did-you-know? rent-now

Amazon no longer offers textbook rentals. We do!

did-you-know? rent-now

Amazon no longer offers textbook rentals. We do!

We're the #1 textbook rental company. Let us show you why.

9780849382314

Official (ISC)2 Guide to the CISSP CBK

by ;
  • ISBN13:

    9780849382314

  • ISBN10:

    0849382319

  • Format: Hardcover
  • Copyright: 2006-11-14
  • Publisher: Auerbach Pub
  • View Upgraded Edition
  • Purchase Benefits
  • Free Shipping Icon Free Shipping On Orders Over $35!
    Your order must be $35 or more to qualify for free economy shipping. Bulk sales, PO's, Marketplace items, eBooks and apparel do not qualify for this offer.
  • eCampus.com Logo Get Rewarded for Ordering Your Textbooks! Enroll Now
  • Write a Review Icon Write a Review
List Price: $73.95 Save up to $37.47
  • Digital
    $36.48
    Add to Cart

    DURATION
    PRICE

Supplemental Materials

What is included with this book?

Summary

The urgency for a global standard of excellence for those who protect the networked world has never been greater. (ISC)2 created the information security industry's first and only CBK®, a global compendium of information security topics.. Continually updated to incorporate rapidly changing technologies and threats, the CBK continues to serve as the basis for (ISC)2's education and certification programs.Written as an authoritative reference, the Official (ISC)2® Guide to the CISSP® CBK® provides a better understanding of the CISSP CBK - a collection of topics relevant to information security professionals around the world. Although the book still contains the ten domains of the CISSP, some of the domain titles have been revised to reflect changing terminology and emphasis in the security professional's day-to-day environment. The ten domains include: information security and risk management, access control, cryptography, physical (environmental) security, security architecture and design, business continuity (BCP) and disaster recovery planning (DRP), telecommunications and network security, application security, operations security, legal, regulations, and compliance and investigations.Endorsed by the (ISC)2, this valuable resource follows the newly revised CISSP CBK, providing reliable, current, and thorough information. Moreover, the Official (ISC)2® Guide to the CISSP® CBK® helps information security professionals gain awareness of the requirements of their profession and acquire knowledge validated by the CISSP certification.

