cissp - certified information systems security professional study guide, 2nd edition (2004)


CISSP:

Certified Information
Systems Security Professional

Study Guide

2nd Edition

4335cFM.fm Page i Wednesday, June 16, 2004 4:01 PM


San Francisco • London

CISSP®:

Certified Information
Systems Security Professional

Study Guide

2nd Edition

Ed Tittel
James Michael Stewart


Mike Chapple


Associate Publisher: Neil Edde
Acquisitions and Developmental Editor: Heather O’Connor
Production Editor: Lori Newman
Technical Editor: Patrick Bass
Copyeditor: Judy Flynn
Compositor: Craig Woods, Happenstance Type-O-Rama
Graphic Illustrator: Happenstance Type-O-Rama
CD Coordinator: Dan Mummert
CD Technician: Kevin Ly
Proofreaders: Laurie O’Connell, Nancy Riddiough
Indexer: Ted Laux
Book Designer: Bill Gibson, Judy Fung
Cover Designer: Archer Design
Cover Photographer: Victor Arre, Photodisc
Copyright © 2004 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher.
First edition copyright © 2003 SYBEX Inc.
Library of Congress Card Number: 2003115091
ISBN: 0-7821-4335-0
SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States
and/or other countries.
Screen reproductions produced with FullShot 99. FullShot 99 © 1991–1999 Inbit Incorporated. All rights reserved.
FullShot is a trademark of Inbit Incorporated.
The CD interface was created using Macromedia Director, COPYRIGHT 1994, 1997–1999 Macromedia Inc.

For more information on Macromedia and Macromedia Director, visit .
This study guide and/or material is not sponsored by, endorsed by or affiliated with International Information Systems Security Certification Consortium, Inc. (ISC)²® and CISSP® are registered service and/or trademarks of the International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners.
TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from
descriptive terms by following the capitalization style used by the manufacturer.
The author and publisher have made their best efforts to prepare this book, and the content is based upon final
release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied
by software manufacturer(s). The author and the publisher make no representation or warranties of any kind
with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including
but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of
any kind caused or alleged to be caused directly or indirectly from this book.
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1


To Our Valued Readers:
Thank you for looking to Sybex for your CISSP exam prep needs. We at Sybex are proud of
our reputation for providing certification candidates with the practical knowledge and skills
needed to succeed in the highly competitive IT marketplace. Certification candidates have
come to rely on Sybex for accurate and accessible instruction on today’s crucial technologies.
For the second year in a row, readers such as you voted Sybex as winner of the “Best Study
Guides” category in the 2003 CertCities Readers Choice Awards.
The author and editors have worked hard to ensure that the new edition of the CISSP®: Certified Information Systems Security Professional Study Guide you hold in your hands is comprehensive, in-depth, and pedagogically sound. We’re confident that this book will exceed the demanding standards of the certification marketplace and help you, the CISSP certification candidate, succeed in your endeavors.
As always, your feedback is important to us. If you believe you’ve identified an error in the book, please send a detailed e-mail to
And if you have general comments or suggestions, feel free to drop me a line directly at
At Sybex we’re continually striving to meet the needs of individuals preparing for certification exams.
Good luck in pursuit of your CISSP certification!
Neil Edde
Associate Publisher—Certification
Sybex, Inc.


Software License Agreement: Terms and Conditions

The media and/or any online materials accompanying this book that are available now or in the future contain programs and/or text files (the “Software”) to be used in connection with the book. SYBEX hereby grants to you a license to use the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Software will constitute your acceptance of such terms.
The Software compilation is the property of SYBEX unless otherwise indicated and is protected by copyright to SYBEX or other copyright owner(s) as indicated in the media files (the “Owner(s)”). You are hereby granted a single-user license to use the Software for your personal, noncommercial use only. You may not reproduce, sell, distribute, publish, circulate, or commercially exploit the Software, or any portion thereof, without the written consent of SYBEX and the specific copyright owner(s) of any component software included on this media.
In the event that the Software or components include specific license requirements or end-user agreements, statements of condition, disclaimers, limitations or warranties (“End-User License”), those End-User Licenses supersede the terms and conditions herein as to that particular Software component. Your purchase, acceptance, or use of the Software will constitute your acceptance of such End-User Licenses.
By purchase, use or acceptance of the Software you further agree to comply with all export laws and regulations of the United States as such laws and regulations may exist from time to time.


