CISSP Cert Guide - Pearsoncmg

Transcription

CISSP Cert Guide
Troy McMillan
Robin M. Abernathy
800 East 96th Street, Indianapolis, Indiana 46240 USA

CISSP Cert Guide
Troy McMillan
Robin M. Abernathy

Copyright 2014 by Pearson Certification

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-5151-5
ISBN-10: 0-7897-5151-8
Library of Congress Control Number: 2013949991
Printed in the United States of America
First Printing: October 2013

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Windows is a registered trademark of Microsoft Corporation.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

Bulk Sales
Pearson offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact U.S. Corporate and Government Sales. For sales outside of the U.S., please contact International Sales, international@pearsoned.com.

Associate Publisher: Dave Dusthimer
Acquisitions Editor: Betsy Brown
Development Editor: Allison Beaumont Johnson
Managing Editor: Sandra Schroeder
Project Editor: Seth Kerney
Copy Editor: Paula Lowell
Indexer: Erika Millen
Proofreader: Anne Goebel
Technical Editors: Chris Crayton, Brock Pearson
Publishing Coordinator: Vanessa Evans
Multimedia Developer: Eric Miller
Book Designer: Chuti Prasertsith
Composition: Jake McFarland

Contents at a Glance

Introduction
Chapter 1  The CISSP Certification  3
Chapter 2  Access Control  13
Chapter 3  Telecommunications and Network Security  65
Chapter 4  Information Security Governance and Risk Management  159
Chapter 5  Software Development Security  203
Chapter 6  Cryptography  243
Chapter 7  Security Architecture and Design  297
Chapter 8  Operations Security  343
Chapter 9  Business Continuity and Disaster Recovery  369
Chapter 10  Legal, Regulations, Investigations, and Compliance  405
Chapter 11  Physical (Environmental) Security  445
Glossary  481
Index  538
Appendix A  Memory Tables  (On CD)
Appendix B  Memory Tables Answer Key  (On CD)

Table of Contents

Chapter 1  The CISSP Certification  3
    The Goals of the CISSP Certification  3
    Sponsoring Bodies  3
    Stated Goals  4
    The Value of the CISSP Certification  4
    To the Security Professional  5
    To the Enterprise  5
    The Common Body of Knowledge  5
    Access Control  5
    Telecommunications and Network Security  6
    Information Security Governance and Risk Management  6
    Software Development Security  7
    Cryptography  7
    Security Architecture and Design  8
    Operations Security  8
    Business Continuity and Disaster Recovery Planning  8
    Legal, Regulations, Investigations, and Compliance  9
    Physical and Environmental Security  9
    Steps to Becoming a CISSP  10
    Qualifying for the Exam  10
    Signing Up for the Exam  10
    About the CISSP Exam  10

Chapter 2  Access Control  13
    Foundation Topics  13
    Access Control Concepts  13
    CIA  13
    Default Stance  14
    Defense In Depth  14
    Access Control Process  15
    Identify Resources  15
    Identify Users  15
    Identify Relationships between Resources and Users  16

    Identification and Authentication Concepts  16
    Three Factors for Authentication  17
    Knowledge Factors  17
    Identity and Account Management  18
    Password Types and Management  19
    Ownership Factors  22
    Synchronous and Asynchronous Token  22
    Memory Cards  22
    Smart Cards  23
    Characteristic Factors  23
    Physiological Characteristics  24
    Behavioral Characteristics  25
    Biometric Considerations  26
    Authorization Concepts  28
    Access Control Policies  28
    Separation of Duties  29
    Least Privilege/Need-to-Know  29
    Default to No Access  30
    Directory Services  30
    Single Sign-on  31
    Kerberos  32
    SESAME  34
    Federated Identity Management  35
    Security Domains  35
    Accountability  35
    Auditing and Reporting  36
    Vulnerability Assessment  37
    Penetration Testing  38
    Access Control Categories  39
    Compensative  40
    Corrective  40
    Detective  40
    Deterrent  40
    Directive  40

