CISSP For Dummies

CISSP For Dummies, Wiley
By Lawrence C. Miller and Peter H. Gregory, available from the heise Shop as a digital edition (note: DRM-protected)

Product description
GET CISSP CERTIFIED, WITH THIS COMPREHENSIVE STUDY PLAN!

Revised for the updated 2021 exam, CISSP For Dummies is packed with everything you need to succeed on test day. With deep content review on every domain, plenty of practice questions, and online study tools, this book helps aspiring security professionals unlock the door to success on this high-stakes exam. This book, written by CISSP experts, goes beyond the exam material and includes tips on setting up a 60-day study plan, exam-day advice, and access to an online test bank of questions.

Make your test day stress-free with CISSP For Dummies!

* Review every last detail you need to pass the CISSP certification exam
* Master all 8 test domains, from Security and Risk Management through Software Development Security
* Get familiar with the 2021 test outline
* Boost your performance with an online test bank, digital flash cards, and test-day tips

If you’re a security professional seeking your CISSP certification, this book is your secret weapon as you prepare for the exam.

LAWRENCE C. MILLER, CISSP, is a veteran information security professional. He has served as a consultant for multinational corporations and holds many networking certifications.

PETER H. GREGORY, CISSP, is a security, risk, and technology director with experience in SaaS, retail, telecommunications, non-profit, manufacturing, healthcare, and beyond. Larry and Peter have been coauthors of CISSP For Dummies for more than 20 years.

INTRODUCTION 1

About This Book 2

Foolish Assumptions 3

Icons Used in This Book 3

Beyond the Book 4

Where to Go from Here 5

PART 1: GETTING STARTED WITH CISSP CERTIFICATION 7

CHAPTER 1: (ISC)2 AND THE CISSP CERTIFICATION 9

About (ISC)2 and the CISSP Certification 9

You Must Be This Tall to Ride This Ride (And Other Requirements) 10

Preparing for the Exam 12

Studying on your own 13

Getting hands-on experience 14

Getting official (ISC)2 CISSP training 14

Attending other training courses or study groups 15

Taking practice exams 15

Are you ready for the exam? 16

Registering for the Exam 16

About the CISSP Examination 17

After the Examination 20

CHAPTER 2: PUTTING YOUR CERTIFICATION TO GOOD USE 23

Networking with Other Security Professionals 24

Being an Active (ISC)2 Member 25

Considering (ISC)2 Volunteer Opportunities 26

Writing certification exam questions 27

Speaking at events 27

Helping at (ISC)2 conferences 27

Reading and contributing to (ISC)2 publications 27

Supporting the (ISC)2 Center for Cyber Safety and Education 28

Participating in bug-bounty programs 28

Participating in (ISC)2 focus groups 28

Joining the (ISC)2 community 28

Getting involved with a CISSP study group 28

Helping others learn more about data security 29

Becoming an Active Member of Your Local Security Chapter 30

Spreading the Good Word about CISSP Certification 31

Leading by example 32

Using Your CISSP Certification to Be an Agent of Change 32

Earning Other Certifications 33

Other (ISC)2 certifications 33

CISSP concentrations 34

Non-(ISC)2 certifications 34

Choosing the right certifications 38

Finding a mentor, being a mentor 39

Building your professional brand 39

Pursuing Security Excellence 40

PART 2: CERTIFICATION DOMAINS 43

CHAPTER 3: SECURITY AND RISK MANAGEMENT 45

Understand, Adhere to, and Promote Professional Ethics 45

(ISC)2 Code of Professional Ethics 46

Organizational code of ethics 47

Understand and Apply Security Concepts 49

Confidentiality 50

Integrity 51

Availability 51

Authenticity 52

Nonrepudiation 52

Evaluate and Apply Security Governance Principles 53

Alignment of security function to business strategy, goals, mission, and objectives 53

Organizational processes 54

Organizational roles and responsibilities 56

Security control frameworks 57

Due care and due diligence 60

Determine Compliance and Other Requirements 61

Contractual, legal, industry standards, and regulatory requirements 61

Privacy requirements 66

Understand Legal and Regulatory Issues That Pertain to Information Security 67

Cybercrimes and data breaches 67

Licensing and intellectual property requirements 82

Import/export controls 85

Transborder data flow 85

Privacy 86

Understand Requirements for Investigation Types 93

Develop, Document, and Implement Security Policies, Standards, Procedures, and Guidelines 94

