<p>Introduction xlvii<br><strong>Chapter 1</strong> Security and Risk Management 5<br> Security Terms 6<br> CIA 6<br> Auditing and Accounting 7<br> Non-repudiation 8<br> Default Security Posture 8<br> Defense in Depth 9<br> Abstraction 10<br> Data Hiding 10<br> Encryption 10<br> Security Governance Principles 10<br> Security Function Alignment 12<br> Organizational Processes 14<br> Organizational Roles and Responsibilities 16<br> Security Control Frameworks 20<br> Due Care and Due Diligence 38<br> Compliance 38<br> Contractual, Legal, Industry Standards, and Regulatory Compliance 40<br> Privacy Requirements Compliance 40<br> Legal and Regulatory Issues 41<br> Computer Crime Concepts 41<br> Major Legal Systems 43<br> Licensing and Intellectual Property 46<br> Cyber Crimes and Data Breaches 50<br> Import/Export Controls 51<br> Trans-Border Data Flow 51<br> Privacy 52<br> Investigation Types 62<br> Operations/Administrative 63<br> Criminal 63<br> Civil 64<br> Regulatory 64<br> Industry Standards 64<br> eDiscovery 67<br> Professional Ethics 67<br> (ISC)2 Code of Ethics 67<br> Computer Ethics Institute 68<br> Internet Architecture Board 68<br> Organizational Code of Ethics 69<br> Security Documentation 69<br> Policies 70<br> Processes 72<br> Procedures 72<br> Standards 73<br> Guidelines 73<br> Baselines 73<br> Business Continuity 73<br> Business Continuity and Disaster Recovery Concepts 73<br> Scope and Plan 77<br> BIA Development 81<br> Personnel Security Policies and Procedures 85<br> Candidate Screening and Hiring 85<br> Employment Agreements and Policies 87<br> Employee Onboarding and Offboarding Policies 88<br> Vendor, Consultant, and Contractor Agreements and Controls 88<br> Compliance Policy Requirements 89<br> Privacy Policy Requirements 89<br> Job Rotation 89<br> Separation of Duties 89<br> Risk Management Concepts 90<br> Asset and Asset Valuation 90<br> Vulnerability 91<br> Threat 91<br> Threat Agent 91<br> Exploit 91<br> Risk 91<br> Exposure 92<br> 
Countermeasure 92<br> Risk Appetite 92<br> Attack 93<br> Breach 93<br> Risk Management Policy 94<br> Risk Management Team 94<br> Risk Analysis Team 94<br> Risk Assessment 95<br> Implementation 100<br> Control Categories 100<br> Control Types 102<br> Controls Assessment, Monitoring, and Measurement 108<br> Reporting and Continuous Improvement 108<br> Risk Frameworks 109<br> A Risk Management Standard by the Federation of European Risk Management Associations (FERMA) 128<br> Geographical Threats 129<br> Internal Versus External Threats 129<br> Natural Threats 130<br> System Threats 131<br> Human-Caused Threats 133<br> Politically Motivated Threats 135<br> Threat Modeling 137<br> Threat Modeling Concepts 138<br> Threat Modeling Methodologies 138<br> Identifying Threats 141<br> Potential Attacks 142<br> Remediation Technologies and Processes 143<br> Security Risks in the Supply Chain 143<br> Risks Associated with Hardware, Software, and Services 144<br> Third-Party Assessment and Monitoring 144<br> Minimum Service-Level and Security Requirements 145<br> Service-Level Requirements 146<br> Security Education, Training, and Awareness 147<br> Levels Required 147<br> Methods and Techniques 148<br> Periodic Content Reviews 148<br> Review All Key Topics 148<br> Complete the Tables and Lists from Memory 150<br> Define Key Terms 150<br> Answers and Explanations 157<br><strong>Chapter 2</strong> Asset Security 165<br> Asset Security Concepts 166<br> Asset and Data Policies 166<br> Data Quality 167<br> Data Documentation and Organization 168<br> Identify and Classify Information and Assets 169<br> Data and Asset Classification 170<br> Sensitivity and Criticality 170<br> Private Sector Data Classifications 175<br> Military and Government Data Classifications 176<br> Information and Asset Handling Requirements 177<br> Marking, Labeling, and Storing 178<br> Destruction 178<br> Provision Resources Securely 179<br> Asset Inventory and Asset Management 179<br> Data Life Cycle 180<br> 
