Register your book or ebook at download.e-bookshelf.de · Contents at a Glance



Register your book or ebook at www.dummies.com/go/getaccess.

Select your product, and then follow the prompts to validate your purchase.

You’ll receive an email with your PIN and instructions.

This book comes with access to more content online. Create custom quizzes from hundreds

of study questions!


CISSP For Dummies, 6th Edition

by Lawrence C. Miller and Peter H. Gregory


CISSP For Dummies®, 6th Edition

Published by: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2018 by John Wiley & Sons, Inc., Hoboken, New Jersey

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and may not be used without written permission. CISSP is a registered certification mark of (ISC)2, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE.  NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT.  NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit https://hub.wiley.com/community/support/dummies.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2018941678

ISBN 978-1-119-50581-5 (pbk); ISBN 978-1-119-50610-2 (ebk); ISBN 978-1-119-50609-6 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1


Contents at a Glance

Introduction . . . . . 1

Part 1: Getting Started with CISSP Certification . . . . . 7
CHAPTER 1: (ISC)2 and the CISSP Certification . . . . . 9
CHAPTER 2: Putting Your Certification to Good Use . . . . . 23

Part 2: Certification Domains . . . . . 41
CHAPTER 3: Security and Risk Management . . . . . 43
CHAPTER 4: Asset Security . . . . . 143
CHAPTER 5: Security Architecture and Engineering . . . . . 155
CHAPTER 6: Communication and Network Security . . . . . 239
CHAPTER 7: Identity and Access Management . . . . . 315
CHAPTER 8: Security Assessment and Testing . . . . . 357
CHAPTER 9: Security Operations . . . . . 379
CHAPTER 10: Software Development Security . . . . . 429

Part 3: The Part of Tens . . . . . 453
CHAPTER 11: Ten Test-Planning Tips . . . . . 455
CHAPTER 12: Ten Test-Day Tips . . . . . 461

Glossary . . . . . 465

Index . . . . . 509


Table of Contents vii

Table of Contents

INTRODUCTION . . . . . 1

About This Book . . . . . 2
Foolish Assumptions . . . . . 3
Icons Used in This Book . . . . . 4
Beyond the Book . . . . . 4
Where to Go from Here . . . . . 5

PART 1: GETTING STARTED WITH CISSP CERTIFICATION . . . . . 7

CHAPTER 1: (ISC)2 and the CISSP Certification . . . . . 9

About (ISC)2 and the CISSP Certification . . . . . 9
You Must Be This Tall to Ride This Ride (and Other Requirements) . . . . . 10
Preparing for the Exam . . . . . 12

Studying on your own . . . . . 12
Getting hands-on experience . . . . . 13
Getting official (ISC)2 CISSP training . . . . . 14
Attending other training courses or study groups . . . . . 14
Take the practice exam . . . . . 15
Are you ready for the exam? . . . . . 15

Registering for the Exam . . . . . 16
About the CISSP Examination . . . . . 17
After the Examination . . . . . 20

CHAPTER 2: Putting Your Certification to Good Use . . . . . 23
Networking with Other Security Professionals . . . . . 24
Being an Active (ISC)2 Member . . . . . 25
Considering (ISC)2 Volunteer Opportunities . . . . . 26

Writing certification exam questions . . . . . 26
Speaking at events . . . . . 26
Helping at (ISC)2 conferences . . . . . 27
Read and contribute to (ISC)2 publications . . . . . 27
Support the (ISC)2 Center for Cyber Safety and Education . . . . . 27
Participating in (ISC)2 focus groups . . . . . 28
Join the (ISC)2 Community . . . . . 28
Get involved with a CISSP study group . . . . . 28
Help others learn more about data security . . . . . 28

Becoming an Active Member of Your Local Security Chapter . . . . . 29
Spreading the Good Word about CISSP Certification . . . . . 30

Wear the colors proudly . . . . . 31
Lead by example . . . . . 31


Using Your CISSP Certification to Be an Agent of Change . . . . . 32
Earning Other Certifications . . . . . 32

Other (ISC)2 certifications . . . . . 33
CISSP concentrations . . . . . 33
Non-(ISC)2 certifications . . . . . 34
Choosing the right certifications . . . . . 37
Find a mentor, be a mentor . . . . . 38

Pursue Security Excellence . . . . . 38

PART 2: CERTIFICATION DOMAINS . . . . . 41

CHAPTER 3: Security and Risk Management . . . . . 43
Apply Security Governance Principles . . . . . 44

Alignment of security function to business strategy, goals, mission, and objectives . . . . . 44
Organizational processes (security executive oversight) . . . . . 45
Security roles and responsibilities . . . . . 46
Control frameworks . . . . . 48
Due care . . . . . 50
Due diligence . . . . . 50

Understand and Apply Concepts of Confidentiality, Integrity, and Availability . . . . . 51

Confidentiality . . . . . 51
Integrity . . . . . 52
Availability . . . . . 52

Compliance . . . . . 53
Legislative and regulatory compliance . . . . . 53
Privacy requirements compliance . . . . . 57

Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context . . . . . 58

Computer crimes . . . . . 58
Licensing and intellectual property . . . . . 72
Import/export controls . . . . . 74
Trans-border data flow . . . . . 75
Privacy . . . . . 75
Data breaches . . . . . 80

Understand Professional Ethics . . . . . 82
Exercise the (ISC)2 Code of Professional Ethics . . . . . 83
Support your organization’s code of ethics . . . . . 83

Develop and Implement Documented Security Policies, Standards, Procedures, and Guidelines . . . . . 85

Policies . . . . . 86
Standards (and baselines) . . . . . 87
Procedures . . . . . 87
Guidelines . . . . . 87


Understand Business Continuity Requirements . . . . . 87
Develop and document project scope and plan . . . . . 90
Conduct Business Impact Analysis . . . . . 98
Developing the Business Continuity Plan . . . . . 106
Implementing the BCP . . . . . 110

Contribute to Personnel Security Policies . . . . . 111
Employment candidate screening . . . . . 112
Employment agreements and policies . . . . . 114
Employment termination processes . . . . . 115
Vendor, consultant, and contractor controls . . . . . 115
Compliance . . . . . 115
Privacy . . . . . 116

Understand and Apply Risk Management Concepts . . . . . 116
Identify threats and vulnerabilities . . . . . 116
Risk assessment/analysis (treatment) . . . . . 117
Risk treatment . . . . . 122
Countermeasure selection . . . . . 123
Implementation . . . . . 124
Types of controls . . . . . 125
Control assessment . . . . . 127
Monitoring and measurement . . . . . 129
Asset valuation . . . . . 129
Reporting . . . . . 130
Continuous improvement . . . . . 130
Risk frameworks . . . . . 131

Understand and Apply Threat Modeling . . . . . 132
Identifying threats . . . . . 133
Determining and diagramming potential attacks . . . . . 134
Performing reduction analysis . . . . . 135
Technologies and processes to remediate threats . . . . . 135

Integrate Security Risk Considerations into Supply Chain Management, Mergers, and Acquisitions . . . . . 136

Hardware, software, and services . . . . . 137
Third-party assessment and monitoring . . . . . 137
Minimum security requirements . . . . . 137
Service-level requirements . . . . . 137

Establish and Manage Information Security Education, Training, and Awareness . . . . . 138

Appropriate levels of awareness, training and education required within organization . . . . . 138
Measuring the effectiveness of security training . . . . . 140
Periodic reviews for content relevancy . . . . . 141


CHAPTER 4: Asset Security . . . . . 143
Classify Information and Supporting Assets . . . . . 143

Commercial data classification . . . . . 144
Government data classification . . . . . 145

Determine and Maintain Ownership . . . . . 146
Protect Privacy . . . . . 148
Ensure Appropriate Retention . . . . . 150
Determine Data Security Controls . . . . . 151

Baselines . . . . . 152
Scoping and tailoring . . . . . 152
Standards selection . . . . . 153
Cryptography . . . . . 153

Establish Handling Requirements . . . . . 154

CHAPTER 5: Security Architecture and Engineering . . . . . 155
Implement and Manage Engineering Processes Using Secure Design Principles . . . . . 155
Understand the Fundamental Concepts of Security Models . . . . . 157

Confidentiality . . . . . 158
Integrity . . . . . 158
Availability . . . . . 159
Access control models . . . . . 160

Select Controls Based upon Systems Security Requirements . . . . . 162
Evaluation criteria . . . . . 163
System certification and accreditation . . . . . 167
Security controls and countermeasures . . . . . 169

Understand Security Capabilities of Information Systems . . . . . 173
Computer architecture . . . . . 173
Trusted Computing Base (TCB) . . . . . 180
Trusted Platform Module (TPM) . . . . . 181
Secure modes of operation . . . . . 181
Open and closed systems . . . . . 182
Protection rings . . . . . 183
Security modes . . . . . 183
Recovery procedures . . . . . 184
Vulnerabilities in security architectures . . . . . 184

Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements . . . . . 185

Client-based systems . . . . . 185
Server-based systems . . . . . 186
Database systems . . . . . 187
Large-scale parallel data systems . . . . . 187
Distributed systems . . . . . 188
Cryptographic systems . . . . . 189


Industrial control systems . . . . . 189
Cloud-based systems . . . . . 190
Internet of Things . . . . . 192

Assess and Mitigate Vulnerabilities in Web-Based Systems . . . . . 193
Assess and Mitigate Vulnerabilities in Mobile Systems . . . . . 194
Assess and Mitigate Vulnerabilities in Embedded Devices . . . . . 195
Apply Cryptography . . . . . 196

Cryptographic lifecycle . . . . . 198
Plaintext and ciphertext . . . . . 199
Encryption and decryption . . . . . 199
Cryptography alternatives . . . . . 205
Not quite the metric system: Symmetric and asymmetric key systems . . . . . 206
Message authentication . . . . . 216
Public Key Infrastructure (PKI) . . . . . 219
Key management functions . . . . . 220
Key escrow and key recovery . . . . . 221
Methods of attack . . . . . 221

Apply Security Principles to Site and Facility Design . . . . . 224
Choosing a secure location . . . . . 226
Designing a secure facility . . . . . 226

Implement Site and Facility Security Controls . . . . . 229
Wiring closets, server rooms, media storage facilities, and evidence storage . . . . . 229
Restricted and work area security . . . . . 230
Utilities and HVAC considerations . . . . . 231
Water issues . . . . . 234
Fire prevention, detection, and suppression . . . . . 234

CHAPTER 6: Communication and Network Security . . . . . 239
Implement Secure Design Principles in Network Architectures . . . . . 239

OSI and TCP/IP models . . . . . 241
Cryptography used to maintain communication security . . . . . 279

Secure Network Components . . . . . 280
Operation of hardware . . . . . 280
Transmission media . . . . . 280
Network access control devices . . . . . 282
Endpoint security . . . . . 292
Content distribution networks . . . . . 294
Physical devices . . . . . 294

Design and Establish Secure Communication Channels . . . . . 295
Voice . . . . . 295
Email . . . . . 296
Web . . . . . 300
Facsimile . . . . . 302


Multimedia collaboration . . . . . 302
Remote access . . . . . 303
Data communications . . . . . 308
Virtualized networks . . . . . 309
Virtualization . . . . . 309

Prevent or Mitigate Network Attacks . . . . . 310
Bluejacking and bluesnarfing . . . . . 310
ICMP flood . . . . . 311
Smurf . . . . . 311
Fraggle . . . . . 311
DNS Server Attacks . . . . . 311
Man-in-the-Middle . . . . . 311
Session hijacking (spoofing) . . . . . 312
Session hijacking (session token interception) . . . . . 312
SYN flood . . . . . 312
Teardrop . . . . . 312
UDP flood . . . . . 313
Eavesdropping . . . . . 313

CHAPTER 7: Identity and Access Management . . . . . 315
Control Physical and Logical Access to Assets . . . . . 316

Information . . . . . 316
Systems and devices . . . . . 316
Facilities . . . . . 317
Life safety . . . . . 318

Manage Identification and Authentication of People, Devices, and Services . . . . . 319

Identity management implementation . . . . . 319
Single/multi-factor authentication . . . . . 328
Accountability . . . . . 343
Session management . . . . . 344
Registration and proofing of identity . . . . . 344
Federated identity management . . . . . 346
Credential management systems . . . . . 346

Integrate Identity-as-a-Service . . . . . 347
Integrate Third-Party Identity Services . . . . . 348
Implement and Manage Authorization Mechanisms . . . . . 348

Access control techniques . . . . . 349
Prevent or Mitigate Access Control Attacks . . . . . 353
Manage the Identity and Access Provisioning Lifecycle . . . . . 355

CHAPTER 8: Security Assessment and Testing . . . . . 357
Design and Validate Assessment and Test Strategies . . . . . 357
Conduct Security Control Testing . . . . . 359


