
CISSP®: Certified Information Systems Security Professional Study Guide, 3rd Edition

by James Michael Stewart; Ed Tittel; Mike Chapple
  • ISBN13: 9780782144437
  • ISBN10: 0782144438
  • Edition: 3rd
  • Format: Paperback
  • Copyright: 2005-09-01
  • Publisher: Sybex
  • List Price: $69.99

Summary

Here's the book you need to prepare for the challenging CISSP exam from (ISC)². This third edition was developed to meet the exacting requirements of today's security certification candidates, and has been thoroughly updated to cover recent technological advances in the field of IT security. In addition to the consistent and accessible instructional approach that readers have come to expect from Sybex, this book provides:

  • Clear and concise information on critical security technologies and topics
  • Practical examples and insights drawn from real-world experience
  • Expanded coverage of key topics such as biometrics, auditing and accountability, and software security testing
  • Leading-edge exam preparation software, including a testing engine and electronic flashcards for your PC, Pocket PC, and Palm handheld

You'll find authoritative coverage of key exam topics including:

  • Access Control Systems & Methodology
  • Applications & Systems Development
  • Business Continuity Planning
  • Cryptography
  • Law, Investigation, & Ethics
  • Operations Security & Physical Security
  • Security Architecture, Models, and Management Practices
  • Telecommunications, Network, & Internet Security

Author Biography

James Michael Stewart, CISSP, is a security expert who has authored numerous publications, books, and courseware.

Ed Tittel, CISSP, is a freelance writer and a regular contributor to numerous publications, including C|Net, InfoWorld, and Windows IT Pro. Ed has authored over 130 books.

Mike Chapple, CISSP, is an IT security professional with the University of Notre Dame.

Table of Contents

Each entry lists its starting page, followed in parentheses by the number of pages it runs.

Introduction xxiii
Assessment Test xxxi

Accountability and Access Control 1 (42)
  Access Control Overview 2 (7)
    Types of Access Control 2 (3)
    Access Control in a Layered Environment 5 (1)
    The Process of Accountability 5 (4)
  Identification and Authentication Techniques 9 (14)
    Passwords 10 (3)
    Biometrics 13 (5)
    Tokens 18 (2)
    Tickets 20 (1)
    Single Sign On 20 (3)
  Access Control Techniques 23 (4)
    Discretionary Access Controls (DAC) 23 (1)
    Nondiscretionary Access Controls 24 (1)
    Mandatory Access Controls 24 (1)
    Role-Based Access Control (RBAC) 25 (1)
    Lattice-Based Access Controls 26 (1)
  Access Control Methodologies and Implementation 27 (1)
    Centralized and Decentralized Access Control 27 (1)
    Radius and Tacacs 27 (1)
  Access Control Administration 28 (4)
    Account Administration 29 (1)
    Account, Log, and Journal Monitoring 30 (1)
    Access Rights and Permissions 30 (2)
  Summary 32 (2)
  Exam Essentials 34 (2)
  Review Questions 36 (4)
  Answers to Review Questions 40 (3)

Attacks and Monitoring 43 (26)
  Monitoring 44 (1)
  Intrusion Detection 45 (3)
    Host-Based and Network-Based IDSs 46 (1)
    Knowledge-Based and Behavior-Based Detection 47 (1)
    IDS-Related Tools 48 (1)
  Penetration Testing 49 (1)
  Methods of Attacks 50 (8)
    Brute Force and Dictionary Attacks 51 (1)
    Denial of Service 52 (3)
    Spoofing Attacks 55 (1)
    Man-in-the-Middle Attacks 56 (1)
    Sniffer Attacks 57 (1)
    Spamming Attacks 57 (1)
    Crackers 58 (1)
  Access Control Compensations 58 (1)
  Summary 59 (1)
  Exam Essentials 59 (3)
  Review Questions 62 (4)
  Answers to Review Questions 66 (3)