    Preventive  41
    Recovery  41
    Access Control Types  41
    Administrative (Management) Controls  41
    Logical (Technical) Controls  43
    Physical Controls  43
    Access Control Models  46
    Discretionary Access Control  46
    Mandatory Access Control  47
    Role-based Access Control  47
    Rule-based Access Control  48
    Content-dependent Versus Context-dependent  48
    Access Control Matrix  48
    Capabilities Table  48
    Access Control List (ACL)  49
    Access Control Administration  49
    Centralized  49
    Decentralized  49
    Provisioning Life Cycle  50
    Access Control Monitoring  50
    IDS  50
    IPS  52
    Access Control Threats  52
    Password Threats  53
    Dictionary Attack  53
    Brute-Force Attack  53
    Social Engineering Threats  53
    Phishing/Pharming  54
    Shoulder Surfing  54
    Identity Theft  54
    Dumpster Diving  55
    DoS/DDoS  55
    Buffer Overflow  55
    Mobile Code  56

    Malicious Software  56
    Spoofing  56
    Sniffing and Eavesdropping  57
    Emanating  57
    Backdoor/Trapdoor  57
    Exam Preparation Tasks  57
    Review All Key Topics  57
    Complete the Tables and Lists from Memory  58
    Define Key Terms  59
    Review Questions  59
    Answers and Explanations  61

Chapter 3  Telecommunications and Network Security  65
    Foundation Topics  66
    OSI Model  66
    Application Layer  67
    Presentation Layer  67
    Session Layer  67
    Transport Layer  68
    Network Layer  68
    Data Link Layer  68
    Physical Layer  69
    Multi-Layer Protocols  70
    TCP/IP Model  71
    Application Layer  72
    Transport Layer  72
    Internet Layer  74
    Link Layer  76
    Encapsulation  76
    Common TCP/UDP Ports  77
    Logical and Physical Addressing  78
    IPv4  78
    IP Classes  80
    Public Versus Private IP Addresses  81
    NAT  81

    IPv4 Versus IPv6  82
    MAC Addressing  82
    Network Transmission  83
    Analog Versus Digital  83
    Asynchronous Versus Synchronous  84
    Broadband Versus Baseband  84
    Unicast, Multicast, and Broadcast  85
    Wired Versus Wireless  86
    Cabling  87
    Coaxial  87
    Twisted Pair  88
    Fiberoptic  90
    Network Topologies  91
    Ring  91
    Bus  92
    Star  92
    Mesh  93
    Hybrid  94
    Network Technologies  94
    Ethernet 802.3  94
    Token Ring 802.5  96
    FDDI  97
    Contention Methods  97
    CSMA/CD Versus CSMA/CA  98
    Collision Domains  98
    CSMA/CD  99
    CSMA/CA  100
    Token Passing  101
    Polling  101
    Network Protocols/Services  101
    ARP  101
    DHCP  102
    DNS  103
    FTP, FTPS, SFTP  103

    HTTP, HTTPS, SHTTP
    Network Routing  106
    Distance Vector, Link State, or Hybrid Routing  106
    RIP  107
    OSPF  107
    IGRP  108
    EIGRP  108
    VRRP  108
    IS-IS  108
    BGP  108
    Network Devices  109
    Patch Panel  109
    Multiplexer  109
    Hub  109
    Switch  110
    VLANs  111
    Layer 3 Versus Layer 4  111
    Router  111
    Gateway  112
    Firewall  112
    Types  113
    Architecture  114
    Virtualization  116
    Proxy Server  116
    PBX  116
    Honeypot  117

    Cloud Computing  117
    Endpoint Security  119
    Network Types  119
    LAN  119
    Intranet  119
    Extranet  120
    MAN  120
    WAN  120
    WAN Technologies  121
    T Lines  121
    E Lines  121
    OC Lines (SONET)  122
    CSU/DSU  122
    Circuit-Switching Versus Packet-Switching  123
    Frame Relay  123
    ATM  123
    X.25  124
    Switched Multimegabit Data Service  124
    Point-to-Point Protocol  124
    High-Speed Serial Interface  124
    PSTN (POTS, PBX)  125
    VoIP  125
    Remote Connection Technologies  126
    Dial-up  126
    ISDN  127
    DSL  127
    Cable  128
    VPN  129
    RADIUS and TACACS  132
    Remote Authentication Protocols  133
    Telnet  134
    TLS/SSL  134
    Multimedia Collaboration  134

