CISSP®: Certified Information Systems Security Professional Study Guide, 2nd Edition
Ed Tittel
James Michael Stewart
Mike Chapple
San Francisco • London
Associate Publisher: Neil Edde
Acquisitions and Developmental Editor: Heather O’Connor
Production Editor: Lori Newman
Technical Editor: Patrick Bass
Copyeditor: Judy Flynn
Compositor: Craig Woods, Happenstance Type-O-Rama
Graphic Illustrator: Happenstance Type-O-Rama
CD Coordinator: Dan Mummert
CD Technician: Kevin Ly
Proofreaders: Laurie O’Connell, Nancy Riddiough
Indexer: Ted Laux
Book Designer: Bill Gibson, Judy Fung
Cover Designer: Archer Design
Cover Photographer: Victor Arre, Photodisc
Copyright © 2004 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No
part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but
not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher.
First edition copyright © 2003 SYBEX Inc.
Library of Congress Card Number: 2003115091
ISBN: 0-7821-4335-0
SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States
and/or other countries.
Screen reproductions produced with FullShot 99. FullShot 99 © 1991–1999 Inbit Incorporated. All rights reserved.
FullShot is a trademark of Inbit Incorporated.
The CD interface was created using Macromedia Director, COPYRIGHT 1994, 1997–1999 Macromedia Inc.
For more information on Macromedia and Macromedia Director, visit .
This study guide and/or material is not sponsored by, endorsed by or affiliated with International Information
Systems Security Certification Consortium, Inc. (ISC)2® and CISSP® are registered service and/or trademarks of
the International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners.
TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from
descriptive terms by following the capitalization style used by the manufacturer.
The author and publisher have made their best efforts to prepare this book, and the content is based upon final
release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied
by software manufacturer(s). The author and the publisher make no representation or warranties of any kind
with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including
but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of
any kind caused or alleged to be caused directly or indirectly from this book.
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
To Our Valued Readers:
Thank you for looking to Sybex for your CISSP exam prep needs. We at Sybex are proud of
our reputation for providing certification candidates with the practical knowledge and skills
needed to succeed in the highly competitive IT marketplace. Certification candidates have
come to rely on Sybex for accurate and accessible instruction on today’s crucial technologies.
For the second year in a row, readers such as you voted Sybex as winner of the “Best Study
Guides” category in the 2003 CertCities Readers Choice Awards.
The author and editors have worked hard to ensure that the new edition of the CISSP®: Certified Information Systems Security Professional Study Guide you hold in your hands is comprehensive, in-depth, and pedagogically sound. We’re confident that this book will exceed the
demanding standards of the certification marketplace and help you, the CISSP certification
candidate, succeed in your endeavors.
As always, your feedback is important to us. If you believe you’ve identified an error in the
book, please send a detailed e-mail to And if you have general comments or suggestions, feel free to drop me a line directly at At Sybex we’re
continually striving to meet the needs of individuals preparing for certification exams.
Good luck in pursuit of your CISSP certification!
Neil Edde
Associate Publisher—Certification
Sybex, Inc.
Software License Agreement: Terms and Conditions
The media and/or any online materials accompanying
this book that are available now or in the future contain
programs and/or text files (the “Software”) to be used in
connection with the book. SYBEX hereby grants to you
a license to use the Software, subject to the terms that
follow. Your purchase, acceptance, or use of the Software will constitute your acceptance of such terms.
The Software compilation is the property of SYBEX
unless otherwise indicated and is protected by copyright
to SYBEX or other copyright owner(s) as indicated in
the media files (the “Owner(s)”). You are hereby
granted a single-user license to use the Software for your
personal, noncommercial use only. You may not reproduce, sell, distribute, publish, circulate, or commercially
exploit the Software, or any portion thereof, without the
written consent of SYBEX and the specific copyright
owner(s) of any component software included on this
media.
In the event that the Software or components include
specific license requirements or end-user agreements,
statements of condition, disclaimers, limitations or warranties (“End-User License”), those End-User Licenses
supersede the terms and conditions herein as to that particular Software component. Your purchase, acceptance, or use of the Software will constitute your
acceptance of such End-User Licenses.
By purchase, use or acceptance of the Software you further agree to comply with all export laws and regulations of the United States as such laws and regulations
may exist from time to time.
Software Support