ISO Model, Network Security, and Protocols 69 (52)
  OSI Model 70 (9)
    History of the OSI Model 70 (1)
    OSI Functionality 71 (1)
    Encapsulation/Deencapsulation 72 (1)
    OSI Layers 73 (5)
    TCP/IP Model 78 (1)
  Communications and Network Security 79 (17)
    Network Cabling 79 (5)
    LAN Technologies 84 (3)
    Network Topologies 87 (2)
    TCP/IP Overview 89 (7)
  Internet/Intranet/Extranet Components 96 (6)
    Firewalls 97 (3)
    Other Network Devices 100 (2)
  Remote Access Security Management 102 (1)
  Network and Protocol Security Mechanisms 103 (4)
    VPN Protocols 103 (1)
    Secure Communications Protocols 104 (1)
    E-Mail Security Solutions 105 (1)
    Dial-Up Protocols 105 (1)
    Authentication Protocols 106 (1)
    Centralized Remote Authentication Services 106 (1)
  Network and Protocol Services 107 (1)
    Frame Relay 107 (1)
    Other WAN Technologies 108 (1)
  Avoiding Single Points of Failure 108 (3)
    Redundant Servers 109 (1)
    Failover Solutions 109 (1)
    RAID 110 (1)
  Summary 111 (1)
  Exam Essentials 112 (2)
  Review Questions 114 (4)
  Answers to Review Questions 118 (3)

Communications Security and Countermeasures 121 (32)
  Virtual Private Network (VPN) 122 (3)
    Tunneling 123 (1)
    How VPNs Work 124 (1)
    Implementing VPNs 124 (1)
  Network Address Translation 125 (1)
    Private IP Addresses 125 (1)
    Stateful NAT 126 (1)
  Switching Technologies 126 (2)
    Circuit Switching 126 (1)
    Packet Switching 127 (1)
    Virtual Circuits 127 (1)
  WAN Technologies 128 (3)
    WAN Connection Technologies 129 (1)
    Encapsulation Protocols 130 (1)
  Miscellaneous Security Control Characteristics 131 (1)
    Transparency 131 (1)
    Verifying Integrity 131 (1)
    Transmission Mechanisms 132 (1)
  Managing E-Mail Security 132 (4)
    E-Mail Security Goals 132 (1)
    Understanding E-Mail Security Issues 133 (1)
    E-Mail Security Solutions 134 (2)
  Securing Voice Communications 136 (3)
    Social Engineering 136 (1)
    Fraud and Abuse 137 (1)
    Phreaking 138 (1)
  Security Boundaries 139 (1)
  Network Attacks and Countermeasures 139 (3)
    Eavesdropping 140 (1)
    Second-Tier Attacks 140 (1)
    Address Resolution Protocol (ARP) 141 (1)
  Summary 142 (1)
  Exam Essentials 143 (3)
  Review Questions 146 (4)
  Answers to Review Questions 150 (3)

Security Management Concepts and Principles 153 (22)
  Security Management Concepts and Principles 154 (5)
    Confidentiality 154 (1)
    Integrity 155 (1)
    Availability 156 (1)
    Other Security Concepts 157 (2)
  Protection Mechanisms 159 (2)
    Layering 160 (1)
    Abstraction 160 (1)
    Data Hiding 160 (1)
    Encryption 161 (1)
  Change Control/Management 161 (1)
  Data Classification 162 (3)
  Summary 165 (1)
  Exam Essentials 166 (2)
  Review Questions 168 (4)
  Answers to Review Questions 172 (3)

Asset Value, Policies, and Roles 175 (34)
  Employment Policies and Practices 176 (3)
    Security Management for Employees 176 (3)
  Security Roles 179 (2)
  Security Management Planning 181 (1)
  Policies, Standards, Baselines, Guidelines, and Procedures 182 (3)
    Security Policies 182 (2)
    Security Standards, Baselines, and Guidelines 184 (1)
    Security Procedures 184 (1)
  Risk Management 185 (11)
    Risk Terminology 186 (2)
    Risk Assessment Methodologies 188 (2)
    Quantitative Risk Analysis 190 (3)
    Qualitative Risk Analysis 193 (2)
    Handling Risk 195 (1)
  Security Awareness Training 196 (1)
  Summary 197 (2)
  Exam Essentials 199 (3)
  Review Questions 202 (4)
  Answers to Review Questions 206 (3)