Table of Contents

Domain 1 Information Security and Risk Management 1(92)
Todd Fitzgerald, CISSP, Bonnie Goins, CISSP, and Rebecca Herold, CISSP
Introduction
1(3)
CISSP Expectations
2(2)
The Business Case for Information Security Management
4(3)
Core Information Security Principles: Confidentiality, Availability, Integrity (CIA)
5(2)
Confidentiality
5(1)
Integrity
6(1)
Availability
6(1)
Security Management Practice
7(1)
Information Security Management Governance
7(12)
Security Governance Defined
8(1)
Security Policies, Procedures, Standards, Guidelines, and Baselines
9(8)
Security Policy Best Practices
10(2)
Types of Security Policies
12(1)
Standards
13(1)
Procedures
14(1)
Baselines
15(1)
Guidelines
16(1)
Combination of Policies, Standards, Baselines, Procedures, and Guidelines
16(1)
Policy Analogy
16(1)
Audit Frameworks for Compliance
17(2)
COSO
17(1)
ITIL
18(1)
COBIT
18(1)
ISO 17799/BS 7799
18(1)
Organizational Behavior
19(32)
Organizational Structure Evolution
20(2)
Today's Security Organizational Structure
21(1)
Best Practices
22(4)
Job Rotation
23(1)
Separation of Duties
23(2)
Least Privilege (Need to Know)
25(1)
Mandatory Vacations
25(1)
Job Position Sensitivity
25(1)
Responsibilities of the Information Security Officer
26(5)
Communicate Risks to Executive Management
26(1)
Budget for Information Security Activities
27(1)
Ensure Development of Policies, Procedures, Baselines, Standards, and Guidelines
28(1)
Develop and Provide Security Awareness Program
28(1)
Understand Business Objectives
28(1)
Maintain Awareness of Emerging Threats and Vulnerabilities
29(1)
Evaluate Security Incidents and Response
29(1)
Develop Security Compliance Program
29(1)
Establish Security Metrics
29(1)
Participate in Management Meetings
30(1)
Ensure Compliance with Government Regulations
30(1)
Assist Internal and External Auditors
30(1)
Stay Abreast of Emerging Technologies
30(1)
Reporting Model
31(3)
Business Relationships
31(1)
Reporting to the CEO
31(1)
Reporting to the Information Technology (IT) Department
32(1)
Reporting to Corporate Security
32(1)
Reporting to the Administrative Services Department
33(1)
Reporting to the Insurance and Risk Management Department
33(1)
Reporting to the Internal Audit Department
33(1)
Reporting to the Legal Department
34(1)
Determining the Best Fit
34(1)
Enterprisewide Security Oversight Committee
34(8)
Vision Statement
34(1)
Mission Statement
35(7)
Security Planning
42(2)
Strategic Planning
43(1)
Tactical Planning
43(1)
Operational and Project Planning
43(1)
Personnel Security
44(7)
Hiring Practices
44(7)
Security Awareness, Training, and Education
51(5)
Why Conduct Formal Security Awareness Training?
51(3)
Training Topics
52(1)
What Might a Course in Security Awareness Look Like?
52(2)
Awareness Activities and Methods
54(2)
Job Training
55(1)
Professional Education
56(1)
Performance Metrics
56(1)
Risk Management
56(15)
Risk Management Concepts
57(7)
Qualitative Risk Assessments
58(2)
Quantitative Risk Assessments
60(2)
Selecting Tools and Techniques for Risk Assessment
62(1)
Risk Assessment Methodologies
62(2)
Risk Management Principles
64(2)
Risk Avoidance
64(1)
Risk Transfer
64(1)
Risk Mitigation
65(1)
Risk Acceptance
65(1)
Who Owns the Risk?
66(1)
Risk Assessment
66(5)
Identify Vulnerabilities
66(1)
Identify Threats
67(1)
Determination of Likelihood
67(1)
Determination of Impact
68(1)
Determination of Risk
68(1)
Reporting Findings
69(1)
Countermeasure Selection
69(1)
Information Valuation
70(1)
Ethics
71(16)
Regulatory Requirements for Ethics Programs
73(1)
Example Topics in Computer Ethics
74(1)
Computers in the Workplace
74(1)
Computer Crime
74(1)
Privacy and Anonymity
75(1)
Intellectual Property
75(1)
Professional Responsibility and Globalization
75(1)
Common Computer Ethics Fallacies
75(2)
The Computer Game Fallacy
76(1)
The Law-Abiding Citizen Fallacy
76(1)
The Shatterproof Fallacy
76(1)
The Candy-from-a-Baby Fallacy
77(1)
The Hacker's Fallacy
77(1)
The Free Information Fallacy
77(1)
Hacking and Hacktivism
77(1)
