CISSP Training Kit
Dedication
A Note Regarding Supplemental Files
Introduction
Preparing for the exam
Signing up for the exam
The exam itself
Seeing the big picture of CISSP
The day of the exam
After completing the exam
Using the companion CD
How to use the practice tests
How to uninstall the practice tests
Acknowledgments
Support and feedback
Errata
We want to hear from you
Stay in touch
1. Information security governance and risk management
Where do information security and risk management begin?
Security objectives and controls
Understanding risk modeling
Understanding countermeasures and controls
Reducing the risk of litigation
Policies and frameworks
Policy documents
Sources
Ethical standards
Certification and accreditation
Awareness
Revisions, updates, and change control
Risk assessment and management
Starting the risk management project
Performing the risk assessment
Inventory the assets
Assign a value to each asset
Classify assets
Identify threats
Calculate the annualized loss expectancy
Identify cost-effective countermeasures
The four methods of managing risk
Manage speculation and uncertainty
Complete the assessment
Implement the security program
Implementing the security program
Understanding the new organization chart
Understanding the information life cycle
Classifying data
Assign roles and responsibilities
Define classification categories
Define category criteria
Define required protective controls for each category
Inventory the information assets (data elements)
Assign a value to each asset
Reappraise and adjust the classification of information assets
Provide security awareness training for all employees and applicable third parties
Assign enforcement responsibilities
Implementing hiring practices
Implementing termination practices
Providing security awareness training
Managing third-party service providers
Monitoring and auditing
Exercises
Exercise 1-1
Exercise 1-2
Chapter summary
Chapter review
Answers
Exercise 1-1
Exercise 1-2
Chapter review
2. Access control
Trusted path
Choices, choices, choices
Types of access controls
The provisioning life cycle
Managing fraud
Authentication, authorization, and auditing
Identity management
Authentication
Something you know
Resetting passwords
Attacks on passwords
The Brute Force Attack
The Dictionary Attack
The Hybrid Attack
The Rainbow Attack
The Replay Attack
Social Engineering
Something you have
Drawbacks of authentication devices (something you have)
Something you are
Enrollment
Errors in the Biometric Systems
Finding a Matching Record
Drawbacks of Biometric Authentication (Something You Are)
Multi-factor authentication
Mutual authentication
The Zero Knowledge Proof
Single sign on
Kerberos
Weaknesses With Kerberos
Directory services
Secure European System for Applications in a Multivendor Environment (SESAME)
Web-based authentication
Authorization
The authorization life cycle
Mandatory access control
Discretionary access control
Role-based access control
Rule-based access control
Decentralized access control
Centralized access control
Hybrid access control
Centralized access control technologies
RADIUS
TACACS
Diameter
Other types of access controls
The Constrained Interface
The Hardware Guard
The Software Guard
Temporal Access Controls
Auditing
Intrusion detection systems and intrusion prevention systems
The honeypot, the honeynet, and the padded cell
Exercises
Exercise 2-1
Exercise 2-2
Chapter summary
Chapter review
Answers
Exercise 2-1
Exercise 2-2
Chapter review
3. Cryptography
What is cryptography?
