
Official (ISC)2 Guide to the CISSP CBK, Second Edition


Half Title Page

OFFICIAL (ISC)2 GUIDE TO THE CISSP CBK

    AU8231_C000.fm Page i Thursday, October 19, 2006 6:55 AM

OTHER BOOKS IN THE (ISC)2 PRESS SERIES

Building and Implementing a Security Certification and Accreditation Program: Official (ISC)2 Guide to the CAP CBK
Patrick D. Howard
ISBN: 0-8493-2062-3

Official (ISC)2 Guide to the SSCP CBK
Diana-Lynn Contesti, Douglas Andre, Eric Waxvik, Paul A. Henry, and Bonnie A. Goins
ISBN: 0-8493-2774-1

Official (ISC)2 Guide to the CISSP-ISSEP CBK
Susan Hansche
ISBN: 0-8493-2341-X

Official (ISC)2 Guide to the CISSP CBK
Harold F. Tipton and Kevin Henry, Editors
ISBN: 0-8493-8231-9


Title Page

Boca Raton New York

Auerbach Publications is an imprint of the Taylor & Francis Group, an informa business

OFFICIAL (ISC)2 GUIDE TO THE CISSP CBK

Edited by Harold F. Tipton, CISSP-ISSAP, ISSMP, and Kevin Henry, CISSP-ISSEP, ISSMP, CAP, SSCP


Copyright Page

© 2007 by Taylor & Francis Group, LLC.
Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2007 by (ISC)2
Auerbach is an imprint of Taylor & Francis Group, an Informa business

International Standard Book Number-10: 0-8493-8231-9 (Hardcover)
International Standard Book Number-13: 978-0-8493-8231-4 (Hardcover)

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC) 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data

Tipton, Harold F.
Official (ISC)2 guide to the CISSP CBK : (ISC)2 Press / Harold F. Tipton, Kevin Henry.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-8231-9 (alk. paper)
1. Electronic data processing personnel--Certification. 2. Computer networks--Examinations--Study guides. I. Henry, Kevin. II. Title.
QA76.3.T565 2006
004.6--dc22 2006043032

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Web site at http://www.auerbach-publications.com

This edition published in the Taylor & Francis e-Library, 2008.

To purchase your own copy of this or any of Taylor & Francis or Routledge's collection of thousands of eBooks please go to www.eBookstore.tandf.co.uk.

ISBN 0-203-88893-6 Master e-book ISBN

Foreword to CBK Study Guide

As the networked world continues to shape and impact every aspect of our lives, threats to the global network infrastructure continue to rise in parallel. That's why there has never been a greater urgency for a global standard of excellence for those who protect the networked world.

That has been the mission of the International Information Systems Security Certification Consortium (ISC)2 from its inception. Formed in 1989 by multiple professional associations to develop an accepted industry standard for the practice of information security, (ISC)2 created the information security industry's first and only CBK, a global compendium of industry best practices. Continually updated to incorporate rapidly changing technologies and threats, the CBK continues to serve as the basis for (ISC)2's education and certification programs. To date, (ISC)2 has certified more than 40,000 security professionals and practitioners in over 100 countries and continues to meet the growing demand for information security accreditation.

Just as technology and its impact on society have dramatically changed since (ISC)2 was first envisioned, so has the role of information security professionals. The need for highly qualified information security professionals to protect information assets has now been accepted by organizations worldwide, both private and public. In recent years, the rise of the Chief Information Security Officer position has been a watershed event in the influence and significance of the information security professional in maintaining effective IT governance and risk management.

Results from the 2005 Global Information Security Workforce Study, conducted by global analyst firm IDC and sponsored by (ISC)2, revealed that ultimate responsibility for information security moved up the management hierarchy, with more respondents identifying the board of directors and CEO, or a CISO/CSO, as being accountable for their company's information security. The study also showed that nearly 75 percent of all respondents believed their influence with executives and the board of directors would increase in the coming year. These findings bode well for the profession and for effectively securing infrastructure.

(ISC)2 is continuing to do its part to assist all those who choose this profession and proliferate standards for professionalism, whether by creating the first information security career guide for high school and college students to meet the growing demand for new talented entries into the field, establishing Affiliated Local Interest Groups to meet the peer networking and professional growth needs of (ISC)2 members and other information security professionals worldwide, working with top organizations such as Microsoft to require certifications of security partners, or organizing seminars around the world with the most respected thought leaders in the industry.

With the ever-growing importance to organizations and society-at-large, (ISC)2 remains committed to ensuring the highest standards of information security are maintained by certified professionals worldwide. Its Certified Information Systems Security Professional (CISSP) certification, considered the Gold Standard in the information security industry, continues to be an invaluable tool in independently validating a candidate's expertise in developing information security policies, standards and procedures as well as managing implementation across the enterprise.

In addition to passing the six-hour CISSP exam, applicants must be endorsed by an existing (ISC)2 credential-holder, demonstrate sufficient professional experience in one or more of the CBK domains, and subscribe to the (ISC)2 Code of Ethics. The Code of Ethics describes the professional behavior expected of the CISSP.

A major factor that sets the CISSP apart from other security certifications is the breadth of knowledge and the experience necessary to pass the exam. CISSP candidates can't be overly specialized in just one domain; they must know and understand the full spectrum of the CBK to become certified. In order to maintain their certification, holders of the CISSP are required to earn 120 Continuing Professional Education (CPE) credits every three years. CPE credits are earned through activities related to the information security profession including, but not limited to, the following:

- Attending educational courses or seminars
- Attending security conferences
- Being a member of an association chapter and attending meetings
- Listening to vendor presentations
- Completing university/college courses
- Providing security training
- Publishing security articles or books
- Serving on industry boards
- Self-study
- Completing volunteer work, including serving on (ISC)2 volunteer committees

Re-certification is required for information security professionals to maintain their CISSP title.

