The Official (ISC)2 CISSP CBK Reference
Contents
Aaron Kraus. The Official (ISC)2 CISSP CBK Reference
Table of Contents
List of Tables
List of Illustrations
Guide
Pages
CISSP: Certified Information Systems Security Professional. The Official (ISC)2® CISSP® CBK® Reference
Lead Authors
Technical Reviewer
Foreword
Introduction
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management
Security Assessment and Testing
Security Operations
Software Development Security
DOMAIN 1 Security and Risk Management
UNDERSTAND, ADHERE TO, AND PROMOTE PROFESSIONAL ETHICS
(ISC)2 Code of Professional Ethics
Organizational Code of Ethics
Ethics and the Internet
UNDERSTAND AND APPLY SECURITY CONCEPTS
Confidentiality
Integrity
Availability
Limitations of the CIA Triad
EVALUATE AND APPLY SECURITY GOVERNANCE PRINCIPLES
Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives
Organizational Processes
Governance Committees
Mergers and Acquisitions
Divestitures
Organizational Roles and Responsibilities
Security Control Frameworks
ISO/IEC 27001
ISO/IEC 27002
NIST 800-53
NIST Cybersecurity Framework
CIS Critical Security Controls
Due Care and Due Diligence
DETERMINE COMPLIANCE AND OTHER REQUIREMENTS
Legislative and Regulatory Requirements
U.S. Computer Security Act of 1987
U.S. Federal Information Security Management Act (FISMA) of 2002
Industry Standards and Other Compliance Requirements
U.S. Sarbanes–Oxley Act of 2002
System and Organization Controls
Payment Card Industry Data Security Standard
Privacy Requirements
UNDERSTAND LEGAL AND REGULATORY ISSUES THAT PERTAIN TO INFORMATION SECURITY IN A HOLISTIC CONTEXT
Cybercrimes and Data Breaches
U.S. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030
U.S. Electronic Communications Privacy Act of 1986
U.S. Economic Espionage Act of 1996
U.S. Child Pornography Prevention Act of 1996
U.S. Identity Theft and Assumption Deterrence Act of 1998
USA PATRIOT Act of 2001
U.S. Homeland Security Act of 2002
U.S. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
U.S. Intelligence Reform and Terrorism Prevention Act of 2004
The Council of Europe's Convention on Cybercrime of 2001
The Computer Misuse Act 1990 (U.K.)
Information Technology Act of 2000 (India)
Cybercrime Act 2001 (Australia)
Licensing and Intellectual Property Requirements
Licensing
Patents
Trademarks
Copyrights
Trade Secrets
Import/Export Controls
Transborder Data Flow
Privacy
U.S. Federal Privacy Act of 1974, 5 U.S.C. § 552a
U.S. Health Insurance Portability and Accountability Act of 1996
U.S. Children's Online Privacy Protection Act of 1998
U.S. Gramm-Leach-Bliley Act of 1999
U.S. Health Information Technology for Economic and Clinical Health Act of 2009
Data Protection Directive (EU)
Data Protection Act 1998 (UK)
Safe Harbor
EU-US Privacy Shield
General Data Protection Regulation (EU)
GDPR Fines
Determination
Lower Level
Upper Level
UNDERSTAND REQUIREMENTS FOR INVESTIGATION TYPES
Administrative
Criminal
Civil
Regulatory
Industry Standards
DEVELOP, DOCUMENT, AND IMPLEMENT SECURITY POLICY, STANDARDS, PROCEDURES, AND GUIDELINES
Policies
Standards
Procedures
Guidelines
IDENTIFY, ANALYZE, AND PRIORITIZE BUSINESS CONTINUITY REQUIREMENTS
Business Impact Analysis
Develop and Document the Scope and the Plan
People
Processes
Technologies
CONTRIBUTE TO AND ENFORCE PERSONNEL SECURITY POLICIES AND PROCEDURES
Candidate Screening and Hiring
Employment Agreements and Policies
Onboarding, Transfers, and Termination Processes
Onboarding
Transfers
Termination
Vendor, Consultant, and Contractor Agreements and Controls
Compliance Policy Requirements
Privacy Policy Requirements
UNDERSTAND AND APPLY RISK MANAGEMENT CONCEPTS
Identify Threats and Vulnerabilities
Threats
Vulnerabilities
Assets
Risk Assessment
Risk Identification
Risk Analysis
Quantitative Risk Calculation
Risk Evaluation
Risk Response/Treatment
