security Program Frameworks ... 180
        Security Control Frameworks ... 183
    Enterprise Architecture Frameworks ... 189
        Why Do We Need Enterprise Architecture Frameworks? ... 191
        Zachman Framework ... 192
        The Open Group Architecture Framework ... 194
        Military-Oriented Architecture Frameworks ... 195
    Other Frameworks ... 196
        ITIL ... 196
        Six Sigma ... 197
        Capability Maturity Model ... 197
    Putting It All Together ... 199
    Chapter Review ... 203
        Quick Review ... 203
        Questions ... 205
        Answers ... 208

Part II  Asset Security

Chapter 5  Assets ... 213
    Information and Assets ... 214
        Identification ... 214
        Classification ... 215
    Physical Security Considerations ... 220
        Protecting Mobile Devices ... 220
        Paper Records ... 221
        Safes ... 221
    Managing the Life Cycle of Assets ... 222
        Ownership ... 223
        Inventories ... 224
        Secure Provisioning ... 227
        Asset Retention ... 228
    Data Life Cycle ... 230
        Data Acquisition ... 230
        Data Storage ... 232
        Data Use ... 237
        Data Sharing ... 238
        Data Archival ... 239
        Data Destruction ... 240
        Data Roles ... 244
    Chapter Review ... 245
        Quick Review ... 245
        Questions ... 247
        Answers ... 250


Chapter 6  Data Security ... 253
    Data Security Controls ... 253
        Data States ... 254
        Standards ... 258
        Scoping and Tailoring ... 258
    Data Protection Methods ... 258
        Digital Asset Management ... 261
        Digital Rights Management ... 263
        Data Loss Prevention ... 265
        Cloud Access Security Broker ... 275
    Chapter Review ... 276
        Quick Review ... 276
        Questions ... 277
        Answers ... 279

Part III  Security Architecture and Engineering

Chapter 7  System Architectures ... 283
    General System Architectures ... 283
        Client-Based Systems ... 284
        Server-Based Systems ... 284
        Database Systems ... 285
        High-Performance Computing Systems ... 288
    Industrial Control Systems ... 289
        Devices ... 291
        Distributed Control System ... 293
        Supervisory Control and Data Acquisition ... 294
        ICS Security ... 294
    Virtualized Systems ... 296
        Virtual Machines ... 296
        Containerization ... 298
        Microservices ... 299
        Serverless ... 299
    Cloud-Based Systems ... 301
        Software as a Service ... 302
        Platform as a Service ... 303
        Infrastructure as a Service ... 304
        Everything as a Service ... 304
        Cloud Deployment Models ... 305
    Pervasive Systems ... 305
        Embedded Systems ... 306
        Internet of Things ... 306
    Distributed Systems ... 307
        Edge Computing Systems ... 308

    Chapter Review  310
        Quick Review  310
        Questions  311
        Answers  314

Chapter 8  Cryptology  317
    The History of Cryptography  317
    Cryptography Definitions and Concepts  321
        Cryptosystems  323
        Kerckhoffs’ Principle  324
        The Strength of the Cryptosystem  325
        One-Time Pad  325
        Cryptographic Life Cycle  328
    Cryptographic Methods  328
        Symmetric Key Cryptography  329
        Asymmetric Key Cryptography  335
        Elliptic Curve Cryptography  342
        Quantum Cryptography  344
        Hybrid Encryption Methods  346
    Integrity  351
        Hashing Functions  351
        Message Integrity Verification  354
    Public Key Infrastructure  359
        Digital Certificates  359
        Certificate Authorities  360
        Registration Authorities  362
        PKI Steps  362
        Key Management  364
    Attacks Against Cryptography  367
        Key and Algorithm Attacks  367
        Implementation Attacks  370
        Other Attacks  372
    Chapter Review  375
        Quick Review  376
        Questions  379
        Answers  381

Chapter 9  Security Architectures  385
    Threat Modeling  385
        Attack Trees  386
        STRIDE  387
        The Lockheed Martin Cyber Kill Chain  387
        The MITRE ATT&CK Framework  389
        Why Bother with Threat Modeling  389

