(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

Table of Contents

Cover

Title Page

Copyright

Dedication

Acknowledgments

About the Authors

About the Technical Editors

Foreword

Introduction

Overview of the CISSP Exam

The Elements of This Study Guide

Interactive Online Learning Environment and Test Bank

Study Guide Exam Objectives

Objective Map

Reader Support for This Book

Assessment Test

Answers to Assessment Test

Chapter 1: Security Governance Through Principles and Policies

Security 101

Understand and Apply Security Concepts

Security Boundaries

Evaluate and Apply Security Governance Principles

Manage the Security Function

Security Policy, Standards, Procedures, and Guidelines

Threat Modeling

Supply Chain Risk Management

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 2: Personnel Security and Risk Management Concepts

Personnel Security Policies and Procedures

Understand and Apply Risk Management Concepts

Social Engineering

Establish and Maintain a Security Awareness, Education, and Training Program

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 3: Business Continuity Planning

Planning for Business Continuity

Project Scope and Planning

Business Impact Analysis

Continuity Planning

Plan Approval and Implementation

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 4: Laws, Regulations, and Compliance

Categories of Laws

Laws

State Privacy Laws

Compliance

Contracting and Procurement

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 5: Protecting Security of Assets

Identifying and Classifying Information and Assets

Establishing Information and Asset Handling Requirements

Data Protection Methods

Understanding Data Roles

Using Security Baselines

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 6: Cryptography and Symmetric Key Algorithms

Cryptographic Foundations

Modern Cryptography

Symmetric Cryptography

Cryptographic Lifecycle

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 7: PKI and Cryptographic Applications

Asymmetric Cryptography

Hash Functions

Digital Signatures

Public Key Infrastructure

Asymmetric Key Management

Hybrid Cryptography

Applied Cryptography

Cryptographic Attacks

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 8: Principles of Security Models, Design, and Capabilities

Secure Design Principles

Techniques for Ensuring CIA

Understand the Fundamental Concepts of Security Models

Select Controls Based on Systems Security Requirements

Understand Security Capabilities of Information Systems

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures

Shared Responsibility

Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements

Client-Based Systems

Server-Based Systems

Industrial Control Systems

Distributed Systems

High-Performance Computing (HPC) Systems

Internet of Things

Edge and Fog Computing

Embedded Devices and Cyber-Physical Systems

Specialized Devices

Microservices

Infrastructure as Code

Virtualized Systems

Containerization

Serverless Architecture

Mobile Devices

Essential Security Protection Mechanisms

Common Security Architecture Flaws and Issues

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 10: Physical Security Requirements

Apply Security Principles to Site and Facility Design

Implement Site and Facility Security Controls

Implement and Manage Physical Security

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 11: Secure Network Architecture and Components

OSI Model

TCP/IP Model

Analyzing Network Traffic

Common Application Layer Protocols

Transport Layer Protocols

Domain Name System

Internet Protocol (IP) Networking

ARP Concerns

Secure Communication Protocols

Implications of Multilayer Protocols

Microsegmentation

Wireless Networks

Other Communication Protocols

Cellular Networks

Content Distribution Networks (CDNs)

Secure Network Components

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 12: Secure Communications and Network Attacks

Protocol Security Mechanisms

Secure Voice Communications

Remote Access Security Management

Multimedia Collaboration

Load Balancing

Manage Email Security

Virtual Private Network

Switching and Virtual LANs

Network Address Translation

Third-Party Connectivity

Switching Technologies

WAN Technologies

Fiber-Optic Links

Security Control Characteristics

Prevent or Mitigate Network Attacks

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 13: Managing Identity and Authentication

Controlling Access to Assets

Managing Identification and Authentication

Implementing Identity Management

Managing the Identity and Access Provisioning Lifecycle

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 14: Controlling and Monitoring Access

Comparing Access Control Models

Implementing Authentication Systems

Understanding Access Control Attacks

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 15: Security Assessment and Testing