The Hacker Ethic
78(1)
Ethics Codes of Conduct and Resources
78(4)
The Code of Fair Information Practices
78(1)
Internet Activities Board (IAB) (now the Internet Architecture Board) and RFC 1087
79(1)
Computer Ethics Institute (CEI)
79(1)
National Conference on Computing and Values
80(1)
The Working Group on Computer Ethics
80(1)
National Computer Ethics and Responsibilities Campaign (NC ERC)
80(1)
(ISC)² Code of Ethics
81(1)
Organizational Ethics Plan of Action
82(2)
How a Code of Ethics Applies to CISSPs
84(3)
References
87(1)
Other References
87(1)
Sample Questions
88(5)
Domain 2 Access Control 93(126)
James S. Tiller, CISSP
Introduction
93(1)
CISSP® Expectations
93(1)
Confidentiality, Integrity, and Availability
93(1)
Definitions and Key Concepts
94(14)
Determining Users
95(1)
Defining Resources
96(1)
Specifying Use
97(1)
Accountability
97(1)
Access Control Principles
98(3)
Separation of Duties
98(3)
Least Privilege
101(1)
Information Classification
101(7)
Data Classification Benefits
102(1)
Establishing a Data Classification Program
103(4)
Labeling and Marking
107(1)
Data Classification Assurance
107(1)
Summary
108(1)
Access Control Categories and Types
108(22)
Control Categories
108(4)
Preventative
108(1)
Deterrent
109(1)
Detective
109(1)
Corrective
110(1)
Recovery
111(1)
Compensating
111(1)
Types of Controls
112(18)
Administrative
113(11)
Physical
124(1)
Technical
125(5)
Access Control Threats
130(17)
Denial of Service
130(1)
Buffer Overflows
131(1)
Mobile Code
132(1)
Malicious Software
133(1)
Password Crackers
134(2)
Spoofing/Masquerading
136(1)
Sniffers, Eavesdropping, and Tapping
137(1)
Emanations
138(1)
Shoulder Surfing
139(1)
Object Reuse
139(1)
Data Remanence
140(2)
Unauthorized Targeted Data Mining
142(1)
Dumpster Diving
143(1)
Backdoor/Trapdoor
144(1)
Theft
144(1)
Social Engineering
145(2)
E-mail Social Engineering
145(1)
Help Desk Fraud
146(1)
Access to Systems
147(39)
Identification and Authentication
147(22)
Types of Identification
148(1)
Types of Authentication
149(18)
Authentication Method Summary
167(2)
Identity and Access Management
169(1)
Identity Management
170(9)
Identity Management Challenges
172(1)
Identity Management Technologies
173(6)
Access Control Technologies
179(7)
Single Sign-On
179(2)
Kerberos
181(3)
Secure European System for Applications in a Multi-Vendor Environment (SESAME)
184(1)
Security Domain
185(1)
Section Summary
186(1)
Access to Data
186(8)
Discretionary and Mandatory Access Control
186(8)
Access Control Lists
188(1)
Access Control Matrix
188(1)
Rule-Based Access Control
188(1)
Role-Based Access Control
189(2)
Content-Dependent Access Control
191(1)
Constrained User Interface
191(1)
Capability Tables
191(1)
Temporal (Time-Based) Isolation
192(1)
Centralized Access Control
192(1)
Decentralized Access Control
192(1)
Section Summary
192(2)
Intrusion Detection and Prevention Systems
194(11)
Intrusion Detection Systems
195(3)
Network Intrusion Detection System
196(1)
Host-Based Intrusion Detection System
197(1)
Analysis Engine Methods
198(3)
Pattern/Stateful Matching Engine
199(1)
Anomaly-Based Engine
200(1)
Intrusion Responses
201(3)
Alarms and Signals
203(1)
IDS Management
204(1)
Access Control Assurance
205(10)
Audit Trail Monitoring
205(2)
Audit Event Types
205(1)
Auditing Issues and Concerns
206(1)
Information Security Activities
207(12)
Penetration Testing
208(5)
Types of Testing
213(2)
Summary
215(1)
References
215(1)
Sample Questions
215(4)
Domain 3 Cryptography 219(62)
Kevin Henry, CISSP
Introduction
219(1)
CISSP Expectations
219(1)
Core Information Security Principles: Confidentiality, Integrity, and Availability
219(1)
Key Concepts and Definitions
220(9)
The History of Cryptography
222(1)
The Early (Manual) Era
222(1)
The Mechanical Era
222(1)
The Modern Era
223(1)
Emerging Technology
223(2)
Quantum Cryptography
223(2)
Protecting Information
225(1)
Data Storage
225(1)
Data Transmission
225(1)
Uses of Cryptography
226(1)
Availability
226(1)
Confidentiality
226(1)
Integrity
226(1)
