Table of Contents
Introduction
The Goals of the CISSP Certification
Sponsoring Bodies
Stated Goals
The Value of the CISSP Certification
To the Security Professional
To the Enterprise
The Common Body of Knowledge
Security and Risk Management (e.g. Security, Risk, Compliance, Law, Regulations, Business Continuity)
Asset Security (Protecting Security of Assets)
Security Engineering (Engineering and Management of Security)
Communication and Network Security (Designing and Protecting Network Security)
Identity and Access Management (Controlling Access and Managing Identity)
Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
Security Operations (e.g. Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
Software Development Security (Understanding, Applying, and Enforcing Software Security)
Steps to Becoming a CISSP
Qualifying for the Exam
Signing Up for the Exam
About the CISSP Exam
Chapter 1 Security and Risk Management
Security Terms
CIA
Confidentiality
Integrity
Availability
Default Stance
Defense in Depth
Job Rotation
Separation of Duties
Security Governance Principles
Security Function Alignment
Organizational Strategy and Goals
Organizational Mission and Objectives
Business Case
Security Budget, Metrics, and Effectiveness
Resources
Organizational Processes
Acquisitions and Divestitures
Governance Committees
Security Roles and Responsibilities
Board of Directors
Management
Audit Committee
Data Owner
Data Custodian
System Owner
System Administrator
Security Administrator
Security Analyst
Application Owner
Supervisor
User
Auditor
Control Frameworks
ISO/IEC 27000 Series
Zachman Framework
The Open Group Architecture Framework (TOGAF)
Department of Defense Architecture Framework (DoDAF)
British Ministry of Defence Architecture Framework (MODAF)
Sherwood Applied Business Security Architecture (SABSA)
Control Objectives for Information and Related Technology (COBIT)
National Institute of Standards and Technology (NIST) Special Publication (SP)
Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
Information Technology Infrastructure Library (ITIL)
Six Sigma
Capability Maturity Model Integration (CMMI)
CCTA Risk Analysis and Management Method (CRAMM)
Top-Down Versus Bottom-Up Approach
Security Program Life Cycle
Due Care
Due Diligence
Compliance
Legislative and Regulatory Compliance
Privacy Requirements Compliance
Legal and Regulatory Issues
Computer Crime Concepts
Computer-Assisted Crime
Computer-Targeted Crime
Incidental Computer Crime
Computer Prevalence Crime
Hackers Versus Crackers
Computer Crime Examples
Major Legal Systems
Civil Code Law
Common Law
Criminal Law
Civil/Tort Law
Administrative/Regulatory Law
Customary Law
Religious Law
Mixed Law
Licensing and Intellectual Property
Patent
Trade Secret
Trademark
Copyright
Software Piracy and Licensing Issues
Internal Protection
Digital Rights Management (DRM)
Import/Export Controls
Trans-Border Data Flow
Privacy
Personally Identifiable Information (PII)
Laws and Regulations
Data Breaches
Professional Ethics
(ISC)² Code of Ethics
Computer Ethics Institute
Internet Architecture Board
Organizational Ethics
Security Documentation
Policies
Organizational Security Policy
System-Specific Security Policy
Issue-Specific Security Policy
Policy Categories
Standards
Baselines
Guidelines
Procedures
Business Continuity
Business Continuity and Disaster Recovery Concepts
Disruptions
Disasters
Disaster Recovery and the Disaster Recovery Plan (DRP)
Continuity Planning and the Business Continuity Plan (BCP)
Business Impact Analysis (BIA)
Contingency Plan
Availability
Reliability
Project Scope and Plan
Personnel Components
Project Scope
