Full Description
Learn, prepare, and practice for CISSP exam success with the CISSP Cert Guide from Pearson IT Certification, a leader in IT Certification.

- Master CISSP exam topics
- Assess your knowledge with chapter-ending quizzes
- Review key concepts with exam preparation tasks
- Practice with realistic exam questions on the CD

CISSP Cert Guide is a best-of-breed exam study guide. Leading IT certification experts Troy McMillan and Robin Abernathy share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

You'll get a complete test preparation routine organized around proven series elements and techniques. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan. The companion CD contains the powerful Pearson IT Certification Practice Test engine, complete with hundreds of exam-realistic questions. The assessment engine offers you a wealth of customization options and reporting features, laying out a complete assessment of your knowledge to help you focus your study where it is needed most, so you can succeed on the exam the first time.
This study guide helps you master all the topics on the CISSP exam, including:

- Access control
- Telecommunications and network security
- Information security governance and risk management
- Software development security
- Cryptography
- Security architecture and design
- Operations security
- Business continuity and disaster recovery planning
- Legal, regulations, investigations, and compliance
- Physical (environmental) security

Troy McMillan, Product Developer and Technical Editor at Kaplan Cert Prep, specializes in creating certification practice tests and study guides. He has 12 years of experience teaching Cisco, Microsoft, CompTIA, and Security classes for top training companies, including Global Knowledge and New Horizons. He holds more than 20 certifications from Microsoft, Cisco, VMware, and other leading technology organizations.

Robin M. Abernathy has more than a decade of experience in IT certification prep. For Kaplan IT Certification Preparation, she has written and edited preparation materials for many (ISC)2, Microsoft, CompTIA, PMI, Cisco, and ITIL certifications. She holds multiple IT certifications from these vendors.

Companion CD
The CD contains two free, complete practice exams, plus memory tables and answers to help you study more efficiently and effectively.

Pearson IT Certification Practice Test minimum system requirements: Windows XP (SP3), Windows Vista (SP2), Windows 7, or Windows 8; Microsoft .NET Framework 4.0 Client; Pentium-class 1GHz processor (or equivalent); 512MB RAM; 650MB disk space plus 50MB for each downloaded practice exam; access to the Internet to register and download exam databases.
Contents
Introduction

Chapter 1 The CISSP Certification 3
The Goals of the CISSP Certification 3
Sponsoring Bodies 3
Stated Goals 4
The Value of the CISSP Certification 4
To the Security Professional 5
To the Enterprise 5
The Common Body of Knowledge 5
Access Control 5
Telecommunications and Network Security 6
Information Security Governance and Risk Management 6
Software Development Security 7
Cryptography 7
Security Architecture and Design 8
Operations Security 8
Business Continuity and Disaster Recovery Planning 8
Legal, Regulations, Investigations, and Compliance 9
Physical and Environmental Security 9
Steps to Becoming a CISSP 10
Qualifying for the Exam 10
Signing Up for the Exam 10
About the CISSP Exam 10

Chapter 2 Access Control 13
Foundation Topics 13
Access Control Concepts 13
CIA 13
Default Stance 14
Defense In Depth 14
Access Control Process 15
Identify Resources 15
Identify Users 15
Identify Relationships Between Resources and Users 16
Identification and Authentication Concepts 16
Three Factors for Authentication 17
Knowledge Factors 17
Identity and Account Management 18
Password Types and Management 19
Ownership Factors 22
Synchronous and Asynchronous Token 22
Memory Cards 22
Smart Cards 23
Characteristic Factors 23
Physiological Characteristics 24
Behavioral Characteristics 25
Biometric Considerations 26
Authorization Concepts 28
Access Control Policies 28
Separation of Duties 29
Least Privilege/Need-to-Know 29
Default to No Access 30
Directory Services 30
Single Sign-on 31
Kerberos 32
SESAME 34
Federated Identity Management 35
Security Domains 35
Accountability 35
Auditing and Reporting 36
Vulnerability Assessment 37
Penetration Testing 38
Access Control Categories 39
Compensative 40
Corrective 40
Detective 40
Deterrent 40
Directive 40
Preventive 41
Recovery 41
Access Control Types 41
Administrative (Management) Controls 41
Logical (Technical) Controls 43
Physical Controls 43
Access Control Models 46
Discretionary Access Control 46
Mandatory Access Control 47
Role-based Access Control 47
Rule-based Access Control 48
Content-dependent Versus Context-dependent 48
Access Control Matrix 48
Capabilities Table 48
Access Control List (ACL) 49
Access Control Administration 49
Centralized 49
Decentralized 49
Provisioning Life Cycle 50
Access Control Monitoring 50
IDS 50
IPS 52
Access Control Threats 52
Password Threats 53
Dictionary Attack 53
Brute-Force Attack 53
Social Engineering Threats 53
Phishing/Pharming 54
Shoulder Surfing 54
Identity Theft 54
Dumpster Diving 55
DoS/DDoS 55
Buffer Overflow 55
Mobile Code 56
Malicious Software 56
Spoofing 56
Sniffing and Eavesdropping 57
Emanating 57
Backdoor/Trapdoor 57
Exam Preparation Tasks 57
Review All Key Topics 57
Complete the Tables and Lists from Memory 58
Define Key Terms 59
Review Questions 59
Answers and Explanations 61