The basics of cryptography
Cryptanalysis
The strength of a cryptosystem—its work factor
Historical review of cryptography
Hieroglyphics: 3000 BC
The Atbash cipher: 500 BC
The Scytale cipher: 400 BC
The Caesar or Shift cipher: 100 BC
Cryptanalysis: AD 800
The Vigenere cipher: AD 1586
The Jefferson disk: AD 1795
The Vernam cipher/the one-time pad: AD 1917
The Enigma machine: AD 1942
Hashing algorithms: AD 1953
The Data Encryption Algorithm (DEA) and the Data Encryption Standard (DES): AD 1976
Diffie-Hellman (or Diffie-Hellman-Merkle): AD 1976
RC4: AD 1987
Triple DES (3DES): AD 1999
The Rijndael algorithm and the Advanced Encryption Standard (AES): AD 2002
Other points of interest
Cryptographic keys
Key creation
Key length
Key distribution
Secure key storage
Quantities of keys
Key escrow (archival) and recovery
Key lifetime or the cryptoperiod
Initialization vectors
Hashing algorithm/message digest
Attacks on hashing algorithms
Strong cryptography
Symmetric key algorithms and cryptosystems
Symmetric keystream ciphers
RC4
Symmetric key block ciphers
Data Encryption Algorithm (DEA) and Data Encryption Standard (DES)
Double DES (2DES)
Triple DES (TDES or 3DES)
Advanced Encryption Standard (AES)
International Data Encryption Algorithm (IDEA)
Rivest Cipher 5 (RC5) and RC6
Blowfish and Twofish
Modes of symmetric key block ciphers
Electronic Code Book (ECB)
Cipher block chaining (CBC)
Output Feedback mode (OFB)
Cipher Feedback mode (CFB)
Counter mode (CTR)
Signing and sealing using symmetric key algorithms
Signing by using symmetric key algorithms
MAC Versus Digital Signature
Hashed Message Authentication Code (HMAC)
Cipher Block Chaining Message Authentication Code (CBC-MAC)
Cipher-Based Message Authentication Code (CMAC)
Sealing by using symmetric key algorithms
Weaknesses in symmetric key algorithms
Asymmetric key algorithms and cryptosystems
Signing by using asymmetric key algorithms in a hybrid cryptosystem
Sealing by using asymmetric key algorithms in a hybrid cryptosystem
Sending to multiple recipients when sealing
Signing and sealing messages
Asymmetric key algorithms
Diffie-Hellman-Merkle (or just Diffie-Hellman)
RSA
Elliptic Curve Cryptography (ECC)
ElGamal
Digital Signature Standard (DSS)
LUC
XTR
Knapsack
Cryptography in use
Link encryption
End-to-end encryption
Public key infrastructure
The certification authority (CA)
The registration authority (RA)
Trusting a certification authority or PKI
The X.509 digital certificate
The certificate repository
Certificate revocation
Pretty Good Privacy (PGP)
Secure channels for LAN-based applications
Secure shell (SSH)
Point-to-Point Tunneling Protocol (PPTP)
Internet Protocol Security (IPsec)
Internet Key Exchange (IKE)
Authentication Header (AH)
Encapsulating Security Payload (ESP)
Transport Mode
Tunnel Mode
Layer Two Tunneling Protocol (L2TP)
Secure Socket Tunneling Protocol (SSTP)
Secure channels for web-based applications
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Hypertext Transfer Protocol over SSL/TLS (HTTPS)
Secure Hypertext Transfer Protocol (S-HTTP)
Secure File Transfer Protocol (SFTP) and FTP over SSL (FTPS)
Secure Electronic Transaction (SET)
Secure Multipurpose Internet Message Extensions (S/MIME)
Steganography
Watermarks
Attacks on cryptography
Ciphertext-only attack
Known plaintext attack
Chosen plaintext attack
Chosen ciphertext attack
Adaptive attacks
Exercises
Exercise 3-1
Exercise 3-2
Chapter summary
Chapter review
Answers
Exercise 3-1
Exercise 3-2
Chapter review
4. Physical (environmental) security
Physical security in a layered defense model
Planning the design of a secure facility
First line of defense
Threats to physical security
Liability of physical design
Designing a physical security program
Crime prevention through environmental design
Physical controls
Building Materials
Security Zones
Data Center Location
Target hardening
Full wall versus partition
Window design
Doors
Locks
Key management
Fences
Emanations protection
Wireless Communications
Cables
Tempest
Faraday Cage
White Noise
Security guards: Advantages and disadvantages
Guard dogs
Piggybacking or tailgating
Physical access controls
Fail safe and fail secure
Signage
Lighting
CCTV cameras
Field of View and Focal Lengths
Depth of Field and Irises
Camera Mounting
Monitoring Station
Securing portable devices
Cable locks
Password policy
Disk encryption
Asset tracking
Wiping the disk
Suggested target-hardening procedures
Intrusion detection
Acoustic sensors
Photoelectric sensors
Proximity detectors
Pressure mats
Contact switches
Heating, ventilation, and air conditioning systems
Temperature and humidity considerations
Failure recovery
Service-level agreements
Secondary power supplies
Electricity considerations
Water detectors
Periodic walkthroughs and inspections
Auditing and logging
Fire prevention, detection, and suppression
Four legs of a fire
Fire detection
Fire detectors
Five classes of fires
Sprinkler systems
Wet pipe sprinkler systems
Dry pipe sprinkler systems
Pre-action sprinkler systems
Deluge sprinkler systems
Fire suppression agents
Gases
Halon Gases and Their Alternatives
CO2
Countdown Timers
Dry chemicals
Fire extinguishers
Fire extinguisher ratings
Fire extinguisher suppressants
Fire extinguisher status/inspection
Fire plan and drill
Roles and responsibilities
Evacuation routes
Training and awareness
Exercises
Exercise 4-1
Exercise 4-2
Exercise 4-3
Exercise 4-4
Exercise 4-5
Chapter summary
Chapter review
Answers
Exercise 4-1
Exercise 4-2
Exercise 4-3
Exercise 4-4
Exercise 4-5
Chapter review
5. Security architecture and design
Identifying architectural boundaries
Computer hardware and operating systems
Computer hardware
The central processing unit (CPU)
CISC and RISC CPU Chips
Uni-Processing Systems and Multiprocessing Systems
Scalar, Superscalar, and Pipelined Processors
Memory
The address bus and the data bus
Peripherals
Security opportunities within the computer hardware
The operating system
Multiprogramming
Multitasking
Multithreading
Processes
The buffer overflow attack
The memory manager
Logical Memory Addressing
Virtual Memory
Shared Content in Memory
The mandatory access control (MAC) model and security modes
Dedicated Security Mode
System High Security Mode
Compartmented Security Mode
Multi-Level Security Mode
Application architecture
Service-oriented architecture
Distributed systems
Peer-to-peer networks
Virtualization
Cloud computing
Grid computing
Frameworks for security
International Organization for Standardization (ISO) 27000 series
The Zachman Framework for enterprise architecture
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Control Objectives for Information and Related Technology (COBIT)
Information Technology Infrastructure Library (ITIL)
Generally Accepted Information Security Principles (GAISP)
National Institute of Standards and Technology (NIST) Special Publication 800 (SP 800) series
Security models
State machine model
Information flow model
Noninterference model
Bell-LaPadula model
Biba model
Clark-Wilson model
Brewer-Nash model
Certification and accreditation (C&A)
Trusted Computing System Evaluation Criteria (TCSEC)
Information Technology Security Evaluation Criteria (ITSEC)
Common Criteria
Legal and regulatory compliance
Payment Card Industry-Data Security Standard (PCI-DSS)
Sarbanes-Oxley Act of 2002 (SOX)
Gramm-Leach-Bliley Act of 1999 (GLBA)
Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA)
Exercises
Exercise 5-1
Exercise 5-2
Chapter summary
Chapter review
Answers
Exercise 5-1
Exercise 5-2
Chapter review
6. Legal, regulations, investigations, and compliance
Computer crimes
Is it a crime?
A global perspective of laws regarding computer crime
The codified law system
The common law system
Criminal law
Administrative law or regulatory law
Civil law
The customary law system
The religious law system
Hybrid law systems
The difference between laws and regulations
Protecting intellectual property
Patents
Copyrights
Trademarks
Trade secrets
Protecting privacy
The EU Data Protection Directive
US privacy laws and regulations
Industry regulations that protect privacy
Auditing for compliance
Employee privacy issues
Trans-border information flow
Litigation
Governance of third parties
Software licensing
Investigating computer crime
When to notify law enforcement
Incident response
CSIRT
The CSIRT plan
Monitor
Detection
Notification
Triage
Investigation
Containment
Analysis
Tracking
Recovery
Reporting
Prevention
Evidence
Evidence life cycle
Admissibility of evidence
Types of evidence
Forensic investigations
Forensic analysis
Preparing clone disks
Analyzing the content on the clone disk
Free Space and Slack Space
Hidden Content
Other Content for Analysis
Exercises
Exercise 6-1
Exercise 6-2
Chapter summary
Chapter review
Answers
Exercise 6-1
Exercise 6-2
Chapter review
7. Telecommunications and network security
The Open Systems Interconnection (OSI) Model
The seven layers of the OSI Model
Layer 7: The Application layer
Layer 6: The Presentation layer
Layer 5: The Session layer
Layer 4: The Transport layer
TCP and UDP
The TCP Three-Way Handshake
Ports and Sockets
Layer 3: The Network layer
Internet Protocol Version 4
Internet Protocol Version 6
Name Resolution to Get the Destination IP Address
The Routing Decision
Routing
Layer 2: The Data Link layer
The Institute for Electrical and Electronics Engineers (IEEE) 802 Specifications
Layer 1: The Physical layer
The TCP/IP model
Transmission media and technologies
Media types
Emanations
Signal degradation
Cables
Coax
Twisted-Pair Cables—UTP and STP
Fiber Optic Cables
Wireless Networking
Encoding data into signals
Analog encoding
Digital encoding
Synchronous and Asynchronous Signaling
Networking topologies
Circuit-switched versus packet-switched networks
Multiplexing
Whose network is it, anyhow?
Packet transmission modes
Media access methods
Network devices
Devices within the OSI Model
Layer 1 devices
Layer 2 devices
Layer 3 devices
Layer 7 devices
Mainframe computers
Client/endpoint systems
Remote access by client/endpoint systems
Bastion hosts/hardened systems
Firewalls
Generation 1 firewall: Packet filter
Generation 2 firewall: Proxy server
Generation 3 firewall: Stateful inspection
Generation 4 firewall: Dynamic packet filtering
Generation 5 firewall: Kernel proxy
Firewalls in use
Ingress and egress filters
Network address translation
Name resolution
Dynamic Host Configuration Protocol
The virtual private network server
Protocols, protocols, and more protocols
Internet Protocol version 4
Internet Protocol version 6
The TCP/IP Protocol suite
Commonly used protocols
Routing protocols
Virtual private network protocols
Authentication protocols
PAN, LAN, MAN, WAN, and more
Personal area networks
Local area networks
Metropolitan area networks
Wide area networks
Private Branch Exchange (PBX)
Voice over Internet Protocol
Wireless networking
Wireless networking basics
Frequency Hopping Spread Spectrum
Direct Sequence Spread Spectrum
Roaming
Wireless security
WEP, WPA, and WPA2
802.11n and 802.11ac: multiple input, multiple output
Worldwide Interoperability for Microwave Access
Cellular networking
Attacking the network
Types of attacks
Denial of service attack
Distributed denial of service attack
Information theft
Attacks on wireless networks
Attacks on phone systems and cell phones
Telephone Slamming
Exercises
Exercise 7-1
Exercise 7-2
Exercise 7-3
Chapter summary
Chapter review
Answers
Exercise 7-1
Exercise 7-2
Exercise 7-3
Chapter review
8. Business continuity and disaster recovery planning
Disaster recovery plan and the business continuity plan
The disaster recovery plan
The business continuity plan
Stages of the planning process
Defining need for DRP and BCP in the enterprise framework
Define the planning project leader
Define the scope of the planning project
Define the DRP and BCP planning team
Define the DRP and BCP planning budget and schedule
Perform the business impact analysis
Identifying Business and Dependency Functions and Support
Determine MTD for Each Business Function
Perform Vulnerability, Threat, and Risk Analysis for Functions and Support
Develop the plans: Proposals
Identify preventive controls
Develop disaster recovery plans and strategy
Alternative procedures
Compliance
Increased operating costs
Recovery of the workspace
Get it settled now
Location of secondary facilities
Parallel processing facilities
Collocation of processes
Alternate (owned) sites
Subscription services: Leased sites, hot, warm, and cold
Hot Sites
Warm Sites
Cold Sites
Tertiary sites
Rolling hot sites
Reciprocal agreements
Recovery of supply systems
Heating, Ventilation, and Air Conditioning
Electricity
Deliveries Inbound and Outbound
Recovery of technologies
Documentation
Deliveries or In-House Inventory
Redundancy and Fault Tolerance
Compatibility
Communications
Security standards
Recovery of data
Recovery Point Objective (RPO)
Recovery Time Objective
Storage Location
Security Requirements
Disk Mirroring and Database Mirroring
Disk Shadowing and Database Shadowing
Transaction Journaling
Backup strategies and storage
The Full Backup
The Incremental Backup
The Differential Backup
Electronic Vaulting
Tape Vaulting
Collocation of Data
Practice Restores of the Data
Recovery of people and critical personnel
Developing the BCP (reconstitution guidelines)
Presentation to senior management
Implementing the approved plans
Components of the plans
Overview
Roles and responsibilities
Activation of the disaster recovery procedures
Recovery plans for the critical business functions
Business continuity guidelines
Finishing touches
Plans for Testing the Plans
Maintaining the Plans
Training
Appendices
Share the accomplishment with the world?
