ISC2 CISSP Certified Information Systems Security Professional Official Study Guide
Mike Chapple, James Michael Stewart, Darril Gibson

Paperback, English, 2024, 10th edition, ISBN 9781394254699

Summary

CISSP Study Guide - fully updated for the 2024 CISSP Body of Knowledge

ISC2 Certified Information Systems Security Professional (CISSP) Official Study Guide, 10th Edition has been completely updated based on the latest 2024 CISSP Detailed Content Outline. This bestselling Sybex Study Guide covers 100% of the CISSP objectives. You'll prepare smarter and faster with Sybex thanks to expert content, knowledge from our real-world experience, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic Study Essentials and chapter review questions.

The book’s co-authors bring decades of experience as cybersecurity practitioners and educators, integrating real-world expertise with the practical knowledge you'll need to successfully prove your CISSP mastery. Combined, they've taught cybersecurity concepts to millions of students through their books, video courses, and live training programs.

Along with the book, you also get access to Sybex's superior online interactive learning environment that includes:

- Over 900 practice test questions with complete answer explanations. This includes all of the questions from the book plus four additional online-only practice exams, each with 125 unique questions. You can use the online-only practice exams as full exam simulations. Our questions will help you identify where you need to study more.
- More than 1000 electronic flashcards to reinforce your learning and give you last-minute test prep.
- A searchable glossary in PDF to give you instant access to the key terms you need to know.
- Audio review: author Mike Chapple reads the Study Essentials for each chapter, providing more than 2 hours of up-to-date audio review as yet another way to reinforce your knowledge as you prepare.

Coverage of all of the CISSP topics in the book means you'll be ready for:
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security

Specifications

ISBN13: 9781394254699
Keywords: networking, Cisco, CISSP certification
Language: English
Binding: paperback
Pages: 1248
Publisher: Sybex
Edition: 10
Publication date: 13 June 2024
Main category: IT management / ICT


About Mike Chapple

Mike Chapple, PhD, CISSP, is Teaching Professor of IT, Analytics, and Operations at the University of Notre Dame's Mendoza College of Business. He is a cybersecurity professional and educator with over 25 years of experience. Mike provides cybersecurity certification resources at his website, CertMike.com.

About James Michael Stewart

James Michael Stewart, CISSP, CEH, CHFI, ECSA, CND, ECIH, CySA+, PenTest+, CASP+, Security+, Network+, A+, CISM, and CFR, has been writing and training for more than 25 years, with a current focus on security. He has been writing and teaching CISSP materials since 2002. He is the author of and contributor to more than 75 books on security certifications.

About Darril Gibson

Darril Gibson, CISSP, Security+, CASP, is the CEO of YCDA (short for You Can Do Anything), and he has authored or coauthored more than 40 books. Darril regularly writes, consults, and teaches on a wide variety of technical and security topics and holds several certifications.


Table of Contents

Introduction xxxv
Assessment Test lx

Chapter 1 Security Governance Through Principles and Policies 1
Security 101 3
Understand and Apply Security Concepts 4
Confidentiality 5
Integrity 6
Availability 6
DAD, Overprotection, Authenticity, Nonrepudiation, and AAA Services 7
Protection Mechanisms 11
Security Boundaries 13
Evaluate and Apply Security Governance Principles 14
Third‐Party Governance 15
Documentation Review 16
Manage the Security Function 16
Alignment of Security Function to Business Strategy, Goals, Mission, and Objectives 17
Organizational Processes 19
Organizational Roles and Responsibilities 21
Security Control Frameworks 22
Due Diligence and Due Care 27
Security Policy, Standards, Procedures, and Guidelines 27
Security Policies 28
Security Standards, Baselines, and Guidelines 28
Security Procedures 29
Threat Modeling 29
Identifying Threats 30
Determining and Diagramming Potential Attacks 32
Performing Reduction Analysis 33
Prioritization and Response 33
Supply Chain Risk Management 35
Summary 38
Study Essentials 39
Written Lab 41
Review Questions 42

