All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter
Blind Folio i

ALL IN ONE

CISSP® EXAM GUIDE
Seventh Edition

Shon Harris
Fernando Maymí

New York Chicago San Francisco Athens London Madrid Mexico City
Milan New Delhi Singapore Sydney Toronto

McGraw-Hill Education is an independent entity from (ISC)2® and is not affiliated with (ISC)2 in any manner. This study/
training guide and/or material is not sponsored by, endorsed by, or affiliated with (ISC)2 in any manner. This publication and
digital content may be used in assisting students to prepare for the CISSP exam. Neither (ISC)2 nor McGraw-Hill Education
warrants that use of this publication and digital content will ensure passing any exam. (ISC)2®, CISSP®, CAP®, ISSAP®, ISSEP®,
ISSMP®, SSCP®, CCSP®, and CBK® are trademarks or registered trademarks of (ISC)2 in the United States and certain other
countries. All other trademarks are trademarks of their respective owners.

00-FM.indd 1 14/04/16 10:24 AM


Copyright © 2016 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of
this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written
permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not
be reproduced for publication.

ISBN: 978-0-07-184926-5

MHID: 0-07-184926-2

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-184927-2,
MHID: 0-07-184927-0.

eBook conversion by codeMantra


Version 1.0

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we
use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such
designations appear in this book, they have been printed with initial caps.

McGraw-Hill Education books are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training
programs. To contact a representative, please visit the Contact Us pages at www.mhprofessional.com.

Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness
of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms.
Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble,
reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any
part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the
work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR
WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY
DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the
functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education
nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting
therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall
McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from
the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to
any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

We dedicate this book to all those who have served selflessly.


ABOUT THE AUTHORS


Shon Harris, CISSP, was the founder and CEO of Shon Harris Security LLC and Logical Security LLC, a security consultant, a former engineer in the Air Force’s Information Warfare unit, an instructor, and an author. Shon owned and ran her own training and consulting companies for 13 years prior to her death in 2014. She consulted with Fortune 100 corporations and government agencies on extensive security issues. She authored three best-selling CISSP books, was a contributing author to Gray Hat Hacking: The Ethical Hacker’s Handbook and Security Information and Event Management (SIEM) Implementation, and a technical editor for Information Security Magazine.

Fernando Maymí, Ph.D., CISSP, is a security practitioner with over 25 years’ experience in the field. He currently leads a multidisciplinary team charged with developing disruptive innovations for cyberspace operations as well as impactful public-private partnerships aimed at better securing cyberspace. Fernando has served as a consultant for both government and private-sector organizations in the United States and abroad. He has authored and taught dozens of courses and workshops in cyber security for academic, government, and professional audiences in the United States and Latin America. Fernando is the author of over a dozen publications and holds three patents. His awards include the U.S. Department of the Army Research and Development Achievement Award and he was recognized as a HENAAC Luminary. He worked closely with Shon Harris, advising her on a multitude of projects, including the sixth edition of the CISSP All-in-One Exam Guide. Fernando is also a volunteer puppy raiser for Guiding Eyes for the Blind and has raised two guide dogs, Trinket and Virgo.

About the Contributor


Bobby E. Rogers is an information security engineer working as a contractor for Department of Defense agencies, helping to secure, certify, and accredit their information systems. His duties include information system security engineering, risk management, and certification and accreditation efforts. He retired after 21 years in the U.S. Air Force, serving as a network security engineer and instructor, and has secured networks all over the world. Bobby has a master’s degree in information assurance (IA) and is pursuing a doctoral degree in cybersecurity from Capitol Technology University in Maryland. His many certifications include CISSP-ISSEP, CEH, and MCSE: Security, as well as the CompTIA A+, Network+, Security+, and Mobility+ certifications.


About the Technical Editor


Jonathan Ham, CISSP, GSEC, GCIA, GCIH, is an independent consultant who specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. With a keen understanding of ROI and TCO, he has helped his clients achieve greater success for more than 12 years, advising in both the public and private sectors, from small upstarts to the Fortune 500. Jonathan has been commissioned to teach NCIS investigators how to use Snort, has performed packet analysis from a facility more than 2,000 feet underground, and has chartered and trained the CIRT for one of the largest U.S. civilian federal agencies. He is a member of the GIAC Advisory Board and is a SANS instructor teaching their MGT414: SANS Training Program for CISSP Certification course. He is also co-author of Network Forensics: Tracking Hackers Through Cyberspace, a textbook published by Prentice-Hall.

CONTENTS AT A GLANCE

Chapter 1 Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 2 Asset Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Chapter 3 Security Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Chapter 4 Communication and Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Chapter 5 Identity and Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Chapter 6 Security Assessment and Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
Chapter 7 Security Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
Chapter 8 Software Development Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077
Appendix A Comprehensive Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1213
Appendix B About the . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1269
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1273
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1291


