This is the eBook version of the print title. Note that the eBook does not provide access to the practice test software that accompanies the print book. Access to the digital edition of the Cram Sheet is available through product registration at Pearson IT Certification; or see instructions in back pages of your eBook.
CISSP Exam Cram, Fourth Edition, is the perfect study guide to help you pass the tough new electronic version of the CISSP exam. It provides coverage and practice questions for every exam topic, including substantial new coverage of encryption, cloud security, information lifecycles, security management/governance, and more. The book contains an extensive set of preparation tools, such as quizzes, Exam Alerts, and two practice exams.
Covers the critical information you’ll need to pass the CISSP exam!
Introduction . . . . . . . . . . . . . . . . . . . . . . . 1
CHAPTER 1: The CISSP Certification Exam . . . . . . . . . . . . . . . . 17
Introduction . . . . . . . . . . . . . . . . . . . . . 18
Assessing Exam Readiness . . . . . . . . . . . . . . . . 18
Taking the Exam . . . . . . . . . . . . . . . . . . . 19
Examples of CISSP Test Questions . . . . . . . . . . . . . 21
Answer to Multiple-Choice Question . . . . . . . . . . . . 23
Answer to Drag and Drop Question . . . . . . . . . . . . . 23
Answer to Hotspot Question . . . . . . . . . . . . . . . 23
Exam Strategy . . . . . . . . . . . . . . . . . . . . 24
Question-Handling Strategies . . . . . . . . . . . . . . . 25
Mastering the Inner Game . . . . . . . . . . . . . . . . 26
Need to Know More? . . . . . . . . . . . . . . . . . . 26
CHAPTER 2: Logical Asset Security . . . . . . . . . . . . . . . . . . . 27
Introduction . . . . . . . . . . . . . . . . . . . . . 28
Basic Security Principles . . . . . . . . . . . . . . . . . 28
Data Management: Determine and Maintain Ownership . . . . . . 30
Data Governance Policy . . . . . . . . . . . . . . . 30
Roles and Responsibility . . . . . . . . . . . . . . . 32
Data Ownership . . . . . . . . . . . . . . . . . . 33
Data Custodians . . . . . . . . . . . . . . . . . . 34
Data Documentation and Organization . . . . . . . . . 35
Data Warehousing . . . . . . . . . . . . . . . . . 35
Data Mining . . . . . . . . . . . . . . . . . . . 35
Knowledge Management . . . . . . . . . . . . . . . 36
Data Standards . . . . . . . . . . . . . . . . . . . . 37
Data Lifecycle Control . . . . . . . . . . . . . . . 37
Data Audit . . . . . . . . . . . . . . . . . . . . 37
Data Storage and Archiving . . . . . . . . . . . . . . 38
Data Security, Protection, Sharing, and Dissemination . . . . . . . 41
Privacy Impact Assessment . . . . . . . . . . . . . . 42
Information Handling Requirements . . . . . . . . . . 43
Data Retention and Destruction . . . . . . . . . . . . 44
Data Remanence and Decommissioning . . . . . . . . . 45
Classifying Information and Supporting Assets . . . . . . . . . 46
Data Classification . . . . . . . . . . . . . . . . . 46
Asset Management and Governance . . . . . . . . . . . . . 49
Software Licensing . . . . . . . . . . . . . . . . 50
Equipment Lifecycle . . . . . . . . . . . . . . . . 51
Determine Data Security Controls . . . . . . . . . . . . . 52
Data at Rest . . . . . . . . . . . . . . . . . . . 52
Data in Transit . . . . . . . . . . . . . . . . . . 54
Endpoint Security . . . . . . . . . . . . . . . . . 56
Baselines . . . . . . . . . . . . . . . . . . . . 57
Laws, Standards, Mandates and Resources . . . . . . . . . . . 58
United States Resources . . . . . . . . . . . . . . . 60
International Resources . . . . . . . . . . . . . . . 61
Exam Prep Questions . . . . . . . . . . . . . . . . . . 64
Answers to Exam Prep Questions . . . . . . . . . . . . . . 67
Need to Know More? . . . . . . . . . . . . . . . . . . 68
CHAPTER 3: Physical Asset Security . . . . . . . . . . . . . . . . . . . 71
Introduction . . . . . . . . . . . . . . . . . . . . . 72
Physical Security Risks . . . . . . . . . . . . . . . . . 72
Natural Disasters . . . . . . . . . . . . . . . . . 73
Man-Made Threats . . . . . . . . . . . . . . . . . 74
Technical Problems . . . . . . . . . . . . . . . . 75
Facility Concerns and Requirements . . . . . . . . . . . . . 76
CPTED . . . . . . . . . . . . . . . . . . . . 76
Area Concerns . . . . . . . . . . . . . . . . . . 77
Location . . . . . . . . . . . . . . . . . . . . 78
Construction . . . . . . . . . . . . . . . . . . . 78
Doors, Walls, Windows, and Ceilings . . . . . . . . . . 79
Asset Placement . . . . . . . . . . . . . . . . . . 82
Physical Port Controls . . . . . . . . . . . . . . . 82
Perimeter Controls . . . . . . . . . . . . . . . . . . . 83
Fences . . . . . . . . . . . . . . . . . . . . . 83
Gates . . . . . . . . . . . . . . . . . . . . . 84
Bollards . . . . . . . . . . . . . . . . . . . . 85
CCTV Cameras . . . . . . . . . . . . . . . . . . 87
Lighting . . . . . . . . . . . . . . . . . . . . 88
Guards and Dogs . . . . . . . . . . . . . . . . . 89
Locks . . . . . . . . . . . . . . . . . . . . . 89
Employee Access Control . . . . . . . . . . . . . . . . 94
Badges, Tokens, and Cards . . . . . . . . . . . . . . 94
Biometric Access Controls . . . . . . . . . . . . . . 96
Environmental Controls . . . . . . . . . . . . . . . . . 98
Heating, Ventilating, and Air Conditioning . . . . . . . . 98
Electrical Power . . . . . . . . . . . . . . . . . . . . 99
Uninterruptible Power Supply . . . . . . . . . . . . . 100
Equipment Life Cycle . . . . . . . . . . . . . . . . . . 101
Fire Prevention, Detection, and Suppression . . . . . . . . . . 101
Fire-Detection Equipment . . . . . . . . . . . . . . 102
Fire Suppression . . . . . . . . . . . . . . . . . 103
Alarm Systems . . . . . . . . . . . . . . . . . . . . 106
Intrusion Detection Systems . . . . . . . . . . . . . 106
Monitoring and Detection . . . . . . . . . . . . . . 107
Exam Prep Questions . . . . . . . . . . . . . . . . . . 109
Answers to Exam Prep Questions . . . . . . . . . . . . . . 112
Suggested Reading and Resources . . . . . . . . . . . . . . 113
CHAPTER 4: Security and Risk Management . . . . . . . . . . . . . . . . 115
Introduction . . . . . . . . . . . . . . . . . . . . . 116
Security Governance . . . . . . . . . . . . . . . . . . 116
Third-Party Governance . . . . . . . . . . . . . . . 118
Organization Processes . . . . . . . . . . . . . . . 119
Protection of Intellectual Property . . . . . . . . . . . . . 121
Privacy Laws and Protection of Personal Information . . . . . . . 121
Relevant Laws and Regulations . . . . . . . . . . . . . . 123
United States Legal System and Laws . . . . . . . . . . . . 123
International Legal Systems and Laws . . . . . . . . . . . . 124
Computer Crime and Hackers . . . . . . . . . . . . . . . 125
Sexual Harassment . . . . . . . . . . . . . . . . . 128
Risk Management Concepts . . . . . . . . . . . . . . . . 128
Risk Management Frameworks . . . . . . . . . . . . 129
Risk Assessment . . . . . . . . . . . . . . . . . . 130
Countermeasure Selection . . . . . . . . . . . . . . . . 146
Develop and Implement Security Policy . . . . . . . . . . . 149
Security Policy . . . . . . . . . . . . . . . . . . 150
Standards . . . . . . . . . . . . . . . . . . . . 152
Baselines . . . . . . . . . . . . . . . . . . . . 152
Guidelines . . . . . . . . . . . . . . . . . . . . 153
Procedures . . . . . . . . . . . . . . . . . . . 153
Types of Controls . . . . . . . . . . . . . . . . . . . 154
Administrative Controls . . . . . . . . . . . . . . . 154
Technical Controls . . . . . . . . . . . . . . . . . 155
Physical Controls . . . . . . . . . . . . . . . . . 155
Access Control Categories . . . . . . . . . . . . . . 155
Implement Personnel Security . . . . . . . . . . . . . . . 156
New-Hire Agreements and Policies . . . . . . . . . . . 157
Separation of Duties . . . . . . . . . . . . . . . . 157
Job Rotation . . . . . . . . . . . . . . . . . . . 158
Least Privilege . . . . . . . . . . . . . . . . . . 158
Mandatory Vacations . . . . . . . . . . . . . . . . 159
Termination . . . . . . . . . . . . . . . . . . . 159
Security Education, Training, and Awareness . . . . . . . . . . 160
Security Awareness . . . . . . . . . . . . . . . . . 161
Social Engineering . . . . . . . . . . . . . . . . . 162
Professional Ethics Training and Awareness . . . . . . . . . . 163
ISC2 Code of Ethics . . . . . . . . . . . . . . . . 164
Computer Ethics Institute . . . . . . . . . . . . . . 165
Internet Architecture Board . . . . . . . . . . . . . . 165
NIST SP 800-14 . . . . . . . . . . . . . . . . . 166
Common Computer Ethics Fallacies . . . . . . . . . . . 167
Regulatory Requirements for Ethics Programs . . . . . . . 167
Exam Prep Questions . . . . . . . . . . . . . . . . . . 169
Answers to Exam Prep Questions . . . . . . . . . . . . . . 172
Need to Know More? . . . . . . . . . . . . . . . . . . 173
CHAPTER 5: Security Engineering . . . . . . . . . . . . . . . . . . . . 175
Introduction . . . . . . . . . . . . . . . . . . . . . 176
Fundamental Concepts of Security Models . . . . . . . . . . 176
Central Processing Unit . . . . . . . . . . . . . . . 176
Storage Media . . . . . . . . . . . . . . . . . . 181
I/O Bus Standards . . . . . . . . . . . . . . . . . 183
Virtual Memory and Virtual Machines . . . . . . . . . . 184
Computer Configurations . . . . . . . . . . . . . . 186
Security Architecture . . . . . . . . . . . . . . . . . . 187
Protection Rings . . . . . . . . . . . . . . . . . 187
Trusted Computer Base . . . . . . . . . . . . . . . 189
Open and Closed Systems . . . . . . . . . . . . . . 192
Security Modes of Operation . . . . . . . . . . . . . 193
Operating States . . . . . . . . . . . . . . . . . 194
Recovery Procedures . . . . . . . . . . . . . . . . 195
Process Isolation . . . . . . . . . . . . . . . . . 195
Common Formal Security Models . . . . . . . . . . . . . 196
State Machine Model . . . . . . . . . . . . . . . . 197
Information Flow Model . . . . . . . . . . . . . . . 199
Noninterference Model . . . . . . . . . . . . . . . 199
Confidentiality . . . . . . . . . . . . . . . . . . 199
Integrity . . . . . . . . . . . . . . . . . . . . 202
Other Models . . . . . . . . . . . . . . . . . . 205
Product Security Evaluation Models . . . . . . . . . . . . . 206
The Rainbow Series . . . . . . . . . . . . . . . . 207
Information Technology Security Evaluation Criteria . . . . . 210
Common Criteria . . . . . . . . . . . . . . . . . 210
System Validation . . . . . . . . . . . . . . . . . . . 213
Certification and Accreditation . . . . . . . . . . . . . 213
Security Guidelines and Governance . . . . . . . . . . . . 214
Enterprise Architecture . . . . . . . . . . . . . . . 215
Regulatory Compliance and Process Control . . . . . . . . 218
Vulnerabilities of Security Architectures . . . . . . . . . . . 218
Buffer Overflow . . . . . . . . . . . . . . . . . . 219
Back Doors . . . . . . . . . . . . . . . . . . . 220
State Attacks . . . . . . . . . . . . . . . . . . . 220