    Wireless Networks  135
    FHSS, DSSS, OFDM, FDMA, TDMA, CDMA, OFDMA, and GSM  135
    802.11 Techniques  136
    Cellular or Mobile Wireless Techniques  136
    WLAN Structure  137
    Access Point  137
    SSID  137
    Infrastructure Mode Versus Ad Hoc Mode  137
    WLAN Standards  138
    Bluetooth  139
    Infrared  139
    WLAN Security  139
    WEP  139
    WPA  140
    WPA2  140
    Personal Versus Enterprise  140
    SSID Broadcast  141
    MAC Filter  141
    Satellites  141
    Network Threats  142
    Cabling  142
    Noise  142
    Attenuation  142
    Crosstalk  143
    Eavesdropping  143
    ICMP Attacks  143
    Ping of Death  143

    Smurf  144
    Fraggle  144
    ICMP Redirect  144
    Ping Scanning  145
    DNS Attacks  145
    DNS Cache Poisoning  145
    DoS  146
    DDoS  146
    DNSSEC  146
    URL Hiding  146
    Domain Grabbing  147
    Cybersquatting  147
    Email Attacks  147
    Email Spoofing  147
    Spear Phishing  148
    Whaling  148
    Spam  148
    Wireless Attacks  148
    Wardriving  149
    Warchalking  149
    Remote Attacks  149
    Other Attacks  149
    SYN ACK Attacks  149
    Session Hijacking  150
    Port Scanning  150
    Teardrop  150
    IP Address Spoofing  150
    Exam Preparation Tasks  151
    Review All Key Topics  151
    Define Key Terms  151
    Review Questions  153
    Answers and Explanations  155

Chapter 4  Information Security Governance and Risk Management  159
    Foundation Topics  159
    Security Principles and Terms  159
    CIA  160
    Vulnerability  160
    Threat  161
    Threat Agent  161
    Risk  161
    Exposure  161
    Countermeasure  161
    Due Care and Due Diligence  162
    Job Rotation  163
    Separation of Duties  163
    Security Frameworks and Methodologies  163
    ISO/IEC 27000 Series  164
    Zachman Framework  166
    The Open Group Architecture Framework (TOGAF)  168
    Department of Defense Architecture Framework (DoDAF)  168
    British Ministry of Defence Architecture Framework (MODAF)  168
    Sherwood Applied Business Security Architecture (SABSA)  168
    Control Objectives for Information and Related Technology (CobiT)  170
    National Institute of Standards and Technology (NIST) Special Publication (SP)  170
    Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework  171
    Information Technology Infrastructure Library (ITIL)  172
    Six Sigma  173
    Capability Maturity Model Integration (CMMI)  174
    Top-Down Versus Bottom-Up Approach  174
    Security Program Life Cycle  174
    Risk Assessment  175
    Information and Asset (Tangible/Intangible) Value and Costs  177
    Vulnerabilities and Threats Identification  177
    Quantitative Risk Analysis  178

    Qualitative Risk Analysis  179
    Safeguard Selection  179
    Total Risk Versus Residual Risk  180
    Handling Risk  180
    Risk Management Principles  181
    Risk Management Policy  181
    Risk Management Team  181
    Risk Analysis Team  182
    Information Security Governance Components  182
    Policies  183
    Organizational Security Policy  184
    System-Specific Security Policy  185
    Issue-Specific Security Policy  185
    Policy Categories  185
    Standards on Classification and Life Cycle  186
    Commercial Business Classifications  186
    Military and Government Classifications  187
    Information Life Cycle  188
    Security Governance Responsibilities and Roles  188
    Board of Directors  188
    Management  189
    Audit Committee  189
    Data Owner  190
    Data Custodian  190
    System Owner  190
    System Administrator  190
    Security Administrator  190
    Security Analyst  191
    Application Owner  191
    Supervisor  191

    User  191
    Auditor  191
    Third-Party Governance  191
    Onsite Assessment  192
    Document Exchange/Review  192
    Process/Policy Review  192
    Personnel Security (Screening, Hiring, and Termination)  192
    Security Awareness Training  193
    Security Budget, Metrics, and Effectiveness  194
    Exam Preparation Tasks  195
    Review All Key Topics  195
    Complete the Tables and Lists from Memory  195
    Define Key Terms  196
    Review Questions  196
    Answers and Explanations  198

Chapter 5  Software Development Security  203
    Foundation Topics  203
    System Development Life Cycle  203
    Initiate  204
    Acquire/Develop  204
    Implement  205
    Operate/Maintain  205
    Dispose  205
    Software Development Life Cycle  206
    Gather Requirements  206
    Design  207
    Develop  207
    Test/Validate  208
    Release/Maintain  209
    Change Management and Configuration Management  209
    Software Development Security Best Practices  209
    WASC  210
    OWASP  210
    BSI  210

    ISO/IEC 27000  210
    Software Development Methods  211
    Build and Fix  211
    Waterfall  212
    V-Shaped  213
    Prototyping  214
    Incremental  214
    Spiral  215
    Rapid Application Development (RAD)  216
    Agile  216
    JAD  218
    Cleanroom  218
    CMMI  218
    Programming Concepts  219
    Machine Languages  219
    Assembly Languages and Assemblers  219
    High-level Languages, Compilers, and Interpreters  219
    Object-Oriented Programming  220
    Polymorphism  221
    Cohesion  221
    Coupling  221
    Data Structures  221
    Distributed Object-Oriented Systems  222
    CORBA  222
    COM and DCOM  222
    OLE  223
    Java  223
    SOA  223
    Mobile Code  223
    Java Applets  223
    ActiveX  224
    Database Concepts and Security  224
    DBMS Architecture and Models  224
    Database Interface Languages  226

    ODBC  226
    JDBC  227
    XML  227
    OLE DB  227
    Data Warehouses and Data Mining  227
    Database Threats  228
    Database Views  228
    Database Locks  228
    Polyinstantiation  228
    OLTP ACID Test  229
    Knowledge-Based Systems  229
    Software Threats  230
    Malware  230
    Virus  230
    Worm  231
    Trojan Horse  231
    Logic Bomb  232
    Spyware/Adware  232
    Botnet  232
    Rootkit  233
    Source Code Issues  233
    Buffer Overflow  233
    Escalation of Privileges  235
    Backdoor  235
    Malware Protection  235
    Antivirus Software  235
    Antimalware Software  236
    Security Policies  236
    Software Security Effectiveness  236
    Certification and Accreditation  236
    Auditing  237
    Exam Preparation Tasks  237

    Review All Key Topics  237
    Define Key Terms  238
    Complete the Tables and Lists from Memory  238
    Review Questions  238
    Answers and Explanations  240

Chapter 6  Cryptography  243
    Foundation Topics  244
    Cryptography Concepts  244
    Cryptographic Life Cycle  246
    Cryptography History  246
    Julius Caesar and the Caesar Cipher  247
    Vigenère Cipher  248
    Kerckhoffs's Principle  249
    World War II Enigma  249
    Lucifer by IBM  250
    Cryptosystem Features  250
    Authentication  250
    Confidentiality  250
    Integrity  251
    Authorization  251
    Non-repudiation  251
    Encryption Systems  251
    Running Key and Concealment Ciphers  251
    Substitution Ciphers  252
    Transposition Ciphers  253
    Symmetric Algorithms  253
    Stream-based Ciphers  254
    Block Ciphers  255
    Initialization Vectors (IVs)  255
    Asymmetric Algorithms  255
    Hybrid Ciphers  256
    Substitution Ciphers  257
    One-Time Pads  257
    Steganography  258

    Symmetric Algorithms  258
    Data Encryption Standard (DES) and Triple DES (3DES)  259
    DES Modes  259
    Triple DES (3DES) and Modes  262
    Advanced Encryption Standard (AES)  263
    IDEA  263
    Skipjack  264
    Blowfish  264
    Twofish  264
    RC4/RC5/RC6  264
    CAST  265
    Asymmetric Algorithms  265
    Diffie-Hellman  266
    RSA  267
    El Gamal  267
    ECC  267
    Knapsack  268
    Zero Knowledge Proof  268
    Message Integrity  268
    Hash Functions  269
    One-Way Hash  269
    MD2/MD4/MD5/MD6
    Message Authentication Code  273
    HMAC  273
    CBC-MAC  274
    CMAC  274
    Digital Signatures  274
    Public Key Infrastructure  275
    Certification Authority (CA) and Registration Authority (RA)  275
    OCSP  276