CONTENTS

In Memory of Shon Harris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi


Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
From the Author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii
Why Become a CISSP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Chapter 1 Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Fundamental Principles of Security . . . . . . . . . . . . . . . . . . . . . . . . . 3
Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Balanced Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Security Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Control Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Security Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
ISO/IEC 27000 Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Enterprise Architecture Development . . . . . . . . . . . . . . . . . . 19
Security Controls Development . . . . . . . . . . . . . . . . . . . . . . . 33
Process Management Development . . . . . . . . . . . . . . . . . . . . 37
Functionality vs. Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
The Crux of Computer Crime Laws . . . . . . . . . . . . . . . . . . . . . . . . 45
Complexities in Cybercrime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Electronic Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
The Evolution of Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
International Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Types of Legal Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Intellectual Property Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Trade Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Trademark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Patent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Internal Protection of Intellectual Property . . . . . . . . . . . . . . 67
Software Piracy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
The Increasing Need for Privacy Laws . . . . . . . . . . . . . . . . . . 72
Laws, Directives, and Regulations . . . . . . . . . . . . . . . . . . . . . 73
Employee Privacy Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Data Breaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
U.S. Laws Pertaining to Data Breaches . . . . . . . . . . . . . . . . . 84
Other Nations’ Laws Pertaining to Data Breaches . . . . . . . . . 85
Policies, Standards, Baselines, Guidelines, and Procedures . . . . . . . . 86
Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Baselines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Holistic Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Information Systems Risk Management Policy . . . . . . . . . . . 95
The Risk Management Team . . . . . . . . . . . . . . . . . . . . . . . . . 96
The Risk Management Process . . . . . . . . . . . . . . . . . . . . . . . 97
Threat Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Reduction Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Risk Assessment and Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Risk Analysis Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
The Value of Information and Assets . . . . . . . . . . . . . . . . . . . 104
Costs That Make Up the Value . . . . . . . . . . . . . . . . . . . . . . . 105
Identifying Vulnerabilities and Threats . . . . . . . . . . . . . . . . . 106
Methodologies for Risk Assessment . . . . . . . . . . . . . . . . . . . . 107
Risk Analysis Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Qualitative Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Putting It Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Total Risk vs. Residual Risk . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Handling Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Outsourcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Risk Management Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Categorize Information System . . . . . . . . . . . . . . . . . . . . . . . 128
Select Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Implement Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . 129
Assess Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Authorize Information System . . . . . . . . . . . . . . . . . . . . . . . . 130
Monitor Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Business Continuity and Disaster Recovery . . . . . . . . . . . . . . . . . . . 130
Standards and Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . 133
Making BCM Part of the Enterprise Security Program . . . . . 136
BCP Project Components . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Personnel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Hiring Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Security-Awareness Training . . . . . . . . . . . . . . . . . . . . . . . . . 157
Degree or Certification? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
The Computer Ethics Institute . . . . . . . . . . . . . . . . . . . . . . . 166
The Internet Architecture Board . . . . . . . . . . . . . . . . . . . . . . 166
Corporate Ethics Programs . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Chapter 2 Asset Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Information Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Archival . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Disposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Information Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Classification Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Classification Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Layers of Responsibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Executive Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Data Owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Data Custodian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
System Owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Security Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Supervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Change Control Analyst . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Data Analyst . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Why So Many Roles? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Retention Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Developing a Retention Policy . . . . . . . . . . . . . . . . . . . . . . . . 207
Protecting Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Data Owners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Data Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Data Remanence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Limits on Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

Protecting Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Data Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Media Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Data Leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Data Leak Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Protecting Other Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Protecting Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Paper Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Safes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Chapter 3 Security Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Computer Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
The Central Processing Unit . . . . . . . . . . . . . . . . . . . . . . . . . 252
Multiprocessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Memory Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Process Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Memory Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Input/Output Device Management . . . . . . . . . . . . . . . . . . . . 285
CPU Architecture Integration . . . . . . . . . . . . . . . . . . . . . . . . 287
Operating System Architectures . . . . . . . . . . . . . . . . . . . . . . . 291
Virtual Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
System Security Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Security Architecture Requirements . . . . . . . . . . . . . . . . . . . . 302
Security Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Bell-LaPadula Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Biba Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Clark-Wilson Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Noninterference Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Brewer and Nash Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Graham-Denning Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Harrison-Ruzzo-Ullman Model . . . . . . . . . . . . . . . . . . . . . . . 312
Systems Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Common Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Why Put a Product Through Evaluation? . . . . . . . . . . . . . . . 317
Certification vs. Accreditation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Accreditation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

Open vs. Closed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Open Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Closed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Distributed System Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Cloud Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Parallel Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Cyber-Physical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
A Few Threats to Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Maintenance Hooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Time-of-Check/Time-of-Use Attacks . . . . . . . . . . . . . . . . . . . 333
Cryptography in Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
The History of Cryptography . . . . . . . . . . . . . . . . . . . . . . . . 335
Cryptography Definitions and Concepts . . . . . . . . . . . . . . . . . . . . . 340
Kerckhoffs’ Principle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
The Strength of the Cryptosystem . . . . . . . . . . . . . . . . . . . . . 343
Services of Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
One-Time Pad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Running and Concealment Ciphers . . . . . . . . . . . . . . . . . . . . 347
Steganography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Types of Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Substitution Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Transposition Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Methods of Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Symmetric vs. Asymmetric Algorithms . . . . . . . . . . . . . . . . . 353
Symmetric Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Block and Stream Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Hybrid Encryption Methods . . . . . . . . . . . . . . . . . . . . . . . . . 364
Types of Symmetric Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Data Encryption Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Triple-DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Advanced Encryption Standard . . . . . . . . . . . . . . . . . . . . . . . 378
International Data Encryption Algorithm . . . . . . . . . . . . . . . 378
Blowfish . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
RC4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
RC5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
RC6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Types of Asymmetric Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Diffie-Hellman Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
El Gamal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Elliptic Curve Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . 386
Knapsack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Zero Knowledge Proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

00-FM.indd 11 14/04/16 10:24 AM


All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

CISSP All-in-One Exam Guide


xii
Message Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
The One-Way Hash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Various Hashing Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . 393
MD4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
MD5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
SHA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Attacks Against One-Way Hash Functions . . . . . . . . . . . . . . . 395
Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Digital Signature Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Public Key Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Certificate Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
The Registration Authority . . . . . . . . . . . . . . . . . . . . . . . . . . 402
PKI Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Key Management Principles . . . . . . . . . . . . . . . . . . . . . . . . . 406
Rules for Keys and Key Management . . . . . . . . . . . . . . . . . . 407
Trusted Platform Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
TPM Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Attacks on Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Ciphertext-Only Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Known-Plaintext Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Chosen-Plaintext Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Chosen-Ciphertext Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Differential Cryptanalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Linear Cryptanalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Side-Channel Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Replay Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Algebraic Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Analytic Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Statistical Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Social Engineering Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Meet-in-the-Middle Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 414
Site and Facility Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
The Site Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Crime Prevention Through Environmental Design . . . . . . . . 420
Designing a Physical Security Program . . . . . . . . . . . . . . . . . 426
Protecting Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Protecting Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Using Safes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Internal Support Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Electric Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Environmental Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Fire Prevention, Detection, and Suppression . . . . . . . . . . . . . 448

