Simple CISSP
Introduction to the book "Simple CISSP" by Phil Martin, published by Createspace Independent Publishing Platform in 2016. The book is provided as a PDF, in English. "Simple CISSP" is filed under "Uncategorized".
The CISSP certification is the gold standard for security professionals. This exam resource is up to date for the 2015 CISSP Common Body of Knowledge created by ISC2. SIMPLE CISSP has been intentionally kept as brief as possible without the 'fluff' many other tomes include. In the appendix is a complete outline of each domain including all terms and concepts that you will need to know for the exam. Each outline follows the chapters exactly so you can easily find more detail on each topic when you need to.

Table of Contents

About the Author
About the Exam
What's in This Book
How to Use This Book

Security and Risk Management Domain
CIA
AAA
From Vulnerability to Exposure
Administrative, Technical and Physical Controls
Security Frameworks
ISO 27000 Series
Enterprise Architecture Development
Zachman
The Open-Group Architecture Framework
Department of Defense Architecture Framework
Ministry of Defence Architecture Framework
Sherwood Applied Business Security Architecture
Architecture Framework Terms
Strategic Alignment
Business Enablement
Process Enhancement
Security Effectiveness
Frameworks for Implementation
COBIT
NIST SP 800-53
COSO
Process Development
ITIL
Six Sigma
Capability Maturity Model Integration
The Process Life Cycle
Computer Crime Law
Law
Computer Crime
OECD
Safe Harbor
Import and Export Law
Types of Legal Systems
Civil (Code) Law System
Common Law System
Criminal
Civil/Tort
Administrative
Customary Law System
Religious Law System
Mixed Law System
Intellectual Property
Trade Secret
Copyright
Trademark
Patent
Protection of Intellectual Property
Privacy
Federal Privacy Act of 1974
Federal Information Security Management Act of 2002
Department of Veterans Affairs Information Security Protection Act
Health Insurance Portability and Accountability Act
Health Information Technology for Economic and Clinical Health Act (HITECH)
USA Patriot Act
Gramm-Leach-Bliley Act
Personal Information Protection and Electronic Documents Act
Payment Card Industry Data Security Standard
Economic Espionage Act of 1996
International Data Breaches
Policies, Standards, Baselines, Guidelines and Procedures
Policies
Standards
Baselines
Guidelines
Procedures
All About Risk Management
Information Systems Risk Management
The Risk Management Team
The Risk Management Process
Modeling Threats
Vulnerabilities
Information
Processes
People
Threats
Attacks
Reduction Analysis
Assessing and Analyzing Risk
Risk Analysis Team
Calculating Value
Identifying Vulnerabilities and Threats
Methodologies for Risk Assessment
Risk Analysis Approaches
Quantitative Risk Analysis
Qualitative Risk Analysis
Protection Mechanisms
Total Risk vs. Residual Risk
Outsourcing
Managing Risk
Categorize Information System
Select Security Controls
Implement Security Controls
Assess Security Controls
Authorize Information System
Monitor Security Controls
Business Continuity and Disaster Recovery
Standards and Best Practices
Making BCM Part of the Enterprise Security Program
BCP Project Components
Personnel Security
Hiring Practices
Termination
Security-Awareness Training
Security Governance
Ethics

Asset Security Domain
Information Life Cycle
Acquisition
Use
Archival
Disposal
Information Classification
Classification Levels
Classification Controls
Layers of Responsibility
Executive Management
Data Owner
Data Custodian
System Owner
Security Administrator
Supervisor
Change Control Analyst
Data Analyst
User
Auditor
Retention Policies
Protecting Privacy
Data Owners
Data Processors
Data Remanence
Limits on Collection
Protecting Assets
Data Security Controls
Media Controls
Data Leakage
Data Leak Prevention
Implementation, Testing and Tuning
Network DLP
Endpoint DLP
Hybrid DLP
Protecting Other Assets
Protecting Mobile Devices
Paper Records
Safes