Building a Security Assessment and Testing Program

Performing Vulnerability Assessments

Testing Your Software

Implementing Security Management Processes

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 16: Managing Security Operations

Apply Foundational Security Operations Concepts

Addressing Personnel Safety and Security

Provision Resources Securely

Apply Resource Protection

Managed Services in the Cloud

Perform Configuration Management (CM)

Managing Change

Managing Patches and Reducing Vulnerabilities

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 17: Preventing and Responding to Incidents

Conducting Incident Management

Implementing Detective and Preventive Measures

Logging and Monitoring

Automating Incident Response

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 18: Disaster Recovery Planning

The Nature of Disaster

Understand System Resilience, High Availability, and Fault Tolerance

Recovery Strategy

Recovery Plan Development

Training, Awareness, and Documentation

Testing and Maintenance

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 19: Investigations and Ethics

Investigations

Major Categories of Computer Crime

Ethics

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 20: Software Development Security

Introducing Systems Development Controls

Establishing Databases and Data Warehousing

Storage Threats

Understanding Knowledge-Based Systems

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 21: Malicious Code and Application Attacks

Malware

Malware Prevention

Application Attacks

Injection Vulnerabilities

Exploiting Authorization Vulnerabilities

Exploiting Web Application Vulnerabilities

Application Security Controls

Secure Coding Practices

Summary

Exam Essentials

Written Lab

Review Questions

Appendix A: Answers to Review Questions

Chapter 1: Security Governance Through Principles and Policies

Chapter 2: Personnel Security and Risk Management Concepts

Chapter 3: Business Continuity Planning

Chapter 4: Laws, Regulations, and Compliance

Chapter 5: Protecting Security of Assets

Chapter 6: Cryptography and Symmetric Key Algorithms

Chapter 7: PKI and Cryptographic Applications

Chapter 8: Principles of Security Models, Design, and Capabilities

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures

Chapter 10: Physical Security Requirements

Chapter 11: Secure Network Architecture and Components

Chapter 12: Secure Communications and Network Attacks

Chapter 13: Managing Identity and Authentication

Chapter 14: Controlling and Monitoring Access

Chapter 15: Security Assessment and Testing

Chapter 16: Managing Security Operations

Chapter 17: Preventing and Responding to Incidents

Chapter 18: Disaster Recovery Planning

Chapter 19: Investigations and Ethics

Chapter 20: Software Development Security

Chapter 21: Malicious Code and Application Attacks

Appendix B: Answers to Written Labs

Chapter 1: Security Governance Through Principles and Policies

Chapter 2: Personnel Security and Risk Management Concepts

Chapter 3: Business Continuity Planning

Chapter 4: Laws, Regulations, and Compliance

Chapter 5: Protecting Security of Assets

Chapter 6: Cryptography and Symmetric Key Algorithms

Chapter 7: PKI and Cryptographic Applications

Chapter 8: Principles of Security Models, Design, and Capabilities

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures

Chapter 10: Physical Security Requirements

Chapter 11: Secure Network Architecture and Components

Chapter 12: Secure Communications and Network Attacks

Chapter 13: Managing Identity and Authentication

Chapter 14: Controlling and Monitoring Access

Chapter 15: Security Assessment and Testing

Chapter 16: Managing Security Operations

Chapter 17: Preventing and Responding to Incidents

