CISSP® 7th Edition by Lawrence C. Miller, CISSP and Peter H. Gregory, CISSP
CISSP® For Dummies®, 7th Edition

Published by: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2022 by John Wiley & Sons, Inc., Hoboken, New Jersey

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc., and may not be used without written permission. CISSP is a registered certification mark of (ISC)2, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHORS HAVE USED THEIR BEST EFFORTS IN PREPARING THIS WORK, THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES, WRITTEN SALES MATERIALS OR PROMOTIONAL STATEMENTS FOR THIS WORK. THE FACT THAT AN ORGANIZATION, WEBSITE, OR PRODUCT IS REFERRED TO IN THIS WORK AS A CITATION AND/OR POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE PUBLISHER AND AUTHORS ENDORSE THE INFORMATION OR SERVICES THE ORGANIZATION, WEBSITE, OR PRODUCT MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING PROFESSIONAL SERVICES. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A SPECIALIST WHERE APPROPRIATE. FURTHER, READERS SHOULD BE AWARE THAT WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ. NEITHER THE PUBLISHER NOR AUTHORS SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit https://hub.wiley.com/community/support/dummies.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2022930207

ISBN 978-1-119-80682-0 (pbk); ISBN 978-1-119-80689-9 (ebk); ISBN 978-1-119-80690-5 (ebk)
Contents at a Glance

Introduction ... 1

Part 1: Getting Started with CISSP Certification ... 7
  CHAPTER 1: (ISC)2 and the CISSP Certification ... 9
  CHAPTER 2: Putting Your Certification to Good Use ... 23

Part 2: Certification Domains ... 43
  CHAPTER 3: Security and Risk Management ... 45
  CHAPTER 4: Asset Security ... 153
  CHAPTER 5: Security Architecture and Engineering ... 179
  CHAPTER 6: Communication and Network Security ... 275
  CHAPTER 7: Identity and Access Management ... 339
  CHAPTER 8: Security Assessment and Testing ... 379
  CHAPTER 9: Security Operations ... 407
  CHAPTER 10: Software Development Security ... 463

Part 3: The Part of Tens ... 497
  CHAPTER 11: Ten Ways to Prepare for the Exam ... 499
  CHAPTER 12: Ten Test-Day Tips ... 505

Glossary ... 509

Index ... 565
Table of Contents

INTRODUCTION ... 1
  About This Book ... 2
  Foolish Assumptions ... 3
  Icons Used in This Book ... 3
  Beyond the Book ... 4
  Where to Go from Here ... 5

PART 1: GETTING STARTED WITH CISSP CERTIFICATION ... 7

CHAPTER 1: (ISC)2 and the CISSP Certification ... 9
  About (ISC)2 and the CISSP Certification ... 9
  You Must Be This Tall to Ride This Ride (And Other Requirements) ... 10
  Preparing for the Exam ... 12
    Studying on your own ... 13
    Getting hands-on experience ... 14
    Getting official (ISC)2 CISSP training ... 14
    Attending other training courses or study groups ... 15
    Taking practice exams ... 15
    Are you ready for the exam? ... 16
  Registering for the Exam ... 16
  About the CISSP Examination ... 17
  After the Examination ... 20

CHAPTER 2: Putting Your Certification to Good Use ... 23
  Networking with Other Security Professionals ... 24
  Being an Active (ISC)2 Member ... 25
  Considering (ISC)2 Volunteer Opportunities ... 26
    Writing certification exam questions ... 27
    Speaking at events ... 27
    Helping at (ISC)2 conferences ... 27
    Reading and contributing to (ISC)2 publications ... 27
    Supporting the (ISC)2 Center for Cyber Safety and Education ... 28
    Participating in bug-bounty programs ... 28
    Participating in (ISC)2 focus groups ... 28
    Joining the (ISC)2 community ... 28
    Getting involved with a CISSP study group ... 28
    Helping others learn more about data security ... 29
  Becoming an Active Member of Your Local Security Chapter ... 30
  Spreading the Good Word about CISSP Certification ... 31
    Leading by example ... 32
  Using Your CISSP Certification to Be an Agent of Change ... 32
  Earning Other Certifications ... 33
    Other (ISC)2 certifications ... 33
    CISSP concentrations ... 34
    Non-(ISC)2 certifications ... 34
    Choosing the right certifications ... 38
    Finding a mentor, being a mentor ... 39
    Building your professional brand ... 39
  Pursuing Security Excellence ... 40

