
CISSP All-in-One Exam Guide, Seventh Edition

Content
- Cover
- Title Page
- Copyright Page
- Dedication
- About the Authors
- Contents
- In Memory of Shon Harris
- Foreword
- Acknowledgments
- From the Author
- Why Become a CISSP?
- Chapter 1 Security and Risk Management
- Fundamental Principles of Security
- Availability
- Integrity
- Confidentiality
- Balanced Security
- Security Definitions
- Control Types
- Security Frameworks
- ISO/IEC 27000 Series
- Enterprise Architecture Development
- Security Controls Development
- Process Management Development
- Functionality vs. Security
- The Crux of Computer Crime Laws
- Complexities in Cybercrime
- Electronic Assets
- The Evolution of Attacks
- International Issues
- Types of Legal Systems
- Intellectual Property Laws
- Trade Secret
- Copyright
- Trademark
- Patent
- Internal Protection of Intellectual Property
- Software Piracy
- Privacy
- The Increasing Need for Privacy Laws
- Laws, Directives, and Regulations
- Employee Privacy Issues
- Data Breaches
- U.S. Laws Pertaining to Data Breaches
- Other Nations' Laws Pertaining to Data Breaches
- Policies, Standards, Baselines, Guidelines, and Procedures
- Security Policy
- Standards
- Baselines
- Guidelines
- Procedures
- Implementation
- Risk Management
- Holistic Risk Management
- Information Systems Risk Management Policy
- The Risk Management Team
- The Risk Management Process
- Threat Modeling
- Vulnerabilities
- Threats
- Attacks
- Reduction Analysis
- Risk Assessment and Analysis
- Risk Analysis Team
- The Value of Information and Assets
- Costs That Make Up the Value
- Identifying Vulnerabilities and Threats
- Methodologies for Risk Assessment
- Risk Analysis Approaches
- Qualitative Risk Analysis
- Protection Mechanisms
- Putting It Together
- Total Risk vs. Residual Risk
- Handling Risk
- Outsourcing
- Risk Management Frameworks
- Categorize Information System
- Select Security Controls
- Implement Security Controls
- Assess Security Controls
- Authorize Information System
- Monitor Security Controls
- Business Continuity and Disaster Recovery
- Standards and Best Practices
- Making BCM Part of the Enterprise Security Program
- BCP Project Components
- Personnel Security
- Hiring Practices
- Termination
- Security-Awareness Training
- Degree or Certification?
- Security Governance
- Metrics
- Ethics
- The Computer Ethics Institute
- The Internet Architecture Board
- Corporate Ethics Programs
- Summary
- Quick Tips
- Questions
- Answers
- Chapter 2 Asset Security
- Information Life Cycle
- Acquisition
- Use
- Archival
- Disposal
- Information Classification
- Classification Levels
- Classification Controls
- Layers of Responsibility
- Executive Management
- Data Owner
- Data Custodian
- System Owner
- Security Administrator
- Supervisor
- Change Control Analyst
- Data Analyst
- User
- Auditor
- Why So Many Roles?
- Retention Policies
- Developing a Retention Policy
- Protecting Privacy
- Data Owners
- Data Processors
- Data Remanence
- Limits on Collection
- Protecting Assets
- Data Security Controls
- Media Controls
- Data Leakage
- Data Leak Prevention
- Protecting Other Assets
- Protecting Mobile Devices
- Paper Records
- Safes
- Summary
- Quick Tips
- Questions
- Answers
- Chapter 3 Security Engineering
- System Architecture
- Computer Architecture
- The Central Processing Unit
- Multiprocessing
- Memory Types
- Operating Systems
- Process Management
- Memory Management
- Input/Output Device Management
- CPU Architecture Integration
- Operating System Architectures
- Virtual Machines
- System Security Architecture
- Security Policy
- Security Architecture Requirements
- Security Models
- Bell-LaPadula Model
- Biba Model
- Clark-Wilson Model
- Noninterference Model
- Brewer and Nash Model
- Graham-Denning Model
- Harrison-Ruzzo-Ullman Model
- Systems Evaluation
- Common Criteria
- Why Put a Product Through Evaluation?
