(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

Paperback, language: English
68,30 €
incl. VAT, free shipping!
Only 2 left in stock

Product details

Publisher: Wiley & Sons
Edition: 2024
Pages: 1248
Format: 19,0 x 4,8 x 23,7 cm
Weight: 1978 g
Item type: English-language book
Series: Sybex Study Guide
EAN: 9781394254699
Order no.: 39425469UA

Product description

Your Complete Guide to Preparing for the CISSP Certification, Updated for the CISSP 2024 Objectives

The ISC2® CISSP® Certified Information Systems Security Professional Official Study Guide, 10th Edition is your one-stop resource for complete coverage of the 2024 CISSP objectives. You'll prepare for the exam smarter and faster with Sybex thanks to superior content including: an introductory assessment test that checks your readiness, objective map, written labs, key topic study essentials, and challenging chapter review questions. Reinforce what you have learned with the exclusive Sybex online learning environment and test bank. Get prepared to prove your CISSP knowledge with Sybex.

Coverage of all CISSP Detailed Content Outline objectives in this Study Guide means you'll be ready for:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

Interactive learning environment:

Take your certification prep to the next level with Sybex's superior interactive online study tools. To access our learning environment, simply visit www.wiley.com/go/sybextestprep, register to receive your unique PIN, and instantly gain one year of FREE access to:

  • Interactive test bank with four additional practice exams, each with 125 unique questions. Practice exams help you identify areas where further review is needed.
  • More than 2 hours of audio review read by author Mike Chapple.
  • More than 1,000 electronic flashcards to reinforce learning and last minute prep.
  • Comprehensive glossary in PDF format gives you instant access to the key terms so you are fully prepared.

ABOUT THE CISSP CERTIFICATION

The CISSP is the most globally recognized certification in the information security market. This vendor-neutral certification validates an information security professional's deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization. ISC2 is a global nonprofit organization that maintains the Common Body of Knowledge for information security professionals. Candidates must have experience, subscribe to the ISC2 Code of Ethics, and maintain continuing education requirements or recertify every three years. Visit www.isc2.org to learn more.


Contents:

Introduction xxxv

Assessment Test lx

Chapter 1 Security Governance Through Principles and Policies 1

Security 101 3

Understand and Apply Security Concepts 4

Security Boundaries 13

Evaluate and Apply Security Governance Principles 14

Manage the Security Function 16

Security Policy, Standards, Procedures, and Guidelines 27

Threat Modeling 29

Supply Chain Risk Management 35

Summary 38

Study Essentials 39

Written Lab 41

Review Questions 42

Chapter 2 Personnel Security and Risk Management Concepts 49

Personnel Security Policies and Procedures 51

Understand and Apply Risk Management Concepts 60

Social Engineering 90

Establish and Maintain a Security Awareness, Education, and Training Program 106

Summary 110

Study Essentials 111

Written Lab 114

Review Questions 115

Chapter 3 Business Continuity Planning 121

Planning for Business Continuity 122

Project Scope and Planning 123

Business Impact Analysis 131

Continuity Planning 137

Plan Approval and Implementation 140

Summary 145

Study Essentials 145

Written Lab 146

Review Questions 147

Chapter 4 Laws, Regulations, and Compliance 151

Categories of Laws 152

Laws 155

State Privacy Laws 179

Compliance 179

Contracting and Procurement 181

Summary 182

Study Essentials 182

Written Lab 184

Review Questions 185

Chapter 5 Protecting Security of Assets 189

Identifying and Classifying Information and Assets 190

Establishing Information and Asset Handling Requirements 198

Data Protection Methods 208

Understanding Data Roles 214

Using Security Baselines 216

Summary 219

Study Essentials 220

Written Lab 221

Review Questions 222

Chapter 6 Cryptography and Symmetric Key Algorithms 227

Cryptographic Foundations 228

Modern Cryptography 246

Symmetric Cryptography 253

Cryptographic Life Cycle 263

Summary 264

Study Essentials 264

Written Lab 266

Review Questions 267

Chapter 7 PKI and Cryptographic Applications 271

Asymmetric Cryptography 272

Hash Functions 279

Digital Signatures 283

Public Key Infrastructure 286

Asymmetric Key Management 292

Hybrid Cryptography 293

Applied Cryptography 294

Cryptographic Attacks 306

Summary 309

Study Essentials 310

Written Lab 311

Review Questions 312

Chapter 8 Principles of Security Models, Design, and Capabilities 317

Secure Design Principles 319

Techniques for Ensuring CIA 330

Understand the Fundamental Concepts of Security Models 332

Select Controls Based on Systems Security Requirements 345

Understand Security Capabilities of Information Systems 349

Summary 352

Study Essentials 353

Written Lab 354

Review Questions 355

Chapter 9 Security Vulnerabilities, Threats, and Countermeasures 359

Shared Responsibility 360

Data Localization and Data Sovereignty 362

Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 363

Client-Based Systems 378

Server-Based Systems 381

Industrial Control Systems 384

Distributed Systems 386

High-Performance Computing (HPC) Systems 387

Real-Time Operating Systems 388

Internet of Things 389

Edge and Fog Computing 390

Embedded Devices and Cyber-Physical Systems 391

Microservices 396

Infrastructure as Code 397

Immutable Architecture 398

Virtualized Systems 399

Containerization 406

Mobile Devices 407

Essential Security Protection Mechanisms 424

Common Security Architecture Flaws and Issues 427

Summary 431

Study Essentials 432

Written Lab 436

Review Questions 437

Chapter 10 Physical Security Requirements 443

Apply Security Principles to Site and Facility Design 444

Implement Site and Facility Security Controls 449

Implement and Manage Physical Security 473

Summary 480

Study Essentials 481

Written Lab 484

Review Questions 485

Chapter 11 Secure Network Architecture and Components 491

OSI Model 493

TCP/IP Model 501

Analyzing Network Traffic 502

Common Application Layer Protocols 503

Transport Layer Protocols 504

Domain Name System 506

Internet Protocol (IP) Networking 512

ARP Concerns 516

Secure Communication Protocols 517

Implications of Multilayer Protocols 518

Segmentation 523

Edge Networks 526

Wireless Networks 527

Satellite Communications 543

Cellular Networks 544

Content Distribution Networks (CDNs) 544

Secure Network Components 545

Summary 572

Study Essentials 573

Written Lab 575

Review Questions 576

Chapter 12 Secure Communications and Network Attacks 581

Protocol Security Mechanisms 582

Secure Voice Communications 587

Remote Access Security Management 591

Multimedia Collaboration 595

Monitoring and Management 597

Load Balancing 597

Manage Email Security 600

Virtual Private Network 606

Switching and Virtual LANs 613

Network Address Translation 617

Third-Party Connectivity 622

Switching Technologies 624

WAN Technologies 626

Fiber-Optic Links 629

Prevent or Mitigate Network Attacks 630

Summary 631

Study Essentials 632

Written Lab 635

Review Questions 636

Chapter 13 Managing Identity and Authentication 641

Controlling Access to Assets 643

The AAA Model 645

Implementing Identity Management 662

Managing the Identity and Access Provisioning Life Cycle 668

Summary 672

Study Essentials 672

Written Lab 675

Review Questions 676

Chapter 14 Controlling and Monitoring Access 681

Comparing Access Control Models 682

Implementing Authentication Systems 694

Zero-Trust Access Policy Enforcement 702

Understanding Access Control Attacks 703

Summary 719

Study Essentials 720

Written Lab 721

Review Questions 722

Chapter 15 Security Assessment and Testing 727

Building a Security Assessment and Testing Program 729

Performing Vulnerability Assessments 735

Testing Your Software 750

Training and Exercises 758

Implementing Security Management Processes and Collecting Security Process Data 759