Additional Features of Cryptographic Systems
226(1)
Nonrepudiation
227(1)
Authentication
227(1)
Access Control
227(1)
Methods of Cryptography
227(2)
Stream-Based Ciphers
227(2)
Block Ciphers
229(1)
Encryption Systems
229(31)
Substitution Ciphers
229(24)
Playfair Cipher
229(1)
Transposition Ciphers
230(1)
Monoalphabetic and Polyalphabetic Ciphers
231(2)
Modular Mathematics and the Running Key Cipher
233(1)
One-Time Pads
234(1)
Steganography
235(1)
Watermarking
235(1)
Code Words
235(1)
Symmetric Ciphers
236(1)
Examples of Symmetric Algorithms
237(15)
Advantages and Disadvantages of Symmetric Algorithms
252(1)
Asymmetric Algorithms
253(7)
Confidential Messages
253(1)
Open Message
254(1)
Confidential Messages with Proof of Origin
254(1)
RSA
254(3)
Diffie—Hellmann Algorithm
257(1)
El Gamal
258(1)
Elliptic Curve Cryptography
258(1)
Advantages and Disadvantages of Asymmetric Key Algorithms
258(1)
Hybrid Cryptography
259(1)
Message Integrity Controls
260(5)
Checksums
260(1)
Hash Function
260(4)
Simple Hash Functions
261(1)
MD5 Message Digest Algorithm
261(1)
Secure Hash Algorithm (SHA) and SHA-1
262(1)
HAVAL
262(1)
RIPEMD-160
262(1)
Attacks on Hashing Algorithms and Message Authentication Codes
263(1)
Message Authentication Code (MAC)
264(1)
HMAC
264(1)
Digital Signatures
265(1)
Digital Signature Standard (DSS)
265(1)
Uses of Digital Signatures
266(1)
Encryption Management
266(5)
Key Management
266(2)
Key Recovery
267(1)
Key Distribution Centers
268(1)
Standards for Financial Institutions
268(1)
Public Key Infrastructure (PKI)
269(2)
Revocation of a Certificate
271(1)
Cross-Certification
271(1)
Legal Issues Surrounding Cryptography
271(1)
Cryptanalysis and Attacks
271(3)
Ciphertext-Only Attack
271(1)
Known Plaintext Attack
271(1)
Chosen Plaintext Attack
272(1)
Chosen Ciphertext Attack
272(1)
Social Engineering
272(1)
Brute Force
272(1)
Differential Power Analysis
273(1)
Frequency Analysis
273(1)
Birthday Attack
273(1)
Dictionary Attack
273(1)
Replay Attack
273(1)
Factoring Attacks
273(1)
Reverse Engineering
273(1)
Attacking the Random Number Generators
274(1)
Temporary Files
274(1)
Encryption Usage
274(2)
E-mail Security Using Cryptography
274(1)
Protocols and Standards
275(1)
Pretty Good Privacy (PGP)
275(1)
Secure/Multipurpose Internet Mail Extension (S/MIME)
275(1)
Internet and Network Security
275(6)
IPSec
275(1)
SSL/TLS
276(1)
References
276(1)
Sample Questions
277(4)
Domain 4 Physical (Environmental) Security 281(26)
Paul Hansford, CISSP
Introduction
281(1)
CISSP Expectations
282(1)
Physical (Environmental) Security Challenges
282(3)
Threats and Vulnerabilities
283(2)
Threat Types
283(2)
Vulnerabilities
285(1)
Site Location
285(1)
Site Fabric and Infrastructure
285(1)
The Layered Defense Model
286(14)
Physical Considerations
287(3)
Working with Others to Achieve Physical and Procedural Security
287(1)
Physical and Procedural Security Methods, Tools, and Techniques
288(1)
Procedural Controls
288(2)
Infrastructure Support Systems
290(3)
Fire Prevention, Detection, and Suppression
290(2)
Boundary Protection
292(1)
Building Entry Points
293(7)
Keys and Locking Systems
293(2)
Walls, Doors, and Windows
295(1)
Access Controls
296(1)
Closed-Circuit Television (CCTV)
296(2)
Intrusion Detection Systems
298(1)
Portable Device Security
299(1)
Asset and Risk Registers
299(1)
Information Protection and Management Services
300(2)
Managed Services
300(1)
Audits, Drills, Exercises, and Testing
300(1)
Vulnerability and Penetration Tests
301(1)
Maintenance and Service Issues
301(1)
Education, Training, and Awareness
301(1)
Summary
302(1)
References
302(1)
Sample Questions
303(4)
Domain 5 Security Architecture and Design 307(30)
William Lipiczky, CISSP
Introduction
307(1)
CISSP® Expectations
307(1)
Security Architecture and Design Components and Principles
308(16)
Security Frameworks: ISO/IEC 17799:2005, BS 7799:2, ISO 270001
308(1)
Design Principles
309(2)
Diskless Workstations, Thin Clients, and Thin Processing
309(1)
Operating System Protection
310(1)
Hardware
311(9)