Databases 182<br> Roles and Responsibilities 188<br> Data Collection and Limitation 191<br> Data Location 192<br> Data Maintenance 192<br> Data Retention 193<br> Data Remanence and Destruction 193<br> Data Audit 194<br> Asset Retention 195<br> Data Security Controls 197<br> Data Security 197<br> Data States 197<br> Data Access and Sharing 198<br> Data Storage and Archiving 199<br> Baselines 200<br> Scoping and Tailoring 201<br> Standards Selection 201<br> Data Protection Methods 202<br> Review All Key Topics 205<br> Define Key Terms 205<br> Answers and Explanations 207<br><strong>Chapter 3</strong> Security Architecture and Engineering 213<br> Engineering Processes Using Secure Design Principles 214<br> Objects and Subjects 215<br> Closed Versus Open Systems 215<br> Threat Modeling 215<br> Least Privilege 216<br> Defense in Depth 216<br> Secure Defaults 216<br> Fail Securely 217<br> Separation of Duties (SoD) 217<br> Keep It Simple 218<br> Zero Trust 218<br> Privacy by Design 218<br> Trust but Verify 219<br> Shared Responsibility 219<br> Security Model Concepts 220<br> Confidentiality, Integrity, and Availability 220<br> Confinement 220<br> Bounds 221<br> Isolation 221<br> Security Modes 221<br> Security Model Types 222<br> Security Models 226<br> System Architecture Steps 230<br> ISO/IEC 42010:2011 231<br> Computing Platforms 231<br> Security Services 234<br> System Components 235<br> System Security Evaluation Models 244<br> TCSEC 245<br> ITSEC 248<br> Common Criteria 250<br> Security Implementation Standards 252<br> Controls and Countermeasures 255<br> Certification and Accreditation 256<br> Control Selection Based on Systems Security Requirements 256<br> Security Capabilities of Information Systems 257<br> Memory Protection 257<br> Trusted Platform Module 258<br> Interfaces 259<br> Fault Tolerance 259<br> Policy Mechanisms 260<br> Encryption/Decryption 260<br> Security Architecture Maintenance 261<br> Vulnerabilities of Security Architectures, Designs, and 
Solution Elements 261<br> Client-Based Systems 262<br> Server-Based Systems 263<br> Database Systems 264<br> Cryptographic Systems 265<br> Industrial Control Systems 265<br> Cloud-Based Systems 268<br> Large-Scale Parallel Data Systems 274<br> Distributed Systems 275<br> Grid Computing 275<br> Peer-to-Peer Computing 275<br> Internet of Things 276<br> Microservices 280<br> Containerization 281<br> Serverless Systems 281<br> High-Performance Computing Systems 282<br> Edge Computing Systems 282<br> Virtualized Systems 283<br> Vulnerabilities in Web-Based Systems 283<br> Maintenance Hooks 284<br> Time-of-Check/Time-of-Use Attacks 284<br> Web-Based Attacks 285<br> XML 285<br> SAML 285<br> OWASP 286<br> Vulnerabilities in Mobile Systems 286<br> Device Security 287<br> Application Security 287<br> Mobile Device Concerns 287<br> NIST SP 800-164 290<br> Vulnerabilities in Embedded Systems 291<br> Cryptographic Solutions 292<br> Cryptography Concepts 292<br> Cryptography History 294<br> Cryptosystem Features 298<br> NIST SP 800-175A and B 299<br> Cryptographic Mathematics 300<br> Cryptographic Life Cycle 302<br> Cryptographic Types 304<br> Running Key and Concealment Ciphers 305<br> Substitution Ciphers 305<br> Transposition Ciphers 307<br> Symmetric Algorithms 308<br> Asymmetric Algorithms 310<br> Hybrid Ciphers 311<br> Elliptic Curves 312<br> Quantum Cryptography 312<br> Symmetric Algorithms 312<br> DES and 3DES 313<br> AES 316<br> IDEA 317<br> Skipjack 317<br> Blowfish 317<br> Twofish 318<br> RC4/RC5/RC6/RC7 318<br> CAST 318<br> Asymmetric Algorithms 319<br> Diffie-Hellman 320<br> RSA 320<br> El Gamal 321<br> ECC 321<br> Knapsack 322<br> Zero-Knowledge Proof 322<br> Public Key Infrastructure and Digital Certificates 322<br> Certificate Authority and Registration Authority 323<br> Certificates 323<br> Certificate Life Cycle 324<br> Certificate Revocation List 327<br> OCSP 327<br> PKI Steps 327<br> Cross-Certification 328<br> Key Management Practices 328<br> Message 