Components of the supplemental Software and any
offers associated with them may be supported by the
specific Owner(s) of that material, but they are not supported by SYBEX. Information regarding any available
support may be obtained from the Owner(s) using the
information provided in the appropriate read.me files or
listed elsewhere on the media.
Should the manufacturer(s) or other Owner(s) cease to
offer support or decline to honor any offer, SYBEX
bears no responsibility. This notice concerning support
for the Software is provided for your information only.
SYBEX is not the agent or principal of the Owner(s),
and SYBEX is in no way responsible for providing any
support for the Software, nor is it liable or responsible
for any support provided, or not provided, by the
Owner(s).
Warranty
SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Software is not available from SYBEX in any
other form or media than that enclosed herein or posted
to www.sybex.com. If you discover a defect in the media
during this warranty period, you may obtain a replacement of identical format at no charge by sending the
defective media, postage prepaid, with proof of purchase to:
SYBEX Inc.
Product Support Department
1151 Marina Village Parkway
Alameda, CA 94501
Web:
After the 90-day period, you can obtain replacement
media of identical format by sending us the defective
disk, proof of purchase, and a check or money order for
$10, payable to SYBEX.
Disclaimer
SYBEX makes no warranty or representation, either
expressed or implied, with respect to the Software or its
contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX,
its distributors, or dealers be liable to you or any other
party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of
the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further
disclaims any obligation to provide this feature for any
specific duration other than the initial posting.
The exclusion of implied warranties is not permitted by
some states. Therefore, the above exclusion may not
apply to you. This warranty provides you with specific
legal rights; there may be other rights that you may have
that vary from state to state. The pricing of the book
with the Software by SYBEX reflects the allocation of
risk and limitations on liability contained in this agreement of Terms and Conditions.
Shareware Distribution
This Software may contain various programs that are
distributed as shareware. Copyright laws apply to both
shareware and ordinary commercial software, and the
copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to
register it. Individual programs differ on details of trial
periods, registration, and payment. Please observe the
requirements stated in appropriate files.
Copy Protection
The Software in whole or in part may or may not be
copy-protected or encrypted. However, in all cases,
reselling or redistributing these files without authorization is expressly forbidden except as specifically provided for by the Owner(s) therein.
Acknowledgments
Thanks to Neil Edde and Jordan Gold at Sybex for helping us hook up with this project;
thanks also to Rodnay Zaks for numerous fine gastronomic experiences and for an even greater
number of good ideas. But Neil wins the “great gastronomy prize” for taking me to Chez
Panisse for lunch the last time I visited Sybex’s Alameda offices. Thanks to my mom and dad
for providing me with the basic tools to become a writer and trainer: an inquiring mind, plus
good verbal and debating skills. Thanks to Dina Kutueva, not just for marrying me and completing my life, but also for her magnificent efforts and sacrifices in delivering our beautiful son,
Gregory E. Tittel, in February 2004. You rule my world! And finally, thanks to the whole historical LANWrights gang—Dawn, Mary, Kim, Bill, Chelsea, Natanya, and Michael—for 10
great years of camaraderie, collaboration, and the occasional success. You guys are the greatest;
I couldn’t have done it without you! I'm sorry we haven't all been able to stay together, but I'll
always value our time together and our continuing friendships.
—Ed Tittel
Thanks to Ed Tittel and LANWrights, Inc. for allowing me to contribute to the revision of
this book. Working with you guys is and always has been a pleasure. Thanks to my editor Dawn
Rader for putting up with my bad grammar. Thanks to my third co-author, Mike Chapple, for
helping make this book all it could be. To my parents, Dave and Sue, thanks for your love and
consistent support. To my sister Sharon and nephew Wesley, it’s great having family like you
to spend time with. To Mark, it’s time we both got a life. To HERbert and Quin, it’s great having two furry friends around the house. And finally, as always, to Elvis—where did you get that
shiny gold suit? I want to wear it around town to blind anyone who gazes in my direction.
—James Michael Stewart
I’d like to thank Ed Tittel, Dawn Rader, and the team at LANWrights, Inc. for their assistance with this project. I also owe a debt of gratitude to the countless technical experts in government and industry who’ve patiently answered my questions and fueled my passion for
security over the years. Above all, I’d like to thank my wife Renee for her undying patience as
I worked on this book. Without her support, this never would have been possible.
—Mike Chapple
Contents at a Glance