PART 2: CERTIFICATION DOMAINS ... 43

CHAPTER 3: Security and Risk Management ... 45
  Understand, Adhere to, and Promote Professional Ethics ... 45
    (ISC)2 Code of Professional Ethics ... 46
    Organizational code of ethics ... 47
  Understand and Apply Security Concepts ... 49
    Confidentiality ... 50
    Integrity ... 51
    Availability ... 51
    Authenticity ... 52
    Nonrepudiation ... 52
  Evaluate and Apply Security Governance Principles ... 53
    Alignment of security function to business strategy, goals, mission, and objectives ... 53
    Organizational processes ... 54
    Organizational roles and responsibilities ... 56
    Security control frameworks ... 57
    Due care and due diligence ... 60
  Determine Compliance and Other Requirements ... 61
    Contractual, legal, industry standards, and regulatory requirements ... 61
    Privacy requirements ... 66
  Understand Legal and Regulatory Issues That Pertain to Information Security ... 67
    Cybercrimes and data breaches ... 67
    Licensing and intellectual property requirements ... 82
    Import/export controls ... 85
    Transborder data flow ... 85
    Privacy ... 86
  Understand Requirements for Investigation Types ... 93
  Develop, Document, and Implement Security Policies, Standards, Procedures, and Guidelines ... 94
    Policies ... 95
    Standards (and baselines) ... 95
    Procedures ... 96
    Guidelines ... 96
  Identify, Analyze, and Prioritize Business Continuity (BC) Requirements ... 96
    Business impact analysis ... 99
    Develop and document the scope and the plan ... 107
  Contribute to and Enforce Personnel Security Policies and Procedures ... 120
    Candidate screening and hiring ... 120
    Employment agreements and policies ... 123
    Onboarding, transfers, and termination processes ... 123
    Vendor, consultant, and contractor agreements and controls ... 124
    Compliance policy requirements ... 125
    Privacy policy requirements ... 125
  Understand and Apply Risk Management Concepts ... 125
    Identify threats and vulnerabilities ... 126
    Risk assessment/analysis ... 126
    Risk appetite and risk tolerance ... 132
    Risk treatment ... 133
    Countermeasure selection and implementation ... 133
    Applicable types of controls ... 135
    Control assessments (security and privacy) ... 137
    Monitoring and measurement ... 139
    Reporting ... 140
    Continuous improvement ... 141
    Risk frameworks ... 141
  Understand and Apply Threat Modeling Concepts and Methodologies ... 143
    Identifying threats ... 143
    Determining and diagramming potential attacks ... 144
    Performing reduction analysis ... 145
    Remediating threats ... 145
  Apply Supply Chain Risk Management (SCRM) Concepts ... 146
    Risks associated with hardware, software, and services ... 147
    Third-party assessment and monitoring ... 147
    Fourth-party risk ... 147
    Minimum security requirements ... 147
    Service-level agreement requirements ... 147
  Establish and Maintain a Security Awareness, Education, and Training Program ... 148
    Methods and techniques to present awareness and training ... 148
    Periodic content reviews ... 151
    Program effectiveness evaluation ... 151

CHAPTER 4: Asset Security ... 153
  Identify and Classify Information and Assets ... 153
    Data classification ... 157
    Asset classification ... 161
  Establish Information and Asset Handling Requirements ... 162
  Provision Resources Securely ... 164
    Information and asset ownership ... 164
    Asset inventory ... 165
    Asset management ... 166
  Manage Data Life Cycle ... 167
    Data roles ... 168
    Data collection ... 168
    Data location ... 169
    Data maintenance ... 169
    Data retention ... 169
    Data remanence ... 170
    Data destruction ... 171
  Ensure Appropriate Asset Retention ... 171
    End of life ... 171
    End of support ... 172
  Determine Data Security Controls and Compliance Requirements ... 172
    Data states ... 173
    Scoping and tailoring ... 174
    Standards selection ... 175
    Data protection methods ... 176