Integrity 332<br> Hashing 333<br> Message Authentication Code 337<br> Salting 339<br> Digital Signatures and Non-repudiation 339<br> DSS 340<br> Non-repudiation 340<br> Applied Cryptography 340<br> Link Encryption Versus End-to-End Encryption 340<br> Email Security 340<br> Internet Security 341<br> Cryptanalytic Attacks 341<br> Ciphertext-Only Attack 342<br> Known Plaintext Attack 342<br> Chosen Plaintext Attack 342<br> Chosen Ciphertext Attack 342<br> Social Engineering 342<br> Brute Force 343<br> Differential Cryptanalysis 343<br> Linear Cryptanalysis 343<br> Algebraic Attack 343<br> Frequency Analysis 343<br> Birthday Attack 344<br> Dictionary Attack 344<br> Replay Attack 344<br> Analytic Attack 344<br> Statistical Attack 344<br> Factoring Attack 344<br> Reverse Engineering 344<br> Meet-in-the-Middle Attack 345<br> Ransomware Attack 345<br> Side-Channel Attack 345<br> Implementation Attack 345<br> Fault Injection 345<br> Timing Attack 346<br> Pass-the-Hash Attack 346<br> Digital Rights Management 346<br> Document DRM 347<br> Music DRM 347<br> Movie DRM 347<br> Video Game DRM 348<br> E-book DRM 348<br> Site and Facility Design 348<br> Layered Defense Model 348<br> CPTED 348<br> Physical Security Plan 350<br> Facility Selection Issues 351<br> Site and Facility Security Controls 353<br> Doors 353<br> Locks 355<br> Biometrics 356<br> Type of Glass Used for Entrances 356<br> Visitor Control 357<br> Wiring Closets/Intermediate Distribution Facilities 357<br> Restricted and Work Areas 357<br> Environmental Security and Issues 358<br> Equipment Physical Security 362<br> Review All Key Topics 364<br> Complete the Tables and Lists from Memory 366<br> Define Key Terms 366<br> Answers and Explanations 372<br><strong>Chapter 4</strong> Communication and Network Security 377<br> Secure Network Design Principles 378<br> OSI Model 378<br> TCP/IP Model 383<br> IP Networking 389<br> Common TCP/UDP Ports 389<br> Logical and Physical Addressing 391<br> IPv4 392<br> Network 
Transmission 399<br> IPv6 403<br> Network Types 416<br> Protocols and Services 421<br> ARP/RARP 422<br> DHCP/BOOTP 423<br> DNS 424<br> FTP, FTPS, SFTP, and TFTP 424<br> HTTP, HTTPS, and S-HTTP 425<br> ICMP 425<br> IGMP 426<br> IMAP 426<br> LDAP 426<br> LDP 426<br> NAT 426<br> NetBIOS 426<br> NFS 427<br> PAT 427<br> POP 427<br> CIFS/SMB 427<br> SMTP 427<br> SNMP 427<br> SSL/TLS 428<br> Multilayer Protocols 428<br> Converged Protocols 429<br> FCoE 429<br> MPLS 430<br> VoIP 431<br> iSCSI 431<br> Wireless Networks 431<br> FHSS, DSSS, OFDM, VOFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 432<br> WLAN Structure 435<br> WLAN Standards 436<br> WLAN Security 439<br> Communications Cryptography 445<br> Link Encryption 445<br> End-to-End Encryption 446<br> Email Security 446<br> Internet Security 448<br> Secure Network Components 450<br> Hardware 450<br> Transmission Media 471<br> Network Access Control Devices 491<br> Endpoint Security 493<br> Content-Distribution Networks 494<br> Secure Communication Channels 495<br> Voice 495<br> Multimedia Collaboration 495<br> Remote Access 497<br> Data Communications 507<br> Virtualized Networks 507<br> Network Attacks 509<br> Cabling 509<br> Network Component Attacks 510<br> ICMP Attacks 512<br> DNS Attacks 514<br> Email Attacks 516<br> Wireless Attacks 518<br> Remote Attacks 519<br> Other Attacks 519<br> Review All Key Topics 521<br> Define Key Terms 522<br> Answers and Explanations 529<br><strong>Chapter 5</strong> Identity and Access Management (IAM) 535<br> Access Control Process 536<br> Identify Resources 536<br> Identify Users 536<br> Identify the Relationships Between Resources and Users 537<br> Physical and Logical Access to Assets 537<br> Access Control Administration 538<br> Information 539<br> Systems 539<br> Devices 540<br> Facilities 540<br> Applications 541<br> Identification and Authentication Concepts 541<br> NIST SP 800-63 542<br> Five Factors for Authentication 546<br> Single-Factor Versus Multifactor Authentication 557<br> 