Introduction  xxiii
Assessment Test  xxx
Chapter 1  Accountability and Access Control  1
Chapter 2  Attacks and Monitoring  31
Chapter 3  ISO Model, Network Security, and Protocols  55
Chapter 4  Communications Security and Countermeasures  99
Chapter 5  Security Management Concepts and Principles  129
Chapter 6  Asset Value, Policies, and Roles  149
Chapter 7  Data and Application Security Issues  179
Chapter 8  Malicious Code and Application Attacks  219
Chapter 9  Cryptography and Private Key Algorithms  253
Chapter 10  PKI and Cryptographic Applications  287
Chapter 11  Principles of Computer Design  317
Chapter 12  Principles of Security Models  361
Chapter 13  Administrative Management  395
Chapter 14  Auditing and Monitoring  421
Chapter 15  Business Continuity Planning  449
Chapter 16  Disaster Recovery Planning  475
Chapter 17  Law and Investigations  507
Chapter 18  Incidents and Ethics  541
Chapter 19  Physical Security Requirements  563
Glossary  591
Index  649
Contents

Introduction  xxiii
Assessment Test  xxx

Chapter 1  Accountability and Access Control  1
  Access Control Overview  2
  Types of Access Control  2
  Access Control in a Layered Environment  4
  The Process of Accountability  5
  Identification and Authentication Techniques  7
  Passwords  7
  Biometrics  10
  Tokens  13
  Tickets  14
  Access Control Techniques  15
  Access Control Methodologies and Implementation  17
  Centralized and Decentralized Access Control  17
  RADIUS and TACACS  18
  Access Control Administration  19
  Account Administration  19
  Account, Log, and Journal Monitoring  20
  Access Rights and Permissions  20
  Summary  21
  Exam Essentials  22
  Review Questions  24
  Answers to Review Questions  28

Chapter 2  Attacks and Monitoring  31
  Monitoring  32
  Intrusion Detection  33
  Host-Based and Network-Based IDSs  33
  Knowledge-Based and Behavior-Based Detection  35
  IDS-Related Tools  36
  Penetration Testing  37
  Methods of Attacks  37
  Brute Force and Dictionary Attacks  38
  Denial of Service  40
  Spoofing Attacks  43
  Man-in-the-Middle Attacks  43
  Sniffer Attacks  44
  Spamming Attacks  44
  Crackers  45
  Access Control Compensations  45
  Summary  45
  Exam Essentials  46
  Review Questions  49
  Answers to Review Questions  53

Chapter 3  ISO Model, Network Security, and Protocols  55
  OSI Model  56
  History of the OSI Model  56
  OSI Functionality  57
  Encapsulation/Deencapsulation  58
  OSI Layers  59
  TCP/IP Model  63
  Communications and Network Security  64
  Network Cabling  65
  LAN Technologies  68
  Network Topologies  71
  TCP/IP Overview  73
  Internet/Intranet/Extranet Components  78
  Firewalls  78
  Other Network Devices  81
  Remote Access Security Management  82
  Network and Protocol Security Mechanisms  83
  VPN Protocols  83
  Secure Communications Protocols  84
  E-Mail Security Solutions  84
  Dial-Up Protocols  85
  Authentication Protocols  85
  Centralized Remote Authentication Services  85
  Network and Protocol Services  86
  Frame Relay  87
  Other WAN Technologies  87
  Avoiding Single Points of Failure  88
  Redundant Servers  88
  Failover Solutions  89
  RAID  89
  Summary  91
  Exam Essentials  91
  Review Questions  93
  Answers to Review Questions  97