CHAPTER 5: Security Architecture and Engineering ... 179
  Research, Implement, and Manage Engineering Processes Using Secure Design Principles ... 180
    Threat modeling ... 182
    Least privilege (and need to know) ... 186
    Defense in depth ... 187
    Secure defaults ... 188
    Fail securely ... 188
    Separation of duties ... 189
    Keep it simple ... 189
    Zero trust ... 189
    Privacy by design ... 191
    Trust but verify ... 192
    Shared responsibility ... 194
  Understand the Fundamental Concepts of Security Models ... 196
  Select Controls Based Upon Systems Security Requirements ... 199
    Evaluation criteria ... 200
    System certification and accreditation ... 205
  Understand Security Capabilities of Information Systems ... 208
    Trusted Computing Base ... 208
    Trusted Platform Module ... 209
    Secure modes of operation ... 209
    Open and closed systems ... 210
    Memory protection ... 210
    Encryption and decryption ... 210
    Protection rings ... 211
    Security modes ... 211
    Recovery procedures ... 212
  Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements ... 213
    Client-based systems ... 214
    Server-based systems ... 215
    Database systems ... 215
    Cryptographic systems ... 216
    Industrial control systems ... 217
    Cloud-based systems ... 218
    Distributed systems ... 220
    Internet of Things ... 221
    Microservices ... 221
    Containerization ... 222
    Serverless ... 223
    Embedded systems ... 224
    High-performance computing systems ... 225
    Edge computing systems ... 225
    Virtualized systems ... 226
    Web-based systems ... 226
    Mobile systems ... 228
  Select and Determine Cryptographic Solutions ... 228
    Plaintext and ciphertext ... 230
    Encryption and decryption ... 230
    End-to-end encryption ... 230
    Link encryption ... 231
    Putting it all together: The cryptosystem ... 232
    Classes of ciphers ... 233
    Types of ciphers ... 234
    Cryptographic life cycle ... 237
    Cryptographic methods ... 238
    Public key infrastructure ... 248
    Key management practices ... 248
    Digital signatures and digital certificates ... 250
    Nonrepudiation ... 250
    Integrity (hashing) ... 251
  Understand Methods of Cryptanalytic Attacks ... 253
    Brute force ... 254
    Ciphertext only ... 254
    Known plaintext ... 255
    Frequency analysis ... 255
    Chosen ciphertext ... 255
    Implementation attacks ... 255
    Side channel ... 255
    Fault injection ... 256
    Timing ... 256
    Man in the middle ... 256
    Pass the hash ... 257
    Kerberos exploitation ... 257
    Ransomware ... 257
  Apply Security Principles to Site and Facility Design ... 259
  Design Site and Facility Security Controls ... 261
    Wiring closets, server rooms, and more ... 264
    Restricted and work area security ... 265
    Utilities and heating, ventilation, and air conditioning ... 266
    Environmental issues ... 267
    Fire prevention, detection, and suppression ... 268
    Power ... 272

CHAPTER 6: Communication and Network Security ... 275
  Assess and Implement Secure Design Principles in Network Architectures ... 275
    OSI and TCP/IP models ... 277
    The OSI Reference Model ... 278
    The TCP/IP Model ... 315
  Secure Network Components ... 316
    Operation of hardware ... 316
    Transmission media ... 317
    Network access control devices ... 318
    Endpoint security ... 328
  Implement Secure Communication Channels According to Design ... 331
    Voice ... 331
    Multimedia collaboration ... 332
    Remote access ... 332
    Data communications ... 336
    Virtualized networks ... 336
    Third-party connectivity ... 338

CHAPTER 7: Identity and Access Management ... 339
  Control Physical and Logical Access to Assets ... 340
    Information ... 340
    Systems and devices ... 340
    Facilities ... 342
    Applications ... 342
  Manage Identification and Authentication of People, Devices, and Services ... 343
    Identity management implementation ... 343
    Single-/multifactor authentication ... 343
    Accountability ... 358
    Session management ... 359
    Registration, proofing, and establishment of identity ... 360
    Federated identity management ... 361
    Credential management systems ... 361
    Single sign-on ... 362
    Just-in-Time ... 363
  Federated Identity with a Third-Party Service ... 363
    On-premises ... 365
    Cloud ... 365
    Hybrid ... 365
  Implement and Manage Authorization Mechanisms ... 365
    Role-based access control ... 366
    Rule-based access control ... 367
    Mandatory access control ... 367
    Discretionary access control ... 368
    Attribute-based access control ... 369
    Risk-based access control ... 370
  Manage the Identity and Access Provisioning Life Cycle ... 370
  Implement Authentication Systems ... 372
    OpenID Connect/Open Authorization ... 372
    Security Assertion Markup Language ... 372
    Kerberos ... 373
    RADIUS and TACACS+ ... 376