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Chapter 4 Communication and Network Security . . . . . . . . . . . . . . . . . . . . . . . . 477
Telecommunications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Open Systems Interconnection Reference Model . . . . . . . . . . . . . . 479
Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Application Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Presentation Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Session Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Transport Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Network Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Data Link Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Physical Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Functions and Protocols in the OSI Model . . . . . . . . . . . . . . 492
Tying the Layers Together . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Multilayer Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
TCP/IP Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Layer 2 Security Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Converged Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Types of Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Analog and Digital . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Asynchronous and Synchronous . . . . . . . . . . . . . . . . . . . . . . 514
Broadband and Baseband . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Cabling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Coaxial Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Twisted-Pair Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Fiber-Optic Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Cabling Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Networking Foundations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Network Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Media Access Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Transmission Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
Network Protocols and Services . . . . . . . . . . . . . . . . . . . . . . . 538
Domain Name Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
E-mail Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . 560
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Networking Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Repeaters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567

Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
PBXs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Honeypot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Unified Threat Management . . . . . . . . . . . . . . . . . . . . . . . . . 607
Content Distribution Networks . . . . . . . . . . . . . . . . . . . . . . . 608
Software Defined Networking . . . . . . . . . . . . . . . . . . . . . . . . 609
Intranets and Extranets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Metropolitan Area Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Metro Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Wide Area Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Telecommunications Evolution . . . . . . . . . . . . . . . . . . . . . . . 617
Dedicated Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
WAN Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Remote Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Dial-up Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
ISDN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
DSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Cable Modems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
Wireless Communications Techniques . . . . . . . . . . . . . . . . . . 660
WLAN Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
Evolution of WLAN Security . . . . . . . . . . . . . . . . . . . . . . . . 665
Wireless Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
Best Practices for Securing WLANs . . . . . . . . . . . . . . . . . . . . 677
Satellites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
Mobile Wireless Communication . . . . . . . . . . . . . . . . . . . . . 678
Network Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
Link Encryption vs. End-to-End Encryption . . . . . . . . . . . . . 685
E-mail Encryption Standards . . . . . . . . . . . . . . . . . . . . . . . . . 687
Internet Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Network Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Sniffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
DNS Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Drive-by Download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715

Chapter 5 Identity and Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Security Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
Identification, Authentication, Authorization, and Accountability . . . 724
Identification and Authentication . . . . . . . . . . . . . . . . . . . . . 727
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762
Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776
Identity as a Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
Integrating Identity Services . . . . . . . . . . . . . . . . . . . . . . . . . 786
Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
Discretionary Access Control . . . . . . . . . . . . . . . . . . . . . . . . . 787
Mandatory Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 789
Role-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Rule-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Access Control Techniques and Technologies . . . . . . . . . . . . . . . . . 796
Constrained User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 796
Access Control Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
Content-Dependent Access Control . . . . . . . . . . . . . . . . . . . 798
Context-Dependent Access Control . . . . . . . . . . . . . . . . . . . 799
Access Control Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Centralized Access Control Administration . . . . . . . . . . . . . . 800
Decentralized Access Control Administration . . . . . . . . . . . . 807
Access Control Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Access Control Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
Administrative Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
Physical Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
Technical Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811
Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Review of Audit Information . . . . . . . . . . . . . . . . . . . . . . . . . 816
Protecting Audit Data and Log Information . . . . . . . . . . . . . 818
Keystroke Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 818
Access Control Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819
Unauthorized Disclosure of Information . . . . . . . . . . . . . . . . 819
Access Control Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822
Intrusion Detection Systems . . . . . . . . . . . . . . . . . . . . . . . . . 822
Intrusion Prevention Systems . . . . . . . . . . . . . . . . . . . . . . . . 830
Threats to Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834
Dictionary Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
Brute-Force Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
Spoofing at Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836
Phishing and Pharming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840
Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854
Chapter 6 Security Assessment and Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
Audit Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 860
Internal Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862
Third-Party Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863
Auditing Technical Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865
Vulnerability Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 866
Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869
War Dialing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 874
Other Vulnerability Types . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
Postmortem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 876
Log Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878
Synthetic Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881
Misuse Case Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 882
Code Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 884
Interface Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
Auditing Administrative Controls . . . . . . . . . . . . . . . . . . . . . . . . . . 886
Account Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
Backup Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
Disaster Recovery and Business Continuity . . . . . . . . . . . . . . 892
Security Training and Security Awareness Training . . . . . . . . 899
Key Performance and Risk Indicators . . . . . . . . . . . . . . . . . . 903
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905
Technical Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 906
Executive Summaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 907
Management Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 908
Before the Management Review . . . . . . . . . . . . . . . . . . . . . . 909
Reviewing Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
Management Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 914
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919
Chapter 7 Security Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
The Role of the Operations Department . . . . . . . . . . . . . . . . . . . . . 924
Administrative Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 925
Security and Network Personnel . . . . . . . . . . . . . . . . . . . . . . 928
Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 929
Clipping Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930

