Updated for 2009. Covers the critical information you'll need to know to score higher on your CISSP exam!

* Build and manage an effective, integrated security architecture
* Systematically protect your physical facilities and the IT resources they contain
* Implement and administer access control
* Use cryptography to help guarantee data integrity, confidentiality, and authenticity
* Secure networks, Internet connections, and communications
* Make effective business continuity and disaster recovery plans, and execute them successfully
* Address today's essential legal, regulatory, and compliance issues
* Master the basics of security forensics
* Develop more secure applications and systems from the ground up
* Use security best practices ranging from risk management to operations and auditing
* Understand and perform the crucial non-technical tasks associated with IT security

CD Features

Test Engine Powered by MeasureUp!

* Detailed explanations of correct and incorrect answers
* Multiple test modes
* Random questions and order of answers
* Coverage of each CISSP exam domain

Table of Contents

Introduction

Chapter 1: The CISSP Certification Exam
    Introduction; Assessing Exam Readiness; Taking the Exam; Multiple-Choice Question Format; Exam Strategy; Question-Handling Strategies; Mastering the Inner Game; Need to Know More?

Chapter 2: Physical Security
    Introduction; Physical Security Risks; Natural Disasters; Man-Made Threats; Technical Problems; Facility Concerns and Requirements; CPTED; Area Concerns; Location; Construction; Doors, Walls, Windows, and Ceilings; Asset Placement; Perimeter Controls; Fences; Gates; Bollards; CCTV Cameras; Lighting; Guards and Dogs; Locks; Employee Access Control; Badges, Tokens, and Cards; Biometric Access Controls; Environmental Controls; Heating, Ventilating, and Air Conditioning; Electrical Power; Uninterruptible Power Supply; Equipment Life Cycle; Fire Prevention, Detection, and Suppression; Fire-Detection Equipment; Fire Suppression; Alarm Systems; Intrusion Detection Systems; Monitoring and Detection; Exam Prep Questions; Answers to Exam Prep Questions; Suggested Reading and Resources

Chapter 3: Access Control Systems and Methodology
    Introduction; Identification, Authentication, and Authorization; Authentication; Single Sign-On; Kerberos; SESAME; Authorization and Access Controls Techniques; Discretionary Access Control; Mandatory Access Control; Role-Based Access Control; Other Types of Access Controls; Access Control Methods; Centralized Access Control; Decentralized Access Control; Access Control Types; Administrative Controls; Technical Controls; Physical Controls; Access Control Categories; Audit and Monitoring; Monitoring Access and Usage; Intrusion Detection Systems; Intrusion Prevention Systems; Network Access Control; Keystroke Monitoring; Emanation Security; Access Control Attacks; Password Attacks; Spoofing; Sniffing; Eavesdropping and Shoulder Surfing; Wiretapping; Identity Theft; Denial of Service Attacks; Distributed Denial of Service Attacks; Botnets; Exam Prep Questions; Answers to Exam Prep Questions; Suggested Reading and Resources

Chapter 4: Cryptography
    Introduction; Cryptographic Basics; History of Encryption; Steganography; Steganography Operation; Digital Watermark; Algorithms; Cipher Types and Methods; Symmetric Encryption; Data Encryption Standard; Triple-DES; Advanced Encryption Standard; International Data Encryption Algorithm; Rivest Cipher Algorithms; Asymmetric Encryption; Diffie-Hellman; RSA; El Gamal; Elliptical Curve Cryptosystem; Merkle-Hellman Knapsack; Review of Symmetric and Asymmetric Cryptographic Systems; Hybrid Encryption; Integrity and Authentication; Hashing and Message Digests; Digital Signatures; Cryptographic System Review; Public Key Infrastructure; Certificate Authority; Registration Authority; Certificate Revocation List; Digital Certificates; The Client's Role in PKI; Email Protection Mechanisms; Pretty Good Privacy; Other Email Security Applications; Securing TCP/IP with Cryptographic Solutions; Application/Process Layer Controls; Host to Host Layer Controls; Internet Layer Controls; Network Access Layer Controls; Link and End to End Encryption; Cryptographic Attacks; Exam Prep Questions; Answers to Exam Prep Questions; Need to Know More?

Chapter 5: Security Architecture and Models
    Introduction; Computer System Architecture; Central Processing Unit; Storage Media; I/O Bus Standards; Virtual Memory and Virtual Machines; Computer Configurations; Security Architecture; Protection Rings; Trusted Computer Base; Open and Closed Systems; Security Modes of Operation; Operating States; Recovery Procedures; Process Isolation; Security Models of Control; State Machine Model; Confidentiality; Integrity; Other Models; Documents and Guidelines; The Rainbow Series; The Red Book: Trusted Network Interpretation; Information Technology Security Evaluation Criteria; Common Criteria; British Standard 7799; System Validation; Certification and Accreditation; Governance and Enterprise Architecture; Security Architecture Threats; Buffer Overflow; Back Doors; Asynchronous Attacks; Covert Channels; Incremental Attacks; Exam Prep Questions; Answers to Exam Prep Questions; Need to Know More?

Chapter 6: Telecommunications and Network Security
    Introduction; Network Models and Standards; OSI Model; Encapsulation/De-encapsulation; TCP/IP; Network Access Layer; Internet Layer; Host-to-Host (Transport) Layer; Application Layer; LANs and Their Components; LAN Communication Protocols; Network Topologies; LAN Cabling; Network Types; Communication Standards; Network Equipment; Repeaters; Hubs; Bridges; Switches; Routers; Brouters; Gateways; Routing; WANs and Their Components; Packet Switching; Circuit Switching; Voice Communications and Wireless Communications; Voice over IP; Cell Phones; 802.11 Wireless Networks and Standards; Network Security; Firewalls; Demilitarized Zone; Firewall Design; Remote Access; Point-to-Point Protocol; Virtual Private Networks; Remote Authentication Dial-in User Service; Terminal Access Controller Access Control System; IPSec; Message Privacy; Threats to Network Security; DoS Attacks; Disclosure Attacks; Destruction, Alteration, or Theft; Exam Prep Questions; Answers to Exam Prep Questions; Need to Know More?