Software Support

Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material, but they are not supported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate read.me files or listed elsewhere on the media.
Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s).

Warranty

SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Software is not available from SYBEX in any other form or media than that enclosed herein or posted to www.sybex.com. If you discover a defect in the media during this warranty period, you may obtain a replacement of identical format at no charge by sending the defective media, postage prepaid, with proof of purchase to:
SYBEX Inc.
Product Support Department
1151 Marina Village Parkway
Alameda, CA 94501
Web:
After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX.

Disclaimer

SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting.
The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agreement of Terms and Conditions.

Shareware Distribution

This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files.

Copy Protection

The Software in whole or in part may or may not be copy-protected or encrypted. However, in all cases, reselling or redistributing these files without authorization is expressly forbidden except as specifically provided for by the Owner(s) therein.



Acknowledgments

Thanks to Neil Edde and Jordan Gold at Sybex for helping us hook up with this project; thanks also to Rodnay Zaks for numerous fine gastronomic experiences and for an even greater number of good ideas. But Neil wins the “great gastronomy prize” for taking me to Chez Panisse for lunch the last time I visited Sybex’s Alameda offices. Thanks to my mom and dad for providing me with the basic tools to become a writer and trainer: an inquiring mind, plus good verbal and debating skills. Thanks to Dina Kutueva, not just for marrying me and completing my life, but also for her magnificent efforts and sacrifices in delivering our beautiful son, Gregory E. Tittel, in February 2004. You rule my world! And finally, thanks to the whole historical LANWrights gang—Dawn, Mary, Kim, Bill, Chelsea, Natanya, and Michael—for 10 great years of camaraderie, collaboration, and the occasional success. You guys are the greatest; I couldn’t have done it without you! I'm sorry we haven't all been able to stay together, but I'll always value our time together and our continuing friendships.
—Ed Tittel
Thanks to Ed Tittel and LANWrights, Inc. for allowing me to contribute to the revision of this book. Working with you guys is and always has been a pleasure. Thanks to my editor Dawn Rader for putting up with my bad grammar. Thanks to my third co-author, Mike Chapple, for helping make this book all it could be. To my parents, Dave and Sue, thanks for your love and consistent support. To my sister Sharon and nephew Wesley, it’s great having family like you to spend time with. To Mark, it’s time we both got a life. To HERbert and Quin, it’s great having two furry friends around the house. And finally, as always, to Elvis—where did you get that shiny gold suit? I want to wear it around town to blind anyone who gazes in my direction.
—James Michael Stewart
I’d like to thank Ed Tittel, Dawn Rader, and the team at LANWrights, Inc. for their assistance with this project. I also owe a debt of gratitude to the countless technical experts in government and industry who’ve patiently answered my questions and fueled my passion for security over the years. Above all, I’d like to thank my wife Renee for her undying patience as I worked on this book. Without her support, this never would have been possible.

—Mike Chapple


Contents at a Glance

Introduction xxiii
Assessment Test xxx
Chapter 1 Accountability and Access Control 1
Chapter 2 Attacks and Monitoring 31
Chapter 3 ISO Model, Network Security, and Protocols 55
Chapter 4 Communications Security and Countermeasures 99
Chapter 5 Security Management Concepts and Principles 129
Chapter 6 Asset Value, Policies, and Roles 149
Chapter 7 Data and Application Security Issues 179
Chapter 8 Malicious Code and Application Attacks 219
Chapter 9 Cryptography and Private Key Algorithms 253
Chapter 10 PKI and Cryptographic Applications 287
Chapter 11 Principles of Computer Design 317
Chapter 12 Principles of Security Models 361
Chapter 13 Administrative Management 395
Chapter 14 Auditing and Monitoring 421
Chapter 15 Business Continuity Planning 449
Chapter 16 Disaster Recovery Planning 475
Chapter 17 Law and Investigations 507
Chapter 18 Incidents and Ethics 541
Chapter 19 Physical Security Requirements 563
Glossary 591
Index 649