Avoid
Mitigate
Transfer
Accept
Countermeasure Selection and Implementation
Security-Effectiveness
Cost-Effectiveness
Operational Impact
Applicable Types of Controls
Control Assessments
Monitoring and Measurement
Reporting
Continuous Improvement
Risk Frameworks
International Standards Organization
U.S. National Institute of Standards and Technology
COBIT and RiskIT
UNDERSTAND AND APPLY THREAT MODELING CONCEPTS AND METHODOLOGIES
Threat Modeling Concepts
Attacker-centric
Asset-centric
Software-centric (or System-centric)
Threat Modeling Methodologies
STRIDE
PASTA
NIST 800-154
DREAD
Other Models
APPLY SUPPLY CHAIN RISK MANAGEMENT CONCEPTS
Risks Associated with Hardware, Software, and Services
Malicious Code in the Supply Chain
SolarWinds and the SUNBURST Attack
Third-Party Assessment and Monitoring
Minimum Security Requirements
Service-Level Requirements
Frameworks
NIST IR 7622
ISO 28000
U.K. National Cyber Security Centre
ESTABLISH AND MAINTAIN A SECURITY AWARENESS, EDUCATION, AND TRAINING PROGRAM
Methods and Techniques to Present Awareness and Training
Social Engineering
Security Champions
Gamification
Periodic Content Reviews
Program Effectiveness Evaluation
SUMMARY
DOMAIN 2 Asset Security
IDENTIFY AND CLASSIFY INFORMATION AND ASSETS
Data Classification and Data Categorization
Data Classification
Examples of Classification Schemes
Data Categorization
Asset Classification
Benefits of Classification
Asset Classification Levels
ESTABLISH INFORMATION AND ASSET HANDLING REQUIREMENTS
Marking and Labeling
Handling
Storage
Declassification
De-identification
Tokenization
PROVISION RESOURCES SECURELY
Information and Asset Ownership
Asset Inventory
Inventory Tool/System of Record
Process Considerations
Asset Management
Information Technology Asset Management
Configuration Management
Change Management
MANAGE DATA LIFECYCLE
Data Roles
Owners
Controllers
Custodians
Processors
Users
Subjects
Data Collection
Data Location
Data Maintenance
Data Retention
Data Destruction
Data Remanence
ENSURE APPROPRIATE ASSET RETENTION
Determining Appropriate Records Retention
Records Retention Best Practices
DETERMINE DATA SECURITY CONTROLS AND COMPLIANCE REQUIREMENTS
Data States
Data at Rest
Data in Transit
Data in Use
Scoping and Tailoring
Common Controls
Compensating Security Controls
Standards Selection
Leading Security Frameworks
Security Standards
Data Protection Methods
Digital Rights Management
Data Loss Prevention
Cloud Access Security Broker
SUMMARY
DOMAIN 3 Security Architecture and Engineering
RESEARCH, IMPLEMENT, AND MANAGE ENGINEERING PROCESSES USING SECURE DESIGN PRINCIPLES
ISO/IEC 19249
ISO/IEC 19249 Architectural Principles
Domain Separation
Layering
Encapsulation
Redundancy
Virtualization
ISO/IEC 19249 Design Principles
Least Privilege
Attack Surface Minimization
Centralized Parameter Validation
Centralized General Security Services
Preparing for Error and Exception Handling
Threat Modeling
STRIDE
DREAD
PASTA
Secure Defaults
Fail Securely
Separation of Duties
Keep It Simple
Trust, but Verify
Zero Trust
BeyondCorp at Google
Privacy by Design
Shared Responsibility
Defense in Depth
UNDERSTAND THE FUNDAMENTAL CONCEPTS OF SECURITY MODELS
Primer on Common Model Components
Information Flow Model
Noninterference Model
Bell–LaPadula Model
Biba Integrity Model
Clark–Wilson Model
Brewer–Nash Model
Take-Grant Model
SELECT CONTROLS BASED UPON SYSTEMS SECURITY REQUIREMENTS
UNDERSTAND SECURITY CAPABILITIES OF INFORMATION SYSTEMS
Memory Protection
Potential Weaknesses
Spectre and Meltdown
Secure Cryptoprocessor
Trusted Platform Module
Potential Weaknesses
Cryptographic Module
Hardware Security Module
ASSESS AND MITIGATE THE VULNERABILITIES OF SECURITY ARCHITECTURES, DESIGNS, AND SOLUTION ELEMENTS
Client-Based Systems
Server-Based Systems
Server Hardening Guidelines
Database Systems
Cryptographic Systems