CHAPTER 8: Security Assessment and Testing ... 379
  Design and Validate Assessment, Test, and Audit Strategies ... 379
  Conduct Security Control Testing ... 381
    Vulnerability assessment ... 381
    Penetration testing ... 383
    Log reviews ... 388
    Synthetic transactions ... 389
    Code review and testing ... 390
    Misuse case testing ... 391
    Test coverage analysis ... 392
    Interface testing ... 392
    Breach attack simulations ... 393
    Compliance checks ... 393
  Collect Security Process Data ... 393
    Account management ... 395
    Management review and approval ... 395
xiv CISSP For Dummies Key performance and risk indicators . . . . . . . . . . . . . . . . . . . . . . . .396 Backup verification data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397 Training and awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .399 Disaster recovery and business continuity . . . . . . . . . . . . . . . . . . .400 Analyze Test Output and Generate Reports . . . . . . . . . . . . . . . . . . . . .400 Remediation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401 Exception handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .402 Ethical disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .403 Conduct or Facilitate Security Audits . . . . . . . . . . . . . . . . . . . . . . . . . . .404 CHAPTER 9: Security Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407 Understand and Comply with Investigations . . . . . . . . . . . . . . . . . . . .408 Evidence collection and handling . . . . . . . . . . . . . . . . . . . . . . . . . . .408 Reporting and documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415 Investigative techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .416 Digital forensics tools, tactics, and procedures . . . . . . . . . . . . . . . .418 Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419 Conduct Logging and Monitoring Activities . . . . . . . . . . . . . . . . . . . . . .419 Intrusion detection and prevention . . . . . . . . . . . . . . . . . . . . . . . . .419 Security information and event management . . . . . . . . . . . . . . . .421 Security orchestration, automation, and response . . . . . . . . . . . .421 Continuous monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422 Egress monitoring . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422 Log management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423 Threat intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423 User and entity behavior analysis . . . . . . . . . . . . . . . . . . . . . . . . . . .424 Perform Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . . .424 Apply Foundational Security Operations Concepts . . . . . . . . . . . . . . .426 Need-to-know and least privilege . . . . . . . . . . . . . . . . . . . . . . . . . . .427 Separation of duties and responsibilities . . . . . . . . . . . . . . . . . . . .428 Privileged account management . . . . . . . . . . . . . . . . . . . . . . . . . . . .429 Job rotation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431 Service-level agreements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433 Apply Resource Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436 Media management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436 Media protection techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .438 Conduct Incident Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .438 Operate and Maintain Detective and Preventative Measures . . . . . .440 Implement and Support Patch and Vulnerability Management . . . . .442 Understand and Participate in Change Management Processes . . . .443 Implement Recovery Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444 Backup storage strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444 Recovery site strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445 Multiple processing sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
.445 System resilience, high availability, quality of service, and fault tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
Table of Contents xv Implement Disaster Recovery Processes . . . . . . . . . . . . . . . . . . . . . . . .448 Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .451 Personnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .453 Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .454 Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455 Restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455 Training and awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .456 Lessons learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .456 Test Disaster Recovery Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .456 Read-through or tabletop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457 Walkthrough . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .458 Parallel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459 Full interruption (or cutover) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459 Participate in Business Continuity Planning and Exercises . . . . . . . . .460 Implement and Manage Physical Security . . . . . . . . . . . . . . . . . . . . . . .460 Address Personnel Safety and Security Concerns . . . . . . . . . . . . . . . .461 CHAPTER 10: Software Development Security . . . . . . . . . . . . . . . . . . . . . 463 Understand and Integrate Security in the Software Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464 Development methodologies . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . .464 Maturity models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .473 Operation and maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .474 Change management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .475 Integrated product team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .476 Identify and Apply Security Controls in Software Development Ecosystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .476 Programming languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477 Libraries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478 Tool sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478 Integrated development environment . . . . . . . . . . . . . . . . . . . . . . .480 Runtime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .480 Continuous integration/continuous delivery . . . . . . . . . . . . . . . . . .481 Security orchestration, automation, and response . . . . . . . . . . . .481 Software configuration management . . . . . . . . . . . . . . . . . . . . . . .482 Code repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .483 Application security testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .484 Assess the Effectiveness of Software Security . . . . . . . . . . . . . . . . . . .486 Auditing and logging of changes . . . . . . . . . . . . . . . . . . . . . . . . . . . .486 Risk analysis and mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .487 Assess Security Impact of Acquired Software . . . . . . . . . . . . . . . . . . . .489 Define and Apply Secure Coding Guidelines and Standards . . . . . . 
.490 Security weaknesses and vulnerabilities at the source-code level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .491
xvi CISSP For Dummies Security of application programming interfaces . . . . . . . . . . . . . .492 Secure coding practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .493 Software-defined security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495 PART 3: THE PART OF TENS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 CHAPTER 11: Ten Ways to Prepare for the Exam . . . . . . . . . . . . . . . . . . 499 Know Your Learning Style . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499 Get a Networking Certification First . . . . . . . . . . . . . . . . . . . . . . . . . . . .500 Register Now . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500 Make a 60-Day Study Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500 Get Organized and Read . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .501 Join a Study Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .501 Take Practice Exams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .502 Take a CISSP Training Seminar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .502 Adopt an Exam-Taking Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .502 Take a Breather . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503 CHAPTER 12: Ten Test-Day Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505 Get a Good Night’s Rest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .505 Dress Comfortably . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506 Eat a Good Meal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506 Arrive Early . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . .506 Bring Approved Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506 Bring Snacks and Drinks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507 Bring Prescription and Over-the-Counter Medications . . . . . . . . . . . .507 Leave Your Mobile Devices Behind . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507 Take Frequent Breaks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507 Guess — As a Last Resort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .508 GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Introduction