Contents

Introduction xxiii
Assessment Test xxx

Chapter 1 Accountability and Access Control 1

Access Control Overview 2
Types of Access Control 2
Access Control in a Layered Environment 4
The Process of Accountability 5
Identification and Authentication Techniques 7
Passwords 7
Biometrics 10
Tokens 13
Tickets 14
Access Control Techniques 15
Access Control Methodologies and Implementation 17
Centralized and Decentralized Access Control 17
RADIUS and TACACS 18
Access Control Administration 19
Account Administration 19
Account, Log, and Journal Monitoring 20
Access Rights and Permissions 20
Summary 21

Exam Essentials 22
Review Questions 24
Answers to Review Questions 28

Chapter 2 Attacks and Monitoring 31

Monitoring 32
Intrusion Detection 33
Host-Based and Network-Based IDSs 33
Knowledge-Based and Behavior-Based Detection 35
IDS-Related Tools 36
Penetration Testing 37
Methods of Attacks 37
Brute Force and Dictionary Attacks 38
Denial of Service 40
Spoofing Attacks 43
Man-in-the-Middle Attacks 43
Sniffer Attacks 44


Spamming Attacks 44
Crackers 45
Access Control Compensations 45
Summary 45
Exam Essentials 46

Review Questions 49
Answers to Review Questions 53

Chapter 3 ISO Model, Network Security, and Protocols 55

OSI Model 56
History of the OSI Model 56
OSI Functionality 57
Encapsulation/Deencapsulation 58
OSI Layers 59
TCP/IP Model 63
Communications and Network Security 64
Network Cabling 65
LAN Technologies 68
Network Topologies 71
TCP/IP Overview 73
Internet/Intranet/Extranet Components 78
Firewalls 78
Other Network Devices 81
Remote Access Security Management 82
Network and Protocol Security Mechanisms 83
VPN Protocols 83
Secure Communications Protocols 84
E-Mail Security Solutions 84
Dial-Up Protocols 85
Authentication Protocols 85
Centralized Remote Authentication Services 85
Network and Protocol Services 86
Frame Relay 87
Other WAN Technologies 87

Avoiding Single Points of Failure 88
Redundant Servers 88
Failover Solutions 89
RAID 89
Summary 91
Exam Essentials 91
Review Questions 93
Answers to Review Questions 97


Chapter 4 Communications Security and Countermeasures 99

Virtual Private Network (VPN) 100
Tunneling 100
How VPNs Work 101
Implementing VPNs 102
Network Address Translation 103
Private IP Addresses 103
Stateful NAT 103
Switching Technologies 104
Circuit Switching 104
Packet Switching 104
Virtual Circuits 105
WAN Technologies 105
WAN Connection Technologies 106

Encapsulation Protocols 108
Miscellaneous Security Control Characteristics 108
Transparency 108
Verifying Integrity 109
Transmission Mechanisms 109
Managing E-Mail Security 109
E-Mail Security Goals 110
Understanding E-Mail Security Issues 111
E-Mail Security Solutions 111
Securing Voice Communications 113
Social Engineering 113
Fraud and Abuse 114
Phreaking 115
Security Boundaries 115
Network Attacks and Countermeasures 116
Eavesdropping 116
Second-Tier Attacks 117
Address Resolution Protocol (ARP) 117
Summary 118
Exam Essentials 120
Review Questions 122
Answers to Review Questions 126

Chapter 5 Security Management Concepts and Principles 129

Security Management Concepts and Principles 130
Confidentiality 130
Integrity 131
Availability 132
Other Security Concepts 133



Protection Mechanisms 135
Layering 136
Abstraction 136
Data Hiding 136
Encryption 137
Change Control/Management 137
Data Classification 138
Summary 140
Exam Essentials 141
Review Questions 143
Answers to Review Questions 147

Chapter 6 Asset Value, Policies, and Roles 149

Employment Policies and Practices 150
Security Management for Employees 150
Security Roles 153
Policies, Standards, Baselines, Guidelines, and Procedures 154
Security Policies 155
Security Standards, Baselines, and Guidelines 155
Security Procedures 156
Risk Management 157
Risk Terminology 157

