All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
ALL IN ONE
CISSP® EXAM GUIDE
Seventh Edition
Shon Harris
Fernando Maymí
McGraw-Hill Education is an independent entity from (ISC)2® and is not affiliated with (ISC)2 in any manner. This study/
training guide and/or material is not sponsored by, endorsed by, or affiliated with (ISC)2 in any manner. This publication and
digital content may be used in assisting students to prepare for the CISSP exam. Neither (ISC)2 nor McGraw-Hill Education
warrants that use of this publication and digital content will ensure passing any exam. (ISC)2®, CISSP®, CAP®, ISSAP®, ISSEP®,
ISSMP®, SSCP®, CCSP®, and CBK® are trademarks or registered trademarks of (ISC)2 in the United States and certain other
countries. All other trademarks are trademarks of their respective owners.
ISBN: 978-0-07-184926-5
MHID: 0-07-184926-2
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-184927-2,
MHID: 0-07-184927-0.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we
use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such
designations appear in this book, they have been printed with initial caps.
McGraw-Hill Education books are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training
programs. To contact a representative, please visit the Contact Us pages at www.mhprofessional.com.
Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness
of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms.
Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble,
reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any
part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the
work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR
WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY
DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the
functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education
nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting
therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall
McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from
the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to
any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
CONTENTS AT A GLANCE
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1291

CONTENTS
Personnel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Hiring Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Security-Awareness Training . . . . . . . . . . . . . . . . . . . . . . . . . 157
Degree or Certification? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
The Computer Ethics Institute . . . . . . . . . . . . . . . . . . . . . . . 166
The Internet Architecture Board . . . . . . . . . . . . . . . . . . . . . . 166
Corporate Ethics Programs . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Chapter 2 Asset Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Information Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Archival . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Disposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Information Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Classification Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Classification Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Layers of Responsibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Executive Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Data Owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Data Custodian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
System Owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Security Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Supervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Change Control Analyst . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Data Analyst . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Why So Many Roles? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Retention Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Developing a Retention Policy . . . . . . . . . . . . . . . . . . . . . . . . 207
Protecting Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Data Owners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Data Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Data Remanence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Limits on Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Open vs. Closed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Open Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Closed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Distributed System Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Cloud Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Parallel Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Cyber-Physical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
A Few Threats to Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Maintenance Hooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Time-of-Check/Time-of-Use Attacks . . . . . . . . . . . . . . . . . . . 333
Cryptography in Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
The History of Cryptography . . . . . . . . . . . . . . . . . . . . . . . . 335
Cryptography Definitions and Concepts . . . . . . . . . . . . . . . . . . . . . 340
Kerckhoffs’ Principle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
The Strength of the Cryptosystem . . . . . . . . . . . . . . . . . . . . . 343
Services of Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
One-Time Pad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Running and Concealment Ciphers . . . . . . . . . . . . . . . . . . . . 347
Steganography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Types of Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Substitution Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Transposition Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Methods of Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Symmetric vs. Asymmetric Algorithms . . . . . . . . . . . . . . . . . 353
Symmetric Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Block and Stream Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Hybrid Encryption Methods . . . . . . . . . . . . . . . . . . . . . . . . . 364
Types of Symmetric Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Data Encryption Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Triple-DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Advanced Encryption Standard . . . . . . . . . . . . . . . . . . . . . . . 378
International Data Encryption Algorithm . . . . . . . . . . . . . . . 378
Blowfish . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
RC4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
RC5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
RC6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Types of Asymmetric Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Diffie-Hellman Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
El Gamal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Elliptic Curve Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . 386
Knapsack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Zero Knowledge Proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Chapter 4 Communication and Network Security . . . . . . . . . . . . . . . . . . . . . . . . 477
Telecommunications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Open Systems Interconnection Reference Model . . . . . . . . . . . . . . 479
Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Application Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Presentation Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Session Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Transport Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Network Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Data Link Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Physical Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Functions and Protocols in the OSI Model . . . . . . . . . . . . . . 492
Tying the Layers Together . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Multilayer Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
TCP/IP Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Layer 2 Security Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Converged Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Types of Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Analog and Digital . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Asynchronous and Synchronous . . . . . . . . . . . . . . . . . . . . . . 514
Broadband and Baseband . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Cabling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Coaxial Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Twisted-Pair Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Fiber-Optic Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Cabling Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Networking Foundations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Network Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Media Access Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Transmission Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
Network Protocols and Services . . . . . . . . . . . . . . . . . . . . . . . 538
Domain Name Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
E-mail Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . 560
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Networking Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Repeaters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Chapter 5 Identity and Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Security Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
Identification, Authentication, Authorization, and Accountability . . . 724
Identification and Authentication . . . . . . . . . . . . . . . . . . . . . 727
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762
Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776
Identity as a Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
Integrating Identity Services . . . . . . . . . . . . . . . . . . . . . . . . . 786
Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
Discretionary Access Control . . . . . . . . . . . . . . . . . . . . . . . . . 787
Mandatory Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 789
Role-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Rule-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Access Control Techniques and Technologies . . . . . . . . . . . . . . . . . 796
Constrained User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 796
Access Control Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
Content-Dependent Access Control . . . . . . . . . . . . . . . . . . . 798
Context-Dependent Access Control . . . . . . . . . . . . . . . . . . . 799
Access Control Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Centralized Access Control Administration . . . . . . . . . . . . . . 800
Decentralized Access Control Administration . . . . . . . . . . . . 807
Access Control Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Access Control Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
Administrative Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
Physical Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
Technical Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811
Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Review of Audit Information . . . . . . . . . . . . . . . . . . . . . . . . . 816
Protecting Audit Data and Log Information . . . . . . . . . . . . . 818
Keystroke Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 818
Access Control Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819
Unauthorized Disclosure of Information . . . . . . . . . . . . . . . . 819
Access Control Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822
Intrusion Detection Systems . . . . . . . . . . . . . . . . . . . . . . . . . 822
Intrusion Prevention Systems . . . . . . . . . . . . . . . . . . . . . . . . 830
Threats to Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834
Dictionary Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
Brute-Force Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
Spoofing at Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836
Phishing and Pharming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836
Assurance Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930
Operational Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931
Unusual or Unexplained Occurrences . . . . . . . . . . . . . . . . . . 931
Deviations from Standards . . . . . . . . . . . . . . . . . . . . . . . . . . 932
Unscheduled Initial Program Loads (aka Rebooting) . . . . . . . 932
Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
Trusted Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
Input and Output Controls . . . . . . . . . . . . . . . . . . . . . . . . . . 936
System Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 937
Remote Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 939
Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 940
Facility Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
Personnel Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . 949
External Boundary Protection Mechanisms . . . . . . . . . . . . . . 950
Intrusion Detection Systems . . . . . . . . . . . . . . . . . . . . . . . . . 960
Patrol Force and Guards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 962
Dogs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963
Auditing Physical Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963
Secure Resource Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964
Asset Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964
Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . 966
Provisioning Cloud Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
Network and Resource Availability . . . . . . . . . . . . . . . . . . . . . . . . . 970
Mean Time Between Failures . . . . . . . . . . . . . . . . . . . . . . . . . 971
Mean Time to Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972
Single Points of Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 973
Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 981
Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 983
Preventative Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 985
Intrusion Detection and Prevention Systems . . . . . . . . . . . . . 986
Antimalware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988
Patch Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988
Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
The Incident Management Process . . . . . . . . . . . . . . . . . . . . . . . . . 993
Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 998
Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 998
Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 999
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1000
Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001
Remediation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001
Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002
Business Process Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006
Facility Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006
Secure Software Development Best Practices . . . . . . . . . . . . . . . . . . 1097
Software Development Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1098
Build and Fix Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099
Waterfall Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099
V-Shaped Model (V-Model) . . . . . . . . . . . . . . . . . . . . . . . . . 1100
Prototyping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101
Incremental Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101
Spiral Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1102
Rapid Application Development . . . . . . . . . . . . . . . . . . . . . . 1104
Agile Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105
Integrated Product Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1109
DevOps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1109
Capability Maturity Model Integration . . . . . . . . . . . . . . . . . . . . . . 1111
Change Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1113
Software Configuration Management . . . . . . . . . . . . . . . . . . 1114
Security of Code Repositories . . . . . . . . . . . . . . . . . . . . . . . . 1116
Programming Languages and Concepts . . . . . . . . . . . . . . . . . . . . . . 1116
Assemblers, Compilers, Interpreters . . . . . . . . . . . . . . . . . . . . 1119
Object-Oriented Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . 1121
Other Software Development Concepts . . . . . . . . . . . . . . . . 1129
Application Programming Interfaces . . . . . . . . . . . . . . . . . . . 1131
Distributed Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1132
Distributed Computing Environment . . . . . . . . . . . . . . . . . . 1132
CORBA and ORBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1134
COM and DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1136
Java Platform, Enterprise Edition . . . . . . . . . . . . . . . . . . . . . 1138
Service-Oriented Architecture . . . . . . . . . . . . . . . . . . . . . . . . 1138
Mobile Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1142
Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1142
ActiveX Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1144
Web Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1146
Specific Threats for Web Environments . . . . . . . . . . . . . . . . . 1146
Web Application Security Principles . . . . . . . . . . . . . . . . . . . 1154
Database Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1155
Database Management Software . . . . . . . . . . . . . . . . . . . . . . 1155
Database Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1157
Database Programming Interfaces . . . . . . . . . . . . . . . . . . . . . 1161
Relational Database Components . . . . . . . . . . . . . . . . . . . . . 1164
Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1166
Database Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1169
Data Warehousing and Data Mining . . . . . . . . . . . . . . . . . . . 1174
Malicious Software (Malware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1178
Viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1179
Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1182
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1291
In the summer of 2014, Shon asked me to write a foreword for the new edition of her
CISSP All-in-One Exam Guide. I was honored to do that, and the following two paragraphs
are that original foreword. Following that, I will say more about my friend, the
late Shon Harris.
The cyber security field is still relatively new and has been evolving as technology
advances. Every decade or so, we have an advance or two that seems to change the game.
For example, in the 1990s we were focused primarily on “perimeter defense.” Lots of
money was spent on perimeter devices like firewalls to keep the bad guys out. Around
2000, recognizing that perimeter defense alone was insufficient, the “defense in depth”
approach became popular, and we spent another decade trying to build layers of defense
and detect the bad guys who were able to get past our perimeter defenses. Again, lots of
money was spent, this time on intrusion detection, intrusion prevention, and end-point
solutions. Then, around 2010, following the lead of the U.S. government in particular,
we began to focus on “continuous monitoring,” the goal being to catch the bad guys
inside the network if they get past the perimeter defense and the defense in depth.
Security information and event management (SIEM) technology has emerged as the
best way to handle this continuous monitoring requirement. The latest buzz phrase is
“active defense,” which refers to the ability to respond in real time through a dynamic and
changing defense that works to contain the attacker and allow the organization to recover
quickly and get back to business. We are starting to see the re-emergence of honeypots
combined with sandbox technology to bait and trap attackers for further analysis of their
activity. One thing is common throughout this brief historical survey: the bad guys keep
getting in and we keep responding to try and keep up, if not prevent them in the first
place. This cat-and-mouse game will continue for the foreseeable future.
As the cyber security field continuously evolves to meet the latest emerging threats,
each new strategy and tactic brings with it a new set of terminology and concepts for
the security professional to master. The sheer bulk of the body of knowledge can be
overwhelming, particularly to newcomers. As a security practitioner, consultant, and
business leader, I am often asked by aspiring security practitioners where to start when
trying to get into the field. I often refer them to Shon’s CISSP All-in-One Exam Guide,
not necessarily for the purpose of becoming a CISSP, but so that they may have in one
resource the body of knowledge in the field. I am also often asked by experienced security
practitioners how to advance in the field. I encourage them to pursue CISSP certification
and, once again, I refer them to Shon’s book. Some are destined to become leaders in
the field, and the CISSP is a solid certificate for managers. Other security professionals
I encounter are just looking for more breadth of knowledge, and I recommend Shon’s
book to them too as a good one-stop reference for that. This book has stood the test
of time. It has evolved as the field has evolved and stands as the single most important
FOREWORD
I’m excited and honored to introduce the seventh edition of CISSP All-in-One Exam
Guide to cyber security experts worldwide. This study guide is essential for those pursuing
CISSP certification and should be part of every cyber security professional’s library.
After 39 years of service in the Profession of Arms, I know well what it means to
be a member of a profession and the importance of shared values, common language,
and identity. At the same time, expert knowledge gained through training, education,
and experience is a critical ingredient of a profession, but formal certifications based on
clearly articulated standards are the coin of the realm for cyber security professionals.