Data and Application Security Issues 209 (48)
  Application Issues 210 (6)
    Local/Nondistributed Environment 210 (2)
    Distributed Environment 212 (4)
  Databases and Data Warehousing 216 (9)
    Database Management System (DBMS) Architecture 216 (3)
    Database Transactions 219 (1)
    Security for Multilevel Databases 220 (2)
    ODBC 222 (1)
    Aggregation 223 (1)
    Data Mining 224 (1)
  Data/Information Storage 225 (1)
    Types of Storage 225 (1)
    Storage Threats 226 (1)
  Knowledge-Based Systems 226 (3)
    Expert Systems 227 (1)
    Neural Networks 228 (1)
    Decision Support Systems 228 (1)
    Security Applications 229 (1)
  Systems Development Controls 229 (18)
    Software Development 229 (5)
    Systems Development Life Cycle 234 (3)
    Life Cycle Models 237 (3)
    Gantt Charts and PERT 240 (2)
    Change Control and Configuration Management 242 (1)
    Software Testing 243 (1)
    Security Control Architecture 244 (3)
    Service Level Agreements 247 (1)
  Summary 247 (1)
  Exam Essentials 248 (1)
  Written Lab 249 (1)
  Review Questions 250 (4)
  Answers to Review Questions 254 (2)
  Answers to Written Lab 256 (1)

Malicious Code and Application Attacks 257 (36)
  Malicious Code 258 (10)
    Sources 258 (1)
    Viruses 259 (5)
    Logic Bombs 264 (1)
    Trojan Horses 264 (1)
    Worms 265 (2)
    Active Content 267 (1)
    Countermeasures 267 (1)
  Password Attacks 268 (3)
    Password Guessing 269 (1)
    Dictionary Attacks 269 (1)
    Social Engineering 270 (1)
    Countermeasures 270 (1)
  Denial of Service Attacks 271 (6)
    SYN Flood 271 (1)
    Distributed DoS Toolkits 272 (1)
    Smurf 273 (1)
    Teardrop 274 (2)
    Land 276 (1)
    DNS Poisoning 276 (1)
    Ping of Death 276 (1)
  Application Attacks 277 (1)
    Buffer Overflows 277 (1)
    Time-of-Check-to-Time-of-Use 278 (1)
    Trap Doors 278 (1)
    Rootkits 278 (1)
  Reconnaissance Attacks 278 (2)
    IP Probes 279 (1)
    Port Scans 279 (1)
    Vulnerability Scans 279 (1)
    Dumpster Diving 280 (1)
  Masquerading Attacks 280 (1)
    IP Spoofing 280 (1)
    Session Hijacking 281 (1)
  Decoy Techniques 281 (1)
    Honey Pots 281 (1)
    Pseudo-Flaws 281 (1)
  Summary 282 (1)
  Exam Essentials 283 (1)
  Written Lab 284 (1)
  Review Questions 285 (4)
  Answers to Review Questions 289 (2)
  Answers to Written Lab 291 (2)

Cryptography and Private Key Algorithms 293 (42)
  History 294 (2)
    Caesar Cipher 294 (1)
    American Civil War 295 (1)
    Ultra vs. Enigma 295 (1)
  Cryptographic Basics 296 (14)
    Goals of Cryptography 296 (1)
    Cryptography Concepts 297 (2)
    Cryptographic Mathematics 299 (6)
    Ciphers 305 (5)
  Modern Cryptography 310 (6)
    Cryptographic Keys 311 (1)
    Symmetric Key Algorithms 312 (1)
    Asymmetric Key Algorithms 313 (3)
    Hashing Algorithms 316 (1)
  Symmetric Cryptography 316 (8)
    Data Encryption Standard (DES) 316 (2)
    Triple DES (3DES) 318 (1)
    International Data Encryption Algorithm (IDEA) 319 (1)
    Blowfish 319 (1)
    Skipjack 320 (1)
    Advanced Encryption Standard (AES) 320 (2)
    Key Distribution 322 (2)
    Key Escrow 324 (1)
  Summary 324 (1)
  Exam Essentials 325 (2)
  Written Lab 327 (1)
  Review Questions 328 (4)
  Answers to Review Questions 332 (2)
  Answers to Written Lab 334 (1)