Business Continuity Steps
Business Impact Analysis Development
Identify Critical Processes and Resources
Identify Outage Impacts, and Estimate Downtime
Identify Resource Requirements
Identify Recovery Priorities
Recoverability
Fault Tolerance
Personnel Security Policies
Employment Candidate Screening
Employment Agreement and Policies
Employment Termination Policies
Vendor, Consultant, and Contractor Controls
Compliance
Privacy
Risk Management Concepts
Vulnerability
Threat
Threat Agent
Risk
Exposure
Countermeasure
Risk Management Policy
Risk Management Team
Risk Analysis Team
Risk Assessment
Information and Asset (Tangible/Intangible) Value and Costs
Identify Threats and Vulnerabilities
Risk Assessment/Analysis
Countermeasure (Safeguard) Selection
Total Risk Versus Residual Risk
Handling Risk
Implementation
Access Control Categories
Compensative
Corrective
Detective
Deterrent
Directive
Preventive
Recovery
Access Control Types
Administrative (Management) Controls
Logical (Technical) Controls
Physical Controls
Control Assessment, Monitoring, and Measurement
Reporting and Continuous Improvement
Risk Frameworks
Threat Modeling
Identifying Threats
Potential Attacks
Remediation Technologies and Processes
Security Risks in Acquisitions
Hardware, Software, and Services
Third-Party Governance
Onsite Assessment
Document Exchange/Review
Process/Policy Review
Other Third-Party Governance Issues
Minimum Security Requirements
Minimum Service-Level Requirements
Security Education, Training, and Awareness
Levels Required
Periodic Review
Exam Preparation Tasks
Review All Key Topics
Complete the Tables and Lists from Memory
Define Key Terms
Answer Review Questions
Answers and Explanations
Chapter 2 Asset Security
Asset Security Concepts
Data Policy
Roles and Responsibilities
Data Owner
Data Custodian
Data Quality
Data Documentation and Organization
Classify Information and Assets
Sensitivity and Criticality
Commercial Business Classifications
Military and Government Classifications
Information Life Cycle
Databases
DBMS Architecture and Models
Database Interface Languages
Data Warehouses and Data Mining
Database Maintenance
Database Threats
Data Audit
Asset Ownership
Data Owners
System Owners
Business/Mission Owners
Asset Management
Redundancy and Fault Tolerance
Backup and Recovery Systems
Identity and Access Management
RAID
SAN
NAS
HSM
Network and Resource Management
Asset Privacy
Data Processors
Data Storage and Archiving
Data Remanence
Collection Limitation
Data Retention
Data Security and Controls
Data Security
Data at Rest
Data in Transit
Data Access and Sharing
Baselines
Scoping and Tailoring
Standards Selection
Cryptography
Link Encryption
End-to-End Encryption
Asset Handling Requirements
Marking, Labeling, and Storing
Destruction
Exam Preparation Tasks
Review All Key Topics
Complete the Tables and Lists from Memory
Define Key Terms
Answers and Explanations
Chapter 3 Security Engineering
Engineering Using Secure Design Principles
Security Model Concepts
Confidentiality, Integrity, and Availability
Security Modes
Dedicated Security Mode
System High Security Mode
Compartmented Security Mode
Multilevel Security Mode
Assurance
Defense in Depth
Security Model Types
State Machine Models
Multilevel Lattice Models
Matrix-Based Models
Non-inference Models
Information Flow Models
Security Models
Bell-LaPadula Model
Biba Model
Clark-Wilson Integrity Model
Lipner Model
Brewer-Nash (Chinese Wall) Model
Graham-Denning Model
Harrison-Ruzzo-Ullman Model
System Architecture Steps
ISO/IEC 42010:2011
Computing Platforms
Mainframe/Thin Clients
Distributed Systems
Middleware
Embedded Systems
Mobile Computing