    Secure Design Principles  390
        Defense in Depth  390
        Zero Trust  392
        Trust But Verify  392
        Shared Responsibility  392
        Separation of Duties  393
        Least Privilege  394
        Keep It Simple  395
        Secure Defaults  396
        Fail Securely  396
        Privacy by Design  397
    Security Models  397
        Bell-LaPadula Model  398
        Biba Model  399
        Clark-Wilson Model  400
        Noninterference Model  400
        Brewer and Nash Model  402
        Graham-Denning Model  402
        Harrison-Ruzzo-Ullman Model  402
    Security Requirements  404
    Security Capabilities of Information Systems  404
        Trusted Platform Module  404
        Hardware Security Module  406
        Self-Encrypting Drive  407
        Bus Encryption  407
        Secure Processing  408
    Chapter Review  411
        Quick Review  412
        Questions  413
        Answers  415

Chapter 10  Site and Facility Security  417
    Site and Facility Design  417
        Security Principles  418
        The Site Planning Process  423
        Crime Prevention Through Environmental Design  427
        Designing a Physical Security Program  433
    Site and Facility Controls  441
        Work Area Security  441
        Data Processing Facilities  443
        Distribution Facilities  446
        Storage Facilities  447
        Utilities  448
        Fire Safety  454
        Environmental Issues  461

    Chapter Review  461
        Quick Review  461
        Questions  463
        Answers  465

Part IV  Communication and Network Security

Chapter 11  Networking Fundamentals  469
    Data Communications Foundations  469
        Network Reference Models  470
        Protocols  471
        Application Layer  474
        Presentation Layer  475
        Session Layer  477
        Transport Layer  479
        Network Layer  480
        Data Link Layer  480
        Physical Layer  483
        Functions and Protocols in the OSI Model  483
        Tying the Layers Together  485
    Local Area Networks  487
        Network Topology  487
        Medium Access Control Mechanisms  489
        Layer 2 Protocols  494
        Transmission Methods  499
        Layer 2 Security Standards  500
    Internet Protocol Networking  502
        TCP  503
        IP Addressing  510
        IPv6  512
        Address Resolution Protocol  515
        Dynamic Host Configuration Protocol  517
        Internet Control Message Protocol  520
        Simple Network Management Protocol  522
        Domain Name Service  524
        Network Address Translation  531
        Routing Protocols  533
    Intranets and Extranets  537
    Metropolitan Area Networks  538
        Metro Ethernet  539
    Wide Area Networks  540
        Dedicated Links  541
        WAN Technologies  543

    Chapter Review  552
        Quick Review  553
        Questions  555
        Answers  557

Chapter 12  Wireless Networking  559
    Wireless Communications Techniques  559
        Spread Spectrum  561
        Orthogonal Frequency Division Multiplexing  563
    Wireless Networking Fundamentals  564
        WLAN Components  564
        WLAN Standards  565
        Other Wireless Network Standards  568
        Other Important Standards  573
    Evolution of WLAN Security  574
        802.11  575
        802.11i  576
        802.11w  578
        WPA3  578
        802.1X  579
    Best Practices for Securing WLANs  582
    Mobile Wireless Communication  582
        Multiple Access Technologies  584
        Generations of Mobile Wireless  585
    Satellites  588
    Chapter Review  590
        Quick Review  590
        Questions  592
        Answers  594

Chapter 13  Securing the Network  597
    Applying Secure Design Principles to Network Architectures  597
    Secure Networking  599
        Link Encryption vs. End-to-End Encryption  600
        TLS  602
        VPN  605
    Secure Protocols  611
        Web Services  611
        Domain Name System  616
        Electronic Mail  621
    Multilayer Protocols  626
        Distributed Network Protocol 3  626
        Controller Area Network Bus  627
        Modbus  627

    Converged Protocols  627
        Encapsulation  628
        Fiber Channel over Ethernet  628
        Internet Small Computer Systems Interface  629
    Network Segmentation  629
        VLANs  630
        Virtual eXtensible Local Area Network  632
        Software-Defined Networks  632
        Software-Defined Wide Area Network  635
    Chapter Review  635
        Quick Review  636
        Questions  638
        Answers  640