Personal Digital Assistants (PDAs) and Smart Phones
314(1)
Central Processing Unit (CPU)
315(1)
Storage
316(2)
Input/Output Devices
318(1)
Communications Devices
319(1)
Networks and Partitioning
319(1)
Software
320(3)
Operating Systems
320(1)
Application Programs
321(1)
Processes and Threads
322(1)
Firmware
323(1)
Trusted Computer Base (TCB)
323(1)
Reference Monitor
324(1)
Security Models and Architecture Theory
324(5)
Lattice Models
324(1)
State Machine Models
325(1)
Research Models
325(1)
Noninterference Models
325(1)
Information Flow Models
325(1)
Bell—LaPadula Confidentiality Model
325(1)
Biba Integrity Model
326(1)
Clark—Wilson Integrity Model
326(1)
Access Control Matrix and Information Flow Models
327(2)
Information Flow Models
328(1)
Graham—Denning Model
328(1)
Harrison—Ruzzo—Ullman Model
328(1)
Brewer—Nash (Chinese Wall)
328(1)
Security Product Evaluation Methods and Criteria
329(3)
Rainbow Series
329(1)
Trusted Computer Security Evaluation Criteria (TCSEC)
329(1)
Information Technology Security Evaluation Criteria (ITSEC)
330(1)
Common Criteria
331(1)
Software Engineering Institute's Capability Maturity Model Integration (SEI-CMMI)
331(1)
Certification and Accreditation
332(1)
Sample Questions
332(5)
Domain 6 Business Continuity and Disaster Recovery Planning 337(70)
Carl B. Jackson, CISSP
Introduction
337(7)
CISSP Expectations
338(1)
Core Information Security Principles: Availability, Integrity, Confidentiality (AIC)
339(1)
Why Continuity Planning?
339(2)
Reality of Terrorist Attack
339(1)
Natural Disasters
340(1)
Internal and External Audit Oversight
340(1)
Legislative and Regulatory Requirements
340(1)
Industry and Professional Standards
341(1)
NFPA 1600
341(1)
ISO 17799
341(1)
Defense Security Service (DSS)
341(1)
National Institute of Standards and Technology (NIST)
341(1)
Good Business Practice or the Standard of Due Care
341(1)
Enterprise Continuity Planning and Its Relationship to Business Continuity and Disaster Recovery Planning
341(3)
Revenue Loss
342(1)
Extra Expense
343(1)
Compromised Customer Service
343(1)
Embarrassment or Loss of Confidence Impact
343(1)
Hidden Benefits of Continuity Planning
343(1)
Organization of the BCP/DRP Domain Chapter
344(51)
Project Initiation Phase
344(1)
Current State Assessment Phase
345(1)
Design and Development Phase
345(1)
Implementation Phase
345(1)
Management Phase
346(1)
Project Initiation Phase Description
346(8)
Project Scope Development and Planning
346(2)
Executive Management Support
348(1)
BCP Project Scope and Authorization
348(2)
Executive Management Leadership and Awareness
350(1)
Continuity Planning Project Team Organization and Management
351(2)
Disaster or Disruption Avoidance and Mitigation
353(1)
Project Initiation Phase Activities and Tasks Work Plan
354(1)
Current State Assessment Phase Description
354(2)
Understanding Enterprise Strategy, Goals, and Objectives
354(1)
Enterprise Business Processes Analysis
355(1)
People and Organizations
355(1)
Time Dependencies
355(1)
Motivation, Risks, and Control Objectives
355(1)
Budgets
355(1)
Technical Issues and Constraints
356(1)
Continuity Planning Process Support Assessment
356(7)
Threat Assessment
356(2)
Risk Management
358(1)
Business Impact Assessment (BIA)
359(3)
Benchmarking and Peer Review
362(1)
Sample Current State Assessment Phase Activities and Tasks Work Plan
363(1)
Development Phase Description
363(23)
Recovery Strategy Development
363(3)
Work Plan Development
366(1)
Develop and Design Recovery Strategies
366(3)
Data and Software Backup Approaches
369(1)
DRP Recovery Strategies for IT
370(1)
BCP Recovery Strategies for Enterprise Business Processes
371(2)
Developing Continuity Plan Documents and Infrastructure Strategies
373(1)
Developing Testing/Maintenance/Training Strategies
373(1)
Plan Development Phase Description
374(1)
Building Continuity Plans
375(4)
Contrasting Crisis Management and Continuity Planning Approaches
379(1)
Building Crisis Management Plans
379(2)
Testing/Maintenance/Training Development Phase Description
