Eleventh Hour CISSP : Study Guide.
Title:
Eleventh Hour CISSP : Study Guide.
Author:
Conrad, Eric.
ISBN:
9780124171459
Edition:
2nd ed.
Physical Description:
1 online resource (214 pages)
Contents:
Front Cover -- Eleventh Hour CISSP®: Study Guide -- Copyright -- Contents -- Author Biography -- Chapter 1: Domain 1: Access Control -- Introduction -- Cornerstone Information Security Concepts -- Confidentiality, integrity, and availability -- Confidentiality -- Integrity -- Availability -- Disclosure, alteration, and destruction -- Identity and authentication, authorization, and accountability -- Identity and authentication -- Authorization -- Accountability -- Nonrepudiation -- Least privilege and need to know -- Subjects and objects -- Defense-in-depth -- Access Control Models -- Discretionary access controls -- Mandatory access controls -- Nondiscretionary access control -- Rule-based access controls -- Centralized access control -- Access control lists -- Access provisioning lifecycle -- User entitlement, access review, and audit -- Access control protocols and frameworks -- RADIUS -- Diameter -- TACACS and TACACS+ -- PAP and CHAP -- Access Control Defensive Categories and Types -- Preventive -- Detective -- Corrective -- Recovery -- Deterrent -- Compensating -- Authentication Methods -- Type 1 authentication: something you know -- Passwords -- Password hashes and password cracking -- Dictionary attacks -- Hybrid attacks -- Brute-force attacks -- Rainbow tables -- Salts -- Type 2 authentication: something you have -- Synchronous dynamic token -- Asynchronous dynamic token -- Type 3 authentication: something you are -- Biometric enrollment and throughput -- Accuracy of biometric systems -- False reject rate -- False accept rate -- Crossover Error Rate -- Types of biometric controls -- Fingerprints -- Retina scan -- Iris scan -- Hand geometry -- Keyboard dynamics -- Dynamic signature -- Voiceprint -- Facial scan -- Someplace you are -- Access Control Technologies -- Single sign-on -- Federated identity management -- Kerberos -- SESAME.

Assessing Access Control -- Penetration testing -- Vulnerability testing -- Security audits -- Security assessments -- Summary of Exam Objectives -- Top Five Toughest Questions -- Self-Test Quick Answer Key -- Endnotes -- Chapter 2: Domain 2: Telecommunications and Network Security -- Introduction -- Network Architecture and Design -- Fundamental network concepts -- Simplex, half-duplex, and full-duplex communication -- LANs, WANs, MANs, and PANs -- Internet, Intranet, and Extranet -- The OSI model -- Layer 1: Physical -- Layer 2: Data Link -- Layer 3: Network -- Layer 4: Transport -- Layer 5: Session -- Layer 6: Presentation -- Layer 7: Application -- The TCP/IP model -- Network Access Layer -- Internet Layer -- Host-to-Host Transport Layer -- Application Layer -- MAC addresses -- EUI-64 MAC addresses -- IPv4 -- IPv6 -- TCP -- TCP ports -- UDP -- ICMP -- Application-Layer TCP/IP protocols and concepts -- Telnet -- FTP -- SSH -- SMTP, POP, and IMAP -- DNS -- HTTP and HTTPS -- LAN technologies and protocols -- Ethernet -- WAN technologies and protocols -- T1s, T3s, E1s, and E3s -- Frame Relay -- MPLS -- Network Devices and Protocols -- Repeaters and hubs -- Bridges -- Switches -- Routers -- Firewalls -- Packet filter -- Stateful firewalls -- Proxy firewalls -- Application-Layer Proxy firewalls -- Modem -- Intrusion Detection Systems and Intrusion Prevention Systems -- Endpoint security -- Antivirus -- Application whitelisting -- Removable media controls -- Disk encryption -- Secure Communications -- Authentication protocols and frameworks -- PAP and CHAP -- 802.1X and EAP -- VPN -- PPP -- IPsec -- SSL and TLS -- VoIP -- Wireless Local Area Networks -- FHSS, DSSS, and OFDM -- 802.11 abgn -- WEP -- 802.11i -- Bluetooth -- RFID -- Remote access -- Remote desktop console access -- Desktop and application virtualization -- DSL -- Cable Modems.

Instant messaging -- Remote meeting technology -- Summary of Exam Objectives -- Top Five Toughest Questions -- Self-Test Quick Answer Key -- Chapter 3: Domain 3: Information Security Governance and Risk Management -- Introduction -- Risk Analysis -- Assets -- Threats and vulnerabilities -- Risk=threat×vulnerability -- Impact -- Risk Analysis Matrix -- Calculating Annualized Loss Expectancy -- Asset Value -- Exposure Factor -- Single Loss Expectancy -- Annual Rate of Occurrence -- Annualized Loss Expectancy -- Total Cost of Ownership -- Return on Investment -- Budget and metrics -- Risk choices -- Accept the risk -- Risk acceptance criteria -- Mitigate the risk -- Transfer the risk -- Risk avoidance -- Qualitative and Quantitative Risk Analysis -- The Risk Management process -- Information Security Governance -- Security policy and related documents -- Policy -- Components of program policy -- Policy types -- Procedures -- Standards -- Guidelines -- Baselines -- Roles and responsibilities -- Personnel security -- Background checks -- Employee termination -- Security awareness and training -- Vendor, consultant, and contractor security -- Outsourcing and offshoring -- Privacy -- Due care and due diligence -- Gross negligence -- Best practice -- Auditing and control frameworks -- OCTAVE -- ISO 17799 and the ISO 27000 series -- COBIT -- ITIL -- Certification and Accreditation -- Summary of Exam Objectives -- Top Five Toughest Questions -- Answers -- Endnotes -- Chapter 4: Domain 4: Software Development Security -- Introduction -- Programming Concepts -- Machine code, source code, and assemblers -- Compilers, interpreters, and bytecode -- Types of publicly released software -- Open and closed source software -- Free Software, Shareware, and Crippleware -- Application Development Methods -- Waterfall Model -- Spiral -- Agile Software Development.

