Passport_2019/ CISSP®Passport / Rogers / 797-0 / FM / Blind olio:i Mike Meyers’ CIASS+P ® CompTIA ® CPEARSTSIPFIOCRATTION PASSPORT SEVENTH (Exams 220-1001 & 220-1002) EDITION 00-FM.indd 1 16/08/22 6:31 PM Passport_2019/ CISSP®Passport / Rogers / 797-0 / FM / Blind olio:ii About the Author Bobby Rogers (he/his/him) is a cybersecurity proessional with over 30 years in the inor- mation technology and cybersecurity ields. He currently works with a major engineering company in Huntsville, Alabama, helping to secure networks and manage cyber risk or its customers. Bobby’s customers include the U.S. Army, NASA, the State o ennessee, and private/commercial companies and organizations. His specialties are cybersecurity engineer- ing, security compliance, and cyber risk management, but he has worked in almost every area o cybersecurity, including network deense, computer orensics and incident response, and penetration testing. Bobby is a retired Master Sergeant rom the U.S. Air Force, having served or over 21 years. He has built and secured networks in the United States, Chad, Uganda, South Arica, Germany, Saudi Arabia, Pakistan, Aghanistan, and several other remote locations. His decorations include two Meritorious Service medals, three Air Force Commendation medals, the National Deense Service medal, and several Air Force Achievement medals. He retired rom active duty in 2006. Bobby has a master o science in inormation assurance and a bachelor o science in computer inormation systems (with a dual concentration in Russian language), and two associate o science degrees. His many certiications include CISSP-ISSEP, CRISC, CySA+, CEH, and MCSE: Security. Bobby has narrated and produced over 30 computer training videos or several training companies and currently produces them or Pluralsight (https://www.pluralsight.com). He is also the author o CompTIA Mobility+ All-in-One Exam Guide (Exam MB0-001), CRISC Certiied in Risk and Inormation Systems Control All-in-One Exam Guide, andMike Meyers’ CompTIA Security+ Certiication Guide (Exam SY0-401), and is the contributing author/ technical editor or the popularCISSP All-in-One Exam Guide, Ninth Edition, all o which are published by McGraw Hill. About the Technical Editor Nichole O’Brienis a creative business leader with over 25 years o experience in cybersecurity and I leadership, program management, and business development across commercial, education, and ederal, state, and local business markets. Her ocus on innovative solutions is demonstrated by the development o a commercial cybersecurity and I business group, which she currently manages in a Fortune 500 corporation and has received the corporation’s annual Outstanding Customer Service Award. She currently serves as Vice President o Outreach or Cyber Huntsville, is on the Foundation Board or the National Cyber Summit, and supports cyber education initiatives like the USSRC Cyber Camp. Nichole has bachelor’s and master’s degrees in business administration and has a CISSP certiication. 00-FM.indd 2 16/08/22 6:31 PM Passport_2019/ CISSP®Passport / Rogers / 797-0 / FM / Blind olio:iii Mike Meyers’ CIASS+P ® CompTIA ® CPEARSTSIPFIOCRATTION PASSPORT SEVENTH (Exams 220-1001 & 220-1002) EDITION Bobby E. Rogers New York Chicago San Francisco Athens London Madrid Mexico City Milan New Delhi Singapore Sydney Toronto McGraw Hill is an independent entity rom (ISC)²® and is not afliated with (ISC)² in any manner. Tis study/training guide and/or material is not sponsored by, endorsed by, or afliated with (ISC)2in any manner. Tis publication and accompanying media may be used in assisting students to prepare or the CISSP exam. Neither (ISC)² nor McGraw Hill warrants that use o this publication and accompanying media will ensure passing any exam. (ISC)²®, CISSP®, CAP®, ISSAP®, ISSEP®, ISSMP®, SSCP®, and CBK® are trademarks or registered trademarks o (ISC)² in the United States and certain other countries. All other trademarks are trademarks o their respective owners. 00-FM.indd 3 16/08/22 6:31 PM Copyright © 2023 by McGraw Hill. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. ISBN: 978-1-26-427798-8 MHID: 1-26-427798-9 The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-427797-1, MHID: 1-26-427797-0. eBook conversion by codeMantra Version 1.0 All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trade- marked name, we use names in an editorial fashion only, and to the benet of the trademark owner, with no intention of infringe- ment of the trademark. Where such designations appear in this book, they have been printed with initial caps. McGraw Hill eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com. Information has been obtained by McGraw Hill from sources believed to be reliable. However, because of the possibility of hu- man or mechanical error by our sources, McGraw Hill, or others, McGraw Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information. TERMS OF USE This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy ofthe work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent.You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms. THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUD- ING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advisedof the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise. Passport_2019/ CISSP®Passport / Rogers / 797-0 / FM / Blind olio:v I’d like to dedicate this book to the cybersecurity proessionals who tirelessly, and sometimes, thanklessly, protect our inormation and systems rom all who would do them harm. I also dedicate this book to the people who serve in uniorm as military personnel, public saety proessionals, police, frefghters, and medical proessionals, sacrifcing sometimes all that they are and have so that we may all live in peace, security, and saety. —Bobby Rogers 00-FM.indd 5 16/08/22 6:31 PM Passport_2019/ CISSP®Passport / Rogers / 797-0 / FM / Blind olio:vi This page intentionally left blank 00-FM.indd 6 16/08/22 6:31 PM PPaassssppoorrtt__22001199// CCoISmSpPT®IAP aPsesnpToerst t/+ R®oCgeerrtsif /c 7a9t7io-n0 /P FaMssport / Linn / 004-5 / Domain DOMAIN vii Contents at a Glance 1.0 Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2.0 Asset Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 3.0 Security Architecture and Engineering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 4.0 Communication and Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 5.0 Identity and Access Management (IAM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 6.0 Security Assessment and esting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 7.0 Security Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 8.0 Sotware Development Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393 A About the Online Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431 vii 00-FM.indd 7 16/08/22 6:31 PM Passport_2019/ CISSP®Passport / Rogers / 797-0 / FM / Blind olio:viii This page intentionally left blank 00-FM.indd 8 16/08/22 6:31 PM PPaassssppoorrtt__22001199// CCoISmSpPT®IAP aPsesnpToerst t/+ R®oCgeerrtsif /c 7a9t7io-n0 /P FaMssport / Linn / 004-5 / Domain DOMAIN ix Contents Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix 1.0 Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Objective 1.1 Understand, adhere to, and promote professional ethics . . . . . . . . . . . . . . . . . . . . . . . . . . 2 The (ISC)2Code of Ethics                                              3 Code of Ethics Preamble                                         3 Code of Ethics Canons                                          3 Organizational Code of Ethics                                          4 Workplace Ethics Statements and Policies                          4 Other Sources for Ethics Requirements                             5 REVIEW                                                          7 11 QUESTIONS                                               7 11 ANSWERS                                                8 Objective 1.2 Understand and apply security concepts . . . . . . . . . . . 9 Security Concepts                                                   9 Data, Information, Systems, and Entities                            9 Confidentiality                                                10 Integrity                                                      11 Availability                                                   11 Supporting Tenets of Information Security                                11 Identification                                                  11 Authentication                                                11 Authenticity                                                  12 Authorization                                                 12 Auditing and Accountability                                      12 Nonrepudiation                                                12 Supporting Security Concepts                                    13 ix 00-FM.indd 9 16/08/22 6:31 PM