Fluent Essays

Course: Emerging Threats and Countermeasures This discussion topic is to be  reflective and will be using your own words and not a compilation of  direct citations from other papers or sources. You can use citations in  your posts, but this discussion exercise should be about what you have  learned through your viewpoint and not a re-hash of any particular  article, topic, or the book.  Items to include in the initial thread:  “Interesting Assignments” - What were some of the more interesting assignments to you?  “Interesting Readings” - What reading or readings did you find the most interesting and why? “Interesting Readings” “Perspective” - How has this course changed your perspective?  “Course Feedback” - What topics or activities would you add to the course, or should we focus on some areas more than others? ================================================ Completed Assignments in this Course Week 1 Discussion = describe and discuss ways, if any, we can safely share security data. Are there precautions we can take, technical solutions we can use, e.g., like using the CIA triad, or should we just not share these kinds of data? Feel free to argue for and against, just make sure to back up your statements with scholarly support. ================================================ Week 2 Discussion = Internet-related crime occurs every minute. Cybercriminals steal millions of dollars with near impunity. For everyone that is captured nearly 10,000 or not captured. For every one successful prosecuted in a court of law, 100 get off without punishment or with a warning. Why is it so difficult to prosecute cybercriminals? Research Paper = Contingency Planning ================================================ Week 3 Discussion = Malicious individuals have discovered several methods to attack and defeat cryptosystems. Its important that understand the threats posed by cryptographic attacks to minimize the risks to your network systems. Research Paper = Threat Modeling = A new medium-sized health care facility just opened and you are hired as the CIO. The CEO is somewhat technical and has tasked you with creating a threat model. The CEO needs to decide from 3 selected models but needs your recommendation. Review this week’s readings, conduct your own research, then choose a model to recommend with proper justifications. Items to include (at a minimum) are: ================================================ Week 4 Discussion = Many business environments have both visible and invisible physical security controls. You see them at the post office, at the corner store, and in certain areas of your own computing environment. They are so pervasive that some people choose where they live based on their presence, as in gated access communities or secure apartment complexes. Alison is a security analyst for a major technology corporation that specializes in data management. This company includes an in house security staff (guards, administrators, and so on) that is capable of handling physical security breaches. Brad experienced an intrusion—into his personal vehicle in the company parking lot. He asks Alison whether she observed or recorded anyone breaking into and entering his vehicle, but this is a personal item and not a company possession, and she has no control or regulation over damage to employee assets. This is understandably unnerving for Brad, but he understands that she’s protecting the business and not his belongings. Research Paper = For this assignment, review the article: Abomhara, M., & Koien, G.M. (2015). Cyber security and the internet of things: Vulnerabilities, threats, intruders, and attacks. Journal of Cyber Security, 4, 65-88. Doi: 10.13052/jcsm2245-1439.414 and evaluate it in 3 pages (800 words), using your own words, by addressing the following: What did the authors investigate, and in general how did they do so? Identify the hypothesis or question being tested Summarize the overall article. Identify the conclusions of the authors Indicate whether or not you think the data support their conclusions/hypothesis Consider alternative explanations for the results Provide any additional comments pertaining to other approaches to testing their hypothesis (logical follow-up studies to build on, confirm or refute the conclusions) The relevance or importance of the study The appropriateness of the experimental design ================================================ Week 5 Discussion = What are the various technologies employed by wireless devices to maximize their use of the available radio frequencies Also discuss methods used to secure 802.11 wireless networking in your initial thread. Research Paper = Considering the importance of