- Certification vs. Accreditation
- Certification
- Accreditation
- Open vs. Closed Systems
- Open Systems
- Closed Systems
- Distributed System Security
- Cloud Computing
- Parallel Computing
- Databases
- Web Applications
- Mobile Devices
- Cyber-Physical Systems
- A Few Threats to Review
- Maintenance Hooks
- Time-of-Check/Time-of-Use Attacks
- Cryptography in Context
- The History of Cryptography
- Cryptography Definitions and Concepts
- Kerckhoffs' Principle
- The Strength of the Cryptosystem
- Services of Cryptosystems
- One-Time Pad
- Running and Concealment Ciphers
- Steganography
- Types of Ciphers
- Substitution Ciphers
- Transposition Ciphers
- Methods of Encryption
- Symmetric vs. Asymmetric Algorithms
- Symmetric Cryptography
- Block and Stream Ciphers
- Hybrid Encryption Methods
- Types of Symmetric Systems
- Data Encryption Standard
- Triple-DES
- Advanced Encryption Standard
- International Data Encryption Algorithm
- Blowfish
- RC4
- RC5
- RC6
- Types of Asymmetric Systems
- Diffie-Hellman Algorithm
- RSA
- El Gamal
- Elliptic Curve Cryptosystems
- Knapsack
- Zero Knowledge Proof
- Message Integrity
- The One-Way Hash
- Various Hashing Algorithms
- MD4
- MD5
- SHA
- Attacks Against One-Way Hash Functions
- Digital Signatures
- Digital Signature Standard
- Public Key Infrastructure
- Certificate Authorities
- Certificates
- The Registration Authority
- PKI Steps
- Key Management
- Key Management Principles
- Rules for Keys and Key Management
- Trusted Platform Module
- TPM Uses
- Attacks on Cryptography
- Ciphertext-Only Attacks
- Known-Plaintext Attacks
- Chosen-Plaintext Attacks
- Chosen-Ciphertext Attacks
- Differential Cryptanalysis
- Linear Cryptanalysis
- Side-Channel Attacks
- Replay Attacks
- Algebraic Attacks
- Analytic Attacks
- Statistical Attacks
- Social Engineering Attacks
- Meet-in-the-Middle Attacks
- Site and Facility Security
- The Site Planning Process
- Crime Prevention Through Environmental Design
- Designing a Physical Security Program
- Protecting Assets
- Protecting Mobile Devices
- Using Safes
- Internal Support Systems
- Electric Power
- Environmental Issues
- Fire Prevention, Detection, and Suppression
- Summary
- Quick Tips
- Questions
- Answers
- Chapter 4 Communication and Network Security
- Telecommunications
- Open Systems Interconnection Reference Model
- Protocol
- Application Layer
- Presentation Layer
- Session Layer
- Transport Layer
- Network Layer
- Data Link Layer
- Physical Layer
- Functions and Protocols in the OSI Model
- Tying the Layers Together
- Multilayer Protocols
- TCP/IP Model
- TCP
- IP Addressing
- IPv6
- Layer 2 Security Standards
- Converged Protocols
- Types of Transmission
- Analog and Digital
- Asynchronous and Synchronous
- Broadband and Baseband
- Cabling
- Coaxial Cable
- Twisted-Pair Cable
- Fiber-Optic Cable
- Cabling Problems
- Networking Foundations
- Network Topology
- Media Access Technologies
- Transmission Methods
- Network Protocols and Services
- Domain Name Service
- E-mail Services
- Network Address Translation
- Routing Protocols
- Networking Devices
- Repeaters
- Bridges
- Routers
- Switches
- Gateways
- PBXs
- Firewalls
- Proxy Servers
- Honeypot
- Unified Threat Management
- Content Distribution Networks
- Software Defined Networking
- Intranets and Extranets
- Metropolitan Area Networks
- Metro Ethernet
- Wide Area Networks
- Telecommunications Evolution
- Dedicated Links
- WAN Technologies
- Remote Connectivity
- Dial-up Connections
- ISDN
- DSL
- Cable Modems
- VPN
- Authentication Protocols
- Wireless Networks
- Wireless Communications Techniques
- WLAN Components
- Evolution of WLAN Security
- Wireless Standards
- Best Practices for Securing WLANs
- Satellites
- Mobile Wireless Communication
- Network Encryption
- Link Encryption vs. End-to-End Encryption
- E-mail Encryption Standards
- Internet Security
- Network Attacks
- Denial of Service
- Sniffing
- DNS Hijacking
- Drive-by Download
- Summary
- Quick Tips
- Questions
- Answers
- Chapter 5 Identity and Access Management
- Security Principles
- Availability
- Integrity
- Confidentiality
- Identification, Authentication, Authorization, and Accountability
- Identification and Authentication
- Authentication
- Authorization
- Federation
- Identity as a Service
- Integrating Identity Services
- Access Control Models
- Discretionary Access Control
- Mandatory Access Control
- Role-Based Access Control
- Rule-Based Access Control
- Access Control Techniques and Technologies
- Constrained User Interfaces
- Access Control Matrix
- Content-Dependent Access Control
- Context-Dependent Access Control
- Access Control Administration
- Centralized Access Control Administration
- Decentralized Access Control Administration
- Access Control Methods
- Access Control Layers
- Administrative Controls
- Physical Controls
- Technical Controls
- Accountability
- Review of Audit Information
- Protecting Audit Data and Log Information
- Keystroke Monitoring
- Access Control Practices
- Unauthorized Disclosure of Information
- Access Control Monitoring
- Intrusion Detection Systems
- Intrusion Prevention Systems
- Threats to Access Control
- Dictionary Attack
- Brute-Force Attacks