In addition, the CISSP was the first information security credential to be accredited by ANSI (American National Standards Institute) under ISO/IEC Standard 17024. ISO/IEC 17024 establishes a global benchmark for certification of personnel and is becoming increasingly important to organizations for ensuring competency in different professions.

This is the only document that addresses all of the topics and sub-topics contained in the CISSP CBK. The authors and editors of this comprehensive textbook have provided an extensive supplement to the official CISSP CBK Review Seminars, which are designed to help candidates study for CISSP certification.

The Official (ISC)2 Guide to the CISSP CBK is ideal not only for information security professionals attempting to achieve CISSP certification but also for those who are trying to decide which, if any, certification to pursue. Executives and organizational managers who want a more complete understanding of all the elements that are required in effectively protecting their enterprise will also find this guide extremely useful.

Sincerely,

Tony Baratta, CISSP-ISSAP, ISSMP, SSCP
Director of Professional Programs
(ISC)2


About the Editors

Harold F. Tipton, CISSP-ISSAP, ISSMP, currently an independent consultant and past president of the International Information System Security Certification Consortium, was director of computer security for Rockwell International Corporation for 15 years. He initiated the Rockwell computer and data security program in 1977, and then continued to administer, develop, enhance, and expand the program to accommodate the control needs produced by technological advances until his retirement from Rockwell in 1994. He has been a member of the Information Systems Security Association (ISSA) since 1982, was president of the Los Angeles chapter in 1984, and president of the national organization of ISSA from 1987 to 1989. He was added to the ISSA Hall of Fame and the ISSA Honor Roll in 2000. He received the Computer Security Institute Lifetime Achievement Award in 1994 and the (ISC)2 Hal Tipton Award in 2001. He was a member of the National Institute of Standards and Technology (NIST) Computer and Telecommunications Security Council and the National Research Council Secure Systems Study Committee (for the National Academy of Science). He has a B.S. in engineering from the U.S. Naval Academy, an M.A. in personnel administration from George Washington University, and a certificate in computer science from the University of California at Irvine. He has published several papers on information security issues in Information Security Management Handbook, Data Security Management, Information Systems Security, and the National Academy of Sciences report, Computers at Risk. He has been a speaker at all of the major information security conferences, including Computer Security Institute, the ISSA Annual Working Conference, the Computer Security Workshop, MIS conferences, AIS Security for Space Operations, DOE Computer Security Conference, National Computer Security Conference, IIA Security Conference, EDPAA, UCCEL Security and Audit Users Conference, and Industrial Security Awareness Conference. He has conducted and participated in information security seminars for (ISC)2, Frost & Sullivan, UCI, CSULB, system exchange seminars, and the Institute for International Research. He is currently serving as editor of Data Security Management and Information Security Management Handbook.

Kevin Henry, CISSP-ISSEP, ISSMP, CAP, SSCP, is a well-known speaker and consultant in the field of information security and business continuity planning. Kevin provides educational and consulting services to organizations throughout the world and is an official instructor for (ISC)2, the world's leading certification body in information security. He is responsible for course development and delivery for several (ISC)2 programs.

Kevin has a broad range of experience in both technology and management of information technology and information security programs. He has worked for clients ranging from the largest telecommunications firms in the world to governments, military, and small home-based operations.

Kevin is a highly respected presenter at conferences, seminars, and educational programs worldwide. With over 20 years in telecommunications and government experience, he brings a relevant and interesting approach to information security and provides practical and meaningful solutions to the information security challenges, threats, and regulations we face today.

Contributors

Alec Bass, CISSP, is a senior security specialist in the Boston area. During his 25-year career, Alec has developed solutions that significantly reduce risk to the digital assets of high-profile manufacturing, communications, home entertainment, financial, research, and federal organizations. He has helped enterprises enhance their network's security posture, performed penetration testing, and administered client firewalls for an application service provider.

Before devoting his career to information security, Alec supported the IT infrastructure for a multinational Fortune 200 company and fixed operating system bugs for a leading computer firm.

Peter Berlich, CISSP-ISSMP, is working as an IT security manager on a large outsourcing account at IBM Integrated Technology Services, coming from a progression of IT security- and compliance-related roles in IBM. Before joining IBM, he was global information security manager at ABB, after a succession of technical and project management roles with a focus on network security management. Peter is a member of the (ISC)2 European Advisory Board and the Information Security Forum (ISF) Council. He is the author of various articles on the subject of security and privacy management in publications such as Infosecurity Today. With a degree in physics, his personal motto is to give clarity and empowerment.

Todd Fitzgerald, CISSP, CISA, CISM, is the director of information systems security and a systems security officer for United Government Services, LLC (UGS), Milwaukee, WI. Todd has authored articles on information security for publications such as Information Security Magazine, The Information Security Handbook, The HIPAA Program Reference Book, and Managing an Information Security and Privacy Awareness and Training Program. Todd, a member of the editorial board for Information Systems Security: The (ISC)2 Journal, is frequently called upon to present at national and local conferences, and has received several security industry leadership awards. Todd holds a B.S. in business administration from the University of Wisconsin-La Crosse and an M.B.A. from Oklahoma State University.

Bonnie Goins, CISSP, with over 17 years of experience in management consulting, information technology, and security, is a recognized subject matter expert in information security management. Her security and business expertise has been put to use by many organizations to enhance or develop world-class operations. Bonnie holds an M.S. in information systems and a bachelor's degree in psychology, as well as the following certifications: BS 7799 lead auditor, Certified Information Systems Security Professional (CISSP), National Security Agency information assurance methodology (NSA IAM) certified assessor, global information assurance certification (GIAC), certified information security manager (CISM), and Internet security specialist (ISS).