381(5)
Developing Continuity and Crisis Management Process Training and Awareness Strategies
386(1)
Sample Phase Activities and Tasks Work Plan
386(1)
Implementation Phase Description
386(6)
Analyze CPPT Implementation Work Plans
386(2)
Program Short- and Long-Term Testing
388(1)
Continuity Plan Testing (Exercise) Procedure Deployment
388(3)
Program Training, Awareness, and Education
391(1)
Emergency Operations Center (EOC)
392(1)
Management Phase Description
392(9)
Program Oversight
392(1)
Continuity Planning Manager Roles and Responsibilities
392(3)
Terminology
395(3)
References
398(1)
Sample Questions
398(3)
Appendix A: Addressing Legislative Compliance within Business Continuity Plans
401(6)
Rebecca Herold, CISSP
HIPAA
401(1)
GLB
402(1)
Patriot Act
402(2)
Other Issues
404(1)
OCC Banking Circular 177
404(3)
Domain 7 Telecommunications and Network Security 407(130)
Alec Bass, CISSP and Peter Berlich, CISSP-ISSMP
Introduction
407(1)
CISSP® Expectations
408(1)
Basic Concepts
408(15)
Network Models
408(6)
OSI Reference Model
409(4)
TCP/IP Model
413(1)
Network Security Architecture
414(9)
The Role of the Network in IT Security
414(2)
Network Security Objectives and Attack Modes
416(3)
Methodology of an Attack
419(2)
Network Security Tools
421(2)
Layer 1: Physical Layer
423(10)
Concepts and Architecture
423(4)
Communication Technology
423(1)
Network Topology
424(3)
Technology and Implementation
427(6)
Cable
427(1)
Twisted Pair
428(1)
Coaxial Cable
429(1)
Fiber Optics
429(1)
Patch Panels
430(1)
Modems
430(1)
Wireless Transmission Technologies
431(2)
Layer 2: Data-Link Layer
433(17)
Concepts and Architecture
433(8)
Architecture
433(1)
Transmission Technologies
434(7)
Technology and Implementation
441(9)
Ethernet
441(4)
Wireless Local Area Networks
445(5)
Address Resolution Protocol (ARP)
450(1)
Point-to-Point Protocol (PPP)
450(1)
Layer 3: Network Layer
450(32)
Concepts and Architecture
450(14)
Local Area Network (LAN)
450(2)
Wide Area Network (WAN) Technologies
452(10)
Metropolitan Area Network (MAN)
462(1)
Global Area Network (GAN)
463(1)
Technology and Implementation
464(18)
Routers
464(1)
Firewalls
464(4)
End Systems
468(3)
Internet Protocol (IP)
471(4)
Virtual Private Network (VPN)
475(4)
Tunneling
479(1)
Dynamic Host Configuration Protocol (DHCP)
479(1)
Internet Control Message Protocol (ICMP)
480(1)
Internet Group Management Protocol (IGMP)
481(1)
Layer 4: Transport Layer
482(4)
Concepts and Architecture
482(2)
Transmission Control Protocol (TCP)
483(1)
User Datagram Protocol (UDP)
484(1)
Technology and Implementation
484(2)
Scanning Techniques
484(2)
Denial of Service
486(1)
Layer 5: Session Layer
486(9)
Concepts and Architecture
486(1)
Technology and Implementation
486(9)
Remote Procedure Calls
486(1)
Directory Services
487(6)
Access Services
493(2)
Layer 6: Presentation Layer
495(2)
Concepts and Architecture
495(1)
Technology and Implementation
496(1)
Transport Layer Security (TLS)
496(1)
Layer 7: Application Layer
497(23)
Concepts and Architecture
497(1)
Technology and Implementation
497(40)
Asynchronous Messaging (E-mail and News)
497(5)
Instant Messaging
502(4)
Data Exchange (World Wide Web)
506(6)
Peer-to-Peer Applications and Protocols
512(1)
Administrative Services
512(2)
Remote-Access Services
514(3)
Information Services
517(1)
Voice-over-IP (VoIP)
518(2)
General References
520(1)
Sample Questions
521(4)
Endnotes
525(12)
Domain 8 Application Security 537(96)
Robert M. Slade, CISSP
Domain Description and Introduction
537(3)
Current Threats and Levels
537(1)
Application Development Security Outline
538(1)
Expectation of the CISSP in This Domain
539(1)
Applications Development and Programming Concepts and Protection
540(42)
Current Software Environment
541(1)
Open Source
542(1)
Full Disclosure
543(1)
Programming
543(4)
Process and Elements
544(1)
The Programming Procedure
545(2)
The Software Environment
547(2)
Threats in the Software Environment
549(5)
Buffer Overflow
549(1)
Citizen Programmers
550(1)
Covert Channel