Chapter 7: Business Continuity and Disaster Recovery Planning
    Introduction; Threats to Business Operations; Disaster Recovery and Business Continuity Management; Project Management and Initiation; Business Impact Analysis; Recovery Strategy; Plan Design and Development; Implementation; Testing; Monitoring and Maintenance; Disaster Life Cycle; Teams and Responsibilities; Exam Prep Questions; Answers to Exam Prep Questions; Need to Know More?

Chapter 8: Legal, Regulations, Compliance, and Investigations
    Introduction; United States Legal System and Laws; International Legal Systems and Laws; International Property Laws; Piracy and Issues with Copyrights; Privacy Laws and Protection of Personal Information; Privacy Impact Assessment; Computer Crime Laws; Ethics; ISC2 Code of Ethics; Computer Ethics Institute; Internet Architecture Board; NIST 800-14; Computer Crime and Criminals; Pornography; Well-Known Computer Crimes; How Computer Crime Has Changed; Attack Vectors; Keystroke Logging; Wiretapping; Spoofing Attacks; Manipulation Attacks; Social Engineering; Dumpster Diving; Investigating Computer Crime; Computer Crime Jurisdiction; Incident Response; Forensics; Standardization of Forensic Procedures; Computer Forensics; Investigations; Search, Seizure, and Surveillance; Interviews and Interrogations; Honeypots and Honeynets; Evidence Types; Trial; The Evidence Life Cycle; Exam Prep Questions; Answers to Exam Prep Questions; Need to Know More?

Chapter 9: Applications and Systems-Development Security
    Introduction; System Development; Avoiding System Failure; The System Development Life Cycle; System Development Methods; The Waterfall Model; The Spiral Model; Joint Application Development; Rapid Application Development; Incremental Development; Prototyping; Computer-Aided Software Engineering; Agile Development Methods; Capability Maturity Model; Scheduling; Change Management; Programming Languages; Object-Oriented Programming; CORBA; Database Management; Database Terms; Integrity; Transaction Processing; Data Warehousing; Data Mining; Knowledge Management; Artificial Intelligence and Expert Systems; Malicious Code; Viruses; Worms; Spyware; Back Doors and Trapdoors; Change Detection; Malformed Input (SQL Injection); Mobile Code; Financial Attacks; Buffer Overflow; Denial of Service; Distributed Denial of Service; Exam Prep Questions; Answers to Exam Prep Questions; Need to Know More?

Chapter 10: Information Security and Risk Management Practices
    Introduction; Basic Security Principles; Security Management and Governance; Asset Identification; Risk Assessment; Risk Management; Policies Development; Security Policy; Standards; Baselines; Guidelines; Procedures; Data Classification; Implementation; Roles and Responsibility; Security Controls; Training and Education; Security Awareness; Social Engineering; Auditing Your Security Infrastructure; The Risk of Poor Security Management; Exam Prep Questions; Answers to Exam Prep Questions; Need to Know More?

Chapter 11: Operations Security
    Introduction; Operational Security; Employee Recruitment; New-Hire Orientation; Separation of Duties; Job Rotation; Least Privilege; Mandatory Vacations; Termination; Accountability; Controls; Security Controls; Operational Controls; Auditing and Monitoring; Auditing; Monitoring Controls; Clipping Levels; Intrusion Detection; Keystroke Monitoring; Antivirus; Facility Access Control; Telecommunication Controls; Fax; PBX; Email; Backup, Fault Tolerance, and Recovery Controls; Backups; Fault Tolerance; RAID; Recovery Controls; Security Assessments; Policy Reviews; Vulnerability Scanning; Penetration Testing; Operational Security Threats and Vulnerabilities; Common Attack Methodologies; Attack Terms and Techniques; Exam Prep Questions; Answers to Exam Prep Questions; Need to Know More?

Chapter 12: Practice Exam I

Chapter 13: Answers to Practice Exam I

Chapter 14: Practice Exam II

Chapter 15: Answers to Practice Exam II

Appendix A: What's on the CD

Index

About the Author

As the founder and president of Superior Solutions, Inc., a Houston-based IT security consulting, auditing, and training firm, Michael Gregg has more than 15 years of experience in information security and risk management. He holds two associate's degrees, a bachelor's degree, and a master's degree. Some of the certifications he holds include the following: CISSP, CISA, CISM, MCSE, CTT+, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CCE, CEH, CHFI, CEI, DCNP, ES Dragon IDS, ES Advanced Dragon IDS, and SSCP.

Michael not only has experience performing security audits and assessments but is also the co-author of Build Your Own Security Lab by Wiley Publishing. Other publications he has authored include CISSP Practice Questions Exam Cram, CISA Exam Prep, and CEH Exam Prep 2. Michael is a site expert for TechTarget.com websites and also serves on their editorial advisory board. His articles have been published on IT websites including CertMag.com, CramSession.com, and GoCertify.com. Michael has created security, audit, and IT networking course material for various companies and universities.

Although audits and assessments are where he spends the bulk of his time, teaching and contributing to the written body of IT security knowledge is how Michael believes he can give something back to the community that has given him so much. He is a member of the American College of Forensic Examiners and the Information Systems Audit and Control Association. When not working, Michael enjoys traveling and restoring muscle cars.