Chapter 14  Network Components  643
    Transmission Media  643
        Types of Transmission  644
        Cabling  648
        Bandwidth and Throughput  654
    Network Devices  655
        Repeaters  655
        Bridges  656
        Switches  657
        Routers  660
        Gateways  662
        Proxy Servers  663
        PBXs  665
        Network Access Control Devices  667
        Network Diagramming  668
        Operation of Hardware  670
    Endpoint Security  673
    Content Distribution Networks  674
    Chapter Review  674
        Quick Review  675
        Questions  677
        Answers  678

Chapter 15  Secure Communications Channels  681
    Voice Communications  682
        Public Switched Telephone Network  682
        DSL  683
        ISDN  685
        Cable Modems  686
        IP Telephony  687

    Multimedia Collaboration  693
        Meeting Applications  694
        Unified Communications  695
    Remote Access  696
        VPN  697
        Desktop Virtualization  699
        Secure Shell  701
    Data Communications  702
        Network Sockets  703
        Remote Procedure Calls  703
    Virtualized Networks  704
    Third-Party Connectivity  705
    Chapter Review  707
        Quick Review  707
        Questions  709
        Answers  711

Part V  Identity and Access Management

Chapter 16  Identity and Access Fundamentals  715
    Identification, Authentication, Authorization, and Accountability  715
        Identification and Authentication  718
        Knowledge-Based Authentication  720
        Biometric Authentication  723
        Ownership-Based Authentication  729
    Credential Management  736
        Password Managers  736
        Password Synchronization  737
        Self-Service Password Reset  737
        Assisted Password Reset  738
        Just-in-Time Access  738
        Registration and Proofing of Identity  738
        Profile Update  740
        Session Management  740
        Accountability  741
    Identity Management  745
        Directory Services  747
        Directories’ Role in Identity Management  748
        Single Sign-On  750
        Federated Identity Management  752
    Federated Identity with a Third-Party Service  754
        Integration Issues  754
        On-Premise  755
        Cloud  756
        Hybrid  756

    Chapter Review  756
        Quick Review  757
        Questions  759
        Answers  762

Chapter 17  Managing Identities and Access  765
    Authorization Mechanisms  765
        Discretionary Access Control  766
        Mandatory Access Control  768
        Role-Based Access Control  771
        Rule-Based Access Control  774
        Attribute-Based Access Control  774
        Risk-Based Access Control  775
    Implementing Authentication and Authorization Systems  776
        Access Control and Markup Languages  776
        OAuth  782
        OpenID Connect  783
        Kerberos  784
        Remote Access Control Technologies  789
    Managing the Identity and Access Provisioning Life Cycle  795
        Provisioning  796
        Access Control  796
        Compliance  796
        Configuration Management  799
        Deprovisioning  800
    Controlling Physical and Logical Access  801
        Information Access Control  801
        System and Application Access Control  802
        Access Control to Devices  802
        Facilities Access Control  802
    Chapter Review  804
        Quick Review  804
        Questions  805
        Answers  808

Part VI  Security Assessment and Testing

Chapter 18  Security Assessments  813
    Test, Assessment, and Audit Strategies  813
        Designing an Assessment  814
        Validating an Assessment  815
    Testing Technical Controls  817
        Vulnerability Testing  817
        Other Vulnerability Types  819
        Penetration Testing  822
        Red Teaming  827

        Breach Attack Simulations  828
        Log Reviews  828
        Synthetic Transactions  832
        Code Reviews  833
        Code Testing  834
        Misuse Case Testing  835
        Test Coverage  837
        Interface Testing  837
        Compliance Checks  838
    Conducting Security Audits  838
        Internal Audits  840
        External Audits  842
        Third-Party Audits  843
    Chapter Review  844
        Quick Review  845
        Questions  846
        Answers  848

