CISSP Cert Guide

International Edition



About the Book

This is the eBook version of the print title. Note that the eBook does not provide access to the practice test software that accompanies the print book.

Learn, prepare, and practice for CISSP exam success with the CISSP Cert Guide from Pearson IT Certification, a leader in IT certification.

  • Master CISSP exam topics
  • Assess your knowledge with chapter-ending quizzes
  • Review key concepts with exam preparation tasks

CISSP Cert Guide is a best-of-breed exam study guide. Leading IT certification experts Troy McMillan and Robin Abernathy share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented concisely, focusing on increasing your understanding and retention of exam topics.

You get a complete test preparation routine organized around proven series elements and techniques. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan.

This study guide helps you master all the topics on the CISSP exam, including:
  • Access control
  • Telecommunications and network security
  • Information security governance and risk management
  • Software development security
  • Cryptography
  • Security architecture and design
  • Operations security
  • Business continuity and disaster recovery planning
  • Legal, regulations, investigations, and compliance
  • Physical (environmental) security

Table of Contents:
Introduction

Chapter 1 The CISSP Certification 3
  The Goals of the CISSP Certification 3
    Sponsoring Bodies 3
    Stated Goals 4
  The Value of the CISSP Certification 4
    To the Security Professional 5
    To the Enterprise 5
  The Common Body of Knowledge 5
    Access Control 5
    Telecommunications and Network Security 6
    Information Security Governance and Risk Management 6
    Software Development Security 7
    Cryptography 7
    Security Architecture and Design 8
    Operations Security 8
    Business Continuity and Disaster Recovery Planning 8
    Legal, Regulations, Investigations, and Compliance 9
    Physical and Environmental Security 9
  Steps to Becoming a CISSP 10
    Qualifying for the Exam 10
    Signing Up for the Exam 10
    About the CISSP Exam 10

Chapter 2 Access Control 13
  Foundation Topics 13
  Access Control Concepts 13
    CIA 13
    Default Stance 14
    Defense in Depth 14
    Access Control Process 15
      Identify Resources 15
      Identify Users 15
      Identify Relationships Between Resources and Users 16
  Identification and Authentication Concepts 16
    Three Factors for Authentication 17
    Knowledge Factors 17
      Identity and Account Management 18
      Password Types and Management 19
    Ownership Factors 22
      Synchronous and Asynchronous Tokens 22
      Memory Cards 22
      Smart Cards 23
    Characteristic Factors 23
      Physiological Characteristics 24
      Behavioral Characteristics 25
      Biometric Considerations 26
  Authorization Concepts 28
    Access Control Policies 28
    Separation of Duties 29
    Least Privilege/Need-to-Know 29
    Default to No Access 30
    Directory Services 30
    Single Sign-on 31
      Kerberos 32
      SESAME 34
      Federated Identity Management 35
    Security Domains 35
  Accountability 35
    Auditing and Reporting 36
    Vulnerability Assessment 37
    Penetration Testing 38
  Access Control Categories 39
    Compensative 40
    Corrective 40
    Detective 40
    Deterrent 40
    Directive 40
    Preventive 41
    Recovery 41
  Access Control Types 41
    Administrative (Management) Controls 41
    Logical (Technical) Controls 43
    Physical Controls 43
  Access Control Models 46
    Discretionary Access Control 46
    Mandatory Access Control 47
    Role-based Access Control 47
    Rule-based Access Control 48
    Content-dependent Versus Context-dependent 48
    Access Control Matrix 48
      Capabilities Table 48
      Access Control List (ACL) 49
  Access Control Administration 49
    Centralized 49
    Decentralized 49
    Provisioning Life Cycle 50
  Access Control Monitoring 50
    IDS 50
    IPS 52
  Access Control Threats 52
    Password Threats 53
      Dictionary Attack 53
      Brute-Force Attack 53
    Social Engineering Threats 53
      Phishing/Pharming 54
      Shoulder Surfing 54
      Identity Theft 54
      Dumpster Diving 55
    DoS/DDoS 55
    Buffer Overflow 55
    Mobile Code 56
    Malicious Software 56
    Spoofing 56
    Sniffing and Eavesdropping 57
    Emanating 57
    Backdoor/Trapdoor 57
  Exam Preparation Tasks 57
    Review All Key Topics 57
    Complete the Tables and Lists from Memory 58
    Define Key Terms 59
    Review Questions 59
    Answers and Explanations 61

Chapter 3 Telecommunications and Network Security 65
  Foundation Topics 66
  OSI Model 66
    Application Layer 67
    Presentation Layer 67
    Session Layer 67
    Transport Layer 68
    Network Layer 68
    Data Link Layer 68
    Physical Layer 69
  Multi-Layer Protocols 70
  TCP/IP Model 71
    Application Layer 72
    Transport Layer 72
    Internet Layer 74
    Link Layer 76
    Encapsulation 76
  Common TCP/UDP Ports 77
  Logical and Physical Addressing 78
    IPv4 78
    IP Classes 80
    Public Versus Private IP Addresses 81
    NAT 81
    IPv4 Versus IPv6 82
    MAC Addressing 82
  Network Transmission 83
    Analog Versus Digital 83
    Asynchronous Versus Synchronous 84
    Broadband Versus Baseband 84
    Unicast, Multicast, and Broadcast 85
    Wired Versus Wireless 86
  Cabling 87
    Coaxial 87
    Twisted Pair 88
    Fiber Optic 90
  Network Topologies 91
    Ring 91
    Bus 92
    Star 92
    Mesh 93
    Hybrid 94
  Network Technologies 94
    Ethernet 802.3 94
    Token Ring 802.5 96
    FDDI 97
    Contention Methods 97
      CSMA/CD Versus CSMA/CA 98
      Collision Domains 98
      CSMA/CD 99
      CSMA/CA 100
      Token Passing 101
      Polling 101
  Network Protocols/Services 101
    ARP 101
    DHCP 102
    DNS 103
    FTP, FTPS, SFTP 103
    HTTP, HTTPS, SHTTP 104
    ICMP 104
    IMAP 105
    NAT 105
    PAT 105
    POP 105
    SMTP 105
    SNMP 105
  Network Routing 106
    Distance Vector, Link State, or Hybrid Routing 106
    RIP 107
    OSPF 107
    IGRP 108
    EIGRP 108
    VRRP 108
    IS-IS 108
    BGP 108
  Network Devices 109
    Patch Panel 109
    Multiplexer 109
    Hub 109
    Switch 110
      VLANs 111
      Layer 3 Versus Layer 4 111
    Router 111
    Gateway 112
    Firewall 112
      Types 113
      Architecture 114
      Virtualization 116
    Proxy Server 116
    PBX 116
    Honeypot 117
    Cloud Computing 117
    Endpoint Security 119
  Network Types 119
    LAN 119
    Intranet 119
    Extranet 120
    MAN 120
    WAN 120
  WAN Technologies 121
    T Lines 121
    E Lines 121
    OC Lines (SONET) 122
    CSU/DSU 122
    Circuit-Switching Versus Packet-Switching 123
    Frame Relay 123
    ATM 123
    X.25 124
    Switched Multimegabit Data Service 124
    Point-to-Point Protocol 124
    High-Speed Serial Interface 124
    PSTN (POTS, PBX) 125
    VoIP 125
  Remote Connection Technologies 126
    Dial-up 126
    ISDN 127
    DSL 127
    Cable 128
    VPN 129
    RADIUS and TACACS 132
    Remote Authentication Protocols 133
    Telnet 134
    TLS/SSL 134
    Multimedia Collaboration 134
  Wireless Networks 135
    FHSS, DSSS, OFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 135
      802.11 Techniques 136
      Cellular or Mobile Wireless Techniques 136
    WLAN Structure 137
      Access Point 137
      SSID 137
      Infrastructure Mode Versus Ad Hoc Mode 137
    WLAN Standards 137
      802.11a 138
      802.11b 138
      802.11f 138
      802.11g 138
      802.11n 138
      Bluetooth 139
      Infrared 139
    WLAN Security 139
      WEP 139
      WPA 140
      WPA2 140
      Personal Versus Enterprise 140
      SSID Broadcast 141
      MAC Filter 141
    Satellites 141
  Network Threats 142
    Cabling 142
      Noise 142
      Attenuation 142
      Crosstalk 143
      Eavesdropping 143
    ICMP Attacks 143
      Ping of Death 143
      Smurf 144
      Fraggle 144
      ICMP Redirect 144
      Ping Scanning 145
    DNS Attacks 145
      DNS Cache Poisoning 145
      DoS 146
      DDoS 146
      DNSSEC 146
      URL Hiding 146
      Domain Grabbing 147
      Cybersquatting 147
    Email Attacks 147
      Email Spoofing 147
      Spear Phishing 148
      Whaling 148
      Spam 148
    Wireless Attacks 148
      Wardriving 149
      Warchalking 149
    Remote Attacks 149
    Other Attacks 149
      SYN ACK Attacks 149
      Session Hijacking 150
      Port Scanning 150
      Teardrop 150
      IP Address Spoofing 150
  Exam Preparation Tasks 151
    Review All Key Topics 151
    Define Key Terms 151
    Review Questions 153
    Answers and Explanations 155

