
Details

Author(s) / Contributors
Title
CISSP® study guide
Edition
4th ed
Place / Publisher
Cambridge, Massachusetts : Syngress is an imprint of Elsevier,
Year of publication
[2023]
Link to full text
Descriptions/Notes
  • Includes index.
  • Intro -- CISSP® Study Guide -- Copyright -- Contents -- About the authors -- Chapter 1: Introduction -- How to Prepare for the Exam -- The CISSP Exam Is a Management Exam -- The 2021 Update -- The Notes Card Approach -- Practice Tests -- Read the Glossary -- Readiness Checklist -- How to Take the Exam -- Steps to Becoming a CISSP -- Computer-Based Testing (CBT) -- CISSP CAT -- Taking the Exam -- After the Exam -- Good Luck! -- References -- Chapter 2: Domain 1: Security and Risk Management -- Unique Terms and Definitions -- Introduction -- Cornerstone Information Security Concepts -- Confidentiality, Integrity, and Availability -- Confidentiality -- Integrity -- Availability -- Tension Between the Concepts -- Disclosure, Alteration, and Destruction -- Identity and Authentication, Authorization, and Accountability (AAA) -- Identity and Authentication -- Authorization -- Accountability -- Non-repudiation -- Least Privilege and Need to Know -- Subjects and Objects -- Defense-in-Depth -- Due Care and Due Diligence -- Gross Negligence -- Legal and Regulatory Issues -- Compliance With Laws and Regulations -- Major Legal Systems -- Civil Law (Legal System) -- Common Law -- Religious Law -- Other Systems -- Criminal, Civil, and Administrative Law -- Criminal Law -- Civil Law -- Administrative Law -- Liability -- Due Care -- Due Diligence -- Legal Aspects of Investigations -- Evidence -- Real Evidence -- Direct Evidence -- Circumstantial Evidence -- Corroborative Evidence -- Hearsay -- Best Evidence Rule -- Secondary Evidence -- Evidence Integrity -- Chain of Custody -- Reasonable Searches -- Entrapment and Enticement -- Computer Crime -- Intellectual Property -- Trademark -- Patent -- Copyright -- Copyright Limitations -- Licenses -- Trade Secrets -- Intellectual Property Attacks -- Privacy -- European Union Privacy -- OECD Privacy Guidelines.
  • General Data Protection Regulation -- EU-US Safe Harbor -- US Privacy Act of 1974 -- International Cooperation -- Import/Export Restrictions -- Trans-border Data Flow -- Important Laws and Regulations -- US Computer Fraud and Abuse Act -- HIPAA -- United States Breach Notification Laws -- Ethics -- The (ISC)2 Code of Ethics -- The (ISC)2 Code of Ethics Canons in Detail -- Computer Ethics Institute -- IABs Ethics and the Internet -- Information Security Governance -- Security Policy and Related Documents -- Policy -- Components of Program Policy -- Policy Types -- Procedures -- Standards -- Guidelines -- Baselines -- Personnel Security -- Candidate Screening and Hiring -- Onboarding -- Employee Termination -- Security Awareness and Training -- Gamification -- Security Champions -- Access Control Defensive Categories and Types -- Preventive -- Detective -- Corrective -- Recovery -- Deterrent -- Compensating -- Comparing Access Controls -- Risk Analysis -- Assets -- Threats and Vulnerabilities -- Risk=Threat x Vulnerability -- Impact -- Risk Analysis Matrix -- Calculating Annualized Loss Expectancy -- Asset Value -- Exposure Factor -- Single Loss Expectancy -- Annual Rate of Occurrence -- Annualized Loss Expectancy -- Total Cost of Ownership -- Return on Investment -- Budget and Metrics -- Risk Response -- Accept the Risk -- Risk Acceptance Criteria -- Mitigate the Risk -- Transfer the Risk -- Risk Avoidance -- Quantitative and Qualitative Risk Analysis -- The Risk Management Process -- Risk Maturity Modeling -- Security and Third Parties -- Service Provider Contractual Security -- Minimum Security Requirements -- Service Level Agreements and Service Level Requirements -- Attestation -- Right to Penetration Test/Right to Audit -- Supply Chain Risk Management -- Risks Associated With Hardware, Software, and Services -- Vendor Governance -- Acquisitions.