Assurance Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930
Operational Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931
Unusual or Unexplained Occurrences . . . . . . . . . . . . . . . . . . 931
Deviations from Standards . . . . . . . . . . . . . . . . . . . . . . . . . . 932
Unscheduled Initial Program Loads (aka Rebooting) . . . . . . . 932
Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
Trusted Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
Input and Output Controls . . . . . . . . . . . . . . . . . . . . . . . . . . 936
System Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 937
Remote Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 939
Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 940
Facility Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
Personnel Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . 949
External Boundary Protection Mechanisms . . . . . . . . . . . . . . 950
Intrusion Detection Systems . . . . . . . . . . . . . . . . . . . . . . . . . 960
Patrol Force and Guards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 962
Dogs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963
Auditing Physical Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963
Secure Resource Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964
Asset Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964
Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . 966
Provisioning Cloud Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
Network and Resource Availability . . . . . . . . . . . . . . . . . . . . . . . . . 970
Mean Time Between Failures . . . . . . . . . . . . . . . . . . . . . . . . . 971
Mean Time to Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972
Single Points of Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 973
Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 981
Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 983
Preventative Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 985
Intrusion Detection and Prevention Systems . . . . . . . . . . . . . 986
Antimalware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988
Patch Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988
Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
The Incident Management Process . . . . . . . . . . . . . . . . . . . . . . . . . 993
Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 998
Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 998
Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 999
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1000
Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001
Remediation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001
Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002
Business Process Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006
Facility Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006

Supply and Technology Recovery . . . . . . . . . . . . . . . . . . . . . . 1013
Choosing a Software Backup Facility . . . . . . . . . . . . . . . . . . . 1018
End-User Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021
Data Backup Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021
Electronic Backup Solutions . . . . . . . . . . . . . . . . . . . . . . . . . 1025
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1028
Insurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1030
Recovery and Restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1031
Developing Goals for the Plans . . . . . . . . . . . . . . . . . . . . . . . 1034
Implementing Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036
Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1038
Computer Forensics and Proper Collection of Evidence . . . . 1039
Motive, Opportunity, and Means . . . . . . . . . . . . . . . . . . . . . 1041
Computer Criminal Behavior . . . . . . . . . . . . . . . . . . . . . . . . 1042
Incident Investigators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1042
The Forensic Investigation Process . . . . . . . . . . . . . . . . . . . . . 1043
What Is Admissible in Court? . . . . . . . . . . . . . . . . . . . . . . . . 1049
Surveillance, Search, and Seizure . . . . . . . . . . . . . . . . . . . . . . 1051
Interviewing Suspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1052
Liability and Its Ramifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1053
Liability Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1056
Third-Party Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1058
Contractual Agreements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1058
Procurement and Vendor Processes . . . . . . . . . . . . . . . . . . . . 1059
Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1060
Personal Safety Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1063
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1064
Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1064
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1067
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1072
Chapter 8 Software Development Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077
Building Good Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077
Where Do We Place Security? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1078
Different Environments Demand Different Security . . . . . . . 1080
Environment vs. Application . . . . . . . . . . . . . . . . . . . . . . . . . 1081
Functionality vs. Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1082
Implementation and Default Issues . . . . . . . . . . . . . . . . . . . . 1082
Software Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . 1084
Project Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1084
Requirements Gathering Phase . . . . . . . . . . . . . . . . . . . . . . . 1085
Design Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1086
Development Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1089
Testing/Validation Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1093
Release/Maintenance Phase . . . . . . . . . . . . . . . . . . . . . . . . . . 1095

Secure Software Development Best Practices . . . . . . . . . . . . . . . . . . 1097
Software Development Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1098
Build and Fix Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099
Waterfall Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099
V-Shaped Model (V-Model) . . . . . . . . . . . . . . . . . . . . . . . . . 1100
Prototyping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101
Incremental Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101
Spiral Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1102
Rapid Application Development . . . . . . . . . . . . . . . . . . . . . . 1104
Agile Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105
Integrated Product Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1109
DevOps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1109
Capability Maturity Model Integration . . . . . . . . . . . . . . . . . . . . . . 1111
Change Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1113
Software Configuration Management . . . . . . . . . . . . . . . . . . 1114
Security of Code Repositories . . . . . . . . . . . . . . . . . . . . . . . . 1116
Programming Languages and Concepts . . . . . . . . . . . . . . . . . . . . . . 1116
Assemblers, Compilers, Interpreters . . . . . . . . . . . . . . . . . . . . 1119
Object-Oriented Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . 1121
Other Software Development Concepts . . . . . . . . . . . . . . . . 1129
Application Programming Interfaces . . . . . . . . . . . . . . . . . . . 1131
Distributed Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1132
Distributed Computing Environment . . . . . . . . . . . . . . . . . . 1132
CORBA and ORBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1134
COM and DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1136
Java Platform, Enterprise Edition . . . . . . . . . . . . . . . . . . . . . 1138
Service-Oriented Architecture . . . . . . . . . . . . . . . . . . . . . . . . 1138
Mobile Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1142
Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1142
ActiveX Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1144
Web Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1146
Specific Threats for Web Environments . . . . . . . . . . . . . . . . . 1146
Web Application Security Principles . . . . . . . . . . . . . . . . . . . 1154
Database Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1155
Database Management Software . . . . . . . . . . . . . . . . . . . . . . 1155
Database Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1157
Database Programming Interfaces . . . . . . . . . . . . . . . . . . . . . 1161
Relational Database Components . . . . . . . . . . . . . . . . . . . . . 1164
Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1166
Database Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1169
Data Warehousing and Data Mining . . . . . . . . . . . . . . . . . . . 1174
Malicious Software (Malware) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1178
Viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1179
Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1182

00-FM.indd 19 14/04/16 10:24 AM


All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Front Matter

CISSP All-in-One Exam Guide


Rootkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1182
Spyware and Adware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1184
Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1184
Logic Bombs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1186
Trojan Horses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1186
Antimalware Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1187
Spam Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1190
Antimalware Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1192
Assessing the Security of Acquired Software . . . . . . . . . . . . . . . . . . 1193
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1194
Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1194
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1199
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1207
Appendix A Comprehensive Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1213
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1249
Appendix B About the Download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1269
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1269
Total Tester Premium Practice Exam Software . . . . . . . . . . . . . . . . . 1269
Downloading Total Tester . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1270
Installing and Running Total Tester . . . . . . . . . . . . . . . . . . . . . . . . . 1270
Hotspot and Drag-and-Drop Questions . . . . . . . . . . . . . . . . . . . . . 1271
McGraw-Hill Professional Media Center Download . . . . . . . . . . 1271
Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1272
Total Seminars Technical Support . . . . . . . . . . . . . . . . . . . . . 1272
McGraw-Hill Education Content Support . . . . . . . . . . . . . . 1272
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1273

