The Official (ISC)2 CISSP CBK Reference [6 ed.]
1119789990, 9781119789994
The only official, comprehensive reference guide to the CISSP. Thoroughly updated for 2021 and beyond, this is the author
6MB
English
Pages 672
Year 2021
Table of contents:
Cover
Title Page
Copyright Page
Contents at a Glance
Contents
Foreword
Introduction
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management
Security Assessment and Testing
Security Operations
Software Development Security
Domain 1 Security and Risk Management
Understand, Adhere to, and Promote Professional Ethics
(ISC)2 Code of Professional Ethics
Organizational Code of Ethics
Understand and Apply Security Concepts
Confidentiality
Integrity
Availability
Evaluate and Apply Security Governance Principles
Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives
Organizational Processes
Organizational Roles and Responsibilities
Security Control Frameworks
Due Care and Due Diligence
Determine Compliance and Other Requirements
Legislative and Regulatory Requirements
Industry Standards and Other Compliance Requirements
Privacy Requirements
Understand Legal and Regulatory Issues That Pertain to Information Security in a Holistic Context
Cybercrimes and Data Breaches
Licensing and Intellectual Property Requirements
Import/Export Controls
Transborder Data Flow
Privacy
Understand Requirements for Investigation Types
Administrative
Criminal
Civil
Regulatory
Industry Standards
Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
Policies
Standards
Procedures
Guidelines
Identify, Analyze, and Prioritize Business Continuity Requirements
Business Impact Analysis
Develop and Document the Scope and the Plan
Contribute to and Enforce Personnel Security Policies and Procedures
Candidate Screening and Hiring
Employment Agreements and Policies
Onboarding, Transfers, and Termination Processes
Vendor, Consultant, and Contractor Agreements and Controls
Compliance Policy Requirements
Privacy Policy Requirements
Understand and Apply Risk Management Concepts
Identify Threats and Vulnerabilities
Risk Assessment
Risk Response/Treatment
Countermeasure Selection and Implementation
Applicable Types of Controls
Control Assessments
Monitoring and Measurement
Reporting
Continuous Improvement
Risk Frameworks
Understand and Apply Threat Modeling Concepts and Methodologies
Threat Modeling Concepts
Threat Modeling Methodologies
Apply Supply Chain Risk Management Concepts
Risks Associated with Hardware, Software, and Services
Third-Party Assessment and Monitoring
Minimum Security Requirements
Service-Level Requirements
Frameworks
Establish and Maintain a Security Awareness, Education, and Training Program
Methods and Techniques to Present Awareness and Training
Periodic Content Reviews
Program Effectiveness Evaluation
Summary
Domain 2 Asset Security
Identify and Classify Information and Assets
Data Classification and Data Categorization
Asset Classification
Establish Information and Asset Handling Requirements
Marking and Labeling
Handling
Storage
Declassification
Provision Resources Securely
Information and Asset Ownership
Asset Inventory
Asset Management
Manage Data Lifecycle
Data Roles
Data Collection
Data Location
Data Maintenance
Data Retention
Data Destruction
Data Remanence
Ensure Appropriate Asset Retention
Determining Appropriate Records Retention
Records Retention Best Practices
Determine Data Security Controls and Compliance Requirements
Data States
Scoping and Tailoring
Standards Selection
Data Protection Methods
Summary
Domain 3 Security Architecture and Engineering
Research, Implement, and Manage Engineering Processes Using Secure Design Principles
ISO/IEC 19249
Threat Modeling
Secure Defaults
Fail Securely
Separation of Duties
Keep It Simple
Trust, but Verify
Zero Trust
Privacy by Design
Shared Responsibility
Defense in Depth
Understand the Fundamental Concepts of Security Models
Primer on Common Model Components
Information Flow Model
Noninterference Model
Bell–LaPadula Model
Biba Integrity Model
Clark–Wilson Model
Brewer–Nash Model
Take-Grant Model
Select Controls Based Upon Systems Security Requirements
Understand Security Capabilities of Information Systems
Memory Protection
Secure Cryptoprocessor
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
Client-Based Systems
Server-Based Systems
Database Systems
Cryptographic Systems
Industrial Control Systems
Cloud-Based Systems
Distributed Systems
Internet of Things
Microservices
Containerization
Serverless
Embedded Systems
High-Performance Computing Systems
Edge Computing Systems
Virtualized Systems
Select and Determine Cryptographic Solutions
Cryptography Basics
Cryptographic Lifecycle
Cryptographic Methods
Public Key Infrastructure
Key Management Practices
Digital Signatures and Digital Certificates
Nonrepudiation
Integrity
Understand Methods of Cryptanalytic Attacks
Brute Force
Ciphertext Only
Known Plaintext
Chosen Plaintext Attack
Frequency Analysis
Chosen Ciphertext
Implementation Attacks
Side-Channel Attacks
Fault Injection
Timing Attacks
Man-in-the-Middle
Pass the Hash
Kerberos Exploitation
Ransomware
Apply Security Principles to Site and Facility Design
Design Site and Facility Security Controls
Wiring Closets/Intermediate Distribution Facilities
Server Rooms/Data Centers
Media Storage Facilities
Evidence Storage
Restricted and Work Area Security
Utilities and Heating, Ventilation, and Air Conditioning
Environmental Issues
Fire Prevention, Detection, and Suppression
Summary
Domain 4 Communication and Network Security
Assess and Implement Secure Design Principles in Network Architectures
Open System Interconnection and Transmission Control Protocol/Internet Protocol Models
The OSI Reference Model
The TCP/IP Reference Model
