CISSP® Study Guide
Fourth Edition

Eric Conrad, Backshore Communications, Peaks Island, ME, United States
Seth Misenar, Context Security, LLC, Jackson, MS, United States
Joshua Feldman, Senior Vice President for Security Technology, Radian Group, Wayne, PA, United States

Syngress is an imprint of Elsevier
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States

Copyright © 2023 Elsevier Inc. All rights reserved.
CISSP® is a registered certification mark of (ISC)2, Inc.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
ISBN: 978-0-443-18734-6

For information on all Syngress publications visit our website at https://www.elsevier.com/books-and-journals

Publisher: Mara E. Conner
Acquisitions Editor: Chris Katsaropoulos
Editorial Project Manager: John Leonard
Production Project Manager: Stalin Viswanathan
Cover Designer: Greg Harris
Typeset by STRAIVE, India

Contents

About the authors ... xix

CHAPTER 1 Introduction ... 1
  How to Prepare for the Exam ... 2
    The CISSP® Exam Is a Management Exam ... 2
    The 2021 Update ... 2
    The Notes Card Approach ... 3
    Practice Tests ... 3
    Read the Glossary ... 3
    Readiness Checklist ... 4
  How to Take the Exam ... 4
    Steps to Becoming a CISSP® ... 4
    Computer-Based Testing (CBT) ... 5
    CISSP® CAT ... 5
    Taking the Exam ... 6
    After the Exam ... 9
  Good Luck! ... 9
  References ... 10

CHAPTER 2 Domain 1: Security and Risk Management ... 11
  Unique Terms and Definitions ... 11
  Introduction ... 12
  Cornerstone Information Security Concepts ... 12
    Confidentiality, Integrity, and Availability ... 12
    Identity and Authentication, Authorization, and Accountability (AAA) ... 15
    Non-repudiation ... 17
    Least Privilege and Need to Know ... 17
    Subjects and Objects ... 18
    Defense-in-Depth ... 18
    Due Care and Due Diligence ... 19
  Legal and Regulatory Issues ... 19
    Compliance With Laws and Regulations ... 19
    Major Legal Systems ... 20
    Criminal, Civil, and Administrative Law ... 21
    Liability ... 23
    Due Care ... 23
    Due Diligence ... 24
    Legal Aspects of Investigations ... 24
    Intellectual Property ... 29
    Privacy ... 33
    International Cooperation ... 37
    Import/Export Restrictions ... 38
    Trans-border Data Flow ... 38
    Important Laws and Regulations ... 39
  Ethics ... 42
    The (ISC)2® Code of Ethics ... 42
    Computer Ethics Institute ... 44
    IAB’s Ethics and the Internet ... 45
  Information Security Governance ... 45
    Security Policy and Related Documents ... 45
    Personnel Security ... 48
  Access Control Defensive Categories and Types ... 51
    Preventive ... 52
    Detective ... 52
    Corrective ... 52
    Recovery ... 53
    Deterrent ... 53
    Compensating ... 53
    Comparing Access Controls ... 53
  Risk Analysis ... 54
    Assets ... 55
    Threats and Vulnerabilities ... 55
    Risk = Threat × Vulnerability ... 55
    Impact ... 56
    Risk Analysis Matrix ... 57
    Calculating Annualized Loss Expectancy ... 57
    Total Cost of Ownership ... 59
    Return on Investment ... 59
    Budget and Metrics ... 60
    Risk Response ... 61
    Quantitative and Qualitative Risk Analysis ... 63
    The Risk Management Process ... 64
    Risk Maturity Modeling ... 65
  Security and Third Parties ... 65
    Service Provider Contractual Security ... 65
    Minimum Security Requirements ... 65
    Supply Chain Risk Management ... 67
    Vendor Governance ... 68
    Acquisitions ... 68
    Divestitures ... 68
    Third Party Assessment and Monitoring ... 68
    Outsourcing and Offshoring ... 69
  Types of Attackers ... 70
    Hackers ... 70
    Script Kiddies ... 71
    Outsiders ... 71
    Insiders ... 71
    Hacktivist ... 73
    Bots and Botnets ... 73
    Phishers and Spear Phishers ... 74
  Summary of Exam Objectives ... 75
  Self-Test ... 76
  Self-Test Quick Answer Key ... 78
  References ... 79