Paul Hansford, CISSP, Dip.Infosec, CISMP, FBCS, FCIPD, CLAS, is a principal consultant with Insight Consulting, part of Siemens Communications. He has worked in risk analysis and management policy development, system accreditation, security training, competency, and certification issues. In 2001, he established the U.K. Government's Infosec Training Paths and Competencies scheme and, between 2004 and 2006, delivered the Infosec syllabus at the U.K. National School of Government. Paul is a member of the (ISC)2 European Advisory Board and the CBK Committee, and in 2005 was involved in the development of the new U.K. Institute for Information Security Professionals (IISP).

Kevin Henry, CISSP-ISSEP, ISSMP, CAP, SSCP, is a well-known speaker and consultant in the field of information security and business continuity planning. He provides educational and consulting services to organizations throughout the world and is an official instructor for (ISC)2, the world's leading certification body in information security. He is responsible for course development and delivery for several (ISC)2 programs. Kevin has a broad range of experience in both technology and management of information technology and information security programs. He has worked for clients ranging from the largest telecommunications firms in the world to governments, military, and small home-based operations. He is a highly respected presenter at conferences, seminars, and educational programs worldwide. With over 20 years of telecommunications and government experience, he brings a relevant and interesting approach to information security and provides practical and meaningful solutions to the information security challenges, threats, and regulations we face today.

Rebecca Herold, CISSP, CISM, CISA, FLMI, is an information privacy, security, and compliance consultant, author, and instructor with over 16 years of experience assisting organizations of all sizes in all industries throughout the world. Rebecca has written numerous books, including Managing an Information Security and Privacy Awareness and Training Program (Auerbach Publications) and The Privacy Management Toolkit (Information Shield), along with dozens of book chapters and hundreds of published articles. Rebecca speaks often at conferences, and develops and teaches workshops for the Computer Security Institute. Rebecca is resident editor for the IT Compliance Community and also an adjunct professor for the Norwich University Master of Science in Information Assurance (MSIA) program. Rebecca has a B.S. in math and computer science and an M.A. in computer science and education.

Carl B. Jackson, CISSP, is the Business Continuity Program Director for Pacific Life Insurance Company in Newport Beach, California. He brings more than 30 years of experience in the areas of continuity planning, information security, and information technology internal control and quality assurance reviews and audits. He has also served with various consultancies specializing in Business Continuity Planning and Information Security where his responsibilities included development and oversight of continuity methodologies, project management, tools acquisition, and ongoing testing/maintenance/training/measurement of the enterprisewide business continuity planning. Carl recently served as Chairman of the Information Systems Security Association (ISSA) International Board of Directors. Previously, he was a founding board member and past-president of the ISSA as well as serving as a founding board member of the Houston, Texas, chapter of the Association of Contingency Planners (ACP). He is a past member and past Emeritus member of the Computer Security Institute (CSI) Advisory Council and is the recipient of the 1997 CSI Lifetime Achievement Award. He has also served on the editorial and advisory boards of both the Contingency Planning Management (CPM) magazine and Datapro Reports on Information Security.

William Lipiczky has practiced in the information technology and security arena for over two decades, beginning his career as a mainframe operator. As information technology and security evolved, he evolved as well. His experience includes networking numerous operating systems (UNIX, NetWare, and Windows) and networking hardware platforms. He currently is a principal in a security consulting and management firm, as well as a lead CISSP instructor for the International Information System Security Certification Consortium.

Sean M. Price, CISSP, is an independent information security consultant located in the Washington, D.C. area. He provides security consulting and engineering support for commercial and government entities. His experience includes nine years as an electronics technician in metrology for the U.S. Air Force. He has completed a B.S. in accounting and an M.S. in computer information systems. Sean is continually immersed in research and development activities for secure systems.

Marcus K. Rogers, Ph.D., CISSP, CCCI, is the chair of the Cyber Forensics Program in the Department of Computer and Information Technology at Purdue University. He is an associate professor and research faculty at CERIAS. Dr. Rogers was a senior instructor for (ISC)2, is a member of the quality assurance board for the SCCP designation, and member of the international CBK committee. He is a former police detective who worked in the area of fraud and computer crime investigations, and he sits on the editorial board for several professional journals and is a member of various national and international committees.

Robert M. Slade, CISSP, is an information security and management consultant from Vancouver, Canada. His research into computer viral programs started when they first appeared as a major problem in the wild; he is best known for a series of review and tutorial articles that were eventually published as Robert Slade's Guide to Computer Viruses. As an outgrowth of the virus research, he prepared the world's first course on forensic programming, which became the first book on software forensics. As a senior instructor for (ISC)2, he is currently working on a glossary of security terms, as well as references for CISSP candidate students.

James S. Tiller, CISSP, CISA, is an accomplished executive with over 14 years of information security and information technology experience and leadership. He has provided comprehensive, forward-thinking solutions encompassing a broad spectrum of challenges and industries. Jim has spent much of his career assisting organizations throughout North America, Europe, and most recently Asia, in meeting their security goals and objectives. He is the author of The Ethical Hack: Framework for Business Value Penetration Testing and A Technical Guide to IPsec Virtual Private Networks. Jim has been a contributing author to the Information Security Management Handbook for the last five years, in addition to several other publications. Also, he is the managing editor of the Information System Security journal. Currently, Jim is the managing vice president of security services for INS.

  • xv

    Introduction to the (ISC)

    2

    CISSP

    CBK

    Textbook

    The

    Official (ISC)

    2

    Guide to the CISSP

    CBK

    is an important milestone inthe history of (ISC)

    2

    . Since its days as a small volunteer organization in1989 to todays position as a leader in the field of information security,(ISC)

    2

    recognizes, educates, and supports the critical role that informationsecurity professionals play in the stability of the global infrastructure. Cur-rent industry changes have caused information security professionals toreflect on the key role that each individual plays in designing, developing,implementing, and maintaining a strong information security program andaligning personal objectives with the requirements of business, organiza-tions, society, governments, and the military.

    To write this valuable reference, skilled authors, who are experts in theirfields, were chosen to contribute the various chapters and share their pas-sion for their areas of expertise. This book was written as an authoritativereference that can be used not only for gaining better understanding of theCISSP CBK,

    (ISC)

    2

    s global compendium of information security best prac-tices, but as a reference book that will hold a prominent position on everyCISSPs bookshelf to be turned to repeatedly for insight into the vast fieldof information security.

    The (ISC)

    2

    CISSP CBK is a taxonomy a collection of topics relevant toinformation security professionals around the world. The CISSP CBK estab-lishes a common framework of information security terms and principlesthat allows information security professionals worldwide to discuss,debate, and resolve matters pertaining to the profession with a commonunderstanding. Understanding the CBK allows intelligent discussion withpeers on information security issues.

    The CISSP CBK is continuously evolving. Every year the (ISC)

    2

    CBK com-mittee reviews the content of the CBK and updates it with a consensus of

    AU8231_C000.fm Page xv Thursday, October 19, 2006 6:55 AM

  • xvi

    OFFICIAL (ISC)2 GUIDE TO THE CISSP CBK

    best practices from an in-depth job analysis survey of CISSPs around theworld. These best practices may address implementing new technologies,dealing with new threats, incorporating new security tools, and, of course,managing the human factor of security. (ISC)2 strives to represent changesand trends in the industry through our award-winning CISSP CBK ReviewSeminars and other educational materials.

    One of the most obvious changes in this book is the streamlining of thedomains of the CISSP. While the number of domains still stands at 10, thecontent in some of the domains has been shifted to other domains to allowfor a more appropriate placement in the flow of material. Some of thedomain titles have also been revised to reflect changing terminology andemphasis in the security professionals day-to-day world.

    The following revised ten domains of the CISSP CBK with brief descrip-tions, are in the order recommended for (ISC)2 review seminar instructorsand are in the order you will find them in this book:

    Information Security and Risk ManagementAddresses the framework and policies, concepts, principles, struc-

    tures, and standards used to establish criteria for the protectionof information assets, to inculcate holistically the criteria, andto assess the effectiveness of that protection. It includes issuesof governance, organizational behavior, ethics, and securityawareness. This domain also addresses risk assessment and riskmanagement.

    Access ControlThe collection of mechanisms and procedures that permits manag-

    ers of a system to exercise a directing or restraining influenceover the behavior, use, and content of a system. Access controlpermits management to specify what users or processes can do,which resources they can access, and what operations they canperform on a system.

    CryptographyAddresses the principles, means, and methods of disguising infor-

    mation to ensure its integrity, confidentiality, and authenticity intransit and in storage.

    Physical (Environmental) SecurityAddresses the common physical and procedural risks that may

    exist in the environment in which an information system ismanaged. This domain also addresses physical and proceduraldefensive and recovery strategies, countermeasures, and re-sources available to the information security professional.These resources include staff, the configuration of the physicalenvironment, security policies and procedures, and an array ofphysical security tools.

    AU8231_C000.fm Page xvi Thursday, October 19, 2006 6:55 AM

  • xvii

    Introduction to the (ISC)2 CISSP CBK Textbook

    Security Architecture and DesignAddresses the high level and detailed processes, concepts, princi-

    ples, structures, and standards used to define, design, imple-ment, monitor, and secure/assure operating systems, applica-tions, equipment, and networks. It addresses the technicalsecurity policies of the organization, as well as the implementa-tion and enforcement of those policies. Security Architecture andDesign must clearly address the design, implementation and op-eration of those controls used to enforce various levels of confi-dentiality, integrity, and availability to ensure effective operationand compliance (with governance and other drivers).

    Business Continuity and Disaster Recovery PlanningAddresses the preparation, processes, and practices required to

    ensure the preservation of the business in the face of majordisruptions to normal business operations. BCP and DRP involvethe identification, selection, implementation, testing, and updat-ing of processes and specific actions necessary to prudentlyprotect critical business processes from the effects of major sys-tem and network disruptions and to ensure the timely restorationof business operations if significant disruptions occur.

    Telecommunications and Network SecurityEncompasses the structures, transmission methods, transport for-

    mats, and security measures used to provide integrity, availabil-ity, authentication, and confidentiality for transmissions over pri-vate and public communications networks and media.

    Application SecurityRefers to the controls that are included within and applied to system

    and application software. Application software includes agents,applets, operating systems, databases, data warehouses, knowl-edge-based systems, etc. These may be used in distributed orcentralized environment.

    Operations SecurityAddresses the protection and control of data processing resources

    in both centralized (data center) and distributed (client/server,etc.) environments. Although Operations Security involves theconfidentiality and integrity of information and processes, a ma-jor focus is on ensuring the availability of systems for businessunits and their end users.

    Legal, Regulations, Compliance and Investigations

    Addresses general computer crime legislation and regulations, the investigative measures and techniques that can be used to determine whether an incident has occurred, and the gathering, analysis, and management of evidence if it exists. The focus is on concepts and internationally accepted methods, processes, and procedures.


    This textbook has been developed to help information security professionals who want to better understand the knowledge requirements of their profession and have that knowledge validated by the CISSP certification. Since few practitioners have significant work experience in all 10 domains, the authors highly recommend that they attend a CBK Review Seminar to identify those areas where more concentrated study is necessary, then read in depth the sections of this book on the domains where they feel they are most deficient.

    Another way to use this book is to test yourself first on the 200 CISSP exam sample questions, which follow each domain chapter. When you find you don't know the answer to a domain question, simply read the preceding chapter.