Chapter 18: Disaster Recovery Planning

Chapter 19: Investigations and Ethics

Chapter 20: Software Development Security

Chapter 21: Malicious Code and Application Attacks

Index

End User License Agreement

List of Tables

Chapter 2

TABLE 2.1 Comparison of quantitative and qualitative risk analysis

TABLE 2.2 Quantitative risk analysis formulas

Chapter 5

TABLE 5.1 Securing email data

TABLE 5.2 Unmodified data within a database

TABLE 5.3 Masked data

Chapter 6

TABLE 6.1 AND operation truth table

TABLE 6.2 OR operation truth table

TABLE 6.3 NOT operation truth table

TABLE 6.4 Exclusive OR operation truth table

TABLE 6.5 Using the Vigenère system

TABLE 6.6 The encryption operation

TABLE 6.7 Symmetric and asymmetric key comparison

TABLE 6.8 Comparison of symmetric and asymmetric cryptography systems

TABLE 6.9 Symmetric encryption memorization chart

Chapter 7

TABLE 7.1 Hash algorithm memorization chart

TABLE 7.2 Digital certificate formats

Chapter 8

TABLE 8.1 Subjects and objects

TABLE 8.2 Fail terms definitions related to physical and digital products

TABLE 8.3 An access control matrix

TABLE 8.4 Common Criteria evaluation assurance levels

Chapter 10

TABLE 10.1 Static voltage and damage

TABLE 10.2 Fire extinguisher classes

Chapter 11

TABLE 11.1 IP classes

TABLE 11.2 IP classes' default subnet masks

TABLE 11.3 802.11 wireless networking amendments

TABLE 11.4 UTP categories

Chapter 12

TABLE 12.1 Common load-balancing scheduling techniques

TABLE 12.2 Circuit switching vs. packet switching

TABLE 12.3 Bandwidth levels of SDH and SONET

List of Illustrations

Chapter 1

FIGURE 1.1 The CIA Triad

FIGURE 1.2 The five elements of AAA services

FIGURE 1.3 Strategic, tactical, and operational plan timeline comparison

FIGURE 1.4 An example of diagramming to reveal threat concerns

FIGURE 1.5 A risk matrix or risk heat map

Chapter 2

FIGURE 2.1 Ex-employees must return all company property.

FIGURE 2.2 The cyclical relationships of risk elements

FIGURE 2.3 The six major elements of quantitative risk analysis

FIGURE 2.4 The categories of security controls in a defense-in-depth impleme...

FIGURE 2.5 The elements of the risk management framework (RMF) (from NIST SP...

Chapter 3

FIGURE 3.1 Earthquake hazard map of the United States

Chapter 5

FIGURE 5.1 Data classifications

FIGURE 5.2 Clearing a hard drive

Chapter 6

FIGURE 6.1 Challenge-response authentication protocol

FIGURE 6.2 The magic door

FIGURE 6.3 Symmetric key cryptography

FIGURE 6.4 Asymmetric key cryptography

Chapter 7

FIGURE 7.1 Asymmetric key cryptography

FIGURE 7.2 Steganography tool

FIGURE 7.3 Image with embedded message

Chapter 8

FIGURE 8.1 Transitive trust

FIGURE 8.2 The TCB, security perimeter, and reference monitor

FIGURE 8.3 The take-grant model's directed graph

FIGURE 8.4 The Bell–LaPadula model

FIGURE 8.5 The Biba model

FIGURE 8.6 Memorizing Bell–LaPadula and Biba

FIGURE 8.7 The Clark–Wilson model

Chapter 9

FIGURE 9.1 The four-layer protection ring model

FIGURE 9.2 The lifecycle of an executed process

FIGURE 9.3 Types of hypervisors

FIGURE 9.4 Application containers versus a hypervisor

Chapter 10

FIGURE 10.1 A smart card's ISO 7816 interface

FIGURE 10.2 Hot and cold aisles

FIGURE 10.3 The fire triangle

FIGURE 10.4 The four primary stages of fire

FIGURE 10.5 A secure physical boundary with an access control vestibule and...

Chapter 11

FIGURE 11.1 The OSI model

FIGURE 11.2 OSI model encapsulation

FIGURE 11.3 The OSI model peer layer logical channels

FIGURE 11.4 OSI model layer-based network container names

FIGURE 11.5 Comparing the OSI model with the TCP/IP model

FIGURE 11.6 The TCP three-way handshake

FIGURE 11.7 An RFID antenna

FIGURE 11.8 The configuration dialog boxes for a transparent (left) vs. ano...