Chapter 2 Personnel Security and Risk Management Concepts 49
Personnel Security Policies and Procedures 51
Job Descriptions and Responsibilities 51
Candidate Screening and Hiring 52
Onboarding: Employment Agreements and Policy‐Driven Requirements 53
Employee Oversight 55
Offboarding, Transfers, and Termination Processes 56
Vendor, Consultant, and Contractor Agreements and Controls 58
Understand and Apply Risk Management Concepts 60
Risk Terminology and Concepts 61
Asset Valuation 64
Identify Threats and Vulnerabilities 65
Risk Assessment/Analysis 66
Risk Responses 73
Cybersecurity Insurance 75
Cost vs. Benefit of Security Controls 76
Countermeasure Selection and Implementation 80
Applicable Types of Controls 82
Security Control Assessment 84
Monitoring and Measurement 84
Risk Reporting and Documentation 85
Continuous Improvement 86
Legacy Risk 87
Risk Frameworks 87
Social Engineering 90
Social Engineering Principles 92
Eliciting Information 94
Prepending 94
Phishing 95
Spear Phishing 97
Whaling 97
Spam 98
Shoulder Surfing 99
Invoice Scams 99
Hoax 100
Impersonation and Masquerading 100
Tailgating and Piggybacking 100
Dumpster Diving 102
Identity Fraud 102
Typosquatting 103
Influence Campaigns 104
Establish and Maintain a Security Awareness, Education, and Training Program 106
Awareness 106
Training 107
Education 107
Improvements 108
Effectiveness Evaluation 109
Summary 110
Study Essentials 111
Written Lab 114
Review Questions 115

Chapter 3 Business Continuity Planning 121
Planning for Business Continuity 122
Project Scope and Planning 123
Organizational Review 124
BCP Team Selection 125
Resource Requirements 127
External Dependencies 128
Business Impact Analysis 131
Identifying Priorities 132
Risk Identification 133
Likelihood Assessment 134
Impact Analysis 135
Resource Prioritization 137
Continuity Planning 137
Strategy Development 138
Provisions and Processes 138
Plan Approval and Implementation 140
Plan Approval 140
Plan Implementation 140
Communication, Training and Education 141
BCP Documentation 141
Summary 145
Study Essentials 145
Written Lab 146
Review Questions 147

Chapter 4 Laws, Regulations, and Compliance 151
Categories of Laws 152
Criminal Law 152
Civil Law 154
Administrative Law 154
Laws 155
Computer Crime 155
Intellectual Property (IP) 160
Software Licensing 166
Import/Export 167
Privacy 168
State Privacy Laws 179
Compliance 179
Contracting and Procurement 181
Summary 182
Study Essentials 182
Written Lab 184
Review Questions 185

Chapter 5 Protecting Security of Assets 189
Identifying and Classifying Information and Assets 190
Defining Sensitive Data 190
Defining Data Classifications 192
Defining Asset Classifications 195
Understanding Data States 195
Determining Compliance Requirements 196
Determining Data Security Controls 197
Establishing Information and Asset Handling Requirements 198
Data Maintenance 199
Data Loss Prevention 199
Labeling Sensitive Data and Assets 200
Handling Sensitive Information and Assets 202
Data Collection Limitation 202
Data Location 203
Storing Sensitive Data 203
Data Destruction 204
Ensuring Appropriate Data and Asset Retention 207
Data Protection Methods 208
Digital Rights Management 209
Cloud Access Security Broker 210
Pseudonymization 210
Tokenization 211
Anonymization 212
Understanding Data Roles 214
Data Owners 214
Data Controllers and Processors 215
Data Custodians 216
Users and Subjects 216
Using Security Baselines 216
Comparing Tailoring and Scoping 217
Standards Selection 218
Summary 219
Study Essentials 220
Written Lab 221
Review Questions 222

Chapter 6 Cryptography and Symmetric Key Algorithms 227
Cryptographic Foundations 228
Goals of Cryptography 228
Cryptography Concepts 231
Cryptographic Mathematics 232
Ciphers 239
Modern Cryptography 246
Cryptographic Keys 246
Symmetric Key Algorithms 248
Asymmetric Key Algorithms 250
Hashing Algorithms 253
Symmetric Cryptography 253
Block Cipher Modes of Operation 254
Data Encryption Standard 256
Triple DES 256
International Data Encryption Algorithm 257
Blowfish 258
SKIPJACK 258
Rivest Ciphers 258
Advanced Encryption Standard 259
CAST 260
Comparison of Symmetric Encryption Algorithms 260
Symmetric Key Management 261
Cryptographic Life Cycle 263
Summary 264
Study Essentials 264
Written Lab 266
Review Questions 267

