Schweitzer Fachinformationen
When it comes to professional knowledge, Schweitzer Fachinformationen leads the way. Customers from law and consulting, as well as companies, public administrations and libraries, receive complete solutions for procuring, managing and using digital and printed media.
CISSP Study Guide - fully updated for the 2024 CISSP Body of Knowledge
ISC2 Certified Information Systems Security Professional (CISSP) Official Study Guide, 10th Edition has been completely updated based on the latest 2024 CISSP Detailed Content Outline. This bestselling Sybex Study Guide covers 100% of the CISSP objectives. You'll prepare smarter and faster with Sybex thanks to expert content, knowledge from our real-world experience, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic Study Essentials and chapter review questions.
The book's co-authors bring decades of experience as cybersecurity practitioners and educators, integrating real-world expertise with the practical knowledge you'll need to successfully prove your CISSP mastery. Combined, they've taught cybersecurity concepts to millions of students through their books, video courses, and live training programs.
Along with the book, you also get access to Sybex's superior online interactive learning environment that includes:
Coverage of all of the CISSP topics in the book means you'll be ready for:
Mike Chapple, PhD, CISSP, CCSP, is a teaching professor of IT, analytics, and operations at the University of Notre Dame. He is a cybersecurity professional and educator with over 25 years' experience, including as chief information officer of Brand Institute and as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is the author of more than 200 books and video courses and provides cybersecurity certification resources at CertMike.com.
James Michael Stewart, CISSP, has been writing and training for more than 25 years, with a focus on security. He has been teaching CISSP training courses since 2002, not to mention other courses on Internet security and ethical hacking/penetration testing. He is the author of and contributor to more than 80 books on security certification.
Darril Gibson, CISSP (1958-2022), was the CEO of YCDA, LLC. He regularly wrote and consulted on a wide variety of technical and security topics and held numerous other security certifications. He authored or coauthored more than 30 books, including multiple prior editions of the CISSP Study Guide.
Introduction xxxv
Assessment Test lx
Chapter 1 Security Governance Through Principles and Policies 1
Security 101 3
Understand and Apply Security Concepts 4
Security Boundaries 13
Evaluate and Apply Security Governance Principles 14
Manage the Security Function 16
Security Policy, Standards, Procedures, and Guidelines 27
Threat Modeling 29
Supply Chain Risk Management 35
Summary 38
Study Essentials 39
Written Lab 41
Review Questions 42
Chapter 2 Personnel Security and Risk Management Concepts 49
Personnel Security Policies and Procedures 51
Understand and Apply Risk Management Concepts 60
Social Engineering 90
Establish and Maintain a Security Awareness, Education, and Training Program 106
Summary 110
Study Essentials 111
Written Lab 114
Review Questions 115
Chapter 3 Business Continuity Planning 121
Planning for Business Continuity 122
Project Scope and Planning 123
Business Impact Analysis 131
Continuity Planning 137
Plan Approval and Implementation 140
Summary 145
Study Essentials 145
Written Lab 146
Review Questions 147
Chapter 4 Laws, Regulations, and Compliance 151
Categories of Laws 152
Laws 155
State Privacy Laws 179
Compliance 179
Contracting and Procurement 181
Summary 182
Study Essentials 182
Written Lab 184
Review Questions 185
Chapter 5 Protecting Security of Assets 189
Identifying and Classifying Information and Assets 190
Establishing Information and Asset Handling Requirements 198
Data Protection Methods 208
Understanding Data Roles 214
Using Security Baselines 216
Summary 219
Study Essentials 220
Written Lab 221
Review Questions 222
Chapter 6 Cryptography and Symmetric Key Algorithms 227
Cryptographic Foundations 228
Modern Cryptography 246
Symmetric Cryptography 253
Cryptographic Life Cycle 263
Summary 264
Study Essentials 264
Written Lab 266
Review Questions 267
Chapter 7 PKI and Cryptographic Applications 271
Asymmetric Cryptography 272
Hash Functions 279
Digital Signatures 283
Public Key Infrastructure 286
Asymmetric Key Management 292
Hybrid Cryptography 293
Applied Cryptography 294