    Although this book includes a broad range of important material, the information security field is so wide that professionals are advised to review other references as well. A list of (ISC)2 recommended reading can be found at https://www.isc2.org/cgi-bin/content.cgi?category=698.

    We would like to thank the authors who contributed to this book and the many people whose efforts made an undertaking such as this successful. We trust that you will find this a valuable reference that leads you to a greater appreciation of the important field of information security.


    Contents

    Domain 1: Information Security and Risk Management .... 1

    Todd Fitzgerald, CISSP, Bonnie Goins, CISSP, and Rebecca Herold, CISSP

    Introduction .... 1
      CISSP Expectations .... 2
    The Business Case for Information Security Management .... 4
      Core Information Security Principles: Confidentiality, Availability, Integrity (CIA) .... 5
        Confidentiality .... 5
        Integrity .... 6
        Availability .... 6
      Security Management Practice .... 7
    Information Security Management Governance .... 7
      Security Governance Defined .... 8
      Security Policies, Procedures, Standards, Guidelines, and Baselines .... 9
        Security Policy Best Practices .... 10
        Types of Security Policies .... 12
        Standards .... 13
        Procedures .... 14
        Baselines .... 15
        Guidelines .... 16
        Combination of Policies, Standards, Baselines, Procedures, and Guidelines .... 16
        Policy Analogy .... 16
      Audit Frameworks for Compliance .... 17
        COSO .... 17
        ITIL .... 18
        COBIT .... 18
        ISO 17799/BS 7799 .... 18
    Organizational Behavior .... 19
      Organizational Structure Evolution .... 20
        Today's Security Organizational Structure .... 21
      Best Practices .... 22


        Job Rotation .... 23
        Separation of Duties .... 23
        Least Privilege (Need to Know) .... 25
        Mandatory Vacations .... 25
        Job Position Sensitivity .... 25
      Responsibilities of the Information Security Officer .... 26
        Communicate Risks to Executive Management .... 26
        Budget for Information Security Activities .... 27
        Ensure Development of Policies, Procedures, Baselines, Standards, and Guidelines .... 28
        Develop and Provide Security Awareness Program .... 28
        Understand Business Objectives .... 28
        Maintain Awareness of Emerging Threats and Vulnerabilities .... 29
        Evaluate Security Incidents and Response .... 29
        Develop Security Compliance Program .... 29
        Establish Security Metrics .... 29
        Participate in Management Meetings .... 30
        Ensure Compliance with Government Regulations .... 30
        Assist Internal and External Auditors .... 30
        Stay Abreast of Emerging Technologies .... 30
      Reporting Model .... 31
        Business Relationships .... 31
        Reporting to the CEO .... 31
        Reporting to the Information Technology (IT) Department .... 32
        Reporting to Corporate Security .... 32
        Reporting to the Administrative Services Department .... 33
        Reporting to the Insurance and Risk Management Department .... 33
        Reporting to the Internal Audit Department .... 33
        Reporting to the Legal Department .... 34
        Determining the Best Fit .... 34
      Enterprisewide Security Oversight Committee .... 34
        Vision Statement .... 34
        Mission Statement .... 35
      Security Planning .... 42
        Strategic Planning .... 43
        Tactical Planning .... 43
        Operational and Project Planning .... 43
      Personnel Security .... 44
        Hiring Practices .... 44
    Security Awareness, Training, and Education .... 51
      Why Conduct Formal Security Awareness Training? .... 51
        Training Topics .... 52
        What Might a Course in Security Awareness Look Like? .... 52
      Awareness Activities and Methods .... 54


      Job Training .... 55
      Professional Education .... 56
      Performance Metrics .... 56
    Risk Management .... 56
      Risk Management Concepts .... 57
        Qualitative Risk Assessments .... 58
        Quantitative Risk Assessments .... 60
        Selecting Tools and Techniques for Risk Assessment .... 62
        Risk Assessment Methodologies .... 62
      Risk Management Principles .... 64
        Risk Avoidance .... 64
        Risk Transfer .... 64
        Risk Mitigation .... 65
        Risk Acceptance .... 65
        Who Owns the Risk? .... 66
      Risk Assessment .... 66
        Identify Vulnerabilities .... 66
        Identify Threats .... 67
        Determination of Likelihood .... 67
        Determination of Impact .... 68
        Determination of Risk .... 68
        Reporting Findings .... 69
        Countermeasure Selection .... 69
        Information Valuation .... 70
    Ethics .... 71
      Regulatory Requirements for Ethics Programs .... 73
      Example Topics in Computer Ethics .... 74
        Computers in the Workplace .... 74
        Computer Crime .... 74
        Privacy and Anonymity .... 75
        Intellectual Property .... 75
        Professional Responsibility and Globalization .... 75
      Common Computer Ethics Fallacies .... 75
        The Computer Game Fallacy .... 76
        The Law-Abiding Citizen Fallacy .... 76
        The Shatterproof Fallacy .... 76
        The Candy-from-a-Baby Fallacy .... 77
        The Hacker's Fallacy .... 77
        The Free Information Fallacy .... 77
      Hacking and Hacktivism .... 77
        The Hacker Ethic .... 78
      Ethics Codes of Conduct and Resources .... 78
        The Code of Fair Information Practices .... 78


        Internet Activities Board (IAB) (now the Internet Architecture Board) and RFC 1087 .... 79
        Computer Ethics Institute (CEI) .... 79
        National Conference on Computing and Values .... 80
        The Working Group on Computer Ethics .... 80
        National Computer Ethics and Responsibilities Campaign (NCERC) .... 80
        (ISC)2 Code of Ethics .... 81
      Organizational Ethics Plan of Action .... 82
      How a Code of Ethics Applies to CISSPs .... 84
    References .... 87
    Other References .... 87
    Sample Questions .... 88