PKI and Cryptographic Applications 335 (34)
  Asymmetric Cryptography 336 (4)
    Public and Private Keys 337 (1)
    RSA 337 (1)
    El Gamal 338 (1)
    Elliptic Curve 339 (1)
  Hash Functions 340 (4)
    SHA 341 (1)
    MD2 342 (1)
    MD4 342 (1)
    MD5 343 (1)
  Digital Signatures 344 (2)
    HMAC 345 (1)
    Digital Signature Standard 345 (1)
  Public Key Infrastructure 346 (4)
    Certificates 346 (1)
    Certificate Authorities 347 (1)
    Certificate Generation and Destruction 348 (2)
    Key Management 350 (1)
  Applied Cryptography 350 (9)
    Electronic Mail 351 (2)
    Web 353 (1)
    E-Commerce 354 (1)
    Networking 355 (4)
  Cryptographic Attacks 359 (1)
  Summary 360 (1)
  Exam Essentials 361 (2)
  Review Questions 363 (4)
  Answers to Review Questions 367 (2)

Principles of Computer Design 369 (46)
  Computer Architecture 371 (20)
    Hardware 371 (18)
    Input/Output Structures 389 (2)
    Firmware 391 (1)
  Security Protection Mechanisms 391 (6)
    Technical Mechanisms 391 (2)
    Security Policy and Computer Architecture 393 (1)
    Policy Mechanisms 394 (1)
    Distributed Architecture 395 (2)
  Security Models 397 (8)
    State Machine Model 397 (1)
    Information Flow Model 398 (1)
    Noninterference Model 398 (1)
    Take-Grant Model 398 (1)
    Access Control Matrix 399 (1)
    Bell-LaPadula Model 400 (2)
    Biba 402 (1)
    Clark-Wilson 403 (1)
    Brewer and Nash Model (a.k.a. Chinese Wall) 403 (1)
    Classifying and Comparing Models 404 (1)
  Summary 405 (1)
  Exam Essentials 406 (2)
  Review Questions 408 (4)
  Answers to Review Questions 412 (3)

Principles of Security Models 415 (34)
  Common Security Models, Architectures, and Evaluation Criteria 416 (8)
    Trusted Computing Base (TCB) 417 (1)
    Security Models 418 (2)
    Objects and Subjects 420 (1)
    Closed and Open Systems 421 (1)
    Techniques for Ensuring Confidentiality, Integrity, and Availability 422 (1)
    Controls 423 (1)
    Trust and Assurance 423 (1)
  Understanding System Security Evaluation 424 (11)
    Rainbow Series 424 (4)
    ITSEC Classes and Required Assurance and Functionality 428 (1)
    Common Criteria 429 (3)
    Certification and Accreditation 432 (3)
  Common Flaws and Security Issues 435 (5)
    Covert Channels 435 (1)
    Attacks Based on Design or Coding Flaws and Security Issues 435 (4)
    Programming 439 (1)
    Timing, State Changes, and Communication Disconnects 439 (1)
    Electromagnetic Radiation 439 (1)
  Summary 440 (1)
  Exam Essentials 441 (2)
  Review Questions 443 (4)
  Answers to Review Questions 447 (2)