Cryptographic Attacks 306
Summary 309
Study Essentials 310
Written Lab 311
Review Questions 312
Chapter 8 Principles of Security Models, Design, and Capabilities 317
Secure Design Principles 319
Techniques for Ensuring CIA 330
Understand the Fundamental Concepts of Security Models 332
Select Controls Based on Systems Security Requirements 345
Understand Security Capabilities of Information Systems 349
Summary 352
Study Essentials 353
Written Lab 354
Review Questions 355
Chapter 9 Security Vulnerabilities, Threats, and Countermeasures 359
Shared Responsibility 360
Data Localization and Data Sovereignty 362
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 363
Client-Based Systems 378
Server-Based Systems 381
Industrial Control Systems 384
Distributed Systems 386
High-Performance Computing (HPC) Systems 387
Real-Time Operating Systems 388
Internet of Things 389
Edge and Fog Computing 390
Embedded Devices and Cyber-Physical Systems 391
Microservices 396
Infrastructure as Code 397
Immutable Architecture 398
Virtualized Systems 399
Containerization 406
Mobile Devices 407
Essential Security Protection Mechanisms 424
Common Security Architecture Flaws and Issues 427
Summary 431
Study Essentials 432
Written Lab 436
Review Questions 437
Chapter 10 Physical Security Requirements 443
Apply Security Principles to Site and Facility Design 444
Implement Site and Facility Security Controls 449
Implement and Manage Physical Security 473
Summary 480
Study Essentials 481
Written Lab 484
Review Questions 485
Chapter 11 Secure Network Architecture and Components 491
OSI Model 493
TCP/IP Model 501
Analyzing Network Traffic 502
Common Application Layer Protocols 503
Transport Layer Protocols 504
Domain Name System 506
Internet Protocol (IP) Networking 512
ARP Concerns 516
Secure Communication Protocols 517
Implications of Multilayer Protocols 518
Segmentation 523
Edge Networks 526
Wireless Networks 527
Satellite Communications 543
Cellular Networks 544
Content Distribution Networks (CDNs) 544
Secure Network Components 545
Summary 572
Study Essentials 573
Written Lab 575
Review Questions 576
Chapter 12 Secure Communications and Network Attacks 581
Protocol Security Mechanisms 582
Secure Voice Communications 587
Remote Access Security Management 591
Multimedia Collaboration 595
Monitoring and Management 597
Load Balancing 597
Manage Email Security 600
Virtual Private Network 606
Switching and Virtual LANs 613
Network Address Translation 617
Third-Party Connectivity 622
Switching Technologies 624
WAN Technologies 626
Fiber-Optic Links 629
Prevent or Mitigate Network Attacks 630
Summary 631
Study Essentials 632
Written Lab 635
Review Questions 636
Chapter 13 Managing Identity and Authentication 641
Controlling Access to Assets 643
The AAA Model 645
Implementing Identity Management 662
Managing the Identity and Access Provisioning Life Cycle 668
Summary 672
Study Essentials 672
Written Lab 675
Review Questions 676
Chapter 14 Controlling and Monitoring Access 681
Comparing Access Control Models 682
Implementing Authentication Systems 694
Zero-Trust Access Policy Enforcement 702
Understanding Access Control Attacks 703
Summary 719
Study Essentials 720
Written Lab 721
Review Questions 722
Chapter 15 Security Assessment and Testing 727
Building a Security Assessment and Testing Program 729
Performing Vulnerability Assessments 735
Testing Your Software 750
Training and Exercises 758
Implementing Security Management Processes and Collecting Security Process Data 759
Summary 762
Exam Essentials 763
Written Lab 764
Review Questions 765
Chapter 16 Managing Security Operations 769
Apply Foundational Security Operations Concepts 771
Address Personnel Safety and Security 778
Provision Information and Assets Securely 780
Managed Services in the Cloud 786
Perform Configuration Management (CM) 790
Manage Change 793
Manage Patches and Reduce Vulnerabilities 797
Summary 801
Study Essentials 802
Written Lab 804
Review Questions 805
Chapter 17 Preventing and Responding to Incidents 809
Conducting Incident Management 811
Implementing Detection and Preventive Measures 818
Logging and Monitoring 842
Automating Incident Response 854
Summary 860
Study Essentials 860
Written Lab 863
Review Questions 864
Chapter 18 Disaster Recovery Planning 869
The Nature of Disaster 871
Understand System Resilience, High Availability, and Fault Tolerance 883
Recovery Strategy 888
Recovery Plan Development 898
Training, Awareness, and Documentation 906
Testing and Maintenance 907