Algorithm and Protocol Weaknesses
The Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG)
WEP: A Design Flaw Case Study
Implementation Weaknesses
Heartbleed: An Implementation Flaw Case Study
Key Management Vulnerabilities
Industrial Control Systems
Ukraine Power Grid Cyber Attack
Israel Water Supply Cyber Attacks
Cloud-Based Systems
Distributed Systems
Internet of Things
Smart Lightbulb Hack
IoT Security from an Equipment Manufacturer's Perspective
IoT Security from a User's Perspective
UK Report on Consumer IoT
Microservices
Containerization
Security Concerns
Serverless
Security Concerns
Embedded Systems
High-Performance Computing Systems
Edge Computing Systems
Security Concerns
Virtualized Systems
Potential Weaknesses
SELECT AND DETERMINE CRYPTOGRAPHIC SOLUTIONS
Cryptography Basics
Cryptographic Lifecycle
Cryptographic Methods
Symmetric Encryption
Stream Ciphers
Block Ciphers
Block Cipher Modes of Operation
Data Encryption Standard
Triple DES
Advanced Encryption Standard
Rivest Ciphers
Asymmetric Encryption (Public Key Cryptography)
Diffie–Hellman–Merkle Key Exchange
RSA
ElGamal
Elliptic Curve Cryptography
Quantum Cryptography
Public Key Infrastructure
DigiNotar: When a Trusted CA Is Compromised
Key Management Practices
Secure Key Generation
Secure Key Storage and Use
Separation of Duties, Dual Control, and Split Knowledge
Timely Key Rotation and Key Change
Key Destruction
Digital Signatures and Digital Certificates
Nonrepudiation
Blockchain and Nonrepudiation
Integrity
UNDERSTAND METHODS OF CRYPTANALYTIC ATTACKS
Brute Force
Ciphertext Only
Known Plaintext
Chosen Plaintext Attack
Frequency Analysis
Chosen Ciphertext
Implementation Attacks
Side-Channel Attacks
Fault Injection
Timing Attacks
Man-in-the-Middle
Pass the Hash
Kerberos Exploitation
Ransomware
APPLY SECURITY PRINCIPLES TO SITE AND FACILITY DESIGN
DESIGN SITE AND FACILITY SECURITY CONTROLS
Wiring Closets/Intermediate Distribution Facilities
Server Rooms/Data Centers
Media Storage Facilities
Evidence Storage
Restricted and Work Area Security
Least Privilege and Need-to-Know
Separation of Duties and/or Dual Control
Defense in Depth
Compliance Obligations
Utilities and Heating, Ventilation, and Air Conditioning
Generator Failure Takes Out Major Data Center
Environmental Issues
Cloud Computing and Availability
Fire Prevention, Detection, and Suppression
SUMMARY
DOMAIN 4 Communication and Network Security
ASSESS AND IMPLEMENT SECURE DESIGN PRINCIPLES IN NETWORK ARCHITECTURES
Open System Interconnection and Transmission Control Protocol/Internet Protocol Models
The OSI Reference Model
Layer 1: Physical Layer
Layer 1 Attack Vectors
Layer 2: Data Link Layer
Layer 2 Attack Vectors
Layer 3: Network Layer
Layer 3 Attack Vectors
Layer 4: Transport Layer
Transmission Control Protocol
User Datagram Protocol
Layer 4 Attack Vectors
Layer 5: Session Layer
Layer 5 Attack Vectors
Layer 6: Presentation Layer
Layer 6 Attack Vectors
Layer 7: Application Layer
Layer 7 Attack Vectors
The TCP/IP Reference Model
Link (or Network Access) Layer
Internet Layer
Transport Layer
Application Layer
Internet Protocol Networking
Internet Protocol Version 4
Network Address Translation
Internet Protocol Version 6
Network Attacks
Distributed Denial-of-Service Attacks
SYN Flooding
DDoS and the Internet of Things
Man-in-the-Middle Attacks
Packet Sniffing
Hijacking Attacks
MITRE ATT&CK Framework
Secure Protocols
Secure Shell
Transport Layer Security
Kerberos
Internet Protocol Security
Internet Key Exchange
Implications of Multilayer Protocols
Virtual Local Area Networks
Supervisory Control and Data Acquisition Systems
Converged Protocols
Microsegmentation
Software-Defined Networking
Software-Defined Security
Software-Defined Wide Area Network
Virtual eXtensible Local Area Network
Encapsulation
Wireless Networks
Wi-Fi