data in organization, it is absolutely essential to secure the data present in the database. What are the strategic and technical security measures for good database security? Be sure to discuss at least one security model to properly develop databases for organizational security. Create a diagram of a security model for your research paper. ================================================ Week 6 Discussion = There are a variety of ways that a cyber-attack can cause economic damage. In many cases, attackers try to “penetrate” systems in order to steal technology or other sensitive information. When do you think an attack can be classified as cyber terrorism? Research Paper = Penetration testing is a simulated cyberattack against a computer or network that checks for exploitable vulnerabilities. Pen tests can involve attempting to breach application systems, APIs, servers, inputs, and code injection attacks to reveal vulnerabilities. In a well-written, highly-detailed research paper, discuss the following: What is penetration testing, Testing Stages,  Testing Methods, Testing, web applications and firewalls. ================================================ Week 7 Discussion = Web server auditing can go a long way in enforcing tighter security and ensuring business continuity. The power of log data is tremendous. Web server logs record valuable information pertaining to usage, errors, and other important security events. Using a specialized auditing tool can be extremely helpful during the audit of web servers. In your discussion this week, please discuss the methods of identifying weak web server configurations and how to mitigate them for a secure web server. Possible concepts to include are SSL certificates, HTTPS usage, attack surface, SQL injection, vulnerability migration, and least privilege. In at least one of your peer responses, provide an overview of how to audit the web server’s security and implement best practices. Research Paper = Develop a disaster recovery plan for an organization. There are many different templates available online for you to use as reference and guidance. Your plan should cover the following sections (these sections detail the elements in a DR plan in the sequence defined by industry compliance standards ISO 27031 and ISO 24762): ====================================================== ====================================================== Textbook attached for reference. (ISC)2 CISSP® Certified Information Systems Security Professional Official Study Guide Eighth Edition Mike Chapple James Michael Stewart Darril Gibson Development Editor: Kelly Talbot Technical Editors: Jeff Parker, Bob Sipes, and David Seidl Copy Editor: Kim Wimpsett Editorial Manager: Pete Gaughan Production Manager: Kathleen Wisor Executive Editor: Jim Minatel Proofreader: Amy Schneider Indexer: Johnna VanHoose Dinse Project Coordinator, Cover: Brent Savage Cover Designer: Wiley Cover Image: @Jeremy Woodhouse/Getty Images, Inc. Copyright © 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-1-119-47593-4 ISBN: 978-1-119-47595-8 (ebk.) ISBN: 978-1-119-47587-3 (ebk.) Manufactured in the United States of America No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the http://www.wiley.com/go/permissions U.S. at (317) 572-3993 or fax (317) 572-4002. Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com. Library of Congress Control Number: 2018933561 TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISSP is a registered trademark of (ISC)², Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book. http://booksupport.wiley.com http://www.wiley.com To Dewitt Latimer, my mentor, friend, and colleague. I miss you dearly. —Mike Chapple To Cathy, your perspective on the world and life often surprises me, challenges me, and makes me love you even more. —James Michael Stewart To Nimfa, thanks for sharing your life with me for the past 26 years and letting me share mine with you. —Darril Gibson Dear Future (ISC)2 Member, Congratulations on starting your journey to CISSP® certification. Earning your CISSP is an exciting and rewarding milestone in your cybersecurity career. Not only does it demonstrate your ability to develop and manage nearly all aspects of an organization’s cybersecurity operations, but you also signal to employers your commitment to life-long learning and taking an active role in fulfilling the (ISC)² vision of inspiring a safe and secure cyber world. The material in this study guide is based upon the (ISC)² CISSP Common Body of Knowledge. It will help you prepare for the exam that will assess your competency in the following eight domains: Security and Risk Management Asset Security Security Architecture and Engineering