    Certificates  276
    Certificate Revocation List (CRL)  277
    PKI Steps  277
    Cross-Certification  278
    Key Management  278
    Trusted Platform Module (TPM)  279
    Encryption Communication Levels  280
    Link Encryption  280
    End-to-End Encryption  281
    E-mail Security  281
    PGP  281
    MIME and S/MIME  282
    Quantum Cryptography  282
    Internet Security  282
    Remote Access  283
    SSL/TLS  283
    HTTP, HTTPS, and SHTTP  284
    SET  284
    Cookies  284
    SSH  285
    IPsec  285
    Cryptography Attacks  286
    Ciphertext-Only Attack  287
    Known Plaintext Attack  287
    Chosen Plaintext Attack  287
    Chosen Ciphertext Attack  287
    Social Engineering  287
    Brute Force  288
    Differential Cryptanalysis  288
    Linear Cryptanalysis  288
    Algebraic Attack  288
    Frequency Analysis  288
    Birthday Attack  289
    Dictionary Attack  289

    Replay Attack  289
    Analytic Attack  289
    Statistical Attack  289
    Factoring Attack  289
    Reverse Engineering  289
    Meet-in-the-Middle Attack  290
    Exam Preparation Tasks  290
    Review All Key Topics  290
    Complete the Tables and Lists from Memory  290
    Define Key Terms  291
    Review Questions  291
    Answers and Explanations  293

Chapter 7  Security Architecture and Design  297
    Foundation Topics  297
    Security Model Concepts  297
    Confidentiality  297
    Integrity  297
    Availability  298
    Defense in Depth  298
    System Architecture  298
    System Architecture Steps  299
    ISO/IEC 42010:2011  299
    Computing Platforms  300
    Mainframe/Thin Clients  300
    Distributed Systems  300
    Middleware  301
    Embedded Systems  301
    Mobile Computing  301
    Virtual Computing  301
    Security Services  302
    Boundary Control Services  302
    Access Control Services  302
    Integrity Services  303

    Cryptography Services  303
    Auditing and Monitoring Services  303
    System Components  303
    CPU and Multiprocessing  303
    Memory and Storage  304
    Input/Output Devices  307
    Operating Systems  307
    Multitasking  308
    Memory Management  309
    System Security Architecture  310
    Security Policy  310
    Security Requirements  310
    Security Zones  311
    Security Architecture Frameworks  312
    Zachman Framework  312
    SABSA  312
    TOGAF  312
    ITIL  313
    Security Architecture Documentation  314
    ISO/IEC 27000 Series  314
    CobiT  314
    Security Model Types and Security Models  314
    Security Model Types  315
    State Machine Models  315
    Multilevel Lattice Models  315
    Matrix-Based Models  315
    Noninterference Models  316
    Information Flow Models  316
    Security Models  317
    Bell-LaPadula Model  317
    Biba Model  318
    Clark-Wilson Integrity Model  319
    Lipner Model  320
    Brewer-Nash (Chinese Wall) Model  320

    Graham-Denning Model  320
    Harrison-Ruzzo-Ullman Model  321
    Security Modes  321
    Dedicated Security Mode  321
    System High Security Mode  321
    Compartmented Security Mode  321
    Multilevel Security Mode  321
    Assurance  322
    System Evaluation  322
    TCSEC  322
    Rainbow Series  323
    Orange Book  323
    Red Book  326
    ITSEC  326
    Common Criteria  328
    Certification and Accreditation  329
    Security Architecture Maintenance  330
    Security Architecture Threats  330
    Maintenance Hooks  331
    Time-of-Check/Time-of-Use Attacks  331
    Web-Based Attacks  332
    XML  332
    SAML  332
    OWASP  333
    Server-Based Attacks  333
    Data Flow Control  333
    Database Security  333
    Inference  333
    Aggregation  334
    Contamination  334
    Data Mining Warehouse  334
    Distributed Systems Security  334
    Cloud Computing  335

    Grid Computing  335
    Peer-to-Peer Computing  335
    Exam Preparation Tasks  336
    Review All Key Topics  336
    Complete the Tables and Lists from Memory  336
    Define Key Terms  336
    Review Questions  337
    Answers and Explanations  339

Chapter 8  Operations Security  343
    Foundation Topics  343
    Operations Security Concepts  343
    Need-to-Know/Least Privilege  343
    Separation of Duties  344
    Job Rotation  344
    Sensitive Information Procedures  344
    Record Retention  345
    Monitor Special Privileges  345
    Resource Protection  345
    Protecting Tangible and Intangible Assets  346
    Facilities  346
    Hardware  346
    Software  347
    Information Assets  347
    Asset Management  348
    Redundancy and Fault Tolerance  348
    Backup and Recovery Systems  348
    Identity and Access Management  349
    Media Management  349
    SAN  353
    NAS  353
    HSM  353
    Media History  354
    Media Labeling and Storage  354