FIGURE 11.9 A ring topology

FIGURE 11.10 A linear bus topology and a tree bus topology

FIGURE 11.11 A star topology

FIGURE 11.12 A mesh topology

Chapter 12

FIGURE 12.1 IPsec's encryption of a packet in transport mode

FIGURE 12.2 IPsec's encryption of a packet in tunnel mode

FIGURE 12.3 Two LANs being connected using a tunnel-mode VPN across the inte...

FIGURE 12.4 A client connecting to a network via a remote access/tunnel VPN...

Chapter 13

FIGURE 13.1 Graph of FRR and FAR errors indicating the CER point

Chapter 14

FIGURE 14.1 Role-Based Access Control

FIGURE 14.2 A representation of the boundaries provided by lattice-based acc...

FIGURE 14.3 Wireshark capture

Chapter 15

FIGURE 15.1 Nmap scan of a web server run from a Linux system

FIGURE 15.2 Default Apache server page running on the server scanned in Figu...

FIGURE 15.3 Nmap scan of a large network run from a Mac system using the Ter...

FIGURE 15.4 Network vulnerability scan of the same web server that was port...

FIGURE 15.5 Web application vulnerability scan of the same web server that w...

FIGURE 15.6 Scanning a database-backed application with sqlmap

FIGURE 15.7 Penetration testing process

FIGURE 15.8 The Metasploit Framework automated system exploitation tool allo...

FIGURE 15.9 Fagan inspections follow a rigid formal process, with defined en...

FIGURE 15.10 Prefuzzing input file containing a series of 1s

FIGURE 15.11 The input file from Figure 15.10 after being run through the zz...

Chapter 16

FIGURE 16.1 Cloud shared responsibility model

FIGURE 16.2 Creating and deploying images

FIGURE 16.3 Web server and database server

Chapter 17

FIGURE 17.1 Incident management

FIGURE 17.2 SYN flood attack

FIGURE 17.3 A man-in-the-middle attack

FIGURE 17.4 Intrusion prevention system

FIGURE 17.5 Viewing a log entry

Chapter 18

FIGURE 18.1 Seismic hazard map

FIGURE 18.2 Flood hazard map for Miami–Dade County, Florida

FIGURE 18.3 Failover cluster with network load balancing

Chapter 20

FIGURE 20.1 RStudio Desktop IDE

FIGURE 20.2 Security vs. user-friendliness vs. functionality

FIGURE 20.3 The iterative lifecycle model with feedback loop

FIGURE 20.4 The spiral lifecycle model

FIGURE 20.5 Software Assurance Maturity Model

FIGURE 20.6 The IDEAL model

FIGURE 20.7 Gantt chart

FIGURE 20.8 The DevOps model

FIGURE 20.9 Hierarchical data model

FIGURE 20.10 Customers table from a relational database

FIGURE 20.11 ODBC as the interface between applications and a back-end datab...

Chapter 21

FIGURE 21.1 Account number input page

FIGURE 21.2 Account information page

FIGURE 21.3 Account information page after blind SQL injection

FIGURE 21.4 Account creation page

FIGURE 21.5 Example web server directory structure

FIGURE 21.6 Message board post rendered in a browser

FIGURE 21.7 XSS attack rendered in a browser

FIGURE 21.8 Web application firewall

FIGURE 21.9 SQL error disclosure

Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey

Published simultaneously in Canada and the United Kingdom

ISBN: 978-1-119-78623-8

ISBN: 978-1-119-78633-7 (ebk)

ISBN: 978-1-119-78624-5 (ebk)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats.

For more information about Wiley products, visit our website at www.wiley.com.

Library of Congress Control Number: 2021935479

TRADEMARKS: WILEY and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2 and CISSP are trademarks or registered trademarks of (ISC)2, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Cover image(s): © Jeremy Woodhouse/Getty Images, Inc.

Cover design: Wiley

To Dewitt Latimer, my mentor, friend, and colleague. I miss you dearly.