Virtual Computing
Security Services
Boundary Control Services
Access Control Services
Integrity Services
Cryptography Services
Auditing and Monitoring Services
System Components
CPU and Multiprocessing
Memory and Storage
Input/Output Devices
Operating Systems
Multitasking
Memory Management
System Security Evaluation Models
TCSEC
Rainbow Series
Orange Book
Red Book
ITSEC
Common Criteria
Security Implementation Standards
ISO/IEC 27001
ISO/IEC 27002
Payment Card Industry Data Security Standard (PCI-DSS)
Controls and Countermeasures
Security Capabilities of Information Systems
Memory Protection
Virtualization
Trusted Platform Module (TPM)
Interfaces
Fault Tolerance
Certification and Accreditation
Security Architecture Maintenance
Vulnerabilities of Security Architectures, Designs, and Solution Elements
Client-Based
Server-Based
Data Flow Control
Database Security
Inference
Aggregation
Contamination
Data Mining Warehouse
Distributed Systems
Cloud Computing
Grid Computing
Peer-to-Peer Computing
Large-Scale Parallel Data Systems
Cryptographic Systems
Industrial Control Systems
Vulnerabilities in Web-Based Systems
Maintenance Hooks
Time-of-Check/Time-of-Use Attacks
Web-Based Attacks
XML
SAML
OWASP
Vulnerabilities in Mobile Systems
Vulnerabilities in Embedded Devices and Cyber-Physical Systems
Cryptography
Cryptography Concepts
Cryptographic Life Cycle
Cryptography History
Julius Caesar and the Caesar Cipher
Vigenere Cipher
Kerckhoffs's Principle
World War II Enigma
Lucifer by IBM
Cryptosystem Features
Authentication
Confidentiality
Integrity
Authorization
Non-repudiation
Key Management
Cryptographic Types
Running Key and Concealment Ciphers
Substitution Ciphers
Transposition Ciphers
Symmetric Algorithms
Stream-based Ciphers
Block Ciphers
Initialization Vectors (IVs)
Asymmetric Algorithms
Hybrid Ciphers
Substitution Ciphers
One-Time Pads
Steganography
Symmetric Algorithms
Data Encryption Standard (DES) and Triple DES (3DES)
DES Modes
Triple DES (3DES) and Modes
Advanced Encryption Standard (AES)
IDEA
Skipjack
Blowfish
Twofish
RC4/RC5/RC6
CAST
Asymmetric Algorithms
Diffie-Hellman
RSA
ElGamal
ECC
Knapsack
Zero Knowledge Proof
Public Key Infrastructure
Certification Authority (CA) and Registration Authority (RA)
OCSP
Certificates
Certificate Revocation List (CRL)
PKI Steps
Cross-Certification
Key Management Practices
Digital Signatures
Digital Rights Management (DRM)
Message Integrity
Hashing
One-Way Hash
MD2/MD4/MD5/MD6
SHA/SHA-2/SHA-3
HAVAL
RIPEMD-160
Tiger
Message Authentication Code
HMAC
CBC-MAC
CMAC
Salting
Cryptanalytic Attacks
Ciphertext-Only Attack
Known Plaintext Attack
Chosen Plaintext Attack
Chosen Ciphertext Attack
Social Engineering
Brute Force
Differential Cryptanalysis
Linear Cryptanalysis
Algebraic Attack
Frequency Analysis
Birthday Attack
Dictionary Attack
Replay Attack
Analytic Attack
Statistical Attack
Factoring Attack
Reverse Engineering
Meet-in-the-Middle Attack
Geographical Threats
Internal Versus External Threats
Natural Threats
Hurricanes/Tropical Storms
Tornadoes
Earthquakes
Floods
System Threats
Electrical
Communications
Utilities
Human-Caused Threats
Explosions
Fire
Vandalism
Fraud
Theft
Collusion
Politically Motivated Threats
Strikes
Riots
Civil Disobedience
Terrorist Acts
Bombing
Site and Facility Design
Layered Defense Model
CPTED
Natural Access Control
Natural Surveillance
Natural Territorial Reinforcement
Physical Security Plan
Deter Criminal Activity
Delay Intruders
Detect Intruders
Assess Situation
Respond to Intrusions and Disruptions
Facility Selection Issues
Visibility
Surrounding Area and External Entities
Accessibility
Construction
Internal Compartments