CHAPTER 3 Domain 2: Asset Security ... 81
  Unique Terms and Definitions ... 81
  Introduction ... 81
  Classifying Data ... 82
    Labels ... 82
    Security Compartments ... 82
    Clearance ... 83
    Formal Access Approval ... 83
    Need to Know ... 83
    Sensitive Information/Media Security ... 84
  Ownership and Inventory ... 84
    Asset Inventory ... 85
    Asset Retention ... 85
    Business or Mission Owners ... 85
    Data Owners ... 86
    System Owner ... 86
    Custodian ... 86
    Users ... 86
    Data Controllers and Data Processors ... 87
    Data Location ... 87
    Data Maintenance ... 88
    Data Loss Prevention ... 88
    Digital Rights Management ... 88
    Cloud Access Security Brokers ... 89
    Data Collection Limitation ... 90
  Memory and Remanence ... 91
    Data Remanence ... 91
    Memory ... 91
  Data Destruction ... 94
    Overwriting ... 95
    Degaussing ... 95
    Destruction ... 95
    Shredding ... 96
  Determining Data Security Controls ... 96
    Certification and Accreditation ... 96
    Standards and Control Frameworks ... 97
    Scoping and Tailoring ... 100
    Data States ... 100
  Summary of Exam Objectives ... 102
  Self-Test ... 102
  Self-Test Quick Answer Key ... 104
  References ... 105

CHAPTER 4 Domain 3: Security Architecture and Engineering ... 107
  Unique Terms and Definitions ... 107
  Introduction ... 108
  Secure Design Principles ... 108
    Threat Modeling ... 108
    Least Privilege and Defense-in-Depth ... 109
    Secure Defaults ... 109
    Privacy by Design ... 109
    Fail Securely ... 110
    Separation of Duties (SoD) ... 110
    Keep It Simple ... 110
    Trust, but Verify ... 111
    Zero Trust ... 111
  Security Models ... 113
    Reading Down and Writing Up ... 113
    State Machine Model ... 114
    Bell-LaPadula Model ... 115
    Lattice-Based Access Controls ... 115
    Integrity Models ... 116
    Information Flow Model ... 118
    Chinese Wall Model ... 118
    Non-interference ... 118
    Take-Grant ... 119
    Access Control Matrix ... 119
    Zachman Framework for Enterprise Architecture ... 120
    Graham-Denning Model ... 120
    Harrison-Ruzzo-Ullman Model ... 121
  Evaluation Methods, Certification, and Accreditation ... 121
    The International Common Criteria ... 121
  Secure System Design Concepts ... 122
    Layering ... 123
    Abstraction ... 123
    Security Domains ... 123
    The Ring Model ... 124
    Open and Closed Systems ... 125
  Secure Hardware Architecture ... 125
    The System Unit and Motherboard ... 125
    The Computer Bus ... 126
    The CPU ... 127
    Memory Protection ... 130
    Trusted Platform Module ... 132
    Data Execution Prevention and Address Space Layout Randomization ... 133
  Secure Operating System and Software Architecture ... 134
    The Kernel ... 134
    Users and File Permissions ... 135
  Virtualization, Cloud, and Distributed Computing ... 137
    Virtualization ... 138
    Cloud Computing ... 139
    Microservices, Containers, and Serverless ... 141
    High-Performance Computing (HPC) and Grid Computing ... 144
    Peer-to-Peer ... 145
    Thin Clients ... 145
    Embedded Systems and The Internet of Things (IoT) ... 146
    Distributed Systems and Edge Computing Systems ... 147
    Industrial Control Systems (ICS) ... 148
  System Vulnerabilities, Threats, and Countermeasures ... 149
    Emanations ... 149