In every operational assignment, I sought ways to leverage technology and increase
digitization, while assuming our freedom to operate was not at risk. Today’s threats
coupled with our vulnerabilities and the potential consequences create a new operational
reality—national security is at risk. When we enter any network, we must fight to ensure
we maintain our security, and cyber security experts are the professionals we will call on
to out-think and out-maneuver the threats we face from cyberspace.
As our world becomes more interconnected, we can expect cyber threats to continue
to grow exponentially. While our cyber workforce enabled by technology must focus
on preventing threats and reducing vulnerabilities, we will not eliminate either. This
demands professionals who understand risk management and security—experts who
are trusted and committed to creating and providing a wide range of security measures
tailored to mitigate enterprise risk and assure all missions, public and private.
Current, relevant domain expertise is the key, and the CISSP All-in-One Exam Guide is
the king of the hill. In this edition, Shon’s quality content is present and is being stewarded
forward by Fernando Maymí. You’re in good hands, and you will grow personally and
professionally from your study. For competent, trusted professionals of character, this book
is essential to you, your organization, and our national security.
Rhett Hernandez
Lieutenant General, U.S. Army Retired
Former Commander, U.S. Army Cyber Command
Current West Point Cyber Chair, Army Cyber Institute
ACKNOWLEDGMENTS
We would like to thank all the people who work in the information security industry
who are driven by their passion, dedication, and a true sense of doing right. The best
security people are the ones who are driven toward an ethical outcome.
In this seventh edition, we would also like to thank the following:
• Ronald Dodge, who brought the two authors of this book together and, in doing
so, set off a sequence of events that he couldn’t have possibly anticipated.
• David Miller, whose work ethic, loyalty, and friendship have continuously inspired us.
• All the teammates from Logical Security.
• The men and women of our armed forces, who selflessly defend our way of life.
• Kathy Conlon, who, more than anyone else, set the conditions that led to seven
editions of this book.
• David Harris.
• Emma Fernandez.
Most especially, we thank you, our readers, for standing on the frontlines of our digital
conflicts and for devoting your professional lives to keeping all of us safe in cyberspace.
For the first time in seven editions, the CISSP All-in-One Exam Guide bears the names
of two authors. For the first time in 15 years, Shon Harris will not be with us as we go to
print on a new edition of her seminal work. Still, she remains with us in the pages of the
hundreds of thousands of books sold, which have enriched the lives of security professionals
worldwide. It is no exaggeration to say that Shon was one of the most influential
authors in our field. Her legacy lives on in the pages of this latest edition.
Our goal in this seventh edition of Shon’s book was both to address the newly revised
CISSP body of knowledge and to allow you to hear Shon’s voice as you read the words on
its pages. You see, much of the content in this book was actually authored by Shon. We
have reorganized, enhanced, augmented, and updated it, but the content is still largely
hers. If you have read any of her multitude of other works or had the blessing of having
met her, you will recognize her distinctive tone in these pages. We also hope that you will
perceive her penchant for excellence in every aspect of professional development.
The goal of this book is not just to get you to pass the CISSP exam, but to provide
you the bedrock of knowledge that will allow you to flourish as an information systems
security professional before and after you pass the certification exam. If you strive for
excellence in your own development, the CISSP certification will follow as a natural
byproduct. This approach will demand that you devote time and energy to topics and
issues that may seem to have no direct or immediate return on investment. That is OK.
We each have our own areas of strength and weakness, and many of us tend to reinforce
the former while ignoring the latter. This leads to individuals who have tremendous
depth in a very specific topic, but who lack the breadth to understand context or thrive
in new and unexpected conditions. What we propose is an inversion of this natural
tendency, so that we devote appropriate amounts of effort to those areas in which we are
weakest, balancing the urge to be specialists with the need to be well-rounded
professionals. This is what our organizations and societies need from us.
The very definition of a profession describes a group of trusted, well-trained individuals
that performs a critical service that societies cannot do for themselves. In the case of
the CISSP, this professional ensures the confidentiality, integrity, and availability of our
information systems. This cannot be done simply by being the best firewall administrator,
or the best forensic examiner, or the best reverse engineer. Instead, our service requires a
breadth of knowledge that will allow us to choose the right tool for the job. This relevant
knowledge, in turn, requires a foundation of (apparently less relevant) knowledge upon
which we can build our expertise. This is why, in order to be competent professionals,
we all need to devote ourselves to learning topics that may not be immediately useful.