Covert Channels . . . . . . . . . . . . . . . . . 220
Incremental Attacks . . . . . . . . . . . . . . . . 221
Emanations . . . . . . . . . . . . . . . . . . . 222
Web-based Vulnerabilities . . . . . . . . . . . . . . 223
Mobile System Vulnerabilities . . . . . . . . . . . . . 225
Exam Prep Questions . . . . . . . . . . . . . . . . . . 227
Answers to Exam Prep Questions . . . . . . . . . . . . . . 230
Need to Know More? . . . . . . . . . . . . . . . . . . 231
CHAPTER 6: The Application and Use of Cryptography . . . . . . . . . . . . 233
Introduction . . . . . . . . . . . . . . . . . . . . . 234
Cryptographic Basics . . . . . . . . . . . . . . . . . . 234
History of Encryption . . . . . . . . . . . . . . . . . . 237
Steganography . . . . . . . . . . . . . . . . . . . . 243
Steganography Operation . . . . . . . . . . . . . . 244
Digital Watermark . . . . . . . . . . . . . . . . . 245
Algorithms . . . . . . . . . . . . . . . . . . . . . . 246
Cipher Types and Methods . . . . . . . . . . . . . . . . 247
Symmetric Encryption . . . . . . . . . . . . . . . . . 249
Data Encryption Standard . . . . . . . . . . . . . . 252
Triple-DES . . . . . . . . . . . . . . . . . . . 255
Advanced Encryption Standard (AES) . . . . . . . . . . 257
International Data Encryption Algorithm . . . . . . . . . 258
Rivest Cipher Algorithms . . . . . . . . . . . . . . 258
Asymmetric Encryption . . . . . . . . . . . . . . . . . 259
Diffie-Hellman . . . . . . . . . . . . . . . . . . 261
RSA . . . . . . . . . . . . . . . . . . . . . . 262
El Gamal . . . . . . . . . . . . . . . . . . . . 263
Elliptical Curve Cryptosystem . . . . . . . . . . . . . 263
Merkle-Hellman Knapsack . . . . . . . . . . . . . . 264
Review of Symmetric and Asymmetric Cryptographic Systems . . 264
Hybrid Encryption . . . . . . . . . . . . . . . . . . . 265
Integrity and Authentication . . . . . . . . . . . . . . . 266
Hashing and Message Digests . . . . . . . . . . . . . 267
Digital Signatures . . . . . . . . . . . . . . . . . 270
Cryptographic System Review . . . . . . . . . . . . . 272
Public Key Infrastructure . . . . . . . . . . . . . . . . . 272
Certificate Authority . . . . . . . . . . . . . . . . 272
Registration Authority . . . . . . . . . . . . . . . 273
Certificate Revocation List . . . . . . . . . . . . . . 273
Digital Certificates . . . . . . . . . . . . . . . . . 274
The Client’s Role in PKI . . . . . . . . . . . . . . . 276
Email Protection Mechanisms . . . . . . . . . . . . . . . 277
Pretty Good Privacy . . . . . . . . . . . . . . . . 278
Other Email Security Applications . . . . . . . . . . . 278
Securing TCP/IP with Cryptographic Solutions . . . . . . . . . 279
Application/Process Layer Controls . . . . . . . . . . . 280
Host to Host Layer Controls . . . . . . . . . . . . . 280
Internet Layer Controls . . . . . . . . . . . . . . . 282
Network Access Layer Controls . . . . . . . . . . . . 283
Link and End-to-End Encryption . . . . . . . . . . . . 284
Cryptographic Attacks . . . . . . . . . . . . . . . . . . 285
Exam Prep Questions . . . . . . . . . . . . . . . . . . 289
Answers to Exam Prep Questions . . . . . . . . . . . . . . 292
Need to Know More? . . . . . . . . . . . . . . . . . . 293
CHAPTER 7: Communications and Network Security . . . . . . . . . . . . . 295
Introduction . . . . . . . . . . . . . . . . . . . . . 296
Secure Network Design . . . . . . . . . . . . . . . . . 296
Network Models and Standards . . . . . . . . . . . . . . 296
OSI Model . . . . . . . . . . . . . . . . . . . 297
Encapsulation/De-encapsulation . . . . . . . . . . . . 303
TCP/IP . . . . . . . . . . . . . . . . . . . . . . . 304