    Sanitizing and Disposing of Media  355
    Network and Resource Management  355
    Operations Processes  356
    Incident Response Management  356
    Change Management  357
    Configuration Management  358
    Patch Management  359
    Audit and Review  360
    Operations Security Threats and Preventative Measures  361
    Clipping Levels  361
    Deviations from Standards  361
    Unusual or Unexplained Events  361
    Unscheduled Reboots  362
    Trusted Recovery  362
    Trusted Paths  362
    Input/Output Controls  362
    System Hardening  362
    Vulnerability Management Systems  363
    IDS/IPS  363
    Monitoring and Reporting  363
    Antimalware/Antivirus  364
    Exam Preparation Tasks  364
    Review All Key Topics  364
    Complete the Tables and Lists from Memory  364
    Define Key Terms  364
    Review Questions  365
    Answers and Explanations  367

Chapter 9  Business Continuity and Disaster Recovery  369
    Foundation Topics  369
    Business Continuity and Disaster Recovery Concepts  369
    Disruptions  370
    Disasters  370
    Technological Disasters  371
    Man-made Disasters  371

    Natural Disasters  371
    Disaster Recovery and the Disaster Recovery Plan (DRP)  371
    Continuity Planning and the Business Continuity Plan (BCP)  372
    Business Impact Analysis (BIA)  372
    Contingency Plan  372
    Availability  373
    Reliability  373
    Business Impact Analysis (BIA) Development  373
    Identify Critical Processes and Resources  374
    Identify Outage Impacts, and Estimate Downtime  374
    Identify Resource Requirements  375
    Identify Recovery Priorities  376
    Recoverability  376
    Fault Tolerance  376
    Business Continuity Scope and Plan  376
    Personnel Components  377
    Project Scope  377
    Business Continuity Steps  377
    Preventive Controls  378
    Redundant Systems, Facilities, and Power  379
    Fault-Tolerant Technologies  379
    Insurance  379
    Data Backup  380
    Fire Detection and Suppression  380
    Create Recovery Strategies  380
    Categorize Asset Recovery Priorities  381
    Business Process Recovery  382
    Facility Recovery  382
    Hot Site  383
    Cold Site  383
    Warm Site  384
    Tertiary Site  384
    Reciprocal Agreements  384
    Redundant Sites  385

    Supply and Technology Recovery  385
    Hardware Backup  386
    Software Backup  386
    Human Resources  387
    Supplies  387
    Documentation  388
    User Environment Recovery  388
    Data Recovery  388
    Data Backup Types and Schemes  389
    Electronic Backup  392
    High Availability  392
    Training Personnel  393
    Critical Teams and Duties  393
    Damage Assessment Team  394
    Legal Team  394
    Media Relations Team  394
    Recovery Team  395
    Relocation Team  395
    Restoration Team  395
    Salvage Team  395
    Security Team  395
    BCP Testing  396
    Checklist Test  396
    Table-top Exercise  396
    Structured Walk-Through Test  397
    Simulation Test  397
    Parallel Test  397
    Full-Interruption Test  397
    Functional Drill  397
    Evacuation Drill  397
    BCP Maintenance  398
    Exam Preparation Tasks  398
    Review All Key Topics  398
    Complete the Tables and Lists from Memory  399

    Define Key Terms  399
    Review Questions  399
    Answers and Explanations  401

Chapter 10  Legal, Regulations, Investigations, and Compliance  405
    Foundation Topics  406
    Computer Crime Concepts  406
    Computer-Assisted Crime  406
    Computer-Targeted Crime  406
    Incidental Computer Crime  406
    Computer Prevalence Crime  407
    Hackers Versus Crackers  407
    Major Legal Systems  407
    Civil Code Law  408
    Common Law  408
    Criminal Law  408
    Civil/Tort Law  408
    Administrative/Regulatory Law  409
    Customary Law  409
    Religious Law  409
    Mixed Law  409
    Intellectual Property Law  409
    Patent  410
    Trade Secret  410
    Trademark  411
    Copyright  411
    Software Piracy and Licensing Issues  412
    Internal Protection  413
    Privacy  413
    Personally Identifiable Information (PII)  414
    Laws and Regulations  414
    Sarbanes-Oxley (SOX) Act  415
    Health Insurance Portability and Accountability Act (HIPAA)  415
    Gramm-Leach-Bliley Act (GLBA) of 1999  415
    Computer Fraud and Abuse Act (CFAA)  416