    Vulnerability assessments . . . 359
    Penetration testing . . . 361
    Log reviews . . . 365
    Synthetic transactions . . . 367
    Code review and testing . . . 368
    Misuse case testing . . . 368
    Test coverage analysis . . . 370
    Interface testing . . . 370

  Collect Security Process Data . . . 371
    Account management . . . 371
    Management review . . . 372
    Key performance and risk indicators . . . 373
    Backup verification data . . . 374
    Training and awareness . . . 375
    Disaster recovery and business continuity . . . 375

  Analyze Test Output and Generate Reports . . . 376
  Conduct or Facilitate Security Audits . . . 376

CHAPTER 9: Security Operations . . . 379
  Understand and Support Investigations . . . 379

    Evidence collection and handling . . . 379
    Reporting and documentation . . . 386
    Investigative techniques . . . 387
    Digital forensics tools, tactics, and procedures . . . 389

  Understand Requirements for Investigation Types . . . 390
  Conduct Logging and Monitoring Activities . . . 391

    Intrusion detection and prevention . . . 391
    Security information and event management . . . 393
    Continuous monitoring . . . 393
    Egress monitoring . . . 394

  Securely Provisioning Resources . . . 394
  Understand and Apply Foundational Security Operations Concepts . . . 396

    Need-to-know and least privilege . . . 396
    Separation of duties and responsibilities . . . 397
    Privileged account management . . . 398
    Job rotation . . . 400
    Information lifecycle . . . 402
    Service-level agreements . . . 402

  Apply Resource Protection Techniques . . . 405
    Media management . . . 406
    Hardware and software asset management . . . 407

  Conduct Incident Management . . . 407
  Operate and Maintain Detective and Preventive Measures . . . 409


  Implement and Support Patch and Vulnerability Management . . . 411
  Understand and Participate in Change Management Processes . . . 412
  Implement Recovery Strategies . . . 412

    Backup storage strategies . . . 413
    Recovery site strategies . . . 413
    Multiple processing sites . . . 413
    System resilience, high availability, quality of service, and fault tolerance . . . 414

  Implement Disaster Recovery (DR) Processes . . . 415
    Response . . . 419
    Personnel . . . 421
    Communications . . . 421
    Assessment . . . 422
    Restoration . . . 423
    Training and awareness . . . 423

  Test Disaster Recovery Plans . . . 423
    Read-through . . . 424
    Walkthrough or tabletop . . . 424
    Simulation . . . 424
    Parallel . . . 425
    Full interruption (or cutover) . . . 426

  Participate in Business Continuity (BC) Planning and Exercises . . . 427
  Implement and Manage Physical Security . . . 427
  Address Personnel Safety and Security Concerns . . . 428

CHAPTER 10: Software Development Security . . . 429
  Understand and Integrate Security in the Software Development Lifecycle . . . 429

    Development methodologies . . . 430
    Maturity models . . . 437
    Operation and maintenance . . . 438
    Change management . . . 439
    Integrated product team . . . 439

  Identify and Apply Security Controls in Development Environments . . . 440

    Security of the software environments . . . 440
    Configuration management as an aspect of secure coding . . . 442
    Security of code repositories . . . 443

  Assess the Effectiveness of Software Security . . . 444
    Auditing and logging of changes . . . 444
    Risk analysis and mitigation . . . 445
    Acceptance testing . . . 446


  Assess Security Impact of Acquired Software . . . 447
  Define and Apply Secure Coding Guidelines and Standards . . . 448

    Security weaknesses and vulnerabilities at the source-code level . . . 448
    Security of application programming interfaces . . . 450
    Secure coding practices . . . 451

PART 3: THE PART OF TENS . . . 453

CHAPTER 11: Ten Test-Planning Tips . . . 455
  Know Your Learning Style . . . 455
  Get a Networking Certification First . . . 456
  Register Now! . . . 456
  Make a 60-Day Study Plan . . . 456
  Get Organized and Read! . . . 457
  Join a Study Group . . . 458
  Take Practice Exams . . . 458
  Take a CISSP Training Seminar . . . 458
  Adopt an Exam-Taking Strategy . . . 459
  Take a Breather . . . 459

CHAPTER 12: Ten Test-Day Tips . . . 461
  Get a Good Night's Rest . . . 461
  Dress Comfortably . . . 461
  Eat a Good Meal . . . 462
  Arrive Early . . . 462
  Bring a Photo ID . . . 462
  Bring Snacks and Drinks . . . 462
  Bring Prescription and Over-the-Counter Medications . . . 463
  Leave Your Mobile Devices Behind . . . 463
  Take Frequent Breaks . . . 463
  Guess — as a Last Resort . . . 464

GLOSSARY . . . 465

INDEX . . . 509


Introduction

Since 1994, security practitioners around the world have been pursuing a well-known and highly regarded professional credential: the Certified Information Systems Security Professional (CISSP) certification. And since 2001, CISSP For Dummies has been helping security practitioners enhance their security knowledge and earn the coveted CISSP certification.