Network Access Layer . . . . . . . . . . . . . . . . 305
Internet Layer . . . . . . . . . . . . . . . . . . 306
Host-to-Host (Transport) Layer . . . . . . . . . . . . 311
Application Layer . . . . . . . . . . . . . . . . . 314
LANs and Their Components . . . . . . . . . . . . . . . 318
LAN Communication Protocols . . . . . . . . . . . . 318
Network Topologies . . . . . . . . . . . . . . . . 319
LAN Cabling . . . . . . . . . . . . . . . . . . . 322
Network Types . . . . . . . . . . . . . . . . . . 325
Network Storage . . . . . . . . . . . . . . . . . 325
Communication Standards . . . . . . . . . . . . . . . . 327
Network Equipment . . . . . . . . . . . . . . . . . . 328
Repeaters . . . . . . . . . . . . . . . . . . . . 328
Hubs . . . . . . . . . . . . . . . . . . . . . 328
Bridges . . . . . . . . . . . . . . . . . . . . . 328
Switches . . . . . . . . . . . . . . . . . . . . 329
Mirrored Ports and Network Taps . . . . . . . . . . . 330
VLANs . . . . . . . . . . . . . . . . . . . . . 331
Routers . . . . . . . . . . . . . . . . . . . . . 332
Gateways . . . . . . . . . . . . . . . . . . . . 333
Routing . . . . . . . . . . . . . . . . . . . . . . . 333
WANs and Their Components . . . . . . . . . . . . . . . 336
Packet Switching . . . . . . . . . . . . . . . . . 336
Circuit Switching . . . . . . . . . . . . . . . . . 337
Cloud Computing . . . . . . . . . . . . . . . . . . . 341
Voice Communications and Wireless Communications . . . . . . 342
Voice over IP . . . . . . . . . . . . . . . . . . . 343
Cell Phones . . . . . . . . . . . . . . . . . . . 344
802.11 Wireless Networks and Standards . . . . . . . . . 346
Network Access Control Devices . . . . . . . . . . . . . . 355
Firewalls . . . . . . . . . . . . . . . . . . . . 355
Demilitarized Zone . . . . . . . . . . . . . . . . 357
Firewall Design . . . . . . . . . . . . . . . . . . 359
Remote Access . . . . . . . . . . . . . . . . . . . . 359
Point-to-Point Protocol . . . . . . . . . . . . . . . 360
Remote Authentication Dial-in User Service . . . . . . . . 362
Terminal Access Controller Access Control System . . . . . . 362
IPsec . . . . . . . . . . . . . . . . . . . . . 362
Message Privacy and Multimedia Collaboration . . . . . . . . . 364
Exam Prep Questions . . . . . . . . . . . . . . . . . . 366
Answers to Exam Prep Questions . . . . . . . . . . . . . . 370
Need to Know More? . . . . . . . . . . . . . . . . . . 371
CHAPTER 8: Identity and Access Management . . . . . . . . . . . . . . . 373
Introduction . . . . . . . . . . . . . . . . . . . . . 374
Identification, Authentication, and Authorization of People and Devices . . . 375
Authentication Techniques . . . . . . . . . . . . . . 376
Identity Management Implementation . . . . . . . . . . 391
Single Sign-On . . . . . . . . . . . . . . . . . . . . 392
Kerberos . . . . . . . . . . . . . . . . . . . . 393
Sesame . . . . . . . . . . . . . . . . . . . . . 396
Authorization and Access Control Techniques . . . . . . . . . 397
Discretionary Access Control . . . . . . . . . . . . . 397
Mandatory Access Control . . . . . . . . . . . . . . 398
Role-Based Access Control . . . . . . . . . . . . . . 401
Other Types of Access Controls . . . . . . . . . . . . 402
Access Control Models . . . . . . . . . . . . . . . . . 403
Centralized Access Control . . . . . . . . . . . . . . 403
Decentralized Access Control . . . . . . . . . . . . . 407
Audit and Monitoring . . . . . . . . . . . . . . . . . . 408
Monitoring Access and Usage . . . . . . . . . . . . . 408
Intrusion Detection Systems . . . . . . . . . . . . . 409
Intrusion Prevention Systems . . . . . . . . . . . . . 414