550(1)
Malicious Software (Malware)
551(1)
Malformed Input Attacks
551(1)
Memory Reuse (Object Reuse)
551(1)
Executable Content/Mobile Code
551(1)
Social Engineering
552(1)
Time of Check/Time of Use (TOC/TOU)
553(1)
Trapdoor/Backdoor
553(1)
Application Development Security Protections and Controls
554(17)
System Life Cycle and Systems Development
554(1)
Systems Development Life Cycle (SDLC)
555(6)
Software Development Methods
561(3)
Java Security
564(2)
Object-Oriented Technology and Programming
566(2)
Object-Oriented Security
568(1)
Distributed Object-Oriented Systems
569(2)
Software Protection Mechanisms
571(11)
Security Kernels
571(1)
Processor Privilege States
571(2)
Security Controls for Buffer Overflows
573(1)
Controls for Incomplete Parameter Check and Enforcement
573(1)
Memory Protection
574(1)
Covert Channel Controls
575(1)
Cryptography
575(1)
Password Protection Techniques
575(1)
Inadequate Granularity of Controls
576(1)
Control and Separation of Environments
576(1)
Time of Check/Time of Use (TOC/TOU)
577(1)
Social Engineering
577(1)
Backup Controls
577(1)
Software Forensics
578(2)
Mobile Code Controls
580(2)
Programming Language Support
582(1)
Audit and Assurance Mechanisms
582(4)
Information Integrity
583(1)
Information Accuracy
583(1)
Information Auditing
583(1)
Certification and Accreditation
584(1)
Information Protection Management
584(1)
Change Management
585(1)
Configuration Management
586(1)
Malicious Software (Malware)
586(16)
Malware Types
589(9)
Viruses
589(3)
Worms
592(1)
Hoaxes
593(1)
Trojans
593(2)
Remote-Access Trojans (RATs)
595(1)
DDoS Zombies
596(1)
Logic Bombs
596(1)
Spyware and Adware
597(1)
Pranks
597(1)
Malware Protection
598(3)
Scanners
599(1)
Activity Monitors
599(1)
Change Detection
599(1)
Antimalware Policies
600(1)
Malware Assurance
601(1)
The Database and Data Warehousing Environment
602(24)
DBMS Architecture
602(7)
Hierarchical Database Management Model
604(1)
Network Database Management Model
605(1)
Relational Database Management Model
605(4)
Object-Oriented Database Model
609(1)
Database Interface Languages
609(4)
Open Database Connectivity (ODBC)
609(1)
Java Database Connectivity (JDBC)
610(1)
eXtensible Markup Language (XML)
610(1)
Object Linking and Embedding Database (OLE DB)
611(1)
Accessing Databases through the Internet
612(1)
Data Warehousing
613(4)
Metadata
614(2)
Online Analytical Processing (OLAP)
616(1)
Data Mining
616(1)
Database Vulnerabilities and Threats
617(3)
DBMS Controls
620(4)
Lock Controls
621(1)
Other DBMS Access Controls
622(1)
View-Based Access Controls
622(1)
Grant and Revoke Access Controls
622(1)
Security for Object-Oriented (00) Databases
623(1)
Metadata Controls
623(1)
Data Contamination Controls
623(1)
Online Transaction Processing (OLTP)
623(1)
Knowledge Management
624(2)
Web Application Environment
626(2)
Web Application Threats and Protection
627(1)
Summary
628(1)
References
629(1)
Sample Questions
629(4)
Domain 9 Operations Security 633(50)
Sean M. Price, CISSP
Introduction
633(1)
Privileged Entity Controls
633(9)
Operators
633(1)
Ordinary Users
634(1)
System Administrators
635(2)
Security Administrators
637(3)
File Sensitivity Labels
637(1)
System Security Characteristics
637(1)
Clearances
637(1)
Passwords
637(1)
Account Characteristics
638(1)
Security Profiles
638(1)
Audit Data Analysis and Management
639(1)
System Accounts
640(1)
Account Management
640(2)
Resource Protection
642(13)
Facilities
642(1)
Hardware
642(2)
Software
644(1)
Documentation
644(1)
Threats to Operations
645(1)
Disclosure
645(1)
Destruction
645(1)
Interruption and Nonavailability
645(1)
Corruption and Modification
645(1)
Theft
645(1)
Espionage
646(1)
Hackers and Crackers
646(1)
Malicious Code
646(1)
Control Types
646(2)
Preventative Controls
646(1)
Detective Controls
646(1)
Corrective Controls
647(1)
Directive Controls
647(1)
Recovery Controls
647(1)
Deterrent Controls
647(1)
Compensating Controls
647(1)
Control Methods
648(2)
Separation of Responsibilities
648(1)
Least Privilege
648(1)