  • Divestitures -- Third Party Assessment and Monitoring -- Outsourcing and Offshoring -- Types of Attackers -- Hackers -- Script Kiddies -- Outsiders -- Insiders -- Hacktivist -- Bots and Botnets -- Phishers and Spear Phishers -- Summary of Exam Objectives -- Self-Test -- Self-Test Quick Answer Key -- References -- Chapter 3: Domain 2: Asset Security -- Unique Terms and Definitions -- Introduction -- Classifying Data -- Labels -- Security Compartments -- Clearance -- Formal Access Approval -- Need to Know -- Sensitive Information/Media Security -- Sensitive Information -- Handling -- Storage -- Retention -- Ownership and Inventory -- Asset Inventory -- Asset Retention -- Business or Mission Owners -- Data Owners -- System Owner -- Custodian -- Users -- Data Controllers and Data Processors -- Data Location -- Data Maintenance -- Data Loss Prevention -- Digital Rights Management -- Cloud Access Security Brokers -- Data Collection Limitation -- Memory and Remanence -- Data Remanence -- Memory -- Cache Memory -- RAM and ROM -- DRAM and SRAM -- Firmware -- Flash Memory -- Solid State Drives (SSDs) -- Data Destruction -- Overwriting -- Degaussing -- Destruction -- Shredding -- Determining Data Security Controls -- Certification and Accreditation -- Standards and Control Frameworks -- Standards Selection -- PCI-DSS -- OCTAVE -- ISO 17799 and the ISO 27000 Series -- COBIT -- ITIL -- Scoping and Tailoring -- Data States -- Protecting Data in Use -- Protecting Data in Transit -- Drive and Tape Encryption -- Media Storage and Transportation -- Summary of Exam Objectives -- Self-Test -- Self-Test Quick Answer Key -- References -- Chapter 4: Domain 3: Security Architecture and Engineering -- Unique Terms and Definitions -- Introduction -- Secure Design Principles -- Threat Modeling -- Least Privilege and Defense-in-Depth -- Secure Defaults -- Privacy by Design.
  • Fail Securely -- Separation of Duties (SoD) -- Keep It Simple -- Trust, but Verify -- Zero Trust -- Security Models -- Reading Down and Writing Up -- State Machine Model -- Bell-LaPadula Model -- Simple Security Property -- *Security Property (Star Security Property) -- Strong and Weak Tranquility Property -- Lattice-Based Access Controls -- Integrity Models -- Biba Model -- Simple Integrity Axiom -- * Integrity Axiom -- Clark-Wilson -- Well Formed Transactions -- Certification, Enforcement, and Separation of Duties -- Information Flow Model -- Chinese Wall Model -- Non-interference -- Take-Grant -- Access Control Matrix -- Zachman Framework for Enterprise Architecture -- Graham-Denning Model -- Harrison-Ruzzo-Ullman Model -- Evaluation Methods, Certification, and Accreditation -- The International Common Criteria -- Common Criteria Terms -- Levels of Evaluation -- Secure System Design Concepts -- Layering -- Abstraction -- Security Domains -- The Ring Model -- Open and Closed Systems -- Secure Hardware Architecture -- The System Unit and Motherboard -- The Computer Bus -- Northbridge and Southbridge -- The CPU -- Arithmetic Logic Unit and Control Unit -- Fetch and Execute -- Pipelining -- Interrupts -- Processes and Threads -- Multitasking and Multiprocessing -- Watchdog Timers -- CISC and RISC -- Memory Addressing -- Memory Protection -- Process Isolation -- Hardware Segmentation -- Virtual Memory -- Swapping and Paging -- BIOS -- WORM Storage -- Trusted Platform Module -- Data Execution Prevention and Address Space Layout Randomization -- Secure Operating System and Software Architecture -- The Kernel -- Reference Monitor -- Users and File Permissions -- Linux and UNIX permissions -- Microsoft NTFS Permissions -- Privileged Programs -- Virtualization, Cloud, and Distributed Computing -- Virtualization -- Hypervisor -- Virtualization Benefits.
