CISSP Study Guide,
Edition 1
By Eric Conrad, Seth Misenar and Joshua Feldman

Publication Date: 26 Jul 2010
Description
CISSP Study Guide serves as a review for those who want to take the Certified Information Systems Security Professional (CISSP) exam and obtain CISSP certification. The exam is designed to ensure that someone who handles computer security in a company has a standardized body of knowledge. The book is organized around the 10 domains of the Common Body of Knowledge, and each chapter defines its domain. It also provides tips on how to prepare for and take the exam, and contains CISSP practice quizzes to test one's knowledge. The first domain covers risk analysis and mitigation and also discusses security governance. The second domain discusses different techniques for access control, which is the basis for all the security disciplines. The third domain explains the concepts behind cryptography, a secure way of communicating that is understood only by certain recipients. Domain 5 discusses security system design, which is fundamental to operating the system and software security components. Domain 6, Business Continuity Planning and Disaster Recovery Planning, is a critical domain in the Common Body of Knowledge: it is the final control against extreme events such as injury, loss of life, or failure of an organization. Domains 7, 8, and 9 discuss telecommunications and network security, application development security, and the operations domain, respectively. Domain 10 focuses on the major legal systems that provide a framework for determining the laws about information systems.

Key Features

  • Clearly Stated Exam Objectives
  • Unique Terms / Definitions
  • Exam Warnings
  • Helpful Notes
  • Learning By Example
  • Stepped Chapter Ending Questions
  • Self Test Appendix
  • Detailed Glossary
  • Web Site (http://booksite.syngress.com/companion/conrad) Contains Two Practice Exams and Ten Podcasts, One for Each Domain


About the author
By Eric Conrad, CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GAWN, GSEC, Security+, SANS-certified instructor and President of Backshore Communications; Seth Misenar, CISSP, GPEN, GCIH, GCIA, GCFA, GWAPT, GCWN, GSEC, MCSE, MCDBA, SANS-certified instructor and lead consultant for Context Security, and Joshua Feldman, CISSP
Table of Contents

Acknowledgments

About the authors

Chapter 1 Introduction

    How to Prepare for the Exam

         The Notes Card Approach

         Practice Tests

         Read the Glossary

         Readiness Checklist

    How to Take the Exam

         Steps to Becoming a CISSP

         Exam Logistics

         How to Take the Exam

         After the Exam

    Good Luck!

Chapter 2 Domain 1: Information security governance and risk management

    Unique Terms and Definitions

    Introduction

    Cornerstone Information Security Concepts

         Confidentiality, Integrity, and Availability

         Identity and Authentication, Authorization, and Accountability

    Risk Analysis

         Assets

         Threats and Vulnerabilities

         Risk = Threat × Vulnerability

         Impact

         Risk Analysis Matrix

         Calculating Annualized Loss Expectancy

         Total Cost of Ownership

         Return on Investment

         Risk Choices

         Qualitative and Quantitative Risk Analysis

         The Risk Management Process

    Information Security Governance

         Security Policy and Related Documents

         Security Awareness and Training

         Roles and Responsibilities

         Compliance with Laws and Regulations

         Privacy

         Due Care and Due Diligence

         Best Practice

         Outsourcing and Offshoring

         Auditing and Control Frameworks

         Certification and Accreditation

    Ethics

         The (ISC)2 © Code of Ethics

    Summary of Exam Objectives

    Self Test

    Self Test Quick Answer Key

Chapter 3 Domain 2: Access control

    Unique Terms and Definitions

    Introduction

    Cornerstone Access Control Concepts

         The CIA triad

         Identification and AAA

         Subjects and objects

    Access Control Models

         Discretionary Access Controls (DAC)

         Mandatory Access Controls (MAC)

         Non-Discretionary Access Control

         Content and Context-Dependent Access Controls

         Centralized Access Control

         Decentralized Access Control

         Access Control Protocols and Frameworks

    Procedural Issues for Access Control

         Labels, Clearance, Formal Access Approval, and Need to Know

         Rule-Based Access Controls

         Access Control Lists

    Access Control Defensive Categories and Types

         Preventive

         Detective

         Corrective

         Recovery

         Deterrent

         Compensating

         Comparing Access Controls

    Authentication Methods

         Type 1 Authentication: Something You Know

         Type 2 Authentication: Something You Have

         Type 3 Authentication: Something You Are

         Someplace You Are

    Access Control Technologies

         Single Sign-On (SSO)

         Kerberos

         SESAME

         Security Audit Logs

    Types of Attackers

         Hackers

         Black Hats and White Hats

         Script Kiddies

         Outsiders

         Insiders

         Hacktivist

         Bots and BotNets

         Phishers and Spear Phishers

    Assessing Access Control

         Penetration Testing

         Vulnerability Testing

         Security Audits

         Security Assessments

    Summary of Exam Objectives

    Self Test

    Self Test Quick Answer Key

Chapter 4 Domain 3: Cryptography

    Unique Terms and Definitions

    Introduction

    Cornerstone Cryptographic Concepts

         Key Terms

         Confidentiality, Integrity, Authentication, and Non-Repudiation

         Confusion, Diffusion, Substitution, and Permutation

         Cryptographic Strength

         Monoalphabetic and Polyalphabetic Ciphers

         Modular Math

         Exclusive Or (XOR)