Security Engineering Domain
System Architecture
Computer Architecture
The Central Processing Unit
Multiprocessing
Memory Types
Random Access Memory
Read-Only Memory
Cache Memory
Memory Mapping
Buffer Overflows
Memory Leaks
Operating Systems
Process Management
Thread Management
Process Activity
Memory Management
Virtual Memory
Input/Output Device Management
CPU Architecture Integration
Operating System Architectures
Virtual Machines
System Security Architecture
Security Policy
Security Architecture Requirements
Trusted Computer Base
Security Perimeter
Reference Monitor
Security Kernel
Security Models
Bell-LaPadula Model
Biba Model
Clark-Wilson Model
Noninterference Model
Brewer and Nash Model
Graham-Denning Model
Harrison-Ruzzo-Ullman Model
Recap
Systems Evaluation
Certification vs. Accreditation
Open vs. Closed Systems
Distributed System Security
Cloud Computing
Parallel Computing
Databases
Web Applications
Mobile Devices
Cyber-Physical Systems
Industrial Control Systems
A Few Threats to Review
The History of Cryptography
Cryptography Definitions and Concepts
Kerckhoff's Principle
The Strength of the Cryptosystem
Services of Cryptosystems
One-Time Pad
Running and Concealment Ciphers
Steganography
Types of Ciphers
Methods of Encryption
Symmetric Cryptography
Asymmetric Cryptography
Block Ciphers
Stream Ciphers
Block vs. Stream Ciphers
Initialization Vectors
Strong Encryption Algorithm Techniques
Recap
Types of Symmetric Systems
Data Encryption Standard
Triple-DES
Advanced Encryption Standard
International Data Encryption Algorithm
Blowfish
RC4
RC5
RC6
Types of Asymmetric Systems
Diffie-Hellman Algorithm
RSA
El Gamal
Elliptic Curve Cryptosystems
Knapsack
Zero Knowledge Proof
Message Integrity
The One-Way Hash
HMAC
CBC-MAC
Cipher-Based Message Authentication Code
MD4
MD5
SHA
Attacks Against One-Way Hash Functions
Digital Signatures
Digital Signature Standard
Public Key Infrastructure
Certificate Authorities
Certificates
PKI Steps
Key Management
Trusted Platform Module
Attacks on Cryptography
Ciphertext-Only Attacks
Known-Plaintext Attacks
Chosen-Plaintext Attacks
Chosen-Ciphertext Attacks
Differential Cryptanalysis
Linear Cryptanalysis
Side-Channel Attacks
Replay Attacks
Analytical Attacks
Social Engineering Attacks
Meet-in-the-Middle Attacks
Site and Facility Security
The Site Planning Process
Crime Prevention Through Environmental Design
Natural Access Control
Natural Surveillance
Natural Territory Reinforcement
Designing a Physical Security Program
Facility Construction
Entry Points
Computer and Equipment Rooms
Protecting Assets
Protecting Mobile Devices
Using Safes
Internal Support Systems
Electric Power
Environmental Issues
Fire Control
Fire Prevention
Fire Detection
Fire Suppression

Communication and Network Security Domain
Telecommunications
Open Systems Interconnection Reference Model
Protocol
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
Functions and Protocols in the OSI Model
Application
Presentation
Session
Transport
Network
Data Link
Physical
Other Protocols
TCP/IP
TCP/IP Model
TCP and UDP
The TCP Handshake
Ports
IPv4
IPv6
Layer 2 Security Standards
Converged Protocols
Types of Transmission
Analog and Digital
Asynchronous and Synchronous
Broadband and Baseband
Pulling It All Together (So Far)
Cabling
Coaxial Cable
Twisted-Pair Cable
Fiber-Optic Cable
Cabling Problems
Networking Topologies
Media Access Technologies
Token Passing
CSMA
Polling
Ethernet
Token Ring
FDDI
Transmission Methods
Network Protocols and Services
Address Resolution Protocol
Dynamic Host Configuration Protocol
Internet Control Message Protocol
Simple Network Management Protocol
Domain Name Service
E-Mail Services
Network Address Translation
Routing Protocols
Networking Devices
Repeaters, Hubs, Bridges, Switches and Routers
Gateways
PBXs
Firewalls
Packet-Filtering
Stateful
Proxy
Dynamic Packet-Filtering
Kernel Proxy
Next-Generation
Firewall Architectures
Proxy Servers
Honeypots and Tarpits
Unified Threat Management
Content Distribution Networks
Software Defined Networking
Intranets and Extranets
Local Area Networks
Wide Area Networks
Metropolitan Area Networks
Multiservice Access Technologies
Remote Connectivity
Communication Options
VPNs
Authentication Protocols
Wireless Networks
Wireless Communication Techniques
WLAN Architecture
Wireless Standards
Other Wireless Networks
Network Encryption
Link and End-to-End Encryption
Email Encryption
Internet Security
Network Attacks
Denial of Service
Ransomware
Sniffing
DNS Hijacking
Drive-by Download

Identity and Access Management Domain
Security Principles
Identification, Authentication, Authorization, and Accountability
Identity
Identity Management
Directories
Web Access Management
Authentication
Managing Passwords
Self-Service Password Reset
Assisted Password Reset
Single Sign-On
Managing Accounts
Biometrics
Passwords
Cards
Authorization
Access Criteria
Default to No Access
Kerberos
Security Domains
Federation
Access Control and Markup Languages
OpenID
Identity Services
Access Control Models
Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
Rule-Based Access Control
Access Control Techniques and Technologies
Access Control Administration
Centralized Access Control Administration
Decentralized Access Control Administration
Access Control Methods
Accountability
Implementing Access Control
Monitoring and Reacting to Access Control
Threats to Access Control

Security Assessment and Testing Domain
Audit Strategies
The Process
Internal Audit Teams
Third-Party (External) Audit Teams
Service Organization Controls
Auditing Technical Controls
Vulnerability Testing
Penetration Testing
War Dialing
Postmortem
Log Reviews
Synthetic Transactions
Misuse Case Testing
Code Reviews
Interface Testing
Auditing Administration Controls
Account Management
Backup Verification
Disaster Recovery and Business Continuity
Security Training and Security Awareness Training
Key Performance and Risk Indicators
Reporting
Technical Reporting
Executive Summaries
Management Review

Security Operations Domain
Operations Department Roles
Administrative Management
Security and Network Personnel
Accountability
Clipping Levels
Assurance Levels
Operational Responsibilities
Configuration Management
Physical Security
Locks
Personnel Access Controls
External Boundary Protection Mechanisms
Fences
Lighting
Surveillance Devices
Intrusion Detection Systems
Patrol Force and Guards
Auditing Physical Access
Secure Resource Provisioning
Network and Resource Availability
Preventative Measures
Managing Incidents
Disaster Recovery
Business Process Recovery
Facility Recovery
Supply and Technology Recovery
Choosing a Software Backup Facility
End-User Environment
Data Backup Alternatives
Electronic Backup Solutions
High Availability
Insurance
Recovery and Restoration
Developing Goals for the Plans
Implementing Strategies
Investigations
Computer Forensics and Proper Collection of Evidence
Motive, Opportunity and Means
Computer Criminal Behavior
Incident Investigators
The Forensic Investigation Process
What is Admissible in Court?
Surveillance, Search and Seizure
Interviewing Suspects
Liability and Its Ramifications

Software Development Security Domain
Defining Good Code
Where Do We Place Security?
Environment vs. Application
Implementation and Default Issues
Software Development Life Cycle
Project Management
Requirements Gathering Phase
Design Phase
Development Phase
Testing/Validation Phase
Release/Maintenance Phase
Software Development Models
Integrated Product Team
Capability Maturity Model Integration
Change Control
Programming Languages and Concepts
Assemblers, Compilers, Interpreters
Object-Oriented Concepts
Distributed Computing
Distributed Computing Environment
CORBA and ORBs
COM and DCOM
Java Platform, Enterprise Edition
Service-Oriented Architecture
Mobile Code
Web Security
Administrative Interfaces
Authentication and Access Control
Input Validation
Parameter Validation
Session Management
Web Application Security Best Practices
Database Management
Database Management Software
Database Models
Database Programming Interfaces
Relational Database Components
Integrity
Data Warehousing and Data Mining
Malicious Software (Malware)
Viruses
Worms
Rootkit
Spyware and Adware
Botnets
Logic Bombs
Trojan Horses
Spam Detection
Antimalware Programs

Appendix
Security and Risk Management Domain Outline
Asset Security Domain Outline
Security Engineering Domain Outline
Communication and Network Security Domain Outline
Identity and Access Management Domain Outline
Security Assessment and Testing Domain Outline
Security Operations Domain Outline
Software Development Security Domain Outline

Index
Download the book Simple CISSP