INTRODUCTION
Computer, information, and physical security are becoming more important at an exponential
rate because of the continual increase in computer crimes. Over the last few years,
the necessity for computer and information security has grown rapidly as web sites
have been defaced, Denial-of-Service attacks have increased, credit card information
has been stolen, publicly available hacking tools have become more sophisticated, and
today’s viruses and worms cause more damage than ever before.
Companies have had to spend millions of dollars to clean up the effects of these
issues and millions of dollars more to secure their perimeter and internal networks
with equipment, software, consultants, and education. But after September 11, 2001,
the necessity and urgency for this type of security has taken on a new paradigm. It is
slowly becoming apparent that governments, nations, and societies are vulnerable to
many different types of attacks that can happen over the network wire and airwaves.
Societies depend heavily on all types of computing power and functionality, mostly
provided by the public and private sectors. This means that although governments are
responsible for protecting their citizens, it is becoming apparent that the citizens and
their businesses must become more secure to protect the nation as a whole.
This type of protection can really only begin through proper education and understanding,
and must continue with the dedicated execution of this knowledge. This book
is written to provide a foundation of the many different areas that make up effective
security. We need to understand all of the threats and dangers we are vulnerable to and
the steps that must be taken to mitigate these vulnerabilities.
Chapter 1: Becoming a CISSP
This chapter presents the following
• The definition of a CISSP
• Reasons to become a CISSP
• What the CISSP exam entails
• The Common Body of Knowledge and what it contains
• The history of (ISC)2 and the CISSP exam
• Recertification requirements
• An assessment test to gauge your current knowledge of security
you gain a CISSP certification, but also to welcome you into the exciting and challenging
world of security.
The Certified Information Systems Security Professional (CISSP) exam covers ten
different subjects, more commonly referred to as domains. The subject matter of each
domain can easily be seen as its own area of study, and in many cases individuals work
exclusively in these fields as experts. For many of these subjects, extensive resources can
be consulted and referenced to become an expert in that area. Because of this, a common
misconception is that the only way to succeed at the CISSP exam is to immerse
yourself in a massive stack of texts and study materials. Fortunately, an easier approach
exists. By using this fourth edition of the CISSP All-in-One Exam Guide, you can successfully
complete and pass the CISSP exam and achieve your CISSP certification. The goal
of this book is to combine into a single resource all the information you need to pass
the CISSP exam. This book should also serve as a useful reference tool long after you’ve
achieved your CISSP certification.
Why Become a CISSP?
As our world changes, the need for improvements in security and technology continues
to grow. Security was once a hot issue only in the field of technology, but now it is becoming
more and more a part of our everyday lives. Security is a concern of every organization,
government agency, corporation, and military unit. Ten years ago computer
and information security was an obscure field that only concerned a few people. Because
the risks were essentially low, few were interested in security expertise. Ethical hacking
and vulnerability assessments required great talent and knowledge and thus were not a
common practice.
Things have changed, however, and today corporations and other organizations are
desperate to recruit talented and experienced security professionals to help protect the
resources they depend on to run their businesses and to remain competitive. With a
CISSP certification, you will be seen as a security professional of proven ability who has
successfully met a predefined standard of knowledge and experience that is well understood
and respected throughout the industry. By keeping this certification current, you
will demonstrate your dedication to staying abreast of security developments.
Reasons for attaining a CISSP certification:
• To meet the growing demand and to thrive in an ever-expanding field
• To broaden your current knowledge of security concepts and practices
• To bring security expertise to your current occupation
• To become more marketable in a competitive workforce
• To show a dedication to the security discipline
• To increase your salary and be eligible for more employment opportunities
The CISSP certification helps companies identify which individuals have the ability,
knowledge, and experience necessary to implement solid security practices, perform
risk analysis, identify necessary countermeasures, and help the organization as a whole
protect its facility, network, systems, and information. The CISSP certification also
shows potential employers you have achieved a level of proficiency and expertise in
skill sets and knowledge required by the security industry. The increasing importance
placed on security in corporate success will only continue in the future, leading to even
greater demands for highly skilled security professionals. CISSP certification shows that
a respected third-party organization has recognized an individual’s technical and theoretical
knowledge and expertise, and distinguishes that individual from those who lack
this level of knowledge.
Understanding and implementing security practices is an essential part of being a
good network administrator, programmer, or engineer. Job descriptions that do not
specifically target security professionals still often require that a potential candidate
have a good understanding of security concepts as well as how to implement them. Due
to staff size and budget constraints, many organizations can’t afford separate network
and security staffs. But this doesn’t mean they don’t believe security is vital to their organization.
Thus, they often try to combine knowledge of technology and security into
a single role. With a CISSP designation, you can put yourself head and shoulders above
other individuals in this regard.
to you and ask, “What is the definition of collusion?” You
need to know how to detect and prevent collusion from taking place, in addition to
knowing the definition of the term.
NOTE Hundreds of scenario-based questions have been added to the
CD-ROM in the back of this book to help you prepare for this exam.
