CISSP : Certified Information Systems Security Professional Study Guide.
Title:
CISSP : Certified Information Systems Security Professional Study Guide.
Author:
Stewart, James M.
ISBN:
9781118463895
Added Author Entry:
Edition:
6th ed.
Physical Description:
1 online resource (938 pages)
Contents:
CISSP® Certified Information Systems Security Professional: Study Guide -- Acknowledgments -- About the Authors -- Contents -- Introduction -- (ISC)2 -- CISSP and SSCP -- Prequalifications -- Overview of the CISSP Exam -- CISSP Exam Question Types -- Advice on Taking the Exam -- Study and Exam Preparation Tips -- Completing the Certification Process -- Post-CISSP Concentrations -- Notes on This Book's Organization -- The Elements of This Study Guide -- What's Included With the Additional Study Tools -- The Sybex Test Preparation Software -- Electronic Flashcards -- Glossary of Terms in PDF -- Bonus Practice Exams -- How to Use This Book's Study Tools -- Assessment Test -- Answers to Assessment Test
Chapter 1: Access Control -- Access Control Overview -- Users, Owners, and Custodians -- The CIA Triad -- Policies -- Compare Permissions, Rights, and Privileges -- Types of Access Control -- Defense in Depth -- Access Control Elements -- Identification and Authentication Techniques -- Passwords -- Smart Cards and Tokens -- Biometrics -- Multifactor Authentication -- Access Control Techniques -- Security Operations Principles -- Discretionary Access Controls -- Nondiscretionary Access Controls -- Mandatory Access Controls -- Role-Based Access Control -- Centralized versus Decentralized Access Control -- Single Sign-On -- AAA Protocols -- Authorization Mechanisms -- Identity and Access Provisioning Life Cycle -- Provisioning -- Account Review -- Account Revocation -- Summary -- Exam Essentials -- Written Lab -- Review Questions
Chapter 2: Access Control Attacks and Monitoring -- Understanding Access Control Attacks -- Introduction to Risk Elements -- Asset Valuation -- Threat Modeling -- Vulnerability Analysis -- Common Access Control Attacks -- Preventing Access Control Attacks -- Logging and Monitoring -- Assessing Effectiveness of Access Controls -- Handling Audit Reports -- Summary -- Exam Essentials -- Written Lab -- Review Questions
Chapter 3: Secure Network Architecture and Securing Network Components -- OSI Model -- History of the OSI Model -- OSI Functionality -- Encapsulation/Deencapsulation -- OSI Layers -- TCP/IP Model -- TCP/IP Protocol Suite Overview -- Secure Network Components -- Network Access Control -- Firewalls -- Endpoint Security -- Other Network Devices -- Cabling, Wireless, Topology, and Communications Technology -- Network Cabling -- Wireless Communications and Security -- Network Topologies -- LAN Technologies -- Summary -- Exam Essentials -- Written Lab -- Review Questions
Chapter 4: Secure Communications and Network Attacks -- Network and Protocol Security Mechanisms -- Secure Communications Protocols -- Authentication Protocols -- Virtual Private Network -- Tunneling -- How VPNs Work -- Common VPN Protocols -- Virtual LAN -- Remote Access Security Management -- Plan Remote Access Security -- Dial-Up Protocols -- Centralized Remote Authentication Services -- Network Address Translation -- Private IP Addresses -- Stateful NAT -- Static and Dynamic NAT -- Automatic Private IP Addressing -- Switching Technologies -- Circuit Switching -- Packet Switching -- Virtual Circuits -- WAN Technologies -- WAN Connection Technologies -- Dial-Up Encapsulation Protocols -- Virtualization -- Miscellaneous Security Control Characteristics -- Transparency -- Verify Integrity -- Transmission Mechanisms -- Manage Email Security -- Email Security Goals -- Understand Email Security Issues -- Email Security Solutions -- Secure Voice Communications -- Social Engineering -- Fraud and Abuse -- Phreaking -- Security Boundaries -- Network Attacks and Countermeasures -- DoS and DDoS -- Eavesdropping -- Impersonation/Masquerading -- Replay Attacks -- Modification Attacks -- Address Resolution Protocol Spoofing -- DNS Poisoning, Spoofing, and Hijacking -- Hyperlink Spoofing -- Summary -- Exam Essentials -- Written Lab -- Review Questions
Chapter 5: Security Governance Concepts, Principles, and Policies -- Security Management Planning -- Security Governance -- Security Roles and Responsibilities -- Protection Mechanisms -- Layering -- Abstraction -- Data Hiding -- Encryption -- Privacy Requirements Compliance -- Control Frameworks: Planning to Plan -- Security Management Concepts and Principles -- Confidentiality -- Integrity -- Availability -- Other Security Concepts -- Develop and Implement Security Policy -- Security Policies -- Security Standards, Baselines, and Guidelines -- Security Procedures -- Change Control/Management -- Data Classification -- Summary -- Exam Essentials -- Written Lab -- Review Questions