Mike Chapple

To Cathy, your perspective on the world and life often surprises me, challenges me, and makes me love you even more.

James Michael Stewart

To Nimfa, thanks for sharing your life with me for the past 29 years and letting me share mine with you.

Darril Gibson

Acknowledgments

We'd like to express our thanks to Wiley for continuing to support this project. Extra thanks to the development editor, Kelly Talbot, and technical editors, Jerry Rayome, Chris Crayton, and Aaron Kraus, who performed amazing feats in guiding us to improve this book. Thanks as well to our agent, Carole Jelen, for continuing to assist in nailing down these projects.

—Mike, James, and Darril

Special thanks go to my many friends and colleagues in the cybersecurity community who provided hours of interesting conversation and debate on security issues that inspired and informed much of the material in this book.

I would like to thank the team at Wiley, who provided invaluable assistance throughout the book development process. I also owe a debt of gratitude to my literary agent, Carole Jelen of Waterside Productions. My coauthors, James Michael Stewart and Darril Gibson, were great collaborators and I'd like to thank them both for their thoughtful contributions to my chapters.

I'd also like to thank the many people who participated in the production of this book but whom I never had the chance to meet: the graphics team, the production staff, and all of those involved in bringing this book to press.

—Mike Chapple

Thanks to Mike Chapple and Darril Gibson for continuing to contribute to this project. Thanks also to all my CISSP course students who have provided their insight and input to improve my training courseware and ultimately this tome. To my adoring wife, Cathy: Building a life and a family together has been more wonderful than I could have ever imagined. To Slayde and Remi: You are growing up so fast and learning at an outstanding pace, and you continue to delight and impress me daily. You are both growing into amazing individuals. To my mom, Johnnie: It is wonderful to have you close by. To Mark: No matter how much time has passed or how little we see each other, I have been and always will be your friend. And finally, as always, to Elvis: You were way ahead of the current bacon obsession with your peanut butter/banana/bacon sandwich; I think that's proof you traveled through time!

James Michael Stewart

It's been a pleasure working with talented people like James Michael Stewart and Mike Chapple. Thanks to both of you for all your work and collaborative efforts on this project. The technical editors, Jerry Rayome, Chris Crayton, and Aaron Kraus, provided us with some outstanding feedback, and this book is better because of their efforts. Thanks to the team at Wiley (including project managers, editors, and graphic artists) for all the work you did helping us get this book to print. Last, thanks to my wife, Nimfa, for putting up with my odd hours as I worked on this book.

Darril Gibson

About the Authors

Mike Chapple, PhD, CISSP, Security+, CySA+, PenTest+, CISA, CISM, CCSP, CIPP/US, is a teaching professor of IT, analytics, and operations at the University of Notre Dame. In the past, he was chief information officer of Brand Institute and an information security researcher with the National Security Agency and the U.S. Air Force. His primary areas of expertise include network intrusion detection and access controls. Mike is a frequent contributor to TechTarget's SearchSecurity site and the author of more than 25 books, including the companion book to this study guide: CISSP Official (ISC)2 Practice Tests, CompTIA CySA+ Study Guide: Exam CS0-001, CompTIA Security+ Study Guide: Exam SY0-601, and Cyberwarfare: Information Operations in a Connected World. Mike offers study groups for the CISSP, SSCP, Security+, and CSA+ certifications on his website at www.certmike.com.

James Michael Stewart, CISSP, CEH, CHFI, ECSA, CND, ECIH, CySA+, PenTest+, CASP+, Security+, Network+, A+, CISM, and CFR, has been writing and training for more than 25 years, with a current focus on security. He has been teaching CISSP training courses since 2002, not to mention other courses on internet security and ethical hacking/penetration testing. He is the author of and contributor to more than 75 books on security certification, Microsoft topics, and network administration, including CompTIA Security+ Review Guide: Exam SY0-601. More information about Michael can be found at his website at www.impactonline.com.