Communication and Network Security Identity and Access Management (IAM) Security Assessment and Testing Security Operations Software Development Security While this study guide will help you prepare, passing the CISSP exam depends on your mastery of the domains combined with your ability to apply those concepts using your real-world experience. I wish you the best of luck as you continue on your path to become a CISSP and certified member of (ISC)2. Sincerely, David Shearer, CISSP CEO (ISC)2 Acknowledgments We’d like to express our thanks to Sybex for continuing to support this project. Extra thanks to the eighth edition developmental editor, Kelly Talbot, and technical editors, Jeff Parker, Bob Sipes, and David Seidl, who performed amazing feats in guiding us to improve this book. Thanks as well to our agent, Carole Jelen, for continuing to assist in nailing down these projects. —Mike, James, and Darril Special thanks go to the information security team at the University of Notre Dame, who provided hours of interesting conversation and debate on security issues that inspired and informed much of the material in this book. I would like to thank the team at Wiley who provided invaluable assistance throughout the book development process. I also owe a debt of gratitude to my literary agent, Carole Jelen of Waterside Productions. My coauthors, James Michael Stewart and Darril Gibson, were great collaborators. Jeff Parker, Bob Sipes, and David Seidl, our diligent and knowledgeable technical editors, provided valuable in- sight as we brought this edition to press. I’d also like to thank the many people who participated in the production of this book but whom I never had the chance to meet: the graphics team, the production staff, and all of those involved in bringing this book to press. —Mike Chapple Thanks to Mike Chapple and Darril Gibson for continuing to contribute to this project. Thanks also to all my CISSP course students who have provided their insight and input to improve my training courseware and ultimately this tome. To my adoring wife, Cathy: Building a life and a family together has been more wonderful than I could have ever imagined. To Slayde and Remi: You are growing up so fast and learning at an outstanding pace, and you continue to delight and impress me daily. You are both growing into amazing individuals. To my mom, Johnnie: It is wonderful to have you close by. To Mark: No matter how much time has passed or how little we see each other, I have been and always will be your friend. And finally, as always, to Elvis: You were way ahead of the current bacon obsession with your peanut butter/banana/bacon sandwich; I think that’s proof you traveled through time! —James Michael Stewart Thanks to Jim Minatel and Carole Jelen for helping get this update in place before (ISC)2 released the objectives. This helped us get a head start on this new edition, and we appreciate your efforts. It’s been a pleasure working with talented people like James Michael Stewart and Mike Chapple. Thanks to both of you for all your work and collaborative efforts on this project. The technical editors, Jeff Parker, Bob Sipes, and David Seidl, provided us with some outstanding feedback, and this book is better because of their efforts. Thanks to the team at Sybex (including project managers, editors, and graphics artists) for all the work you did helping us get this book to print. Last, thanks to my wife, Nimfa, for putting up with my odd hours as I worked on this book. —Darril Gibson About the Authors Mike Chapple, CISSP, PhD, Security+, CISA, CySA+, is an associate teaching professor of IT, analytics, and operations at the University of Notre Dame. In the past, he was chief information officer of Brand Institute and an information security researcher with the National Security Agency and the U.S. Air Force. His primary areas of expertise include network intrusion detection and access controls. Mike is a frequent contributor to TechTarget’s SearchSecurity site and the author of more than 25 books including the companion book to this study guide: CISSP Official (ISC)2 Practice Tests, the CompTIA CSA+ Study Guide, and Cyberwarfare: Information Operations in a Connected World. Mike offers study groups for the CISSP, SSCP, Security+, and CSA+ certifications on his website at www.certmike.com. James Michael Stewart, CISSP, CEH, ECSA, CHFI, Security+, Network+, has been writing and training for more than 20 years, with a current focus on security. He has been teaching CISSP training courses since 2002, not to mention other courses on Internet security and ethical hacking/penetration testing. He is the author of and contributor to more than 75 books and numerous