    Domain 2: Access Control .... 93

    James S. Tiller, CISSP

    Introduction .... 93
      CISSP Expectations .... 93
      Confidentiality, Integrity, and Availability .... 93
    Definitions and Key Concepts .... 94
      Determining Users .... 95
      Defining Resources .... 96
      Specifying Use .... 97
      Accountability .... 97
      Access Control Principles .... 98
        Separation of Duties .... 98
        Least Privilege .... 101
      Information Classification .... 101
        Data Classification Benefits .... 102
        Establishing a Data Classification Program .... 103
        Labeling and Marking .... 107
        Data Classification Assurance .... 107
        Summary .... 108
    Access Control Categories and Types .... 108
      Control Categories .... 108
        Preventative .... 108
        Deterrent .... 109
        Detective .... 109
        Corrective .... 110
        Recovery .... 111
        Compensating .... 111
      Types of Controls .... 112
        Administrative .... 113


        Physical .... 124
        Technical .... 125
    Access Control Threats .... 130
      Denial of Service .... 130
      Buffer Overflows .... 131
      Mobile Code .... 132
      Malicious Software .... 133
      Password Crackers .... 134
      Spoofing/Masquerading .... 136
      Sniffers, Eavesdropping, and Tapping .... 137
      Emanations .... 138
      Shoulder Surfing .... 139
      Object Reuse .... 139
      Data Remanence .... 140
      Unauthorized Targeted Data Mining .... 142
      Dumpster Diving .... 143
      Backdoor/Trapdoor .... 144
      Theft .... 144
      Social Engineering .... 145
        E-mail Social Engineering .... 145
        Help Desk Fraud .... 146
    Access to Systems .... 147
      Identification and Authentication .... 147
        Types of Identification .... 148
        Types of Authentication .... 149
        Authentication Method Summary .... 167
      Identity and Access Management .... 169
      Identity Management .... 170
        Identity Management Challenges .... 172
        Identity Management Technologies .... 173
      Access Control Technologies .... 179
        Single Sign-On .... 179
        Kerberos .... 181
        Secure European System for Applications in a Multi-Vendor Environment (SESAME) .... 184
        Security Domain .... 185
        Section Summary .... 186
    Access to Data .... 186
      Discretionary and Mandatory Access Control .... 186
        Access Control Lists .... 188
        Access Control Matrix .... 188
        Rule-Based Access Control .... 188
        Role-Based Access Control .... 189
        Content-Dependent Access Control .... 191
        Constrained User Interface .... 191


        Capability Tables .... 191
        Temporal (Time-Based) Isolation .... 192
        Centralized Access Control .... 192
        Decentralized Access Control .... 192
        Section Summary .... 192
    Intrusion Detection and Prevention Systems .... 194
      Intrusion Detection Systems .... 195
        Network Intrusion Detection System .... 196
        Host-Based Intrusion Detection System .... 197
      Analysis Engine Methods .... 198
        Pattern/Stateful Matching Engine .... 199
        Anomaly-Based Engine .... 200
      Intrusion Responses .... 201
        Alarms and Signals .... 203
      IDS Management .... 204
    Access Control Assurance .... 205
      Audit Trail Monitoring .... 205
        Audit Event Types .... 205
        Auditing Issues and Concerns .... 206
      Information Security Activities .... 207
        Penetration Testing .... 208
        Types of Testing .... 213
        Summary .... 215
    References .... 215
    Sample Questions .... 215

    Domain 3: Cryptography .... 219

    Kevin Henry, CISSP

    Introduction .... 219
      CISSP Expectations .... 219
      Core Information Security Principles: Confidentiality, Integrity, and Availability .... 219
    Key Concepts and Definitions .... 220
      The History of Cryptography .... 222
        The Early (Manual) Era .... 222
        The Mechanical Era .... 222
        The Modern Era .... 223
      Emerging Technology .... 223
        Quantum Cryptography .... 223
      Protecting Information .... 225
        Data Storage .... 225
        Data Transmission .... 225
      Uses of Cryptography .... 226


        Availability .... 226
        Confidentiality .... 226
        Integrity .... 226
      Additional Features of Cryptographic Systems .... 226
        Nonrepudiation .... 227
        Authentication .... 227
        Access Control .... 227
      Methods of Cryptography .... 227
        Stream-Based Ciphers .... 227
        Block Ciphers .... 229
    Encryption Systems .... 229
      Substitution Ciphers .... 229
        Playfair Cipher .... 229
        Transposition Ciphers .... 230
        Monoalphabetic and Polyalphabetic Ciphers .... 231
        Modular Mathematics and the Running Key Cipher .... 233
        One-Time Pads .... 234
        Steganography .... 235
        Watermarking .... 235
        Code Words .... 235
        Symmetric Ciphers .... 236
        Examples of Symmetric Algorithms .... 237
        Advantages and Disadvantages of Symmetric Algorithms .... 252
      Asymmetric Algorithms .... 253
        Confidential Messages .... 253
        Open Message .... 254
        Confidential Messages with Proof of Origin .... 254
        RSA .... 254
        Diffie-Hellman Algorithm .... 257
        El Gamal .... 258
        Elliptic Curve Cryptography .... 258
        Advantages and Disadvantages of Asymmetric Key Algorithms .... 258
        Hybrid Cryptography .... 259
    Message Integrity Controls .... 260
      Checksums .... 260
      Hash Function .... 260
        Simple Hash Functions .... 261
        MD5 Message Digest Algorithm .... 261
        Secure Hash Algorithm (SHA) and SHA-1 .... 262
        HAVAL .... 262
        RIPEMD-160 .... 262
        Attacks on Hashing Algorithms and Message Authentication Codes .... 263
      Message Authentication Code (MAC) .... 264