Administrative Management 449 (28)
  Operations Security Concepts 450 (14)
    Antivirus Management 451 (1)
    Operational Assurance and Life Cycle Assurance 452 (1)
    Backup Maintenance 452 (1)
    Changes in Workstation/Location 453 (1)
    Need-to-Know and the Principle of Least Privilege 453 (1)
    Privileged Operations Functions 454 (1)
    Trusted Recovery 455 (1)
    Configuration and Change Management Control 455 (1)
    Standards of Due Care and Due Diligence 456 (1)
    Privacy and Protection 457 (1)
    Legal Requirements 457 (1)
    Illegal Activities 457 (1)
    Record Retention 458 (1)
    Sensitive Information and Media 458 (3)
    Security Control Types 461 (1)
    Operations Controls 462 (2)
  Personnel Controls 464 (2)
  Summary 466 (1)
  Exam Essentials 467 (3)
  Review Questions 470 (4)
  Answers to Review Questions 474 (3)

Auditing and Monitoring 477 (32)
  Auditing 478 (6)
    Auditing Basics 478 (2)
    Audit Trails 480 (1)
    Reporting Concepts 481 (1)
    Sampling 482 (1)
    Record Retention 483 (1)
    External Auditors 484 (1)
  Monitoring 484 (2)
    Monitoring Tools and Techniques 485 (1)
  Penetration Testing Techniques 486 (5)
    Planning Penetration Testing 487 (1)
    Penetration Testing Teams 488 (1)
    Ethical Hacking 488 (1)
    War Dialing 488 (1)
    Sniffing and Eavesdropping 489 (1)
    Radiation Monitoring 490 (1)
    Dumpster Diving 490 (1)
    Social Engineering 491 (1)
  Problem Management 491 (1)
  Inappropriate Activities 491 (1)
  Indistinct Threats and Countermeasures 492 (5)
    Errors and Omissions 492 (1)
    Fraud and Theft 493 (1)
    Collusion 493 (1)
    Sabotage 493 (1)
    Loss of Physical and Infrastructure Support 493 (2)
    Malicious Hackers or Crackers 495 (1)
    Espionage 495 (1)
    Malicious Code 495 (1)
    Traffic and Trend Analysis 495 (1)
    Initial Program Load Vulnerabilities 496 (1)
  Summary 497 (1)
  Exam Essentials 498 (4)
  Review Questions 502 (4)
  Answers to Review Questions 506 (3)

Business Continuity Planning 509 (26)
  Business Continuity Planning 510 (1)
  Project Scope and Planning 511 (4)
    Business Organization Analysis 511 (1)
    BCP Team Selection 512 (1)
    Resource Requirements 513 (1)
    Legal and Regulatory Requirements 514 (1)
  Business Impact Assessment 515 (4)
    Identify Priorities 516 (1)
    Risk Identification 516 (1)
    Likelihood Assessment 517 (1)
    Impact Assessment 518 (1)
    Resource Prioritization 519 (1)
  Continuity Strategy 519 (4)
    Strategy Development 519 (1)
    Provisions and Processes 520 (2)
    Plan Approval 522 (1)
    Plan Implementation 522 (1)
    Training and Education 522 (1)
  BCP Documentation 523 (3)
    Continuity Planning Goals 523 (1)
    Statement of Importance 523 (1)
    Statement of Priorities 524 (1)
    Statement of Organizational Responsibility 524 (1)
    Statement of Urgency and Timing 524 (1)
    Risk Assessment 524 (1)
    Risk Acceptance/Mitigation 525 (1)
    Vital Records Program 525 (1)
    Emergency Response Guidelines 525 (1)
    Maintenance 525 (1)
    Testing 526 (1)
  Summary 526 (1)
  Exam Essentials 526 (2)
  Review Questions 528 (4)
  Answers to Review Questions 532 (3)

