CISSP For Dummies
Table of Contents
Peter H. Gregory. CISSP For Dummies
CISSP® For Dummies®
To view this book's Cheat Sheet, simply go to www.dummies.com and search for “CISSP For Dummies Cheat Sheet” in the Search box.
Table of Contents
List of Tables
List of Illustrations
Guide
Pages
Introduction
About This Book
Foolish Assumptions
Icons Used in This Book
Beyond the Book
Where to Go from Here
Getting Started with CISSP Certification
(ISC)2 and the CISSP Certification
About (ISC)2 and the CISSP Certification
You Must Be This Tall to Ride This Ride (And Other Requirements)
Preparing for the Exam
Studying on your own
Getting hands-on experience
Getting official (ISC)2 CISSP training
Attending other training courses or study groups
Taking practice exams
Are you ready for the exam?
Registering for the Exam
About the CISSP Examination
After the Examination
Putting Your Certification to Good Use
Networking with Other Security Professionals
THE POWER OF ONLINE BUSINESS NETWORKING
Being an Active (ISC)2 Member
Considering (ISC)2 Volunteer Opportunities
Writing certification exam questions
Speaking at events
Helping at (ISC)2 conferences
Reading and contributing to (ISC)2 publications
Supporting the (ISC)2 Center for Cyber Safety and Education
Participating in bug-bounty programs
Participating in (ISC)2 focus groups
Joining the (ISC)2 community
Getting involved with a CISSP study group
Helping others learn more about data security
Becoming an Active Member of Your Local Security Chapter
Spreading the Good Word about CISSP Certification
Leading by example
Using Your CISSP Certification to Be an Agent of Change
Earning Other Certifications
Other (ISC)2 certifications
CISSP concentrations
Non-(ISC)2 certifications
Nontechnical/nonvendor certifications
Technical/vendor certifications
Choosing the right certifications
Finding a mentor, being a mentor
Building your professional brand
Pursuing Security Excellence
Certification Domains
Security and Risk Management
Understand, Adhere to, and Promote Professional Ethics
(ISC)2 Code of Professional Ethics
Organizational code of ethics
Internet Architecture Board: Ethics and the Internet (RFC 1087)
Ten Commandments of Computer Ethics
Understand and Apply Security Concepts
Confidentiality
Integrity
Availability
Authenticity
Nonrepudiation
Evaluate and Apply Security Governance Principles
Alignment of security function to business strategy, goals, mission, and objectives
Mission (not-so-impossible) and strategy
Goals and objectives
Organizational processes
Acquisitions and divestitures
Governance committees and executive oversight
Organizational roles and responsibilities
Management
Users
Security control frameworks
Due care and due diligence
Determine Compliance and Other Requirements
Contractual, legal, industry standards, and regulatory requirements
Contractual
Common law
Criminal law
CRIMINAL PENALTIES
BURDEN OF PROOF UNDER CRIMINAL LAW
CLASSIFICATIONS OF CRIMINAL LAW
Civil law
CIVIL PENALTIES
BURDEN OF PROOF UNDER CIVIL LAW
LIABILITY AND DUE CARE
LAWYERSPEAK
International law
Administrative law
Industry standards
Privacy requirements
Understand Legal and Regulatory Issues That Pertain to Information Security
Cybercrimes and data breaches
U.S. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030 (as amended)
U.S. Electronic Communications Privacy Act (ECPA) of 1986
U.S. Computer Security Act of 1987
U.S. Communications Assistance for Law Enforcement Act of 1994
U.S. Federal Sentencing Guidelines of 1991
U.S. Economic Espionage Act of 1996
U.S. Child Pornography Prevention Act of 1996
USA PATRIOT Act of 2001
U.S. Sarbanes-Oxley Act of 2002 (SOX)
U.S. Homeland Security Act of 2002
U.S. Federal Information Security Modernization Act (FISMA) of 2014
U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003
U.S. Identity Theft and Assumption Deterrence Act of 2003
Safe Harbor (1998)
U.S. Intelligence Reform and Terrorism Prevention Act of 2004
California Security Breach Information Act
The Council of Europe’s Convention on Cybercrime (2001)
The Computer Misuse Act of 1990 (UK)
Privacy and Electronic Communications Regulations of 2003 (UK)
Information Technology Act 2000 (India)
Cybercrime Act of 2001 (Australia)
General Data Protection Regulation (GDPR)
Payment Card Industry Data Security Standard (PCI DSS)
Licensing and intellectual property requirements
Patents
Trademarks
Copyrights
Trade secrets
Import/export controls
Transborder data flow
Privacy
U.S. Federal Privacy Act of 1974, 5 U.S.C. § 552A
U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996, PL 104–191
U.S. Children’s Online Privacy Protection Act (COPPA) of 1998
U.S. Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) of 1999, PL 106-102
U.S. Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009
California Consumer Privacy Act of 2018 (CCPA)
California Privacy Rights Act of 2020 (CPRA)
UK Data Protection Act of 1998
European Union General Data Protection Regulation (GDPR)
Understand Requirements for Investigation Types
Develop, Document, and Implement Security Policies, Standards, Procedures, and Guidelines
Policies
Standards (and baselines)
Procedures
Guidelines
Identify, Analyze, and Prioritize Business Continuity (BC) Requirements
BUSINESS CONTINUITY AND DISASTER RECOVERY: A SIMPLE ILLUSTRATION
COOPERATION IS THE KEY
Business impact analysis
Assessing vulnerability
Assessing criticality
Identifying key players
REMEMBERING PAYROLL
Establishing maximum tolerable downtime
Determining maximum tolerable outage
Establishing recovery targets
HOW BAD DOES IT HAVE TO BE?
