Wiley Publishing, Inc.

CISSP

®

Certified Information Systems
Security Professional

Study Guide

Fourth Edition

James Michael Stewart
Ed Tittel
Mike Chapple

76884ffirs.fm Page iii Wednesday, May 21, 2008 10:51 PM

76884ffirs.fm Page ii Wednesday, May 21, 2008 10:51 PM

CISSP

®

Certified Information Systems
Security Professional

Study Guide

Fourth Edition

76884ffirs.fm Page i Wednesday, May 21, 2008 10:51 PM

76884ffirs.fm Page ii Wednesday, May 21, 2008 10:51 PM

Wiley Publishing, Inc.

CISSP

®

Certified Information Systems
Security Professional

Study Guide

Fourth Edition

James Michael Stewart
Ed Tittel
Mike Chapple

76884ffirs.fm Page iii Wednesday, May 21, 2008 10:51 PM

Acquisitions Editor: Jeff Kellum
Development Editor: Allegro Editorial Services
Technical Editor: Michael Gregg
Production Editor: Rachel McConlogue

Copy Editor: Kim Wimpsett
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Executive Publisher: Joseph B. Wikert
Vice President and Publisher: Neil Edde
Media Associate Project Manager: Laura Moss-Hollister
Media Assistant Producer: Kit Malone
Media Quality Assurance: Josh Frank
Book Designers: Judy Fung and Bill Gibson
Compositor: Craig J. Woods, Happenstance Type-O-Rama
Proofreaders: Sondra Schneider and Nancy Bell
Indexer: Jack Lewis
Cover Designer: Ryan Sneed
Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-0-470-27688-4
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections
107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or
authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood
Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should
be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256,
(317) 572-3447, fax (317) 572-4355, or online at

/>
.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with
respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including
without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales
or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This

work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other pro-
fessional services. If professional assistance is required, the services of a competent professional person should be
sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organi-
zation or Website is referred to in this work as a citation and/or a potential source of further information does not
mean that the author or the publisher endorses the information the organization or Website may provide or recom-
mendations it may make. Further, readers should be aware that Internet Websites listed in this work may have
changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer
Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be avail-
able in electronic books.
Library of Congress Cataloging-in-Publication Data is available from the publisher.
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley
& Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written per-
mission. CISSP is a registered trademark of International Information Systems Security Certification Consortium,
Inc. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with
any product or vendor mentioned in this book.
10 9 8 7 6 5 4 3 2 1

76884ffirs.fm Page iv Wednesday, May 21, 2008 10:51 PM

Dear Reader,
Thank you for choosing

CISSP: Certified Information Systems Security Professional Study
Guide.

This book is part of a family of premium quality Sybex books, all written by out-
standing authors who combine practical experience with a gift for teaching.
Sybex was founded in 1976. More than thirty years later, we’re still committed to producing

consistently exceptional books. With each of our titles we’re working hard to set a new standard
for the industry. From the paper we print on, to the authors we work with, our goal is to bring
you the best books available.
I hope you see all that reflected in these pages. I’d be very interested to hear your comments
and get your feedback on how we’re doing. Feel free to let me know what you think about
this or any other Sybex book by sending me an email at



, or if you think
you’ve found a technical error in this book, please visit



.
Customer feedback is critical to our efforts at Sybex.
Best regards,
Neil Edde
Vice President & Publisher
Sybex, an imprint of Wiley

76884ffirs.fm Page v Wednesday, May 21, 2008 10:51 PM

To Cathy, whenever there is trouble, just remember “Some beach, somewhere….”
—James Michael Stewart
To my family: Renee, Richard, Matthew, and Christopher, who lovingly put up
with me during the hours I spent buried in my laptop writing this book.
—Mike Chapple

76884ffirs.fm Page vi Wednesday, May 21, 2008 10:51 PM


Acknowledgments

I hope our efforts to improve this study guide will lend themselves handily to your understand-
ing and comprehension of the wide berth of CISSP concepts. I’d like to express my thanks to
Sybex for continuing to support this project. Thanks to Ed Tittel and Mike Chapple for con-
tinuing to contribute to this project. Also thanks to all my CISSP course students who have
provided their insight and input to improve my training courseware and ultimately this tome.
To my wonderful wife, Cathy, our life together is just getting started. To my son, Xzavier
Slayde, may you grow to be more than we could imagine. To my parents, Dave and Sue,
thanks for your love and consistent support. To Mark, as best friends go, it could’ve been
worse. And finally, as always, to Elvis—all hail the King!
—James Michael Stewart
Thanks to both Michael Stewart and Mike Chapple for keeping me involved in this inter-
esting project. I’m glad Michael has had the opportunity to keep teaching CISSP courses and
provide us all with a lifeline to the hard-working professionals in the trenches for whom this
credential can mean so much. Congrats also to Michael on the latest addition to his family; my
son, Gregory, just turned four and it seems like only last month we brought him home from
the hospital. May the months and years slip by as pleasantly and painlessly for you as they
have for us. Next, thanks to the folks at Sybex, especially Jeff Kellum for rounding us all up
and keeping us headed in the same direction and for his excellent view of where we need to
take this book. Finally, I’d like to thank my loving and lovely wife, Dina, for putting up with
me and for making our lives together both comfortable and interesting.
—Ed Tittel
Special thanks go to the information security team at the University of Notre Dame.
Gary Dobbins, Bob Winding, David Seidl, and Robert Riley provided hours of interesting
conversation and debate on security issues that inspired and informed much of the mate-
rial in this book.
I would like to thank Jeff Kellum, our editor at Wiley, and the people at Allegro Editorial
Services, who provided invaluable assistance throughout the book development process. I

also owe a debt of gratitude to my literary agent, Carole Jelen of Waterside Productions. My
coauthors, Ed Tittel and James Michael Stewart, have worked with me ever since we pub-
lished the first edition of this book together five years ago. I’d also like to thank the many
people who participated in the production of this book but whom I never had the chance to
meet: the graphics team, the production staff, and all of those involved in bringing this book
to press.
—Mike Chapple

76884ffirs.fm Page vii Wednesday, May 21, 2008 10:51 PM

About the Authors

James Michael Stewart

, CISSP, has been writing and training for more than 14 years, with
a current focus on security. He has taught dozens of CISSP training courses, not to mention
numerous sessions on Windows security and the Certified Ethical Hacker certification. He is
the author of several books and courseware sets on security certification, Microsoft topics,
and network administration. More information about Michael can be found at his website:

www.impactonline.com

.

Ed Tittel

is a full-time freelance writer, trainer, and consultant specializing in matters related to
information security, markup languages, and networking technologies. He is a regular contributor
to numerous TechTarget websites; teaches online security and technology courses for companies
including HP, Sony, and Motorola; and writes regularly for Tom’s Hardware. Ed’s professional

bio and other information are available at

www.edtittel.com

.

Mike Chapple

, CISSP, is an IT security professional with the University of Notre Dame.
In the past, he was chief information officer of Brand Institute and an information security
researcher with the National Security Agency and the U.S. Air Force. His primary areas of
expertise include network intrusion detection and access controls. Mike is a frequent con-
tributor to TechTarget’s SearchSecurity site, a technical editor for

Information Security


magazine, and the author of several information security titles including

The GSEC Prep
Guide

from Wiley and

Information Security Illuminated

from Jones and Bartlett Publishers.

76884ffirs.fm Page viii Wednesday, May 21, 2008 10:51 PM


Contents at a Glance

Introduction xxvii
Assessment Test xxxv

Chapter 1

Accountability and Access Control 1

Chapter 2

Attacks and Monitoring 45

Chapter 3

ISO Model, Protocols, Network Security,
and Network Infrastructure 77

Chapter 4

Communications Security and Countermeasures 139

Chapter 5

Security Management Concepts and Principles 179

Chapter 6

Asset Value, Policies, and Roles 205


Chapter 7

Data and Application Security Issues 243

Chapter 8

Malicious Code and Application Attacks 293

Chapter 9

Cryptography and Private Key Algorithms 333

Chapter 10

PKI and Cryptographic Applications 375

Chapter 11

Principles of Computer Design 411

Chapter 12

Principles of Security Models 451

Chapter 13

Administrative Management 495

Chapter 14


Auditing and Monitoring 527

Chapter 15

Business Continuity Planning 563

Chapter 16

Disaster Recovery Planning 591

Chapter 17

Law and Investigations 629

Chapter 18

Incidents and Ethics 665

Chapter 19

Physical Security Requirements 691

Appendix

About the Companion CD 725

Glossary

729


Index 795

76884ffirs.fm Page ix Wednesday, May 21, 2008 10:51 PM

76884ffirs.fm Page x Wednesday, May 21, 2008 10:51 PM

Contents

Introduction xxvii
Assessment Test xxxv

Chapter 1 Accountability and Access Control 1

Access Control Overview 2
Types of Access Control 2
Access Control in a Layered Environment 4
The Process of Accountability 5
Identification and Authentication Techniques 9
Passwords 10
Biometrics 13
Tokens 18
Tickets 20
Single Sign-On 20
Access Control Techniques 23
Discretionary Access Controls 23
Nondiscretionary Access Controls 23
Mandatory Access Controls 24
Role-Based Access Control 25
Lattice-Based Access Controls 26
Access Control Methodologies and Implementation 27

Centralized and Decentralized Access Control 27
RADIUS and TACACS 28
Access Control Administration 29
Account Administration 29
Account, Log, and Journal Monitoring 30
Access Rights and Permissions 30
Summary 34
Exam Essentials 35
Writt

e

n Lab 37
Answers to Written Lab 38
Review Questions 39
Answers to Review Questions 43

Chapter 2 Attacks and Monitoring 45

Monitoring 46
Intrusion Detection 47
Host-Based and Network-Based IDSs 50
Knowledge-Based and Behavior-Based Detection 51

76884.book Page xi Tuesday, May 20, 2008 10:47 AM

xii

Contents


IDS-Related Tools 52
Understanding Honey Pots 52
Understanding Padded Cells 53
Understanding Vulnerability Scanners 53
Penetration Testing 54
Methods of Attack 55
Brute-Force and Dictionary Attacks 56
Denial-of-Service Attacks 58
Spoofing Attacks 62
Man-in-the-Middle Attacks 63
Sniffer Attacks 64
Spamming Attacks 64
Crackers, Hackers, and Attackers 64
Access Control Compensations 65
Summary 65
Exam Essentials 66
Written Lab 68
Answers to Written Lab 69
Review Questions 70
Answers to Review Questions 74

Chapter 3 ISO Model, Protocols, Network Security,
and Network Infrastructure 77

OSI Model 78
History of the OSI Model 78
OSI Functionality 79
Encapsulation/Deencapsulation 80
OSI Layers 81
TCP/IP Model 87

Communications and Network Security 88
Network Cabling 88
LAN Technologies 99
Network Topologies 103
TCP/IP Overview 105
Internet/Intranet/Extranet Components 116
Firewalls 116
Other Network Devices 119
Remote Access Security Management 123
Network and Protocol
Security Mechanisms 124
Secure Communications Protocols 124
Dial-Up Protocols 125
Authentication Protocols 126
Centralized Remote Authentication Services 126

76884.book Page xii Tuesday, May 20, 2008 10:47 AM

Contents

xiii

Avoiding Single Points of Failure 127
Redundant Servers 127
Failover Solutions 127
RAID 128
Summary 129
Exam Essentials 130
Written Lab 131
Answers to Written Lab 132

Review Questions 133
Answers to Review Questions 137

Chapter 4 Communications Security and Countermeasures 139

Virtual Private Network (VPN) 140
Tunneling 141
How VPNs Work 142
Implementing VPNs 142
Network Address Translation 144
Private IP Addresses 145
Stateful NAT 146
Static and Dynamic NAT 146
Automatic Private IP Addressing (APIPA) 147
Switching Technologies 147
Circuit Switching 148
Packet Switching 148
Virtual Circuits 149
WAN Technologies 149
WAN Connection Technologies 151
Dial-Up Encapsulation Protocols 154
Miscellaneous Security Control Characteristics 154
Transparency 154
Verifying Integrity 154
Transmission Mechanisms 155
Managing Email Security 156
Email Security Goals 156
Understanding Email Security Issues 157
Email Security Solutions 158
Securing Voice Communications 160

Social Engineering 160
Fraud and Abuse 161
Phreaking 162
Security Boundaries 163
Network Attacks and Countermeasures 164
Eavesdropping 164
Second-Tier Attacks 165

76884.book Page xiii Tuesday, May 20, 2008 10:47 AM

xiv

Contents

Summary 168
Exam Essentials 169
Written Lab 171
Answers to Written Lab 172
Review Questions 173
Answers to Review Questions 177

Chapter 5 Security Management Concepts and Principles 179

Security Management Concepts and Principles 180
Confidentiality 180
Integrity 181
Availability 183
Other Security Concepts 183
Protection Mechanisms 187
Layering 187

Abstraction 188
Data Hiding 188
Encryption 188
Change Control/Management 189
Data Classification 190
Planning to Plan 193
Summary 193
Exam Essentials 195
Written Lab 196
Answers to Written Lab 197
Review Questions 198
Answers to Review Questions 202

Chapter 6 Asset Value, Policies, and Roles 205

Employment Policies and Practices 206
Security Management for Employees 206
Security Roles 211
Security Management Planning 212
Policies, Standards, Baselines, Guidelines, and Procedures 214
Security Policies 214
Security Standards, Baselines, and Guidelines 215
Security Procedures 216
Risk Management 217
Risk Terminology 218
Risk Assessment Methodologies 220
Quantitative Risk Analysis 223
Qualitative Risk Analysis 227
Handling Risk 229


76884.book Page xiv Tuesday, May 20, 2008 10:47 AM

Contents

xv

Security Awareness Training 230
Summary 231
Exam Essentials 233
Written Lab 235
Answers to Written Lab 236
Review Questions 237
Answers to Review Questions 241

Chapter 7 Data and Application Security Issues 243

Application Issues 244
Local/Nondistributed Environment 244
Distributed Environment 246
Databases and Data Warehousing 250
Database Management System (DBMS) Architecture 250
Database Transactions 254
Security for Multilevel Databases 255
ODBC 257
Aggregation 257
Data Mining 259
Data/Information Storage 260
Types of Storage 260
Storage Threats 261
Knowledge-Based Systems 261

Expert Systems 262
Neural Networks 263
Decision Support Systems 263
Security Applications 264
Systems Development Controls 264
Software Development 264
Systems Development Life Cycle 269
Life Cycle Models 272
Gantt Charts and PERT 277
Change Control and Configuration Management 278
Software Testing 279
Security Control Architecture 280
Service-Level Agreements 283
Summary 283
Exam Essentials 284
Written Lab 285
Answers to Written Lab 286
Review Questions 287
Answers to Review Questions 291

76884.book Page xv Tuesday, May 20, 2008 10:47 AM

xvi

Contents

Chapter 8 Malicious Code and Application Attacks 293

Malicious Code 294
Sources 294

Viruses 295
Logic Bombs 300
Trojan Horses 300
Worms 301
Spyware and Adware 303
Active Content 303
Countermeasures 304
Password Attacks 305
Password Guessing 305
Dictionary Attacks 306
Social Engineering 307
Countermeasures 307
Denial-of-Service Attacks 308
SYN Flood 308
Distributed DoS Toolkits 309
Smurf 309
DNS Amplification Attacks 311
Teardrop 311
Land 313
DNS Poisoning 313
Ping of Death 314
Application Attacks 314
Buffer Overflows 314
Time-of-Check-to-Time-of-Use 315
Trap Doors 315
Rootkits 315
Web Application Security 316
Cross-Site Scripting (XSS) 316
SQL Injection 317
Reconnaissance Attacks 319

IP Probes 319
Port Scans 320
Vulnerability Scans 320
Dumpster Diving 320
Masquerading Attacks 321
IP Spoofing 321
Session Hijacking 321
Decoy Techniques 322
Honey Pots 322
Pseudoflaws 322

76884.book Page xvi Tuesday, May 20, 2008 10:47 AM

Contents

xvii

Summary 323
Exam Essentials 323
Written Lab 324
Answers to Written Lab 325
Review Questions 326
Answers to Review Questions 330

Chapter 9 Cryptography and Private Key Algorithms 333

Historical Milestones in Cryptography 334
Caesar Cipher 334
American Civil War 335
Ultra vs. Enigma 335

Cryptographic Basics 336
Goals of Cryptography 336
Cryptography Concepts 337
Cryptographic Mathematics 339
Ciphers 345
Modern Cryptography 351
Cryptographic Keys 351
Symmetric Key Algorithms 352
Asymmetric Key Algorithms 353
Hashing Algorithms 356
Symmetric Cryptography 357
Data Encryption Standard 357
Triple DES 359
International Data Encryption Algorithm 360
Blowfish 360
Skipjack 361
Advanced Encryption Standard 361
Key Distribution 363
Key Escrow 364
Summary 365
Exam Essentials 365
Written Lab 367
Answers to Written Lab 368
Review Questions 369
Answers to Review Questions 373

Chapter 10 PKI and Cryptographic Applications 375

Asymmetric Cryptography 376
Public and Private Keys 377

RSA 377
El Gamal 379
Elliptic Curve 379

76884.book Page xvii Tuesday, May 20, 2008 10:47 AM

xviii

Contents

Hash Functions 380
SHA 381
MD2 382
MD4 382
MD5 383
Digital Signatures 384
HMAC 385
Digital Signature Standard 385
Public Key Infrastructure 386
Certificates 386
Certificate Authorities 387
Certificate Generation and Destruction 388
Key Management 390
Applied Cryptography 390
Electronic Mail 391
Web 393
E-commerce 394
Networking 395
Cryptographic Attacks 399
Summary 400

Exam Essentials 401
Written Labs 402
Answers to Written Labs 403
Review Questions 404
Answers to Review Questions 408

Chapter 11 Principles of Computer Design 411

Computer Architecture 413
Hardware 413
Input/Output Structures 432
Firmware 434
Security Protection Mechanisms 434
Technical Mechanisms 435
Security Policy and Computer Architecture 437
Policy Mechanisms 438
Distributed Architecture 439
Summary 441
Exam Essentials 441
Written Lab 443
Answers to Written Lab 444
Review Questions 445
Answers to Review Questions 449

76884.book Page xviii Tuesday, May 20, 2008 10:47 AM

Contents

xix


Chapter 12 Principles of Security Models 451

Security Models 453
Trusted Computing Base (TCB) 454
State Machine Model 455
Information Flow Model 455
Noninterference Model 456
Take-Grant Model 456
Access Control Matrix 457
Bell-LaPadula Model 458
Biba Model 460
Clark-Wilson Model 461
Brewer and Nash Model (aka Chinese Wall) 462
Objects and Subjects 462
Closed and Open Systems 463
Techniques for Ensuring Confidentiality,
Integrity, and Availability 463
Controls 464
Trust and Assurance 465
Understanding System Security Evaluation 466
Rainbow Series 466
ITSEC Classes and Required Assurance and Functionality 471
Common Criteria 472
Certification and Accreditation 475
Common Flaws and Security Issues 478
Covert Channels 478
Attacks Based on Design or Coding Flaws and
Security Issues 479
Programming 482
Timing, State Changes, and Communication Disconnects 482

Electromagnetic Radiation 483
Summary 483
Exam Essentials 484
Written Lab 486
Answers to Written Lab 487
Review Questions 488
Answers to Review Questions 492

Chapter 13 Administrative Management 495

Operations Security Concepts 496
Antivirus Management 496
Operational Assurance and Life Cycle Assurance 498
Backup Maintenance 499
Changes in Workstation/Location 499

76884.book Page xix Tuesday, May 20, 2008 10:47 AM

xx

Contents

Need to Know and the Principle of Least Privilege 500
Privileged Operations Functions 501
Trusted Recovery 502
Configuration and Change Management Control 503
Standards of Due Care and Due Diligence 504
Privacy and Protection 505
Legal Requirements 505
Illegal Activities 505

Record Retention 505
Sensitive Information and Media 506
Security Control Types 509
Operations Controls 510
Personnel Controls 513
Summary 514
Exam Essentials 516
Written Lab

518

Answers to Written Lab

519

Review Questions 520
Answers to Review Questions 524

Chapter 14 Auditing and Monitoring 527

Auditing 528
Auditing Basics 528
Audit Trails 530
Reporting Concepts 532
Sampling 532
Record Retention 533
External Auditors 534
Monitoring 535
Monitoring Tools and Techniques 535
Penetration-Testing Techniques 537

Planning Penetration Testing 538
Penetration Testing Teams 539
Ethical Hacking 540
War Dialing 540
Sniffing and Eavesdropping 541
Radiation Monitoring 542
Dumpster Diving 542
Social Engineering 543
Problem Management 544
Inappropriate Activities 544
Indistinct Threats and Countermeasures 545
Errors and Omissions 545
Fraud and Theft 545

76884.book Page xx Tuesday, May 20, 2008 10:47 AM

Contents

xxi

Collusion 546
Sabotage 547
Loss of Physical and Infrastructure Support 547
Malicious Attackers 548
Espionage 548
Malicious Code 549
Traffic and Trend Analysis 550
Initial Program Load Vulnerabilities 550
Summary 551
Exam Essentials 552

Written Lab 555
Answers to Written Lab 556
Review Questions 557
Answers to Review Questions 561

Chapter 15 Business Continuity Planning 563

Business Continuity Planning 564
Project Scope and Planning 565
Business Organization Analysis 566
BCP Team Selection 566
Resource Requirements 567
Legal and Regulatory Requirements 569
Business Impact Assessment 570
Identify Priorities 571
Risk Identification 572
Likelihood Assessment 572
Impact Assessment 573
Resource Prioritization 575
Continuity Planning 575
Strategy Development 576
Provisions and Processes 576
Plan Approval 578
Plan Implementation 578
Training and Education 578
BCP Documentation 579
Continuity Planning Goals 579
Statement of Importance 579
Statement of Priorities 579
Statement of Organizational Responsibility 580

Statement of Urgency and Timing 580
Risk Assessment 580
Risk Acceptance/Mitigation 580
Vital Records Program 581
Emergency-Response Guidelines 581

76884.book Page xxi Tuesday, May 20, 2008 10:47 AM

xxii

Contents

Maintenance 581
Testing 581
Summary 582
Exam Essentials 582
Written Lab 583
Answers to Written Lab 584
Review Questions 585
Answers to Review Questions 589

Chapter 16 Disaster Recovery Planning 591

The Nature of Disaster 592
Natural Disasters 593
Man-Made Disasters 597
Recovery Strategy 602
Business Unit Priorities 602
Crisis Management 602
Emergency Communications 603

Work Group Recovery 603
Alternate Processing Sites 604
Mutual Assistance Agreements 607
Database Recovery 608
Recovery Plan Development 610
Emergency Response 610
Personnel Notification 611
Backups and Off-Site Storage 612
Software Escrow Arrangements 615
External Communications 616
Utilities 616
Logistics and Supplies 616
Recovery vs. Restoration 616
Training and Documentation 617
Testing and Maintenance 618
Checklist Test 618
Structured Walk-Through 619
Simulation Test 619
Parallel Test 619
Full-Interruption Test 619
Maintenance 619
Summary 620
Exam Essentials 621
Written Lab 621
Answers to Written Lab 622
Review Questions 623
Answers to Review Questions 627

76884.book Page xxii Tuesday, May 20, 2008 10:47 AM