ALL IN ONE
CISSP EXAM GUIDE
Sixth Edition

Shon Harris

New York  Chicago  San Francisco  Lisbon  London  Madrid  Mexico City  Milan  New Delhi
San Juan  Seoul  Singapore  Sydney  Toronto

McGraw-Hill is an independent entity from (ISC)2 and is not affiliated with (ISC)2 in any manner. This study/training guide and/or material is not sponsored by, endorsed by, or affiliated with (ISC)2 in any manner. This publication and digital content may be used in assisting students to prepare for the CISSP exam. Neither (ISC)2 nor McGraw-Hill warrant that use of this publication and digital content will ensure passing any exam. (ISC)2, CISSP, CAP, ISSAP, ISSEP, ISSMP, SSCP and CBK are trademarks or registered trademarks of (ISC)2 in the United States and certain other countries. All other trademarks are trademarks of their respective owners.

Copyright 2013 by McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 978-0-07-178173-2
MHID: 0-07-178173-0

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-178174-9, MHID: 0-07-178174-9.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at bulksalesmcgraw-.

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. ("McGraw-Hill") and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill's prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED "AS IS." McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

I dedicate this book to some of the most wonderful people I have lost over the last several years. My grandfather (George Fairbairn), who taught me about integrity, unconditional love, and humility. My grandmother (Marge Fairbairn), who taught me about the importance of living life to the fullest, having "fun fun," and of course, black jack. My dad (Tom Conlon), who taught me how to be strong and face adversity. My father-in-law (Maynard Harris), who taught me a deep meaning of the importance of family that I never knew before. Each person was a true role model to me. I learned a lot from them, I appreciate all that they have done for me, and I miss them terribly.

ABOUT THE AUTHOR

Shon Harris is the founder and CEO of Shon Harris Security LLC and Logical Security LLC, a security consultant, a former engineer in the Air Force's Information Warfare unit, an instructor, and an author. Shon has owned and run her own training and consulting companies since 2001. She consults with Fortune 100 corporations and government agencies on extensive security issues. She has authored three best-selling CISSP books, was a contributing author to Gray Hat Hacking: The Ethical Hacker's Handbook and Security Information and Event Management (SIEM) Implementation, and a technical editor for Information Security Magazine. Shon has also developed many digital security products for Pearson Publishing.

About the Technical Editor

Polisetty Veera Subrahmanya Kumar, CISSP, CISA, PMP, PMI-RMP, MCPM, ITIL, has more than two decades of experience in the field of Information Technology. His areas of specialization include information security, business continuity, project management, and risk management. In the recent past he served his term as Chairperson for Project Management Institute's PMI-RMP (PMI-Risk Management Professional) Credentialing Committee and was a member of ISACA's India Growth Task Force team. In the past he worked as content development team leader on a variety of PMI standards development projects. He was a lead instructor for the PMI PMBOK review seminars.

CONTENTS AT A GLANCE

Chapter 1   Becoming a CISSP ... 1
Chapter 2   Information Security Governance and Risk Management ... 21
Chapter 3   Access Control ... 157
Chapter 4   Security Architecture and Design ... 297
Chapter 5   Physical and Environmental Security ... 427
Chapter 6   Telecommunications and Network Security ... 515
Chapter 7   Cryptography ... 759
Chapter 8   Business Continuity and Disaster Recovery ... 885
Chapter 9   Legal, Regulations, Compliance, and Investigations ... 979
Chapter 10  Software Development Security ... 1081
Chapter 11  Security Operations ... 1233
Appendix A  Comprehensive Questions ... 1319
Appendix B  About the Download ... 1379
Glossary ... G-1
Index ... 1385

CONTENTS

Foreword ... xx
Acknowledgments ... xxiii

Chapter 1  Becoming a CISSP ... 1
    Why Become a CISSP? ... 1
    The CISSP Exam ... 2
    CISSP: A Brief History ... 6
    How Do You Sign Up for the Exam? ... 7
    What Does This Book Cover? ... 7
    Tips for Taking the CISSP Exam ... 8
    How to Use This Book ... 9
    Questions ... 10
    Answers ... 19

