CISSP Study Guide, Second Edition

Eric Conrad, Seth Misenar, Joshua Feldman
Technical Editor: Kevin Riggins

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Syngress is an imprint of Elsevier

Acquiring Editor: Chris Katsaropoulos
Development Editor: Heather Scherer
Project Manager: Paul Gottehrer
Designer: Joanne Blank

Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA

© 2012 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Application submitted

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

For information on all Syngress publications visit our website at http://store.elsevier.com

ISBN: 978-1-59749-961-3

Printed in the United States of America
12 13 14 15 16   10 9 8 7 6 5 4 3 2 1

Contents

Acknowledgments ... xvii
About the authors ... xix

CHAPTER 1 Introduction ... 1
  How to Prepare for the Exam ... 2
    The CISSP exam is a management exam ... 2
    The notes card approach ... 2
    Practice tests ... 3
    Read the glossary ... 3
    Readiness checklist ... 3
  Taking the Exam ... 4
    Steps to becoming a CISSP ... 4
    Computer-based testing (CBT) ... 4
    How to take the exam ... 5
    After the exam ... 6
  Good Luck! ... 7

CHAPTER 2 Domain 1: Access Control ... 9
  Unique Terms and Definitions ... 9
  Introduction ... 9
  Cornerstone Information Security Concepts ... 10
    Confidentiality, integrity, and availability ... 11
    Identity and authentication, authorization, and accountability (AAA) ... 13
    Non-repudiation ... 15
    Least privilege and need to know ... 15
    Subjects and objects ... 16
    Defense in depth ... 16
  Access Control Models ... 17
    Discretionary Access Control (DAC) ... 17
    Mandatory Access Control (MAC) ... 18
    Non-discretionary access control ... 18
    Content- and context-dependent access controls ... 19
    Centralized access control ... 20
    Decentralized access control ... 20
    Access provisioning lifecycle ... 21
    Access control protocols and frameworks ... 22
  Procedural Issues for Access Control ... 24
    Labels, clearance, formal access approval, and need to know ... 24
    Rule-based access controls ... 26
    Access control lists ... 27
  Access Control Defensive Categories and Types ... 27
    Preventive ... 27
    Detective ... 28
    Corrective ... 28
    Recovery ... 28
    Deterrent ... 28
    Compensating ... 28
    Comparing access controls ... 29
  Authentication Methods ... 29
    Type 1 authentication: something you know ... 30
    Type 2 authentication: something you have ... 35
    Type 3 authentication: something you are ... 36
    Biometric fairness, psychological comfort, and safety ... 37
  Access Control Technologies ... 42
    Single sign-on (SSO) ... 42
    Federated identity management ... 43
    Kerberos ... 43
    SESAME ... 47
    Security audit logs ... 47
  Types of Attackers ... 48
    Hackers ... 48
    Black hats and white hats ... 49
    Script kiddies ... 49
    Outsiders ... 50
    Insiders ... 51
    Hacktivist ... 51
    Bots and botnets ... 52
    Phishers and spear phishers ... 53
  Assessing Access Control ... 54
    Penetration testing ... 54
    Vulnerability testing ... 56
    Security audits ... 57
    Security assessments ... 57
  Summary of Exam Objectives ... 57
  Self Test ... 58
  Self-Test Quick Answer Key ... 60

CHAPTER 3 Domain 2: Telecommunications and Network Security ... 63
  Unique Terms and Definitions ... 63
  Introduction ... 63
  Network Architecture and Design ... 64
    Network defense-in-depth ... 64
    Fundamental network concepts ... 64
    The OSI Model ... 67
    TCP/IP model ... 69
    Encapsulation ... 70
    Network Access, Internet and Transport Layer Protocols, and Concepts ... 71
    Application layer TCP/IP protocols and concepts ... 85
    Layer 1. Network Cabling ... 89
    LAN technologies and protocols ... 92
    LAN Physical Network Topologies ... 94
    WAN technologies and protocols ... 96
  Network Devices and Protocols ... 100
    Repeaters and hubs ... 100
    Bridges ... 100
    Switches ... 101
    Network taps ... 103
    Routers ... 103
    Firewalls ... 108
    DTE/DCE and CSU/DSU ... 114
    Intrusion detection systems and intrusion prevention systems ... 115
    Endpoint security ... 118
    Honeypots ... 120
    Network attacks ... 121
    Network scanning tools ... 122
  Secure Communications ... 123
    Authentication protocols and frameworks ... 123
    VPN ... 126
    VoIP ... 128
    Wireless Local Area Networks ... 129
    Remote access ... 134
  Summary of Exam Objectives ... 137
  Self Test ... 138
  Self Test Quick Answer Key ... 140