RECOVERY TIME OBJECTIVE
RECOVERY POINT OBJECTIVE
HOW RTO AND RPO WORK TOGETHER
Defining resource requirements
Develop and document the scope and the plan
Emergency response
Damage assessment
Salvage
Personnel safety
Personnel notification
Backups and media storage
THE END OF MAGNETIC TAPE?
Software escrow agreements
External communications
WHO SAYS EXTERNAL AFFAIRS IS NONESSENTIAL?
Utilities
Logistics and supplies
Fire and water protection
Documentation
Data processing continuity planning
Making your business continuity planning project a success
Simplifying large or complex critical functions
GETTING AMAZING THINGS DONE
Documenting the strategy
Implementing the plan
WHY HIRE AN EXPERT?
SECURING SENIOR MANAGEMENT APPROVAL
PROMOTING ORGANIZATIONAL AWARENESS
TESTING THE PLAN
MAINTAINING THE PLAN
Contribute to and Enforce Personnel Security Policies and Procedures
Candidate screening and hiring
Employment agreements and policies
Onboarding, transfers, and termination processes
Vendor, consultant, and contractor agreements and controls
Compliance policy requirements
Privacy policy requirements
Understand and Apply Risk Management Concepts
Identify threats and vulnerabilities
Risk assessment/analysis
Risk assessment
ASSET VALUATION
THREAT ANALYSIS
VULNERABILITY ASSESSMENT
Risk analysis
QUALITATIVE RISK ANALYSIS
QUANTITATIVE RISK ANALYSIS
HYBRID RISK ANALYSIS
Risk appetite and risk tolerance
Risk treatment
Countermeasure selection and implementation
Cost-effectiveness
Legal liability
Operational impact
Technical factors
Applicable types of controls
Control assessments (security and privacy)
Control assessment approach
Control assessment methodology
CONTROL ASSESSMENT TECHNIQUES
SAMPLING TECHNIQUES
REPORTING
Monitoring and measurement
Reporting
Continuous improvement
Risk frameworks
Risk assessment frameworks
Risk management frameworks
Understand and Apply Threat Modeling Concepts and Methodologies
Identifying threats
Determining and diagramming potential attacks
Performing reduction analysis
Remediating threats
IT HAS TO BE PASTA
Apply Supply Chain Risk Management (SCRM) Concepts
Risks associated with hardware, software, and services
Third-party assessment and monitoring
Fourth-party risk
Minimum security requirements
Service-level agreement requirements
Establish and Maintain a Security Awareness, Education, and Training Program
Methods and techniques to present awareness and training
Awareness
Training
Education
Periodic content reviews
Program effectiveness evaluation
Asset Security
Identify and Classify Information and Assets
Data classification
Commercial data classification
Government data classification
Data handling
Asset classification
Establish Information and Asset Handling Requirements
DETERMINING APPROPRIATE HANDLING REQUIREMENTS
Provision Resources Securely
Information and asset ownership
Asset inventory
Asset management
Manage Data Life Cycle
Data roles
Data collection
Data location
Data maintenance
Data retention
Data remanence
Data destruction
Ensure Appropriate Asset Retention
End of life
End of support
Determine Data Security Controls and Compliance Requirements
Data states
Scoping and tailoring
Standards selection
Data protection methods
Digital rights management (DRM)
Data loss prevention (DLP)
Cloud access security broker (CASB)
Cryptography
Access controls
Privacy controls
Security Architecture and Engineering
Research, Implement, and Manage Engineering Processes Using Secure Design Principles
Threat modeling
Identifying threats
Determining and diagramming potential attacks
Performing reduction analysis
Remediating threats
IT HAS TO BE PASTA
Least privilege (and need to know)
Defense in depth
Secure defaults
Fail securely
Separation of duties
Keep it simple
Zero trust
SIMPLICITY IS IN THE EYE OF THE BEHOLDER
Privacy by design
Trust but verify
SYSTEM HARDENING