        HMAC ..... 264
Digital Signatures ..... 265
    Digital Signature Standard (DSS) ..... 265
    Uses of Digital Signatures ..... 266
Encryption Management ..... 266
    Key Management ..... 266
        Key Recovery ..... 267
        Key Distribution Centers ..... 268
    Standards for Financial Institutions ..... 268
    Public Key Infrastructure (PKI) ..... 269
        Revocation of a Certificate ..... 271
        Cross-Certification ..... 271
    Legal Issues Surrounding Cryptography ..... 271
Cryptanalysis and Attacks ..... 271
    Ciphertext-Only Attack ..... 271
    Known Plaintext Attack ..... 271
    Chosen Plaintext Attack ..... 272
    Chosen Ciphertext Attack ..... 272
    Social Engineering ..... 272
    Brute Force ..... 272
    Differential Power Analysis ..... 273
    Frequency Analysis ..... 273
    Birthday Attack ..... 273
    Dictionary Attack ..... 273
    Replay Attack ..... 273
    Factoring Attacks ..... 273
    Reverse Engineering ..... 273
    Attacking the Random Number Generators ..... 274
    Temporary Files ..... 274
Encryption Usage ..... 274
    E-mail Security Using Cryptography ..... 274
    Protocols and Standards ..... 275
    Pretty Good Privacy (PGP) ..... 275
    Secure/Multipurpose Internet Mail Extensions (S/MIME) ..... 275
    Internet and Network Security ..... 275
        IPSec ..... 275
        SSL/TLS ..... 276
References ..... 276
Sample Questions ..... 277

Domain 4  Physical (Environmental) Security ..... 281

Paul Hansford, CISSP

Introduction ..... 281


    CISSP Expectations ..... 282
Physical (Environmental) Security Challenges ..... 282
    Threats and Vulnerabilities ..... 283
        Threat Types ..... 283
        Vulnerabilities ..... 285
Site Location ..... 285
    Site Fabric and Infrastructure ..... 285
The Layered Defense Model ..... 286
    Physical Considerations ..... 287
    Working with Others to Achieve Physical and Procedural Security ..... 287
    Physical and Procedural Security Methods, Tools, and Techniques ..... 288
        Procedural Controls ..... 288
    Infrastructure Support Systems ..... 290
        Fire Prevention, Detection, and Suppression ..... 290
        Boundary Protection ..... 292
    Building Entry Points ..... 293
        Keys and Locking Systems ..... 293
        Walls, Doors, and Windows ..... 295
        Access Controls ..... 296
        Closed-Circuit Television (CCTV) ..... 296
        Intrusion Detection Systems ..... 298
        Portable Device Security ..... 299
        Asset and Risk Registers ..... 299
Information Protection and Management Services ..... 300
    Managed Services ..... 300
    Audits, Drills, Exercises, and Testing ..... 300
    Vulnerability and Penetration Tests ..... 301
    Maintenance and Service Issues ..... 301
    Education, Training, and Awareness ..... 301
Summary ..... 302
References ..... 302
Sample Questions ..... 303

Domain 5  Security Architecture and Design ..... 307

William Lipiczky, CISSP

Introduction ..... 307
    CISSP Expectations ..... 307
Security Architecture and Design Components and Principles ..... 308
    Security Frameworks: ISO/IEC 17799:2005, BS 7799-2, ISO 27001 ..... 308
    Design Principles ..... 309


        Diskless Workstations, Thin Clients, and Thin Processing ..... 309
        Operating System Protection ..... 310
    Hardware ..... 311
        Personal Digital Assistants (PDAs) and Smart Phones ..... 314
        Central Processing Unit (CPU) ..... 315
        Storage ..... 316
        Input/Output Devices ..... 318
        Communications Devices ..... 319
        Networks and Partitioning ..... 319
    Software ..... 320
        Operating Systems ..... 320
        Application Programs ..... 321
        Processes and Threads ..... 322
    Firmware ..... 323
    Trusted Computer Base (TCB) ..... 323
    Reference Monitor ..... 324
Security Models and Architecture Theory ..... 324
    Lattice Models ..... 324
    State Machine Models ..... 325
    Research Models ..... 325
        Noninterference Models ..... 325
        Information Flow Models ..... 325
    Bell-LaPadula Confidentiality Model ..... 325
    Biba Integrity Model ..... 326
    Clark-Wilson Integrity Model ..... 326
    Access Control Matrix and Information Flow Models ..... 327
        Information Flow Models ..... 328
        Graham-Denning Model ..... 328
        Harrison-Ruzzo-Ullman Model ..... 328
        Brewer-Nash (Chinese Wall) ..... 328
Security Product Evaluation Methods and Criteria ..... 329
    Rainbow Series ..... 329
        Trusted Computer System Evaluation Criteria (TCSEC) ..... 329
    Information Technology Security Evaluation Criteria (ITSEC) ..... 330
    Common Criteria ..... 331
    Software Engineering Institute's Capability Maturity Model Integration (SEI-CMMI) ..... 331
    Certification and Accreditation ..... 332
Sample Questions ..... 332