Network Access Control . . . . . . . . . . . . . . . 414
Keystroke Monitoring . . . . . . . . . . . . . . . . 415
Exam Prep Questions . . . . . . . . . . . . . . . . . . 417
Answers to Exam Prep Questions . . . . . . . . . . . . . . 421
Suggested Reading and Resources . . . . . . . . . . . . . 422
CHAPTER 9: Security Assessment and Testing . . . . . . . . . . . . . . . 425
Introduction . . . . . . . . . . . . . . . . . . . . . 426
Security Assessments and Penetration Test Strategies . . . . . . . 426
Audits . . . . . . . . . . . . . . . . . . . . . 426
Vulnerability Assessments . . . . . . . . . . . . . . 427
Penetration Testing . . . . . . . . . . . . . . . . 428
Test Techniques and Methods . . . . . . . . . . . . . . . 432
Security Threats and Vulnerabilities . . . . . . . . . . . . . 435
Threat Actors . . . . . . . . . . . . . . . . . . 435
Attack Methodologies . . . . . . . . . . . . . . . . 437
Network Security Threats and Attack Techniques . . . . . . . . 439
Session Hijacking . . . . . . . . . . . . . . . . . 440
Sniffing . . . . . . . . . . . . . . . . . . . . . 440
Wiretapping . . . . . . . . . . . . . . . . . . . 441
DoS Attacks . . . . . . . . . . . . . . . . . . . 442
Distributed Denial of Service . . . . . . . . . . . . . 443
Botnets . . . . . . . . . . . . . . . . . . . . . 443
Other Network Attack Techniques . . . . . . . . . . . 446
Access Control Threats and Attack Techniques . . . . . . . . . 448
Unauthorized Access . . . . . . . . . . . . . . . . 448
Access Aggregation . . . . . . . . . . . . . . . . . 448
Password Attacks . . . . . . . . . . . . . . . . . 449
Spoofing . . . . . . . . . . . . . . . . . . . . 453
Eavesdropping and Shoulder Surfing . . . . . . . . . . 453
Identity Theft . . . . . . . . . . . . . . . . . . 453
Social-based Threats and Attack Techniques . . . . . . . . . . 454
Malicious Software Threats and Attack Techniques . . . . . . . . 456
Viruses . . . . . . . . . . . . . . . . . . . . . 456
Worms . . . . . . . . . . . . . . . . . . . . . 457
Logic Bombs . . . . . . . . . . . . . . . . . . . 457
Backdoors and Trojans . . . . . . . . . . . . . . . 458
Rootkits . . . . . . . . . . . . . . . . . . . . 461
Crimeware Kits . . . . . . . . . . . . . . . . . . 461
Advanced Persistent Threats . . . . . . . . . . . . . 462
Ransomware . . . . . . . . . . . . . . . . . . . 462
How Computer Crime Has Changed . . . . . . . . . . . . 464
Well-Known Computer Crimes and Criminals . . . . . . . . . 465
Investigating Computer Crime . . . . . . . . . . . . . . . 466
Computer Crime Jurisdiction . . . . . . . . . . . . . 467
Incident Response . . . . . . . . . . . . . . . . . 467
Forensics . . . . . . . . . . . . . . . . . . . . . . 472
Standardization of Forensic Procedures . . . . . . . . . . 473
Computer Forensics . . . . . . . . . . . . . . . . 474
Investigations . . . . . . . . . . . . . . . . . . . . . 479
Search, Seizure, and Surveillance . . . . . . . . . . . . 479
Interviews and Interrogations . . . . . . . . . . . . . 480
Honeypots and Honeynets . . . . . . . . . . . . . . 480
Evidence Types . . . . . . . . . . . . . . . . . . 481
Trial . . . . . . . . . . . . . . . . . . . . . . . . 482
The Evidence Life-Cycle . . . . . . . . . . . . . . 483
Exam Prep Questions . . . . . . . . . . . . . . . . . . 484
Answers to Exam Prep Questions . . . . . . . . . . . . . . 487
Need to Know More? . . . . . . . . . . . . . . . . . . 488
CHAPTER 10: Security Operations . . . . . . . . . . . . . . . . . . . . 491
Introduction . . . . . . . . . . . . . . . . . . . . . 492
Foundational Security Operations Concepts . . . . . . . . . . 492
Managing Users and Accounts . . . . . . . . . . . . . 493