Chapter 3 Telecommunications and Network Security 65
Foundation Topics 66
OSI Model 66
Application Layer 67
Presentation Layer 67
Session Layer 67
Transport Layer 68
Network Layer 68
Data Link Layer 68
Physical Layer 69
Multi-Layer Protocols 70
TCP/IP Model 71
Application Layer 72
Transport Layer 72
Internet Layer 74
Link Layer 76
Encapsulation 76
Common TCP/UDP Ports 77
Logical and Physical Addressing 78
IPv4 78
IP Classes 80
Public Versus Private IP Addresses 81
NAT 81
IPv4 Versus IPv6 82
MAC Addressing 82
Network Transmission 83
Analog Versus Digital 83
Asynchronous Versus Synchronous 84
Broadband Versus Baseband 84
Unicast, Multicast, and Broadcast 85
Wired Versus Wireless 86
Cabling 87
Coaxial 87
Twisted Pair 88
Fiberoptic 90
Network Topologies 91
Ring 91
Bus 92
Star 92
Mesh 93
Hybrid 94
Network Technologies 94
Ethernet 802.3 94
Token Ring 802.5 96
FDDI 97
Contention Methods 97
CSMA/CD Versus CSMA/CA 98
Collision Domains 98
CSMA/CD 99
CSMA/CA 100
Token Passing 101
Polling 101
Network Protocols/Services 101
ARP 101
DHCP 102
DNS 103
FTP, FTPS, SFTP 103
HTTP, HTTPS, SHTTP 104
ICMP 104
IMAP 105
NAT 105
PAT 105
POP 105
SMTP 105
SNMP 105
Network Routing 106
Distance Vector, Link State, or Hybrid Routing 106
RIP 107
OSPF 107
IGRP 108
EIGRP 108
VRRP 108
IS-IS 108
BGP 108
Network Devices 109
Patch Panel 109
Multiplexer 109
Hub 109
Switch 110
VLANs 111
Layer 3 Versus Layer 4 111
Router 111
Gateway 112
Firewall 112
Types 113
Architecture 114
Virtualization 116
Proxy Server 116
PBX 116
Honeypot 117
Cloud Computing 117
Endpoint Security 119
Network Types 119
LAN 119
Intranet 119
Extranet 120
MAN 120
WAN 120
WAN Technologies 121
T Lines 121
E Lines 121
OC Lines (SONET) 122
CSU/DSU 122
Circuit-Switching Versus Packet-Switching 123
Frame Relay 123
ATM 123
X.25 124
Switched Multimegabit Data Service 124
Point-to-Point Protocol 124
High-Speed Serial Interface 124
PSTN (POTS, PBX) 125
VoIP 125
Remote Connection Technologies 126
Dial-up 126
ISDN 127
DSL 127
Cable 128
VPN 129
RADIUS and TACACS 132
Remote Authentication Protocols 133
Telnet 134
TLS/SSL 134
Multimedia Collaboration 134
Wireless Networks 135
FHSS, DSSS, OFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 135
802.11 Techniques 136
Cellular or Mobile Wireless Techniques 136
WLAN Structure 137
Access Point 137
SSID 137
Infrastructure Mode Versus Ad Hoc Mode 137
WLAN Standards 137
802.11a 138
802.11b 138
802.11f 138
802.11g 138
802.11n 138
Bluetooth 139
Infrared 139
WLAN Security 139
WEP 139
WPA 140
WPA2 140
Personal Versus Enterprise 140
SSID Broadcast 141
MAC Filter 141
Satellites 141
Network Threats 142
Cabling 142
Noise 142
Attenuation 142
Crosstalk 143
Eavesdropping 143
ICMP Attacks 143
Ping of Death 143
Smurf 144
Fraggle 144
ICMP Redirect 144
Ping Scanning 145
DNS Attacks 145
DNS Cache Poisoning 145
DoS 146
DDoS 146
DNSSEC 146
URL Hiding 146
Domain Grabbing 147
Cybersquatting 147
Email Attacks 147
Email Spoofing 147
Spear Phishing 148
Whaling 148
Spam 148
Wireless Attacks 148
Wardriving 149
Warchalking 149
Remote Attacks 149
Other Attacks 149
SYN ACK Attacks 149
Session Hijacking 150
Port Scanning 150
Teardrop 150
IP Address Spoofing 150
Exam Preparation Tasks 151
Review All Key Topics 151
Define Key Terms 151
Review Questions 153
Answers and Explanations 155