courseware sets on security certification, Microsoft topics, and network administration, including the Security+ (SY0-501) Review Guide. More information about Michael can be found at his website at www.impactonline.com. Darril Gibson, CISSP, Security+, CASP, is the CEO of YCDA (short for You Can Do Anything), and he has authored or coauthored more than 40 books. Darril regularly writes, consults, and teaches on a wide variety of technical and security topics and holds several certifications. He regularly posts blog articles at http://blogs.getcertifiedgetahead.com/ about certification topics and uses that site to help people stay abreast of changes in certification exams. He loves hearing from readers, especially when they pass an exam after using one of his books, and you can contact him through the blogging site. http://www.certmike.com http://www.impactonline.com http://blogs.getcertifiedgetahead.com/ About the Technical Editors Jeff T. Parker, CISSP, is a technical editor and reviewer across many focuses of information security. Jeff regularly contributes to books, adding experience and practical know-how where needed. Jeff’s experience comes from 10 years of consulting with Hewlett-Packard in Boston and from 4 years with Deutsche-Post in Prague, Czech Republic. Now residing in Canada, Jeff teaches his and other middle- school kids about building (and destroying) a home lab. He recently coauthored Wireshark for Security Professionals and is now authoring CySA+ Practice Exams. Keep learning! Bob Sipes, CISSP, is an enterprise security architect and account security officer at DXC Technology providing tactical and strategic leadership for DXC clients. He holds several certifications, is actively involved in security organizations including ISSA and Infragard, and is an experienced public speaker on topics including cybersecurity, communications, and leadership. In his spare time, Bob is an avid antiquarian book collector with an extensive library of 19th and early 20th century boys’ literature. You can follow Bob on Twitter at @bobsipes. David Seidl, CISSP, is the senior director for Campus Technology Services at the University of Notre Dame, where he has also taught cybersecurity and networking in the Mendoza College of Business. David has written multiple books on cybersecurity certification and cyberwarfare, and he has served as the technical editor for the sixth, seventh, and eighth editions of CISSP Study Guide. David holds a master’s degree in information security and a bachelor’s degree in communication technology from Eastern Michigan University, as well as CISSP, GPEN, GCIH, and CySA+ certifications. Contents Introduction Overview of the CISSP Exam Notes on This Book’s Organization Assessment Test Answers to Assessment Test Chapter 1 Security Governance Through Principles and Policies Understand and Apply Concepts of Confidentiality, Integrity, and Availability Evaluate and Apply Security Governance Principles Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines Understand and Apply Threat Modeling Concepts and Methodologies Apply Risk-Based Management Concepts to the Supply Chain Summary Exam Essentials Written Lab Review Questions Chapter 2 Personnel Security and Risk Management Concepts Personnel Security Policies and Procedures Security Governance Understand and Apply Risk Management Concepts Establish and Maintain a Security Awareness, Education, and Training Program Manage the Security Function Summary Exam Essentials Written Lab Review Questions Chapter 3 Business Continuity Planning Planning for Business Continuity Project Scope and Planning Business Impact Assessment Continuity Planning Plan Approval and Implementation Summary Exam Essentials Written Lab Review Questions Chapter 4 Laws, Regulations, and Compliance Categories of Laws Laws Compliance Contracting and Procurement Summary Exam Essentials Written Lab Review Questions Chapter 5 Protecting Security of Assets Identify and Classify Assets Determining Ownership Using Security Baselines Summary Exam Essentials Written Lab Review Questions Chapter 6 Cryptography and Symmetric Key Algorithms Historical Milestones in Cryptography Cryptographic Basics Modern Cryptography Symmetric Cryptography Cryptographic Lifecycle Summary Exam Essentials Written Lab Review Questions Chapter 7 PKI and Cryptographic Applications Asymmetric Cryptography Hash Functions Digital Signatures Public Key Infrastructure Asymmetric Key Management Applied Cryptography Cryptographic Attacks Summary Exam Essentials Written Lab Review Questions Chapter 8 Principles of Security Models, Design, and Capabilities Implement and Manage Engineering Processes Using Secure Design Principles Understand the Fundamental Concepts of Security Models Select Controls Based On Systems Security Requirements Understand Security Capabilities of Information Systems Summary Exam Essentials Written Lab Review Questions Chapter 9 Security Vulnerabilities, Threats, and Countermeasures Assess and Mitigate Security Vulnerabilities Client-Based Systems Server-Based Systems Database Systems Security Distributed Systems and Endpoint Security Internet of Things Industrial Control Systems Assess and Mitigate Vulnerabilities in Web-Based Systems Assess and Mitigate Vulnerabilities in Mobile Systems Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems Essential Security Protection Mechanisms Common Architecture Flaws and Security Issues Summary Exam Essentials Written Lab Review Questions Chapter 10 Physical Security Requirements Apply Security Principles to Site and Facility Design Implement Site and Facility Security Controls Implement and Manage Physical Security Summary Exam Essentials Written Lab Review Questions Chapter 11 Secure Network Architecture and Securing Network Components OSI Model TCP/IP Model Converged Protocols Wireless Networks Secure Network Components Cabling, Wireless, Topology, Communications, and Transmission Media Technology Summary Exam Essentials Written Lab Review Questions Chapter 12 Secure Communications and Network Attacks Network and Protocol Security Mechanisms Secure Voice Communications Multimedia Collaboration Manage Email Security Remote Access Security Management Virtual Private Network Virtualization Network Address Translation Switching Technologies WAN Technologies Miscellaneous Security Control Characteristics Security Boundaries Prevent or Mitigate Network Attacks Summary Exam Essentials Written Lab Review Questions Chapter 13 Managing Identity and Authentication Controlling Access to Assets Comparing Identification and Authentication Implementing Identity Management Managing the Identity and Access Provisioning Lifecycle Summary Exam Essentials Written Lab Review Questions Chapter 14 Controlling and Monitoring Access Comparing Access Control Models Understanding Access Control Attacks Summary Exam Essentials Written Lab Review Questions Chapter 15 Security Assessment and Testing Building a Security Assessment and Testing Program Performing Vulnerability Assessments Testing Your Software Implementing Security Management Processes Summary Exam Essentials Written Lab Review Questions Chapter 16 Managing Security Operations Applying Security Operations Concepts Securely Provisioning Resources Managing Configuration Managing Change Managing Patches and Reducing Vulnerabilities Summary Exam Essentials Written Lab Review Questions Chapter 17 Preventing and Responding to Incidents Managing Incident Response Implementing Detective and Preventive Measures Logging, Monitoring, and Auditing Summary Exam Essentials Written Lab Review Questions Chapter 18 Disaster Recovery Planning The Nature of Disaster Understand System Resilience and Fault Tolerance Recovery Strategy Recovery Plan Development Training, Awareness, and Documentation Testing and Maintenance Summary Exam Essentials Written Lab Review Questions Chapter 19 Investigations and Ethics Investigations Major Categories of Computer Crime Ethics Summary Exam Essentials Written Lab Review Questions Chapter 20 Software Development Security Introducing Systems Development Controls Establishing Databases and Data Warehousing Storing Data and Information Understanding Knowledge-Based Systems Summary Exam Essentials Written Lab Review Questions Chapter 21 Malicious Code and Application Attacks Malicious Code Password Attacks Application Attacks Web Application Security Reconnaissance Attacks Masquerading Attacks Summary Exam Essentials Written Lab Review Questions Appendix A Answers to Review Questions Chapter 1: Security Governance Through Principles and Policies Chapter 2: Personnel Security and Risk Management Concepts Chapter 3: Business Continuity Planning Chapter 4: Laws, Regulations, and Compliance Chapter 5: Protecting Security of Assets Chapter 6: Cryptography and Symmetric Key Algorithms Chapter 7: PKI and Cryptographic Applications Chapter 8: Principles of Security Models, Design, and Capabilities Chapter 9: Security Vulnerabilities, Threats, and Countermeasures Chapter 10: Physical Security Requirements Chapter 11: Secure Network Architecture and Securing Network Components Chapter 12: Secure Communications and Network Attacks Chapter 13: Managing Identity and Authentication Chapter 14: Controlling and Monitoring Access Chapter 15: Security Assessment and Testing Chapter 16: Managing Security Operations Chapter 17: Preventing and Responding to Incidents Chapter 18: Disaster Recovery Planning Chapter 19: Investigations and Ethics Chapter 20: Software Development Security Chapter 21: Malicious Code and Application Attacks Appendix B Answers to Written Labs Chapter 1: Security Governance Through Principles and Policies Chapter 2: Personnel Security and Risk Management Concepts Chapter 3: Business Continuity Planning Chapter 4: Laws, Regulations, and Compliance Chapter 5: Protecting Security of Assets Chapter 6: Cryptography and Symmetric Key Algorithms Chapter 7: PKI and Cryptographic Applications Chapter 8: Principles of Security Models, Design, and Capabilities Chapter 9: Security Vulnerabilities, Threats, and Countermeasures Chapter 10: Physical Security Requirements Chapter 11: Secure Network Architecture and Securing Network Components Chapter 12: Secure Communications and Network Attacks Chapter 13: Managing Identity and Authentication Chapter 14: Controlling and Monitoring Access Chapter 15: Security Assessment and Testing Chapter 16: Managing Security Operations Chapter 17: Preventing and Responding to Incidents Chapter 18: Disaster Recovery Planning Chapter 19: Investigations and Ethics Chapter 20: Software Development Security Chapter 21: Malicious Code and Application Attacks Advert EULA List of Tables Chapter 2 Table 2.1 Table 2.2 Chapter 5 Table 5.1 Table 5.2 Table 5.3 Chapter 6 Table 6.1 Table 6.2 Chapter 7 Table 7.1 Chapter 8 Table 8.1 Table 8.2 Table 8.3 Table 8.4 Chapter 9 Table 9.1 Chapter 10 Table 10.1 Table 10.2 Chapter 11 Table 11.1 Table 11.2 Table 11.3 Table 11.4 Table 11.5 Table 11.6 Table 11.7 Table 11.8 Table 11.9 Table 11.10 Table 11.11 Chapter 12 Table 12.1 Table 12.2 Table 12.3 Table 12.4 Chapter 18 Table 18.1 List of Illustrations Chapter 1 FIGURE 1.1 The CIA Triad FIGURE 1.2 The five elements of AAA services FIGURE 1.3 Strategic, tactical, and operational plan timeline comparison FIGURE 1.4 Levels of government/military classification FIGURE 1.5 Commercial business/private sector classification levels FIGURE 1.6 The comparative relationships of security policy components FIGURE 1.7 An example of diagramming to reveal threat concerns FIGURE 1.8 An example of diagramming to reveal threat concerns Chapter 2 FIGURE 2.1 An example of separation of duties related to five admin tasks and seven administrators FIGURE 2.2 An example of job rotation among management positions FIGURE 2.3 Ex-employees must return all company property FIGURE 2.4 The elements of risk FIGURE 2.5 The six major elements of quantitative risk analysis FIGURE 2.6 The categories of security controls in a defense- in-depth implementation FIGURE 2.7 The six steps of the risk management framework Chapter 3 FIGURE 3.1 Earthquake hazard map of the United States Chapter 5 FIGURE 5.1 Data classifications FIGURE 5.2 Clearing a hard drive Chapter 6 FIGURE 6.1 Challenge-response authentication protocol FIGURE 6.2 The magic door FIGURE 6.3 Symmetric key cryptography FIGURE 6.4 Asymmetric key cryptography Chapter 7 FIGURE 7.1 Asymmetric key cryptography FIGURE 7.2 Steganography tool FIGURE 7.3 Image with embedded message Chapter 8 FIGURE 8.1 The TCB, security perimeter, and reference monitor FIGURE 8.2 The Take-Grant model’s directed graph FIGURE 8.3 The Bell-LaPadula model FIGURE 8.4 The Biba model FIGURE 8.5 The Clark-Wilson model FIGURE 8.6 The levels of TCSEC Chapter 9 FIGURE 9.1 In the commonly used four-ring model, protection rings segregate the operating system into kernel, components, and drivers in rings 0 through 2 and applications and programs run at ring 3. FIGURE 9.2 The process scheduler Chapter 10 FIGURE 10.1 A typical wiring closet FIGURE 10.2 The fire triangle FIGURE 10.3 The four primary stages of fire FIGURE 10.4 A secure physical boundary with a mantrap and a turnstile Chapter 11 FIGURE 11.1 Representation of the OSI model FIGURE 11.2 Representation of OSI model encapsulation FIGURE 11.3 Representation of the OSI model peer layer logical channels FIGURE 11.4 OSI model data names FIGURE 11.5 Comparing the OSI model with the TCP/IP model FIGURE 11.6 The four layers of TCP/IP and its component protocols FIGURE 11.7 The TCP three-way handshake FIGURE 11.8 Single-, two-, and three-tier firewall deployment architectures FIGURE 11.9 A ring topology FIGURE 11.10 A linear bus topology and a tree bus topology FIGURE 11.11 A star topology FIGURE 11.12 A mesh topology Chapter 13 FIGURE 13.1 Graph of FRR and FAR errors indicating the CER point Chapter 14 FIGURE 14.1 Defense in depth with layered security FIGURE 14.2 Role Based Access Control FIGURE 14.3 A representation of the boundaries provided by lattice-based access controls FIGURE 14.4 Wireshark capture Chapter 15 FIGURE 15.1 Nmap scan of a web server run from a