Device Authentication 557<br> Identification and Authentication Implementation 558<br> Separation of Duties 558<br> Least Privilege/Need-to-Know 559<br> Default to No Access 560<br> Directory Services 560<br> Single Sign-on 561<br> Session Management 566<br> Registration, Proof, and Establishment of Identity 566<br> Credential Management Systems 567<br> Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+) 568<br> Accountability 568<br> Just-In-Time (JIT) 570<br> Identity as a Service (IDaaS) Implementation 571<br> Third-Party Identity Services Integration 571<br> Authorization Mechanisms 572<br> Permissions, Rights, and Privileges 572<br> Access Control Models 572<br> Access Control Policies 580<br> Provisioning Life Cycle 580<br> Provisioning 581<br> User, System, and Service Account Access Review 582<br> Account Transfers 582<br> Account Revocation 583<br> Role Definition 583<br> Privilege Escalation 583<br> Access Control Threats 584<br> Password Threats 585<br> Social Engineering Threats 586<br> DoS/DDoS 588<br> Buffer Overflow 588<br> Mobile Code 588<br> Malicious Software 589<br> Spoofing 589<br> Sniffing and Eavesdropping 589<br> Emanating 590<br> Backdoor/Trapdoor 590<br> Access Aggregation 590<br> Advanced Persistent Threat 591<br> Prevent or Mitigate Access Control Threats 591<br> Review All Key Topics 592<br> Define Key Terms 593<br> Answers and Explanations 596<br><strong>Chapter 6</strong> Security Assessment and Testing 601<br> Design and Validate Assessment and Testing Strategies 602<br> Security Testing 602<br> Security Assessments 603<br> Red Team versus Blue Team 603<br> Security Auditing 604<br> Internal, External, and Third-party Security Assessment, Testing, and Auditing 604<br> Conduct Security Control Testing 605<br> Vulnerability Assessment 605<br> Penetration Testing 609<br> Log Reviews 611<br> Synthetic Transactions 616<br> Code Review and Testing 616<br> Misuse Case Testing 
619<br> Test Coverage Analysis 619<br> Interface Testing 620<br> Collect Security Process Data 620<br> NIST SP 800-137 620<br> Account Management 621<br> Management Review and Approval 622<br> Key Performance and Risk Indicators 622<br> Backup Verification Data 623<br> Training and Awareness 623<br> Disaster Recovery and Business Continuity 624<br> Analyze Test Outputs and Generate a Report 624<br> Conduct or Facilitate Security Audits 624<br> Review All Key Topics 626<br> Define Key Terms 627<br> Answers and Explanations 630<br><strong>Chapter 7</strong> Security Operations 637<br> Investigations 638<br> Forensic and Digital Investigations 638<br> Evidence Collection and Handling 646<br> Digital Forensic Tools, Tactics, and Procedures 651<br> Logging and Monitoring Activities 654<br> Audit and Review 654<br> Log Types 655<br> Intrusion Detection and Prevention 656<br> Security Information and Event Management (SIEM) 656<br> Continuous Monitoring 657<br> Egress Monitoring 657<br> Log Management 658<br> Threat Intelligence 658<br> User and Entity Behavior Analytics (UEBA) 659<br> Configuration and Change Management 659<br> Resource Provisioning 661<br> Baselining 664<br> Automation 664<br> Security Operations Concepts 664<br> Need to Know/Least Privilege 664<br> Managing Accounts, Groups, and Roles 665<br> Separation of Duties and Responsibilities 666<br> Privilege Account Management 666<br> Job Rotation and Mandatory Vacation 666<br> Two-Person Control 667<br> Sensitive Information Procedures 667<br> Record Retention 667<br> Information Life Cycle 668<br> Service-Level Agreements 668<br> Resource Protection 669<br> Protecting Tangible and Intangible Assets 669<br> Asset Management 671<br> Incident Management 680<br> Event Versus Incident 680<br> Incident Response Team and Incident Investigations 681<br> Rules of Engagement, Authorization, and Scope 681<br> Incident Response Procedures 682<br> Incident Response Management 682<br> Detect 683<br> Respond 683<br> 