Chapter 4 Information Security Governance and Risk Management 159
Foundation Topics 159
Security Principles and Terms 159
CIA 160
Vulnerability 160
Threat 161
Threat Agent 161
Risk 161
Exposure 161
Countermeasure 161
Due Care and Due Diligence 162
Job Rotation 163
Separation of Duties 163
Security Frameworks and Methodologies 163
ISO/IEC 27000 Series 164
Zachman Framework 166
The Open Group Architecture Framework (TOGAF) 168
Department of Defense Architecture Framework (DoDAF) 168
British Ministry of Defence Architecture Framework (MODAF) 168
Sherwood Applied Business Security Architecture (SABSA) 168
Control Objectives for Information and Related Technology (CobiT) 170
National Institute of Standards and Technology (NIST) Special Publication (SP) 170
Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework 171
Information Technology Infrastructure Library (ITIL) 172
Six Sigma 173
Capability Maturity Model Integration (CMMI) 174
Top-Down Versus Bottom-Up Approach 174
Security Program Life Cycle 174
Risk Assessment 175
Information and Asset (Tangible/Intangible) Value and Costs 177
Vulnerabilities and Threats Identification 177
Quantitative Risk Analysis 178
Qualitative Risk Analysis 179
Safeguard Selection 179
Total Risk Versus Residual Risk 180
Handling Risk 180
Risk Management Principles 181
Risk Management Policy 181
Risk Management Team 181
Risk Analysis Team 182
Information Security Governance Components 182
Policies 183
Organizational Security Policy 184
System-Specific Security Policy 185
Issue-Specific Security Policy 185
Policy Categories 185
Standards 185
Baselines 185
Guidelines 186
Procedures 186
Information Classification and Life Cycle 186
Commercial Business Classifications 186
Military and Government Classifications 187
Information Life Cycle 188
Security Governance Responsibilities and Roles 188
Board of Directors 188
Management 189
Audit Committee 189
Data Owner 190
Data Custodian 190
System Owner 190
System Administrator 190
Security Administrator 190
Security Analyst 191
Application Owner 191
Supervisor 191
User 191
Auditor 191
Third-Party Governance 191
Onsite Assessment 192
Document Exchange/Review 192
Process/Policy Review 192
Personnel Security (Screening, Hiring, and Termination) 192
Security Awareness Training 193
Security Budget, Metrics, and Effectiveness 194
Exam Preparation Tasks 195
Review All Key Topics 195
Complete the Tables and Lists from Memory 195
Define Key Terms 196
Review Questions 196
Answers and Explanations 198