Today, there are more than 120,000 CISSPs worldwide. Ironically, some certification skeptics might argue that the CISSP certification is becoming less relevant because so many people have earned the certification. However, the CISSP certification isn't less relevant because more people are attaining it — more people are attaining it because it's now more relevant than ever. Information security is far more important than at any time in the past, with extremely large-scale data security breaches and highly sophisticated cyberattacks becoming all too frequent occurrences in our modern era.

There are many excellent and reputable information security training and education programs available. In addition to technical and industry certifications, there are also many fully accredited postsecondary degree, certificate, and apprenticeship programs available for information security practitioners. And there are certainly plenty of self-taught, highly skilled individuals working in the information security field who have a strong understanding of core security concepts, techniques, and technologies.

But inevitably, there are also far too many charlatans who are all too willing to overstate their security qualifications and prey on the obliviousness of business and other leaders — who think “wiping” a server, for example, means “like, with a cloth or something” — in order to pursue a fulfilling career in the information security field, or perhaps for other more dubious purposes.

The CISSP certification is widely held as the professional standard for information security professionals. It enables security professionals to distinguish themselves from others in the information security field by validating both their knowledge and experience. Likewise, it enables businesses and other organizations to identify qualified information security professionals and verify the knowledge and experience of candidates for critical information security roles in their respective organizations. Thus, the CISSP certification is more relevant and important than ever before.

About This Book

Some say that the Certified Information Systems Security Professional (CISSP) candidate requires a breadth of knowledge many miles across but only a few inches deep. To embellish on this statement, we believe that the CISSP candidate is more like the Great Wall of China, with a knowledge base extending over 3,500 miles — maybe a few holes here and there, stronger in some areas than others, but nonetheless one of the New Seven Wonders of the World.

The problem with lots of currently available CISSP preparation materials is in defining how high (or deep) the Great Wall actually is: Some material overwhelms and intimidates CISSP candidates, leading them to believe that the wall is as high as it is long. Other study materials are perilously brief and shallow, giving the unsuspecting candidate a false sense of confidence while he or she merely attempts to step over the Great Wall, careful not to stub a toe. To help you avoid either misstep, CISSP For Dummies answers the question, "What level of knowledge must a CISSP candidate possess to succeed on the CISSP exam?"

Our goal in this book is simple: To help you prepare for and pass the CISSP examination so that you can join the ranks of respected certified security professionals who dutifully serve and protect organizations and industries around the world. Although we've stuffed it chock-full of good information, we don't expect that this book will be a weighty desktop reference on the shelf of every security professional — although we certainly wouldn't object.

And we don’t intend for this book to be an all-purpose, be-all-and-end-all, one-stop shop that has all the answers to life’s great mysteries. Given the broad base of knowledge required for the CISSP certification, we strongly recommend that you use multiple resources to prepare for the exam and study as much relevant information as your time and resources allow. CISSP For Dummies, 6th Edition, provides the framework and the blueprint for your study effort and sufficient information to help you pass the exam, but by itself, it won’t make you an information security expert. That takes knowledge, skills, and experience!


Finally, as a security professional, earning your CISSP certification is only the beginning. Business and technology, which have associated risks and vulnerabilities, require that each of us — as security professionals — constantly press forward, consuming vast volumes of knowledge and information in a constant tug-of-war against the bad guys.

Foolish Assumptions

It's been said that most assumptions have outlived their uselessness, but we assume a few things nonetheless! Mainly, we assume the following:

» You have at least five years of professional experience in two or more of the eight domains covered on the CISSP exam (corresponding to Chapters 3 through 10 of this book). Actually, this is more than an assumption; it's a requirement for CISSP certification. However, even if you don't yet have the minimum experience, some experience waivers are available for certain certifications and college education (we cover the specifics in Chapter 1), and you can still take the CISSP exam and then apply for certification after you meet the experience requirement.