Risk Assessment Methodologies 159
Quantitative Risk Analysis 161
Qualitative Risk Analysis 163
Handling Risk 165
Security Awareness Training 166
Security Management Planning 167
Summary 167
Exam Essentials 169
Review Questions 172
Answers to Review Questions 176

Chapter 7 Data and Application Security Issues 179

Application Issues 180
Local/Nondistributed Environment 180
Distributed Environment 182
Databases and Data Warehousing 186
Database Management System (DBMS) Architecture 186
Database Transactions 188
Multilevel Security 189
Aggregation 190
Inference 190


Polyinstantiation 191

Data Mining 191
Data/Information Storage 192
Types of Storage 192
Storage Threats 193
Knowledge-Based Systems 193
Expert Systems 194
Neural Networks 195
Security Applications 195
Systems Development Controls 195
Software Development 196
Systems Development Life Cycle 198
Life Cycle Models 201
Change Control and Configuration Management 205
Security Control Architecture 206
Service Level Agreements 208
Summary 209
Exam Essentials 210
Written Lab 211
Review Questions 212
Answers to Review Questions 216
Answers to Written Lab 218

Chapter 8 Malicious Code and Application Attacks 219

Malicious Code 220
Sources 220
Viruses 221
Logic Bombs 226
Trojan Horses 226
Worms 227

Active Content 228
Countermeasures 229
Password Attacks 230
Password Guessing 230
Dictionary Attacks 231
Social Engineering 231
Countermeasures 232
Denial of Service Attacks 232
SYN Flood 232
Distributed DoS Toolkits 234
Smurf 234
Teardrop 236
Land 237
DNS Poisoning 237
Ping of Death 238


Application Attacks 238
Buffer Overflows 238
Time-of-Check-to-Time-of-Use 239
Trap Doors 239
Rootkits 239
Reconnaissance Attacks 240
IP Probes 240
Port Scans 240

Vulnerability Scans 240
Dumpster Diving 241
Masquerading Attacks 241
IP Spoofing 241
Session Hijacking 242
Decoy Techniques 242
Honey Pots 242
Pseudo-Flaws 243
Summary 243
Exam Essentials 244
Written Lab 245
Review Questions 246
Answers to Review Questions 250
Answers to Written Lab 252

Chapter 9 Cryptography and Private Key Algorithms 253

History 254
Caesar Cipher 254
American Civil War 255
Ultra vs. Enigma 255
Cryptographic Basics 256
Goals of Cryptography 256
Concepts 257
Cryptographic Mathematics 258
Ciphers 262
Modern Cryptography 266
Cryptographic Keys 266
Symmetric Key Algorithms 267
Asymmetric Key Algorithms 268

Hashing Algorithms 270
Symmetric Cryptography 271
Data Encryption Standard (DES) 271
Triple DES (3DES) 272
International Data Encryption Algorithm (IDEA) 273
Blowfish 274
Skipjack 274
Advanced Encryption Standard (AES) 275


Key Distribution 275
Key Escrow 277
Summary 277
Exam Essentials 278
Written Lab 279
Review Questions 280
Answers to Review Questions 284
Answers to Written Lab 286

Chapter 10 PKI and Cryptographic Applications 287

Asymmetric Cryptography 288
Public and Private Keys 288
RSA 289
El Gamal 291

Elliptic Curve 291
Hash Functions 292
SHA 293
MD2 293
MD4 294
MD5 294
Digital Signatures 294
HMAC 295
Digital Signature Standard 296
Public Key Infrastructure 297
Certificates 297
Certificate Authorities 298
Certificate Generation and Destruction 298
Key Management 300
Applied Cryptography 300
Electronic Mail 301
Web 303
E-Commerce 304
Networking 305
Cryptographic Attacks 307
Summary 308
Exam Essentials 309
Review Questions 311
Answers to Review Questions 315

Chapter 11 Principles of Computer Design 317

Computer Architecture 319
Hardware 319
Input/Output Structures 337

Firmware 338


Security Protection Mechanisms 338
Technical Mechanisms 338
Security Policy and Computer Architecture 340
Policy Mechanisms 341
Distributed Architecture 342
Security Models 344
State Machine Model 344
Bell-LaPadula Model 345
Biba 346
Clark-Wilson 347
Information Flow Model 348
Noninterference Model 348
Take-Grant Model 349
Access Control Matrix 349
Brewer and Nash Model (a.k.a. Chinese Wall) 350
Classifying and Comparing Models 350
Summary 351
Exam Essentials 352
Review Questions 355
Answers to Review Questions 359