Shared responsibility
Understand the Fundamental Concepts of Security Models
Biba
Bell-LaPadula
Access Matrix
Discretionary Access Control
Mandatory Access Control
Take-Grant
Clark-Wilson
Information Flow
Noninterference
Select Controls Based Upon Systems Security Requirements
Evaluation criteria
Trusted Computer System Evaluation Criteria
Trusted Network Interpretation
European Information Technology Security Evaluation Criteria
Common Criteria
System certification and accreditation
DITSCAP
NIACAP
FedRAMP
CMMC
DCID 6/3
Understand Security Capabilities of Information Systems
Trusted Computing Base
Trusted Platform Module
Secure modes of operation
Open and closed systems
Memory protection
Encryption and decryption
Protection rings
Security modes
Recovery procedures
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
Client-based systems
Server-based systems
Database systems
Cryptographic systems
Industrial control systems
Cloud-based systems
Distributed systems
Internet of Things
Microservices
Containerization
Serverless
Embedded systems
High-performance computing systems
Edge computing systems
Virtualized systems
Web-based systems
Mobile systems
Select and Determine Cryptographic Solutions
THE SCIENCE OF CRYPTO
Plaintext and ciphertext
Encryption and decryption
End-to-end encryption
Link encryption
Putting it all together: The cryptosystem
Classes of ciphers
Block ciphers
A DISPOSABLE CIPHER: THE ONE-TIME PAD
Stream ciphers
Types of ciphers
Substitution ciphers
Transposition
CRYPTOGRAPHY ALTERNATIVES
Cryptographic life cycle
Cryptographic methods
Symmetric
DATA ENCRYPTION STANDARD
TRIPLE DES
ADVANCED ENCRYPTION STANDARD
BLOWFISH AND TWOFISH
RIVEST CIPHERS
IDEA CIPHER
Asymmetric
RSA
DIFFIE-HELLMAN KEY EXCHANGE
EL GAMAL
MERKLE-HELLMAN (TRAPDOOR) KNAPSACK
ELLIPTIC CURVE
QUANTUM COMPUTING
Public key infrastructure
Key management practices
KEY ESCROW AND KEY RECOVERY
Digital signatures and digital certificates
Nonrepudiation
Integrity (hashing)
MD
SHA
HMAC
Understand Methods of Cryptanalytic Attacks
WORK FACTOR: FORCE × EFFORT = WORK
Brute force
Ciphertext only
Known plaintext
Frequency analysis
Chosen ciphertext
Implementation attacks
Side channel
Fault injection
Timing
Man in the middle
Pass the hash
Kerberos exploitation
Ransomware
Apply Security Principles to Site and Facility Design
Design Site and Facility Security Controls
Wiring closets, server rooms, and more
Restricted and work area security
Utilities and heating, ventilation, and air conditioning
Environmental issues
Fire prevention, detection, and suppression
Power
Communication and Network Security
Assess and Implement Secure Design Principles in Network Architectures
OSI and TCP/IP models
The OSI Reference Model
Application Layer (Layer 7)
CONTENT DISTRIBUTION NETWORKS
Presentation Layer (Layer 6)
Session Layer (Layer 5)
Transport Layer (Layer 4)
Network Layer (Layer 3)
ROUTING PROTOCOLS
ROUTED PROTOCOLS
IMPLICATIONS OF MULTILAYER PROTOCOLS
CONVERGED PROTOCOLS
SOFTWARE-DEFINED NETWORKS
IPSEC
OTHER NETWORK LAYER PROTOCOLS
NETWORKING EQUIPMENT AT THE NETWORK LAYER
Data Link Layer (Layer 2)
LAN PROTOCOLS AND TRANSMISSION METHODS
WIRELESS NETWORKS
SATELLITE NETWORKS
CELLULAR NETWORKS
WAN TECHNOLOGIES AND PROTOCOLS
ASYNCHRONOUS AND SYNCHRONOUS COMMUNICATIONS
NETWORKING EQUIPMENT AT THE DATA LINK LAYER
Physical Layer (Layer 1)
NETWORK TOPOLOGIES
CABLE AND CONNECTOR TYPES
ANALOG AND DIGITAL SIGNALING
INTERFACE TYPES
NETWORKING EQUIPMENT
The TCP/IP Model
Secure Network Components
Operation of hardware
Transmission media
Protecting wired networks
Protecting Wi-Fi networks
Network access control devices
Firewalls and firewall types
PACKET-FILTERING
CIRCUIT-LEVEL GATEWAY
APPLICATION-LEVEL GATEWAY
WEB APPLICATION FIREWALL
NEXT-GENERATION FIREWALLS AND UNIFIED THREAT MANAGEMENT DEVICES
Firewall architectures
