ALL IN ONE
CISSP® Exam Guide
Sixth Edition

Shon Harris

New York • Chicago • San Francisco • Lisbon • London • Madrid • Mexico City • Milan • New Delhi • San Juan • Seoul • Singapore • Sydney • Toronto

McGraw-Hill is an independent entity from (ISC)2® and is not affiliated with (ISC)2 in any manner. This study/training guide and/or material is not sponsored by, endorsed by, or affiliated with (ISC)2 in any manner. This publication and digital content may be used in assisting students to prepare for the CISSP exam. Neither (ISC)2 nor McGraw-Hill warrant that use of this publication and digital content will ensure passing any exam. (ISC)2®, CISSP®, CAP®, ISSAP®, ISSEP®, ISSMP®, SSCP® and CBK® are trademarks or registered trademarks of (ISC)2 in the United States and certain other countries. All other trademarks are trademarks of their respective owners.

Copyright © 2013 by McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 978-0-07-178173-2
MHID: 0-07-178173-0

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-178174-9, MHID: 0-07-178174-9.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at [email protected].

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free.
Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

I dedicate this book to some of the most wonderful people I have lost over the last several years. My grandfather (George Fairbairn), who taught me about integrity, unconditional love, and humility. My grandmother (Marge Fairbairn), who taught me about the importance of living life to the fullest, having “fun fun,” and of course, black jack. My dad (Tom Conlon), who taught me how to be strong and face adversity. My father-in-law (Maynard Harris), who taught me a deep meaning of the importance of family that I never knew before. Each person was a true role model to me. I learned a lot from them, I appreciate all that they have done for me, and I miss them terribly.

ABOUT THE AUTHOR

Shon Harris is the founder and CEO of Shon Harris Security LLC and Logical Security LLC, a security consultant, a former engineer in the Air Force’s Information Warfare unit, an instructor, and an author. Shon has owned and run her own training and consulting companies since 2001. She consults with Fortune 100 corporations and government agencies on extensive security issues.
She has authored three best-selling CISSP books, was a contributing author to Gray Hat Hacking: The Ethical Hacker’s Handbook and Security Information and Event Management (SIEM) Implementation, and a technical editor for Information Security Magazine. Shon has also developed many digital security products for Pearson Publishing.

About the Technical Editor

Polisetty Veera Subrahmanya Kumar, CISSP, CISA, PMP, PMI-RMP, MCPM, ITIL, has more than two decades of experience in the field of Information Technology. His areas of specialization include information security, business continuity, project management, and risk management. In the recent past he served his term as Chairperson for Project Management Institute’s PMI-RMP (PMI - Risk Management Professional) Credentialing Committee and was a member of ISACA’s India Growth Task Force team. In the past he worked as content development team leader on a variety of PMI standards development projects. He was a lead instructor for the PMI PMBOK review seminars.

CONTENTS AT A GLANCE

Chapter 1   Becoming a CISSP  1
Chapter 2   Information Security Governance and Risk Management  21
Chapter 3   Access Control  157
Chapter 4   Security Architecture and Design  297
Chapter 5   Physical and Environmental Security  427
Chapter 6   Telecommunications and Network Security  515
Chapter 7   Cryptography  759
Chapter 8   Business Continuity and Disaster Recovery  885
Chapter 9   Legal, Regulations, Compliance, and Investigations  979
Chapter 10  Software Development Security  1081
Chapter 11  Security Operations  1233
Appendix A  Comprehensive Questions  1319
Appendix B  About the Download  1379
Glossary  G-1
Index  1385

CONTENTS

Foreword  xx
Acknowledgments  xxiii

Chapter 1  Becoming a CISSP  1
  Why Become a CISSP?  1
  The CISSP Exam  2
  CISSP: A Brief History  6
  How Do You Sign Up for the Exam?  7
  What Does This Book Cover?  7
  Tips for Taking the CISSP Exam  8
  How to Use This Book  9
    Questions  10
    Answers  19

Chapter 2  Information Security Governance and Risk Management  21
  Fundamental Principles of Security  22
    Availability  23
    Integrity  23
    Confidentiality  24
    Balanced Security  24
  Security Definitions  26
  Control Types  28
  Security Frameworks  34
    ISO/IEC 27000 Series  36
    Enterprise Architecture Development  41
    Security Controls Development  55
    COSO  59
    Process Management Development  60
    Functionality vs. Security  68
  Security Management  69
  Risk Management  70
    Who Really Understands Risk Management?  71
    Information Risk Management Policy  72
    The Risk Management Team  73
  Risk Assessment and Analysis  74
    Risk Analysis Team  75
    The Value of Information and Assets  76
    Costs That Make Up the Value  76
    Identifying Vulnerabilities and Threats  77
    Methodologies for Risk Assessment  78
    Risk Analysis Approaches  85
    Qualitative Risk Analysis  89
    Protection Mechanisms  92
    Putting It Together  96
    Total Risk vs. Residual Risk  96
    Handling Risk  97
    Outsourcing  100
  Policies, Standards, Baselines, Guidelines, and Procedures  101
    Security Policy  102
    Standards  105
    Baselines  106
    Guidelines  106
    Procedures  107
    Implementation  108
  Information Classification  109
    Classifications Levels  110
    Classification Controls  113
  Layers of Responsibility  114
    Board of Directors  115
    Executive Management  116
    Chief Information Officer  118
    Chief Privacy Officer  118
    Chief Security Officer  119
    Security Steering Committee  120
    Audit Committee  121
    Data Owner  121
    Data Custodian  122
    System Owner  122
    Security Administrator  122
    Security Analyst  123
    Application Owner  123
    Supervisor  123
    Change Control Analyst  124
    Data Analyst  124
    Process Owner  124
    Solution Provider  124
    User  125
    Product Line Manager  125
    Auditor  125
    Why So Many Roles?  126
  Personnel Security  126
    Hiring Practices  128
    Termination  129
    Security-Awareness Training  130
    Degree or Certification?  131
  Security Governance  132
    Metrics  132
  Summary  137
  Quick Tips  138
    Questions  141
    Answers  150

Chapter 3  Access Control  157
  Access Controls Overview  157
  Security Principles  158
    Availability  159
    Integrity  159
    Confidentiality  160
  Identification, Authentication, Authorization, and Accountability  160
    Identification and Authentication  162
    Password Management  174
    Authorization  203
  Access Control Models  219
    Discretionary Access Control  220
    Mandatory Access Control  221
    Role-Based Access Control  224
  Access Control Techniques and Technologies  227
    Rule-Based Access Control  227
    Constrained User Interfaces  228
    Access Control Matrix  229
    Content-Dependent Access Control  231
    Context-Dependent Access Control  231
  Access Control Administration  232
    Centralized Access Control Administration  233
    Decentralized Access Control Administration  240
  Access Control Methods  241
    Access Control Layers  241
    Administrative Controls  242
    Physical Controls  243
    Technical Controls  245
  Accountability  248
    Review of Audit Information  250
    Protecting Audit Data and Log Information  251
    Keystroke Monitoring  251
  Access Control Practices  252
    Unauthorized Disclosure of Information  253
  Access Control Monitoring  255
    Intrusion Detection  255
    Intrusion Prevention Systems  265
  Threats to Access Control  268
    Dictionary Attack  269
    Brute Force Attacks  270
    Spoofing at Logon  270