Chapter 4  Communications Security and Countermeasures  99
  Virtual Private Network (VPN)  100
  Tunneling  100
  How VPNs Work  101
  Implementing VPNs  102
  Network Address Translation  103
  Private IP Addresses  103
  Stateful NAT  103
  Switching Technologies  104
  Circuit Switching  104
  Packet Switching  104
  Virtual Circuits  105
  WAN Technologies  105
  WAN Connection Technologies  106
  Encapsulation Protocols  108
  Miscellaneous Security Control Characteristics  108
  Transparency  108
  Verifying Integrity  109
  Transmission Mechanisms  109
  Managing E-Mail Security  109
  E-Mail Security Goals  110
  Understanding E-Mail Security Issues  111
  E-Mail Security Solutions  111
  Securing Voice Communications  113
  Social Engineering  113
  Fraud and Abuse  114
  Phreaking  115
  Security Boundaries  115
  Network Attacks and Countermeasures  116
  Eavesdropping  116
  Second-Tier Attacks  117
  Address Resolution Protocol (ARP)  117
  Summary  118
  Exam Essentials  120
  Review Questions  122
  Answers to Review Questions  126

Chapter 5  Security Management Concepts and Principles  129
  Security Management Concepts and Principles  130
  Confidentiality  130
  Integrity  131
  Availability  132
  Other Security Concepts  133
  Protection Mechanisms  135
  Layering  136
  Abstraction  136
  Data Hiding  136
  Encryption  137
  Change Control/Management  137
  Data Classification  138
  Summary  140
  Exam Essentials  141
  Review Questions  143
  Answers to Review Questions  147

Chapter 6  Asset Value, Policies, and Roles  149
  Employment Policies and Practices  150
  Security Management for Employees  150
  Security Roles  153
  Policies, Standards, Baselines, Guidelines, and Procedures  154
  Security Policies  155
  Security Standards, Baselines, and Guidelines  155
  Security Procedures  156
  Risk Management  157
  Risk Terminology  157
  Risk Assessment Methodologies  159
  Quantitative Risk Analysis  161
  Qualitative Risk Analysis  163
  Handling Risk  165
  Security Awareness Training  166
  Security Management Planning  167
  Summary  167
  Exam Essentials  169
  Review Questions  172
  Answers to Review Questions  176

Chapter 7  Data and Application Security Issues  179
  Application Issues  180
  Local/Nondistributed Environment  180
  Distributed Environment  182
  Databases and Data Warehousing  186
  Database Management System (DBMS) Architecture  186
  Database Transactions  188
  Multilevel Security  189
  Aggregation  190
  Inference  190
  Polyinstantiation  191
  Data Mining  191
  Data/Information Storage  192
  Types of Storage  192
  Storage Threats  193
  Knowledge-Based Systems  193
  Expert Systems  194
  Neural Networks  195
  Security Applications  195
  Systems Development Controls  195
  Software Development  196
  Systems Development Life Cycle  198
  Life Cycle Models  201
  Change Control and Configuration Management  205
  Security Control Architecture  206
  Service Level Agreements  208
  Summary  209
  Exam Essentials  210
  Written Lab  211
  Review Questions  212
  Answers to Review Questions  216
  Answers to Written Lab  218

Chapter 8  Malicious Code and Application Attacks  219
  Malicious Code  220
  Sources  220
  Viruses  221
  Logic Bombs  226
  Trojan Horses  226
  Worms  227
  Active Content  228
  Countermeasures  229
  Password Attacks  230
  Password Guessing  230
  Dictionary Attacks  231
  Social Engineering  231
  Countermeasures  232
  Denial of Service Attacks  232
  SYN Flood  232
  Distributed DoS Toolkits  234
  Smurf  234
  Teardrop  236
  Land  237
  DNS Poisoning  237
  Ping of Death  238
  Application Attacks  238
  Buffer Overflows  238
  Time-of-Check-to-Time-of-Use  239
  Trap Doors  239
  Rootkits  239
  Reconnaissance Attacks  240
  IP Probes  240
  Port Scans  240
  Vulnerability Scans  240
  Dumpster Diving  241
  Masquerading Attacks  241
  IP Spoofing  241
  Session Hijacking  242
  Decoy Techniques  242
  Honey Pots  242
  Pseudo-Flaws  243
  Summary  243
  Exam Essentials  244
  Written Lab  245
  Review Questions  246
  Answers to Review Questions  250
  Answers to Written Lab  252

Chapter 9  Cryptography and Private Key Algorithms  253
  History  254
  Caesar Cipher  254
  American Civil War  255
  Ultra vs. Enigma  255
  Cryptographic Basics  256
  Goals of Cryptography  256
  Concepts  257
  Cryptographic Mathematics  258
  Ciphers  262
  Modern Cryptography  266
  Cryptographic Keys  266
  Symmetric Key Algorithms  267
  Asymmetric Key Algorithms  268
  Hashing Algorithms  270
  Symmetric Cryptography  271
  Data Encryption Standard (DES)  271
  Triple DES (3DES)  272
  International Data Encryption Algorithm (IDEA)  273
  Blowfish  274
  Skipjack  274
  Advanced Encryption Standard (AES)  275
  Key Distribution  275
  Key Escrow  277
  Summary  277
  Exam Essentials  278
  Written Lab  279
  Review Questions  280
  Answers to Review Questions  284
  Answers to Written Lab  286

Chapter 10  PKI and Cryptographic Applications  287
  Asymmetric Cryptography  288
  Public and Private Keys  288
  RSA  289
  El Gamal  291
  Elliptic Curve  291
  Hash Functions  292
  SHA  293
  MD2  293
  MD4  294
  MD5  294
  Digital Signatures  294
  HMAC  295
  Digital Signature Standard  296
  Public Key Infrastructure  297
  Certificates  297
  Certificate Authorities  298
  Certificate Generation and Destruction  298
  Key Management  300
  Applied Cryptography  300
  Electronic Mail  301
  Web  303
  E-Commerce  304
  Networking  305
  Cryptographic Attacks  307
  Summary  308
  Exam Essentials  309
  Review Questions  311
  Answers to Review Questions  315

Chapter 11  Principles of Computer Design  317
  Computer Architecture  319
  Hardware  319
  Input/Output Structures  337
  Firmware  338
  Security Protection Mechanisms  338
  Technical Mechanisms  338
  Security Policy and Computer Architecture  340
  Policy Mechanisms  341
  Distributed Architecture  342
  Security Models  344
  State Machine Model  344
  Bell-LaPadula Model  345
  Biba  346
  Clark-Wilson  347
  Information Flow Model  348
  Noninterference Model  348
  Take-Grant Model  349
  Access Control Matrix  349
  Brewer and Nash Model (a.k.a. Chinese Wall)  350
  Classifying and Comparing Models  350
  Summary  351
  Exam Essentials  352
  Review Questions  355
  Answers to Review Questions  359

Chapter 12  Principles of Security Models  361
  Common Security Models, Architectures, and Evaluation Criteria  362
  Trusted Computing Base (TCB)  363
  Security Models  364
  Objects and Subjects  366
  Closed and Open Systems  367
  Techniques for Ensuring Confidentiality, Integrity, and Availability  367
  Controls  368
  IP Security (IPSec)  369
  Understanding System Security Evaluation  370
  Rainbow Series  371
  ITSEC Classes and Required Assurance and Functionality  375
  Common Criteria  376
  Certification and Accreditation  379
  Common Flaws and Security Issues  380
  Covert Channels  380
  Attacks Based on Design or Coding Flaws and Security Issues  381
  Programming  384
  Timing, State Changes, and Communication Disconnects  384
  Electromagnetic Radiation  385
  Summary  385
  Exam Essentials  386
  Review Questions  388
  Answers to Review Questions  392