Computer and Equipment Rooms
Building and Internal Security
Doors
Door Lock Types
Turnstiles and Mantraps
Locks
Biometrics
Glass Entries
Visitor Control
Equipment Rooms
Work Areas
Secure Data Center
Restricted Work Area
Media Storage Facilities
Evidence Storage
Environmental Security
Fire Protection
Fire Detection
Fire Suppression
Power Supply
Types of Outages
Preventive Measures
HVAC
Water Leakage and Flooding
Environmental Alarms
Equipment Security
Corporate Procedures
Tamper Protection
Encryption
Inventory
Physical Protection of Security Devices
Tracking Devices
Portable Media Procedures
Safes, Vaults, and Locking
Exam Preparation Tasks
Review All Key Topics
Complete the Tables and Lists from Memory
Define Key Terms
Answer Review Questions
Answers and Explanations
Chapter 4 Communication and Network Security
Secure Network Design Principles
OSI Model
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
TCP/IP Model
Application Layer
Transport Layer
Internet Layer
Link Layer
Encapsulation
IP Networking
Common TCP/UDP Ports
Logical and Physical Addressing
IPv4
IP Classes
Public Versus Private IP Addresses
NAT
IPv4 Versus IPv6
MAC Addressing
Network Transmission
Analog Versus Digital
Asynchronous Versus Synchronous
Broadband Versus Baseband
Unicast, Multicast, and Broadcast
Wired Versus Wireless
Network Types
LAN
Intranet
Extranet
MAN
WAN
Protocols and Services
ARP
DHCP
DNS
FTP, FTPS, SFTP
HTTP, HTTPS, SHTTP
ICMP
IMAP
LDAP
NAT
NetBIOS
NFS
PAT
POP
CIFS/SMB
SMTP
SNMP
Multi-Layer Protocols
Converged Protocols
FCoE
MPLS
VoIP
iSCSI
Wireless Networks
FHSS, DSSS, OFDM, VOFDM, FDMA, TDMA, CDMA, OFDMA, and GSM
802.11 Techniques
Cellular or Mobile Wireless Techniques
Satellites
WLAN Structure
Access Point
SSID
Infrastructure Mode Versus Ad Hoc Mode
WLAN Standards
802.11
802.11a
802.11ac
802.11b
802.11f
802.11g
802.11n
Bluetooth
Infrared
Near Field Communication (NFC)
WLAN Security
Open System Authentication
Shared Key Authentication
WEP
WPA
WPA2
Personal Versus Enterprise
SSID Broadcast
MAC Filter
Communications Cryptography
Link Encryption
End-to-End Encryption
Email Security
PGP
MIME and S/MIME
Quantum Cryptography
Internet Security
Remote Access
SSL/TLS
HTTP, HTTPS, and S-HTTP
SET
Cookies
SSH
IPsec
Secure Network Components
Hardware
Network Devices
Network Routing
Transmission Media
Cabling
Network Topologies
Network Technologies
WAN Technologies
Network Access Control Devices
Quarantine/Remediation
Firewalls/Proxies
Endpoint Security
Content Distribution Networks
Secure Communication Channels
Voice
Multimedia Collaboration
Remote Meeting Technology
Instant Messaging
Remote Access
Remote Connection Technologies
VPN
Screen Scraper
Virtual Application/Desktop
Telecommuting
Virtualized Networks
SDN
Virtual SAN
Guest Operating Systems
Network Attacks
Cabling
Noise
Attenuation
Crosstalk
Eavesdropping
Network Component Attacks
Non-Blind Spoofing
Blind Spoofing
Man-in-the-Middle Attack
MAC Flooding Attack
802.1Q and Inter-Switch Link Protocol (ISL) Tagging Attack
Double-Encapsulated 802.1Q/Nested VLAN Attack
ARP Attack
ICMP Attacks
Ping of Death
Smurf
Fraggle
ICMP Redirect
Ping Scanning
Traceroute Exploitation
DNS Attacks
DNS Cache Poisoning
DoS
DDoS
DNSSEC
URL Hiding
Domain Grabbing
Cybersquatting
Email Attacks
Email Spoofing
Spear Phishing
Whaling
Spam
Wireless Attacks
Wardriving
Warchalking
Remote Attacks
Other Attacks
SYN ACK Attacks
Session Hijacking
Port Scanning
Teardrop
IP Address Spoofing
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Answer Review Questions
Answers and Explanations
Chapter 5 Identity and Access Management
Access Control Process
Identify Resources