Chapter 7 PKI and Cryptographic Applications 271
Asymmetric Cryptography 272
Public and Private Keys 272
RSA 274
ElGamal 275
Elliptic Curve Cryptography 276
Diffie–Hellman Key Exchange 277
Quantum Cryptography 278
Hash Functions 279
SHA Family 280
MD5 281
RIPEMD 282
Comparison of Hash Function Value Lengths 282
Digital Signatures 283
HMAC 284
Digital Signature Standard 285
Public Key Infrastructure 286
Certificates 286
Certificate Authorities 287
Certificate Life Cycle 288
Certificate Formats 291
Asymmetric Key Management 292
Hybrid Cryptography 293
Applied Cryptography 294
Portable Devices 294
Email 295
Web Applications 298
Steganography and Watermarking 300
Networking 302
Emerging Applications 304
Cryptographic Attacks 306
Summary 309
Study Essentials 310
Written Lab 311
Review Questions 312

Chapter 8 Principles of Security Models, Design, and Capabilities 317
Secure Design Principles 319
Objects and Subjects 319
Closed and Open Systems 321
Secure Defaults 322
Fail Securely 323
Keep It Simple and Small 325
Zero-Trust 326
Trust but Verify 328
Privacy by Design 328
Secure Access Service Edge (SASE) 329
Techniques for Ensuring CIA 330
Confinement 330
Bounds 330
Isolation 331
Access Controls 331
Trust and Assurance 331
Understand the Fundamental Concepts of Security Models 332
Trusted Computing Base 333
State Machine Model 334
Information Flow Model 335
Noninterference Model 335
Composition Theories 336
Take‐Grant Model 336
Access Control Matrix 337
Bell–LaPadula Model 338
Biba Model 340
Clark–Wilson Model 342
Brewer and Nash Model 343
Select Controls Based on Systems Security Requirements 345
Common Criteria 345
Authorization to Operate 348
Understand Security Capabilities of Information Systems 349
Memory Protection 349
Virtualization 349
Trusted Platform Module (TPM) 349
Interfaces 350
Fault Tolerance 350
Encryption/Decryption 350
Manage the Information System Life Cycle 350
Summary 352
Study Essentials 353
Written Lab 354
Review Questions 355

Chapter 9 Security Vulnerabilities, Threats, and Countermeasures 359
Shared Responsibility 360
Data Localization and Data Sovereignty 362
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 363
Hardware 364
Firmware 377
Client‐Based Systems 378
Mobile Code 379
Local Caches 381
Server‐Based Systems 381
Large‐Scale Parallel Data Systems 382
Grid Computing 383
Peer to Peer 384
Industrial Control Systems 384
Distributed Systems 386
High‐Performance Computing (HPC) Systems 387
Real‐Time Operating Systems 388
Internet of Things 389
Edge and Fog Computing 390
Embedded Devices and Cyber‐Physical Systems 391
Static Systems 392
Cyber‐Physical Systems 393
Security Concerns of Embedded and Static Systems 393
Microservices 396
Infrastructure as Code 397
Immutable Architecture 398
Virtualized Systems 399
Virtual Software 401
Virtualized Networking 402
Software‐Defined Everything 402
Virtualization Security Management 404
Containerization 406
Mobile Devices 407
Mobile Device Security Features 408
Mobile Device Deployment Policies 419
Essential Security Protection Mechanisms 424
Process Isolation 425
Hardware Segmentation 425
Root of Trust 426
System Security Policy 426
Common Security Architecture Flaws and Issues 427
Covert Channels 427
Attacks Based on Design or Coding Flaws 428
Rootkits 429
Incremental Attacks 430
Summary 431
Study Essentials 432
Written Lab 436
Review Questions 437