The International Information Systems Security Certification Consortium (ISC)2
process for earning credentials will change as of October 2007. In order to obtain this
credential, candidates for any of the (ISC)2 credentials will be required to obtain an endorsement
of their candidature exclusively from an (ISC)2 certified professional in good
standing. The professional endorsing the candidate can hold any (ISC)2 certification,
such as the CISSP, SSCP, or CAP. This sponsor will vouch for your years of experience.
After passing the exam, you will be asked to supply documentation, supported by a
sponsor, proving that you indeed have this type of experience. The sponsor must sign a
document vouching for the security experience you are submitting. So, make sure you
have this sponsor lined up prior to registering for the exam and providing payment.
You don’t want to pay for and pass the exam, only to find you can’t find a sponsor for
the final step needed to achieve your certification.
The reason behind the sponsorship requirement is to ensure that those who achieve
the certification have real-world experience to offer companies. Book knowledge is extremely
important for understanding theory, concepts, standards, and regulations, but
it can never replace hands-on experience. Proving you have practical experience supports
the relevance of the certification.
Afterward, a small sample group of individuals selected at random will be audited
after passing the exam. The audit consists mainly of individuals from (ISC)2 calling on
the candidates’ stated sponsors and contacts to verify that the test taker’s related experience
is true.
What makes this exam challenging is that most candidates, although they work in
the security field, are not necessarily familiar with all ten CBK domains. If a security
professional is considered an expert in vulnerability testing or application security, for
example, she may not be familiar with physical security, cryptography, or security practices.
Thus, studying for this exam will broaden your knowledge of the security field.
The exam questions address the ten CBK security domains, which are described in
Table 1-1.
(ISC)2 attempts to keep up with changes in technology and methodologies brought
to the security field by adding a large number of new questions to the test question
bank each year. These questions are based on current technologies, practices, approaches,
and standards. For example, the CISSP exam given in 1998 did not have questions
pertaining to wireless security, but present and future exams will.
Other examples of material not on past exams include security governance, instant
messaging, phishing, botnets, VoIP, and spam. Though these subjects weren’t issues in
the past, they are now—and in the case of botnets, VoIP, and spam, they will be in the
future.
The test is based on internationally accepted information security standards and
practices. If you look at the (ISC)2 web site for test dates and locations, you may find,
for example, that the same test is offered this Tuesday in California and next Wednesday
in Saudi Arabia.
If you do not pass the exam, you have the option of retaking it as soon as you like.
(ISC)2 used to subject individuals to a waiting period before they could retake the exam,
but this rule has been removed. (ISC)2 keeps track of which exam version you were
given on your first attempt and ensures you receive a different version for any retakes.
(ISC)2 also provides a report to a CISSP candidate who did not pass the exam, detailing
the areas where the candidate was weakest. Though you could retake the exam soon
afterward, it’s wise to devote additional time to these weak areas to improve your score
on the retest.
Table 1-1 The ten CBK domains and their descriptions

Access Control
This domain examines mechanisms and methods used to enable administrators and
managers to control what subjects can access, the extent of their capabilities after
authorization and authentication, and the auditing and monitoring of these activities.
Some of the topics covered include:
• Access control security models
• Identification and authentication technologies and techniques
• Access control administration
• Single sign-on technologies
• Attack methods
Telecommunications and Network Security
This domain examines internal, external, public, and private communication systems;
networking structures; devices; protocols; and remote access and administration.
Some of the topics covered include:
• OSI model and layers
• Local area network (LAN), metropolitan area network (MAN), and wide area network (WAN) technologies
• Internet, intranet, and extranet issues
• Virtual private networks (VPNs), firewalls, routers, bridges, and repeaters
• Network topologies and cabling
• Attack methods
Information Security and Risk Management
This domain examines the identification of company assets, the proper way to
determine the necessary level of protection required, and what type of budget
to develop for security implementations, with the goal of reducing threats and
monetary loss. Some of the topics covered include:
• Data classification
• Policies, procedures, standards, and guidelines
• Risk assessment and management
• Personnel security, training, and awareness
Application Security
This domain examines the security components within operating systems and
applications and how to best develop and measure their effectiveness. It looks at
software life cycles, change control, and application security. Some of the topics
covered include:
• Data warehousing and data mining
• Various development practices and their risks
• Software components and vulnerabilities
• Malicious code
Cryptography
This domain examines methods and techniques for disguising data for protection
purposes. This involves cryptography techniques, approaches, and technologies.