Job Rotation
648(1)
Need to Know
648(1)
Security Audits and Reviews
649(1)
Supervision
649(1)
Input/Output Controls
650(1)
Antivirus Management
650(1)
Media Types and Protection Methods
650(1)
Object Reuse
651(2)
Sensitive Media Handling
653(1)
Marking
653(1)
Handling
653(1)
Storing
653(1)
Destruction
653(1)
Declassification
654(1)
Misuse Prevention
654(1)
Record Retention
655(1)
Continuity of Operations
655(14)
Fault Tolerance
656(1)
Data Protection
657(2)
Software
659(1)
Hardware
660(1)
Communications
660(1)
Facilities
661(2)
Problem Management
663(4)
System Component Failure
664(1)
Power Failure
664(1)
Telecommunications Failure
664(1)
Physical Break-In
664(1)
Tampering
664(1)
Production Delay
665(1)
Input/Output Errors
665(2)
System Recovery
667(1)
Intrusion Detection System
668(1)
Vulnerability Scanning
668(1)
Business Continuity Planning
669(1)
Change Control Management
669(8)
Configuration Management
670(1)
Production Software
671(1)
Software Access Control
671(1)
Change Control Process
672(1)
Requests
672(1)
Impact Assessment
672(1)
Approval/Disapproval
672(1)
Build and Test
672(1)
Notification
673(1)
Implementation
673(1)
Validation
673(1)
Documentation
673(1)
Library Maintenance
673(1)
Patch Management
673(4)
Summary
677(1)
References
677(1)
Sample Questions
678(5)
Domain 10 Legal, Regulations, Compliance and Investigations 683(36)
Marcus K. Rogers, Ph.D., CISSP
Introduction
683(2)
CISSP® Expectations
684(1)
Major Legal Systems
685(5)
Common Law
686(2)
Criminal Law
687(1)
Tort Law
687(1)
Administrative Law
687(1)
Civil Law
688(1)
Customary Law
688(1)
Religious Law
689(1)
Mixed Law
689(1)
Information Technology Laws and Regulations
690(8)
Intellectual Property Laws
690(2)
Patent
690(1)
Trademark
690(1)
Copyright
691(1)
Trade Secret
691(1)
Licensing Issues
691(1)
Privacy
692(2)
Liability
694(1)
Computer Crime
695(3)
International Cooperation
697(1)
Incident Response
698(7)
Response Capability
699(1)
Incident Response and Handling
700(3)
Triage
700(1)
Investigative Phase
701(1)
Containment
701(1)
Analysis and Tracking
702(1)
Recovery Phase
703(1)
Recovery and Repair
704(1)
Debriefing/Feedback
704(1)
Computer Forensics
705(5)
Crime Scene
707(1)
Digital/Electronic Evidence
708(1)
General Guidelines
709(1)
Conclusions
710(2)
References
712(3)
Sample Questions
715(4)
Appendix A Answers to Sample Questions 719(38)
Domain 1: Information Security and Risk Management
719(5)
Domain 2: Access Control
724(4)
Domain 3: Cryptography
728(3)
Domain 4: Physical (Environmental) Security
731(3)
Domain 5: Security Architecture and Design
734(3)
Domain 6: Business Continuity and Disaster Recovery Planning
737(3)
Domain 7: Telecommunications and Network Security
740(6)
Domain 8: Application Security
746(2)
Domain 9: Operations Security
748(4)
Domain 10: Legal, Regulations, Compliance and Investigation
752(5)
Appendix B Certified Information Systems Security Professional (CISSP®) Candidate Information Bulletin 757(1)
1 Information Security and Risk Management
758(17)
Overview
758(1)
Key Areas of Knowledge
759(1)
2 Access Control
759(1)
Overview
759(1)
Key Areas of Knowledge
760(1)
3 Cryptography
760(1)
Overview
760(1)
Key Areas of Knowledge
760(1)
4 Physical (Environmental) Security
760(1)
Overview
760(1)
Key Areas of Knowledge
761(1)
5 Security Architecture and Design
761(1)
Overview
761(1)
Key Areas of Knowledge
761(1)
6 Business Continuity and Disaster Recovery Planning
762(1)
Overview
762(1)
Key Areas of Knowledge
762(1)
7 Telecommunications and Network Security
763(1)
Overview
763(1)
Key Areas of Knowledge
763(1)
8 Application Security
764(1)
Overview
764(1)
Key Areas of Knowledge
764(1)
9 Operations Security
764(1)
Overview
764(1)
Key Areas of Knowledge
764(1)
10 Legal, Regulations, Compliance and Investigations
765(1)
Overview
765(1)
Key Areas of Knowledge
765(1)
References
766(4)
General Examination Information
770(5)
Appendix C Glossary 775(248)
Index 1023

Supplemental Materials

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.

Rewards Program