Chapter 2  Information Security Governance and Risk Management ... 21
    Fundamental Principles of Security ... 22
        Availability ... 23
        Integrity ... 23
        Confidentiality ... 24
        Balanced Security ... 24
    Security Definitions ... 26
    Control Types ... 28
    Security Frameworks ... 34
        ISO/IEC 27000 Series ... 36
        Enterprise Architecture Development ... 41
        Security Controls Development ... 55
        COSO ... 59
        Process Management Development ... 60
        Functionality vs. Security ... 68
    Security Management ... 69
    Risk Management ... 70
        Who Really Understands Risk Management? ... 71
        Information Risk Management Policy ... 72
        The Risk Management Team ... 73
    Risk Assessment and Analysis ... 74
        Risk Analysis Team ... 75
        The Value of Information and Assets ... 76
        Costs That Make Up the Value ... 76
        Identifying Vulnerabilities and Threats ... 77
        Methodologies for Risk Assessment ... 78
        Risk Analysis Approaches ... 85
        Qualitative Risk Analysis ... 89
        Protection Mechanisms ... 92
        Putting It Together ... 96
        Total Risk vs. Residual Risk ... 96
        Handling Risk ... 97
        Outsourcing ... 100
    Policies, Standards, Baselines, Guidelines, and Procedures ... 101
        Security Policy ... 102
        Standards ... 105
        Baselines ... 106
        Guidelines ... 106
        Procedures ... 107
        Implementation ... 108
    Information Classification ... 109
        Classifications Levels ... 110
        Classification Controls ... 113
    Layers of Responsibility ... 114
        Board of Directors ... 115
        Executive Management ... 116
        Chief Information Officer ... 118
        Chief Privacy Officer ... 118
        Chief Security Officer ... 119
        Security Steering Committee ... 120
        Audit Committee ... 121
        Data Owner ... 121
        Data Custodian ... 122
        System Owner ... 122
        Security Administrator ... 122
        Security Analyst ... 123
        Application Owner ... 123
        Supervisor ... 123
        Change Control Analyst ... 124
        Data Analyst ... 124
        Process Owner ... 124
        Solution Provider ... 124
        User ... 125
        Product Line Manager ... 125
        Auditor ... 125
        Why So Many Roles? ... 126
    Personnel Security ... 126
        Hiring Practices ... 128
        Termination ... 129
        Security-Awareness Training ... 130
        Degree or Certification? ... 131
    Security Governance ... 132
        Metrics ... 132
    Summary ... 137
    Quick Tips ... 138
    Questions ... 141
    Answers ... 150

Chapter 3  Access Control ... 157
    Access Controls Overview ... 157
    Security Principles ... 158
        Availability ... 159
        Integrity ... 159
        Confidentiality ... 160
    Identification, Authentication, Authorization, and Accountability ... 160
        Identification and Authentication ... 162
        Password Management ... 174
        Authorization ... 203
    Access Control Models ... 219
        Discretionary Access Control ... 220
        Mandatory Access Control ... 221
        Role-Based Access Control ... 224
    Access Control Techniques and Technologies ... 227
        Rule-Based Access Control ... 227
        Constrained User Interfaces ... 228
        Access Control Matrix ... 229
        Content-Dependent Access Control ... 231
        Context-Dependent Access Control ... 231
    Access Control Administration ... 232
        Centralized Access Control Administration ... 233
        Decentralized Access Control Administration ... 240
    Access Control Methods ... 241
        Access Control Layers ... 241
        Administrative Controls ... 242
        Physical Controls ... 243
        Technical Controls ... 245
    Accountability ... 248
        Review of Audit Information ... 250
        Protecting Audit Data and Log Information ... 251
        Keystroke Monitoring ... 251
    Access Control Practices ... 252
        Unauthorized Disclosure of Information ... 253
    Access Control Monitoring ... 255
        Intrusion Detection ... 255
        Intrusion Prevention Systems ... 265
    Threats to Access Control ... 268
        Dictionary Attack ... 269
        Brute Force Attacks ... 270
        Spoofing at Logon ... 270
        Phishing and Pharming ... 271
        Threat Modeling ... 273
    Summary ... 277
    Quick Tips ... 277
    Questions ... 282
    Answers ... 291

Chapter 4  Security Architecture and Design ... 297
    Computer Security ... 298
    System Architecture ... 300
    Computer Architecture ... 303
        The Central Processing Unit ... 304
        Multiprocessing ... 309
        Operating System Components ... 312
        Memory Types ... 325
        Virtual Memory ... 337
        Input/Output Device Management ... 340
        CPU Architecture ... 342
    Operating System Architectures ... 347
        Virtual Machines ... 355
    System Security Architecture ... 357
        Security Policy ... 357
        Security Architecture Requirements ... 359
    Security Models ... 365
        State Machine Models ... 367
        Bell-LaPadula Model ... 369
        Biba Model ... 372
        Clark-Wilson Model ... 374
        Information Flow Model ... 377
        Noninterference Model ... 380
        Lattice Model ... 381
        Brewer and Nash Model ... 383
        Graham-Denning Model ... 384
        Harrison-Ruzzo-Ullman Model ... 385
    Security Modes of Operation ... 386
        Dedicated Security Mode ... 387
        System High-Security Mode ... 387
        Compartmented Security Mode ... 387
        Multilevel Security Mode ... 388
        Trust and Assurance ... 390
    Systems Evaluation Methods ... 391
        Why Put a Product Through Evaluation? ... 391
        The Orange Book ... 392
        The Orange Book and the Rainbow Series ... 397
        The Red Book ... 398
        Information Technology Security Evaluation Criteria ... 399
        Common Criteria ... 402
    Certification vs. Accreditation ... 406
        Certification ... 406
        Accreditation ... 406
    Open vs. Closed Systems ... 408
        Open Systems ... 408
        Closed Systems ... 408
    A Few Threats to Review ... 409
        Maintenance Hooks ... 409
        Time-of-Check/Time-of-Use Attacks ... 410
    Summary ... 412
    Quick Tips ... 413
    Questions ... 416
    Answers ... 423