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1291


IN MEMORY OF SHON HARRIS

In the summer of 2014, Shon asked me to write a foreword for the new edition of her
CISSP All-in-One Exam Guide. I was honored to do that, and the following two
paragraphs are that original foreword. Following that, I will say more about my friend, the
late Shon Harris.
The cyber security field is still relatively new and has been evolving as technology
advances. Every decade or so, we have an advance or two that seems to change the game.
For example, in the 1990s we were focused primarily on “perimeter defense.” Lots of
money was spent on perimeter devices like firewalls to keep the bad guys out. Around
2000, recognizing that perimeter defense alone was insufficient, the “defense in depth”
approach became popular, and we spent another decade trying to build layers of defense
and detect the bad guys who were able to get past our perimeter defenses. Again, lots of
money was spent, this time on intrusion detection, intrusion prevention, and end-point
solutions. Then, around 2010, following the lead of the U.S. government in particular,
we began to focus on “continuous monitoring,” the goal being to catch the bad guys
inside the network if they get past the perimeter defense and the defense in depth.
Security information and event management (SIEM) technology has emerged as the
best way to handle this continuous monitoring requirement. The latest buzz phrase is
“active defense,” which refers to the ability to respond in real time through a dynamic and
changing defense that works to contain the attacker and allow the organization to recover
quickly and get back to business. We are starting to see the re-emergence of honeypots
combined with sandbox technology to bait and trap attackers for further analysis of their
activity. One thing is common throughout this brief historical survey: the bad guys keep
getting in and we keep responding to try and keep up, if not prevent them in the first
place. This cat-and-mouse game will continue for the foreseeable future.
As the cyber security field continuously evolves to meet the latest emerging threats,
each new strategy and tactic brings with it a new set of terminology and concepts for
the security professional to master. The sheer bulk of the body of knowledge can be
overwhelming, particularly to newcomers. As a security practitioner, consultant, and
business leader, I am often asked by aspiring security practitioners where to start when
trying to get into the field. I often refer them to Shon’s CISSP All-in-One Exam Guide,
not necessarily for the purpose of becoming a CISSP, but so that they may have in one
resource the body of knowledge in the field. I am also often asked by experienced security
practitioners how to advance in the field. I encourage them to pursue CISSP certification
and, once again, I refer them to Shon’s book. Some are destined to become leaders in
the field, and the CISSP is a solid certificate for managers. Other security professionals
I encounter are just looking for more breadth of knowledge, and I recommend Shon’s
book to them too as a good one-stop reference for that. This book has stood the test
of time. It has evolved as the field has evolved and stands as the single most important
book in the cyber security field, period. I have personally referred to it several times
throughout my career and keep a copy near me at all times on my Kindle. Simply put, if
you are in the cyber security field, you need a copy of this book.
On a personal note, little did I know that within months of writing the preceding
foreword, Shon would no longer be with us. I counted Shon as a good friend and still
admire her for her contribution to the field. I met Shon at a CISSP boot camp in 2002.
I had just learned of the CISSP and within weeks found myself in her class. I had no clue
that she had already written several books by that time and was a true leader in the field.
I must have chattered away during our lunch sessions, because a few months after the
class, she reached out to me and said, “Hey, I remember you were interested in writing. I
have a new project that I need help on. Would you like to help?” After an awkward pause,
as I picked myself up from the floor, I told her that I felt underqualified, but yes! That
started a journey that has blessed me many times over. The book was called Gray Hat
Hacking and is now in the fourth edition. From the book came many consulting, writing,
and teaching opportunities, such as Black Hat. Then, as I retired from the Marine Corps,
in 2008, there was Shon, right on cue: “Hey, I have an opportunity to provide services
to a large company. Would you like to help?” Just like that, I had my first large client,
launching my company, which I was able to grow, with Shon’s help, and then sell a couple
of years ago. During the 12 years I knew her, Shon continued to give me opportunities
to become much more than I could have dreamed. She never asked for a thing in return,
simply saying, “You take it and run with it, I am too busy doing other things.” As I think
back over my career after the Marine Corps, I owe most of my success to Shon. I have
shared this story with others and found that I am not the only one; Shon blessed so many
people with her giving spirit. I am convinced there are many “Shon” stories like this one
out there. She touched so many people in the security field and more than lived up to the
nickname I had for her, Miss CISSP.
Without a doubt, Shon was the most kindhearted, generous, and humble person in
the field. If you knew Shon, I know you would echo that sentiment. If you did not know
Shon, I hope that through these few words, you understand why she was so special and
why there had to be another edition of this book. I have been asked several times over
the last year, “Do you think there will be another edition? The security field and CISSP
certification have both changed so much, we need another edition.” For this reason, I am
excited this new edition came to be. Shon would have wanted the book to go on helping
people to be the best they can be. I believe we, as a profession, need this book to continue.
So, I am thankful that the team from McGraw-Hill and Fernando are honoring Shon in
this way and continuing her legacy. She truly deserves it. Shon, you are missed and loved
by so many. Through this book, your generous spirit lives on, helping others.

Allen Harper, CISSP (thanks to Shon)


EVP and Chief Hacker, Tangible Security, Inc.