Mitigate 683<br> Report 684<br> Recover 684<br> Remediate 684<br> Review and Lessons Learned 684<br> Detective and Preventive Measures 684<br> IDS/IPS 685<br> Firewalls 685<br> Whitelisting/Blacklisting 685<br> Third-Party Security Services 686<br> Sandboxing 686<br> Honeypots/Honeynets 686<br> Anti-malware/Antivirus 686<br> Clipping Levels 686<br> Deviations from Standards 687<br> Unusual or Unexplained Events 687<br> Unscheduled Reboots 687<br> Unauthorized Disclosure 687<br> Trusted Recovery 688<br> Trusted Paths 688<br> Input/Output Controls 688<br> System Hardening 688<br> Vulnerability Management Systems 689<br> Machine Learning and Artificial Intelligence (AI)-Based Tools 689<br> Patch and Vulnerability Management 689<br> Recovery Strategies 690<br> Create Recovery Strategies 691<br> Backup Storage Strategies 699<br> Recovery and Multiple Site Strategies 700<br> Redundant Systems, Facilities, and Power 703<br> Fault-Tolerance Technologies 704<br> Insurance 704<br> Data Backup 705<br> Fire Detection and Suppression 705<br> High Availability 705<br> Quality of Service 706<br> System Resilience 706<br> Disaster Recovery 706<br> Response 707<br> Personnel 707<br> Communications 709<br> Assessment 710<br> Restoration 710<br> Training and Awareness 710<br> Lessons Learned 710<br> Testing Disaster Recovery Plans 711<br> Read-Through Test 711<br> Checklist Test 712<br> Table-Top Exercise 712<br> Structured Walk-Through Test 712<br> Simulation Test 712<br> Parallel Test 712<br> Full-Interruption Test 712<br> Functional Drill 713<br> Evacuation Drill 713<br> Business Continuity Planning and Exercises 713<br> Physical Security 713<br> Perimeter Security Controls 713<br> Building and Internal Security Controls 719<br> Personnel Safety and Security 719<br> Duress 720<br> Travel 720<br> Monitoring 720<br> Emergency Management 721<br> Security Training and Awareness 721<br> Review All Key Topics 722<br> Define Key Terms 723<br> Answers and Explanations 
727<br><strong>Chapter 8</strong> Software Development Security 733<br> Software Development Concepts 734<br> Machine Languages 734<br> Assembly Languages and Assemblers 734<br> High-Level Languages, Compilers, and Interpreters 734<br> Object-Oriented Programming 735<br> Distributed Object-Oriented Systems 737<br> Mobile Code 739<br> Security in the System and Software Development Life Cycle 743<br> System Development Life Cycle 743<br> Software Development Life Cycle 746<br> DevSecOps 750<br> Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) 750<br> Security Orchestration and Automated Response (SOAR) 751<br> Software Development Methods and Maturity Models 751<br> Operation and Maintenance 762<br> Integrated Product Team 763<br> Security Controls in Development 764<br> Software Development Security Best Practices 764<br> Software Environment Security 765<br> Source Code Analysis Tools 766<br> Code Repository Security 766<br> Software Threats 766<br> Software Protection Mechanisms 772<br> Assess Software Security Effectiveness 774<br> Auditing and Logging 774<br> Risk Analysis and Mitigation 774<br> Regression and Acceptance Testing 775<br> Security Impact of Acquired Software 775<br> Secure Coding Guidelines and Standards 776<br> Security Weaknesses and Vulnerabilities at the Source Code Level 776<br> Security of Application Programming Interfaces 780<br> Secure Coding Practices 780<br> Review All Key Topics 782<br> Define Key Terms 782<br> Answers and Explanations 786<br><strong>Chapter 9</strong> Final Preparation 791<br> Tools for Final Preparation 791<br> Pearson Test Prep Practice Test Engine and Questions on the Website 791<br> Customizing Your Exams 793<br> Updating Your Exams 794<br> Memory Tables 795<br> Chapter-Ending Review Tools 795<br> Suggested Plan for Final Review/Study 795<br> Summary 796<br><strong>Online Elements<br> Appendix A</strong> Memory Tables<br><strong>Appendix B</strong> Memory Tables Answer 
Key<br> Glossary</p> <p>9780137507474 TOC 9/19/2022</p>