  • Virtualization Security Issues -- Cloud Computing -- Shared Responsibility -- Microservices, Containers, and Serverless -- Microservices -- Containers -- Containers vs. Virtualization -- Serverless -- High-Performance Computing (HPC) and Grid Computing -- Peer-to-Peer -- Thin Clients -- Diskless Workstations -- Thin Client Applications -- Embedded Systems and The Internet of Things (IoT) -- Distributed Systems and Edge Computing Systems -- Industrial Control Systems (ICS) -- System Vulnerabilities, Threats, and Countermeasures -- Emanations -- Covert Channels -- Covert Storage Channels -- Covert Timing Channels -- Backdoors -- Malicious Code (Malware) -- Computer Viruses -- Worms -- Trojans -- Rootkits -- Packers -- Logic Bombs -- Antivirus Software -- Server-Side Attacks -- Client-Side Attacks -- Web Architecture and Attacks -- Applets -- Java -- ActiveX -- OWASP -- XML -- Service Oriented Architecture (SOA) -- Database Security -- Polyinstantiation -- Inference and Aggregation -- Inference and Aggregation Controls -- Data Mining -- Data Analytics -- Countermeasures -- Mobile Device Attacks -- Mobile Device Defenses -- Cornerstone Cryptographic Concepts -- Key Terms -- Confidentiality, Integrity, Authentication, and Non-repudiation -- Confusion, Diffusion, Substitution, and Permutation -- Cryptographic Strength -- Monoalphabetic and Polyalphabetic Ciphers -- Modular Math -- Exclusive Or (XOR) -- Data at Rest and Data in Motion -- Protocol Governance -- Types of Cryptography -- Symmetric Encryption -- Stream and Block Ciphers -- Initialization Vectors and Chaining -- DES -- Modes of DES -- Electronic Code Book (ECB) -- Cipher Block Chaining (CBC) -- Cipher Feedback (CFB) -- Output Feedback (OFB) -- Counter Mode (CTR) -- Single DES -- Triple DES -- International Data Encryption Algorithm (IDEA) -- Advanced Encryption Standard (AES) -- Choosing AES.
  • AES Functions.
  • CISSP® Study Guide, Fourth Edition provides the latest updates on CISSP® certification, the most prestigious, globally recognized, vendor-neutral exam for information security professionals. In this new edition, readers will learn about what's included in the newest version of the exam's Common Body of Knowledge. The eight domains are covered completely and as concisely as possible. Each domain has its own chapter, including specially designed pedagogy to help readers pass the exam. Clearly stated exam objectives, unique terms/definitions, exam warnings, learning by example, hands-on exercises, and chapter-ending questions help readers fully comprehend the material. Provides the most complete and effective study guide to prepare you for passing the CISSP® exam; contains only what you need to pass the test, with no fluff. Eric Conrad has prepared hundreds of professionals for passing the CISSP® exam through SANS, a popular and well-known organization for information security professionals. Covers all of the new information in the Common Body of Knowledge updated in May 2021, and also provides tiered end-of-chapter questions for a gradual learning curve, and a complete self-test appendix.
  • Description based on print version record.
Language
Identifiers
ISBN: 0-443-18735-5
OCLC number: 1367327645
Title ID: 9925091964106463
Format
1 online resource (642 pages)
Subject headings
Computer networks, Computer security, Electronic data processing personnel