Chapter 13  Administrative Management  395
  Antivirus Management  396
  Operations Security Concepts  397
  Operational Assurance and Life Cycle Assurance  397
  Backup Maintenance  398
  Changes in Workstation/Location  398
  Need-to-Know and the Principle of Least Privilege  399
  Privileged Operations Functions  399
  Trusted Recovery  400
  Configuration and Change Management Control  400
  Standards of Due Care and Due Diligence  401
  Privacy and Protection  402
  Legal Requirements  402
  Illegal Activities  402
  Record Retention  403
  Sensitive Information and Media  403
  Security Control Types  405
  Operations Controls  406
  Personnel Controls  408
  Summary  409
  Exam Essentials  411
  Review Questions  414
  Answers to Review Questions  418

Chapter 14  Auditing and Monitoring  421
  Auditing  422
  Auditing Basics  422
  Audit Trails  424
  Reporting Concepts  425
  Sampling  426
  Record Retention  426
  External Auditors  427
  Monitoring  428
  Monitoring Tools and Techniques  428
  Penetration Testing Techniques  430
  War Dialing  431
  Sniffing and Eavesdropping  431
  Radiation Monitoring  432
  Dumpster Diving  432
  Social Engineering  433
  Problem Management  433
  Inappropriate Activities  434
  Indistinct Threats and Countermeasures  434
  Errors and Omissions  435
  Fraud and Theft  435
  Collusion  435
  Sabotage  435
  Loss of Physical and Infrastructure Support  435
  Malicious Hackers or Crackers  436
  Espionage  436
  Malicious Code  436
  Traffic and Trend Analysis  436
  Initial Program Load Vulnerabilities  437
  Summary  438
  Exam Essentials  439
  Review Questions  443
  Answers to Review Questions  447

Chapter 15  Business Continuity Planning  449
  Business Continuity Planning  450
  Project Scope and Planning  450
  Business Organization Analysis  451
  BCP Team Selection  451
  Resource Requirements  452
  Legal and Regulatory Requirements  453
  Business Impact Assessment  455
  Identify Priorities  456
  Risk Identification  456
  Likelihood Assessment  457
  Impact Assessment  457
  Resource Prioritization  458
  Continuity Strategy  459
  Strategy Development  459
  Provisions and Processes  460
  Plan Approval  461
  Plan Implementation  462
  Training and Education  462
  BCP Documentation  462
  Continuity Planning Goals  463
  Statement of Importance  463
  Statement of Priorities  463
  Statement of Organizational Responsibility  463
  Statement of Urgency and Timing  464
  Risk Assessment  464
  Risk Acceptance/Mitigation  464
  Vital Records Program  464
  Emergency Response Guidelines  465
  Maintenance  465
  Testing  465
  Summary  465
  Exam Essentials  466
  Review Questions  468
  Answers to Review Questions  472

Chapter 16  Disaster Recovery Planning  475
  Disaster Recovery Planning  476
  Natural Disasters  477
  Man-Made Disasters  481
  Recovery Strategy  485
  Business Unit Priorities  485
  Crisis Management  485
  Emergency Communications  486
  Work Group Recovery  486
  Alternate Processing Sites  486
  Mutual Assistance Agreements  489
  Database Recovery  489
  Recovery Plan Development  491
  Emergency Response  491
  Personnel Notification  492
  Backups and Offsite Storage  493
  Software Escrow Arrangements  494
  External Communications  495
  Utilities  495
  Logistics and Supplies  495
  Recovery vs. Restoration  495
  Training and Documentation  496
  Testing and Maintenance  496
  Checklist Test  497
  Structured Walk-Through  497
  Simulation Test  497
  Parallel Test  497
  Full-Interruption Test  498
  Maintenance  498
  Summary  498
  Exam Essentials  498
  Written Lab  499
  Review Questions  500
  Answers to Review Questions  504
  Answers to Written Lab  506

Chapter 17  Law and Investigations  507
  Categories of Laws  508
  Criminal Law  508
  Civil Law  509
  Administrative Law  510
  Laws  510
  Computer Crime  511
  Intellectual Property  514
  Licensing  519
  Import/Export  520
  Privacy  521
  Investigations  526
  Evidence  526
  Investigation Process  528
  Summary  530
  Exam Essentials  530
  Written Lab  532
  Review Questions  533
  Answers to Review Questions  537
  Answers to Written Lab  539