Chapter 19  Measuring Security  851
    Quantifying Security  851
        Security Metrics  853
        Key Performance and Risk Indicators  855
    Security Process Data  857
        Account Management  858
        Backup Verification  860
        Security Training and Security Awareness Training  863
        Disaster Recovery and Business Continuity  867
    Reporting  869
        Analyzing Results  870
        Writing Technical Reports  872
        Executive Summaries  873
    Management Review and Approval  875
        Before the Management Review  876
        Reviewing Inputs  876
        Management Approval  877
    Chapter Review  877
        Quick Review  878
        Questions  879
        Answers  881

Part VII  Security Operations

Chapter 20  Managing Security Operations  885
    Foundational Security Operations Concepts  885
        Accountability  887
        Need-to-Know/Least Privilege  888

        Separation of Duties and Responsibilities  888
        Privileged Account Management  889
        Job Rotation  889
        Service Level Agreements  890
    Change Management  891
        Change Management Practices  891
        Change Management Documentation  893
    Configuration Management  893
        Baselining  894
        Provisioning  894
        Automation  895
    Resource Protection  895
        System Images  896
        Source Files  896
        Backups  896
    Vulnerability and Patch Management  900
        Vulnerability Management  900
        Patch Management  903
    Physical Security  906
        External Perimeter Security Controls  906
        Facility Access Control  916
        Internal Security Controls  924
        Personnel Access Controls  924
        Intrusion Detection Systems  925
        Auditing Physical Access  929
    Personnel Safety and Security  929
        Travel  930
        Security Training and Awareness  930
        Emergency Management  931
        Duress  931
    Chapter Review  932
        Quick Review  932
        Questions  934
        Answers  937

Chapter 21  Security Operations  939
    The Security Operations Center  939
        Elements of a Mature SOC  940
        Threat Intelligence  941
    Preventive and Detective Measures  944
        Firewalls  945
        Intrusion Detection and Prevention Systems  967
        Antimalware Software  969
        Sandboxing  972
        Outsourced Security Services  973
        Honeypots and Honeynets  974
        Artificial Intelligence Tools  976

  Logging and Monitoring  978
    Log Management  978
    Security Information and Event Management  979
    Egress Monitoring  981
    User and Entity Behavior Analytics  981
    Continuous Monitoring  981
  Chapter Review  982
    Quick Review  983
    Questions  984
    Answers  986

Chapter 22  Security Incidents  989
  Overview of Incident Management  989
    Detection  995
    Response  996
    Mitigation  996
    Reporting  997
    Recovery  998
    Remediation  999
    Lessons Learned  999
  Incident Response Planning  1000
    Roles and Responsibilities  1000
    Incident Classification  1002
    Notifications  1003
    Operational Tasks  1004
    Runbooks  1006
  Investigations  1006
    Motive, Opportunity, and Means  1007
    Computer Criminal Behavior  1008
    Evidence Collection and Handling  1008
    What Is Admissible in Court?  1013
    Digital Forensics Tools, Tactics, and Procedures  1015
    Forensic Investigation Techniques  1016
    Other Investigative Techniques  1018
    Forensic Artifacts  1020
    Reporting and Documenting  1021
  Chapter Review  1022
    Quick Review  1022
    Questions  1024
    Answers  1026

Chapter 23  Disasters  1029
  Recovery Strategies  1029
    Business Process Recovery  1033
    Data Backup  1034
    Documentation  1041
    Human Resources  1042

    Recovery Site Strategies  1043
    Availability  1049
  Disaster Recovery Processes  1053
    Response  1055
    Personnel  1055
    Communications  1056
    Assessment  1058
    Restoration  1058
    Training and Awareness  1060
    Lessons Learned  1061
    Testing Disaster Recovery Plans  1061
  Business Continuity  1065
    BCP Life Cycle  1065
    Information Systems Availability  1067
    End-User Environment  1071
  Chapter Review  1071
    Quick Review  1072
    Questions  1073
    Answers  1075