» You have general IT experience, perhaps even many years of experience. Passing the CISSP exam requires not only considerable knowledge of information security, but also underlying IT technologies and fundamentals such as networks, operating systems, and programming.

» You have access to the Internet. Throughout this book, we provide lots of URLs for websites about technologies, standards, laws, tools, security associations, and other certifications that you’ll find helpful as you prepare for the CISSP exam.

» You are a “white hat” security professional. By this, we mean that you act lawfully and will have no problem abiding by the (ISC)2 Code of Ethics (which is a requirement for CISSP certification).

If these assumptions describe you, then this book is for you! If none of these assumptions describes you, keep reading anyway. It’s a great book and when you finish reading it, you’ll know quite a bit about information security and the CISSP certification!


Icons Used in This Book

Throughout this book, you occasionally see icons in the left margin that call attention to important information that's particularly worth noting. No smiley faces winking at you or any other cute little emoticons, but you'll definitely want to take note! Here's what to look for and what to expect:

This icon identifies general information and core concepts that are well worth committing to your non-volatile memory, your gray matter, or your noggin — along with anniversaries, birthdays, and other important stuff! You should certainly understand and review this information before taking your CISSP exam.

Tips are never expected but always appreciated, and we sure hope you’ll appreciate these tips! This icon includes helpful suggestions and tidbits of useful information that may save you some time and headaches.

This is the stuff your mother warned you about . . . well, okay — probably not, but you should take heed nonetheless. These helpful alerts point out easily confused or difficult-to-understand terms and concepts.

You won’t find a map of the human genome or the secret to cold fusion in this book (or maybe you will, hmm), but if you’re an insufferable insomniac, take note. This icon explains the jargon beneath the jargon and is the stuff legends — well, at least nerds — are made of. So, if you’re seeking to attain the seventh level of NERD-vana, keep an eye out for these icons!

Beyond the Book

In addition to what you're reading right now, this book also comes with a free access-anywhere Cheat Sheet that includes tips to help you prepare for the CISSP exam and your date with destiny — well, your exam day. To get this Cheat Sheet, simply go to www.dummies.com and type CISSP For Dummies Cheat Sheet in the Search box.

You also get access to hundreds of practice CISSP exam questions, as well as dozens of flash cards. Use the exam questions to help you identify specific topics and domains in which you may need to spend a little more time studying, and to get familiar with the types of questions you’ll encounter on the CISSP exam (including multiple choice, drag and drop, and hotspot). To gain access to the online practice, all you have to do is register. Just follow these simple steps:


1. Register your book or ebook at Dummies.com to get your PIN. Go to www.dummies.com/go/getaccess.

2. Select your product from the dropdown list on that page.

3. Follow the prompts to validate your product, and then check your email for a confirmation message that includes your PIN and instructions for logging in.

If you do not receive this email within two hours, please check your spam folder before contacting us through our Technical Support website at http://support.wiley.com or by phone at 877-762-2974.

Now you’re ready to go! You can come back to the practice material as often as you want — simply log on with the username and password you created during your initial login. No need to enter the access code a second time.

Your registration is good for one year from the day you activate your PIN.

Where to Go from Here

If you don't know where you're going, any chapter will get you there — but Chapter 1 may be a good place to start! However, if you see a particular topic that piques your interest, feel free to jump ahead to that chapter. Each chapter is individually wrapped (but not packaged for individual sale) and written to stand on its own, so feel free to start reading anywhere and skip around! Read this book in any order that suits you (though we don't recommend upside down or backwards).


Part 1
Getting Started with CISSP Certification


IN THIS PART . . .

Get acquainted with (ISC)2 and the CISSP certification.

Advance your security career as a CISSP.


Chapter 1
(ISC)2 and the CISSP Certification

IN THIS CHAPTER

» Learning about (ISC)2 and the CISSP certification

» Understanding CISSP certification requirements

» Developing a study plan

» Registering for the exam

» Taking the CISSP exam

» Getting your exam results

In this chapter, you get to know (ISC)2 and learn about the CISSP certification, including professional requirements, how to study for the exam, how to get registered, what to expect during the exam, and of course, what to expect after you pass the CISSP exam!

About (ISC)2 and the CISSP Certification

The International Information System Security Certification Consortium (ISC)2 (www.isc2.org) was established in 1989 as a not-for-profit, tax-exempt corporation chartered for the explicit purpose of developing a standardized security curriculum and administering an information security certification process for security professionals worldwide. In 1994, the Certified Information Systems Security Professional (CISSP) credential was launched.