Chapter 5  Physical and Environmental Security ... 427
    Introduction to Physical Security ... 427
    The Planning Process ... 430
        Crime Prevention Through Environmental Design ... 435
        Designing a Physical Security Program ... 442
    Protecting Assets ... 457
    Internal Support Systems ... 458
        Electric Power ... 459
        Environmental Issues ... 465
        Ventilation ... 467
        Fire Prevention, Detection, and Suppression ... 467
    Perimeter Security ... 475
        Facility Access Control ... 476
        Personnel Access Controls ... 483
        External Boundary Protection Mechanisms ... 484
        Intrusion Detection Systems ... 493
        Patrol Force and Guards ... 497
        Dogs ... 497
        Auditing Physical Access ... 498
        Testing and Drills ... 498
    Summary ... 499
    Quick Tips ... 499
    Questions ... 502
    Answers ... 509

Chapter 6  Telecommunications and Network Security ... 515
    Telecommunications ... 517
    Open Systems Interconnection Reference Model ... 517
        Protocol ... 518
        Application Layer ... 521
        Presentation Layer ... 522
        Session Layer ... 523
        Transport Layer ... 525
        Network Layer ... 527
        Data Link Layer ... 528
        Physical Layer ... 530
        Functions and Protocols in the OSI Model ... 530
        Tying the Layers Together ... 532
    TCP/IP Model ... 534
        TCP ... 535
        IP Addressing ... 541
        IPv6 ... 544
        Layer 2 Security Standards ... 547
    Types of Transmission ... 550
        Analog and Digital ... 550
        Asynchronous and Synchronous ... 552
        Broadband and Baseband ... 554
    Cabling ... 556
        Coaxial Cable ... 557
        Twisted-Pair Cable ... 557
        Fiber-Optic Cable ... 558
        Cabling Problems ... 560
    Networking Foundations ... 562
        Network Topology ... 563
        Media Access Technologies ... 565
    Network Protocols and Services ... 580
        Domain Name Service ... 590
        E-mail Services ... 599
        Network Address Translation ... 604
        Routing Protocols ... 608
    Networking Devices ... 612
        Repeaters ... 612
        Bridges ... 613
        Routers ... 615
        Switches ... 617
        Gateways ... 621
        PBXs ... 624
        Firewalls ... 628
        Proxy Servers ... 653
        Honeypot ... 655
        Unified Threat Management ... 656
        Cloud Computing ... 657
    Intranets and Extranets ... 660
    Metropolitan Area Networks ... 663
    Wide Area Networks ... 665
        Telecommunications Evolution ... 666
        Dedicated Links ... 669
        WAN Technologies ... 673
    Remote Connectivity ... 695
        Dial-up Connections ... 695
        ISDN ... 697
        DSL ... 698
        Cable Modems ... 700
        VPN ... 702
        Authentication Protocols ... 709
    Wireless Technologies ... 712
        Wireless Communications ... 712
        WLAN Components ... 716
        Wireless Standards ... 723
        War Driving for WLANs ... 728
        Satellites ... 729
        Mobile Wireless Communication ... 730
        Mobile Phone Security ... 736
    Summary ... 739
    Quick Tips ... 740
    Questions ... 744
    Answers ... 753

Chapter 7  Cryptography ... 759
    The History of Cryptography ... 760
    Cryptography Definitions and Concepts ... 765
        Kerckhoffs' Principle ... 767
        The Strength of the Cryptosystem ... 768
        Services of Cryptosystems ... 769
        One-Time Pad ... 771
        Running and Concealment Ciphers ... 773
        Steganography ... 774
    Types of Ciphers ... 777
        Substitution Ciphers ... 778
        Transposition Ciphers ... 778
    Methods of Encryption ... 781
        Symmetric vs. Asymmetric Algorithms ... 782
        Symmetric Cryptography ... 782
        Block and Stream Ciphers ... 787
        Hybrid Encryption Methods ... 792
    Types of Symmetric Systems ... 800
        Data Encryption Standard ... 800
        Triple-DES ... 808
        The Advanced Encryption Standard ... 809
        International Data Encryption Algorithm ... 809
        Blowfish ... 810
        RC4 ... 810
        RC5 ... 810
        RC6 ... 810