Privileged Entities . . . . . . . . . . . . . . . . . 495
Controlling Access . . . . . . . . . . . . . . . . . 495
Clipping Levels . . . . . . . . . . . . . . . . . . 496
Resource Protection . . . . . . . . . . . . . . . . . . 496
Due Care and Due Diligence . . . . . . . . . . . . . 496
Asset Management . . . . . . . . . . . . . . . . . 497
System Hardening . . . . . . . . . . . . . . . . . 497
Change and Configuration Management . . . . . . . . . 498
Trusted Recovery . . . . . . . . . . . . . . . . . 500
Remote Access . . . . . . . . . . . . . . . . . . 502
Media Management, Retention, and Destruction . . . . . . 502
Telecommunication Controls . . . . . . . . . . . . . . . 503
Cloud Computing . . . . . . . . . . . . . . . . . 503
Email . . . . . . . . . . . . . . . . . . . . . 504
Whitelisting, Blacklisting, and Graylisting . . . . . . . . . 506
Fax . . . . . . . . . . . . . . . . . . . . . . 506
PBX . . . . . . . . . . . . . . . . . . . . . . 507
Anti-malware . . . . . . . . . . . . . . . . . . . 509
Honeypots and Honeynets . . . . . . . . . . . . . . 510
Patch Management . . . . . . . . . . . . . . . . . 511
System Resilience, Fault Tolerance, and Recovery Controls . . . . . 511
Backups . . . . . . . . . . . . . . . . . . . . 511
Fault Tolerance . . . . . . . . . . . . . . . . . . 513
RAID . . . . . . . . . . . . . . . . . . . . . 514
Recovery Controls . . . . . . . . . . . . . . . . . 516
Monitoring and Auditing Controls . . . . . . . . . . . . . 518
Auditing User Activity . . . . . . . . . . . . . . . 519
Monitoring Application Transactions . . . . . . . . . . 520
Security Information and Event Management (SIEM) . . . . . 521
Network Access Control . . . . . . . . . . . . . . . 522
Keystroke Monitoring . . . . . . . . . . . . . . . . 523
Emanation Security . . . . . . . . . . . . . . . . 524
Controlling Physical Access . . . . . . . . . . . . . . 524
Intrusion Detection Systems . . . . . . . . . . . . . . . 525
Network-Based Intrusion Detection Systems . . . . . . . . 526
Host-Based Intrusion-Detection Systems . . . . . . . . . 527
Signature-Based, Anomaly-Based, and Rule-Based IDS Engines . . . . . . . . . . 527
Intrusion Prevention Systems . . . . . . . . . . . . . 530
Responding to Operational Security Incidents . . . . . . . . . 530
Incident Response . . . . . . . . . . . . . . . . . 530
The Disaster Recovery Life Cycle . . . . . . . . . . . . . 531
Teams and Responsibilities . . . . . . . . . . . . . . 533
Exam Prep Questions . . . . . . . . . . . . . . . . . . 535
Answers to Exam Prep Questions . . . . . . . . . . . . . . 538
Need to Know More? . . . . . . . . . . . . . . . . . . 539
CHAPTER 11: Software Development Security . . . . . . . . . . . . . . . . 541
Introduction . . . . . . . . . . . . . . . . . . . . . 542
Software Development . . . . . . . . . . . . . . . . . 542
Avoiding System Failure . . . . . . . . . . . . . . . 543
The System Development Lifecycle . . . . . . . . . . . 545
Development Methods . . . . . . . . . . . . . . . . . 554
The Waterfall Model . . . . . . . . . . . . . . . . 554
The Spiral Model . . . . . . . . . . . . . . . . . 554
Joint Application Development . . . . . . . . . . . . 555
Rapid Application Development . . . . . . . . . . . . 556
Incremental Development . . . . . . . . . . . . . . 556
Prototyping . . . . . . . . . . . . . . . . . . . 556
Modified Prototype Model (MPM) . . . . . . . . . . . 557
Computer-Aided Software Engineering . . . . . . . . . . 557
Agile Development Methods . . . . . . . . . . . . . 557
Capability Maturity Model . . . . . . . . . . . . . . 558
Scheduling . . . . . . . .