Wired Equivalent Privacy and Wi-Fi Protected Access
WPA2 (or IEEE 802.11i)
WPA3
IEEE 802.1X
Extensible Authentication Protocol
Protected Extensible Authentication Protocol
Lightweight Extensible Authentication Protocol
Temporal Key Integrity Protocol
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
Securing Wireless Access Points
Conducting a Site Survey
Determining Wireless Access Placement
Antenna Types
Wireless Channels
Infrastructure Mode and Ad Hoc Mode
Service Set Identifiers
Using Captive Portals
MAC Filters
Wireless Attacks
Li-Fi
Bluetooth
ZigBee
Cellular Networks
Content Distribution Networks
SECURE NETWORK COMPONENTS
Operation of Hardware
Firewalls
Types of Firewalls
Static Packet Filtering Firewalls
Application-Level Firewalls
Stateful Inspection Firewalls
Circuit-Level Firewalls
Next Generation Firewalls
Multihomed Firewalls
Bastion Host/Screened Host
Firewall Deployment Architectures
Repeaters, Concentrators, and Amplifiers
Hubs
Bridges
Switches
Routers
Gateways
Proxies
LAN Extenders
Wireless Access Points
Transmission Media
Local Area Network Technologies
Ethernet
Wireless LAN
Network Cabling
Coaxial Cable
Baseband and Broadband Cables
Twisted Pair
Conductors
Additional Cabling Considerations
Network Topologies
Ring Topology
Bus Topology
Star Topology
Mesh Topology
Network Access Control
Endpoint Security
Mobile Devices
IMPLEMENT SECURE COMMUNICATION CHANNELS ACCORDING TO DESIGN
Voice
Private Branch Exchange and Plain Old Telephone Service
Voice over Internet Protocol
Multimedia Collaboration
Remote Meeting
Zoombombing
Instant Messaging
Email Security Goals
Email Security Solutions
Remote Access
Remote Access for Telecommuting
Remote Access Security Management
Authentication Approaches
Centralized Remote Authentication Services
Virtual Private Network
Tunneling
Common VPN Protocols
Point-to-Point Tunneling Protocol
Layer 2 Tunneling Protocol
Data Communications
Frame Relay
Asynchronous Transfer Mode
Multiprotocol Label Switching
Virtualized Networks
Third-Party Connectivity
SUMMARY
DOMAIN 5 Identity and Access Management
CONTROL PHYSICAL AND LOGICAL ACCESS TO ASSETS
Access Control Definitions
Information
Systems
Devices
Facilities
Physical Access Control Systems
An Expanded Definition of Facilities
Applications
MANAGE IDENTIFICATION AND AUTHENTICATION OF PEOPLE, DEVICES, AND SERVICES
Identity Management Implementation
Single/Multifactor Authentication
Type 1 Authentication Factors
Password Managers
Type 2 Authentication Factors
Type 3 Authentication Factors
Common Access Control Errors
Accountability
Session Management
Registration, Proofing, and Establishment of Identity
Federated Identity Management
Credential Management Systems
Single Sign-On
Just-In-Time
FEDERATED IDENTITY WITH A THIRD-PARTY SERVICE
On Premises
Cloud
Hybrid
IMPLEMENT AND MANAGE AUTHORIZATION MECHANISMS
Role-Based Access Control
Rule-Based Access Control
Mandatory Access Control
Discretionary Access Control
Attribute-Based Access Control
Risk-Based Access Control
MANAGE THE IDENTITY AND ACCESS PROVISIONING LIFECYCLE
Account Access Review
Account Usage Review
Provisioning and Deprovisioning
Role Definition
Privilege Escalation
IMPLEMENT AUTHENTICATION SYSTEMS
OpenID Connect/Open Authorization
Security Assertion Markup Language
Kerberos
Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus
SUMMARY
DOMAIN 6 Security Assessment and Testing
DESIGN AND VALIDATE ASSESSMENT, TEST, AND AUDIT STRATEGIES
Internal
Preparing for External Audits
External
Third-Party
CONDUCT SECURITY CONTROL TESTING
Vulnerability Assessment
Asset Inventory
Scanning Tool Functions and Considerations
Common Vulnerability Assessment Issues
Excessive Traffic and DoS
Alerts and Incidents
Cross-Functional Ownership
Data Integrity Pollution
Network Segmentation
Penetration Testing
Pen Test Scoping: It's Not Safe to Ignore Systems!