Summary 762

Exam Essentials 763

Written Lab 764

Review Questions 765

Chapter 16 Managing Security Operations 769

Apply Foundational Security Operations Concepts 771

Address Personnel Safety and Security 778

Provision Information and Assets Securely 780

Managed Services in the Cloud 786

Perform Configuration Management (CM) 790

Manage Change 793

Manage Patches and Reduce Vulnerabilities 797

Summary 801

Study Essentials 802

Written Lab 804

Review Questions 805

Chapter 17 Preventing and Responding to Incidents 809

Conducting Incident Management 811

Implementing Detection and Preventive Measures 818

Logging and Monitoring 842

Automating Incident Response 854

Summary 860

Study Essentials 860

Written Lab 863

Review Questions 864

Chapter 18 Disaster Recovery Planning 869

The Nature of Disaster 871

Understand System Resilience, High Availability, and Fault Tolerance 883

Recovery Strategy 888

Recovery Plan Development 898

Training, Awareness, and Documentation 906

Testing and Maintenance 907

Summary 911

Study Essentials 912

Written Lab 913

Review Questions 914

Chapter 19 Investigations and Ethics 919

Investigations 920

Major Categories of Computer Crime 934

Ethics 940

Summary 944

Study Essentials 945

Written Lab 946

Review Questions 947

Chapter 20 Software Development Security 951

Introducing Systems Development Controls 953

Establishing Databases and Data Warehousing 984

Storage Threats 994

Understanding Knowledge Based Systems 995

Summary 998

Study Essentials 998

Written Lab 1000

Review Questions 1001

Chapter 21 Malicious Code and Application Attacks 1005

Malware 1006

Malware Prevention 1018

Application Attacks 1021

Injection Vulnerabilities 1024

Exploiting Authorization Vulnerabilities 1030

Exploiting Web Application Vulnerabilities 1033

Application Security Controls 1038

Secure Coding Practices 1044

Summary 1048

Study Essentials 1048

Written Lab 1049

Review Questions 1050

Appendix A Answers to Review Questions 1055

Chapter 1: Security Governance Through Principles and Policies 1056

Chapter 2: Personnel Security and Risk Management Concepts 1059

Chapter 3: Business Continuity Planning 1063

Chapter 4: Laws, Regulations, and Compliance 1065

Chapter 5: Protecting Security of Assets 1068

Chapter 6: Cryptography and Symmetric Key Algorithms 1070

Chapter 7: PKI and Cryptographic Applications 1072

Chapter 8: Principles of Security Models, Design, and Capabilities 1074

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 1077

Chapter 10: Physical Security Requirements 1082

Chapter 11: Secure Network Architecture and Components 1085

Chapter 12: Secure Communications and Network Attacks 1089

Chapter 13: Managing Identity and Authentication 1092

Chapter 14: Controlling and Monitoring Access 1095

Chapter 15: Security Assessment and Testing 1097

Chapter 16: Managing Security Operations 1099

Chapter 17: Preventing and Responding to Incidents 1102

Chapter 18: Disaster Recovery Planning 1104

Chapter 19: Investigations and Ethics 1106

Chapter 20: Software Development Security 1108

Chapter 21: Malicious Code and Application Attacks 1111

Appendix B Answers to Written Labs 1115

Chapter 1: Security Governance Through Principles and Policies 1116

Chapter 2: Personnel Security and Risk Management Concepts 1116

Chapter 3: Business Continuity Planning 1117

Chapter 4: Laws, Regulations, and Compliance 1118

Chapter 5: Protecting Security of Assets 1119

Chapter 6: Cryptography and Symmetric Key Algorithms 1119

Chapter 7: PKI and Cryptographic Applications 1120

Chapter 8: Principles of Security Models, Design, and Capabilities 1121

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 1121

Chapter 10: Physical Security Requirements 1123

Chapter 11: Secure Network Architecture and Components 1124

Chapter 12: Secure Communications and Network Attacks 1125

Chapter 13: Managing Identity and Authentication 1126

Chapter 14: Controlling and Monitoring Access 1127

Chapter 15: Security Assessment and Testing 1127

Chapter 16: Managing Security Operations 1128

Chapter 17: Preventing and Responding to Incidents 1129

Chapter 18: Disaster Recovery Planning 1130

Chapter 19: Investigations and Ethics 1131

Chapter 20: Software Development Security 1131

Chapter 21: Malicious Code and Application Attacks 1131

Index 1133