Part VIII  Software Development Security

Chapter 24  Software Development  1079
  Software Development Life Cycle  1079
    Project Management  1081
    Requirements Gathering Phase  1082
    Design Phase  1083
    Development Phase  1087
    Testing Phase  1089
    Operations and Maintenance Phase  1091
  Development Methodologies  1095
    Waterfall Methodology  1095
    Prototyping  1096
    Incremental Methodology  1096
    Spiral Methodology  1098
    Rapid Application Development  1099
    Agile Methodologies  1100
    DevOps  1103
    DevSecOps  1104
    Other Methodologies  1104
  Maturity Models  1106
    Capability Maturity Model Integration  1107
    Software Assurance Maturity Model  1109

  Chapter Review  1110
    Quick Review  1110
    Questions  1112
    Answers  1114

Chapter 25  Secure Software  1117
  Programming Languages and Concepts  1118
    Assemblers, Compilers, Interpreters  1120
    Runtime Environments  1122
    Object-Oriented Programming Concepts  1124
    Cohesion and Coupling  1130
    Application Programming Interfaces  1132
    Software Libraries  1132
  Secure Software Development  1133
    Source Code Vulnerabilities  1133
    Secure Coding Practices  1134
  Security Controls for Software Development  1136
    Development Platforms  1137
    Tool Sets  1138
    Application Security Testing  1139
    Continuous Integration and Delivery  1140
    Security Orchestration, Automation, and Response  1141
    Software Configuration Management  1142
    Code Repositories  1143
  Software Security Assessments  1144
    Risk Analysis and Mitigation  1144
    Change Management  1145
  Assessing the Security of Acquired Software  1145
    Commercial Software  1146
    Open-Source Software  1146
    Third-Party Software  1147
    Managed Services  1148
  Chapter Review  1148
    Quick Review  1148
    Questions  1150
    Answers  1152

Appendix A  Comprehensive Questions  1155
  Answers  1189

Appendix B  Objective Map  1209

Appendix C  About the Online Content  1225
  System Requirements  1225
  Your Total Seminars Training Hub Account  1225
    Privacy Notice  1225

  Single User License Terms and Conditions  1225
  TotalTester Online  1227
  Graphical Questions  1227
  Online Flash Cards  1228
    Single User License Terms and Conditions  1228
  Technical Support  1229

Glossary  1231

Index  1253

FROM THE AUTHOR

Thank you for investing your resources in this ninth edition of the CISSP All-in-One Exam Guide. I am confident you'll find it helpful, not only as you prepare for the CISSP exam, but as a reference in your future professional endeavors. That was one of the overarching goals of Shon Harris when she wrote the first six editions and is something I've strived to uphold in the last three. It is not always easy, but I think you'll be pleased with how we've balanced these two requirements.

(ISC)² does a really good job of grounding the CISSP Common Body of Knowledge (CBK) in real-world applications, but (let's face it) there's always a lot of room for discussion and disagreements. There are very few topics in cybersecurity (or pretty much any other field) on which there is universal agreement. To balance the content of this book between exam preparation and the murkiness of real-world applications, we've included plenty of comments and examples drawn from our experiences.

I say "our experiences" deliberately because the voice of Shon remains vibrant, informative, and entertaining in this edition, years after her passing. I've preserved as many of her insights as possible while ensuring the content is up to date and relevant. I also strove to maintain the conversational tone that was such a hallmark of her work. The result is a book that (I hope) reads more like an essay (or even a story) than a textbook but is grounded in good pedagogy. It should be easy to read but still prepare you for the exam.

Speaking of the exam, the changes that (ISC)² made to the CBK in 2021 are not dramatic but are still significant. Each domain was tweaked in some way, and seven of the eight domains had multiple topics added (domain 1 was the exception here). These changes, coupled with the number of topics that were growing stale in the eighth edition of this book, prompted me to completely restructure this edition. I tore each domain and topic down to atomic particles and then re-engineered the entire book to integrate the new objectives, which are listed in Table 1.

Table 1  CBK 2021: New Objectives (continued)

Domain 2: Asset Security
  2.4    Manage data lifecycle
  2.4.1  Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
  2.4.3  Data location
  2.4.4  Data maintenance
  2.5    Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))

Domain 3: Security Architecture and Engineering
  (Under 3.7 Understand methods of cryptanalytic attacks)
  3.7.1  Brute force
  3.7.4  Frequency analysis