Table of Contents (CISSP 2012 Edition)

CONTENT UPDATES...6
ABOUT THIS BOOK...7
NETWORK INFRASTRUCTURE, PROTOCOLS AND TECHNOLOGIES...8
OPEN SYSTEM INTERCONNECT...8
LAN NETWORKING...10
ROUTING AND SWITCHING...13
IP ADDRESSING...14
WIRELESS BASED LOCAL AREA NETWORKING...16
RFID...20
WAN NETWORKING AND ACCESS AGGREGATION...20
VOIP...23
CLOUD COMPUTING...23
ERP...25
SERVICE PACKS AND PATCHES...27
CAS AND OTHER SSO MECHANISMS...28
INFOCARD AND OPENID...28
OTP AND KYPS...29
DACS...29
SAML AND WS-SECURITY...30
OVAL...30
OPSEC...31
SPECIAL CONSIDERATIONS...31
WINDOWS, LINUX, NETWARE AND IPV4...36
WINDOWS NETWORKING...36
WINDOWS BASED WEB SERVICE...37
LINUX NETWORKING...38
NETWARE NETWORKING...39
TCP/IP SPECIFIC SECURITY RISKS...42
COMPUTER AND NETWORK SECURITY...50
SECURITY PLANNING...50
EQUIPMENTS AND DEVICES...51
POINTS OF FAILURE...53
MALWARE...54
VIRUSES AND WORMS...54
SPYWARE...55
TROJAN HORSE...55
KEYSTROKE LOGGER...56
SOFTWARE FLAWS...56
SNIFFING, EAVESDROPPING AND FOOTPRINTING...57
DOS AND DDOS...59
SOCIAL ENGINEERING...59
IDENTITY THEFT...60
BACKDOORS AND ROOTKITS...61
OTHER VULNERABILITIES...62
P3P...63
DATABASE SPECIFIC RISKS...63
CONCEALING HARD DISK DATA...65
CRYPTOGRAPHY...70
OVERVIEW...70
DES...70
IPSEC AND SSL...70
SYMMETRIC AND ASYMMETRIC ALGORITHMS...71
DIGITAL SIGNATURE...72
HASH FUNCTION...72
PGP...73
DISK BASED ENCRYPTION...73
EES...73
OPENSSL...74
OCSP AND CRL...75
SECURITY STRATEGIES...77
INFORMATION SECURITY BASELINES...77
POLICIES AND CONTROLS...77
INTERNAL PREVENTIVE CONTROLS VERSUS COMPENSATING CONTROLS...83
ORANGE BOOK...84
INTERNET SECURITY...85
FIREWALL SECURITY...86
VIRUS SECURITY...87
WEB SERVER SECURITY...87
NAME RESOLUTION SECURITY...88
MAIL SERVER SECURITY...88
RAS SERVER SECURITY...89
PROXY SERVER SECURITY...89
AUTHENTICATION SERVER SECURITY...90
IM SECURITY...90
INCIDENT RESPONSE...91
COVERT CHANNEL ANALYSIS...92
CHANGE CONTROL...93
PLANNING AND SCOPING OF THE ASSESSMENT OF RISK...95
METHODOLOGIES FOR PROPER ASSESSMENT OF RISK...96
INCIDENT MONITORING...98
CSIRT...99
OWNERSHIP & RESPONSIBILITY...102
ACCOUNTS AND PASSWORD MANAGEMENT...103
SECURITY AWARENESS TRAINING...105
CONTINUITY AND DISASTER RECOVERY...110
CONTINGENCY VS CONTINUITY...110
DRP AND COOP...111
BUSINESS IMPACT ANALYSIS...112
BCP VS BCP (PLANNING VS PLAN)...114
BCM, BCMT AND BCSC...114
BCP AT THE DEPARTMENTAL LEVEL...115
HAZARDOUS COMMUNICATION...115
SITE ARRANGEMENT...116
PREFABRICATED BUILDING AND TERTIARY LOCATION...117