This book provides an encyclopedic treatment of both directly applicable and
foundational knowledge. It is designed, as it always was, to be both a study guide and an
enduring reference. Our hope is that, long after you obtain your CISSP certification, you
will turn to this tome time and again to brush up on your areas of weakness as well as to
guide you in a lifelong pursuit of self-learning and excellence.
As our world changes, the need for improvements in security and technology continues
to grow. Corporations and other organizations are desperate to identify and recruit
talented and experienced security professionals to help protect the resources on which
they depend to run their businesses and remain competitive. As a Certified Information
Systems Security Professional (CISSP), you will be seen as a security professional of
proven ability who has successfully met a predefined standard of knowledge and experience
that is well understood and respected throughout the industry. By keeping this
certification current, you will demonstrate your dedication to staying abreast of security
developments.
Consider some of the reasons for attaining a CISSP certification:
• To broaden your current knowledge of security concepts and practices
• To demonstrate your expertise as a seasoned security professional
• To become more marketable in a competitive workforce
• To increase your salary and be eligible for more employment opportunities
• To bring improved security expertise to your current occupation
• To show a dedication to the security discipline
The CISSP certification helps companies identify which individuals have the ability,
knowledge, and experience necessary to implement solid security practices; perform
risk analysis; identify necessary countermeasures; and help the organization as a whole
protect its facility, network, systems, and information. The CISSP certification also
shows potential employers you have achieved a level of proficiency and expertise in
skill sets and knowledge required by the security industry. The increasing importance
placed on security in corporate success will only continue in the future, leading to even
greater demands for highly skilled security professionals. The CISSP certification shows
that a respected third-party organization has recognized an individual’s technical and
theoretical knowledge and expertise, and distinguishes that individual from those who
lack this level of knowledge.
Understanding and implementing security practices is an essential part of being a good
network administrator, programmer, or engineer. Job descriptions that do not specifically
target security professionals still often require that a potential candidate have a good
understanding of security concepts as well as how to implement them. Due to staff size
and budget constraints, many organizations can’t afford separate network and security staffs.
But they still believe security is vital to their organization. Thus, they often try to combine
knowledge of technology and security into a single role. With a CISSP designation, you
can put yourself head and shoulders above other individuals in this regard.
It happened that just then it was full high tide, when the current
changes from its usual course, and in consequence the logs floated
in favor of Hemling.
In days gone by, so the story goes, it happened that a milkmaid did
not produce as much milk and butter from her herd as usual, for
which her master took her severely to task. The girl sought
vindication by charging it upon the Vätts, who, she claimed,
possessed the place and appropriated a share of the product of the
herd. This, the master was not willing to believe, but, to satisfy
himself, went one autumn evening, after the cattle had been brought
home, to the dairy house, where he secreted himself, as he
supposed, under an upturned cheese kettle. He had not sat in his
hiding place long when a Vätt mother with her family—a large one—
came trooping in and began preparation for their meal.
The mother, who was busy at the fireplace, finally inquired if all had
spoons.
“Yes,” replied one of the Vätts. “All except him under the kettle.”
When St. Jaffen, “the Apostle of the North,” was one time riding
through Jämtland from the borders of Norway, his way led along a
beautiful green valley, in the parish of Åre. Becoming weary, he
dismounted and laid himself down for a nap. When he awoke it
occurred to him that such a garden spot must some day be inhabited
by mankind, so, selecting a slab of stone, he cut in its surface the
following prophetic lines:
Some time later he was again hunting, when he lost his way. After a
long and wearisome wandering he reached a Lapp hut, where he
found a woman stirring something in a kettle. When she had
concluded her cooking, she invited the hunter to dine, and gave him
the same knife to eat with that he had thrown at the storm.
The following day he wished to return home, but could not possibly
discover the course he should take, whereupon the Troll woman—for
his hostess was none other—directed him to get into the Lapp sled,
and attach to it a rope, in which he must tie three knots.
“Now, untie one knot at a time,” said she, “and you will soon reach
home.”