SCREENING ROUTER
DUAL-HOMED GATEWAYS
SCREENED-HOST GATEWAYS
SCREENED SUBNET
MICROSEGMENTATION
Intrusion detection and prevention systems
ACTIVE AND PASSIVE IDS
NETWORK-BASED AND HOST-BASED IDS
KNOWLEDGE-BASED AND BEHAVIOR-BASED IDS
Web content filters
Data loss prevention
Cloud access security brokers
Endpoint security
Implement Secure Communication Channels According to Design
Voice
Multimedia collaboration
Remote access
Remote access security methods
Remote access security
POINT-TO-POINT TUNNELING PROTOCOL
LAYER 2 FORWARDING PROTOCOL
LAYER 2 TUNNELING PROTOCOL
SECURE SOCKETS LAYER/TRANSPORT LAYER SECURITY
Data communications
Virtualized networks
Third-party connectivity
Identity and Access Management
Control Physical and Logical Access to Assets
Information
Systems and devices
DEVICE SECURITY AND LIFE SAFETY
Facilities
Applications
Manage Identification and Authentication of People, Devices, and Services
Identity management implementation
Single-/multifactor authentication
Single-factor authentication
PASSWORDS AND PASSPHRASES
ONE-TIME PASSWORDS
PERSONAL IDENTIFICATION NUMBERS
Multifactor authentication
TOKENS
SMARTPHONE / SMS PASSWORDS
DIGITAL CERTIFICATES
BIOMETRICS
Accountability
Session management
Registration, proofing, and establishment of identity
Federated identity management
Credential management systems
Single sign-on
Just-in-Time
Federated Identity with a Third-Party Service
On-premises
Cloud
Hybrid
Implement and Manage Authorization Mechanisms
Role-based access control
Rule-based access control
Mandatory access control
Discretionary access control
Attribute-based access control
Risk-based access control
Manage the Identity and Access Provisioning Life Cycle
Implement Authentication Systems
OpenID Connect/Open Authorization
Security Assertion Markup Language
Kerberos
RADIUS and TACACS+
Security Assessment and Testing
Design and Validate Assessment, Test, and Audit Strategies
Conduct Security Control Testing
Vulnerability assessment
Port scanning
Vulnerability scans
Unauthenticated and authenticated scans
Vulnerability scan reports
Penetration testing
Network penetration testing
THE COMMON VULNERABILITY SCORING SYSTEM
PACKET SNIFFING ISN’T ALL BAD
Application penetration testing
Physical penetration testing
GET OUT OF JAIL FREE
Social engineering
PHISHING AND ITS VARIANTS
Log reviews
Synthetic transactions
NOBODY REVIEWS LOGS ANYMORE
Code review and testing
Misuse case testing
WHY WOULD SOMEONE TYPE THAT?
Test coverage analysis
Interface testing
Breach attack simulations
Compliance checks
Collect Security Process Data
Account management
Management review and approval
Key performance and risk indicators
Backup verification data
Training and awareness
Disaster recovery and business continuity
Analyze Test Output and Generate Reports
Remediation
Exception handling
Ethical disclosure
Conduct or Facilitate Security Audits
Security Operations
Understand and Comply with Investigations
Evidence collection and handling
Types of evidence
Rules of evidence
BEST EVIDENCE RULE
HEARSAY RULE
Admissibility of evidence
Chain of custody and the evidence life cycle
COLLECTION AND IDENTIFICATION
ANALYSIS
STORAGE, PRESERVATION, AND TRANSPORTATION
PRESENTATION IN COURT
FINAL DISPOSITION
Reporting and documentation
Investigative techniques
Digital forensics tools, tactics, and procedures
Artifacts
Conduct Logging and Monitoring Activities
Intrusion detection and prevention
Security information and event management
Security orchestration, automation, and response
Continuous monitoring
Egress monitoring
Log management
Threat intelligence
User and entity behavior analysis
Perform Configuration Management
Apply Foundational Security Operations Concepts
Need-to-know and least privilege
Separation of duties and responsibilities
Privileged account management
MONITORING (EVERYBODY'S SPECIAL!)