Chapter 10 Physical Security Requirements 443
Apply Security Principles to Site and Facility Design 444
Secure Facility Plan 444
Site Selection 445
Facility Design 446
Implement Site and Facility Security Controls 449
Equipment Failure 450
Wiring Closets 450
Server Rooms/Data Centers 452
Intrusion Detection Systems 454
Cameras 458
Access Abuses 459
Media Storage Facilities 459
Evidence Storage 460
Work Area Security 461
Utility Considerations 462
Fire Prevention, Detection, and Suppression 467
Implement and Manage Physical Security 473
Perimeter Security Controls 474
Internal Security Controls 478
Key Performance Indicators of Physical Security 479
Summary 480
Study Essentials 481
Written Lab 484
Review Questions 485

Chapter 11 Secure Network Architecture and Components 491
OSI Model 493
History of the OSI Model 493
OSI Functionality 494
Encapsulation/Deencapsulation 494
OSI Layers 496
TCP/IP Model 501
Analyzing Network Traffic 502
Common Application Layer Protocols 503
Transport Layer Protocols 504
Domain Name System 506
DNS Poisoning 508
Domain Hijacking 511
Internet Protocol (IP) Networking 512
IPv4 vs. IPv6 513
IP Classes 514
ICMP 516
IGMP 516
ARP Concerns 516
Secure Communication Protocols 517
Implications of Multilayer Protocols 518
Converged Protocols 520
Voice over Internet Protocol (VoIP) 521
Software‐Defined Networking 522
Segmentation 523
Edge Networks 526
Wireless Networks 527
Securing the SSID 528
Wireless Channels 529
Conducting a Site Survey 530
Wireless Security 530
Wi‐Fi Protected Setup (WPS) 533
Wireless MAC Filter 534
Wireless Antenna Management 534
Using Captive Portals 535
General Wi‐Fi Security Procedure 535
Wireless Communications 536
Wireless Attacks 539
Satellite Communications 543
Cellular Networks 544
Content Distribution Networks (CDNs) 544
Secure Network Components 545
Secure Operation of Hardware 546
Common Network Equipment 547
Network Access Control 549
Firewalls 551
Endpoint Security 556
Cabling, Topology, and Transmission Media Technology 559
Transmission Media 560
Transport Architecture 564
Network Topologies 565
Ethernet 568
Sub‐Technologies 568
Summary 572
Study Essentials 573
Written Lab 575
Review Questions 576

Chapter 12 Secure Communications and Network Attacks 581
Protocol Security Mechanisms 582
Authentication Protocols 582
Port Security 585
Quality of Service (QoS) 585
Secure Voice Communications 587
Public Switched Telephone Network 587
Voice over Internet Protocol (VoIP) 587
Vishing and Phreaking 589
PBX Fraud and Abuse 590
Remote Access Security Management 591
Remote Access and Telecommuting Techniques 592
Remote Connection Security 592
Plan a Remote Access Security Policy 593
Network Administrative Functions 594
Multimedia Collaboration 595
Remote Meeting 595
Instant Messaging and Chat 596
Monitoring and Management 597
Load Balancing 597
Virtual IP Addresses 599
Active‐Active vs. Active‐Passive 599
Manage Email Security 600
Email Security Goals 601
Understand Email Security Issues 602
Email Security Solutions 603
Virtual Private Network 606
Tunneling 606
How VPNs Work 607
Always‐On 610
Split Tunnel vs. Full Tunnel 610
Common VPN Protocols 611
Switching and Virtual LANs 613
MAC Flooding Attack 616
MAC Cloning 617
Network Address Translation 617
Private IP Addresses 620
Stateful NAT 621
Automatic Private IP Addressing 621
Third‐Party Connectivity 622
Switching Technologies 624
Circuit Switching 624
Packet Switching 625
Virtual Circuits 626
WAN Technologies 626
Fiber‐Optic Links 629
Prevent or Mitigate Network Attacks 630
Eavesdropping 630
Modification Attacks 630
Summary 631
Study Essentials 632
Written Lab 635
Review Questions 636

