DOCSLIB.ORG

CISSP Exam Cram

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
CISSP Exam Cram Exclusive Offer – 40% OFF Pearson IT Certification Video Training pearsonitcertification.com/video Use coupon code PITCVIDEO40 during checkout. Video Instruction from Technology Experts Advance Your Skills Train Anywhere Learn Get started with fundamentals, Train anywhere, at your Learn from trusted author become an expert, own pace, on any device. trainers published by or get certified. Pearson IT Certification. Try Our Popular Video Training for FREE! pearsonitcertification.com/video Explore hundreds of FREE video lessons from our growing library of Complete Video Courses, LiveLessons, networking talks, and workshops. pearsonitcertification.com/video CISSP® Exam Cram Fourth Edition Michael Gregg CISSP® Exam Cram, Fourth Edition Editor-in-Chief Copyright © 2017 by Pearson Education, Inc. Mark Taub All rights reserved. No part of this book shall be reproduced, stored in Product Line a retrieval system, or transmitted by any means, electronic, mechanical, Manager photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the Brett Bartow information contained herein. Although every precaution has been taken Acquisitions in the preparation of this book, the publisher and author assume no Editor responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein. Michelle Newcomb ISBN-13: 978-0-7897-5553-7 Development Editor ISBN-10: 0-7897-5553-X Ellie C. Bru Library of Congress Control Number: 2016940474 Managing Editor Printed in the United States of America Sandra Schroeder First Printing: August 2016 Project Editor Trademarks Mandie Frank All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson cannot attest Copy Editor to the accuracy of this information. Use of a term in this book should not Larry Sulky be regarded as affecting the validity of any trademark or service mark. Indexer Warning and Disclaimer Every effort has been made to make this book as complete and as Lisa Stumpf accurate as possible, but no warranty or fitness is implied. The information Proofreader provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to H.S. Rupa any loss or damages arising from the information contained in this book. Technical Editors Special Sales Chris Crayton For information about buying this title in bulk quantities, or for special sales Michael Angelo opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, Publishing or branding interests), please contact our corporate sales department at Coordinator [email protected] or (800) 382-3419. Vanessa Evans For government sales inquiries, please contact Page Layout [email protected]. codeMantra For questions about sales outside the U.S., please contact [email protected]. Contents at a Glance Introduction 1 CHAPTER 1 The CISSP Certification Exam 17 CHAPTER 2 Logical Asset Security 27 CHAPTER 3 Physical Asset Security 71 CHAPTER 4 Security and Risk Management 115 CHAPTER 5 Security Engineering 175 CHAPTER 6 The Application and Use of Cryptography 233 CHAPTER 7 Communications and Network Security 295 CHAPTER 8 Identity and Access Management 373 CHAPTER 9 Security Assessment and Testing 425 CHAPTER 10 Security Operations 491 CHAPTER 11 Software Development Security 541 CHAPTER 12 Business Continuity Planning 587 Practice Exam I 631 Answers to Practice Exam I 645 Practice Exam II 661 Answers to Practice Exam II 675 Glossary 691 Index 729 Table of Contents Introduction .............................................. 1 CHAPTER 1: The CISSP Certification Exam ................................ 17 Introduction ......................................... 18 Assessing Exam Readiness ................................ 18 Taking the Exam ...................................... 19 Examples of CISSP Test Questions .......................... 21 Answer to Multiple-Choice Question ........................ 23 Answer to Drag and Drop Question ......................... 23 Answer to Hotspot Question .............................. 23 Exam Strategy ........................................ 24 Question-Handling Strategies ............................. 25 Mastering the Inner Game ................................ 26 Need to Know More? ................................... 26 CHAPTER 2: Logical Asset Security ..................................... 27 Introduction ......................................... 28 Basic Security Principles ................................. 28 Data Management: Determine and Maintain Ownership ........... 30 Data Governance Policy ............................. 30 Roles and Responsibility ............................. 32 Data Ownership ................................... 33 Data Custodians ................................... 34 Data Documentation and Organization .................. 35 Data Warehousing ................................. 35 Data Mining ..................................... 35 Knowledge Management ............................. 36 Data Standards ........................................ 37 Data Lifecycle Control .............................. 37 Data Audit ....................................... 37 Data Storage and Archiving ........................... 38 Data Security, Protection, Sharing, and Dissemination ............. 41 Privacy Impact Assessment ........................... 42 Information Handling Requirements .................... 43 v Contents Data Retention and Destruction ........................ 44 Data Remanence and Decommissioning .................. 45 Classifying Information and Supporting Assets ................. 46 Data Classification ................................. 46 Asset Management and Governance ......................... 49 Software Licensing ................................ 50 Equipment Lifecycle ................................ 51 Determine Data Security Controls .......................... 52 Data at Rest ...................................... 52 Data in Transit .................................... 54 Endpoint Security ................................. 56 Baselines ........................................ 57 Laws, Standards, Mandates and Resources ..................... 58 United States Resources ............................. 60 International Resources .............................. 61 Exam Prep Questions ................................... 64 Answers to Exam Prep Questions ........................... 67 Need to Know More? ................................... 68 CHAPTER 3: Physical Asset Security ..................................... 71 Introduction ......................................... 72 Physical Security Risks .................................. 72 Natural Disasters .................................. 73 Man-Made Threats................................. 74 Technical Problems ................................ 75 Facility Concerns and Requirements ......................... 76 CPTED ........................................ 76 Area Concerns .................................... 77 Location ........................................ 78 Construction ..................................... 78 Doors, Walls, Windows, and Ceilings .................... 79 Asset Placement ................................... 82 Physical Port Controls .............................. 82 Perimeter Controls ..................................... 83 Fences ......................................... 83 Gates .......................................... 84 Bollards ........................................ 85 vi CISSP Exam Cram CCTV Cameras ................................... 87 Lighting ........................................ 88 Guards and Dogs .................................. 89 Locks .......................................... 89 Employee Access Control ................................ 94 Badges, Tokens, and Cards ............................ 94 Biometric Access Controls ............................ 96 Environmental Controls ................................. 98 Heating, Ventilating, and Air Conditioning ................ 98 Electrical Power ....................................... 99 Uninterruptible Power Supply .........................100 Equipment Life Cycle ...................................101 Fire Prevention, Detection, and Suppression ...................101 Fire-Detection Equipment ...........................102 Fire Suppression ..................................103 Alarm Systems ........................................106 Intrusion Detection Systems ..........................106 Monitoring and Detection ............................107 Exam Prep Questions ...................................109 Answers to Exam Prep Questions ...........................112 Suggested Reading and Resources ...........................113 CHAPTER 4: Security and Risk Management ...............................115 Introduction .........................................116 Security Governance ....................................116 Third-Party Governance .............................118 Organization Processes ..............................119 Protection of Intellectual Properly ..........................121 Privacy Laws and Protection of Personal Information .............121 Relevant Laws and Regulations ............................123 United States Legal System and Laws ........................123
Load more

Recommended publications
  • A Study of Email Encryption on Android OS
    International Journal of Information Engineering and Applications 2018; 1(2): 67-70 http://www.aascit.org/journal/information A Study of Email Encryption on Android OS Ghasaq Bahaa Abdulhussein Department of Computer Network Engineering, Faulty of Art Science &Technology, University of Northampton, Northampton, UK Email address Citation Ghasaq Bahaa Abdulhussein. A Study of Email Encryption on Android OS. International Journal of Information Engineering and Applications. Vol. 1, No. 2, 2018, pp. 67-70. Received : January 27, 2018; Accepted : February 18, 2018; Published : March 23, 2018 Abstract: In the past, mobile devices are used for making/receiving calls and SMS. Smartphones become the most common and typical mobile devices in recent years. They merge the PDA (personal digital assistant) with the functionality of mobile phone. Moreover, they are provided many functionality of the computers, such as processing, communication, data storage and etc. Also, they provide many services that the computers make them available, for example web browser, video call, GPS, Wi- Fi, different social media application and etc. Recently, email is one of many relevant communication services that accessed commonly using smartphones. One of most popular operating systems in smartphones that using it, is android. In this paper, email encryption on android is present using Asymmetric key for files, emails, and texts to encrypt/ decrypt, sign email/file, and verify. Both OpenKeychain and Samsung email is used in this paper to simulate the use of PGP on android. This paper proposed the use of asymmetric in the same mobile application which is compatible with all OS platforms software. Keywords: Mobile Security, Android, Security, Email, Encryption, Public Key 1.
    [Show full text]
  • A Bottom-Up Approach to the Secure and Standardized Internet of Things Timothy Claeys
    Security for the internet of things : a bottom-up approach to the secure and standardized internet of things Timothy Claeys To cite this version: Timothy Claeys. Security for the internet of things : a bottom-up approach to the secure and stan- dardized internet of things. Computers and Society [cs.CY]. Université Grenoble Alpes, 2019. English. NNT : 2019GREAM062. tel-02948567 HAL Id: tel-02948567 https://tel.archives-ouvertes.fr/tel-02948567 Submitted on 24 Sep 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THÈSE Pour obtenir le grade de DOCTEUR DE LA COMMUNAUTÉ UNIVERSITÉ GRENOBLE ALPES Spécialité : Informatique Arrêté ministériel : 25 mai 2016 Présentée par Timothy Claeys Thèse dirigée par Bernard Tourancheau Professeur, Université Grenoble Alpes et coencadrée par Franck Rousseau Maitre de Conférence, Grenoble INP préparée au sein de Laboratoire d’Informatique de Grenoble (LIG) dans l’École Doctorale Mathématiques, Sciences et Technologies de l’Information, Informatique (EDMSTII). Sécurité pour l’Internet des Objets: Une approche de bas
    [Show full text]
  • Cryptography Domain – Part 2
    CISSP® Common Body of Knowledge Review: Cryptography Domain – Part 2 Version: 5.9.2 CISSP Common Body of Knowledge Review by Alfred Ouyang is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. Learning Objective Cryptography Domain The Cryptography domain addresses the principles, means, and methods of applying mathematical algorithms and data transformations to information to ensure its integrity, confidentiality, and authentication. The candidate is expected to know basic concepts within cryptography; public and private key algorithms in terms of their applications and uses; algorithm construction, key distribution and management, and methods of attack; the applications, construction and use of digital signatures to provide authenticity of electronic transactions, and non-repudiation of the parties involved; and the organization and management of the Public Key Infrastructure (PKIs) and digital certification and management. Reference: CISSP CIB, January 2012 (Rev. 5) - 2 - Review of Part 1 • Classic ciphers: – Substitution cipher – Transposition cipher – Polyalphabetic (or running key) cipher – Concealment • Modern ciphers: – Block cipher – Stream cipher – Steganography – Combination - 3 - Review of Part 1 • Hash Function Cryptography – Non-keyed Digest (for integrity) – Keyed Digest (for authentication) – Digital Signature (for non-repudiation) • Symmetric Cryptography – Block Ciphers • Confusion & Diffusion – Confusion: S-box – Diffusion: Feistel network & Columnar transposition – Stream Ciphers • XOR operation – Modes of operation • Block mode: ECB and CBC • Stream mode: CFB, OFB, CTR - 4 - Review of Part 1 • Asymmetric Cryptography – Diffie-Hellman Algorithm – Factorization Algorithm – Discrete Logarithm Algorithm • Hybrid Cryptography – Make use of asymmetric cryptography to keep the ephemeral secret key secret.
    [Show full text]
  • An Authentication Framework for Web Access to Remote Hosts
    NAT'L INST; OF llilllliHi I NIST PL ^(-/CATIONS A 11 ID 5 SS2745 NISTIR 6278 An Authentication Framework for Web Access to Remote Hosts Ryan P. McCormack John E. Koontz Judith Devaney U.S. DEPARTMENT OF COMMERCE Technology Administration National Institute of Standards and Technology Information Technology Laboratory Gaithersburg, MD 20899 oc 100 U56 NIST HO. 6278 1999 NISTIR 6278 An Authentication Framework for Web Access to Remote Hosts Ryan P. McCormack John E. Koontz Judith Devaney U.S. DEPARTMENT OF COMMERCE Technology Administration National Institute of Standards and Technology Information Technology Laboratory Gaithersburg, MD 20899 January 1999 &&WOF Cq WSM Sr <- > Mr ES o* U.S. DEPARTMENT OF COMMERCE William M. Daley, Secretary TECHNOLOGY ADMINISTRATION Gary R. Bachula, Acting Under Secretary for Technology NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Raymond G. Kammer, Director U.S. DEPARTMENT OF ENERGY Washington, D.C. 20858 An Authentication Framework for Web Access to Remote Hosts Ryan P. McCormack, John E. Koontz, Judith Devaney Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899 January 14, 1999 Abstract An authentication framework is described that provides a secure means for clients to access remote computing resources via the Web. Clients authenticate themselves to a proxy Web server using a secure protocol and a digital certificate. The server constructs a fingerprint (digest) of the certificate using a secure hash function. This hash value acts as a user’s identification, which is used to obtain remote login information for that user from an authentication database. Client commands can then be executed by the Web server on remote hosts using the Secure Shell protocol.
    [Show full text]
  • An Advanced Introduction to Gnupg
    An Advanced Introduction to GnuPG Neal H. Walfield August 18, 2017 2 Copyright © 2017 g10 Code GmbH. This work is licensed under a Creative Commons Attribution 4.0 Interna- tional License. Contents I Main Matter 7 1 Introduction 9 1.1 History . 10 1.2 OpenPGP Criticism . 11 1.2.1 Usability . 11 1.2.2 Deniability . 11 1.2.3 Forward Sececy . 12 1.3 Modern Chat Protocols . 12 1.4 Privacy . 13 1.5 Scope . 13 2 A GnuPG Primer 15 3 Cryptography 17 4 OpenPGP 19 4.1 Data at Rest . 20 4.2 Unbuffered Message Processing . 22 4.3 OpenPGP Messages . 22 4.4 Encryption . 23 4.4.1 Hybrid Encryption . 24 4.4.2 Algorithm . 25 4.4.3 An Encrypted Message . 25 4.5 Signing . 30 4.5.1 Multiple Signers . 30 4.5.2 Algorithm . 31 4.5.3 Example . 32 4.6 Keys . 36 3 4 CONTENTS 4.6.1 Multiple Public and Private Key Pairs . 36 4.6.2 Self Signatures . 38 4.6.3 Example . 38 4.7 Key Signing . 43 4.7.1 Local Signatures . 44 4.7.2 Confidence . 44 4.7.3 Trusted Introducers . 45 4.7.4 Non-Revocable Signatures . 46 4.7.5 Example . 46 4.8 Revocations . 48 4.9 Notations . 49 4.10 Summary . 50 5 Passwords 51 5.1 Diceware . 51 6 Key Creation 53 6.1 Keys Aren’t Forever, Revocation Certificates Are . 54 6.1.1 Backing Up a Revocation Certificate . 56 6.1.2 Publishing a Revocation Certificate . 57 6.1.3 Recruiting Your Friends .
    [Show full text]
  • Survey of Security Algorithms in Cloud
    International Journal of Computer Applications (0975 – 8887) Volume 115 – No. 19, April 2015 Survey of Security Algorithms in Cloud Swaranjeet Kaur Amritpal Kaur M.Tech Research scholar Assistant Professor Sri Guru Granth Sahib World University Sri Guru Granth Sahib World University Fatehgarh Sahib,Punjab Fatehgarh Sahib,Punjab ABSTRACT Cloud Computing allows people to share data, no matter Cloud Computing refers to the delivery of computing where they are and what type of device they are using. resources over the web. Computing resources are shared Examples of cloud services are: rather than having personal devices to handle applications. Social Networking Sites, e.g., facebook, twitter etc, Information is accessed simply at anywhere, anyhow by connecting our device with web. Cloud Computing is E-mail communication, predicated on web services used for storing, transferring Google Docs (word, spreadsheets etc), and lots of alternative operations associated with information. Security is the major issue in cloud Amazon MP3 (to keep music in cloud), computing. The different algorithms have been proposed to provide security to critical data. This paper gives a brief Apple iCloud (works with Apple products) and introduction to some existing security algorithms in Cloud DropBox Computing. There is an absence of actual definition of cloud General Terms computing. Certainly, the dearth of a regular definition of Cloud Computing, Security issues and Security cloud computing has generated a good quantity of algorithms. confusion. There appears to be several definitions of cloud computing. The United States National Institute of 1. INTRODUCTION Standards and Technology (NIST) has printed a working The term cloud refers to a network of remote servers definition that appears to have captured the normally hosted in the internet to store, manage and process data united aspects of cloud computing.
    [Show full text]
  • FORENSIC ANALYSIS of PGP-ENCRYPTED FILES (From 20Th May- 15Th July)
    SUMMER PROJECT REPORT Institute for Development and Research in Banking Technology (IDRBT) -Established by Reserve Bank of India, HYDERABAD FORENSIC ANALYSIS OF PGP-ENCRYPTED FILES (From 20th May- 15th July) Done By Vidya G, B.Tech Computer Science and Engineering, III Year Completed SASTRA UNIVERSITY (through Indian Academy of Sciences) Under the guidance of DR. B.M. MEHTRE, Associate Professor IDRBT, HYDERABAD 1 INSTITUTE FOR DEVELOPMENT AND RESEARCH IN BANKING TECHNOLOGY (IDRBT) Road No. 1, Castle Hills, Masab Tank, Hyderabad-500057 CERTIFICATE OF COMPLETION This is to certify that Miss Vidya G, pursuing B. Tech degree in the Department of Computer Science and Engineering at SASTRA University, Thanjavur, Tamil Nadu, has undertaken a project as an intern in the Institute for Development and Research in Banking Technology (IDRBT), Hyderabad from 20th May, 2013 to 15th July, 2013. She was assigned the project “FORENSIC ANALYSIS OF PGP ENCRYPTED FILES” which she completed successfully under my guidance at IDRBT. We wish her all the best for a bright future. Dr. B.M.MEHTRE (Project Guide) Associate Professor IDRBT, Hyderabad 2 ACKNOWLEDGEMENT I would like to express my sincere gratitude to the Institute for Development and Research in Banking Technology (IDRBT) and particularly Dr. B.M. Mehtre who was my guide for this project. This opportunity of learning about forensic analysis and cryptographic challenges was a boon to me as one rarely gets such exposure. I would like to add that this short period in IDRBT has added a different facet to my life as this is a unique organization being a combination of academics, research, technology, communication services, crucial applications, etc.
    [Show full text]
  • An Introduction to Cryptography Copyright © 1990–2000 Network Associates, Inc
    An Introduction to Cryptography Copyright © 1990–2000 Network Associates, Inc. and its Affiliated Companies. All Rights Reserved. PGP*, Version 7.0 09-00. Printed in the United States of America. PGP, Pretty Good, and Pretty Good Privacy are registered trademarks of Network Associates, Inc. and/or its Affiliated Companies in the US and other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. Portions of this software may use public key algorithms described in U.S. Patent numbers 4,200,770, 4,218,582, 4,405,829, and 4,424,414, licensed exclusively by Public Key Partners; the IDEA(tm) cryptographic cipher described in U.S. patent number 5,214,703, licensed from Ascom Tech AG; and the Northern Telecom Ltd., CAST Encryption Algorithm, licensed from Northern Telecom, Ltd. IDEA is a trademark of Ascom Tech AG. Network Associates Inc. may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents. The compression code in PGP is by Mark Adler and Jean-Loup Gailly, used with permission from the free Info-ZIP implementation. LDAP software provided courtesy University of Michigan at Ann Arbor, Copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/). Copyright © 1995-1999 The Apache Group. All rights reserved. See text files included with the software or the PGP web site for further information.
    [Show full text]