         Types of Cryptography

    History of Cryptography

         Egyptian Hieroglyphics

         Spartan Scytale

         Caesar Cipher and other Rotation Ciphers

         Vigenère Cipher

         Cipher Disk

         Jefferson Disks

         Book Cipher and Running-Key Cipher

         Codebooks

         One-Time Pad

         Hebern Machines and Purple

         Cryptography Laws

    Symmetric Encryption

         Stream and Block Ciphers

         Initialization Vectors and Chaining

         Data Encryption Standard

         International Data Encryption Algorithm (IDEA)

         Advanced Encryption Standard (AES)

         Blowfish and Twofish

         RC5 and RC6

    Asymmetric Encryption

         Asymmetric Methods

    Hash Functions

         Collisions

         MD5

         Secure Hash Algorithm

         HAVAL

    Cryptographic Attacks

         Brute Force

         Known Plaintext

         Chosen Plaintext and Adaptive Chosen Plaintext

         Chosen Ciphertext and Adaptive Chosen Ciphertext

         Meet-in-the-middle Attack

         Known Key

         Differential Cryptanalysis

         Linear Cryptanalysis

         Side-channel Attacks

         Birthday Attack

         Key Clustering

    Implementing Cryptography

         Digital Signatures

         HMAC

         CBC-MAC

         Public Key Infrastructure

         IPsec

         SSL and TLS

         PGP

         S/MIME

         Escrowed Encryption

         Steganography

         Digital Watermarks

    Summary of Exam Objectives

    Self Test

    Self Test Quick Answer Key

Chapter 5 Domain 4: Physical (Environmental) security

    Unique Terms and Definitions

    Introduction

    Perimeter Defenses

         Fences

         Gates

         Bollards

         Lights

         CCTV

         Locks

         Smart Cards and Magnetic Stripe Cards

         Tailgating/Piggybacking

         Mantraps and Turnstiles

         Contraband Checks

         Motion Detectors and Other Perimeter Alarms

         Doors and Windows

         Walls, Floors, and Ceilings

         Guards

         Dogs

         Restricted Areas and Escorts

    Site Selection, Design, and Configuration

         Site Selection Issues

         Site Design and Configuration Issues

    System Defenses

         Asset Tracking

         Port Controls

         Drive and Tape Encryption

         Media Storage and Transportation

         Media Cleaning and Destruction

    Environmental Controls

         Electricity

         HVAC

         Heat, Flame, and Smoke Detectors

         Safety Training and Awareness

         ABCD Fires and Suppression

         Types of Fire Suppression Agents

    Summary of Exam Objectives

    Self Test

    Self Test Quick Answer Key

Chapter 6 Domain 5: Security architecture and design

    Unique Terms and Definitions

    Introduction

    Secure System Design Concepts

         Layering

         Abstraction

         Security Domains

         The Ring Model

         Open and Closed Systems

    Secure Hardware Architecture

         The System Unit and Motherboard

         The Computer Bus

         The CPU

         Memory

         Memory Protection

    Secure Operating System and Software Architecture

         The Kernel

         Users and File Permissions

         Virtualization

         Thin Clients

    System Vulnerabilities, Threats, and Countermeasures

         Emanations

         Covert Channels

         Buffer Overflows

         TOCTOU/Race Conditions

         Backdoors

         Malicious Code (Malware)

         Server-Side Attacks

         Client-Side Attacks

         Web Application Attacks

         Mobile Device Attacks

         Database Security

         Countermeasures

    Security Models

         Reading Down and Writing Up

         State Machine Model

         Bell-LaPadula Model

         Lattice-Based Access Controls

         Integrity Models

         Information Flow Model

         Chinese Wall Model

         Noninterference

         Take-Grant

         Access Control Matrix

         Zachman Framework for Enterprise Architecture

         Graham-Denning Model

         Harrison-Ruzzo-Ullman Model

         Modes of Operation

    Evaluation Methods, Certification, and Accreditation

         The Orange Book

         ITSEC

         The International Common Criteria

         PCI-DSS

         Certification and Accreditation

    Summary of Exam Objectives

    Self Test

    Self Test Quick Answer Key

Chapter 7 Domain 6: Business continuity and disaster recovery planning

    Unique Terms and Definitions

    Introduction

    BCP and DRP Overview and Process

         Business Continuity Planning (BCP)

         Disaster Recovery Planning (DRP)

         Relationship between BCP and DRP

         Disasters or Disruptive Events

         The Disaster Recovery Process

    Developing a BCP/DRP

         Project Initiation

         Scoping the Project

         Assessing the Critical State

         Conduct Business Impact Analysis (BIA)