Chapter 13 Managing Identity and Authentication 641
Controlling Access to Assets 643
Controlling Physical and Logical Access 644
The CIA Triad and Access Controls 644
The AAA Model 645
Identification and Authentication Strategy 645
Comparing Subjects and Objects 646
Registration, Proofing, and Establishment of Identity 647
Authorization and Accounting 648
Authentication Factors Overview 649
Something You Know 651
Something You Have 654
Something You Are 656
Multifactor Authentication (MFA) 659
Passwordless Authentication 660
Device Authentication 661
Service Authentication 661
Mutual Authentication 662
Implementing Identity Management 662
Single Sign‐On 663
SSO and Federated Identities 664
Credential Management Systems 666
Credential Manager Apps 666
Scripted Access 667
Session Management 667
Managing the Identity and Access Provisioning Life Cycle 668
Provisioning and Onboarding 668
Deprovisioning and Offboarding 670
Role Definition and Transition 670
Account Maintenance 671
Account Access Review 671
Summary 672
Study Essentials 672
Written Lab 675
Review Questions 676

Chapter 14 Controlling and Monitoring Access 681
Comparing Access Control Models 682
Comparing Permissions, Rights, and Privileges 682
Understanding Authorization Mechanisms 683
Defining Requirements with a Security Policy 685
Introducing Access Control Models 685
Discretionary Access Control 686
Nondiscretionary Access Controls 687
Implementing Authentication Systems 694
Implementing SSO on the Internet 694
Implementing SSO on Internal Networks 698
Zero‐Trust Access Policy Enforcement 702
Understanding Access Control Attacks 703
Risk Elements 704
Common Access Control Attacks 704
Core Protection Methods 717
Summary 719
Study Essentials 720
Written Lab 721
Review Questions 722

Chapter 15 Security Assessment and Testing 727
Building a Security Assessment and Testing Program 729
Security Testing 729
Security Assessments 731
Security Audits 732
Performing Vulnerability Assessments 735
Describing Vulnerabilities 736
Vulnerability Scans 736
Penetration Testing 747
Compliance Checks 750
Testing Your Software 750
Code Review and Testing 751
Interface Testing 755
Misuse Case Testing 756
Test Coverage Analysis 757
Website Monitoring 757
Training and Exercises 758
Implementing Security Management Processes and Collecting Security Process Data 759
Log Reviews 759
Account Management 760
Disaster Recovery and Business Continuity 761
Training and Awareness 761
Key Performance and Risk Indicators 762
Summary 762
Exam Essentials 763
Written Lab 764
Review Questions 765

Chapter 16 Managing Security Operations 769
Apply Foundational Security Operations Concepts 771
Need‐to‐Know and Least Privilege 772
Segregation of Duties (SoD) and Responsibilities 773
Two‐Person Control 774
Job Rotation 775
Mandatory Vacations 775
Privileged Account Management 775
Service‐Level Agreements (SLAs) 777
Address Personnel Safety and Security 778
Duress 778
Travel 778
Emergency Management 779
Security Training and Awareness 780
Provision Information and Assets Securely 780
Information and Asset Ownership 781
Asset Management 781
Apply Resource Protection 783
Media Management 783
Media Protection Techniques 783
Managed Services in the Cloud 786
Shared Responsibility with Cloud Service Models 787
Scalability and Elasticity 789
Serverless Architecture 790
Perform Configuration Management (CM) 790
Provisioning 791
Baselining 791
Using Images for Baselining 791
Automation 792
Manage Change 793
Change Management 795
Versioning 796
Configuration Documentation 796
Manage Patches and Reduce Vulnerabilities 797
Systems to Manage 797
Patch Management 797
Vulnerability Management 799
Vulnerability Scans 800
Common Vulnerabilities and Exposures 800
Summary 801
Study Essentials 802
Written Lab 804
Review Questions 805

Chapter 17 Preventing and Responding to Incidents 809
Conducting Incident Management 811
Defining an Incident 811
Incident Management Steps 812
Implementing Detection and Preventive Measures 818
Basic Preventive Measures 819
Understanding Attacks 820
Intrusion Detection and Prevention Systems 828
Specific Preventive Measures 836
Logging and Monitoring 842
Logging Techniques 843
The Role of Monitoring 846
Monitoring and Tuning Techniques 848
Log Management 852
Egress Monitoring 853
Automating Incident Response 854
Understanding SOAR 854
Machine Learning and AI Tools 855
Threat Intelligence 856
The Intersection of SOAR, Machine Learning, AI, and Threat Feeds 859
Summary 860
Study Essentials 860
Written Lab 863
Review Questions 864