The hunter untied one knot, as instructed, and away went the rope,
dragging the sled after it into the air. After a time he untied another
knot, and his speed was increased. Finally he untied the last knot,
increasing the speed to such a rate that when the sled came to a
standstill, as it did, suddenly, not long after, he concluded his
journey, falling into his own yard with such force as to break his leg.
The Lapp Genesis, or the First of Mankind.
The Lapps, like other people, have their legends, and many of them
the same, or nearly so, as are found among other nations. Others
reflect more particularly the national characteristics of the Lapp folk.
Thus, for instance, there is to be found among them a tradition of a
general deluge, a universal catastrophe, whereof there still remains
a dim reminiscence in the consciences of so many other primitive
people.
Before the Lord destroyed mankind, so says the Lapp legend, there
were people in Samelads (Lappland), but when the Flood came
upon the earth every living creature perished except two, a brother
and sister, whom God conducted to a high mountain—Passevare
—“The Holy Mountain.”
When the waters had subsided and the land was again dry, the
brother and sister separated, going in opposite directions in search
of others, if any might be left. After three years’ fruitless search they
met, and, recognizing each other, they once more went into the
world, to meet again in three years, but, recognizing one another
now, also, they parted a third time. When they met at the end of
these three years neither knew the other, whereafter they lived
together, and from them came the Lapps and Swedes.
More than with anything else, the Lapp legends have to do with
giants and the adventures of mankind with them. The giant is feared
because of his great size and strength and his insatiable appetite for
human flesh. His laziness, clumsiness, and that he is inferior to the
man in intelligence are, however, often the cause of his overthrow.
There was one time a giant who made love to a rich Lapp girl.
Neither she nor her father were much inclined toward the match, but
they did not dare do otherwise than appear to consent and at the
same time thank the Giant for the high honor he would bestow upon
them. The father, nevertheless, determined that the union should not
take place, and consoled himself with the hope that when the time
arrived some means of defeating the Giant’s project would be
presented. Meantime he was obliged to set the day when the Giant
might come and claim his bride. Before the Giant’s arrival the Lapp
took a block of wood, about the size of his daughter, and clothing it in
a gown, a new cap, silver belt, shoes and shoe band, he sat it up in
a corner of the tent, with a close veil, such as is worn by Lapp brides,
over the head.
When the Giant entered the tent he was much pleased to find the
bride, as he supposed, in her best attire awaiting him, and at once
asked his prospective father-in-law to go out with him and select the
reindeer that should go with the bride as her dower. Meanwhile the
daughter was concealed behind an adjacent hill with harnessed
reindeer ready for flight. When the reindeer had been counted out
the Giant proceeded to kill one of them for supper, while the Lapp
slipped off into the woods, and, joining his daughter, they fled with all
speed into the mountains.
The Giant, after dressing the reindeer, went into the tent to visit his
sweetheart.
“Now, my little darling,” said he, “put the kettle over the fire.”
“Oh, the little dear is bashful, I’ll have to do it myself then,” said he.
After the pot had been boiling awhile he again addressed the object
in the corner:
“Now my girl, you may cleave the marrow bone,” but still no
response.
“Come, now, my dear, and prepare the meat.” But the bride was as
bashful as before, and did not stir.
When he had prepared the meal he bade her come and eat, but
without effect. The bride remained motionless in her corner.
“The more for me, then,” thought he, and sat himself to the repast
with a good appetite. When he had eaten, he bade his bride prepare
the bed.
“Ah, my love, are you so bashful? I must then do it myself,” said the
simple Giant.
“Go now and retire.” No, she had not yet overcome her bashfulness,
whereupon the Giant became angry and grasped the object with
great force.
Discovering how the Lapp had deceived him, and that he had only a
block of wood instead of a human of flesh and blood, he was beside
himself with rage, and started in hot pursuit after the Lapp. The latter,
however, had so much the start that the Giant could not overtake
him. At the same time it was snowing, which caused the Giant to
lose his way in the mountains. Finally he began to suffer from the
cold. The moon coming up, he thought it a fire built by the Lapp, and
at once set out on a swift run toward it, but he had already run so far
that he was completely exhausted. He then climbed to the top of a
pine, thinking thereby to get near enough to the fire to warm himself,
but he froze to death instead, and thus ends the story.