         Identify Preventive Controls

         Recovery Strategy

         Related Plans

         Plan Approval

    Backups and Availability

         Hardcopy Data

         Electronic Backups

         Software Escrow

    DRP Testing, Training, and Awareness

         DRP Testing

         Training

         Awareness

    Continued BCP/DRP Maintenance

         Change Management

         BCP/DRP Mistakes

    Specific BCP/DRP Frameworks

         NIST SP 800-34

         ISO/IEC-27031

         BS-25999

         BCI

    Summary of Exam Objectives

    Self Test

    Self Test Quick Answer Key

Chapter 8 Domain 7: Telecommunications and network security

    Unique Terms and Definitions

    Introduction

    Network Architecture and Design

         Network Defense-in-Depth

         Fundamental Network Concepts

         The OSI Model

         The TCP/IP Model

         Encapsulation

         Network Access, Internet and Transport Layer Protocols and Concepts

         Application Layer TCP/IP Protocols and Concepts

         Layer 1 Network Cabling

         LAN Technologies and Protocols

         LAN Physical Network Topologies

         WAN Technologies and Protocols

    Network Devices and Protocols

         Repeaters and Hubs

         Bridges

         Switches

         TAPs

         Routers

         Firewalls

         Modem

         DTE/DCE and CSU/DSU

         Intrusion Detection Systems and Intrusion Prevention Systems

         Honeypots

         Network Attacks

         Network Scanning Tools

    Secure Communications

         Authentication Protocols and Frameworks

         VPN

         VoIP

         Wireless Local Area Networks

         RFID

         Remote Access

    Summary of Exam Objectives

    Self Test

    Self Test Quick Answer Key

Chapter 9 Domain 8: Application development security

    Unique Terms and Definitions

    Introduction

    Programming Concepts

         Machine Code, Source Code, and Assemblers

         Compilers, Interpreters, and Bytecode

         Procedural and Object-Oriented Languages

         Fourth-generation Programming Language

         Computer-Aided Software Engineering (CASE)

         Top-Down versus Bottom-Up Programming

         Types of Publicly Released Software

    Application Development Methods

         Waterfall Model

         Sashimi Model

         Agile Software Development

         Spiral

         Rapid Application Development (RAD)

         Prototyping

         SDLC

         Software Escrow

    Object-Orientated Design and Programming

         Object-Oriented Programming (OOP)

         Object Request Brokers

         Object-Oriented Analysis (OOA) and Object-Oriented Design (OOD)

    Software Vulnerabilities, Testing, and Assurance

         Software Vulnerabilities

         Software Testing Methods

         Disclosure

         Software Capability Maturity Model (CMM)

    Databases

         Types of Databases

         Database Integrity

         Database Replication and Shadowing

         Data Warehousing and Data Mining

    Artificial Intelligence

         Expert Systems

         Artificial Neural Networks

         Bayesian Filtering

         Genetic Algorithms and Programming

    Summary of Exam Objectives

    Self Test

    Self Test Quick Answer Key

Chapter 10 Domain 9: Operations security

    Unique Terms and Definitions

    Introduction

    Administrative Security

         Administrative Personnel Controls

         Privilege Monitoring

    Sensitive Information/Media Security

         Sensitive Information

    Asset Management

         Configuration Management

         Change Management

    Continuity of Operations

         Service Level Agreements (SLA)

         Fault Tolerance

    Incident Response Management

         Methodology

         Types of Attacks

    Summary of Exam Objectives

    Self Test

    Self Test Quick Answer Key

Chapter 11 Domain 10: Legal regulations, investigations, and compliance

    Unique Terms and Definitions

    Introduction

    Major Legal Systems

         Civil Law (legal system)

         Common Law

         Religious Law

         Other Systems

    Criminal, Civil, and Administrative Law

         Criminal Law

         Civil Law

         Administrative Law

    Information Security Aspects of Law

         Computer Crime

         Intellectual Property

         Import/export Restrictions

         Privacy

         Liability

    Legal Aspects of Investigations

         Digital Forensics

         Incident Response

         Evidence

         Evidence Integrity

         Chain of Custody

         Reasonable Searches

         Entrapment and Enticement

    Important Laws and Regulations

         U.S. Computer Fraud and Abuse Act

         USA PATRIOT Act

         HIPAA

         United States Breach Notification Laws

    Ethics

         Computer Ethics Institute

         IAB’s Ethics and the Internet

         The (ISC)2 © Code of Ethics

    Summary of Exam Objectives

    Self Test

    Self Test Quick Answer Key

Appendix: Self test

Glossary

Index

Book details
ISBN: 9781597495639
Page Count: 0
Retail Price: £36.99
  • Harris: CISSP All-in-One Exam Guide, 4e, (McGraw, 11/2007), ISBN: 9780071497879, 1145 pages, $79.95, Bookscan: 19,045
  • Tipton: Official (ISC)2 Guide to the CISSP CBK, (Auerbach, 11/2006), ISBN: 9780849382314, $73.95, Bookscan: 7726
  • Miller: CISSP for Dummies, (Wiley, 3/2007), ISBN: 9780470124260, 432 pages, $39.99, Bookscan: 5531
Audience
This study guide and the CISSP certification are aimed at information security professionals with at least 5 years of relevant experience.