Identify Users
Identify the Relationships Between Resources and Users
Physical and Logical Access to Assets
Access Control Administration
Centralized
Decentralized
Provisioning Life Cycle
Information
Systems
Devices
Facilities
Identification and Authentication Concepts
Five Factors for Authentication
Knowledge Factors
Ownership Factors
Characteristic Factors
Location Factors
Time Factors
Identification and Authentication Implementation
Separation of Duties
Least Privilege/Need-to-Know
Default to No Access
Directory Services
Single Sign-on
Kerberos
SESAME
Federated Identity Management
Security Domains
Session Management
Registration and Proof of Identity
Credential Management Systems
Accountability
Auditing and Reporting
Identity as a Service (IDaaS) Implementation
Third-Party Identity Services Implementation
Authorization Mechanisms
Access Control Models
Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
Rule-Based Access Control
Content-Dependent Versus Context-Dependent
Access Control Matrix
Access Control Policies
Access Control Threats
Password Threats
Dictionary Attack
Brute-Force Attack
Social Engineering Threats
Phishing/Pharming
Shoulder Surfing
Identity Theft
Dumpster Diving
DoS/DDoS
Buffer Overflow
Mobile Code
Malicious Software
Spoofing
Sniffing and Eavesdropping
Emanating
Backdoor/Trapdoor
Prevent or Mitigate Access Control Threats
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Answers and Explanations
Chapter 6 Security Assessment and Testing
Assessment and Testing Strategies
Security Control Testing
Vulnerability Assessment
Penetration Testing
Log Reviews
NIST SP 800-92
Synthetic Transactions
Code Review and Testing
Misuse Case Testing
Test Coverage Analysis
Interface Testing
Collect Security Process Data
NIST SP 800-137
Account Management
Management Review
Key Performance and Risk Indicators
Backup Verification Data
Training and Awareness
Disaster Recovery and Business Continuity
Analyze and Report Test Outputs
Internal and Third-Party Audits
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Answers and Explanations
Chapter 7 Security Operations
Investigations
Forensic and Digital Investigations
Identify Evidence
Preserve and Collect Evidence
Examine and Analyze Evidence
Present Findings
Decide
IOCE/SWGDE and NIST
Crime Scene
MOM
Chain of Custody
Interviewing
Evidence
Five Rules of Evidence
Types of Evidence
Surveillance, Search, and Seizure
Media Analysis
Software Analysis
Network Analysis
Hardware/Embedded Device Analysis
Investigation Types
Operations
Criminal
Civil
Regulatory
eDiscovery
Logging and Monitoring Activities
Audit and Review
Intrusion Detection and Prevention
Security Information and Event Management (SIEM)
Continuous Monitoring
Egress Monitoring
Resource Provisioning
Asset Inventory
Configuration Management
Physical Assets
Virtual Assets
Cloud Assets
Applications
Security Operations Concepts
Need to Know/Least Privilege
Managing Accounts, Groups, and Roles
Separation of Duties
Job Rotation
Sensitive Information Procedures
Record Retention
Monitor Special Privileges
Information Life Cycle
Service-Level Agreements
Resource Protection
Protecting Tangible and Intangible Assets
Facilities
Hardware
Software
Information Assets
Asset Management
Redundancy and Fault Tolerance
Backup and Recovery Systems
Identity and Access Management
Media Management
Media History
Media Labeling and Storage
Sanitizing and Disposing of Media
Network and Resource Management
Incident Management
Event Versus Incident
Incident Response Team and Incident Investigations
Rules of Engagement, Authorization, and Scope
Incident Response Procedures
Incident Response Management