Policies 95

Standards (and baselines) 95

Procedures 96

Guidelines 96

Identify, Analyze, and Prioritize Business Continuity (BC) Requirements 96

Business impact analysis 99

Develop and document the scope and the plan 107

Contribute to and Enforce Personnel Security Policies and Procedures 120

Candidate screening and hiring 120

Employment agreements and policies 123

Onboarding, transfers, and termination processes 123

Vendor, consultant, and contractor agreements and controls 124

Compliance policy requirements 125

Privacy policy requirements 125

Understand and Apply Risk Management Concepts 125

Identify threats and vulnerabilities 126

Risk assessment/analysis 126

Risk appetite and risk tolerance 132

Risk treatment 133

Countermeasure selection and implementation 133

Applicable types of controls 135

Control assessments (security and privacy) 137

Monitoring and measurement 139

Reporting 140

Continuous improvement 141

Risk frameworks 141

Understand and Apply Threat Modeling Concepts and Methodologies 143

Identifying threats 143

Determining and diagramming potential attacks 144

Performing reduction analysis 145

Remediating threats 145

Apply Supply Chain Risk Management (SCRM) Concepts 146

Risks associated with hardware, software, and services 147

Third-party assessment and monitoring 147

Fourth-party risk 147

Minimum security requirements 147

Service-level agreement requirements 147

Establish and Maintain a Security Awareness, Education, and Training Program 148

Methods and techniques to present awareness and training 148

Periodic content reviews 151

Program effectiveness evaluation 151

CHAPTER 4: ASSET SECURITY 153

Identify and Classify Information and Assets 153

Data classification 157

Asset classification 161

Establish Information and Asset Handling Requirements 162

Provision Resources Securely 164

Information and asset ownership 164

Asset inventory 165

Asset management 166

Manage Data Life Cycle 167

Data roles 168

Data collection 168

Data location 169

Data maintenance 169

Data retention 169

Data remanence 170

Data destruction 171

Ensure Appropriate Asset Retention 171

End of life 171

End of support 172

Determine Data Security Controls and Compliance Requirements 172

Data states 173

Scoping and tailoring 174

Standards selection 175

Data protection methods 176

CHAPTER 5: SECURITY ARCHITECTURE AND ENGINEERING 179

Research, Implement, and Manage Engineering Processes Using Secure Design Principles 180