Summary 911
Study Essentials 912
Written Lab 913
Review Questions 914
Chapter 19 Investigations and Ethics 919
Investigations 920
Major Categories of Computer Crime 934
Ethics 940
Summary 944
Study Essentials 945
Written Lab 946
Review Questions 947
Chapter 20 Software Development Security 951
Introducing Systems Development Controls 953
Establishing Databases and Data Warehousing 984
Storage Threats 994
Understanding Knowledge-Based Systems 995
Summary 998
Study Essentials 998
Written Lab 1000
Review Questions 1001
Chapter 21 Malicious Code and Application Attacks 1005
Malware 1006
Malware Prevention 1018
Application Attacks 1021
Injection Vulnerabilities 1024
Exploiting Authorization Vulnerabilities 1030
Exploiting Web Application Vulnerabilities 1033
Application Security Controls 1038
Secure Coding Practices 1044
Summary 1048
Study Essentials 1048
Written Lab 1049
Review Questions 1050
Appendix A Answers to Review Questions 1055
Chapter 1: Security Governance Through Principles and Policies 1056
Chapter 2: Personnel Security and Risk Management Concepts 1059
Chapter 3: Business Continuity Planning 1063
Chapter 4: Laws, Regulations, and Compliance 1065
Chapter 5: Protecting Security of Assets 1068
Chapter 6: Cryptography and Symmetric Key Algorithms 1070
Chapter 7: PKI and Cryptographic Applications 1072
Chapter 8: Principles of Security Models, Design, and Capabilities 1074
Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 1077
Chapter 10: Physical Security Requirements 1082
Chapter 11: Secure Network Architecture and Components 1085
Chapter 12: Secure Communications and Network Attacks 1089
Chapter 13: Managing Identity and Authentication 1092
Chapter 14: Controlling and Monitoring Access 1095
Chapter 15: Security Assessment and Testing 1097
Chapter 16: Managing Security Operations 1099
Chapter 17: Preventing and Responding to Incidents 1102
Chapter 18: Disaster Recovery Planning 1104
Chapter 19: Investigations and Ethics 1106
Chapter 20: Software Development Security 1108
Chapter 21: Malicious Code and Application Attacks 1111
Appendix B Answers to Written Labs 1115
Chapter 1: Security Governance Through Principles and Policies 1116
Chapter 2: Personnel Security and Risk Management Concepts 1116
Chapter 3: Business Continuity Planning 1117
Chapter 4: Laws, Regulations, and Compliance 1118
Chapter 5: Protecting Security of Assets 1119
Chapter 6: Cryptography and Symmetric Key Algorithms 1119
Chapter 7: PKI and Cryptographic Applications 1120
Chapter 8: Principles of Security Models, Design, and Capabilities 1121
Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 1121
Chapter 10: Physical Security Requirements 1123
Chapter 11: Secure Network Architecture and Components 1124
Chapter 12: Secure Communications and Network Attacks 1125
Chapter 13: Managing Identity and Authentication 1126
Chapter 14: Controlling and Monitoring Access 1127
Chapter 15: Security Assessment and Testing 1127
Chapter 16: Managing Security Operations 1128
Chapter 17: Preventing and Responding to Incidents 1129
Chapter 18: Disaster Recovery Planning 1130
Chapter 19: Investigations and Ethics 1131
Chapter 20: Software Development Security 1131
Chapter 21: Malicious Code and Application Attacks 1131
Index 1133
The ISC2® CISSP® Certified Information Systems Security Professional Official Study Guide, Tenth Edition, offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you've shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam.
This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this CISSP Study Guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam.
The information presented here in this Introduction was based on the publicly available documentation from ISC2 as of April 15, 2024. However, these details and exam parameters are subject to change at any time based upon ISC2 operational decisions. Please consult isc2.org to confirm, verify, or learn about updated exam specifics.
Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary five years of cumulative full-time work experience (or four years if you have a college degree) in two or more of the eight domains covered by the CISSP exam. Part-time work and internship experience are also acceptable with conditions; see www.isc2.org/certifications/cissp/cissp-experience-requirements. If you are qualified to take the CISSP exam according to ISC2, then you are sufficiently prepared to use this book to study for it. For more information on ISC2, see the next section.