Chapter 12 Principles of Security Models 361


Common Security Models, Architectures, and
Evaluation Criteria 362
Trusted Computing Base (TCB) 363
Security Models 364
Objects and Subjects 366
Closed and Open Systems 367
Techniques for Ensuring Confidentiality,
Integrity, and Availability 367
Controls 368
IP Security (IPSec) 369
Understanding System Security Evaluation 370
Rainbow Series 371
ITSEC Classes and Required Assurance and Functionality 375
Common Criteria 376
Certification and Accreditation 379
Common Flaws and Security Issues 380
Covert Channels 380
Attacks Based on Design or Coding Flaws and
Security Issues 381
Programming 384
Timing, State Changes, and Communication Disconnects 384
Electromagnetic Radiation 385



Summary 385
Exam Essentials 386
Review Questions 388
Answers to Review Questions 392

Chapter 13 Administrative Management 395

Antivirus Management 396
Operations Security Concepts 397
Operational Assurance and Life Cycle Assurance 397
Backup Maintenance 398
Changes in Workstation/Location 398
Need-to-Know and the Principle of Least Privilege 399
Privileged Operations Functions 399
Trusted Recovery 400
Configuration and Change Management Control 400
Standards of Due Care and Due Diligence 401
Privacy and Protection 402
Legal Requirements 402
Illegal Activities 402
Record Retention 403
Sensitive Information and Media 403
Security Control Types 405
Operations Controls 406
Personnel Controls 408
Summary 409
Exam Essentials 411
Review Questions 414
Answers to Review Questions 418


Chapter 14 Auditing and Monitoring 421

Auditing 422
Auditing Basics 422
Audit Trails 424
Reporting Concepts 425
Sampling 426
Record Retention 426
External Auditors 427
Monitoring 428
Monitoring Tools and Techniques 428
Penetration Testing Techniques 430
War Dialing 431
Sniffing and Eavesdropping 431
Radiation Monitoring 432
Dumpster Diving 432


Social Engineering 433
Problem Management 433
Inappropriate Activities 434
Indistinct Threats and Countermeasures 434
Errors and Omissions 435
Fraud and Theft 435
Collusion 435

Sabotage 435
Loss of Physical and Infrastructure Support 435
Malicious Hackers or Crackers 436
Espionage 436

Malicious Code 436
Traffic and Trend Analysis 436
Initial Program Load Vulnerabilities 437
Summary 438
Exam Essentials 439
Review Questions 443
Answers to Review Questions 447

Chapter 15 Business Continuity Planning 449

Business Continuity Planning 450
Project Scope and Planning 450
Business Organization Analysis 451
BCP Team Selection 451
Resource Requirements 452
Legal and Regulatory Requirements 453
Business Impact Assessment 455
Identify Priorities 456
Risk Identification 456
Likelihood Assessment 457
Impact Assessment 457
Resource Prioritization 458
Continuity Strategy 459

Strategy Development 459
Provisions and Processes 460
Plan Approval 461
Plan Implementation 462
Training and Education 462
BCP Documentation 462
Continuity Planning Goals 463
Statement of Importance 463
Statement of Priorities 463
Statement of Organizational Responsibility 463
Statement of Urgency and Timing 464
Risk Assessment 464


Risk Acceptance/Mitigation 464
Vital Records Program 464
Emergency Response Guidelines 465
Maintenance 465
Testing 465
Summary 465
Exam Essentials 466
Review Questions 468
Answers to Review Questions 472