Darril Gibson, CISSP, Security+, CASP, is the CEO of YCDA (short for You Can Do Anything), and he has authored or coauthored more than 40 books. Darril regularly writes, consults, and teaches on a wide variety of technical and security topics and holds several certifications. He regularly posts blog articles at blogs.getcertifiedgetahead.com about certification topics and uses that site to help people stay abreast of changes in certification exams. He loves hearing from readers, especially when they pass an exam after using one of his books, and you can contact him through the blogging site.

About the Technical Editors

Jerry Rayome, BS/MS Computer Science, CISSP, has been employed as a member of the Cyber Security Program at Lawrence Livermore National Laboratory for over 20 years, providing cybersecurity services that include software development, penetrative testing, incident response, firewall implementation/administration, firewall auditing, honeynet deployment/monitoring, cyber forensic investigations, NIST 800-53 control implementation/assessment, cloud risk assessment, and cloud security auditing.

Chris Crayton is a technical consultant, trainer, author, and industry-leading technical editor. He has worked as a computer technology and networking instructor, information security director, network administrator, network engineer, and PC specialist. Chris has authored several print and online books on PC repair, CompTIA A+, CompTIA Security+, and Microsoft Windows. He has also served as technical editor and content contributor on numerous technical titles for several leading publishing companies. He holds numerous industry certifications, including CISSP, MCSE, CompTIA S+, N+, A+, and many others. He has also been recognized with many professional and teaching awards, and he has served as a state-level SkillsUSA final competition judge.

Aaron Kraus, CISSP, CCSP, is an information security practitioner, instructor, and author who has worked across industries and around the world. He has spent more than 15 years as a consultant or security risk manager in roles with government, financial services, and tech startups, including most recently in cyber risk insurance, and has spent 13 years teaching, writing, and developing security courseware at Learning Tree International, where he is also dean of cybersecurity curriculum. His writing and editing experience includes official (ISC)2 reference books, practice exams, and study guides for both CISSP and CCSP.

Foreword

Welcome to the (ISC)2® CISSP® Certified Information Systems Security Professional Official Study Guide, 9th Edition.

Data from the 2020 Cybersecurity Workforce Study shows that 47 percent of employers require their security staff to hold vendor-neutral cybersecurity certifications and that the Certified Information Systems Security Professional (CISSP) is the most commonly held.

According to the study, employers value certified cybersecurity professionals for a number of qualities, from having increased confidence in strategies and practices to communicating and demonstrating that confidence and competence to customers. Other benefits of certification cited by employers include reducing the impact of a security breach, knowing that technology and best practices are up to date, and enhancing the organization's reputation within its given industry.

In addition to engendering confidence on the part of their employers and organizations, security professionals with cybersecurity certifications can boost their salaries by 27 percent on average. There has never been a better time to use your information technology skills to help protect your organization's infrastructure, information, systems, and processes and to improve and grow in your professional journey.

The CISSP certification is the gold standard for mastery in the field of cybersecurity, demonstrating to employers that you have strong knowledge and skills within a broad range of cybersecurity disciplines and an ability to build and manage nearly all aspects of an organization's security operations. It also signals your commitment to ongoing professional development as you continue to stay abreast of industry changes and sharpen your skills.

This study guide will steer you through the eight subject area domains on which the CISSP exam will test your knowledge. Step by step, it will cover the fundamentals involved in each topic and gradually build toward more focused areas of learning to prepare you, based on the content covered in the (ISC)2 CISSP Common Body of Knowledge (CBK).

As you prepare to sit for the CISSP exam, this guide will help you build a solid understanding of concepts of design, implementation, and management of best-in-class cybersecurity programs, as well as the ethical fidelity required of CISSP holders.

I hope that you will find the (ISC)2® CISSP® Certified Information Systems Security Professional Official Study Guide 9th Edition helpful in your cybersecurity journey, exam preparation, and continued professional growth.

Sincerely,