FOREWORD

I’m excited and honored to introduce the seventh edition of CISSP All-in-One Exam
Guide to cyber security experts worldwide. This study guide is essential for those pursuing
CISSP certification and should be part of every cyber security professional’s library.
After 39 years of service in the Profession of Arms, I know well what it means to
be a member of a profession and the importance of shared values, common language,
and identity. At the same time, expert knowledge gained through training, education,
and experience are critical ingredients to a profession, but formal certifications based on
clearly articulated standards are the coin of the realm for cyber security professionals.
In every operational assignment, I sought ways to leverage technology and increase
digitization, while assuming our freedom to operate was not at risk. Today’s threats
coupled with our vulnerabilities and the potential consequences create a new operational
reality—national security is at risk. When we enter any network, we must fight to ensure
we maintain our security, and cyber security experts are the professionals we will call on
to out-think and out-maneuver the threats we face from cyberspace.
As our world becomes more interconnected, we can expect cyber threats to continue
to grow exponentially. While our cyber workforce enabled by technology must focus
on preventing threats and reducing vulnerabilities, we will not eliminate either. This
demands professionals who understand risk management and security—experts who
are trusted and committed to creating and providing a wide range of security measures
tailored to mitigate enterprise risk and assure all missions, public and private.
Current, relevant domain expertise is the key, and the CISSP All-in-One Exam Guide is
the king of the hill. In this edition, Shon’s quality content is present and is being stewarded
forward by Fernando Maymí. You’re in good hands, and you will grow personally and
professionally, from your study. As competent, trusted professionals of character, this book
is essential to you, your organization, and our national security.

Rhett Hernandez
Lieutenant General, U.S. Army Retired
Former Commander, U.S. Army Cyber Command
Current West Point Cyber Chair, Army Cyber Institute


ACKNOWLEDGMENTS

We would like to thank all the people who work in the information security industry
who are driven by their passion, dedication, and a true sense of doing right. The best
security people are the ones who are driven toward an ethical outcome.
In this seventh edition, we would also like to thank the following:
• Ronald Dodge, who brought the two authors of this book together and, in doing
so, set off a sequence of events that he couldn’t have possibly anticipated.
• David Miller, whose work ethic, loyalty, and friendship have continuously inspired us.
• All the teammates from Logical Security.
• The men and women of our armed forces, who selflessly defend our way of life.
• Kathy Conlon, who, more than anyone else, set the conditions that led to seven
editions of this book.
• David Harris.
• Emma Fernandez.
Most especially, we thank you, our readers, for standing on the frontlines of our digital
conflicts and for devoting your professional lives to keeping all of us safe in cyberspace.


FROM THE AUTHOR

For the first time in seven editions, the CISSP All-in-One Exam Guide bears the names
of two authors. For the first time in 15 years, Shon Harris will not be with us as we go to
print on a new edition of her seminal work. Still, she remains with us in the pages of the
hundreds of thousands of books sold, which have enriched the lives of security professionals
worldwide. It is no exaggeration to say that Shon was one of the most influential
authors in our field. Her legacy lives on in the pages of this latest edition.
Our goal in this seventh edition of Shon’s book was both to address the newly revised
CISSP body of knowledge and to allow you to hear Shon’s voice as you read the words on
its pages. You see, much of the content in this book was actually authored by Shon. We
have reorganized, enhanced, augmented, and updated it, but the content is still largely
hers. If you have read any of her multitude of other works or had the blessing of having
met her, you will recognize her distinctive tone in these pages. We also hope that you will
perceive her penchant for excellence in every aspect of professional development.
The goal of this book is not just to get you to pass the CISSP exam, but to provide
you the bedrock of knowledge that will allow you to flourish as an information systems
security professional before and after you pass the certification exam. If you strive for
excellence in your own development, the CISSP certification will follow as a natural
byproduct. This approach will demand that you devote time and energy to topics and
issues that may seem to have no direct or immediate return on investment. That is OK.
We each have our own areas of strength and weakness, and many of us tend to reinforce
the former while ignoring the latter. This leads to individuals who have tremendous
depth in a very specific topic, but who lack the breadth to understand context or thrive
in new and unexpected conditions. What we propose is an inversion of this natural
tendency, so that we devote appropriate amounts of effort to those areas in which we are
weakest. What we propose is that we balance the urge to be specialists with the need to
be well-rounded professionals. This is what our organizations and societies need from us.
The very definition of a profession describes a group of trusted, well-trained individuals
that performs a critical service that societies cannot do for themselves. In the case of
the CISSP, this professional ensures the confidentiality, integrity, and availability of our
information systems. This cannot be done simply by being the best firewall administrator,
or the best forensic examiner, or the best reverse engineer. Instead, our service requires a
breadth of knowledge that will allow us to choose the right tool for the job. This relevant
knowledge, in turn, requires a foundation of (apparently less relevant) knowledge upon
which we can build our expertise. This is why, in order to be competent professionals,
we all need to devote ourselves to learning topics that may not be immediately useful.
This book provides an encyclopedic treatment of both directly applicable and
foundational knowledge. It is designed, as it always was, to be both a study guide and an
enduring reference. Our hope is that, long after you obtain your CISSP certification, you
will turn to this tome time and again to brush up on your areas of weakness as well as to
guide you in a lifelong pursuit of self-learning and excellence.

WHY BECOME A CISSP?