Job rotation
MANDATORY AND PERMANENT VACATIONS: JOB ROTATIONS OF A DIFFERENT SORT
Service-level agreements
HOW MANY NINES?
Apply Resource Protection
Media management
Media protection techniques
Conduct Incident Management
Operate and Maintain Detective and Preventative Measures
Implement and Support Patch and Vulnerability Management
Understand and Participate in Change Management Processes
Implement Recovery Strategies
Backup storage strategies
Recovery site strategies
Multiple processing sites
System resilience, high availability, quality of service, and fault tolerance
HOW VIRTUALIZATION MAKES HIGH AVAILABILITY A REALITY
Implement Disaster Recovery Processes
DISASTER RECOVERY PLANNING AND TERRORIST ATTACKS
PLANNING FOR PANDEMICS
Response
Salvage
Recovery
Financial readiness
Personnel
Communications
Assessment
Restoration
Training and awareness
Lessons learned
Test Disaster Recovery Plans
Read-through or tabletop
Walkthrough
Simulation
Parallel
Full interruption (or cutover)
Participate in Business Continuity Planning and Exercises
Implement and Manage Physical Security
Address Personnel Safety and Security Concerns
Software Development Security
Understand and Integrate Security in the Software Development Life Cycle
Development methodologies
Agile
Waterfall
DevOps
CIS SYSTEM AND DEVICE HARDENING STANDARDS
DevSecOps
Maturity models
Operation and maintenance
Change management
CSSLP CERTIFICATION
Integrated product team
Identify and Apply Security Controls in Software Development Ecosystems
KEEP DEVELOPERS OUT OF PRODUCTION ENVIRONMENTS
Programming languages
Libraries
Tool sets
Integrated development environment
Runtime
Continuous integration/continuous delivery
Security orchestration, automation, and response
Software configuration management
Code repositories
Application security testing
Code reviews
Static application security testing
Dynamic application security testing
CODING STANDARDS
Assess the Effectiveness of Software Security
Auditing and logging of changes
Risk analysis and mitigation
Assess Security Impact of Acquired Software
Define and Apply Secure Coding Guidelines and Standards
Security weaknesses and vulnerabilities at the source-code level
Security of application programming interfaces
Secure coding practices
OPEN WEB APPLICATION SECURITY PROJECT
Software-defined security
The Part of Tens
Ten Ways to Prepare for the Exam
Know Your Learning Style
Get a Networking Certification First
Register Now
Make a 60-Day Study Plan
Get Organized and Read
Join a Study Group
Take Practice Exams
Take a CISSP Training Seminar
Adopt an Exam-Taking Strategy
Take a Breather
Ten Test-Day Tips
Get a Good Night’s Rest
Dress Comfortably
Eat a Good Meal
Arrive Early
Bring Approved Identification
Bring Snacks and Drinks
Bring Prescription and Over-the-Counter Medications
Leave Your Mobile Devices Behind
Take Frequent Breaks
Guess — As a Last Resort
Glossary
Index
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
About the Authors
Dedication
Authors' Acknowledgments
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
Since 1994, security practitioners around the world have been pursuing a well-known and highly regarded professional credential: the Certified Information Systems Security Professional (CISSP) certification. And since 2001, CISSP For Dummies has been helping security practitioners enhance their security knowledge and earn the coveted CISSP certification.
Today, there are approximately 140,000 CISSPs worldwide. Ironically, some skeptics might argue that the CISSP certification is becoming less relevant because so many people have earned it. But the CISSP certification isn’t less relevant because more people are attaining it; more people are attaining it because it’s more relevant now than ever. Information security is far more important than at any time in the past, with extremely large-scale data security breaches and highly sophisticated cyberattacks becoming all too frequent occurrences in our modern era.
.....
Taking practice exams is a great way to get familiar with the types of questions and topics you’ll need to be familiar with for the CISSP exam. Be sure to take advantage of the online practice exam questions that are included with this book. (See the introduction for more information.) Although the practice exams don’t simulate the adaptive testing experience, you can simulate a worst-case scenario by configuring the test engine to administer 150 questions (the maximum number you might see on the CISSP exam) with a time limit of 3 hours (the maximum amount of time you’ll have to complete the CISSP exam). Learn more about computer-adaptive testing for the CISSP exam in the “About the CISSP Examination” section later in this chapter and on the (ISC)2 website at https://isc2.org/Certifications/CISSP/CISSP-CAT.
To study for the CISSP exam successfully, you need to know your most effective learning styles. Boot camps are best for some people, for example, whereas others learn better over longer periods. Furthermore, some people get more value from group discussions, whereas reading alone works better for others. Know thyself, and use what works best for you.
.....