Some of the topics covered include:
• Symmetric versus asymmetric algorithms and uses
• Public key infrastructure (PKI) and hashing functions
• Encryption protocols and implementation
• Attack methods
Security Architecture and Design
This domain examines concepts, principles, and standards for designing and
implementing secure applications, operating systems, and systems. This covers
international security measurement standards and their meaning for different types
of platforms. Some of the topics covered include:
• Operating states, kernel functions, and memory mapping
• Enterprise architecture
• Security models, architectures, and evaluations
• Evaluation criteria: Trusted Computer Security Evaluation Criteria (TCSEC), Information Technology Security Evaluation Criteria (ITSEC), and Common Criteria
• Common flaws in applications and systems
• Certification and accreditation
Operations Security
This domain examines controls over personnel, hardware, systems, and auditing and
monitoring techniques. It also covers possible abuse channels and how to recognize
and address them. Some of the topics covered include:
• Administrative responsibilities pertaining to personnel and job functions
• Maintenance concepts of antivirus, training, auditing, and resource protection activities
• Preventive, detective, corrective, and recovery controls
• Standards, compliance, and due care concepts
• Security and fault tolerance technologies
Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
This domain examines the preservation of business activities when faced with
disruptions or disasters. It involves the identification of real risks, proper risk
assessment, and countermeasure implementation. Some of the topics covered include:
• Business resource identification and value assignment
• Business impact analysis and prediction of possible losses
• Unit priorities and crisis management
• Plan development, implementation, and maintenance
Legal Regulations, Compliance, and Investigation
This domain examines computer crimes, laws, and regulations. It includes techniques
for investigating a crime, gathering evidence, and handling procedures. It also covers
how to develop and implement an incident-handling program. Some of the topics
covered include:
• Types of laws, regulations, and crimes
• Licensing and software piracy
• Export and import laws and issues
• Evidence types and admissibility into court
• Incident handling
Physical (Environmental) Security
This domain examines threats, risks, and countermeasures to protect facilities,
hardware, data, media, and personnel. This involves facility selection, authorized
entry methods, and environmental and safety procedures. Some of the topics
covered include:
• Restricted areas, authorization methods, and controls
• Motion detectors, sensors, and alarms
• Intrusion detection
• Fire detection, prevention, and suppression
• Fencing, security guards, and security badge types
CISSP: A Brief History
Historically, the field of computer and information security has not been a structured
and disciplined profession; rather, the field has lacked many well-defined professional
objectives and thus has often been misperceived.
In the mid-1980s, members of the computer security profession recognized they
needed a certification program that would give their profession structure and provide
ways for computer security professionals to demonstrate competence and present evidence
of their qualifications. Establishing such a program would help the credibility of
the computer and information security profession as a whole and the individuals who
make up the profession.
In November 1988, the Special Interest Group for Computer Security (SIG-CS) of
the Data Processing Management Association (DPMA) brought together several organizations
interested in forming a security certification program. They included the Information
Systems Security Association (ISSA), the Canadian Information Processing
Society (CIPS), the Computer Security Institute (CSI), Idaho State University, and several
U.S. and Canadian government agencies. As a voluntary joint effort, these organizations
developed the necessary components to offer a full-fledged security certification
for interested professionals. (ISC)2 was formed in mid-1989 as a nonprofit corporation
to develop a security certification program for information systems security practitioners.
The certification was designed to measure professional competence and help
companies in their selection of security professionals and personnel. (ISC)2 was established
in North America, but quickly gained international acceptance and now offers
testing capabilities all over the world.
Because security is such a broad and diversified field in the technology and business
world, the original consortium decided on an information systems security CBK composed
of ten domains that pertain to every part of computer, network, business, and
information security. In addition, because technology continues to rapidly evolve, staying
up-to-date on security trends, technology, and business developments is required to
maintain the CISSP certification. The group also developed a Code of Ethics, test specifications,
a draft study guide, and the exam itself.
CAUTION There has been a lot of controversy in the industry about
(ISC)2, a nonprofit organization that maintains the CISSP certification and
provides training for this certification. Many times the (ISC)2 Institute has
told companies that they cannot have an exam set up for them unless the
companies take the (ISC)2 Institute’s training. This is a conflict of interest
that has been brought up for years, and civil suits have been threatened. Feel
comfortable to take training that best fits your needs, whether it be through
the (ISC)2 Institute or another vendor.
How Do You Become a CISSP?
To become a CISSP, start at www.isc2.org, where you will find an exam registration
form you must fill out and send to (ISC)2. You will be asked to provide your security
work history, as well as documents for the necessary educational requirements. Graduating
with a master’s degree from one of the listed National Centers of Excellence and
having two years of experience will also qualify you. These National Centers of Excellence
are listed at www.nsa.gov/ia/academia/CAE.pdf, and the list of colleges and universities
is growing. You will also be asked to read the (ISC)2 Code of Ethics and sign a
form, indicating that you understand these requirements and promise to abide by
them. You then provide payment along with the registration form, where you indicate
your preference as to the exam location. The numerous testing sites and dates can be
found at www.isc2.org.
Although (ISC)2 used to count cumulative years of job experience toward the requirements
to take the CISSP exam, it has tightened its criteria; test takers must carry
out full-time employment in two or more domains. People often think they do not
have the necessary experience required to take this exam when they actually do, so it’s
always a good idea to contact (ISC)2 directly to find out if you are indeed qualified before
throwing this chance away.