Exercises
Exercise 8-1
Exercise 8-2
Chapter summary
Chapter review
Answers
Exercise 8-1
Exercise 8-2
Chapter review
9. Software development security
The need for improved security in software
Maturity models
The software development life cycle
Project initiation
Functional design
System design
Software development
Installation and testing
Operation and maintenance
Regression testing
Change management
Configuration management
Disposal and end of life
Separation of duties
Software Capability Maturity Model Integration
Initial level
Managed level
Defined level
Quantitatively managed level
Optimized level
The IDEAL model
Software development models
Waterfall Model
Spiral Model
Rapid Application Development Model
Cleanroom Model
Computer-aided software engineering tools
Software testing
Software updating
Logging requirements
The software escrow
Programming concepts
The generations of programming languages
Object-oriented programming
Distributed computing
Processes sharing data on a single computer
Processes sharing data and processes on multiple computers across a network
Client and server applications
Web applications
Single sign on for web-based applications
The open web application security project (OWASP)
Mobile code
Database systems
Database models
Hierarchical databases
Network databases
Relational databases
Object-oriented databases
Accessing databases
Open database connectivity drivers
Constrained view
Polyinstantiation
Transaction processing
The ACID test for the development of transactions
Online transaction processing
Distributed databases
Increasing the value of data
Artificial intelligence
Fuzzy logic
Expert systems
Artificial neural network
Attacks on applications
Lack of validating and filtering data input
Failure to release memory securely
Residual maintenance hooks
Unintended (covert) communications channels
The covert timing channel
Race conditions
Malware
Exploit code
Virus
Worm
Trojan horse
Rootkits
Backdoors
Adware
Spyware
Ransomware
Keystroke loggers
Meme
Traffic analysis
Attacking web-based applications
Cross-site scripting attacks
The Nonpersistent Cross-Site Scripting Attack
The Persistent Cross-Site Scripting (XSS) Attack
The DOM-Based Cross-Site Scripting (XSS) Attack
Web cache poisoning
Hijacking webpages
Directory traversal attacks
Sensitive data retrieval
Cookies
Malware detection mechanisms
Signature-based detection
Heuristic-based detection
Behavior-based detection
Integrity validation
Exercises
Exercise 9-1
Exercise 9-2
Chapter summary
Chapter review
Answers
Exercise 9-1
Exercise 9-2
Answers to the chapter review
10. Operations security
The activities of operations
Roles in information technology
The data owner
The manager
The data custodian
The system custodian
The user
Remote access
Remote administration
Availability
User provisioning
Fraud protection
Administrative controls
Separation of Duties
Job Rotation
Mandatory Vacations
Dual Control
Physical access controls
Technical access controls
Technical detective controls
Vulnerability assessments
Vulnerability scanning
Privileged users
Penetration testing
The Penetration Testing Agreement
Testing Systems
Testing Facilities
Testing Personnel
The Starting Position of the Attacker
The Level of Disclosure
Hold Harmless
Confidentiality
Reporting
The Executive Summary
The Technical Report
Incident response
Data management
Data classification
Media management
The media library
Maintaining the systems that support the data
Mean time between failures (MTBF)
Single points of failure
Redundant Array of Independent Disks (RAID)
Parity
Redundant Array of Independent Tapes (RAIT)
Storage area networks (SAN)
Massive array of inactive disks (MAID)
Hierarchical storage management
Server redundancy
Collocation
Service-level agreements (SLAs)
Data backups
The Full Backup
The Full Plus Incremental Backup
The Full Plus Differential Backup
Practice Restores
Data retention
Secure deletion
Object reuse
Secure destruction
Fax security
Attacks on operations
Preventive measures
Common attacks and losses
Anatomy of a targeted attack
Target selection
Passive reconnaissance
Active reconnaissance
Exploit
Privilege escalation
Entrench
Cover tracks
Pillage
Pivot and attack
Exercises
Exercise 10-1
Exercise 10-2
Chapter summary
Chapter review
Answers
Exercise 10-1
Exercise 10-2
Chapter review
A. Additional resources
Additional resources available from (ISC)2
Miscellaneous additional resources
Chapter 1: Information security governance and risk management
Chapter 2: Access control
Chapter 3: Cryptography
Chapter 4: Physical (environmental) security
Chapter 5: Security architecture and design
Chapter 6: Legal, regulations, investigations and compliance
Chapter 7: Telecommunications and network security
Chapter 8: Business continuity and disaster recovery planning
Chapter 9: Software development security
Chapter 10: Operations security
B. About the author
Index
About the Author
Copyright