Chapter 16 Disaster Recovery Planning 475


Disaster Recovery Planning 476
Natural Disasters 477
Man-Made Disasters 481
Recovery Strategy 485
Business Unit Priorities 485
Crisis Management 485
Emergency Communications 486
Work Group Recovery 486
Alternate Processing Sites 486
Mutual Assistance Agreements 489
Database Recovery 489
Recovery Plan Development 491
Emergency Response 491
Personnel Notification 492
Backups and Offsite Storage 493
Software Escrow Arrangements 494
External Communications 495
Utilities 495
Logistics and Supplies 495
Recovery vs. Restoration 495
Training and Documentation 496
Testing and Maintenance 496
Checklist Test 497
Structured Walk-Through 497
Simulation Test 497
Parallel Test 497
Full-Interruption Test 498
Maintenance 498
Summary 498

Exam Essentials 498
Written Lab 499
Review Questions 500
Answers to Review Questions 504
Answers to Written Lab 506


Chapter 17 Law and Investigations 507

Categories of Laws 508
Criminal Law 508
Civil Law 509
Administrative Law 510
Laws 510
Computer Crime 511
Intellectual Property 514
Licensing 519
Import/Export 520
Privacy 521
Investigations 526
Evidence 526
Investigation Process 528
Summary 530
Exam Essentials 530
Written Lab 532

Review Questions 533
Answers to Review Questions 537
Answers to Written Lab 539

Chapter 18 Incidents and Ethics 541

Major Categories of Computer Crime 542
Military and Intelligence Attacks 543
Business Attacks 543
Financial Attacks 544
Terrorist Attacks 544
Grudge Attacks 545
“Fun” Attacks 545
Evidence 546
Incident Handling 546
Common Types of Incidents 547
Response Teams 549
Abnormal and Suspicious Activity 549
Confiscating Equipment, Software, and Data 550
Incident Data Integrity and Retention 551
Reporting Incidents 551
Ethics 552
(ISC)² Code of Ethics 552
Ethics and the Internet 553
Summary 554
Exam Essentials 555

Review Questions 557
Answers to Review Questions 561


Chapter 19 Physical Security Requirements 563

Facility Requirements 564
Secure Facility Plan 565
Physical Security Controls 565
Site Selection 565
Visibility 565
Accessibility 566
Natural Disasters 566
Facility Design 566
Work Areas 566
Server Rooms 567
Visitors 567
Forms of Physical Access Controls 568
Fences, Gates, Turnstiles, and Mantraps 568
Lighting 568
Security Guards and Dogs 569
Keys and Combination Locks 570
Badges 570
Motion Detectors 571
Intrusion Alarms 571

Secondary Verification Mechanisms 571
Technical Controls 572
Smart Cards 572
Proximity Readers 572
Access Abuses 573
Intrusion Detection Systems 573
Emanation Security 574
Environment and Life Safety 575
Personnel Safety 575
Power and Electricity 575
Noise 576
Temperature, Humidity, and Static 577
Water 577
Fire Detection and Suppression 578
Equipment Failure 580
Summary 581
Exam Essentials 581
Review Questions 584
Answers to Review Questions 588

Glossary 591
Index 649


Introduction


The CISSP: Certified Information Systems Security Professional Study Guide, 2nd Edition offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you’ve shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam.
This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you. The purpose of this book is to adequately prepare you to pass the CISSP exam.
Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary 4 years of experience (or 3 years plus a college degree) in one of the 10 domains covered by the CISSP exam. If you are qualified to take the CISSP exam according to (ISC)², then you are sufficiently prepared to use this book to study for the CISSP exam. For more information on (ISC)², see the next section.

(ISC)²

The CISSP exam is governed by the International Information Systems Security Certification Consortium, Inc. (ISC)² organization. (ISC)² is a global not-for-profit organization. It has four primary mission goals:
• Maintain the Common Body of Knowledge for the field of information systems security
• Provide certification for information systems security professionals and practitioners
• Conduct certification training and administer the certification exams
• Oversee the ongoing accreditation of qualified certification candidates through continued education
The (ISC)² is operated by a board of directors elected from the ranks of its certified practitioners. More information about (ISC)² can be obtained from its website at www.isc2.org.