Detect
Respond
Mitigate
Report
Recover
Remediate
Lessons Learned and Review
Preventive Measures
Clipping Levels
Deviations from Standards
Unusual or Unexplained Events
Unscheduled Reboots
Unauthorized Disclosure
Trusted Recovery
Trusted Paths
Input/Output Controls
System Hardening
Vulnerability Management Systems
IDS/IPS
Firewalls
Whitelisting/Blacklisting
Third-Party Security Services
Sandboxing
Honeypots/Honeynets
Anti-malware/Antivirus
Patch Management
Change Management Processes
Recovery Strategies
Redundant Systems, Facilities, and Power
Fault-Tolerance Technologies
Insurance
Data Backup
Fire Detection and Suppression
High Availability
Quality of Service
System Resilience
Create Recovery Strategies
Categorize Asset Recovery Priorities
Business Process Recovery
Facility Recovery
Supply and Technology Recovery
User Environment Recovery
Data Recovery
Training Personnel
Disaster Recovery
Response
Personnel
Damage Assessment Team
Legal Team
Media Relations Team
Recovery Team
Relocation Team
Restoration Team
Salvage Team
Security Team
Communications
Assessment
Restoration
Training and Awareness
Testing Recovery Plans
Read-Through Test
Checklist Test
Table-Top Exercise
Structured Walk-Through Test
Simulation Test
Parallel Test
Full-Interruption Test
Functional Drill
Evacuation Drill
Business Continuity Planning and Exercises
Physical Security
Perimeter Security
Gates and Fences
Perimeter Intrusion Detection
Lighting
Patrol Force
Access Control
Building and Internal Security
Personnel Privacy and Safety
Duress
Travel
Monitoring
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Answer Review Questions
Answers and Explanations
Chapter 8 Software Development Security
Software Development Concepts
Machine Languages
Assembly Languages and Assemblers
High-Level Languages, Compilers, and Interpreters
Object-Oriented Programming
Polymorphism
Polyinstantiation
Encapsulation
Cohesion
Coupling
Data Structures
Distributed Object-Oriented Systems
CORBA
COM and DCOM
OLE
Java
SOA
Mobile Code
Java Applets
ActiveX
Security in the System and Software Development Life Cycle
System Development Life Cycle
Initiate
Acquire/Develop
Implement
Operate/Maintain
Dispose
Software Development Life Cycle
Plan/Initiate Project
Gather Requirements
Design
Develop
Test/Validate
Release/Maintain
Certify/Accredit
Change Management and Configuration Management/Replacement
Software Development Methods and Maturity Models
Build and Fix
Waterfall
V-Shaped
Prototyping
Modified Prototype Model (MPM)
Incremental
Spiral
Agile
Rapid Application Development (RAD)
Joint Analysis Development (JAD)
Cleanroom
Structured Programming Development
Exploratory Model
Computer-Aided Software Engineering (CASE)
Component-Based Development
CMMI
ISO 9001:2015/90003:2014
Integrated Product Team
Security Controls in Development
Software Development Security Best Practices
WASC
OWASP
BSI
ISO/IEC 27000
Software Environment Security
Source Code Issues
Buffer Overflow
Escalation of Privileges
Backdoor
Rogue Programmers
Covert Channel
Object Reuse
Mobile Code
Time of Check/Time of Use (TOC/TOU)
Source Code Analysis Tools
Code Repository Security
Application Programming Interface Security
Software Threats
Malware
Malware Protection
Scanning Types
Security Policies
Software Protection Mechanisms
Assess Software Security Effectiveness
Auditing and Logging
Risk Analysis and Mitigation
Regression and Acceptance Testing
Security Impact of Acquired Software
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Answer Review Questions
Answers and Explanations
Glossary
Appendix A Memory Tables
Appendix B Memory Tables Answer Key
Index