CISSP® Certified Information Systems Security Professional Official PDF

Table of Contents Cover Table of Contents Title Page Copyright Dedication Acknowledgments About the Authors About the Technical Editors Introduction Overview of the CISSP Exam The Elements of This Study Guide Interactive Online Learning Environment and Test Bank Study Guide Exam Objectives Objective Map How to Contact the Publisher Assessment Test Answers to Assessment Test Chapter 1: Security Governance Through Principles and Policies Security 101 Understand and Apply Security Concepts Security Boundaries Evaluate and Apply Security Governance Principles Manage the Security Function Security Policy, Standards, Procedures, and Guidelines Threat Modeling Supply Chain Risk Management Summary Study Essentials Written Lab Review Questions Chapter 2: Personnel Security and Risk Management Concepts Personnel Security Policies and Procedures Understand and Apply Risk Management Concepts Social Engineering Establish and Maintain a Security Awareness, Education, and Training Program Summary Study Essentials Written Lab Review Questions Chapter 3: Business Continuity Planning Planning for Business Continuity Project Scope and Planning Business Impact Analysis Continuity Planning Plan Approval and Implementation Summary Study Essentials Written Lab Review Questions Chapter 4: Laws, Regulations, and Compliance Categories of Laws Laws State Privacy Laws Compliance Contracting and Procurement Summary Study Essentials Written Lab Review Questions Chapter 5: Protecting Security of Assets Identifying and Classifying Information and Assets Establishing Information and Asset Handling Requirements Data Protection Methods Understanding Data Roles Using Security Baselines Summary Study Essentials Written Lab Review Questions Chapter 6: Cryptography and Symmetric Key Algorithms Cryptographic Foundations Modern Cryptography Symmetric Cryptography Cryptographic Life Cycle Summary Study Essentials Written Lab Review Questions Chapter 7: PKI and Cryptographic Applications Asymmetric Cryptography Hash Functions Digital Signatures Public Key Infrastructure Asymmetric Key Management Hybrid Cryptography Applied Cryptography Cryptographic Attacks Summary Study Essentials Written Lab Review Questions Chapter 8: Principles of Security Models, Design, and Capabilities Secure Design Principles Techniques for Ensuring CIA Understand the Fundamental Concepts of Security Models Select Controls Based on Systems Security Requirements Understand Security Capabilities of Information Systems Summary Study Essentials Written Lab Review Questions Chapter 9: Security Vulnerabilities, Threats, and Countermeasures Shared Responsibility Data Localization and Data Sovereignty Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements Client-Based Systems Server-Based Systems Industrial Control Systems Distributed Systems High-Performance Computing (HPC) Systems Real-Time Operating Systems Internet of Things Edge and Fog Computing Embedded Devices and Cyber-Physical Systems Microservices Infrastructure as Code Immutable Architecture Virtualized Systems Containerization Mobile Devices Essential Security Protection Mechanisms Common Security Architecture Flaws and Issues Summary Study Essentials Written Lab Review Questions Chapter 10: Physical Security Requirements Apply Security Principles to Site and Facility Design Implement Site and Facility Security Controls Implement and Manage Physical Security Summary Study Essentials Written Lab Review Questions Chapter 11: Secure Network Architecture and Components OSI Model TCP/IP Model Analyzing Network Traffic Common Application Layer Protocols Transport Layer Protocols Domain Name System Internet Protocol (IP) Networking ARP Concerns Secure Communication Protocols Implications of Multilayer Protocols Segmentation Edge Networks Wireless Networks Satellite Communications Cellular Networks Content Distribution Networks (CDNs) Secure Network Components Summary Study Essentials Written Lab Review Questions Chapter 12: Secure Communications and Network Attacks Protocol Security Mechanisms Secure Voice Communications Remote Access Security Management Multimedia Collaboration Monitoring and Management Load Balancing Manage Email Security Virtual Private Network Switching and Virtual LANs Network Address Translation Third-Party Connectivity Switching Technologies WAN Technologies Fiber-Optic Links Prevent or Mitigate Network Attacks Summary Study Essentials Written Lab Review Questions Chapter 13: Managing Identity and Authentication Controlling Access to Assets The AAA Model Implementing Identity Management Managing the Identity and Access Provisioning Life Cycle Summary Study Essentials Written Lab Review Questions Chapter 14: Controlling and Monitoring Access Comparing Access Control Models Implementing Authentication Systems Zero-Trust Access Policy Enforcement Understanding Access Control Attacks Summary Study Essentials Written Lab Review Questions Chapter 15: Security Assessment and Testing Building a Security Assessment and Testing Program Performing Vulnerability Assessments Testing Your Software Training and Exercises Implementing Security Management Processes and Collecting Security Process Data Summary Exam Essentials Written Lab Review Questions Chapter 16: Managing Security Operations Apply Foundational Security Operations Concepts Address Personnel Safety and Security Provision Information and Assets Securely Apply Resource Protection Managed Services in the Cloud Perform Configuration Management (CM) Manage Change Manage Patches and Reduce Vulnerabilities Summary Study Essentials Written Lab Review Questions Chapter 17: Preventing and Responding to Incidents Conducting Incident Management Implementing Detection and Preventive Measures Logging and Monitoring Automating Incident Response Summary Study Essentials Written Lab Review Questions Chapter 18: Disaster Recovery Planning The Nature of Disaster Understand System Resilience, High Availability, and Fault Tolerance Recovery Strategy Recovery Plan Development Training, Awareness, and Documentation Testing and Maintenance Summary Study Essentials Written Lab Review Questions Chapter 19: Investigations and Ethics Investigations Major Categories of Computer Crime Ethics Summary Study Essentials Written Lab Review Questions Chapter 20: Software Development Security Introducing Systems Development Controls Establishing Databases and Data Warehousing Storage Threats Understanding Knowledge-Based Systems Summary Study Essentials Written Lab Review Questions Chapter 21: Malicious Code and Application Attacks Malware Malware Prevention Application Attacks Injection Vulnerabilities Exploiting Authorization Vulnerabilities Exploiting Web Application Vulnerabilities Application Security Controls Secure Coding Practices Summary Study Essentials Written Lab Review Questions Appendix A: Answers to Review Questions Chapter 1: Security Governance Through Principles and Policies Chapter 2: Personnel Security and Risk Management Concepts Chapter 3: Business Continuity Planning Chapter 4: Laws, Regulations, and Compliance Chapter 5: Protecting Security of Assets Chapter 6: Cryptography and Symmetric Key Algorithms Chapter 7: PKI and Cryptographic Applications Chapter 8: Principles of Security Models, Design, and Capabilities Chapter 9: Security Vulnerabilities, Threats, and Countermeasures Chapter 10: Physical Security Requirements Chapter 11: Secure Network Architecture and Components Chapter 12: Secure Communications and Network Attacks Chapter 13: Managing Identity and Authentication Chapter 14: Controlling and Monitoring Access Chapter 15: Security Assessment and Testing Chapter 16: Managing Security Operations Chapter 17: Preventing and Responding to Incidents Chapter 18: Disaster Recovery Planning Chapter 19: Investigations and Ethics Chapter 20: Software Development Security Chapter 21: Malicious Code and Application Attacks Appendix B: Answers to Written Labs Chapter 1: Security Governance Through Principles and Policies Chapter 2: Personnel Security and Risk Management Concepts Chapter 3: Business Continuity Planning Chapter 4: Laws, Regulations, and Compliance Chapter 5: Protecting Security of Assets Chapter 6: Cryptography and Symmetric Key Algorithms Chapter 7: PKI and Cryptographic Applications Chapter 8: Principles of Security Models, Design, and Capabilities Chapter 9: Security Vulnerabilities, Threats, and Countermeasures Chapter 10: Physical Security Requirements Chapter 11: Secure Network Architecture and Components Chapter 12: Secure Communications and Network Attacks Chapter 13: Managing Identity and Authentication Chapter 14: Controlling and Monitoring Access Chapter 15: Security Assessment and Testing Chapter 16: Managing Security Operations Chapter 17: Preventing and Responding to Incidents Chapter 18: Disaster Recovery Planning Chapter 19: Investigations and Ethics Chapter 20: Software Development Security Chapter 21: Malicious Code and Application Attacks Index End User License Agreement List of Tables Chapter 2 TABLE 2.1 Comparison of quantitative and qualitative risk analysis TABLE 2.2 Quantitative risk analysis formulas Chapter 5 TABLE 5.1 Securing email data TABLE 5.2 Unmodified data within a database TABLE 5.3 Masked data Chapter 6 TABLE 6.1 AND operation truth table TABLE 6.2 OR operation truth table TABLE 6.3 NOT operation truth table TABLE 6.4 Exclusive OR operation truth table TABLE 6.5 Using the Vigenère system TABLE 6.6 The encryption operation TABLE 6.7 Symmetric and asymmetric key comparison TABLE 6.8 Comparison of symmetric and asymmetric cryptography systems TABLE 6.9 Symmetric encryption memorization chart Chapter 7 TABLE 7.1 Hash algorithm memorization chart TABLE 7.2 Digital certificate formats Chapter 8 TABLE 8.1 Subjects and objects TABLE 8.2 Fail terms' definitions related to physical and digital products TABLE 8.3 An access control matrix TABLE 8.4 Common Criteria evaluation assurance levels Chapter 10 TABLE 10.1 Static voltage and damage TABLE 10.2 Fire extinguisher classes Chapter 11 TABLE 11.1 IP classes TABLE 11.2 IP classes' default subnet masks TABLE 11.3 802.11 wireless networking amendments TABLE 11.4 UTP categories Chapter 12 TABLE 12.1 Common load-balancing scheduling techniques