Threat modeling 182

Least privilege (and need to know) 186

Defense in depth 187

Secure defaults 188

Fail securely 188

Separation of duties 189

Keep it simple 189

Zero trust 189

Privacy by design 191

Trust but verify 192

Shared responsibility 194

Understand the Fundamental Concepts of Security Models 196

Select Controls Based Upon Systems Security Requirements 199

Evaluation criteria 200

System certification and accreditation 205

Understand Security Capabilities of Information Systems 208

Trusted Computing Base 208

Trusted Platform Module 209

Secure modes of operation 209

Open and closed systems 210

Memory protection 210

Encryption and decryption 210

Protection rings 211

Security modes 211

Recovery procedures 212

Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 213

Client-based systems 214

Server-based systems 215

Database systems 215

Cryptographic systems 216

Industrial control systems 217

Cloud-based systems 218

Distributed systems 220

Internet of Things 221

Microservices 221

Containerization 222

Serverless 223

Embedded systems 224

High-performance computing systems 225

Edge computing systems 225

Virtualized systems 226

Web-based systems 226

Mobile systems 228

Select and Determine Cryptographic Solutions 228

Plaintext and ciphertext 230

Encryption and decryption 230

End-to-end encryption 230

Link encryption 231

Putting it all together: The cryptosystem 232

Classes of ciphers 233

Types of ciphers 234

Cryptographic life cycle 237

Cryptographic methods 238

Public key infrastructure 248

Key management practices 248

Digital signatures and digital certificates 250

Nonrepudiation 250

Integrity (hashing) 251

Understand Methods of Cryptanalytic Attacks 253

Brute force 254

Ciphertext only 254

Known plaintext 255

Frequency analysis 255

Chosen ciphertext 255

Implementation attacks 255

Side channel 255

Fault injection 256

Timing 256

Man in the middle 256

Pass the hash 257

Kerberos exploitation 257

Ransomware 257

Apply Security Principles to Site and Facility Design 259

Design Site and Facility Security Controls 261

Wiring closets, server rooms, and more 264

Restricted and work area security 265

Utilities and heating, ventilation, and air conditioning 266

Environmental issues 267

Fire prevention, detection, and suppression 268

Power 272

CHAPTER 6: COMMUNICATION AND NETWORK SECURITY 275

Assess and Implement Secure Design Principles in Network Architectures 275

OSI and TCP/IP models 277

The OSI Reference Model 278

The TCP/IP Model 315

Secure Network Components 316

Operation of hardware 316

Transmission media 317

Network access control devices 318

Endpoint security 328

Implement Secure Communication Channels According to Design 331

Voice 331

Multimedia collaboration 332

Remote access 332

Data communications 336

Virtualized networks 336

Third-party connectivity 338

CHAPTER 7: IDENTITY AND ACCESS MANAGEMENT 339

Control Physical and Logical Access to Assets 340

Information 340

Systems and devices 340

Facilities 342

Applications 342

Manage Identification and Authentication of People, Devices, and Services 343

Identity management implementation 343

Single-/multifactor authentication 343

Accountability 358

Session management 359

Registration, proofing, and establishment of identity 360

Federated identity management 361

Credential management systems 361

Single sign-on 362

Just-in-Time 363

Federated Identity with a Third-Party Service 363

On-premises 365

Cloud 365

Hybrid 365

Implement and Manage Authorization Mechanisms 365

Role-based access control 366

Rule-based access control 367

Mandatory access control 367

Discretionary access control 368

Attribute-based access control 369

Risk-based access control 370

Manage the Identity and Access Provisioning Life Cycle 370

Implement Authentication Systems 372

OpenID Connect/Open Authorization 372

Security Assertion Markup Language 372

Kerberos 373

RADIUS and TACACS+ 376

CHAPTER 8: SECURITY ASSESSMENT AND TESTING 379

Design and Validate Assessment, Test, and Audit Strategies 379

Conduct Security Control Testing 381

Vulnerability assessment 381

Penetration testing 383

Log reviews 388

Synthetic transactions 389

Code review and testing 390

Misuse case testing 391

Test coverage analysis 392

Interface testing 392

Breach attack simulations 393

Compliance checks 393

Collect Security Process Data 393

Account management 395

Management review and approval 395

Key performance and risk indicators 396

Backup verification data 397

Training and awareness 399

Disaster recovery and business continuity 400

Analyze Test Output and Generate Reports 400

Remediation 401

Exception handling 402

Ethical disclosure 403

Conduct or Facilitate Security Audits 404

CHAPTER 9: SECURITY OPERATIONS 407

Understand and Comply with Investigations 408

Evidence collection and handling 408

Reporting and documentation 415

Investigative techniques 416

Digital forensics tools, tactics, and procedures 418

Artifacts 419

Conduct Logging and Monitoring Activities 419

Intrusion detection and prevention 419

Security information and event management 421

Security orchestration, automation, and response 421

Continuous monitoring 422

Egress monitoring 422

Log management 423

Threat intelligence 423

User and entity behavior analysis 424

Perform Configuration Management 424

Apply Foundational Security Operations Concepts 426

Need-to-know and least privilege 427

Separation of duties and responsibilities 428

Privileged account management 429

Job rotation 431

Service-level agreements 433

Apply Resource Protection 436

Media management 436

Media protection techniques 438

Conduct Incident Management 438

Operate and Maintain Detective and Preventative Measures 440

Implement and Support Patch and Vulnerability Management 442

Understand and Participate in Change Management Processes 443

Implement Recovery Strategies 444

Backup storage strategies 444

Recovery site strategies 445

Multiple processing sites 445

System resilience, high availability, quality of service, and fault tolerance 445

Implement Disaster Recovery Processes 448

Response 451

Personnel 453

Communications 454

Assessment 455

Restoration 455

Training and awareness 456

Lessons learned 456

Test Disaster Recovery Plans 456

Read-through or tabletop 457

Walkthrough 457

Simulation 458

Parallel 459

Full interruption (or cutover) 459

Participate in Business Continuity Planning and Exercises 460

Implement and Manage Physical Security 460

Address Personnel Safety and Security Concerns 461

CHAPTER 10: SOFTWARE DEVELOPMENT SECURITY 463

Understand and Integrate Security in the Software Development Life Cycle 464

Development methodologies 464

Maturity models 473

Operation and maintenance 474

Change management 475

Integrated product team 476

Identify and Apply Security Controls in Software Development Ecosystems 476

Programming languages 477

Libraries 478

Tool sets 478

Integrated development environment 480

Runtime 480

Continuous integration/continuous delivery 481

Security orchestration, automation, and response 481

Software configuration management 482

Code repositories 483

Application security testing 484

Assess the Effectiveness of Software Security 486

Auditing and logging of changes 486

Risk analysis and mitigation 487

Assess Security Impact of Acquired Software 489

Define and Apply Secure Coding Guidelines and Standards 490

Security weaknesses and vulnerabilities at the source-code level 491

Security of application programming interfaces 492

Secure coding practices 493

Software-defined security 495

PART 3: THE PART OF TENS 497

CHAPTER 11: TEN WAYS TO PREPARE FOR THE EXAM 499

Know Your Learning Style 499

Get a Networking Certification First 500

Register Now 500

Make a 60-Day Study Plan 500

Get Organized and Read 501

Join a Study Group 501

Take Practice Exams 502

Take a CISSP Training Seminar 502

Adopt an Exam-Taking Strategy 502

Take a Breather 503

CHAPTER 12: TEN TEST-DAY TIPS 505

Get a Good Night’s Rest 505

Dress Comfortably 506

Eat a Good Meal 506

Arrive Early 506

Bring Approved Identification 506

Bring Snacks and Drinks 507

Bring Prescription and Over-the-Counter Medications 507

Leave Your Mobile Devices Behind 507

Take Frequent Breaks 507

Guess — As a Last Resort 508

Glossary 509

Index 565
Product details
Publisher:
Wiley
Author:
Lawrence C. Miller, Peter H. Gregory
Item number:
9781119806905
Published:
2 February 2022
Page count:
608