AN ACTIVE/ACTIVE MODEL TO RESOURCE REDUNDANCY...118
REPLICATION, MIRRORING AND VAULTING...118
SERVICE AGREEMENT...118
DATA SYNCHRONIZATION CONCERN...121
REMOTE ACCESS CONCERN...122
SITE SECURITY...122
SECURITY THEORIES AND ACCESS CONTROL MODELS...125
DEFAULT DENY AND DEFAULT PERMIT...125
TRUSTED SYSTEM VS UNTRUSTED SYSTEM...126
THE COMPUTER SYSTEM ITSELF AS LARGELY AN UNTRUSTED SYSTEM...126
DEFENSE IN DEPTH...127
MODELS...128
ACLS VERSUS CAPABILITIES...129
THE AAA CONCEPT...131
RECOMMENDED ACCESS CONTROL MEASURES...134
PHYSICAL SECURITY FOR COMPUTER EQUIPMENTS...140
GENERAL GUIDELINES...140
PHYSICAL SITE PREPARATION AND MANAGEMENT...142
FIRE PROTECTION...143
MAINTENANCE AND TESTING...144
EQUIPMENT AND MEDIA MANAGEMENT...145
STANDARDS AND GUIDELINES...148
THE ISC2 CODE OF ETHICS...148
THE SARBANES OXLEY ACT AND THE COSO FRAMEWORK...149
SOGP...150
COMMON CRITERIA (CC)...150
HIPAA...151
OECD GUIDELINES...153
CEI'S COMMANDMENTS OF ETHICS...155
COBIT...157
ISO STANDARDS...158
VAL IT...159
ITAF...159
FISMA...160
OTHER STANDARDS...160
ADVANCED SECURITY TOPICS...163
ENDPOINT SECURITY...163
SOFTWARE AS A SERVICE SECURITY...164
VIRTUALIZATION SECURITY...165
STORAGE SECURITY...165
NAME RESOLUTION SECURITY...166
INFORMATION SECURITY PLANNING, MANAGEMENT AND GOVERNANCE...169
IT STRATEGIC PLANNING...169
SWOT ANALYSIS...170
IT OPERATIONS MANAGEMENT...171
INFORMATION MANAGEMENT POLICY...172
ENTERPRISE SECURITY...173
ORGANIZATIONAL STRUCTURE AND SUPPORT...174
SENIOR MANAGEMENT SUPPORT...175
INFORMATION SECURITY PROGRAM AND POLICY DEVELOPMENT FROM A STRATEGIC PERSPECTIVE...176
IS GOVERNANCE...179
HR AND SECURITY...181
CONCERNS ON M & A...181
CHANGE MANAGEMENT...182
CHANGE MANAGEMENT VS CHANGE CONTROL...185
CONFIGURATION MANAGEMENT...186
PREPARING FOR EMERGENCY RESPONSE...188
RESPONDING TO INCIDENTS AND MANAGING RECOVERY...189
RISK MANAGEMENT...193
THE INFOSEC ASSESSMENT METHODOLOGY (IAM)...195
LOSS CALCULATIONS...196
SECURITY SYSTEM DESIGN...200
GENERAL GUIDELINES...200
DEVELOPMENT MODELS AND FRAMEWORKS...201
SOFTWARE TESTING...205
THE RELEVANT BUSINESS AND LEGAL DISCIPLINES...212
BUSINESS PROCESS REENGINEERING...212
BALANCED SCORECARD...213
OUTSOURCING...214
QUOTATIONS AND TENDERS...215
RFP...216
LOI...216
RFEI...217
RFSQ...218
SOURCE SELECTION PLAN...219
VENDORS OF RECORD...220
SERVICE LEVEL AGREEMENT, DISCLAIMER AND THE WARRANTY/LIABILITY TERMS...220
INVESTIGATION...224
COMPUTER FORENSICS...227