Pen Testing Rules
Pen Testing Phases
Phase 1: Discovery or Reconnaissance
Phase 2: Scanning and Probing
Phase 3: Exploitation
Phase 4: Post-exploitation
Phase 5: Reporting
Physical Penetration Testing
Log Reviews
Synthetic Transactions
Code Review and Testing
Misuse Case Testing
Abuse Cases
Test Coverage Analysis
Interface Testing
Breach Attack Simulations
Compliance Checks
COLLECT SECURITY PROCESS DATA
Technical Controls and Processes
Administrative Controls
Account Management
Management Review and Approval
Management Reviews for Compliance
Key Performance and Risk Indicators
Key Performance Indicators
Key Risk Indicators
Backup Verification Data
Training and Awareness
Disaster Recovery and Business Continuity
ANALYZE TEST OUTPUT AND GENERATE REPORT
Typical Audit Report Contents
Remediation
Exception Handling
Ethical Disclosure
CONDUCT OR FACILITATE SECURITY AUDITS
Designing an Audit Program
Common Audit Frameworks
Sampling
Internal Audits
External Audits
Third-Party Audits
SUMMARY
DOMAIN 7 Security Operations
UNDERSTAND AND COMPLY WITH INVESTIGATIONS
Evidence Collection and Handling
Collecting Digital Evidence
Handling Digital Evidence
Reporting and Documentation
Investigative Techniques
Digital Forensics Tools, Tactics, and Procedures
Tools
Techniques and Procedures
Forensics in the Cloud
Artifacts
Computer
Network
Mobile Devices
CONDUCT LOGGING AND MONITORING ACTIVITIES
Intrusion Detection and Prevention
False Positives—More Is Not Always Better!
Security Information and Event Management
Continuous Monitoring
Egress Monitoring
Log Management
Define Auditable Events and Thresholds
Protect Log Data
Threat Intelligence
Threat Feeds
Threat Hunting
User and Entity Behavior Analytics
PERFORM CONFIGURATION MANAGEMENT
The Two Meanings of CM
Provisioning
Hardening
Asset Inventory
Baselining
Automation
APPLY FOUNDATIONAL SECURITY OPERATIONS CONCEPTS
Need-to-Know/Least Privilege
Separation of Duties and Responsibilities
Key Signing Ceremonies During a Global Pandemic
Privileged Account Management
Job Rotation
Service-Level Agreements
APPLY RESOURCE PROTECTION
Media Management
Labeling and Marking
Handling
Media Protection Techniques
Transporting Media
Sanitization and Disposal
CONDUCT INCIDENT MANAGEMENT
Incident Management Plan
Incident Response Testing and Exercise
Third-Party Considerations
Detection
Response
Mitigation
Reporting
Internal Reporting
External Reporting
Breach Reporting
Recovery
Remediation
The Cost of a Breach
Lessons Learned
OPERATE AND MAINTAIN DETECTIVE AND PREVENTATIVE MEASURES
Firewalls
Intrusion Detection Systems and Intrusion Prevention Systems
Whitelisting/Blacklisting
Third-Party-Provided Security Services
Sandboxing
Honeypots/Honeynets
Anti-malware
Machine Learning and Artificial Intelligence Based Tools
IMPLEMENT AND SUPPORT PATCH AND VULNERABILITY MANAGEMENT
Patch Management
Vulnerability Management
UNDERSTAND AND PARTICIPATE IN CHANGE MANAGEMENT PROCESSES
IMPLEMENT RECOVERY STRATEGIES
Backup Storage Strategies
The 3-2-1 Backup Strategy
Integrity and Confidentiality of Backups
RAID
Cloud
Recovery Site Strategies
Multiple Processing Sites
System Resilience, High Availability, Quality of Service, and Fault Tolerance
IMPLEMENT DISASTER RECOVERY PROCESSES
Response
Personnel
Food and Other Needs
Communications
Assessment
Restoration
Training and Awareness
Lessons Learned
TEST DISASTER RECOVERY PLANS
Read-through/Tabletop
Walkthrough
Simulation
Parallel
Full Interruption
Monkey Business
PARTICIPATE IN BUSINESS CONTINUITY PLANNING AND EXERCISES
IMPLEMENT AND MANAGE PHYSICAL SECURITY