Domain 6  Business Continuity and Disaster Recovery Planning ..... 337

Carl B. Jackson, CISSP

Introduction ..... 337


    CISSP Expectations ..... 338
    Core Information Security Principles: Availability, Integrity, Confidentiality (AIC) ..... 339
    Why Continuity Planning? ..... 339
        Reality of Terrorist Attack ..... 339
        Natural Disasters ..... 340
        Internal and External Audit Oversight ..... 340
        Legislative and Regulatory Requirements ..... 340
    Industry and Professional Standards ..... 341
        NFPA 1600 ..... 341
        ISO 17799 ..... 341
        Defense Security Service (DSS) ..... 341
        National Institute of Standards and Technology (NIST) ..... 341
        Good Business Practice or the Standard of Due Care ..... 341
    Enterprise Continuity Planning and Its Relationship to Business Continuity and Disaster Recovery Planning ..... 341
        Revenue Loss ..... 342
        Extra Expense ..... 343
        Compromised Customer Service ..... 343
        Embarrassment or Loss of Confidence Impact ..... 343
        Hidden Benefits of Continuity Planning ..... 343
Organization of the BCP/DRP Domain Chapter ..... 344
    Project Initiation Phase ..... 344
    Current State Assessment Phase ..... 345
    Design and Development Phase ..... 345
    Implementation Phase ..... 345
    Management Phase ..... 346
    Project Initiation Phase Description ..... 346
        Project Scope Development and Planning ..... 346
        Executive Management Support ..... 348
        BCP Project Scope and Authorization ..... 348
        Executive Management Leadership and Awareness ..... 350
        Continuity Planning Project Team Organization and Management ..... 351
        Disaster or Disruption Avoidance and Mitigation ..... 353
        Project Initiation Phase Activities and Tasks Work Plan ..... 354
    Current State Assessment Phase Description ..... 354
        Understanding Enterprise Strategy, Goals, and Objectives ..... 354
        Enterprise Business Processes Analysis ..... 355
        People and Organizations ..... 355
        Time Dependencies ..... 355
        Motivation, Risks, and Control Objectives ..... 355
        Budgets ..... 355
        Technical Issues and Constraints ..... 356
    Continuity Planning Process Support Assessment ..... 356


        Threat Assessment ..... 356
        Risk Management ..... 358
        Business Impact Assessment (BIA) ..... 359
        Benchmarking and Peer Review ..... 362
        Sample Current State Assessment Phase Activities and Tasks Work Plan ..... 363
    Development Phase Description ..... 363
        Recovery Strategy Development ..... 363
        Work Plan Development ..... 366
        Develop and Design Recovery Strategies ..... 366
        Data and Software Backup Approaches ..... 369
        DRP Recovery Strategies for IT ..... 370
        BCP Recovery Strategies for Enterprise Business Processes ..... 371
        Developing Continuity Plan Documents and Infrastructure Strategies ..... 373
        Developing Testing/Maintenance/Training Strategies ..... 373
        Plan Development Phase Description ..... 374
        Building Continuity Plans ..... 375
        Contrasting Crisis Management and Continuity Planning Approaches ..... 379
        Building Crisis Management Plans ..... 379
        Testing/Maintenance/Training Development Phase Description ..... 381
        Developing Continuity and Crisis Management Process Training and Awareness Strategies ..... 386
        Sample Phase Activities and Tasks Work Plan ..... 386
    Implementation Phase Description ..... 386
        Analyze CPPT Implementation Work Plans ..... 386
        Program Short- and Long-Term Testing ..... 388
        Continuity Plan Testing (Exercise) Procedure Deployment ..... 388
        Program Training, Awareness, and Education ..... 391
        Emergency Operations Center (EOC) ..... 392
    Management Phase Description ..... 392
        Program Oversight ..... 392
        Continuity Planning Manager Roles and Responsibilities ..... 392
Terminology ..... 395
References ..... 398
Sample Questions ..... 398
Appendix A: Addressing Legislative Compliance within Business Continuity Plans ..... 401

Rebecca Herold, CISSP

    HIPAA ..... 401


    GLB ..... 402
    Patriot Act ..... 402
    Other Issues ..... 404
        OCC Banking Circular 177 ..... 404

Domain 7  Telecommunications and Network Security ..... 407

Alec Bass, CISSP and Peter Berlich, CISSP-ISSMP

Introduction ..... 407
    CISSP Expectations ..... 408
Basic Concepts ..... 408
    Network Models ..... 408
        OSI Reference Model ..... 409
        TCP/IP Model ..... 413
    Network Security Architecture ..... 414
        The Role of the Network in IT Security ..... 414
        Network Security Objectives and Attack Modes ..... 416
        Methodology of an Attack ..... 419
        Network Security Tools ..... 421
Layer 1: Physical Layer ..... 423
    Concepts and Architecture ..... 423
        Communication Technology ..... 423
        Network Topology ..... 424
    Technology and Implementation ..... 427
        Cable ..... 427
        Twisted Pair ..... 428
        Coaxial Cable ..... 429
        Fiber Optics ..... 429
        Patch Panels ..... 430
        Modems ..... 430
        Wireless Transmission Technologies ..... 431
Layer 2: Data-Link Layer ..... 433
    Concepts and Architecture ..... 433
        Architecture ..... 433
        Transmission Technologies ..... 434
    Technology and Implementation ..... 441
        Ethernet ..... 441
        Wireless Local Area Networks ..... 445
        Address Resolution Protocol (ARP) ..... 450
        Point-to-Point Protocol (PPP) ..... 450
Layer 3: Network Layer ..... 450
    Concepts and Architecture ..... 450
        Local Area Network (LAN) ..... 450


        Wide Area Network (WAN) Technologies ..... 452
        Metropolitan Area Network (MAN) ..... 462
        Global Area Network (GAN) ..... 463
    Technology and Implementation ..... 464
        Routers ..... 464
        Firewalls ..... 464
        End Systems ..... 468
        Internet Protocol (IP) ..... 471
        Virtual Private Network (VPN) ..... 475
        Tunneling ..... 479
        Dynamic Host Configuration Protocol (DHCP) ..... 479
        Internet Control Message Protocol (ICMP) ..... 480
        Internet Group Management Protocol (IGMP) ..... 481
Layer 4: Transport Layer ..... 482
    Concepts and Architecture ..... 482
        Transmission Control Protocol (TCP) ..... 483
        User Datagram Protocol (UDP) ..... 484
    Technology and Implementation ..... 484
        Scanning Techniques ..... 484
        Denial of Service .....