Alternatively, ISC2 allows for a one-year reduction of the five-year experience requirement if you have earned one of the approved certifications from the ISC2 prerequisite pathway. As of Q1 2024, the qualified certifications are:
For the complete and current list of qualifying certifications, visit www.isc2.org/certifications/cissp/cissp-experience-requirements.
You can use only one of the experience reduction measures, either a college degree or a certification, not both.
ISC2 offers an entry program known as an Associate of ISC2. This program allows someone who does not yet have enough experience to qualify as a CISSP applicant to take the CISSP exam anyway and then obtain the experience afterward. Associates are granted six years to obtain five years of security experience. Only after providing proof of such experience, usually by means of endorsement (discussed later), can the individual be awarded the full CISSP certification.
If you are just getting started on your journey to CISSP certification and do not yet have the work experience, then our book can still be a useful tool in your preparation for the exam. However, you may find that some of the topics covered assume knowledge that you don't have. For those topics, you may need to do some additional research using other materials, and then return to this book to continue learning about the CISSP topics.
The CISSP exam is governed by the International Information System Security Certification Consortium (ISC2). ISC2 is a global nonprofit organization. Its mission statement reads: "ISC2 strengthens the influence, diversity and vitality of the field through advocacy, expertise and workforce empowerment that accelerates cyber safety and cybersecurity in an interconnected world."
ISC2 is operated by a board of directors elected from the ranks of its certified practitioners.
ISC2 supports and provides a wide variety of certifications, including CISSP, ISSAP, ISSMP, ISSEP, SSCP, CC, CCSP, CGRC, and CSSLP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. You can obtain more information about ISC2 and its other certifications from its website at isc2.org.
The CISSP credential is for security professionals "with the knowledge, skills and abilities to lead an organization's information security program."
The CISSP certification covers material from the eight topical domains. These eight domains are as follows:
These eight domains provide a vendor-independent overview of a common security framework. This framework is the basis for a discussion on security practices that can be supported in all types of organizations worldwide.
ISC2 has defined the qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least five years' work experience or with four years' experience and a recent IT or IS degree or an approved security certification (as mentioned previously). Professional experience is defined as security work performed (with or without pay) within two or more of the eight CISSP domains.
Second, you must agree to adhere to a formal code of ethics. The ISC2 Code of Ethics is a set of guidelines ISC2 wants all certification candidates to follow to maintain professionalism in the field of information systems security. You can find the ISC2 Code of Ethics at isc2.org/ethics.
The CISSP exam focuses on security from an overview perspective; it deals more with theory and concept than implementation and procedure. It is very broad but not very deep. To successfully complete this exam, you'll need to be familiar with every domain but not necessarily be a master of each domain.
The CISSP exam is in an adaptive format that ISC2 calls CISSP CAT (Computerized Adaptive Testing). For complete details of this form of exam presentation, please see www.isc2.org/certifications/CISSP/CISSP-CAT.
The CISSP CAT exam has a minimum of 100 questions and a maximum of 150. Not all items (i.e., questions) presented count toward your proficiency level, competency requirements, or passing status. There are 25 unscored questions, which ISC2 calls pre-test or unscored items, whereas the scored questions are called operational items. The questions are not labeled on the exam as to whether they are scored (i.e., operational items) or unscored (i.e., pre-test items). Every test candidate receives 25 unscored items on their exam, regardless of whether they achieve a passing rank at question 100 or see all 150 questions. However, an exam's pass/fail result is determined by only the last 75 operational items the candidate answered.
The CISSP CAT grants a maximum of three (3) hours to take...
File format: ePUB
Copy protection: Adobe DRM (Digital Rights Management)
System requirements:
The ePUB file format is well suited to novels and non-fiction, that is, to "flowing" text without a complex layout. On e-readers or smartphones, line and page breaks adapt automatically to the small display. Adobe DRM applies a "hard" form of copy protection here. If the necessary requirements are not met, you will unfortunately not be able to open the e-book, so you must prepare your reading hardware before downloading. Please note: we strongly recommend that you authorize the reading software with your personal Adobe ID after installing it.
Further information can be found in our e-book help.