Chapter 4 Information Security Governance and Risk Management 159
  Foundation Topics 159
  Security Principles and Terms 159
    CIA 160
    Vulnerability 160
    Threat 161
    Threat Agent 161
    Risk 161
    Exposure 161
    Countermeasure 161
    Due Care and Due Diligence 162
    Job Rotation 163
    Separation of Duties 163
  Security Frameworks and Methodologies 163
    ISO/IEC 27000 Series 164
    Zachman Framework 166
    The Open Group Architecture Framework (TOGAF) 168
    Department of Defense Architecture Framework (DoDAF) 168
    British Ministry of Defence Architecture Framework (MODAF) 168
    Sherwood Applied Business Security Architecture (SABSA) 168
    Control Objectives for Information and Related Technology (COBIT) 170
    National Institute of Standards and Technology (NIST) Special Publications (SP) 170
    Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework 171
    Information Technology Infrastructure Library (ITIL) 172
    Six Sigma 173
    Capability Maturity Model Integration (CMMI) 174
    Top-Down Versus Bottom-Up Approach 174
    Security Program Life Cycle 174
  Risk Assessment 175
    Information and Asset (Tangible/Intangible) Value and Costs 177
    Vulnerabilities and Threats Identification 177
    Quantitative Risk Analysis 178
    Qualitative Risk Analysis 179
    Safeguard Selection 179
    Total Risk Versus Residual Risk 180
    Handling Risk 180
  Risk Management Principles 181
    Risk Management Policy 181
    Risk Management Team 181
    Risk Analysis Team 182
  Information Security Governance Components 182
    Policies 183
      Organizational Security Policy 184
      System-Specific Security Policy 185
      Issue-Specific Security Policy 185
      Policy Categories 185
    Standards 185
    Baselines 185
    Guidelines 186
    Procedures 186
    Information Classification and Life Cycle 186
      Commercial Business Classifications 186
      Military and Government Classifications 187
      Information Life Cycle 188
  Security Governance Responsibilities and Roles 188
    Board of Directors 188
    Management 189
    Audit Committee 189
    Data Owner 190
    Data Custodian 190
    System Owner 190
    System Administrator 190
    Security Administrator 190
    Security Analyst 191
    Application Owner 191
    Supervisor 191
    User 191
    Auditor 191
    Third-Party Governance 191
      Onsite Assessment 192
      Document Exchange/Review 192
      Process/Policy Review 192
    Personnel Security (Screening, Hiring, and Termination) 192
  Security Awareness Training 193
  Security Budget, Metrics, and Effectiveness 194
  Exam Preparation Tasks 195
    Review All Key Topics 195
    Complete the Tables and Lists from Memory 195
    Define Key Terms 196
    Review Questions 196
    Answers and Explanations 198

Chapter 5 Software Development Security 203
  Foundation Topics 203
  System Development Life Cycle 203
    Initiate 204
    Acquire/Develop 204
    Implement 205
    Operate/Maintain 205
    Dispose 205
  Software Development Life Cycle 206
    Gather Requirements 206
    Design 207
    Develop 207
    Test/Validate 208
    Release/Maintain 209
    Change Management and Configuration Management 209
  Software Development Security Best Practices 209
    WASC 210
    OWASP 210
    BSI 210
    ISO/IEC 27000 210
  Software Development Methods 211
    Build and Fix 211
    Waterfall 212
    V-Shaped 213
    Prototyping 214
    Incremental 214
    Spiral 215
    Rapid Application Development (RAD) 216
    Agile 216
    JAD 218
    Cleanroom 218
    CMMI 218
  Programming Concepts 219
    Machine Languages 219
    Assembly Languages and Assemblers 219
    High-level Languages, Compilers, and Interpreters 219
    Object-Oriented Programming 220
      Polymorphism 221
      Cohesion 221
      Coupling 221
      Data Structures 221
    Distributed Object-Oriented Systems 222
      CORBA 222
      COM and DCOM 222
      OLE 223
      Java 223
      SOA 223
    Mobile Code 223
      Java Applets 223
      ActiveX 224
  Database Concepts and Security 224
    DBMS Architecture and Models 224
    Database Interface Languages 226
      ODBC 226
      JDBC 227
      XML 227
      OLE DB 227
    Data Warehouses and Data Mining 227
    Database Threats 228
      Database Views 228
      Database Locks 228
      Polyinstantiation 228
      OLTP ACID Test 229
  Knowledge-Based Systems 229
  Software Threats 230
    Malware 230
      Virus 230
      Worm 231
      Trojan Horse 231
      Logic Bomb 232
      Spyware/Adware 232
      Botnet 232
      Rootkit 233
    Source Code Issues 233
      Buffer Overflow 233
      Escalation of Privileges 235
      Backdoor 235
    Malware Protection 235
      Antivirus Software 235
      Antimalware Software 236
      Security Policies 236
  Software Security Effectiveness 236
    Certification and Accreditation 236
    Auditing 237
  Exam Preparation Tasks 237
    Review All Key Topics 237
    Define Key Terms 238
    Complete the Tables and Lists from Memory 238
    Review Questions 238
    Answers and Explanations 240