- Spoofing at Logon
- Phishing and Pharming
- Summary
- Quick Tips
- Questions
- Answers
- Chapter 6 Security Assessment and Testing
- Audit Strategies
- Internal Audits
- Third-Party Audits
- Auditing Technical Controls
- Vulnerability Testing
- Penetration Testing
- War Dialing
- Other Vulnerability Types
- Postmortem
- Log Reviews
- Synthetic Transactions
- Misuse Case Testing
- Code Reviews
- Interface Testing
- Auditing Administrative Controls
- Account Management
- Backup Verification
- Disaster Recovery and Business Continuity
- Security Training and Security Awareness Training
- Key Performance and Risk Indicators
- Reporting
- Technical Reporting
- Executive Summaries
- Management Review
- Before the Management Review
- Reviewing Inputs
- Management Actions
- Summary
- Quick Tips
- Questions
- Answers
- Chapter 7 Security Operations
- The Role of the Operations Department
- Administrative Management
- Security and Network Personnel
- Accountability
- Clipping Levels
- Assurance Levels
- Operational Responsibilities
- Unusual or Unexplained Occurrences
- Deviations from Standards
- Unscheduled Initial Program Loads (aka Rebooting)
- Configuration Management
- Trusted Recovery
- Input and Output Controls
- System Hardening
- Remote Access Security
- Physical Security
- Facility Access Control
- Personnel Access Controls
- External Boundary Protection Mechanisms
- Intrusion Detection Systems
- Patrol Force and Guards
- Dogs
- Auditing Physical Access
- Secure Resource Provisioning
- Asset Inventory
- Configuration Management
- Provisioning Cloud Assets
- Network and Resource Availability
- Mean Time Between Failures
- Mean Time to Repair
- Single Points of Failure
- Backups
- Contingency Planning
- Preventative Measures
- Firewalls
- Intrusion Detection and Prevention Systems
- Antimalware
- Patch Management
- Honeypots
- The Incident Management Process
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Disaster Recovery
- Business Process Recovery
- Facility Recovery
- Supply and Technology Recovery
- Choosing a Software Backup Facility
- End-User Environment
- Data Backup Alternatives
- Electronic Backup Solutions
- High Availability
- Insurance
- Recovery and Restoration
- Developing Goals for the Plans
- Implementing Strategies
- Investigations
- Computer Forensics and Proper Collection of Evidence
- Motive, Opportunity, and Means
- Computer Criminal Behavior
- Incident Investigators
- The Forensic Investigation Process
- What Is Admissible in Court?
- Surveillance, Search, and Seizure
- Interviewing Suspects
- Liability and Its Ramifications
- Liability Scenarios
- Third-Party Risk
- Contractual Agreements
- Procurement and Vendor Processes
- Compliance
- Personal Safety Concerns
- Summary
- Quick Tips
- Questions
- Answers
- Chapter 8 Software Development Security
- Building Good Code
- Where Do We Place Security?
- Different Environments Demand Different Security
- Environment vs. Application
- Functionality vs. Security
- Implementation and Default Issues
- Software Development Life Cycle
- Project Management
- Requirements Gathering Phase
- Design Phase
- Development Phase
- Testing/Validation Phase
- Release/Maintenance Phase
- Secure Software Development Best Practices
- Software Development Models
- Build and Fix Model
- Waterfall Model
- V-Shaped Model (V-Model)
- Prototyping
- Incremental Model
- Spiral Model
- Rapid Application Development
- Agile Models
- Integrated Product Team
- DevOps
- Capability Maturity Model Integration
- Change Control
- Software Configuration Management
- Security of Code Repositories
- Programming Languages and Concepts
- Assemblers, Compilers, Interpreters
- Object-Oriented Concepts
- Other Software Development Concepts
- Application Programming Interfaces
- Distributed Computing
- Distributed Computing Environment
- CORBA and ORBs
- COM and DCOM
- Java Platform, Enterprise Edition
- Service-Oriented Architecture
- Mobile Code
- Java Applets
- ActiveX Controls
- Web Security
- Specific Threats for Web Environments
- Web Application Security Principles
- Database Management
- Database Management Software
- Database Models
- Database Programming Interfaces
- Relational Database Components
- Integrity
- Database Security Issues
- Data Warehousing and Data Mining
- Malicious Software (Malware)
- Viruses
- Worms
- Rootkit
- Spyware and Adware
- Botnets
- Logic Bombs
- Trojan Horses
- Antimalware Software
- Spam Detection
- Antimalware Programs
- Assessing the Security of Acquired Software
- Summary
- Quick Tips
- Questions
- Answers
- Appendix A Comprehensive Questions
- Answers
- Appendix B About the Download
- System Requirements
- Total Tester Premium Practice Exam Software
- Downloading Total Tester
- Installing and Running Total Tester
- Hotspot and Drag-and-Drop Questions
- McGraw-Hill Professional Media Center Download
- Technical Support
- Total Seminars Technical Support
- McGraw-Hill Education Content Support
- Glossary
- Index
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.
File format: PDF
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (only limited: Kindle).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our eBook Help page.