Extreme Programming -- Rapid Application Development -- SDLC -- Object-Oriented Programming -- Cornerstone Object-Oriented Programming concepts -- Object Request Brokers -- COM and DCOM -- Software Vulnerabilities, Testing, and Assurance -- Software vulnerabilities -- Types of software vulnerabilities -- Cross-Site Scripting and Cross-Site Request Forgery -- Privilege escalation -- Backdoors -- Disclosure -- Software Capability Maturity Model -- Databases -- Relational databases -- Foreign keys -- Referential, semantic, and entity integrity -- Database normalization -- Database views -- Database query languages -- Database integrity -- Database replication and shadowing -- Summary of Exam Objectives -- Top Five Toughest Questions -- Self-Test Quick Answer Key -- Endnotes -- Chapter 5: Domain 5: Cryptography -- Introduction -- Cornerstone Cryptographic Concepts -- Key terms -- Confidentiality, integrity, authentication, and nonrepudiation -- Substitution and permutation -- Cryptographic strength -- Monoalphabetic and polyalphabetic ciphers -- Exclusive Or (XOR) -- Types of cryptography -- Symmetric Encryption -- Stream and block ciphers -- Initialization vectors and chaining -- DES -- Modes of DES -- Electronic Code Book -- Cipher Block Chaining -- Cipher Feedback -- Output Feedback -- Counter -- Single DES -- Triple DES -- Triple DES encryption order and keying options -- International Data Encryption Algorithm -- Advanced Encryption Standard -- Choosing AES -- Blowfish and Twofish -- RC5 and RC6 -- Asymmetric Encryption -- Asymmetric methods -- Factoring prime numbers -- Discrete logarithm -- Diffie-Hellman Key Agreement Protocol -- Elliptic Curve Cryptography -- Asymmetric and symmetric trade-offs -- Hash Functions -- MD5 -- Secure Hash Algorithm -- HAVAL -- Cryptographic Attacks -- Brute force -- Known plaintext.

Chosen plaintext and adaptive-chosen plaintext -- Chosen ciphertext and adaptive-chosen ciphertext -- Meet-in-the-middle attack -- Known key -- Differential cryptanalysis -- Linear cryptanalysis -- Side-channel attacks -- Implementing Cryptography -- Digital signatures -- Public Key Infrastructure -- Certificate Authorities and Organizational Registration Authorities -- Certificate Revocation Lists -- Key management issues -- SSL and TLS -- IPsec -- AH and ESP -- Security association and ISAKMP -- Tunnel and transport mode -- IKE -- PGP -- S/MIME -- Escrowed encryption -- Clipper Chip -- Summary of Exam Objectives -- Top Five Toughest Questions -- Answers -- Endnotes -- Chapter 6: Domain 6: Security Architecture and Design -- Introduction -- Secure System Design Concepts -- Layering -- Abstraction -- Security domains -- The ring model -- Secure Hardware Architecture -- The system unit and motherboard -- The computer bus -- The CPU -- Arithmetic logic unit and control unit -- Fetch and execute -- Pipelining -- Interrupts -- Processes and threads -- Multitasking and multiprocessing -- CISC and RISC -- Memory -- Cache memory -- RAM and ROM -- DRAM and SRAM -- Memory protection -- Process isolation -- Hardware segmentation -- Virtual memory -- Swapping and paging -- Firmware -- Flash memory -- BIOS -- Secure Operating System and Software Architecture -- The kernel -- Reference monitor -- Virtualization -- Hypervisor -- Virtualization security issues -- Cloud computing -- Grid computing -- Peer-to-peer -- Thin clients -- System Vulnerabilities, Threats, and Countermeasures -- Covert channels -- Buffer overflows -- TOCTOU/race conditions -- Maintenance Hooks -- Malicious code (malware) -- Computer viruses -- Worms -- Trojans -- Rootkits -- Web architecture and attacks -- Applets -- Java -- ActiveX -- OWASP -- XML and SAML -- Service-Oriented Architecture.

Mobile device attacks.
Abstract:
Eleventh Hour CISSP provides you with a study guide keyed directly to the most current version of the CISSP exam. This book is streamlined to include only core certification information and is presented for ease of last-minute studying. Main objectives of the exam are covered concisely with key concepts highlighted. The CISSP certification is the most prestigious, globally recognized, vendor-neutral exam for information security professionals. Over 67,000 professionals are certified worldwide, with many more joining their ranks. This new Second Edition is aligned to cover all of the material in the most current version of the exam's Common Body of Knowledge. All 10 domains are covered as completely and as concisely as possible, giving you the best possible chance of acing the exam. All-new Second Edition updated for the most current version of the exam's Common Body of Knowledge. The only guide you need for last-minute studying. Answers the toughest questions and highlights core topics. No fluff: streamlined for maximum efficiency of study, perfect for professionals who are updating their certification or taking the test for the first time.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.