Chapter 18  Incidents and Ethics  541
  Major Categories of Computer Crime  542
  Military and Intelligence Attacks  543
  Business Attacks  543
  Financial Attacks  544
  Terrorist Attacks  544
  Grudge Attacks  545
  “Fun” Attacks  545
  Evidence  546
  Incident Handling  546
  Common Types of Incidents  547
  Response Teams  549
  Abnormal and Suspicious Activity  549
  Confiscating Equipment, Software, and Data  550
  Incident Data Integrity and Retention  551
  Reporting Incidents  551
  Ethics  552
  (ISC)2 Code of Ethics  552
  Ethics and the Internet  553
  Summary  554
  Exam Essentials  555
  Review Questions  557
  Answers to Review Questions  561

Chapter 19  Physical Security Requirements  563
  Facility Requirements  564
  Secure Facility Plan  565
  Physical Security Controls  565
  Site Selection  565
  Visibility  565
  Accessibility  566
  Natural Disasters  566
  Facility Design  566
  Work Areas  566
  Server Rooms  567
  Visitors  567
  Forms of Physical Access Controls  568
  Fences, Gates, Turnstiles, and Mantraps  568
  Lighting  568
  Security Guards and Dogs  569
  Keys and Combination Locks  570
  Badges  570
  Motion Detectors  571
  Intrusion Alarms  571
  Secondary Verification Mechanisms  571
  Technical Controls  572
  Smart Cards  572
  Proximity Readers  572
  Access Abuses  573
  Intrusion Detection Systems  573
  Emanation Security  574
  Environment and Life Safety  575
  Personnel Safety  575
  Power and Electricity  575
  Noise  576
  Temperature, Humidity, and Static  577
  Water  577
  Fire Detection and Suppression  578
  Equipment Failure  580
  Summary  581
  Exam Essentials  581
  Review Questions  584
  Answers to Review Questions  588