TABLE 12.2 Circuit switching vs. packet switching TABLE 12.3 Bandwidth levels of SDH and SONET List of Illustrations Chapter 1 FIGURE 1.1 The CIA Triad FIGURE 1.2 The five elements of AAA services FIGURE 1.3 Strategic, tactical, and operational plan timeline comparison FIGURE 1.4 An example of diagramming to reveal threat concerns FIGURE 1.5 A risk matrix or risk heat map Chapter 2 FIGURE 2.1 Former employees must return all company property. FIGURE 2.2 The cyclical relationships of risk elements FIGURE 2.3 The six major elements of quantitative risk analysis FIGURE 2.4 The categories of security controls in a defense-in-depth impleme... FIGURE 2.5 The elements of the risk management framework (RMF) (from NIST SP... Chapter 3 FIGURE 3.1 Earthquake hazard map of the United States Chapter 5 FIGURE 5.1 Data classifications FIGURE 5.2 Clearing a hard drive Chapter 6 FIGURE 6.1 Challenge-response authentication protocol FIGURE 6.2 The magic door FIGURE 6.3 Symmetric key cryptography FIGURE 6.4 Asymmetric key cryptography Chapter 7 FIGURE 7.1 Asymmetric key cryptography FIGURE 7.2 Steganography tool FIGURE 7.3 Image with embedded message Chapter 8 FIGURE 8.1 Transitive trust FIGURE 8.2 The TCB, security perimeter, and reference monitor FIGURE 8.3 The take-grant model's directed graph FIGURE 8.4 The Bell–LaPadula model FIGURE 8.5 The Biba model FIGURE 8.6 The Clark–Wilson model Chapter 9 FIGURE 9.1 The four-layer protection ring model FIGURE 9.2 The life cycle of an executed process FIGURE 9.3 Types of hypervisors FIGURE 9.4 Application containers versus a hypervisor Chapter 10 FIGURE 10.1 A smartcard's ISO 7816 interface FIGURE 10.2 Hot and cold aisles FIGURE 10.3 The fire triangle FIGURE 10.4 The four primary stages of fire FIGURE 10.5 A secure physical boundary with a person trap and a turnstile Chapter 11 FIGURE 11.1 The OSI model FIGURE 11.2 OSI model encapsulation FIGURE 11.3 The OSI model peer layer logical channels FIGURE 11.4 OSI model layer-based network container names FIGURE 11.5 Comparing the OSI model with the TCP/IP model FIGURE 11.6 The TCP three-way handshake FIGURE 11.7 An RFID antenna FIGURE 11.8 The configuration dialog boxes for a transparent (left) versus a... FIGURE 11.9 A ring topology FIGURE 11.10 A linear bus topology and a tree bus topology FIGURE 11.11 A star topology FIGURE 11.12 A mesh topology Chapter 12 FIGURE 12.1 IPSec's encryption of a packet in transport mode FIGURE 12.2 IPSec's encryption of a packet in tunnel mode FIGURE 12.3 Two LANs being connected using a tunnel- mode VPN across the Inte... FIGURE 12.4 A client connecting to a network via a remote- access/tunnel VPN... Chapter 13 FIGURE 13.1 Hardware authenticator FIGURE 13.2 Software authenticator FIGURE 13.3 Graph of FRR and FAR errors indicating the CER point FIGURE 13.4 YubiKey passkey Chapter 14 FIGURE 14.1 Role-based access control FIGURE 14.2 A representation of the boundaries provided by lattice-based acc... FIGURE 14.3 NIST Zero-Trust core trust logical components FIGURE 14.4 Wireshark capture Chapter 15 FIGURE 15.1 Nmap scan of a web server run from a Linux system FIGURE 15.2 Default Apache server page running on the server scanned in Figu... FIGURE 15.3 Nmap scan of a large network run from a Mac system using the Ter... FIGURE 15.4 Network vulnerability scan of the same web server that was port... FIGURE 15.5 Web application vulnerability scan of the same web server that w... FIGURE 15.6 Scanning a database-backed application with Sqlmap FIGURE 15.7 Penetration testing process FIGURE 15.8 The Metasploit Framework automated system exploitation tool allo... FIGURE 15.9 Fagan inspections follow a rigid formal process, with defined en... FIGURE 15.10 Prefuzzing input file containing a series of 1s FIGURE 15.11 The input file from Figure 15.10 after being run through the zz... Chapter 16 FIGURE 16.1 Cloud shared responsibility model FIGURE 16.2 Creating and deploying images FIGURE 16.3 Web server and database server Chapter 17 FIGURE 17.1 Incident management FIGURE 17.2 SYN flood attack FIGURE 17.3 A man-in-the-middle attack FIGURE 17.4 Intrusion prevention system FIGURE 17.5 Viewing a log entry Chapter 18 FIGURE 18.1 Seismic hazard map FIGURE 18.2 Flood hazard map for Miami–Dade County, Florida FIGURE 18.3 Failover cluster with network load balancing Chapter 20 FIGURE 20.1 RStudio Desktop IDE FIGURE 20.2 Security vs. user-friendliness vs. functionality FIGURE 20.3 The iterative life cycle model with feedback loop FIGURE 20.4 The spiral life cycle mode FIGURE 20.5 Software Assurance Maturity Model FIGURE 20.6 The IDEAL model FIGURE 20.7 Gantt chart FIGURE 20.8 The DevOps model FIGURE 20.9 Hierarchical data model FIGURE 20.10 Customers table from a relational database FIGURE 20.11 ODBC as the interface between applications and a backend databa... Chapter 21 FIGURE 21.1 Account number input page FIGURE 21.2 Account information page FIGURE 21.3 Account information page after blind SQL injection FIGURE 21.4 Account creation page FIGURE 21.5 Example web server directory structure FIGURE 21.6 Message board post rendered in a browser FIGURE 21.7 XSS attack rendered in a browser FIGURE 21.8 Web application firewall FIGURE 21.9 SQL error disclosure ISC2® CISSP® Certified Information Systems Security Professional Official Study Guide Tenth Edition Mike Chapple, CISSP James Michael Stewart, CISSP Darril Gibson, CISSP Copyright © 2024 by John Wiley & Sons, Inc. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada and the United Kingdom. ISBNs: 9781394254699 (paperback), 9781394254712 (ePDF), 9781394254705 (ePub) No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission. Trademarks: WILEY, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. ISC2 and CISSP are trademarks or registered trademarks of International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book. Limit of Liability/Disclaimer of Warranty: While the publisher and authors have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572- 3993. For product technical support, you can find answers to frequently asked questions or reach us via live chat at https://sybexsupport.wiley.com. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com. Library of Congress Control Number: 2024935047 Cover image: © Getty Images Inc./Jeremy Woodhouse Cover design: Wiley To Darril Gibson, my friend and co-author of many years. You made a tremendous impact on the cybersecurity field and we will be eternally grateful for your contributions. —Mike Chapple To Cathy, I continue to love threading the zigzaggednesses of life with you. —James Michael Stewart Acknowledgments We'd like to express our thanks to Sybex for continuing to support this project. Extra thanks to the tenth edition developmental editor, Kelly Talbot, and technical editors, Shahla Pirnia and Rae Baker, who performed amazing feats in guiding us to improve this book. We also owe a debt of gratitude to our literary agent, Carole Jelen of Waterside Productions, for continuing to assist in nailing down these projects. Thanks for all your hard work herding us authors. We also want to express our condolences to the family and friends of Darril Gibson. Darril, you are missed. —Mike and Michael Special thanks go to my many friends and colleagues in the cybersecurity community who provided hours of interesting conversation and debate on security issues that inspired and informed much of the material in this book. I would like to thank the team at Wiley who provided invaluable assistance throughout the book development process. My coauthors, James Michael Stewart and Darril Gibson, were great collaborators and I'd like to thank them both for their thoughtful contributions to my chapters over the years. I'd also like to thank the many people who participated in the production of this book but whom I never had the chance to meet: the graphics team, the production staff, and all of those involved in bringing this book to press. —Mike Chapple Thanks to Mike Chapple for continuing your excellent contribution to this project. Thanks also to all my CISSP course students who have provided their insight and input to improve my training courseware and ultimately this tome. To my adoring wife, Cathy: every year is another wonderful experience with you. To Slayde and Remi: always remember that you are loved no matter where you go or what you become. To my mom, Johnnie: it is wonderful to have you close by. To Mark: no matter how much time has passed or how little we see each other, I have been and always will be your friend. And finally, as always, to Elvis: I've heard that when you make a sandwich, it's called a peanut butter and banana “Hunka Hunka Burning Lunch”! —James Michael Stewart About the Authors Mike Chapple, PhD, CISSP, Security+, CySA+, PenTest+, CISA, CISM, CCSP, CIPP/US, is a teaching professor of IT, analytics, and operations at the University of Notre Dame. In the past, he was chief information officer of Brand Institute and an information security researcher with the National Security Agency and the U.S. Air Force. His primary areas of expertise include network intrusion detection and access controls. Mike is the author of more than 200 books and video courses, including the companion book to this study guide: CISSP Official ISC2 Practice Tests, the CompTIA CySA+ Study Guide, the CompTIA Security+ (SY0-701) Study Guide, and Cyberwarfare: Information Operations in a Connected World. Mike offers study groups for the CISSP, SSCP, CCSP, Security+, and other major certifications on his website at www.certmike.com. James Michael Stewart, CISSP, CEH, CHFI, ECSA, CND, ECIH, CySA+, PenTest+, CASP+, Security+, Network+, A+, CTT+, CEI, and CFR, has been writing and training for more than 25 years, with a focus on security. He has been teaching CISSP training courses since 2002, not to mention other courses on internet security and ethical hacking/penetration testing. He is the author of and contributor to more than 80 books on security certification, Microsoft topics, and network administration. Michael is the author of the official online virtual lab sets for CompTIA's Security+, CASP+, and PenTest+, as well as hundreds of other labs focusing on Microsoft Windows, Linux, internet, and security concepts. More information about Michael can be found at his website at www.impactonline.com. Darril Gibson, CISSP (1958–2022), was the CEO of YCDA, LLC and regularly wrote and consulted on a wide variety of technical and security topics and held numerous other certifications, including MCSE, MCDBA, MCSD, MCITP, ITIL v3, and Security+. He authored or coauthored more than 30 books, including multiple prior editions of the CISSP Study Guide. Darril was greatly respected in the cybersecurity, training, and education fields and will be missed. About the Technical Editors Rae Baker is a senior open source intelligence analyst, public speaker, licensed private investigator, and Wiley author specializing in maritime intelligence and OSINT training. She is the owner of OSINT training company Kase Scenarios and she holds several prominent industry certificates, including SANS GOSI and Associate of ISC2 (CISSP). More information about Rae can be found at http://raebaker.net. Shahla Pirnia is a freelance technical editor and proofreader with a focus on cybersecurity and certification topics. She currently serves as a technical editor for CertMike.com. Shahla earned BS degrees in computer and information science and psychology from the University of Maryland Global Campus and an Associate of Arts in information systems from Montgomery College, Maryland. Shahla's IT certifications include CompTIA Security+, Network+, A+, and ISC2 CC. Introduction The ISC2® CISSP® Certified Information Systems Security Professional Official Study Guide, Tenth Edition, offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you've shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam. This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this CISSP Study Guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam. The information presented here in this Introduction was based on the publicly available documentation from ISC2 as of April 15, 2024. However, these details and exam parameters are subject to change at any time based upon ISC2 operational decisions. Please consult isc2.org to confirm, verify, or learn about updated exam specifics. Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary five years of cumulative full-time work experience (or four years if you have a college degree) in two or more of the eight domains covered by the CISSP exam. Part-time work and internship experience is also acceptable with conditions; see www.isc2.org/certifications/cissp/cissp-experience-requirements. If you are qualified to take the CISSP exam according to ISC2, then you are sufficiently prepared to use this book to study for it. For more information on ISC2, see the next section. Alternatively, ISC2 allows for a one-year reduction of the five-year experience requirement if you have earned one of the approved certifications from the ISC2 prerequisite pathway. As of Q1 2024, the qualified certifications are: AWS Certified Security - Specialty Certified in Governance, Risk and Compliance (CGRC) Certified Cloud Security Professional (CCSP) Certified Computer Examiner (CCE) Certified Ethical Hacker v8 or higher Certified Information Security Manager (CISM) Certified Information Systems Auditor (CISA) Certified Internal Auditor (CIA) Certified Protection Professional (CPP) from ASIS Certified in Risk and Information Systems Control (CRISC) Certified Secure Software Life cycle Professional (CSSLP) Certified Wireless Security Professional (CWSP) Cisco Certified CyberOps Associate/Professional Cisco Certified Internetwork Expert (CCIE) Security Cisco Certified Network Associate Security (CCNA Security) Cisco Certified Network Professional Security (CCNP Security) CIW Web Security Professional CIW Web Security Specialist CompTIA Advanced Security Practitioner (CASP+) CompTIA CySA+ CompTIA Security+ Computer Hacking Forensic Investigator (CHFI) CSA Certificate of Cloud Security Knowledge (CCSK) EC-Council Certified Security Specialist (ECSS) EC-Council Certified SOC Analyst (CSA) GIAC Certified Enterprise Defender (GCED) GIAC Certified Incident Handler (GCIH) GIAC Certified Intrusion Analyst (GCIA) GIAC Cyber Threat Intelligence (GCTI) GIAC Global Industrial Cyber Security Professional (GICSP) GIAC Information Security Fundamentals (GISF) GIAC Information Security Professional (GISP) GIAC Security Essentials Certificate (GSEC) GIAC Security Leadership Certification (GSLC) GIAC Strategic Planning, Policy, and Leadership (GSTRT) GIAC Systems and Network Auditor (GSNA) HealthCare Information Security and Privacy Practitioner (HCISPP) Information Security Management Systems Lead Auditor (IRCA) Information Security Management Systems Principal Auditor (IRCA) Juniper Networks Certified Internet Expert (JNCIE-SEC) Microsoft Identity and Access Management Microsoft Security Operations Analyst Microsoft Certified Cybersecurity Architect Offensive Security Certified Professional/Expert (OSCP/E) Systems Security Certified Practitioner (SSCP) For the complete and current list of qualifying certifications, visit www.isc2.org/certifications/cissp/cissp-experience-requirements. You can use only one of the experience reduction measures, either a college degree or a certification, not both. ISC2 offers an entry program known as an Associate of ISC2. This program allows someone without any or enough experience to qualify as a CISSP applicant to take the CISSP exam anyway and then obtain experience afterward. Associates are granted six years to obtain five years of security experience. Only after providing proof of such experience, usually by means of endorsement (discussed later), can the individual be awarded the full CISSP certification. If you are just getting started on your journey to CISSP certification and do not yet have the work experience, then our book can still be a useful tool in your preparation for the exam. However, you may find that some of the topics covered assume knowledge that you don't have. For those topics, you may need to do some additional research using other materials, and then return to this book to continue learning about the CISSP topics. ISC2 The CISSP exam is governed by the International Information System Security Certification Consortium ISC2. ISC2 is a global nonprofit organization. It has the mission of “ISC2 strengthens the influence, diversity and vitality of the field through advocacy, expertise and workforce empowerment that accelerates cyber safety and cybersecurity in an interconnected world.” ISC2 is operated by a board of directors elected from the ranks of its certified practitioners. ISC2 supports and provides a wide variety of certifications, including CISSP, ISSAP, ISSMP, ISSEP, SSCP, CCSM, CCSP, CGRCSM, and CSSLP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. You can obtain more information about ISC2 and its other certifications from its website at isc2.org. The CISSP credential is for security professionals “with the knowledge, skills and abilities to lead an organization's information security program.” Topical Domains The CISSP certification covers material from the eight topical domains. These eight domains are as follows: Domain 1: Security and Risk Management Domain 2: Asset Security Domain 3: Security Architecture and Engineering Domain 4: Communication and Network Security Domain 5: Identity and Access Management (IAM) Domain 6: Security Assessment and Testing Domain 7: Security Operations Domain 8: Software Development Security These eight domains provide a vendor-independent overview of a common security framework. This framework is the basis for a discussion on security practices that can be supported in all types of organizations worldwide. Prequalifications ISC2 has defined the qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least five years’ work experience or with four years’ experience and a recent IT or IS degree or an approved security certification (as mentioned previously). Professional experience is defined as security work performed (with or without pay) within two or more of the eight CISSP domains. Second, you must agree to adhere to a formal code of ethics. The ISC2 Code of Ethics is a set of guidelines ISC2 wants all certification candidates to follow to maintain professionalism in the field of information systems security. You can find the ISC2 Code of Ethics at isc2.org/ethics. Overview of the CISSP Exam The CISSP exam focuses on security from an overview perspective; it deals more with theory and concept than implementation and procedure. It is very broad but not very deep. To successfully complete this exam, you'll need to be familiar with every domain but not necessarily be a master of each domain. The CISSP exam is in an adaptive format that ISC2 calls CISSP CAT (Computerized Adaptive Testing). For complete details of this form of exam presentation, please see www.isc2.org/certifications/CISSP/CISSP-CAT. The CISSP CAT exam has a minimum of 100 questions and a maximum of 150. Not all items (i.e., questions) presented count toward your proficiency level, competency requirements, or passing status. There are 25 unscored questions that are called pre-test or unscored items by ISC2, whereas the scored questions are called operational items. The questions are not labeled on the exam as to whether they are scored (i.e., operational items) or unscored (i.e., pre-test questions). Test candidates will receive 25 unscored items on their exam, regardless of whether they achieve a passing rank at question 100 or see all of the 150 questions. However, an exam's pass/fail report is determined by only the last 75 operational items answered by the test candidate. The CISSP CAT grants a maximum of three (3) hours to take the exam. If you run out of time before achieving a passing rank, you will automatically fail. The CISSP CAT does not allow you to return to a previous question to change your answer. Your answer selection is final once you leave a question by submitting your answer selection. To pass the CISSP CAT exam, you must score 700 out of a possible 1000 points, within the last 75 operational items (i.e., questions). If you do not achieve the minimum passing score after submitting your answer to question 150, then you fail. If you run out of time, then you fail. If you do not pass the CISSP exam on your first attempt, you are allowed to retake the CISSP exam under the following