    Federal Privacy Act of 1974  416
    Foreign Intelligence Surveillance Act (FISA) of 1978  416
    Electronic Communications Privacy Act (ECPA) of 1986  416
    Computer Security Act of 1987  417
    United States Federal Sentencing Guidelines of 1991  417
    Communications Assistance for Law Enforcement Act (CALEA) of 1994  417
    Personal Information Protection and Electronic Documents Act (PIPEDA)  417
    Basel II  417
    Payment Card Industry Data Security Standard (PCI DSS)  418
    Federal Information Security Management Act (FISMA) of 2002  418
    Economic Espionage Act of 1996  418
    USA PATRIOT Act  418
    Health Care and Education Reconciliation Act of 2010  418
    Employee Privacy Issues and Expectation of Privacy  419
    European Union  419
    Export/Import Issues  420
    Compliance  420
    Liability  420
    Due Diligence Versus Due Care  421
    Negligence  421
    Liability Issues  422
    Incident Response  423
    Event Versus Incident  423
    Incident Response Team and Incident Investigations  424
    Rules of Engagement, Authorization, and Scope  424
    Incident Response Procedures  424
    Forensic and Digital Investigations  425
    Identify Evidence  427
    Preserve and Collect Evidence  427
    Examine and Analyze Evidence  428
    Present Findings  428
    Decide  428
    IOCE/SWGDE  429

    Crime Scene  429
    MOM  429
    Chain of Custody  430
    Interviewing  430
    Evidence  430
    Five Rules of Evidence  431
    Types of Evidence  431
    Best Evidence  432
    Secondary Evidence  432
    Direct Evidence  432
    Conclusive Evidence  432
    Circumstantial Evidence  432
    Corroborative Evidence  433
    Opinion Evidence  433
    Hearsay Evidence  433
    Surveillance, Search, and Seizure  433
    Media Analysis  434
    Software Analysis  434
    Network Analysis  435
    Hardware/Embedded Device Analysis  435
    Security Professional Ethics  435
    (ISC)2 Code of Ethics  436
    Computer Ethics Institute  436
    Internet Architecture Board  437
    Organizational Ethics  437
    Exam Preparation Tasks  437
    Review All Key Topics  437
    Define Key Terms  438
    Review Questions  439
    Answers and Explanations  441

Chapter 11  Physical (Environmental) Security  445
    Foundation Topics  445
    Geographical Threats  445
    Internal Versus External Threats  445
    Natural Threats  446

    Hurricane/Tropical Storm  446
    Tornadoes  446
    Earthquakes  446
    Floods  447
    System Threats  447
    Electrical  447
    Communications  447
    Utilities  448
    Man-Made Threats
    Collusion  451
    Politically Motivated Threats  451
    Strikes  451
    Riots  451
    Civil Disobedience  452
    Terrorist Acts  452
    Bombing  452
    Site and Facility Design  453
    Layered Defense Model  453
    CPTED  453
    Natural Access Control  453
    Natural Surveillance  454
    Natural Territorial Reinforcement  454
    Physical Security Plan  454
    Deter Criminal Activity  454
    Delay Intruders  454
    Detect Intruders  455
    Assess Situation  455
    Respond to Intrusions and Disruptions  455

    Facility Selection Issues  455
    Visibility  455
    Surrounding Area and External Entities  456
    Accessibility  456
    Construction  456
    Internal Compartments  457
    Computer and Equipment Rooms  457
    Perimeter Security  458
    Gates and Fences  458
    Barriers (Bollards)  458
    Fences  459
    Gates  459
    Walls  460
    Perimeter Intrusion Detection  460
    Infrared Sensors  460
    Electromechanical Systems  460
    Photoelectric Systems  460
    Acoustical Detection Systems  461
    Wave Motion Detector  461
    Capacitance Detector  461
    CCTV  461
    Lighting  461
    Types of Systems  461
    Types of Lighting  462
    Patrol Force  462
    Access Control  462
    Building and Internal Security  463
    Doors  463
    Door Lock Types  463
    Turnstiles and Mantraps  464
    Locks  464
    Biometrics  466
    Glass Entries  466
    Visitor Control  466