CHAPTER 4 Domain 3: Information Security Governance and Risk Management ... 143
  Unique Terms and Definitions ... 143
  Introduction ... 143
  Risk Analysis ... 144
    Assets ... 144
    Threats and vulnerabilities ... 144
    Risk = Threat × Vulnerability ... 145
    Calculating Annualized Loss Expectancy ... 147
    Total Cost of Ownership ... 148
    Return on Investment ... 149
    Budget and metrics ... 150
    Risk choices ... 151
    The Risk Management Process ... 153
  Information Security Governance ... 154
    Security policy and related documents ... 154
    Roles and responsibilities ... 157
    Personnel security ... 158
    Compliance with laws and regulations ... 160
    Due care and due diligence ... 161
    Best practice ... 161
    Auditing and control frameworks ... 162
    Certification and Accreditation ... 164
  Summary of Exam Objectives ... 165
  Self Test ... 165
  Self Test Quick Answer Key ... 167

CHAPTER 5 Domain 4: Software Development Security ... 169
  Unique Terms and Definitions ... 169
  Introduction ... 169
  Programming Concepts ... 170
    Machine code, source code, and assemblers ... 170
    Compilers, interpreters, and bytecode ... 171
    Procedural and object-oriented languages ... 171
    Fourth-generation programming language ... 173
    Computer-aided software engineering (CASE) ... 173
    Top-down versus bottom-up programming ... 173
    Types of publicly released software ... 174
  Application Development Methods ... 175
    Waterfall model ... 176
    Sashimi model ... 177
    Agile software development ... 179
    Spiral ... 180
    Rapid application development (RAD) ... 181
    Prototyping ... 181
    SDLC ... 182
    Software escrow ... 186
  Object-Orientated Design and Programming ... 186
    Object-oriented programming (OOP) ... 186
    Object-oriented analysis (OOA) and object-oriented design (OOD) ... 191
  Software Vulnerabilities, Testing, and Assurance ... 192
    Software vulnerabilities ... 192
    Software testing methods ... 194
    Disclosure ... 195
    Software Capability Maturity Model (CMM) ... 196
    Software Change and Configuration Management ... 196
  Databases ... 197
    Types of databases ... 198
    Database integrity ... 202
    Database replication and shadowing ... 202
    Data warehousing and data mining ... 203
  Artificial Intelligence ... 203
    Expert systems ... 203
    Artificial neural networks ... 204
    Bayesian filtering ... 205
    Genetic algorithms and programming ... 206
  Summary of Exam Objectives ... 206
  Self Test ... 207
  Self Test Quick Answer Key ... 209

CHAPTER 6 Domain 5: Cryptography ... 213
  Unique Terms and Definitions ... 213
  Introduction ... 213
  Cornerstone Cryptographic Concepts ... 213
    Key terms ... 214
    Confidentiality, integrity, authentication, and non-repudiation ... 214
    Confusion, diffusion, substitution, and permutation ... 214
    Cryptographic strength ... 215
    Monoalphabetic and polyalphabetic ciphers ... 215
    Modular math ... 216
    Exclusive Or (XOR) ... 216
    Types of cryptography ... 217
    Data at rest and data in motion ... 217
  History of Cryptography ... 218
    Egyptian hieroglyphics ... 218
    Spartan scytale ... 218
    Caesar cipher and other rotation ciphers ... 218
    Vigenère cipher ... 219
    Cipher disk ... 219
    Jefferson disks ... 220
    Book cipher and running-key cipher ... 222
    Codebooks ... 223
    One-time pad ... 224