Internet Protocol Networking
Secure Protocols
Implications of Multilayer Protocols
Converged Protocols
Microsegmentation
Wireless Networks
Cellular Networks
Content Distribution Networks
Secure Network Components
Operation of Hardware
Repeaters, Concentrators, and Amplifiers
Hubs
Bridges
Switches
Routers
Gateways
Proxies
Transmission Media
Network Access Control
Endpoint Security
Mobile Devices
Implement Secure Communication Channels According to Design
Voice
Multimedia Collaboration
Remote Access
Data Communications
Virtualized Networks
Third-Party Connectivity
Summary
Domain 5 Identity and Access Management
Control Physical and Logical Access to Assets
Access Control Definitions
Information
Systems
Devices
Facilities
Applications
Manage Identification and Authentication of People, Devices, and Services
Identity Management Implementation
Single/Multifactor Authentication
Accountability
Session Management
Registration, Proofing, and Establishment of Identity
Federated Identity Management
Credential Management Systems
Single Sign-On
Just-In-Time
Federated Identity with a Third-Party Service
On Premises
Cloud
Hybrid
Implement and Manage Authorization Mechanisms
Role-Based Access Control
Rule-Based Access Control
Mandatory Access Control
Discretionary Access Control
Attribute-Based Access Control
Risk-Based Access Control
Manage the Identity and Access Provisioning Lifecycle
Account Access Review
Account Usage Review
Provisioning and Deprovisioning
Role Definition
Privilege Escalation
Implement Authentication Systems
OpenID Connect/Open Authorization
Security Assertion Markup Language
Kerberos
Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus
Summary
Domain 6 Security Assessment and Testing
Design and Validate Assessment, Test, and Audit Strategies
Internal
External
Third-Party
Conduct Security Control Testing
Vulnerability Assessment
Penetration Testing
Log Reviews
Synthetic Transactions
Code Review and Testing
Misuse Case Testing
Test Coverage Analysis
Interface Testing
Breach Attack Simulations
Compliance Checks
Collect Security Process Data
Technical Controls and Processes
Administrative Controls
Account Management
Management Review and Approval
Management Reviews for Compliance
Key Performance and Risk Indicators
Backup Verification Data
Training and Awareness
Disaster Recovery and Business Continuity
Analyze Test Output and Generate Report
Typical Audit Report Contents
Remediation
Exception Handling
Ethical Disclosure
Conduct or Facilitate Security Audits
Designing an Audit Program
Internal Audits
External Audits
Third-Party Audits
Summary
Domain 7 Security Operations
Understand and Comply with Investigations
Evidence Collection and Handling
Reporting and Documentation
Investigative Techniques
Digital Forensics Tools, Tactics, and Procedures
Artifacts
Conduct Logging and Monitoring Activities
Intrusion Detection and Prevention
Security Information and Event Management
Continuous Monitoring
Egress Monitoring
Log Management
Threat Intelligence
User and Entity Behavior Analytics
Perform Configuration Management
Provisioning
Asset Inventory
Baselining
Automation
Apply Foundational Security Operations Concepts
Need-to-Know/Least Privilege
Separation of Duties and Responsibilities
Privileged Account Management
Job Rotation
Service-Level Agreements
Apply Resource Protection
Media Management
Media Protection Techniques
Conduct Incident Management
Incident Management Plan
Detection
Response
Mitigation
Reporting
Recovery
Remediation
Lessons Learned
Operate and Maintain Detective and Preventative Measures
Firewalls
Intrusion Detection Systems and Intrusion Prevention Systems
Whitelisting/Blacklisting
Third-Party-Provided Security Services
Sandboxing
Honeypots/Honeynets
Anti-malware
Machine Learning and Artificial Intelligence Based Tools
Implement and Support Patch and Vulnerability Management
Patch Management
Vulnerability Management
Understand and Participate in Change Management Processes
Implement Recovery Strategies
Backup Storage Strategies
Recovery Site Strategies
Multiple Processing Sites
System Resilience, High Availability, Quality of Service, and Fault Tolerance
Implement Disaster Recovery Processes
Response
Personnel
Communications
Assessment
Restoration
Training and Awareness
Lessons Learned
Test Disaster Recovery Plans
Read-through/Tabletop
Walkthrough
Simulation
Parallel
Full Interruption
Participate in Business Continuity Planning and Exercises
Implement and Manage Physical Security
Perimeter Security Controls
Internal Security Controls
Address Personnel Safety and Security Concerns
Travel
Security Training and Awareness
Emergency Management
Duress
Summary
Domain 8 Software Development Security
Understand and Integrate Security in the Software Development Life Cycle (SDLC)
Development Methodologies
Maturity Models
Operation and Maintenance
Change Management
Integrated Product Team
Identify and Apply Security Controls in Software Development Ecosystems
Programming Languages
Libraries
Toolsets
Integrated Development Environment
Runtime
Continuous Integration and Continuous Delivery
Security Orchestration, Automation, and Response
Software Configuration Management
Code Repositories
Application Security Testing
Assess the Effectiveness of Software Security
Auditing and Logging of Changes
Risk Analysis and Mitigation
Assess Security Impact of Acquired Software
Commercial Off-the-Shelf
Open Source
Third-Party
Managed Services (SaaS, IaaS, PaaS)
Define and Apply Secure Coding Guidelines and Standards
Security Weaknesses and Vulnerabilities at the Source-Code Level
Security of Application Programming Interfaces
API Security Best Practices
Secure Coding Practices
Software-Defined Security
Summary
Index
EULA