Linux system FIGURE 15.2 Default Apache server page running on the server scanned in Figure 15.1 FIGURE 15.3 Nmap scan of a large network run from a Mac system using the Terminal utility FIGURE 15.4 Network vulnerability scan of the same web server that was port scanned in Figure 15.1 FIGURE 15.5 Web application vulnerability scan of the same web server that was port scanned in Figure 15.1 and network vulnerability scanned in Figure 15.2. FIGURE 15.6 Scanning a database-backed application with sqlmap FIGURE 15.7 Penetration testing process FIGURE 15.8 The Metasploit automated system exploitation tool allows attackers to quickly execute common attacks against target systems. FIGURE 15.9 Fagan inspections follow a rigid formal process, with defined entry and exit criteria that must be met before transitioning between stages. FIGURE 15.10 Prefuzzing input file containing a series of 1s FIGURE 15.11 The input file from Figure 15.10 after being run through the zzuf mutation fuzzing tool Chapter 16 FIGURE 16.1 A segregation of duties control matrix FIGURE 16.2 Creating and deploying images FIGURE 16.3 Web server and database server Chapter 17 FIGURE 17.1 Incident response FIGURE 17.2 SYN flood attack FIGURE 17.3 A man-in-the-middle attack FIGURE 17.4 Intrusion prevention system FIGURE 17.5 Viewing a log entry Chapter 18 FIGURE 18.1 Flood hazard map for Miami–Dade County, Florida FIGURE 18.2 Failover cluster with network load balancing Chapter 20 FIGURE 20.1 Security vs. user-friendliness vs. functionality FIGURE 20.2 The waterfall lifecycle model FIGURE 20.3 The spiral lifecycle mode FIGURE 20.4 The IDEAL model FIGURE 20.5 Gantt chart FIGURE 20.6 The DevOps model FIGURE 20.7 Hierarchical data model FIGURE 20.8 Customers table from a relational database FIGURE 20.9 ODBC as the interface between applications and a backend database system Chapter 21 FIGURE 21.1 Social Security phishing message FIGURE 21.2 Typical database-driven website architecture kindle:embed:0007?mime=image/jpg Introduction The (ISC)2 CISSP: Certified Information Systems Security Professional Official Study Guide, Eighth Edition, offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you’ve shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam. This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam. Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary five years of full-time paid work experience (or four years if you have a college degree) in two or more of the eight domains covered by the CISSP exam. If you are qualified to take the CISSP exam according to (ISC)2, then you are sufficiently prepared to use this book to study for it. For more information on (ISC)2, see the next section. (ISC)2 also allows for a one-year reduction of the five-year experience requirement if you have earned one of the approved certifications from the (ISC)2 prerequisite pathway. These include certifications such as CAP, CISM, CISA, CCNA Security, Security+, MCSA, MCSE, and many of the GIAC certifications. For a complete list of qualifying certifications, visit https://www.isc2.org/Certifications/CISSP/Prerequisite-Pathway. Note: You can use only one of the experience reduction measures, either a college degree or a certification, not both. (ISC)2 https://www.isc2.org/Certifications/CISSP/Prerequisite-Pathway The CISSP exam is governed by the International Information Systems Security Certification Consortium (ISC)2. (ISC)2 is a global not-for- profit organization. It has four primary mission goals: Maintain the Common Body of Knowledge (CBK) for the field of information systems security. Provide certification for information systems security professionals and practitioners. Conduct certification training and administer the certification exams. Oversee the ongoing accreditation of qualified certification candidates through continued education. The (ISC)2 is operated by a board of directors elected from the ranks of its certified practitioners. (ISC)2 supports and provides a wide variety of certifications, including CISSP, SSCP, CAP, CSSLP, CCFP, HCISPP, and CCSP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. You can obtain more information about (ISC)2 and its other certifications from its website at www.isc2.org. The Certified Information Systems Security Professional (CISSP) credential is for security professionals responsible for designing and maintaining security infrastructure within an organization. Topical Domains The CISSP certification covers material from the eight topical domains. These eight domains are as follows: Security and Risk Management Asset Security Security Architecture and Engineering Communication and Network Security Identity and Access Management (IAM) …