Perimeter Security Controls
Public Areas
Site Ingress and Egress Points
External Facilities
Internal Security Controls
Operational Facilities
High-Security Facilities
ADDRESS PERSONNEL SAFETY AND SECURITY CONCERNS
Travel
Security Training and Awareness
Emergency Management
Duress
SUMMARY
DOMAIN 8 Software Development Security
UNDERSTAND AND INTEGRATE SECURITY IN THE SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)
Development Methodologies
Software Development Lifecycle Phases
Waterfall
Agile
Agile Testing Approaches
Agile Development Methodologies
DevOps
DevSecOps
Other Methodologies
Maturity Models
Process Maturity Is No Guarantee of Success!
Common Maturity Model Components
Capability Maturity Model
Capability Maturity Model Integration
Software Assurance Maturity Model
Building Security-In Maturity Model
CMMC
Maturity Model Summary
Operation and Maintenance
Bug Fixes and SDLC Iteration
Change Management
Change Management Phases and Security Practices
Emergency Change Management
Integrated Product Team
IDENTIFY AND APPLY SECURITY CONTROLS IN SOFTWARE DEVELOPMENT ECOSYSTEMS
Programming Languages
Type Checking and Type Safe Languages
Programming Paradigms
Libraries
Toolsets
Integrated Development Environment
Runtime
Continuous Integration and Continuous Delivery
Emphasis on Testing in CI/CD Pipelines
Security Orchestration, Automation, and Response
Orchestration
Automation
Response
Software Configuration Management
Code Repositories
Protecting Source Code
Protecting the Repository
Application Security Testing
ASSESS THE EFFECTIVENESS OF SOFTWARE SECURITY
Auditing and Logging of Changes
Applications of Logging and Auditing
Software Development Auditing
Auditing CI/CD Environments
Risk Analysis and Mitigation
Risk Assessment and Treatment
Mitigation Strategies
ASSESS SECURITY IMPACT OF ACQUIRED SOFTWARE
Commercial Off-the-Shelf
Open Source
Third-Party
Managed Services (SaaS, IaaS, PaaS)
Assessing Shared Responsibilities
Audits and Assurance
DEFINE AND APPLY SECURE CODING GUIDELINES AND STANDARDS
Security Weaknesses and Vulnerabilities at the Source-Code Level
Common Weakness Enumeration
Common Weakness Scoring System
Common Vulnerabilities and Exposures
Common Vulnerability Scoring System
OWASP Top 10
Software Composition Analysis
Security of Application Programming Interfaces
API Security Best Practices
Authentication and Access Control
Input Validation and Sanitization
Protection of Resources
Protecting Communications
Cryptography
Security Logging, Monitoring, and Alerting
Security Testing APIs
Secure Coding Practices
Standards for Secure Software Development
Education and Culture
Software-Defined Security
SUMMARY
Index
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
Sixth Edition
ARTHUR DEANE
.....
Consider this example of an investigation: The IT department contacts the security office to make a report of an employee misusing the organization's internet connection to engage in unauthorized file sharing, in direct violation of the organization's policy. The security office makes the situation known to management; management instructs the IT and security departments to gather information about the user's online activity. Personnel in the IT and security departments work together to gather log data about the user's account and machine, and they present this information to management. Management consults with the legal and human resources departments to evaluate courses of action. Management decides to terminate the employee.
This is strictly an administrative investigation.
.....