As our world changes, the need for improvements in security and technology continues
to grow. Corporations and other organizations are desperate to identify and recruit
talented and experienced security professionals to help protect the resources on which
they depend to run their businesses and remain competitive. As a Certified Information
Systems Security Professional (CISSP), you will be seen as a security professional of
proven ability who has successfully met a predefined standard of knowledge and experience
that is well understood and respected throughout the industry. By keeping this
certification current, you will demonstrate your dedication to staying abreast of security
developments.
Consider some of the reasons for attaining a CISSP certification:
• To broaden your current knowledge of security concepts and practices
• To demonstrate your expertise as a seasoned security professional
• To become more marketable in a competitive workforce
• To increase your salary and be eligible for more employment opportunities
• To bring improved security expertise to your current occupation
• To show a dedication to the security discipline
The CISSP certification helps companies identify which individuals have the ability,
knowledge, and experience necessary to implement solid security practices; perform
risk analysis; identify necessary countermeasures; and help the organization as a whole
protect its facility, network, systems, and information. The CISSP certification also
shows potential employers you have achieved a level of proficiency and expertise in
skill sets and knowledge required by the security industry. The increasing importance
placed on security in corporate success will only continue in the future, leading to even
greater demands for highly skilled security professionals. The CISSP certification shows
that a respected third-party organization has recognized an individual’s technical and
theoretical knowledge and expertise, and distinguishes that individual from those who
lack this level of knowledge.
Understanding and implementing security practices is an essential part of being a good
network administrator, programmer, or engineer. Job descriptions that do not specifically
target security professionals still often require that a potential candidate have a good
understanding of security concepts as well as how to implement them. Due to staff size
and budget restraints, many organizations can’t afford separate network and security staffs.
But they still believe security is vital to their organization. Thus, they often try to combine
knowledge of technology and security into a single role. With a CISSP designation, you
can put yourself head and shoulders above other individuals in this regard.

The Bell in Själevad.

When the church at Själevad was about to be built, parishioners
could not agree upon a location. Those who resided farthest north
wished it built at Hemling, and those dwelling to the south desired it
more convenient to them. To terminate the wrangle an agreement
was arrived at as ingenious as simple. Two logs were thrown out
into Hörätt Sound, and it was decided that if they floated out to sea
the church should be built at Voge, but if they floated in toward the
Fjord of Själevad, Hemling should be the building spot.

It happened that just then it was full high tide, when the current
changes from its usual course, and in consequence the logs floated
in favor of Hemling.

The Southerners found it hard to swallow their disappointment and at
once set their wits at work to find a way to defeat the accidental good
luck of their neighbors. In the old chapel of Hemling there was an
unusually large bell, said to have been brought from some strange
land, and regarded with great veneration. Upon this the Southerners
set their hope. One beautiful night they stole the bell and took it
southward, persuaded that their opponents would follow and build
the church near Voge. But the bell, which knew best where the
church ought to stand, provided itself with invisible wings and started
to fly back to the place from which it had been brought.

As it was winging its way homeward, an old woman standing on
Karnigberg—Hag Mountain—saw something strange floating
through the air, at which she stared earnestly, wondering what it
could be, finally recognizing the much prized bell of the parish,
whereupon she cried out:—
“Oh! See our holy church bell!”

Nothing more was needed to deprive the bell of its power of
locomotion and it plunged, like a stone, into Prest Sund—priest
sound—where, every winter, a hole in the ice marks its resting place
at the bottom.

The Vätts Storehouse.

In Herjedalen, as in many of the northern regions of our country,
where there is yet something remaining of the primitive pastoral life,
there are still kept alive reminiscences of a very ancient people,
whose occupation was herding cattle, which constituted their
wealth and support. It is, however, with a later and more civilized
people, though no date is given, that this narrative deals.

In days gone by, so the story goes, it happened that a milkmaid did
not produce as much milk and butter from her herd as usual, for
which her master took her severely to task. The girl sought
vindication by charging it upon the Vätts, who, she claimed,
possessed the place and appropriated a share of the product of the
herd. This, the master was not willing to believe, but, to satisfy
himself, went one autumn evening, after the cattle had been brought
home, to the dairy house, where he secreted himself, as he
supposed, under an upturned cheese kettle. He had not sat in his
hiding place long when a Vätt mother with her family—a large one—
came trooping in and began preparation for their meal.

The mother, who was busy at the fireplace, finally inquired if all had
spoons.

“Yes,” replied one of the Vätts. “All except him under the kettle.”

The dairyman’s doubts were now dispelled, and he hastened to move
his residence to another place.

The Stone in Grönan Dal.

It is probable that the “Stone in Grönan Dal” is like the traditional
Phœnix, a pure tradition, since it has never been found by any one
of the many who have made pilgrimages to the valley in search of it,
for the purpose of deciphering the Runic characters said to be
engraved thereon. Yet many stories are widely current in the land
concerning it, and the old people relate the following:

When St. Jaffen, “the Apostle of the North,” was one time riding
through Jämtland from the borders of Norway, his way led along a
beautiful green valley, in the parish of Åre. Becoming weary, he
dismounted and laid himself down for a nap. When he awoke it
occurred to him that such a garden spot must some day be inhabited
by mankind, so, selecting a slab of stone, he cut in its surface the
following prophetic lines:

“When Swedish men adopt foreign customs
And the land loses its old honor,
Yet, shall stand the Stone in Grönan Dal.

When churches are converted into prisons,
And God’s services have lost their joyous light,
Yet shall stand the Stone in Grönan Dal.

When rogues and villains thrive
And honest men are banished,
Yet will stand the Stone in Grönan Dal.

When priests become beggars,
And farmers monsters,
Then shall lie the Stone in Grönan Dal.”

When the Governor of the Province, Baron Tilas, in 1742, traveled
through Jämtland, he found, a few paces east of the gate of Skurdal,
a stone lying, which he concluded must be the stone so much talked
about. When his coat of arms and the date had been engraved upon
it, he caused it to be raised, so that, “even yet it stands, the Stone in
Grönan Dal.”

The Voyage in a Lapp Sled.