Chapter 6: Risk and Personnel Management -- Manage Third-Party Governance -- Risk Management -- Risk Terminology -- Risk Assessment Methodologies -- Quantitative Risk Analysis -- Qualitative Risk Analysis -- Handle Risk -- Manage Personnel Security -- Screening and Background Checks -- Employment Agreements -- Vendor, Consultant, and Contractor Controls -- Employee Termination -- Develop and Manage Security Education, Training, and Awareness -- Manage the Security Function -- Summary -- Exam Essentials -- Written Lab -- Review Questions
Chapter 7: Software Development Security -- Application Issues -- Local/Nondistributed Computing -- Distributed Computing -- Databases and Data Warehousing -- Database Management System Architecture -- Database Transactions -- Security for Multilevel Databases -- ODBC -- Aggregation -- Data Mining -- Data/Information Storage -- Types of Storage -- Storage Threats -- Knowledge-Based Systems -- Expert Systems -- Neural Networks -- Decision Support Systems -- Security Applications -- Systems Development Controls -- Software Development -- Systems Development Life Cycle -- Life Cycle Models -- Gantt Charts and PERT -- Change and Configuration Management -- Software Testing -- Security Control Architecture -- Service-Level Agreements -- Summary -- Exam Essentials -- Written Lab -- Review Questions
Chapter 8: Malicious Code and Application Attacks -- Malicious Code -- Sources of Malicious Code -- Viruses -- Logic Bombs -- Trojan Horses -- Worms -- Spyware and Adware -- Active Content -- Countermeasures -- Password Attacks -- Password Guessing -- Dictionary Attacks -- Social Engineering -- Countermeasures -- Application Attacks -- Buffer Overflows -- Time-of-Check-to-Time-of-Use -- Back Doors -- Escalation of Privilege and Rootkits -- Web Application Security -- Cross-Site Scripting (XSS) -- SQL Injection -- Reconnaissance Attacks -- IP Probes -- Port Scans -- Vulnerability Scans -- Dumpster Diving -- Masquerading Attacks -- IP Spoofing -- Session Hijacking -- Summary -- Exam Essentials -- Written Lab -- Review Questions
Chapter 9: Cryptography and Symmetric Key Algorithms -- Historical Milestones in Cryptography -- Caesar Cipher -- American Civil War -- Ultra vs. Enigma -- Cryptographic Basics -- Goals of Cryptography -- Cryptography Concepts -- Cryptographic Mathematics -- Ciphers -- Modern Cryptography -- Cryptographic Keys -- Symmetric Key Algorithms -- Asymmetric Key Algorithms -- Hashing Algorithms -- Symmetric Cryptography -- Data Encryption Standard -- Triple DES -- International Data Encryption Algorithm -- Blowfish -- Skipjack -- Advanced Encryption Standard -- Symmetric Key Management -- Cryptographic Life Cycle -- Summary -- Exam Essentials -- Written Lab -- Review Questions
Chapter 10: PKI and Cryptographic Applications -- Asymmetric Cryptography -- Public and Private Keys -- RSA -- El Gamal -- Elliptic Curve -- Hash Functions -- SHA -- MD2 -- MD4 -- MD5 -- Digital Signatures -- HMAC -- Digital Signature Standard -- Public Key Infrastructure -- Certificates -- Certificate Authorities -- Certificate Generation and Destruction -- Asymmetric Key Management -- Applied Cryptography -- Portable Devices -- Electronic Mail -- Web Applications -- Networking -- Cryptographic Attacks -- Summary -- Exam Essentials -- Written Lab -- Review Questions
Chapter 11: Principles of Security Models, Design, and Capabilities -- Understand the Fundamental Concepts of Security Models -- Trusted Computing Base -- State Machine Model -- Information Flow Model -- Noninterference Model -- Take-Grant Model -- Access Control Matrix -- Bell-LaPadula Model -- Biba Model -- Clark-Wilson Model -- Brewer and Nash Model (aka Chinese Wall) -- Goguen-Meseguer Model -- Sutherland Model -- Graham-Denning Model -- Objects and Subjects -- Closed and Open Systems -- Techniques for Ensuring Confidentiality, Integrity, and Availability -- Controls -- Trust and Assurance -- Understand the Components of Information Systems Security Evaluation Models -- Rainbow Series -- ITSEC Classes and Required Assurance and Functionality -- Common Criteria -- Industry and International Security Implementation Guidelines -- Certification and Accreditation -- Understand Security Capabilities of Information Systems -- Summary -- Exam Essentials -- Written Lab -- Review Questions
Chapter 12: Security Architecture Vulnerabilities, Threats, and Countermeasures -- Computer Architecture -- Hardware -- Input/Output Structures -- Firmware -- Avoiding Single Points of Failure -- Redundant Servers -- Failover Solutions -- RAID -- Distributed Architecture -- Cloud Computing -- Security Protection Mechanisms -- Technical Mechanisms -- Security Policy and Computer Architecture.
Summary:
James M. Stewart, CISSP, is a security expert, technical trainer, and author of numerous publications, books, and courseware. Mike Chapple, PhD, CISSP, is an IT security professional at the University of Notre Dame. He was formerly CIO of Brand Institute. Darril Gibson, Security+, CISSP, ITIL v3, is the CEO of Security Consulting and Training, LLC.
Notes:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.
Electronic Access: