Download cissp 11th hour pdf
Information security jobs include firewall engineers, penetration testers, auditors, and many more. This book is streamlined to include only core certification information and is presented for ease of last-minute studying. The main objectives of the exam are covered concisely, with the key concepts highlighted.

The CISSP certification is considered the most prestigious, globally recognized, vendor-neutral credential for information security professionals.

To participate, US organizations must voluntarily consent to data privacy principles that are consistent with the EU Data Protection Directive.

The primary focus of the Convention on Cybercrime is to establish standards in cybercrime policy in order to promote international cooperation in the investigation and prosecution of cybercrime. The treaty has been signed and subsequently ratified by a majority of the 47 European member countries, and the United States has also signed and ratified it.

In some cases, countries would prefer that their citizens be denied the use of any cryptosystems that their intelligence agencies cannot crack, and therefore those countries attempt to impose import restrictions on cryptographic technologies. During the Cold War, CoCom, the Coordinating Committee for Multilateral Export Controls, was a multinational agreement restricting the export of certain technologies, which included encryption, to many Communist countries.

After the Cold War, the Wassenaar Arrangement became the standard for export controls. This multinational agreement was far less restrictive than the former CoCom, but did still suggest significant limitations on the export of cryptographic algorithms and technologies to countries not included in the Wassenaar Arrangement.

The tremendous surge in outsourcing, especially the ongoing shift toward cloud services, has made contractual security measures much more prominent. Service level agreements (SLAs) are widely used for general performance expectations, but are increasingly leveraged for security purposes as well; SLAs primarily address availability. The service provider's goal is to provide evidence that it can and should be trusted.

Typically, a third party provides attestation after performing an audit of the service provider against a known baseline.

Leveraging the security department early and often can serve as a preventive control that allows the organization to make risk-based decisions even before a vendor or solution is accepted. Professionals performing this function will often be employed at both the originating organization and the third-party provider.

Acquisitions carry risk, and this is doubly true for information security. Due diligence includes performing vulnerability assessment and penetration testing of the acquired company before any merger of networks.

Divestitures can represent more risk than acquisitions and pose important questions like how will sensitive data be split up? It is quite common for formerly unified companies to split off and inadvertently maintain duplicate accounts and passwords within the two newly spun-off companies.

This allows former insider attacks, in which an employee of the formerly unified company hacks into a divested company by reusing old credentials. Similar risks exist with the reuse of physical security controls, including keys and badges.

All forms of access for former employees must be revoked.

Ethics are of paramount concern for information security professionals: because we are often trusted with highly sensitive information, our employers, clients, and customers must know that we will treat their information with the utmost integrity. The Hippocratic Oath, taken by doctors, is an example of a code of ethics.

The preamble is the introduction to the code; strict adherence to the Code is a condition of certification. The canons charge security professionals with the promotion of safe security practices and the improvement of the security of systems and infrastructure for the public good. One point detailed within this canon concerns laws from different jurisdictions that are found to be in conflict.

Another point made by this canon is the duty to provide prudent advice, cautioning the security professional against unnecessarily promoting fear, uncertainty, and doubt. An additional important consideration is to ensure that the professional has no conflict of interest in providing quality services. This canon also requires individuals to protect the integrity of the security profession by avoiding any association with those who might harm the profession.

If more than one answer to an ethics question seems equally ethical, choose the one mentioned first in the canons. The most ethical answer is usually the best, so hold yourself to a very high standard of ethics for questions posed during the exam.

The code is both short and fairly straightforward. Its commandments include: Thou shalt not use a computer to harm other people. Thou shalt not use a computer to steal. Thou shalt not use a computer to bear false witness. Thou shalt not copy or use proprietary software for which you have not paid. Thou shalt think about the social consequences of the program you are writing or the system you are designing. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

The RFC is short and easy to read, and it provides five basic ethical principles.

Policy is the organizational priority provided by senior leadership, and it is required for a successful information security program. Policy documents should be grounded in reality; they are not idealistic documents that sit on shelves collecting dust.

They should mirror the real world and provide guidance on the correct and sometimes required way of doing things. Policy is high level, and it does not delve into specifics. A server security policy would discuss protecting the confidentiality, integrity, and availability of the system, usually in those terms.

It may discuss software updates and patching, but a policy should not need to change as the technology does; other documents, like procedures, would change. Procedures are low level and specific. Like policies, procedures are mandatory. Here is a simple example procedure for creating a new user: receive a new-user request form and verify its completeness; verify that the user has read and agreed to the user account security policy; create the account and assign the proper role; and, as the final step, email the new account document to the user and their manager.

The steps of this procedure are mandatory. Security administrators do not have the option of skipping Step 1, for example, and creating an account without a form. Other safeguards depend on this procedure: the help desk cannot securely reset a user's password unless Step 5 was completed, because without the word established in that step, the help desk cannot securely reset the password. This mitigates the risk of social engineering attacks, in which an impostor tries to trick the help desk into resetting the password of an account he or she is not authorized to access.

Standards are mandatory. Not only do they lower the total cost of ownership (TCO) of a safeguard, but they also support disaster recovery. A system must meet the baseline described by the chosen hardening benchmarks.

Baselines are discretionary. It is acceptable to harden a system without following the aforementioned benchmarks, as long as it is at least as secure as a system hardened using them. Formal exceptions to baselines require senior management sign-off. See Table 1.

Table 1. excerpt: Step 2: Download patches from update server.

Personnel security also matters: background checks should be performed, contractors need to be securely managed, and users must be properly trained and made aware of security risks, as we will discuss next. Awareness changes user behavior, while training provides a skill set. Reminding users never to share accounts or write their passwords down is an example of awareness.

It is assumed that some users are doing the wrong thing, and awareness is designed to change that behavior. Security training teaches a user how to do something.

Examples include training new help desk personnel to open, modify, and close service tickets; training network engineers to configure a router, or training a security administrator to create a new account.

A background check includes a check of criminal records and verification of all experience, education, and certifications. Lying about or exaggerating education, certifications, and related credentials is one of the most common examples of dishonesty in the hiring process.

Beyond account revocation, termination should be a fair process. There are ethical and legal reasons for fair termination, but there is also an additional information security advantage.

Third-party personnel, such as contractors, are not direct employees, and they sometimes have access to systems at multiple organizations; this is especially true for IT personnel. Third-party personnel with access to sensitive data must be trained and made aware of risks, just as employees are. Background checks may also be required, depending on the level of access. Information security policies, procedures, and other guidance should apply to them as well, and additional policies regarding ownership of data and intellectual property should be developed.

Clear rules dictating where and when a third party may access or store data must be developed. Offshoring is outsourcing to another country. Outsourcing and offshoring may also enhance the IT resources available to a company (especially a small company), which can improve the confidentiality, integrity, and availability of data.

Offshoring can raise privacy and regulatory issues. Always consult with legal staff before offshoring data. Contracts must ensure that data is protected regardless of where it is located.

In this section, each type of access control is defined on the basis of how it adds to the security of the system. Administrative (also called directive) controls are implemented by creating and following organizational policy, procedure, or regulation.

User training and awareness also fall into this category. Technical controls are implemented using software, hardware, or firmware that restricts logical access on an IT system.

Examples include firewalls, routers, encryption, etc. Physical controls are implemented with physical devices, such as locks, fences, gates, and security guards.

A preventive control applies restrictions to what a potential user, either authorized or unauthorized, can do.

An example of an administrative preventive control is a preemployment drug screening. It is designed to prevent an organization from hiring an employee who is using illegal drugs. Examples of detective controls are intrusion detection systems that send alerts after a successful attack, closed-circuit television cameras that alert guards to an intruder, and a building alarm system that is triggered by an intruder.

Corrective controls typically work hand in hand with detective controls. Antivirus software has both components: first, the antivirus software runs a scan and uses its definition file to detect whether any software matches its virus list. If it detects a virus, the corrective control takes over and either places the suspicious software in quarantine or deletes it from the system.

Recovery controls restore the system after a loss, which involves reinstallation from OS media or an image, restoration of data from backups, etc.

A deterrent control discourages unwanted behavior; an example is a sanction policy that makes users understand they will be fired if they are caught surfing illicit or illegal websites. Another example is large fines for drivers who speed.

We must hold ourselves to a higher standard when judging risk. Our risk decisions will dictate which safeguards we should deploy in order to protect our assets, and the amount of money and resources we will spend doing so. Poor decisions will result in wasted money, or even worse, compromised data. Assets can be data, systems, people, buildings, property, and so forth. The value or critical nature of the asset will dictate what safeguards you deploy.

A vulnerability is a weakness that can allow a threat to cause harm. Examples of vulnerabilities are buildings that are not built to withstand earthquakes, a data center without proper backup power, or a Microsoft Windows 10 system that has not been patched in a long time.

The risk analysis matrix assigns a number to both threats and vulnerabilities. We will use a range of 1–5 (the range is arbitrary; whatever range you choose, keep it consistent when comparing different risks). Impact, or consequences, is the severity of the damage, sometimes expressed in dollars. Low risks are handled via normal processes; moderate risks require management notification; high risks require senior management notification; and extreme risks require immediate action, including a detailed mitigation plan and senior management notification.

Annualized loss expectancy (ALE) is the expected yearly cost of a risk. Once calculated, ALE allows you to make informed decisions to mitigate the risk. This section uses the example of risk due to lost or stolen unencrypted laptops. Assume your company has laptops that contain PII. You are the security officer, and you are concerned about the risk of exposure of PII due to lost or stolen laptops. You would like to purchase and deploy a laptop encryption solution. The solution is expensive, so you need to convince management that it is worthwhile.

Theft of unencrypted PII has occurred previously and has cost the company many times the value of the laptop in regulatory fines, bad publicity, legal fees, staff hours spent investigating, etc. Tangible assets, such as computers or buildings, are straightforward to calculate.

Intangible assets are more challenging: for example, what is the value of brand loyalty?

The annualized rate of occurrence (ARO) is the number of times a loss is expected per year. For example, when looking through past events, you discover that you have suffered 11 lost or stolen laptops per year on average, so your ARO is 11.

Total cost of ownership (TCO) combines upfront costs (often a one-time capital expense) plus the annual cost of maintenance, including staff hours, vendor maintenance fees, software subscriptions, etc. These ongoing costs are usually considered operational expenses. You estimate that it will take four staff hours per laptop to install the software, so the installation labor in staff hours is four times the number of laptops.

The math is summarized in Table 1. Implementing laptop encryption lowers the exposure factor (EF). The laptop encryption project has a positive return on investment (ROI) and is a wise investment.
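The ALE, TCO, and ROI arithmetic above, worked through in code. This is an added example written for this page, not code from the book; the only figures taken from the text are the ARO of 11 lost laptops per year, the four staff hours per laptop, and (for the DoS self-test scenario later on the page) an ARO of 7 attacks per year. The asset value of $25,000 per lost laptop, the fleet size, the staff rate, the encryption licence price, the safeguard's service life, the post-encryption exposure factor, the per-attack DoS loss, and the DoS service price are all assumptions chosen for illustration.

```python
"""Quantitative risk analysis: SLE, ALE, annualised TCO and safeguard ROI.

All monetary figures below are ASSUMED for illustration (constructed for this
example). The only values taken from the text are the ARO of 11 lost laptops
per year, the four staff hours per laptop, and the ARO of 7 DoS attacks per year.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: value lost if the event fully materialises ($)
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 to 1.0
    aro: float              # ARO: expected occurrences per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: cost of one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: expected cost per year (SLE x ARO)."""
        return self.sle * self.aro


def annual_tco(upfront: float, annual_opex: float, years: int) -> float:
    """Spread a one-time capital expense over the safeguard's service life and
    add the recurring operational expenses (staff time, maintenance, subscriptions)."""
    if years < 1:
        raise ValueError("years must be >= 1")
    return upfront / years + annual_opex


def safeguard_roi(before: Risk, after: Risk, tco_per_year: float) -> float:
    """Annual return on a safeguard: the ALE it removes minus its annual TCO.
    Positive means the safeguard pays for itself; negative means it is cheaper
    to accept the risk or to find a less expensive mitigation."""
    return (before.ale - after.ale) - tco_per_year


# Scenario 1: unencrypted laptops carrying PII (assumed figures, ARO from text)
LAPTOPS = 1000            # assumed fleet size
STAFF_RATE = 50.0         # assumed loaded cost per staff hour ($)
INSTALL_HOURS = 4         # from the text: four staff hours per laptop
LICENCE_PER_LAPTOP = 100  # assumed one-time licence cost per laptop ($)
SAFEGUARD_LIFE = 3        # assumed years before the solution is replaced

laptop_before = Risk(asset_value=25_000, exposure_factor=1.0, aro=11)  # AV assumed
laptop_after = Risk(asset_value=25_000, exposure_factor=0.1, aro=11)   # EF after encryption assumed
laptop_tco = annual_tco(
    upfront=LAPTOPS * (LICENCE_PER_LAPTOP + INSTALL_HOURS * STAFF_RATE),
    annual_opex=20_000,  # assumed vendor maintenance plus administration time
    years=SAFEGUARD_LIFE,
)

# Scenario 2: DoS mitigation service (assumed figures, ARO of 7 from the text)
dos_before = Risk(asset_value=10_000, exposure_factor=1.0, aro=7)
dos_after = Risk(asset_value=10_000, exposure_factor=0.0, aro=7)  # service assumed to stop attacks
dos_tco = annual_tco(upfront=0, annual_opex=100_000, years=1)    # assumed subscription price


def laptop_roi() -> float:
    """ROI of the laptop encryption project under the assumptions above."""
    return safeguard_roi(laptop_before, laptop_after, laptop_tco)


def dos_roi() -> float:
    """ROI of the DoS mitigation service under the assumptions above."""
    return safeguard_roi(dos_before, dos_after, dos_tco)


if __name__ == "__main__":
    scenarios = (
        ("laptop encryption", laptop_before, laptop_after, laptop_tco, laptop_roi()),
        ("DoS mitigation service", dos_before, dos_after, dos_tco, dos_roi()),
    )
    for name, before, after, tco, roi in scenarios:
        verdict = "worthwhile" if roi > 0 else "not worthwhile: accept the risk or find a cheaper control"
        print(f"{name}: ALE ${before.ale:,.0f} -> ${after.ale:,.0f}, "
              f"annual TCO ${tco:,.0f}, ROI ${roi:,.0f} ({verdict})")
```

Run it to print both scenarios: the laptop project removes far more ALE than it costs per year, while the DoS service costs more per year than the ALE it removes, so accepting the risk or finding a cheaper mitigation is the better decision. Note that safeguard_roi uses the difference in ALE, not the raw ALE: a control that lowers neither EF nor ARO has no return, however cheap it is.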

Metrics can greatly assist the information security budgeting process. They help illustrate potentially costly risks and demonstrate the effectiveness and potential cost savings of existing controls. They can also help champion the cause of information security. Options include accepting the risk, mitigating or eliminating the risk, transferring the risk, and avoiding the risk.

In some cases, it is cheaper to leave an asset unprotected due to a specific risk, rather than make the effort and spend the money required to protect it. This cannot be an ignorant decision; all options must be considered before accepting the risk. High and extreme risks cannot be accepted. There are cases where accepting the risk is not an option, such as data protected by laws or regulations and risk to human life or safety.

Lowering risk is also called risk reduction, and the process of lowering risk is also called reduction analysis. The laptop encryption example given in the previous ALE section is an example of mitigating the risk.

The risk of lost PII due to stolen laptops was mitigated by encrypting the data on the laptops. The risk has not been eliminated entirely; a weak or exposed encryption password could expose the PII, but the risk has been reduced to an acceptable level. In some cases, it is possible to remove specific risks entirely; this is called eliminating the risk.

Transferring the risk is the insurance model: most homeowners do not assume the risk of fire for their houses; they pay an insurance company to assume that risk for them. Insurance companies are experts in risk analysis; buying risk is their business.

If the risk analysis discovers high or extreme risks that cannot be easily mitigated, avoiding the risk and the project may be the best option. Quantitative is more objective; qualitative is more subjective. Hybrid risk analysis combines the two by using quantitative analysis for risks that may be easily expressed in hard numbers, such as money, and qualitative analysis for the remainder. Calculating the ALE is an example of quantitative risk analysis.

The risk analysis matrix shown previously in Table 1. is an example of qualitative risk analysis. The guide describes a nine-step risk analysis process:

1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation

Information systems may be attacked by a variety of attackers, ranging from script kiddies to worms to militarized attacks. Attackers may use a variety of methods in their attempts to compromise the confidentiality, integrity, and availability of systems. The term hacker originally described a nonmalicious explorer who used technologies in ways their creators did not intend.

A hacktivist is a hacker activist who attacks computer systems for political reasons. Script kiddies attack computer systems with tools of which they have little or no understanding.

The outsider seeks to gain unauthorized access. Outsiders launch the majority of attacks, but most are usually mitigated by defense-in-depth perimeter controls. An insider attack may be intentional or accidental. Insider attackers range from poorly trained administrators who make mistakes to malicious individuals who intentionally compromise the security of systems. An authorized insider who attacks a system may be in a position to cause significant impact.

The term zombie is sometimes used to describe a bot. Phishing is a social engineering attack that sometimes includes other attacks, including client-side attacks. Users who click links in phishing emails may be subject to client-side attacks and theft of credentials. Simply visiting a phishing site is dangerous; the client may be automatically compromised.

Governance helps ensure that a company has the proper administrative controls to mitigate risk.

Risk analysis helps ensure that an organization properly identifies, analyzes, and mitigates risk. An understanding and appreciation of legal systems, concepts, and terms are required of an information security practitioner working in the information-centric world today. The impact of the ubiquity of information systems on legal systems cannot be overstated. Whether the major legal system is civil, common, religious, or a hybrid, information systems have made a lasting impact on legal systems throughout the world, causing the creation of new laws and reinterpretation of existing laws, as well as a new appreciation for the unique aspects that computers bring to the courts.

Finally, the nature of information security and the inherent sensitivity therein makes ethical frameworks an additional point requiring attention.

Self-test scenario: you suffer seven DoS attacks on average per year. You have tested a DoS mitigation service and believe it will mitigate the attacks. What is the ARO in the above scenario? Is the DoS mitigation service a good investment?

Drag and drop: identify from the list below the items that can be classified as objects. Drag and drop the objects from left to right (Fig.).

Correct answer and explanation: C. The ARO is the number of attacks in a year. Incorrect answers and explanations: Answers A, B, and D are incorrect.

Correct answer and explanation: D. The annual TCO of the service is higher than the ALE it would remove, not lower. This means it is less expensive to accept the risk of DoS attacks or to find a less expensive mitigation strategy. Incorrect answers and explanations: Answers A, B, and C are incorrect.

Correct answer and explanation: A. Incorrect answers and explanations: Answers B, C, and D are incorrect.

The eight domains are covered completely and as concisely as possible, allowing users to ace the exam. Each domain has its own chapter that includes a specially designed pedagogy to help users pass the exam, including clearly stated exam objectives, unique terms and definitions, exam warnings, "learning by example" modules, hands-on exercises, and chapter-ending questions. It provides the most complete and effective study guide to prepare users for passing the CISSP exam, giving them exactly what they need to pass the test. Authored by Eric Conrad, who has prepared hundreds of professionals for passing the CISSP exam through SANS, a popular and well-known organization for information security professionals. Covers all of the new information in the Common Body of Knowledge updated in January, and also provides two exams, tiered end-of-chapter questions for a gradual learning curve, and a complete self-test appendix.

The only official, comprehensive reference guide to the CISSP. All new, this is the authoritative Common Body of Knowledge (CBK) from (ISC)² for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks.

Totally updated, here's the ultimate study guide for the CISSP exam. Considered the most desired certification for IT security professionals, the Certified Information Systems Security Professional designation is also a career booster.

This comprehensive study guide covers every aspect of the exam and the latest revision of the CISSP body of knowledge. It offers advice on how to pass each section of the exam and features expanded coverage of biometrics, auditing and accountability, software security testing, and other key topics. Included is a CD with two full-length sample exams to test your progress.

CISSP certification identifies the ultimate IT security professional; this complete study guide is fully updated to cover all the objectives of the CISSP exam. It provides in-depth knowledge of access control, application development security, business continuity and disaster recovery planning, cryptography, information security governance and risk management, operations security, physical (environmental) security, security architecture and design, and telecommunications and network security, and it also covers legal, regulatory, investigation, and compliance topics. Two practice exams and challenging review questions are included on the CD. Professionals seeking the CISSP certification will boost their chances of success with CISSP: Certified Information Systems Security Professional Study Guide, 5th Edition.

The book's 14 chapters provide in-depth discussions of the following topics: systems security; operating system hardening; application security; virtualization technologies; network security; wireless networks; network access; network authentication; risk assessment and risk mitigation; general cryptographic concepts; public key infrastructure; redundancy planning; environmental controls and implementing disaster recovery and incident response procedures; and legislation and organizational policies.

Each chapter includes information on exam objectives, exam warnings, and the top five toughest questions along with their answers. It is the only book keyed to the new SY objectives that has been crafted for last-minute cramming. Easy-to-find, essential material with no fluff: this book does not talk about security in general, just how it applies to the test. It includes a review of the five toughest questions by topic, sure to improve your score.

Using 25 CISSP practice questions with detailed explanations, this book will attempt to answer how to think like a member of a senior management team who has the goal of balancing risk, cost, and most of all, human life. The questions will take you through how to resist thinking from a technical perspective to one that is more holistic of the entire organization.

Like all of Study Notes and Theory's CISSP practice questions, these questions correlate multiple high-level security concepts and require thinking like a manager. Extracting the most value comes from understanding not only which choice is correct, but more importantly, why the other choices are wrong.

As an information security professional, it is essential to stay current on the latest advances in technology and the proliferation of security threats. Numerous illustrated examples and practical exercises are included in this book to demonstrate concepts and real-life scenarios.

Earning your CISSP is a respected achievement that validates your knowledge, skills, and experience in building and managing the security posture of your organization, and it provides you with membership in an elite network of professionals worldwide. In each section, it defines each domain.

Reader comments:

Then I dived a little deeper into the Study Guide the rest of the week and did the review questions at the end of each domain.

All I studied here was the Summary, the Exam Essentials, and some specific topics I wasn't comfortable with (2 days).

Author: Eric Conrad. Publisher: Elsevier Science. File name: 11th hour cissp 3rd edition.