    Equipment Rooms  467
    Work Areas  467
    Secure Data Center  467
    Restricted Work Area  468
    Environmental Security  468
    Fire Protection  468
    Fire Detection  468
    Fire Suppression  468
    Power Supply  470
    Types of Outages  470
    Preventative Measures  470
    HVAC  471
    Water Leakage and Flooding  471
    Environmental Alarms  472
    Equipment Security  472
    Corporate Procedures  472
    Tamper Protection  472
    Encryption  472
    Inventory  473
    Physical Protection of Security Devices  473
    Tracking Devices  473
    Portable Media Procedures  473
    Safes, Vaults, and Locking  473
    Personnel Privacy and Safety  474
    Exam Preparation Tasks  475
    Review All Key Topics  475
    Define Key Terms  475
    Review Questions  476
    Answers and Explanations  478

Glossary  481
Index  538
Appendix A  Memory Tables  (On CD)
Appendix B  Memory Tables Answer Key  (On CD)

About the Authors

Troy McMillan is a Product Developer and Technical Editor for Kaplan Cert Prep as well as a full-time trainer and writer. He became a professional trainer 12 years ago teaching Cisco, Microsoft, CompTIA, and Wireless classes.

Troy's book CCNA Essentials by Sybex Publishing was released in November 2011. It has been chosen as the textbook for both online and instructor-led classes at several colleges in the United States.

Troy also is a courseware developer. Among the work he has done in this area is wireless training materials for Motorola in 2011 and instructor materials for a series of books by Sybex on Windows Server 2008 R2 in 2011.

Troy also teaches Cisco, Microsoft, CompTIA, and Security classes for several large corporate training companies. Among these are Global Knowledge and New Horizons. He now creates certification practice tests and study guides for the Transcender and Self-Test brands. Troy lives in Atlanta, Georgia.

Troy's professional accomplishments include B.B.A., MCSE (NT/2000/2003/2008), CCNA, CCNP, MCP+I, CNA, A+, Net+, MCT, Server+, i-Net+, MCSA, CIWp, CIWa, CIW security analyst, CWNA, CWSP, CWNT, CWNE, MCTS: Vista Configuration, MCITP: Enterprise Support Technician, MCITP: Server Administrator, MCITP: Consumer Support Technician, MCTS: Forefront Client and Server Configuration, MCTS: Business Desktop Deployment with BDD, MCTS: Office Project Server 2007, MCTS: Windows Active Directory: Configuration, MCTS: Applications Infrastructure: Configuration, MCTS: Network Infrastructure: Configuration, CCSI, and VCP.

Robin M. Abernathy has been working in the IT certification preparation industry at Kaplan IT Certification Preparation, the owners of the Transcender and Self-Test brands, for more than a decade. Robin has written and edited certification preparation materials for many (ISC)2, Microsoft, CompTIA, PMI, Cisco, and ITIL certifications and holds multiple IT certifications from these vendors.

Robin provides training on computer hardware and software, networking, security, and project management. Over the past couple of years, she has ventured into the traditional publishing industry by technically editing several publications. More recently, she has presented at technical conferences and hosted webinars on IT certification topics.

Dedications

This is dedicated to my soulmate and wife, Heike. —Troy

For my husband Michael and my son Jonas. —Robin

Acknowledgments

From Troy: Special thanks to all who helped with this book, but especially to Dave Dusthimer for suggesting me for this book, to Betsy Brown for guiding us through the process, to Andrew Cupp and Allison Johnson for keeping us on schedule, and most of all to my co-author, Robin Abernathy.

From Robin: I would be remiss if I did not first of all mention my gratitude to God for blessing me throughout my life. I do nothing on my own. It is only through Him that I have the strength and wisdom to accomplish my goals.

When my father and his business partner asked me to take over a retail computer store in the mid-1990s, I had no idea that a BIG journey was just starting. So thanks, Wayne McDaniel (a.k.a. Dad) and Roy Green for seeing something in me that I didn't even see in myself and for taking a chance on a very green techie. Also, thanks to my mom, Lucille McDaniel, for supporting my career changes over the years, even if you didn't understand them. Thanks to Mike White for sharing your knowledge and giving me a basis on which to build my expertise over the coming years. Thanks to Zackie Bosarge, a great mentor who gave me my first "real" job in the IT field at Alabama Institute for the Deaf and Blind.

Thanks also to my little family, my husband Michael and my son Jonas. Thanks for being willing to have Friday night fun nights without me while I spent my extra time knee-deep in CISSP topics.