The CISSP was the first information security credential to be accredited by the American National Standards Institute (ANSI) to the ISO/IEC 17024 standard. This international standard helps to ensure that personnel certification processes define specific competencies and identify required knowledge, skills, and personal attributes. It also requires examinations to be independently administered and designed to properly test a candidate's competence for the certification. This process helps a certification gain industry acceptance and credibility, rather than being seen as just a marketing tool (a widespread criticism that has diminished the popularity of many vendor-specific certifications over the years).

The ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) are two organizations that work together to prepare and publish international standards for businesses, governments, and societies worldwide.

The CISSP certification is based on a Common Body of Knowledge (CBK) identified by the (ISC)2 and defined through eight distinct domains:

» Security and Risk Management

» Asset Security

» Security Architecture and Engineering

» Communication and Network Security

» Identity and Access Management (IAM)

» Security Assessment and Testing

» Security Operations

» Software Development Security

You Must Be This Tall to Ride This Ride (and Other Requirements)

The CISSP candidate must have a minimum of five cumulative years of professional (paid), full-time, direct work experience in two or more of the domains listed in the preceding section. The work experience requirement is a hands-on one — you can't satisfy the requirement by just having "information security" listed as one of your job responsibilities. You need to have specific knowledge of information security — and perform work that requires you to apply that knowledge regularly. Some examples of full-time information security roles that might satisfy the work experience requirement include (but aren't limited to)

» Security Analyst

» Security Architect

» Security Auditor

» Security Consultant

» Security Engineer

» Security Manager

Examples of information technology roles for which you can gain partial credit for security work experience include (but aren’t limited to)

» Systems Administrator

» Network Administrator

» Database Administrator

» Software Developer

For any of these preceding job titles, your particular work experience might result in you spending some of your time (say, 25 percent) doing security-related tasks. This is perfectly legitimate for security work experience. For example, five years as a systems administrator, spending a quarter of your time doing security-related tasks, earns you 1.25 years of security experience.

Furthermore, you can get a waiver for a maximum of one year of the five-year professional experience requirement if you have one of the following:

» A four-year college degree (or regional equivalent)

» An advanced degree in information security from one of the U.S. National Centers of Academic Excellence in Cyber Defense (CAE-CD)

» A credential that appears on the (ISC)2-approved list, which includes more than 45 technical and professional certifications, such as various SANS GIAC certifications, Cisco and Microsoft certifications, and CompTIA Security+ (For the complete list, go to www.isc2.org/Certifications/CISSP/Prerequisite-Pathway).


See Chapter 2 to learn more about relevant certifications on the (ISC)2-approved list for an experience waiver.

In the U.S., CAE-CD programs are jointly sponsored by the National Security Agency and the Department of Homeland Security. For more information, go to www.nsa.gov/resources/educators/centers-academic-excellence/cyber-defense.

Preparing for the Exam

Many resources are available to help the CISSP candidate prepare for the exam. Self-study is a major part of any study plan. Work experience is also critical to success, and you can incorporate it into your study plan. For those who learn best in a classroom or online training environment, (ISC)2 offers CISSP training seminars.

We recommend that you commit to an intense 60-day study plan leading up to the CISSP exam. How intense? That depends on your own personal experience and learning ability, but plan on a minimum of two hours a day for 60 days. If you’re a slow learner or reader, or perhaps find yourself weak in many areas, plan on four to six hours a day — and more on the weekends. But stick to the 60-day plan. If you feel you need 360 hours of study, you may be tempted to spread this study out over a six-month period for two hours a day. Consider, however, that committing to six months of intense study is much harder (on you, as well as your family and friends) than two months. In the end, you’ll likely find yourself studying only as much as you would have in a 60-day period anyway.

Studying on your own

Self-study might include books and study references, a study group, and practice exams.

Begin by downloading the free official CISSP Certification Exam Outline from the (ISC)2 website at www.isc2.org/exam-outline. This booklet provides a good basic outline of the exam and the subjects on which you’ll be tested.

Next, read this (ISC)2-approved book and review the online practice at www.dummies.com (see the Introduction for more information). CISSP For Dummies is written to provide a thorough and essential review of all the topics covered on the CISSP exam. Then, read any additional study resources you can to further your knowledge and reinforce your understanding of the exam topics. You can find