conditions: You can take the CISSP exam a maximum of four times per 12- month period. (Note that on the CISSP CAT FAQ the limit is defined as 3 times per a 12-month period.) You must wait 30 days after your first attempt before trying a second time. You must wait an additional 60 days after your second attempt before trying a third time. You must wait an additional 90 days after your third or subsequent attempts before trying again. The exam retake policy may be updated; you can read the most current version of the official policy here: www.isc2.org/Exams/After- Your-Exam. You will need to pay full price for each additional exam attempt. However, ISC2 offers promotions from time to time that may allow you to retake an exam at no additional cost. This promotion has been called “Peace of Mind Protection,” but could be renamed. It is limited to first-time test-takers only and has time restrictions. Be sure to read the fine print before acting on any such promotional offers. The CISSP CAT exam is available in English, Chinese, German, Japanese, and Spanish. For more details and the most up-to-date information on the CISSP exam direct from ISC2, please visit www.isc2.org/Certifications/CISSP and download the CISSP Ultimate Guide and visit www.isc2.org/certifications/cissp/cissp- certification-exam-outline to download the CISSP Exam Outline. You might also find useful information on the ISC2 Insights blog at www.isc2.org/Insights. The total number of questions you may see on the exam, the total number of questions that count toward your score, the means and methods of scoring, and the time limit for the test are things that ISC2 reevaluates and changes from time to time. The best advice for preparing is to always recheck the ISC2 website for up to date exam specifications and policies. CISSP Exam Question Types Most of the questions on the CISSP exam are four-option, multiple- choice questions with a single correct answer. Some are straightforward, such as asking you to select a definition. Some are a bit more involved, asking you to select the appropriate concept or best practice. And some questions present you with a scenario or situation and ask you to select the best response. You must select the one correct or best answer and mark it. In some cases, the correct answer will be obvious to you. In other cases, several answers may seem correct. In these instances, you must choose the best answer for the question asked. Watch for general, specific, universal, superset, and subset answer selections. In other cases, none of the answers will seem correct. In these instances, you'll need to select the least incorrect answer. Some multiple-choice questions may require that you select more than one answer; if so, these will state what is necessary to provide a complete answer. In addition to the standard multiple-choice question format, the exam may include a few advanced question formats, which ISC2 calls advanced innovative questions. These include drag-and-drop questions and hotspot questions. These types of questions require you to place topics or concepts in order of operations, in priority preference, or in relation to proper positioning for the needed solution. Specifically, the drag-and-drop questions require the test taker to move labels or icons to mark items on an image. The hotspot questions require the test-taker to pinpoint a location on an image with a crosshair marker. These question concepts are easy to work with and understand, but be careful about your accuracy when dropping or marking. ISC2 introduced the advanced innovative questions in 2014. They maintained a page describing these questions until 2017. While they still use this phrase to reference the question concepts, they no longer provide an explanation or examples of these questions on their website. Advice on Taking the Exam The CISSP exam consists of two key elements. First, you need to know the material from the eight domains. Second, you must have good test-taking skills. You have a maximum of 3 hours to achieve a passing standard with the potential to see up to 150 questions. Thus, you will have on average just over a minute for each question, so it is important to work quickly, without rushing, but also without wasting time. Question skipping is not allowed on the CISSP CAT exam. You cannot return to view or change a previous question, and you're also not allowed to jump around, so one way or another, you have to come up with your best answer on each question as it is presented to you. If you don't know how to answer a question, then we recommend that you attempt to eliminate as many answer options as possible before making a guess. Then you can make educated guesses from a reduced set of options to increase your chance of getting a question correct. Since you have to answer every question presented, and you might not know the answer to some questions, you should develop a guessing strategy to select an answer promptly to minimize further wasting time. Also note that ISC2 does not disclose if there is partial credit given for multiple-part questions if you get only some of the elements correct. So, pay attention to questions with checkboxes, and be sure to select as many items as necessary to properly address the question. You will be provided with a dry-erase board and a marker to jot down thoughts and make notes. But nothing written on that board will be used to alter your score. That board must be returned to the test administrator prior to departing the test facility. To maximize your test-taking activities, here are some general guidelines: Read each question carefully, then read the answer options, and then reread the question. Eliminate wrong answers before selecting the correct one. Watch for double negatives. Pay attention to universal terms, such as always or never. Look for relationships between answer options, such as similes, antonyms, sets, groups, parent/child, category/example, etc. Be sure you understand what the question is asking. Manage your time. You can take breaks during your test, but this will consume some of your test time. You might consider bringing a drink and snacks, but your food and drink will be stored for you away from the testing area, and that break time will count against your test time limit. Be sure to bring any medications or other essential items, but leave all things electronic at home or in your car. You should avoid wearing anything on your wrists, including watches, fitness trackers, and jewelry. You are not allowed to bring any form of noise-canceling headsets or earbuds, although you can use foam earplugs. We also recommend wearing comfortable clothes and taking a light jacket with you (some testing locations are a bit chilly). You may want to review the ISC2 CISSP Glossary document at www.isc2.org/certifications/cissp/cissp-student-glossary. Finally, ISC2 exam policies are subject to change. Please be sure to check isc2.org for the current policies before you register and take the exam. Study and Exam Preparation Tips We recommend planning for a month or so of nightly intensive study for the CISSP exam. Here are some suggestions to maximize your learning time; you can modify them as necessary based on your own learning habits: Take one or two evenings to read each chapter in this book. Read and understand the Study Essentials for each chapter. Complete the written labs from each chapter. Answer all the review questions for each chapter. Be sure to research each question that you get wrong in order to learn what you didn't know. Review ISC2's Exam Outline to make sure you understand each listed item. Use the flashcards included with the online study tools to reinforce your understanding of concepts. Take the 4 full-length bonus practice exams provided in the online test engine. We recommend spending about half of your study time reading and reviewing concepts and the other half taking practice exams. Students have reported that the more time they spent taking practice exams, the better they retained test topics. In addition to the practice tests with this Study Guide, Sybex also publishes ISC2 CISSP Certified Information Systems Security Professional Official Practice Tests, 4th Edition (ISBN: 978-1- 394-25507-8). It contains 100 or more practice questions for each domain and four additional full-sized practice exams. Like this Study Guide, it also comes with an online version of the questions. Completing the Certification Process Once you have been informed that you successfully passed the CISSP certification, there is one final step before you are actually awarded the CISSP certification. That final step is known as endorsement. Basically, this involves getting someone who holds any ISC2 certification in good standing and is familiar with your work history to endorse you. Endorsement is the evaluation of your prerequisite qualifications (i.e., work experience) and the recommendation to ISC2 to award you the certification. Once you pass the CISSP exam, you will receive an email with instructions. However, you can review the endorsement application process at isc2.org/Endorsement. This URL is also where you initiate the endorsement process. You will need to know the ISC2 membership number of the person who will endorse you. If you registered for CISSP, then you must complete endorsement within nine months of your exam. If you registered for Associate of ISC2, then you have six years from your exam data to complete endorsement. Once ISC2 accepts your endorsement, the certification process will be completed and you will be sent a welcome packet with confirmation of the certification achieved. You should also receive an email confirmation of the endorsement process’s completion and another when the certification is awarded to you. Once you have achieved your CISSP certification, you must maintain it. You will need to earn 120 Continuing Professional Education (CPE) credits by your third-year anniversary. For details on earning and reporting CPEs, please consult the ISC2 Continuing Professional Education (CPE) Handbook (www.isc2.org/-/media/Project/ISC2/Main/Media/documents/members /CPE-Handbook-2023.pdf) and the CPE Opportunities page (www.isc2.org/members/cpe-opportunities). You will also be required to pay an annual maintenance fee (AMF) upon earning your certification and at each annual anniversary. For details on the AMF, please see the ISC2 CPE Handbook, www.isc2.org/Policies- Procedures/AMFs-Overview, and www.isc2.org/Policies- Procedures/Member-Policies. The Elements of This Study Guide Each chapter includes common elements to help you focus your studies and test your knowledge. Here are descriptions of those elements: Tips and Notes Throughout each chapter you will see inserted statements that you should pay additional attention to. These items are often focused details related to the chapter section or related important material. Summaries The summary is a brief review of the chapter to sum up what was covered. Study Essentials The Study Essentials highlight topics that could appear on the exam in some form. This section reinforces significant concepts that are key to understanding the concepts and topics of the chapter. The Study Essentials point out specific knowledge you want to retain from a chapter. Written Labs Each chapter includes written labs that synthesize various concepts and topics that appear in the chapter. These raise questions that are designed to help you put together various pieces you've encountered individually in the chapter and assemble them to propose or describe potential security strategies or solutions. We highly encourage you to write out your answers before viewing our suggested solutions in Appendix B. Chapter Review Questions Each chapter includes practice questions that have been designed to measure your knowledge of key ideas that were discussed in the chapter. After you finish each chapter, answer the questions; if some of your answers are incorrect, it's an indication that you need to spend some more time studying the corresponding topics. The answers to the practice questions can be found in Appendix A. Interactive Online Learning Environment and Test Bank Studying the material in the ISC2 CISSP: Certified Information Systems Security Professional Official Study Guide, Tenth Edition is an important part of preparing for the Certified Information Systems Security Professional (CISSP) certification exam, but we provide additional tools to help you prepare. The online Test Bank will help you understand the types of questions that will appear on the certification exam. The sample tests in the Test Bank include all the questions in each chapter as well as the questions from the Assessment test in this Introduction section. In addition, there are four bonus practice exams that you can use to evaluate your understanding and identify areas that may require additional study. These four additional practice exams include 125 questions each and cover the breadth of domain topics in a similar percentage ratio as the real exam. They can be used as real exam simulations to evaluate your preparedness. The online flashcards will push the limits of what you should know for the certification exam. The questions are provided in digital format. Each online flashcard has one question and one correct answer. The downloadable PDF glossary is a searchable list of key terms from this exam guide that you should know for the CISSP certification exam. A downloadble audio review is available where Mike Chapple reads aloud the Study Essentials from each chapter. You can listen to the audio review to keep your knowledge skills sharps as you go about your day. Its another means to sneak in a few more minutes of study time. To start using these to study for the exam, go to www.wiley.com/go/sybextestprep, register your book to receive your unique PIN, and then once you have the PIN, return to www.wiley.com/go/sybextestprep and register a new account or add this book to an existing account. Like all exams, the CISSP certification from ISC2 is updated periodically and may eventually be retired or replaced. At some point after ISC2 is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired, or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam’s online Sybex tools will be available once the exam is no longer available. Study Guide Exam Objectives This table provides the extent, by percentage, to which each domain is represented on the actual examination. Domain % of exam Domain 1: Security and Risk Management 16% Domain 2: Asset Security 10% Domain 3: Security Architecture and Engineering 13% Domain 4: Communication and Network Security 13% Domain 5: Identity and Access Management (IAM) 13% Domain 6: Security Assessment and Testing 12% Domain 7: Security Operations 13% Domain 8: Software Development Security 10% Total 100% Objective Map This book is designed to cover each of the eight CISSP Exam Outline domains in sufficient depth to provide you with a clear understanding of the material. The main body of this book consists of 21 chapters. Here is a complete CISSP Exam Outline mapping each objective item to its location in this book's chapters. Domain Description Chapter 1.0 Security and Risk Management 1.1 Understand, adhere to, and promote 19 professional ethics 1.1.1 ISC2 Code of Professional Ethics 19 1.1.2 Organizational code of ethics 19 1.2 Understand and apply security concepts 1 1.2.1 Confidentiality, integrity, and availability, 1 authenticity, and nonrepudiation (5 Pillars of Information Security) 1.3 Evaluate and apply security governance 1 principles 1.3.1 Alignment of the security function to business 1 strategy, goals, mission, and objectives 1.3.2 Organizational processes (e.g., acquisitions, 1 divestitures, governance committees) 1.3.3 Organizational roles and responsibilities 1 1.3.4 Security control frameworks (e.g., International 1 Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI), Federal Risk and Authorization Management Program (FedRAMP)) 1.3.5 Due care/due diligence 1 1.4 Understand legal, regulatory, and compliance 4 issues that pertain to information security in a holistic context 1.4.1 Cybercrimes and data breaches 4 Domain Description Chapter 1.4.2 Licensing and Intellectual Property 4 requirements 1.4.3 Import/export controls 4 1.4.4 Transborder data flow 4 1.4.5 Issues related to privacy (e.g., General Data 4 Protection Regulation (GDPR), California Consumer Privacy Act, Personal Information Protection Law, Protection of Personal Information Act) 1.4.6 Contractual, legal, industry standards, and 4 regulatory requirements 1.5 Understand requirements for investigation 19 types (i.e., administrative, criminal, civil, regulatory, industry standards) 1.6 Develop, document, and implement security 1 policy, standards, procedures, and guidelines 1.7 Identify, analyze, assess, prioritize, and 3 implement Business Continuity (BC) requirements 1.7.1 Business Impact Analysis (BIA) 3 1.7.2 External dependencies 3 1.8 Contribute to and enforce personnel security 2 policies and procedures 1.8.1 Candidate screening and hiring 2 1.8.2 Employment agreements and policy driven 2 requirements 1.8.3 Onboarding, transfers, and termination 2 processes 1.8.4 Vendor, consultant, and contractor agreements 2 and controls 1.9 Understand and apply risk management 2 concepts Domain Description Chapter 1.9.1 Threat and vulnerability identification 2 1.9.2 Risk analysis, assessment, and scope 2 1.9.3 Risk response and treatment (e.g., 2 cybersecurity insurance) 1.9.4 Applicable types of controls (e.g., preventive, 2 detection, corrective) 1.9.5 Control assessments (e.g., security and privacy) 2 1.9.6 Continuous monitoring and measurement 2 1.9.7 Reporting (e.g., internal, external) 2 1.9.8 Continuous improvement (e.g., risk maturity 2 modeling) 1.9.9 Risk frameworks (e.g., International 2 Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI)) 1.10 Understand and apply threat modeling 1 concepts and methodologies 1.11 Apply supply chain risk management (SCRM) 1 concepts 1.11.1 Risks associated with the acquisition of 1 products and services from suppliers and providers (e.g., product tampering, counterfeits, implants) 1.11.2 Risk mitigations (e.g., third-party assessment 1 and monitoring, minimum security requirements, service level requirements, silicon root of trust, physically unclonable function, software bill of materials) 1.12 Establish and maintain a security awareness, 2 education, and training program Domain Description Chapter 1.12.1 Methods and techniques to increase awareness 2 and training (e.g., social engineering, phishing, security champions, gamification) 1.12.2 Periodic content reviews to include emerging 2 technologies and trends (e.g., cryptocurrency, artificial intelligence (Al), blockchain) 1.12.3 Program effectiveness evaluation 2 2.0 Asset Security 2.1 Identify and classify information and assets 5 2.1.1 Data classification 5 2.1.2 Asset classification 5 2.2 Establish information and asset handling 5 requirements 2.3 Provision information and assets securely 16 2.3.1 Information and asset ownership 16 2.3.2 Asset inventory (e.g., tangible, intangible) 16 2.3.3 Asset management 16 2.4 Manage data lifecycle 5 2.4.1 Data roles (i.e., owners, controllers, custodians, 5 processors, users/subjects) 2.4.2 Data collection 5 2.4.3 Data location 5 2.4.4 Data maintenance 5 2.4.5 Data retention 5 2.4.6 Data remanence 5 2.4.7 Data destruction 5 2.5 Ensure appropriate asset retention (e.g., End of 5 Life (EOL), End of Support) 2.6 Determine data security controls and 5 compliance requirements Domain Description Chapter 2.6.1 Data states (e.g., in use, in transit, at rest) 5 2.6.2 Scoping and tailoring 5 2.6.3 Standards selection 5 2.6.4 Data protection methods (e.g., Digital Rights 5 Management (DRM) data loss prevention (DLP), cloud access security broker (CASB)) 3.0 Security Architecture and Engineering 3.1 Research, implement, and manage engineering 1, 8, 9, 16 processes using secure design principles 3.1.1 Threat modeling 1 3.1.2 Least privilege 16 3.1.3 Defense in depth 1 3.1.4 Secure defaults 8 3.1.5 Fail securely 8 3.1.6 Segregation of Duties (SoD) 16 3.1.7 Keep it simple and small 8 3.1.8 Zero trust or trust but verify 8 3.1.9 Privacy by design 8 3.1.10 Shared responsibility 9 3.1.11 Secure access service edge 8 3.2 Understand the fundamental concepts of 8 security models (e.g., Biba, Star Model, Bell- LaPadula) 3.3 Select controls based upon systems security 8 requirements 3.4 Understand security capabilities of Information 8 Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption) 3.5 Assess and mitigate the vulnerabilities of 6, 7, 9, security architectures, designs, and solution 16, 20 Domain Description Chapter elements 3.5.1 Client-based systems 9 3.5.2 Server-based systems 9 3.5.3 Database systems 20 3.5.4 Cryptographic systems 6, 7 3.5.5 Industrial Control Systems (ICS) 9 3.5.6 Cloud-based systems (e.g., Software as a 16 Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)) 3.5.7 Distributed systems 9 3.5.8 Internet of Things (IoT) 9 3.5.9 Microservices (e.g., application programming 9 interface (API)) 3.5.10 Containerization 9 3.5.11 Serverless 16 3.5.12 Embedded systems 9 3.5.13 High-Performance Computing systems 9 3.5.14 Edge computing systems 9 3.5.15 Virtualized systems 9 3.6 Select and determine cryptographic solutions 6, 7 3.6.1 Cryptographic life cycle (e.g., keys, algorithm 6, 7 selection) 3.6.2 Cryptographic methods (e.g., symmetric, 6, 7 asymmetric, elliptic curves, quantum) 3.6.3 Public Key Infrastructure (PKI) (e.g., quantum 7 key distribution) 3.6.4 Key management practices (e.g., rotation) 7 3.6.5 Digital signatures and digital certificates (e.g., 7 non-repudiation, integrity) 3.7 Understand methods of cryptanalytic attacks 7, 14, 21 Domain Description Chapter 3.7.1 Brute force 7 3.7.2 Ciphertext only 7 3.7.3 Known plaintext 7 3.7.4 Frequency analysis 7 3.7.5 Chosen ciphertext 7 3.7.6 Implementation attacks 7 3.7.7 Side-channel 7 3.7.8 Fault injection 7 3.7.9 Timing 7 3.7.10 Man-in-the-Middle (MITM) 7 3.7.11 Pass the hash 14 3.7.12 Kerberos exploitation 14 3.7.13 Ransomware 21 3.8 Apply security principles to site and facility 10 design 3.9 Design site and facility security controls 10 3.9.1 Wiring closets/intermediate distribution frame 10 3.9.2 Server rooms/data centers 10 3.9.3 Media storage facilities 10 3.9.4 Evidence storage 10 3.9.5 Restricted and work area security 10 3.9.6 Utilities and Heating, Ventilation, and Air 10 Conditioning (HVAC) 3.9.7 Environmental issues (e.g., natural disasters, 10 man-made) 3.9.8 Fire prevention, detection, and suppression 10 3.9.9 Power (e.g., redundant, backup) 10 3.10 Manage the information system lifecycle 8 3.10.1 Stakeholders needs and requirements 8 Domain Description Chapter 3.10.2 Requirements analysis 8 3.10.3 Architectural design 8 3.10.4 Development /implementation 8 3.10.5 Integration 8 3.10.6 Verification and validation 8 3.10.7 Transition/deployment 8 3.10.8 Operations and maintenance/sustainment 8 3.10.9 Retirement/disposal 8 4.0 Communication and Network Security 4.1 Apply secure design principles in network 11, 12 architectures 4.1.1 Open System Interconnection (OSI) and 11 Transmission Control Protocol/Internet Protocol (TCP/IP) models 4.1.2 Internet Protocol (IP) version 4 and 6 (IPv6) 11 (e.g., unicast, broadcast, multicast, anycast) 4.1.3 Secure protocols (e.g., Internet Protocol 11 Security (IPSec), Secure Shell (SSH), Secure Sockets Layer (SSL)]/Transport Layer Security (TLS)) 4.1.4 Implications of multilayer protocols 11 4.1.5 Converged protocols (e.g., Internet Small 11 Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP), InfiniBand over Ethernet, Compute Express Link) 4.1.6 Transport architecture (e.g., topology, 11 data/control/management plane, cut- through/store-and-forward) 4.1.7 Performance metrics (e.g., bandwidth, latency, 12 jitter, throughput, signal-to-noise ratio) 4.1.8 Traffic flows (e.g., north-south, east-west) 11 Domain Description Chapter 4.1.9 Physical segmentation (e.g., in-band, out-of- 11 band, air-gapped) 4.1.10 Logical segmentation (e.g., virtual local area 11 networks (VLANs), virtual private networks (VPNs), virtual routing and forwarding, virtual domain) 4.1.11 Micro-segmentation (e.g., network 11 overlays/encapsulation; distributed firewalls, routers, intrusion detection system (IDS)/intrusion prevention system (IPS), zero trust) 4.1.12 Edge networks (e.g., ingress/egress, peering) 11 4.1.13 Wireless networks (e.g., Bluetooth, Wi-Fi, 11 Zigbee, satellite) 4.1.14 Cellular/mobile networks (e.g., 4G, 5G) 11 4.1.15 Content distribution networks (CDN) 11 4.1.16 Software defined networks (SDN), (e.g., 11 application programming interface (API), Software-Defined Wide-Area Network, network functions virtualization) 4.1.17 Virtual Private Cloud (VPC) 11 4.1.18 Monitoring and management (e.g., network 12 observability, traffic flow/shaping, capacity management, fault detection and handling) 4.2 Secure network components 11 4.2.1 Operation of infrastructure (e.g., redundant 11 power, warranty, support) 4.2.2 Transmission media (e g. physical security of 11 media, signal propagation quality) 4.2.3 Network Access Control (NAC) systems (e.g., 11 physical, and virtual solutions) 4.2.4 Endpoint security (e.g., host-based) 11 Domain Description Chapter 4.3 Implement secure communication channels 12 according to design 4.3.1 Voice, video, and collaboration (e.g., 12 conferencing, Zoom rooms) 4.3.2 Remote access (e.g., network administrative 12 functions) 4.3.3 Data communications (e.g., backhaul networks 12 satellite) 4.3.4 Third-party connectivity (e.g., telecom 12 providers, hardware support) 5.0 Identity and Access Management (IAM) 5.1 Control physical and logical access to assets 13 5.1.1 Information 13 5.1.2 Systems 13 5.1.3 Devices 13 5.1.4 Facilities 13 5.1.5 Applications 13 5.1.6 Services 13 5.2 Design identification and authentication 13 strategy (e.g., people, devices, and services) 5.2.1 Groups and Roles 13 5.2.2 Authentication, Authorization and Accounting 13 (AAA) (e.g., multi-factor authentication (MFA), password-less authentication) 5.2.3 Session management 13 5.2.4 Registration, proofing, and establishment of 13 identity 5.2.5 Federated Identity Management (FIM) 13 5.2.6 Credential management systems (e.g., 13 Password vault) 5.2.7 Single sign-on (SSO) 13 Domain Description Chapter 5.2.8 Just-ln-Time 13 5.3 Federated identity with a third-party service 13 5.3.1 On-premise 13 5.3.2 Cloud 13 5.3.3 Hybrid 13 5.4 Implement and manage authorization 14 mechanisms 5.4.1 Role-based access control (RBAC) 14 5.4.2 Rule based access control 14 5.4.3 Mandatory access control (MAC) 14 5.4.4 Discretionary access control (DAC) 14 5.4.5 Attribute-based access control (ABAC) 14 5.4.6 Risk based access control 14 5.4.7 Access policy enforcement (e.g., policy decision 14 point, policy enforcement point) 5.5 Manage the identity and access provisioning 13, 14 lifecycle 5.5.1 Account access review (e.g., user, system, 13 service) 5.5.2 Provisioning and deprovisioning (e.g., on/off 13 boarding and transfers) 5.5.3 Role definition and transition (e.g., people 13 assigned to new roles) 5.5.4 Privilege escalation (e.g., use of sudo, auditing 14 its use) 5.5.5 Service accounts management 13 5.6 Implement authentication systems 14 6.0 Security Assessment and Testing 6.1 Design and validate assessment, test, and audit 15 strategies Domain Description Chapter 6.1.1 Internal (e.g., within organization control) 15 6.1.2 External (e.g., outside organization control) 15 6.1.3 Third-party (e.g., outside of enterprise control) 15 6.1.4 Location (e.g., on-premise, cloud, hybrid) 15 6.2 Conduct security controls testing 15 6.2.1 Vulnerability assessment 15 6.2.2 Penetration testing (e.g., red, blue, and/or 15 purple team exercises) 6.2.3 Log reviews 15 6.2.4 Synthetic transactions/benchmarks 15 6.2.5 Code review and testing 15 6.2.6 Misuse case testing 15 6.2.7 Coverage analysis 15 6.2.8 Interface testing (e.g., user interface, network 15 interface, application programming interface (API)) 6.2.9 Breach attack simulations 15 6.2.10 Compliance checks 15 6.3 Collect security process data (e.g., technical and 15, 18 administrative) 6.3.1 Account management 15 6.3.2 Management review and approval 15 6.3.3 Key performance and risk indicators 15 6.3.4 Backup verification data 15 6.3.5 Training and awareness 15, 18 6.3.6 Disaster Recovery (DR) and Business 15, 18 Continuity (BC) 6.4 Analyze test output and generate report 15 6.4.1 Remediation 15 Domain Description Chapter 6.4.2 Exception handling 15 6.4.3 Ethical disclosure 15 6.5 Conduct or facilitate security audits 15 6.5.1 Internal (e.g., within organization control) 15 6.5.2 External (e.g., outside organization control) 15 6.5.3 Third-party (e.g., outside of enterprise control) 15 6.5.4 Location (e.g., on-premise, cloud, hybrid) 15 7.0 Security Operations 7.1 Understand and comply with investigations 19 7.1.1 Evidence collection and handling 19 7.1.2 Reporting and documentation 19 7.1.3 Investigative techniques 19 7.1.4 Digital forensics tools, tactics, and procedures 19 7.1.5 Artifacts (e.g., data, computer, network, mobile 19 device) 7.2 Conduct logging and monitoring activities 17, 21 7.2.1 Intrusion detection and prevention system 17 (IDPS) 7.2.2 Security information and event management 17 (SIEM) 7.2.3 Continuous monitoring and tuning 17 7.2.4 Egress monitoring 17 7.2.5 Log management 17 7.2.6 Threat intelligence (e.g., threat feeds, threat 17 hunting) 7.2.7 User and Entity Behavior Analytics (UEBA) 21 7.3 Perform configuration management (CM) (e.g., 16 provisioning, baselining, automation) 7.4 Apply foundational security operations 16 concepts Domain Description Chapter 7.4.1 Need-to-know/least privilege 16 7.4.2 Segregation of Duties (SoD) and 16 responsibilities 7.4.3 Privileged account management 16 7.4.4 Job rotation 16 7.4.5 Service-level agreements (SLA) 16 7.5 Apply resource protection 16 7.5.1 Media management 16 7.5.2 Media protection techniques 16 7.5.3 Data at rest/data in transit 16 7.6 Conduct incident management 17 7.6.1 Detection 17 7.6.2 Response 17 7.6.3 Mitigation 17 7.6.4 Reporting 17 7.6.5 Recovery 17 7.6.6 Remediation 17 7.6.7 Lessons learned 17 7.7 Operate and maintain detection and 11, 17, 21 preventative measures 7.7.1 Firewalls (e.g., next generation, web 11 application, network) 7.7.2 Intrusion detection systems (IDS) and 17 intrusion prevention systems (IPS) 7.7.3 Whitelisting/blacklisting 17 7.7.4 Third-party provided security services 17 7.7.5 Sandboxing 17 7.7.6 Honeypots/honeynets 17 7.7.7 Anti-malware 17, 21 Domain Description Chapter 7.7.8 Machine learning and Artificial Intelligence 17 (Al) based tools 7.8 Implement and support patch and vulnerability 16 management 7.9 Understand and participate in change 