Chapter 6 Cryptography 243
  Foundation Topics 244
  Cryptography Concepts 244
    Cryptographic Life Cycle 246
  Cryptography History 246
    Julius Caesar and the Caesar Cipher 247
    Vigenère Cipher 248
    Kerckhoffs's Principle 249
    World War II Enigma 249
    Lucifer by IBM 250
  Cryptosystem Features 250
    Authentication 250
    Confidentiality 250
    Integrity 251
    Authorization 251
    Non-repudiation 251
  Encryption Systems 251
    Running Key and Concealment Ciphers 251
    Substitution Ciphers 252
    Transposition Ciphers 253
    Symmetric Algorithms 253
      Stream-based Ciphers 254
      Block Ciphers 255
      Initialization Vectors (IVs) 255
    Asymmetric Algorithms 255
    Hybrid Ciphers 256
  Substitution Ciphers 257
    One-Time Pads 257
    Steganography 258
  Symmetric Algorithms 258
    Data Encryption Standard (DES) and Triple DES (3DES) 259
      DES Modes 259
      Triple DES (3DES) and Modes 262
    Advanced Encryption Standard (AES) 263
    IDEA 263
    Skipjack 264
    Blowfish 264
    Twofish 264
    RC4/RC5/RC6 264
    CAST 265
  Asymmetric Algorithms 265
    Diffie-Hellman 266
    RSA 267
    ElGamal 267
    ECC 267
    Knapsack 268
    Zero Knowledge Proof 268
  Message Integrity 268
    Hash Functions 269
      One-Way Hash 269
      MD2/MD4/MD5/MD6 271
      SHA/SHA-2/SHA-3 271
      HAVAL 272
      RIPEMD-160 272
      Tiger 272
    Message Authentication Code 273
      HMAC 273
      CBC-MAC 274
      CMAC 274
  Digital Signatures 274
  Public Key Infrastructure 275
    Certification Authority (CA) and Registration Authority (RA) 275
    OCSP 276
    Certificates 276
    Certificate Revocation List (CRL) 277
    PKI Steps 277
    Cross-Certification 278
  Key Management 278
  Trusted Platform Module (TPM) 279
  Encryption Communication Levels 280
    Link Encryption 280
    End-to-End Encryption 281
  E-mail Security 281
    PGP 281
    MIME and S/MIME 282
    Quantum Cryptography 282
  Internet Security 282
    Remote Access 283
    SSL/TLS 283
    HTTP, HTTPS, and SHTTP 284
    SET 284
    Cookies 284
    SSH 285
    IPsec 285
  Cryptography Attacks 286
    Ciphertext-Only Attack 287
    Known Plaintext Attack 287
    Chosen Plaintext Attack 287
    Chosen Ciphertext Attack 287
    Social Engineering 287
    Brute Force 288
    Differential Cryptanalysis 288
    Linear Cryptanalysis 288
    Algebraic Attack 288
    Frequency Analysis 288
    Birthday Attack 289
    Dictionary Attack 289
    Replay Attack 289
    Analytic Attack 289
    Statistical Attack 289
    Factoring Attack 289
    Reverse Engineering 289
    Meet-in-the-Middle Attack 290
  Exam Preparation Tasks 290
    Review All Key Topics 290
    Complete the Tables and Lists from Memory 290
    Define Key Terms 291
    Review Questions 291
    Answers and Explanations 293

Chapter 7 Security Architecture and Design 297
  Foundation Topics 297
  Security Model Concepts 297
    Confidentiality 297
    Integrity 297
    Availability 298
    Defense in Depth 298
  System Architecture 298
    System Architecture Steps 299
    ISO/IEC 42010:2011 299
    Computing Platforms 300
      Mainframe/Thin Clients 300
      Distributed Systems 300
      Middleware 301
      Embedded Systems 301
      Mobile Computing 301
      Virtual Computing 301
    Security Services 302
      Boundary Control Services 302
      Access Control Services 302


Product Details
  • ISBN-13: 9780133448467
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Pearson IT Certification
  • Language: English
  • Weight: 1 gr
  • ISBN-10: 0133448460
  • Publisher Date: 12 Nov 2013
  • Binding: Digital download
  • No of Pages: 691