In the great forest west of Samsele, a hunter, early one morning,
pursued his way in quest of game. About midday he ascended a
ridge, where he was overtaken by a Troll-iling—a storm said to be
raised by and to conceal a Troll—before which sticks and straws
danced in the air. Quickly grasping his knife he threw it at the wind,
which at once subsided, and in a few seconds the usual quiet
reigned.

Some time later he was again hunting, when he lost his way. After a
long and wearisome wandering he reached a Lapp hut, where he
found a woman stirring something in a kettle. When she had
concluded her cooking, she invited the hunter to dine, and gave him
the same knife to eat with that he had thrown at the storm.

The following day he wished to return home, but could not possibly
discover the course he should take, whereupon the Troll woman—for
his hostess was none other—directed him to get into the Lapp sled,
and attach to it a rope, in which he must tie three knots.

“Now, untie one knot at a time,” said she, “and you will soon reach
home.”

The hunter untied one knot, as instructed, and away went the rope,
dragging the sled after it into the air. After a time he untied another
knot, and his speed was increased. Finally he untied the last knot,
increasing the speed to such a rate that when the sled came to a
standstill, as it did, suddenly, not long after, he concluded his
journey, falling into his own yard with such force as to break his leg.

The Lapp Genesis, or the First of Mankind.

The Lapps, like other people, have their legends, and many of them
the same, or nearly so, as are found among other nations. Others
reflect more particularly the national characteristics of the Lapp folk.
Thus, for instance, there is to be found among them a tradition of a
general deluge, a universal catastrophe, whereof there still remains
a dim reminiscence in the consciences of so many other primitive
people.

Before the Lord destroyed mankind, so says the Lapp legend, there
were people in Samelads (Lappland), but when the Flood came
upon the earth every living creature perished except two, a brother
and sister, whom God conducted to a high mountain—Passevare
—“The Holy Mountain.”

When the waters had subsided and the land was again dry, the
brother and sister separated, going in opposite directions in search
of others, if any might be left. After three years’ fruitless search they
met, and, recognizing each other, they once more went into the
world, to meet again in three years, but, recognizing one another
now, also, they parted a third time. When they met at the end of
these three years neither knew the other, whereafter they lived
together, and from them came the Lapps and Swedes.

Again, as to the distinct manners and customs of the Lapps and
Swedes, they relate that at first both Lapps and Swedes were as
one people and of the same parentage, but during a severe storm
the one became frightened, and hurried under a board. From this
came the Swedes, who live in houses. The other remained in the
open air, and he became the progenitor of the Lapps, who, to this
day, do not ask for a roof over their heads.

The Giant’s Bride.

More than with anything else, the Lapp legends have to do with
giants and the adventures of mankind with them. The giant is feared
because of his great size and strength and his insatiable appetite for
human flesh. His laziness, clumsiness, and that he is inferior to the
man in intelligence are, however, often the cause of his overthrow.

It is, therefore, commonly an adventure wherein the giant has been
outwitted by a Lapp man or woman that concludes the giant stories.

There was one time a giant who made love to a rich Lapp girl.
Neither she nor her father were much inclined toward the match, but
they did not dare do otherwise than appear to consent and at the
same time thank the Giant for the high honor he would bestow upon
them. The father, nevertheless, determined that the union should not
take place, and consoled himself with the hope that when the time
arrived some means of defeating the Giant’s project would be
presented. Meantime he was obliged to set the day when the Giant
might come and claim his bride. Before the Giant’s arrival the Lapp
took a block of wood, about the size of his daughter, and clothing it in
a gown, a new cap, silver belt, shoes and shoe band, he sat it up in
a corner of the tent, with a close veil, such as is worn by Lapp brides,
over the head.

When the Giant entered the tent he was much pleased to find the
bride, as he supposed, in her best attire awaiting him, and at once
asked his prospective father-in-law to go out with him and select the
reindeer that should go with the bride as her dower. Meanwhile the
daughter was concealed behind an adjacent hill with harnessed
reindeer ready for flight. When the reindeer had been counted out
the Giant proceeded to kill one of them for supper, while the Lapp
slipped off into the woods, and, joining his daughter, they fled with all
speed into the mountains.

The Giant, after dressing the reindeer, went into the tent to visit his
sweetheart.

“Now, my little darling,” said he, “put the kettle over the fire.”

But no move in the corner.

“Oh, the little dear is bashful, I’ll have to do it myself then,” said he.

After the pot had been boiling awhile he again addressed the object
in the corner:

“Now my girl, you may cleave the marrow bone,” but still no
response.

“My little one is bashful, then I must do it myself,” thought he.

When the meat was cooked he tried again:

“Come, now, my dear, and prepare the meat.” But the bride was as
bashful as before, and did not stir.

“Gracious! how bashful she is. I must do it myself,” repeated the
Giant.

When he had prepared the meal he bade her come and eat, but
without effect. The bride remained motionless in her corner.

“The more for me, then,” thought he, and sat himself to the repast
with a good appetite. When he had eaten, he bade his bride prepare
the bed.

“Ah, my love, are you so bashful? I must then do it myself,” said the
simple Giant.

“Go now and retire.” No, she had not yet overcome her bashfulness,
whereupon the Giant became angry and grasped the object with
great force.

Discovering how the Lapp had deceived him, and that he had only a
block of wood instead of a human of flesh and blood, he was beside
himself with rage, and started in hot pursuit after the Lapp. The latter,
however, had so much the start that the Giant could not overtake
him. At the same time it was snowing, which caused the Giant to
lose his way in the mountains. Finally he began to suffer from the
cold. The moon coming up, he thought it a fire built by the Lapp, and
at once set out on a swift run toward it, but he had already run so far
that he was completely exhausted. He then climbed to the top of a
pine, thinking thereby to get near enough to the fire to warm himself,
but he froze to death instead, and thus ends the story.