16 management processes 7.10 Implement recovery strategies 18 7.10.1 Backup storage strategies (e.g., cloud storage, 18 onsite, offsite) 7.10.2 Recovery site strategies (e.g., cold vs. hot, 18 resource capacity agreements) 7.10.3 Multiple processing sites 18 7.10.4 System resilience, high availability (HA), 18 Quality of Service (QoS), and fault tolerance 7.11 Implement disaster recovery (DR) processes 18 7.11.1 Response 18 7.11.2 Personnel 18 7.11.3 Communications (e.g., methods) 18 7.11.4 Assessment 18 7.11.5 Restoration 18 7.11.6 Training and awareness 18 7.11.7 Lessons learned 18 7.12 Test disaster recovery plan (DRP) 18 7.12.1 Read-through/tabletop 18 7.12.2 Walkthrough 18 7.12.3 Simulation 18 7.12.4 Parallel 18 7.12.5 Full interruption 18 7.12.6 Communications (e.g., stakeholders, test 18 status, regulators) Domain Description Chapter 7.13 Participate in Business Continuity (BC) 3 planning and exercises 7.14 Implement and manage physical security 10 7.14.1 Perimeter security controls 10 7.14.2 Internal security controls 10 7.15 Address personnel safety and security concerns 16 7.15.1 Travel 16 7.15.2 Security training and awareness (e.g., insider 16 threat, social media impacts, two-factor authentication (2FA) fatigue) 7.15.3 Emergency management 16 7.15.4 Duress 16 8.0 Software Development Security 8.1 Understand and integrate security in the 20 Software Development Life Cycle (SDLC) 8.1.1 Development methodologies (e.g., Agile, 20 Waterfall, DevOps, DevSecOps, Scaled Agile Framework) 8.1.2 Maturity models (e.g., Capability Maturity 20 Model (CMM), Software Assurance Maturity Model (SAMM)) 8.1.3 Operation and maintenance 20 8.1.4 Change management 20 8.1.5 Integrated Product Team 20 8.2 Identify and apply security controls in software 15, 20, 21 development ecosystems 8.2.1 Programming languages 20 8.2.2 Libraries 20 8.2.3 Tool sets 20 8.2.4 Integrated Development Environment 20 Domain Description Chapter 8.2.5 Runtime 20 8.2.6 Continuous Integration and Continuous 20 Delivery (Cl/CD) 8.2.7 Software Configuration Management (CM) 20 8.2.8 Code repositories 20 8.2.9 Application security testing (e.g., static 15 application security testing (SAST), dynamic application security testing (DAST), software composition analysis, interactive application security testing (IAST)) 8.3 Assess the effectiveness of software security 20, 21 8.3.1 Auditing and logging of changes 20 8.3.2 Risk analysis and mitigation 21 8.4 Assess security impact of acquired software 16, 20 8.4.1 Commercial-off-the-shelf (COTS) 20 8.4.2 Open source 20 8.4.3 Third-party 20 8.4.4 Managed services (e.g., enterprise applications) 16 8.4.5 Cloud services (e.g., Software as a Service 16 (SaaS), Infrastructure as a Service [IaaS], Platform as a Service (PaaS)) 8.5 Define and apply secure coding guidelines and 20, 21 standards 8.5.1 Security weaknesses and vulnerabilities at the 21 source-code level 8.5.2 Security of application programming interfaces 20 (API) 8.5.3 Secure coding practices 20 8.5.4 Software-defined security 20 How to Contact the Publisher If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur. In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.” Assessment Test 1. Which of the following types of access control seeks to discover evidence of unwanted, unauthorized, or illicit behavior or activity? A. Preventive B. Deterrent C. Detection D. Corrective 2. Define and detail the aspects of password selection that distinguish good password choices from ultimately poor password choices. A. Is difficult to guess or unpredictable B. Meets minimum length requirements C. Meets specific complexity requirements D. All of the above 3. Some adversaries use DoS attacks as their primary weapon to harm targets, whereas others may use them as weapons of last resort when all other attempts to intrude on a target fail. Which of the following is most likely to detect DoS attacks? A. Host-based IDS B. Network-based IDS C. Vulnerability scanner D. Penetration testing 4. Unfortunately, attackers have many options of attacks to perform against their targets. Which of the following is considered a denial-of-service (DoS) attack? A. Pretending to be a technical manager over the phone and asking a receptionist to change their password B. While surfing the web, sending to a web server a malformed URL that causes the system to consume 100 percent of the CPU C. Intercepting network traffic by copying the packets as they pass through a specific subnet D. Sending message packets to a recipient who did not request them, simply to be annoying 5. Hardware networking devices operate within the protocol stack just like protocols themselves. Thus, hardware networking devices can be associated with an OSI model layer related to the protocols they manage or control. At which layer of the OSI model does a router operate? A. Network Layer B. Layer 1 C. Transport Layer D. Layer 5 6. Which type of firewall automatically adjusts its filtering rules based on the content and context of the traffic of existing sessions? (Choose all that apply.) A. Static packet filtering B. Application-level gateway C. Circuit-level gateway D. Stateful inspection firewall 7. A VPN can be a significant security improvement for many communication links. A VPN can be established over which of the following? A. Wireless LAN connection B. Remote access dial-up connection C. WAN link D. All of the above 8. Adversaries will use any and all means to harm their targets. This includes mixing attack concepts together to make a more effective campaign. What type of malware uses social engineering to trick a victim into installing it? A. Virus B. Worm C. Trojan horse D. Logic bomb 9. Security is established by understanding the assets of an organization that need protection and understanding the threats that could cause harm to those assets. Then, controls are selected that provide protection for the CIA Triad of the assets at risk. The CIA Triad consists of what elements? A. Contiguousness, interoperable, arranged B. Authentication, authorization, accountability C. Capable, available, integral D. Availability, confidentiality, integrity 10. The security concept of AAA services describes the elements that are necessary to establish subject accountability. Which of the following is not a required component in the support of accountability? A. Logging B. Privacy C. Identification verification D. Authorization 11. Collusion is when two or more people work together to commit a crime or violate a company policy. Which of the following is not a defense against collusion? A. Separation of duties B. Restricted job responsibilities C. Group shared user accounts D. Job rotation 12. A data custodian is responsible for securing resources after ______________ has assigned the resource a security label. A. Senior management B. The data owner C. An auditor D. Security staff 13. In what phase of the Capability Maturity Model for Software (SW-CMM) are quantitative measures used to gain a detailed understanding of the software development process? A. Repeatable B. Defined C. Managed D. Optimizing 14. Which one of the following is a layer of the protection ring model design concept that is not normally implemented? A. Ring 0 B. Ring 1 C. Ring 3 D. Ring 4 15. TCP operates at the Transport Layer and is a connection- oriented protocol. It uses a special process to establish a session each time a communication takes place. What is the last phase of the TCP three-way handshake sequence? A. SYN flagged packet B. ACK flagged packet C. FIN flagged packet D. SYN/ACK flagged packet 16. The lack of secure coding practices has enabled an uncountable number of software vulnerabilities that attackers have discovered and exploited. Which one of the following vulnerabilities would be best countered by adequate parameter checking? A. Time-of-check to time-of-use B. Buffer overflow C. SYN flood D. Distributed denial of service (DDoS) 17. Computers are based on binary mathematics. All computer functions are derived from the basic set of Boolean operations. What is the value of the logical operation shown here? X: 0 1 1 0 1 0 Y: 0 0 1 1 0 1 ___________________ X ⊕ Y: ? A. 0 1 0 1 1 1 B. 0 0 1 0 0 0 C. 0 1 1 1 1 1 D. 1 0 0 1 0 1 18. Which of the following are considered standard data type classifications used in either a government/military or a private sector organization? (Choose all that apply.) A. Public B. Healthy C. Private D. Inside only E. Sensitive F. Proprietary G. Essential H. Certified I. Critical J. Confidential K. For Your Eyes Only 19. The General Data Protection Regulation (GDPR) has defined several roles in relation to the protection and management of personally identifiable information (PII). Which of the following statements is true? A. A data processor is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization. B. A data custodian is the entity that performs operations on data. C. A data controller is the entity that makes decisions about the data they are collecting. D. A data owner is the entity assigned or delegated the day-to- day responsibility of proper storage and transport as well as protecting data, assets, and other organizational objects. 