Since 1994, security practitioners around the world have been pursuing a well-known and highly regarded professional credential: the Certified Information Systems Security Professional (CISSP) certification. And since 2001, CISSP For Dummies has been helping security practitioners enhance their security knowledge and earn the coveted CISSP certification.

Today, there are approximately 140,000 CISSPs worldwide. Ironically, some skeptics might argue that the CISSP certification is becoming less relevant because so many people have earned it. But the CISSP certification isn’t less relevant because more people are attaining it; more people are attaining it because it’s more relevant now than ever. Information security is far more important than at any time in the past, with extremely large-scale data security breaches and highly sophisticated cyberattacks becoming all too frequent occurrences in our modern era.

Many excellent and reputable information security training and education programs are available. In addition to technical and industry certifications, many fully accredited postsecondary degree, certificate, and apprenticeship programs are available for information security practitioners. And there certainly are plenty of self-taught, highly skilled people working in the information security field who have a strong understanding of core security concepts, techniques, and technologies. But inevitably, there are also far too many charlatans who are all too willing to overstate their security qualifications, preying on the obliviousness of business and other leaders to pursue a fulfilling career in the information security field (or for other, more-dubious purposes).

The CISSP certification is widely regarded as the professional standard for information security professionals. It enables security professionals to distinguish themselves from others by validating both their knowledge and experience. Likewise, it enables businesses and other organizations to identify qualified information security professionals and verify the knowledge and experience of candidates for critical information security roles in their organizations. Thus, the CISSP certification is more relevant and important than ever before.

About This Book

Some people say that a CISSP candidate requires a breadth of knowledge many miles across but only a few inches deep. To embellish on this statement, we believe that a CISSP candidate is more like the Great Wall of China, with a knowledge base extending over 3,500 miles — with maybe a few holes here and there, stronger in some areas than others, but nonetheless one of the Seven Wonders of the Modern World.

The problem with lots of CISSP preparation materials is defining how high (or deep) the Great Wall is. Some material overwhelms and intimidates CISSP candidates, leading them to believe that the wall is as high as it is long. Other study materials are perilously brief and shallow, giving the unsuspecting candidate a false sense of confidence while attempting to step over the Great Wall, careful not to stub a toe.

To help you avoid either misstep, CISSP For Dummies answers the question, “What level of knowledge must a CISSP candidate possess to succeed on the CISSP exam?”

Our goal in this book is simple: to help you prepare for and pass the CISSP examination so that you can join the ranks of respected certified security professionals who dutifully serve and protect organizations and industries around the world. Although we’ve stuffed it chock-full of good information, we don’t expect that this book will be a weighty desktop reference on the shelf of every security professional — although we certainly wouldn’t object.

Also, we don’t intend for this book to be an all-purpose, be-all-and-end-all, one-stop shop that has all the answers to life’s great mysteries. Given the broad base of knowledge required for the CISSP certification, we strongly recommend that you use multiple resources to prepare for the exam and study as much relevant information as your time and resources allow. CISSP For Dummies, 7th Edition, provides the framework and the blueprint for your study effort and sufficient information to help you pass the exam, but by itself, it won’t make you an information security expert. That takes knowledge, skills, and experience!

Finally, as a security professional, earning your CISSP certification is only the beginning. Business and technology, which have associated risks and vulnerabilities, require us, as security professionals, to press forward constantly, consuming vast volumes of knowledge and information in a constant tug-of-war against the bad guys. Earning your CISSP is an outstanding achievement and an essential hallmark in a lifetime of continuous learning.