Disaster Recovery Planning 535 (36)
  Disaster Recovery Planning 536 (9)
    Natural Disasters 537 (4)
    Man-Made Disasters 541 (4)
  Recovery Strategy 545 (7)
    Business Unit Priorities 545 (1)
    Crisis Management 546 (1)
    Emergency Communications 546 (1)
    Work Group Recovery 546 (1)
    Alternate Processing Sites 547 (3)
    Mutual Assistance Agreements 550 (1)
    Database Recovery 551 (1)
  Recovery Plan Development 552 (7)
    Emergency Response 553 (1)
    Personnel Notification 553 (1)
    Backups and Offsite Storage 554 (3)
    Software Escrow Arrangements 557 (1)
    External Communications 558 (1)
    Utilities 558 (1)
    Logistics and Supplies 558 (1)
    Recovery vs. Restoration 558 (1)
  Training and Documentation 559 (1)
  Testing and Maintenance 560 (1)
    Checklist Test 560 (1)
    Structured Walk-Through 560 (1)
    Simulation Test 561 (1)
    Parallel Test 561 (1)
    Full-Interruption Test 561 (1)
    Maintenance 561 (1)
  Summary 561 (1)
  Exam Essentials 562 (1)
  Written Lab 563 (1)
  Review Questions 564 (4)
  Answers to Review Questions 568 (2)
  Answers to Written Lab 570 (1)

Law and Investigations 571 (34)
  Categories of Laws 572 (2)
    Criminal Law 572 (1)
    Civil Law 573 (1)
    Administrative Law 574 (1)
  Laws 574 (16)
    Computer Crime 575 (3)
    Intellectual Property 578 (6)
    Licensing 584 (1)
    Import/Export 584 (1)
    Privacy 585 (5)
  Investigations 590 (5)
    Evidence 591 (2)
    Investigation Process 593 (2)
  Summary 595 (1)
  Exam Essentials 595 (2)
  Written Lab 597 (1)
  Review Questions 598 (4)
  Answers to Review Questions 602 (2)
  Answers to Written Lab 604 (1)

Incidents and Ethics 605 (22)
  Major Categories of Computer Crime 606 (4)
    Military and Intelligence Attacks 607 (1)
    Business Attacks 607 (1)
    Financial Attacks 608 (1)
    Terrorist Attacks 608 (1)
    Grudge Attacks 609 (1)
    "Fun" Attacks 609 (1)
  Evidence 610 (1)
  Incident Handling 610 (6)
    Common Types of Incidents 611 (1)
    Response Teams 612 (2)
    Abnormal and Suspicious Activity 614 (1)
    Confiscating Equipment, Software, and Data 614 (1)
    Incident Data Integrity and Retention 615 (1)
    Reporting Incidents 615 (1)
  Ethics 616 (2)
    (ISC)² Code of Ethics 616 (1)
    Ethics and the Internet 617 (1)
  Summary 618 (1)
  Exam Essentials 619 (2)
  Review Questions 621 (4)
  Answers to Review Questions 625 (2)

Physical Security Requirements 627 (32)
  Facility Requirements 628 (3)
    Secure Facility Plan 629 (1)
    Physical Security Controls 629 (1)
    Site Selection 629 (1)
    Visibility 630 (1)
    Accessibility 630 (1)
    Natural Disasters 630 (1)
    Facility Design 630 (1)
    Work Areas 630 (1)
    Server Rooms 631 (1)
    Visitors 631 (1)
  Forms of Physical Access Controls 631 (5)
    Fences, Gates, Turnstiles, and Mantraps 632 (1)
    Lighting 633 (1)
    Security Guards and Dogs 634 (1)
    Keys and Combination Locks 634 (1)
    Badges 635 (1)
    Motion Detectors 635 (1)
    Intrusion Alarms 635 (1)
    Secondary Verification Mechanisms 636 (1)
  Technical Controls 636 (4)
    Smart Cards 637 (1)
    Proximity Readers 637 (1)
    Access Abuses 638 (1)
    Intrusion Detection Systems 638 (1)
    Emanation Security 639 (1)
  Environment and Life Safety 640 (7)
    Personnel Safety 640 (1)
    Power and Electricity 640 (2)
    Noise 642 (1)
    Temperature, Humidity, and Static 642 (1)
    Water 643 (1)
    Fire Detection and Suppression 643 (4)
    Equipment Failure 647 (1)
  Summary 648 (1)
  Exam Essentials 649 (3)
  Review Questions 652 (4)
  Answers to Review Questions 656 (3)

Glossary 659 (66)
Index 725