Glossary  591
Index  649
Introduction
The CISSP: Certified Information Systems Security Professional Study Guide, 2nd Edition offers
you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam.
By purchasing this book, you’ve shown a willingness to learn and a desire to develop the skills you
need to achieve this certification. This introduction provides you with a basic overview of this
book and the CISSP exam.
This book is designed for readers and students who want to study for the CISSP certification
exam. If your goal is to become a certified security professional, then the CISSP certification and
this study guide are for you. The purpose of this book is to adequately prepare you to pass the
CISSP exam.
Before you dive into this book, you need to have accomplished a few tasks on your own. You
need to have a general understanding of IT and of security. You should have the necessary 4 years
of experience (or 3 years plus a college degree) in one of the 10 domains covered by the CISSP
exam. If you are qualified to take the CISSP exam according to (ISC)2, then you are sufficiently
prepared to use this book to study for the CISSP exam. For more information on (ISC)2, see the
next section.
(ISC)2
The CISSP exam is governed by the International Information Systems Security Certification
Consortium, Inc. (ISC)2 organization. (ISC)2 is a global not-for-profit organization. It has four
primary mission goals:
Maintain the Common Body of Knowledge for the field of information systems security
Provide certification for information systems security professionals and practitioners
Conduct certification training and administer the certification exams
Oversee the ongoing accreditation of qualified certification candidates through continued
education
The (ISC)2 is operated by a board of directors elected from the ranks of its certified practitioners. More information about (ISC)2 can be obtained from its website at www.isc2.org.
CISSP and SSCP
(ISC)2 supports and provides two primary certifications: CISSP and SSCP. These certifications are
designed to emphasize the knowledge and skills of an IT security professional across all industries.
CISSP is a certification for security professionals who have the task of designing a security infrastructure for an organization. System Security Certified Practitioner (SSCP) is a certification for
security professionals who have the responsibility of implementing a security infrastructure in an
organization. The CISSP certification covers material from the 10 CBK domains:
1. Access Control Systems and Methodology
2. Telecommunications and Network Security
3. Security Management Practices
4. Applications and Systems Development Security
5. Cryptography
6. Security Architecture and Models
7. Operations Security
8. Business Continuity Planning and Disaster Recovery Planning
9. Law, Investigations, and Ethics
10. Physical Security
The SSCP certification covers material from 7 CBK domains:
Access Controls
Administration
Audit and Monitoring
Cryptography
Data Communications
Malicious Code/Malware
Risk, Response, and Recovery
The content for the CISSP and SSCP domains overlap significantly, but the focus is different
for each set of domains. CISSP focuses on theory and design, whereas SSCP focuses more on
implementation. This book focuses only on the domains for the CISSP exam.
Prequalifications
(ISC)2 has defined several qualification requirements you must meet to become a CISSP. First,
you must be a practicing security professional with at least 4 years’ experience or with 3 years’
experience and a college degree. Professional experience is defined as security work performed
for salary or commission within one or more of the 10 CBK domains.
Second, you must agree to adhere to the code of ethics. The CISSP Code of Ethics is a set of
guidelines the (ISC)2 wants all CISSP candidates to follow in order to maintain professionalism
in the field of information systems security. You can find it in the Information section on the
(ISC)2 website at www.isc2.org.
(ISC)2 has created a new program known as an Associate of (ISC)2. This program allows
someone without any or enough experience to take the CISSP exam and then obtain experience
afterward. They are given 5 years to obtain 4 years of security experience. Only after providing
proof of experience, usually by means of endorsement and a resume, does (ISC)2 award the individual the CISSP certification label.
To sign up for the exam, visit the (ISC)2 website and follow the instructions listed there on registering to take the CISSP exam. You’ll provide your contact information, payment details, and
security-related professional experience. You’ll also select one of the available time and location
settings for the exam. Once (ISC)2 approves your application to take the exam, you’ll receive a
confirmation e-mail with all the details you’ll need to find the testing center and take the exam.
Overview of the CISSP Exam
The CISSP exam consists of 250 questions, and you are given 6 hours to complete it. The exam
is still administered in a booklet and answer sheet format. This means you’ll be using a pencil
to fill in answer bubbles.
The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and
concept than implementation and procedure. It is very broad but not very deep. To successfully
complete the exam, you’ll need to be familiar with every domain but not necessarily be a master
of each domain.
You’ll need to register for the exam through the (ISC)2 website at www.isc2.org.
(ISC)2 administers the exam itself. In most cases, the exams are held in large conference
rooms at hotels. Existing CISSP holders are recruited to serve as proctors or administrators over
the exams. Be sure to arrive at the testing center around 8:00 a.m., and keep in mind that absolutely no one will be admitted into the exam after 8:30 a.m.
CISSP Exam Question Types
Every single question on the CISSP exam is a four-option multiple choice question with a single
correct answer. Here’s an example:
1. What is the most important goal and top priority of a security solution?
A. Prevention of disclosure
B. Maintaining integrity
C. Human safety
D. Sustaining availability
You must select the one correct or best answer and mark it on your answer sheet. In some
cases, the correct answer will be very obvious to you. In other cases, there will be several
answers that seem correct. In these instances, you must choose the best answer for the question
asked. Watch for general, specific, universal, superset, and subset answer selections. In other
cases, none of the answers will seem correct. In these instances, you’ll need to select the least
incorrect answer.
Advice on Taking the Exam
There are two key elements to the CISSP exam. First, you need to know the material from the
10 CBK domains. Second, you must have good test-taking skills. With 6 hours to complete a
250-question exam, you have just under 90 seconds for each question. Thus, it is important to
work quickly, without rushing but without wasting time.
A key factor to keep in mind is that guessing is better than not answering a question. If you
skip a question, you will not get credit. But if you guess, you have at least a 25-percent chance
of improving your score. Wrong answers are not counted against you. So, near the end of the
sixth hour, be sure an answer is selected for every line on the answer sheet.
You can write on the test booklet, but nothing written on it will count for or against your
score. Use the booklet to make notes and keep track of your progress. We recommend circling
each answer you select before you mark it on your answer sheet.