20. If Renee receives a digitally signed message from Mike, what key does she use to verify that the message truly came from Mike? A. Renee's public key B. Renee's private key C. Mike's public key D. Mike's private key 21. A systems administrator is setting up a new data management system. It will be gathering data from numerous locations across the network, even from remote offsite locations. The data will be moved to a centralized facility, where it will be stored on a massive RAID array. The data will be encrypted on the storage system using AES-256, and most files will be signed as well. The location of this data warehouse is secured so that only authorized personnel can enter the room and all digital access is limited to a set of security administrators. Which of the following describes the data? A. The data is encrypted in transit. B. The data is encrypted in processing. C. The data is redundantly stored. D. The data is encrypted at rest. 22. The __________ is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization. A. Data owner B. Data controller C. Data processor D. Data custodian 23. A security auditor is seeking evidence of how sensitive documents made their way out of the organization and onto a public document distribution site. It is suspected that an insider exfiltrated the data over a network connection to an external server, but this is only a guess. Which of the following would be useful in determining whether this suspicion is accurate? (Choose two.) A. NAC B. DLP alerts C. Syslog D. Log analysis E. Malware scanner reports F. Integrity monitoring 24. A new Wireless Access Point (WAP) is being installed to add wireless connectivity to the company network. The configuration policy indicates that WPA3 is to be used and thus only newer or updated endpoint devices can connect. The policy also states that ENT authentication will not be implemented. What authentication mechanism can be implemented in this situation? A. IEEE 802.1X B. IEEE 802.1q C. Simultaneous authentication of equals (SAE) D. EAP-FAST 25. When securing a mobile device, what types of authentication can be used that depend on the user's physical attributes? (Choose all that apply.) A. Fingerprint B. TOTP (time-based one-time password) C. Voice D. SMS (short message service) E. Retina or iris F. Gait G. Phone call H. Facial recognition I. Smartcard J. Password 26. A recently acquired piece of equipment is not working properly. Your organization does not have a trained repair technician on staff, so you have to bring in an outside expert. What type of account should be issued to a trusted third-party repair technician? A. Guest account B. Privileged account C. Service account D. User account 27. Security should be designed and integrated into the organization as a means to support and maintain the business objectives. However, the only way to know if the implemented security is sufficient is to test it. Which of the following is a procedure designed to test and perhaps bypass a system's security controls? A. Logging usage data B. War dialing C. Penetration testing D. Deploying secured desktop workstations 28. Security needs to be designed to support the business objectives, but it also needs to be legally defensible. To defend the security of an organization, a log of events and activities must be created. Auditing is a required factor to sustain and enforce what? A. Accountability B. Confidentiality C. Accessibility D. Redundancy 29. Risk assessment is a process by which the assets, threats, probabilities, and likelihoods are evaluated in order to establish criticality prioritization. What is the formula used to compute the ALE? A. ALE = AV * EF * ARO B. ALE = ARO * EF C. ALE = AV * ARO D. ALE = EF * ARO 30. Incident response plans, business continuity plans, and disaster recovery plans are crafted when implementing business-level redundancy. These plans are derived from the information obtained when performing a business impact assessment (BIA). What is the first step of the BIA process? A. Identification of priorities B. Likelihood assessment C. Risk identification D. Resource prioritization 31. Many events can threaten the operation, existence, and stability of an organization. Some of those threats are human caused, whereas others are from natural events. Which of the following represent natural events that can pose a threat or risk to an organization? A. Earthquake B. Flood C. Tornado D. All of the above 32. What kind of recovery facility enables an organization to resume operations as quickly as possible, if not immediately, upon failure of the primary facility? A. Hot site B. Warm site C. Cold site D. All of the above 33. During an account review, an auditor provided the following report: User Last Login Length Last Password Change Bob 4 hours 87 days Sue 3 hours 38 days John 1 hour 935 days User Last Login Length Last Password Change Kesha 3 hours 49 days The security manager reviews the account policies of the organization and takes note of the following requirements: Passwords must be at least 12 characters long. Passwords must include at least one example of three different character types. Passwords must be changed every 180 days. Passwords cannot be reused. Which of the following security controls should be corrected to enforce the password policy? A. Minimum password length B. Account lockout C. Password history and minimum age D. Password maximum age 34. Any evidence to be used in a court proceeding must abide by the Rules of Evidence to be admissible. What type of evidence refers to written documents that are brought into court to prove a fact? A. Best evidence B. Parol evidence C. Documentary evidence D. Testimonial evidence 35. DevOps manager John is concerned with the CEO's plan to minimize his department and outsource code development to a foreign programming group. John has a meeting scheduled with the board of directors to encourage them to retain code development in house due to several concerns. Which of the following should John include in his presentation? (Choose all that apply.) A. Code from third parties will need to be manually reviewed for function and security. B. If the third party goes out of business, existing code may need to be abandoned. C. Third-party code development is always more expensive. D. A software escrow agreement should be established. 36. When TLS is being used to secure web communications, what URL prefix appears in the web browser address bar to signal this fact? A. SHTTP:// B. TLS:// C. FTPS:// D. HTTPS:// 37. A new update has been released by the vendor of an important software product that is an essential element of a critical business task. The chief security officer (CSO) indicates that the new software version needs to be tested and evaluated in a virtual lab, which has a cloned simulation of many of the company's production systems. Furthermore, the results of this evaluation must be reviewed before a decision is made as to whether the software update should be installed and, if so, when to install it. What security principle is the CSO demonstrating? A. Business continuity planning (BCP) B. Onboarding C. Change management D. Static analysis 38. What type of token device produces new time-derived passwords on a specific time interval that can be used only a single time when attempting to authenticate? A. HOTP B. HMAC C. SAML D. TOTP 39. Your organization is moving a significant portion of their data processing from an on-premises solution to the cloud. When evaluating a cloud service provider (CSP), which of the following is the most important security concern? A. Data retention policy B. Number of customers C. Hardware used to support VMs D. Whether they offer MaaS, IDaaS, and SaaS 40. Most software vulnerabilities exist because of a lack of secure or defensive coding practices used by the developers. Which of the following is considered a secure coding technique? (Choose all that apply.) A. Using immutable systems B. Using stored procedures C. Using code signing D. Using server-side validation E. Optimizing file sizes F. Using third-party software libraries Answers to Assessment Test 1. C. Detection access controls are used to discover (and document) unwanted or unauthorized activity. Preventive access controls block the ability to perform unwanted activity. Deterrent access controls attempt to persuade the perpetrator not to perform unwanted activity. Corrective access controls restore a system to normal function in the event of a failure or system interruption. 2. D. Strong password choices are difficult to guess, unpredictable, and of specified minimum lengths to ensure that password entries cannot be computationally determined. They may be randomly generated and use any of the alphabetic, numeric, and allowed special characters; they should never be written down or shared; they should not be stored in publicly accessible or generally readable locations; and they shouldn't be transmitted in the clear. 3. B. Network-based IDSs are usually able to detect the initiation of an attack or the ongoing attempts to perpetrate an attack (including denial of service, or DoS). They are, however, unable to provide information about whether an attack was successful or which specific systems, user accounts, files, or applications were affected. Host-based IDSs have some difficulty with detecting and tracking down DoS attacks. Vulnerability scanners don't detect DoS attacks; they test for possible vulnerabilities. Penetration testing may cause a DoS or test for DoS vulnerabilities, but it is not a detection tool. 4. B. Not all instances of DoS are the result of a malicious attack. Errors in coding OSs, services, and applications have resulted in DoS conditions. Some examples of this include a process failing to release control of the CPU or a service consuming system resources out of proportion to the service requests it is handling. Social engineering (i.e., pretending to be a technical manager) and sniffing (i.e., intercepting network traffic) are typically not considered DoS attacks. Sending message packets to a recipient who did not request them simply to be annoying may be a type of social engineering, and it is definitely spam, but unless the volume of the messages is significant, it does not warrant the label of DoS. 5. A. Routers function at Layer 3, the Network Layer. Layer 1, the Physical Layer, is where repeaters and hubs operate, not routers. Network devices usually do not operate at the transport layer alone, but across layers, such as firewalls, proxies, and load balancers. Layer 5, the Session Layer, does not actually exist in a modern TCP/IP network, and thus no hardware directly operates at this layer, but its functions are performed by TCP in the Transport Layer, Layer 4, when sessions are in use. 6. B, D. Stateful inspection firewalls (aka dynamic packet-filtering firewalls) enable the real-time modification of the filtering rules based on traffic content and context. An application-level gateway is a type of stateful firewall. Static packet filtering and circuit-level firewalls are both stateless and thus do not consider the context when applying filtering rules. 7. D. A virtual private network (VPN) link can be established over any network communication connect

CISSP® Certified Information Systems Security Professional Official PDF

Document Details

Tags

Related

Summary

Full Transcript