CISSP and SSCP

(ISC)² supports and provides two primary certifications: CISSP and SSCP. These certifications are designed to emphasize the knowledge and skills of an IT security professional across all industries. CISSP is a certification for security professionals who have the task of designing a security infrastructure for an organization. System Security Certified Practitioner (SSCP) is a certification for security professionals who have the responsibility of implementing a security infrastructure in an organization. The CISSP certification covers material from the 10 CBK domains:
1. Access Control Systems and Methodology
2. Telecommunications and Network Security

4335cINTRO.fm Page xxiii Thursday, June 10, 2004 5:38 AM



3. Security Management Practices
4. Applications and Systems Development Security
5. Cryptography
6. Security Architecture and Models
7. Operations Security
8. Business Continuity Planning and Disaster Recovery Planning
9. Law, Investigations, and Ethics
10. Physical Security
The SSCP certification covers material from 7 CBK domains:
• Access Controls
• Administration
• Audit and Monitoring
• Cryptography
• Data Communications
• Malicious Code/Malware
• Risk, Response, and Recovery
The content of the CISSP and SSCP domains overlaps significantly, but the focus is different for each set of domains. CISSP focuses on theory and design, whereas SSCP focuses more on implementation. This book focuses only on the domains for the CISSP exam.

Prequalifications

(ISC)² has defined several qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least 4 years’ experience or with 3 years’ experience and a college degree. Professional experience is defined as security work performed for salary or commission within one or more of the 10 CBK domains.
Second, you must agree to adhere to the code of ethics. The CISSP Code of Ethics is a set of guidelines the (ISC)² wants all CISSP candidates to follow in order to maintain professionalism in the field of information systems security. You can find it in the Information section on the (ISC)² website at www.isc2.org.
(ISC)² has created a new program known as an Associate of (ISC)². This program allows someone who does not yet have enough experience to take the CISSP exam and then obtain the experience afterward. They are given 5 years to obtain 4 years of security experience. Only after providing proof of experience, usually by means of endorsement and a resume, does (ISC)² award the individual the CISSP certification label.
To sign up for the exam, visit the (ISC)² website and follow the instructions listed there on registering to take the CISSP exam. You’ll provide your contact information, payment details, and security-related professional experience. You’ll also select one of the available time and location settings for the exam. Once (ISC)² approves your application to take the exam, you’ll receive a confirmation e-mail with all the details you’ll need to find the testing center and take the exam.



Overview of the CISSP Exam

The CISSP exam consists of 250 questions, and you are given 6 hours to complete it. The exam is still administered in a booklet and answer sheet format. This means you'll be using a pencil to fill in answer bubbles.

The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and concept than implementation and procedure. It is very broad but not very deep. To successfully complete the exam, you'll need to be familiar with every domain but not necessarily be a master of each domain.

You'll need to register for the exam through the (ISC)² website at www.isc2.org.

(ISC)² administers the exam itself. In most cases, the exams are held in large conference rooms at hotels. Existing CISSP holders are recruited to serve as proctors or administrators over the exams. Be sure to arrive at the testing center around 8:00 a.m., and keep in mind that absolutely no one will be admitted into the exam after 8:30 a.m.

CISSP Exam Question Types

Every single question on the CISSP exam is a four-option multiple choice question with a single correct answer. Here's an example:

1. What is the most important goal and top priority of a security solution?
   A. Prevention of disclosure
   B. Maintaining integrity
   C. Human safety
   D. Sustaining availability

You must select the one correct or best answer and mark it on your answer sheet. In some cases, the correct answer will be very obvious to you. In other cases, there will be several answers that seem correct. In these instances, you must choose the best answer for the question asked. Watch for general, specific, universal, superset, and subset answer selections. In other cases, none of the answers will seem correct. In these instances, you'll need to select the least incorrect answer.

Advice on Taking the Exam

There are two key elements to the CISSP exam. First, you need to know the material from the 10 CBK domains. Second, you must have good test-taking skills. With 6 hours to complete a 250-question exam, you have just under 90 seconds for each question. Thus, it is important to work quickly, without rushing but without wasting time.

A key factor to keep in mind is that guessing is better than not answering a question. If you skip a question, you will not get credit. But if you guess, you have at least a 25-percent chance of improving your score. Wrong answers are not counted against you. So, near the end of the sixth hour, be sure an answer is selected for every line on the answer sheet.

You can write on the test booklet, but nothing written on it will count for or against your score. Use the booklet to make notes and keep track of your progress. We recommend circling each answer you select before you mark it on your answer sheet.