Chapter 18 Disaster Recovery Planning 869
The Nature of Disaster 871
Natural Disasters 872
Human‐Made Disasters 877
Understand System Resilience, High Availability, and Fault Tolerance 883
Protecting Hard Drives 884
Protecting Servers 885
Protecting Power Sources 886
Trusted Recovery 887
Quality of Service 888
Recovery Strategy 888
Business Unit and Functional Priorities 889
Crisis Management 890
Emergency Communications 891
Workgroup Recovery 891
Alternate Processing Sites 891
Database Recovery 896
Recovery Plan Development 898
Emergency Response 899
Personnel and Communications 900
Assessment 900
Backups and Storage Strategies 901
Software Escrow Arrangements 904
Utilities 905
Logistics and Supplies 905
Recovery vs. Restoration 905
Training, Awareness, and Documentation 906
Testing and Maintenance 907
Read‐Through 908
Tabletop 908
Walk‐Through 908
Simulation Test 908
Parallel Test 909
Full‐Interruption Test 909
Lessons Learned 909
Maintenance 910
Test Communications 911
Summary 911
Study Essentials 912
Written Lab 913
Review Questions 914

Chapter 19 Investigations and Ethics 919
Investigations 920
Investigation Types 920
Evidence 923
Investigation Process 930
Major Categories of Computer Crime 934
Military and Intelligence Attacks 935
Business Attacks 936
Financial Attacks 937
Terrorist Attacks 937
Grudge Attacks 938
Thrill Attacks 939
Hacktivists 940
Ethics 940
Organizational Code of Ethics 940
ISC2 Code of Professional Ethics 941
Ethics and the Internet 943
Summary 944
Study Essentials 945
Written Lab 946
Review Questions 947

Chapter 20 Software Development Security 951
Introducing Systems Development Controls 953
Software Development 953
Systems Development Life Cycle 962
Life Cycle Models 965
Gantt Charts and PERT 975
Change and Configuration Management 976
The DevOps Approach 977
Application Programming Interfaces 979
Software Testing 980
Code Repositories 981
Service‐Level Agreements 982
Third‐Party Software Acquisition 983
Establishing Databases and Data Warehousing 984
Database Management System Architecture 984
Database Transactions 988
Security for Multilevel Databases 990
Open Database Connectivity 993
NoSQL 994
Storage Threats 994
Understanding Knowledge‐Based Systems 995
Expert Systems 996
Machine Learning 997
Neural Networks 997
Summary 998
Study Essentials 998
Written Lab 1000
Review Questions 1001

Chapter 21 Malicious Code and Application Attacks 1005
Malware 1006
Sources of Malicious Code 1007
Viruses 1007
Logic Bombs 1011
Trojan Horses 1012
Worms 1013
Spyware and Adware 1016
Ransomware 1016
Malicious Scripts 1017
Zero‐Day Attacks 1018
Malware Prevention 1018
Platforms Vulnerable to Malware 1019
Anti‐malware Software 1019
Integrity Monitoring 1020
Advanced Threat Protection 1020
Application Attacks 1021
Buffer Overflows 1021
Time of Check to Time of Use 1022
Backdoors 1023
Privilege Escalation and Rootkits 1023
Injection Vulnerabilities 1024
SQL Injection Attacks 1024
Code Injection Attacks 1028
Command Injection Attacks 1029
Exploiting Authorization Vulnerabilities 1030
Insecure Direct Object References 1030
Directory Traversal 1031
File Inclusion 1032
Exploiting Web Application Vulnerabilities 1033
Cross‐Site Scripting (XSS) 1033
Request Forgery 1036
Session Hijacking 1037
Application Security Controls 1038
Input Validation 1038
Web Application Firewalls 1040
Database Security 1041
Code Security 1042
Secure Coding Practices 1044
Source Code Comments 1044
Error Handling 1045
Hard‐Coded Credentials 1046
Memory Management 1047
Summary 1048
Study Essentials 1048
Written Lab 1049
Review Questions 1050

Appendix A Answers to Review Questions 1055

Index 1133

© 2025 Mainpress BV