Chapter 5 Software Development Security 203
Foundation Topics 203
System Development Life Cycle 203
Initiate 204
Acquire/Develop 204
Implement 205
Operate/Maintain 205
Dispose 205
Software Development Life Cycle 206
Gather Requirements 206
Design 207
Develop 207
Test/Validate 208
Release/Maintain 209
Change Management and Configuration Management 209
Software Development Security Best Practices 209
WASC 210
OWASP 210
BSI 210
ISO/IEC 27000 210
Software Development Methods 211
Build and Fix 211
Waterfall 212
V-Shaped 213
Prototyping 214
Incremental 214
Spiral 215
Rapid Application Development (RAD) 216
Agile 216
JAD 218
Cleanroom 218
CMMI 218
Programming Concepts 219
Machine Languages 219
Assembly Languages and Assemblers 219
High-level Languages, Compilers, and Interpreters 219
Object-Oriented Programming 220
Polymorphism 221
Cohesion 221
Coupling 221
Data Structures 221
Distributed Object-Oriented Systems 222
CORBA 222
COM and DCOM 222
OLE 223
Java 223
SOA 223
Mobile Code 223
Java Applets 223
ActiveX 224
Database Concepts and Security 224
DBMS Architecture and Models 224
Database Interface Languages 226
ODBC 226
JDBC 227
XML 227
OLE DB 227
Data Warehouses and Data Mining 227
Database Threats 228
Database Views 228
Database Locks 228
Polyinstantiation 228
OLTP ACID Test 229
Knowledge-Based Systems 229
Software Threats 230
Malware 230
Virus 230
Worm 231
Trojan Horse 231
Logic Bomb 232
Spyware/Adware 232
Botnet 232
Rootkit 233
Source Code Issues 233
Buffer Overflow 233
Escalation of Privileges 235
Backdoor 235
Malware Protection 235
Antivirus Software 235
Antimalware Software 236
Security Policies 236
Software Security Effectiveness 236
Certification and Accreditation 236
Auditing 237
Exam Preparation Tasks 237
Review All Key Topics 237
Define Key Terms 238
Complete the Tables and Lists from Memory 238
Review Questions 238
Answers and Explanations 240

Chapter 6 Cryptography 243
Foundation Topics 244
Cryptography Concepts 244
Cryptographic Life Cycle 246
Cryptography History 246
Julius Caesar and the Caesar Cipher 247
Vigenere Cipher 248
Kerckhoff's Principle 249
World War II Enigma 249
Lucifer by IBM 250
Cryptosystem Features 250
Authentication 250
Confidentiality 250
Integrity 251
Authorization 251
Non-repudiation 251
Encryption Systems 251
Running Key and Concealment Ciphers 251
Substitution Ciphers 252
Transposition Ciphers 253
Symmetric Algorithms 253
Stream-based Ciphers 254
Block Ciphers 255
Initialization Vectors (IVs) 255
Asymmetric Algorithms 255
Hybrid Ciphers 256
Substitution Ciphers 257
One-Time Pads 257
Steganography 258
Symmetric Algorithms 258
Digital Encryption Standard (DES) and Triple DES (3DES) 259
DES Modes 259
Triple DES (3DES) and Modes 262
Advanced Encryption Standard (AES) 263
IDEA 263
Skipjack 264
Blowfish 264
Twofish 264
RC4/RC5/RC6 264
CAST 265
Asymmetric Algorithms 265
Diffie-Hellman 266
RSA 267
El Gamal 267
ECC 267
Knapsack 268
Zero Knowledge Proof 268
Message Integrity 268
Hash Functions 269
One-Way Hash 269
MD2/MD4/MD5/MD6 271
SHA/SHA-2/SHA-3 271
HAVAL 272
RIPEMD-160 272
Tiger 272
Message Authentication Code 273
HMAC 273
CBC-MAC 274
CMAC 274
Digital Signatures 274
Public Key Infrastructure 275
Certification Authority (CA) and Registration Authority (RA) 275
OCSP 276
Certificates 276
Certificate Revocation List (CRL) 277
PKI Steps 277
Cross-Certification 278
Key Management 278
Trusted Platform Module (TPM) 279
Encryption Communication Levels 280
Link Encryption 280
End-to-End Encryption 281
E-mail Security 281
PGP 281
MIME and S/MIME 282
Quantum Cryptography 282
Internet Security 282
Remote Access 283
SSL/TLS 283
HTTP, HTTPS, and SHTTP 284
SET 284
Cookies 284
SSH 285
IPsec 285
Cryptography Attacks 286
Ciphertext-Only Attack 287
Known Plaintext Attack 287
Chosen Plaintext Attack 287
Chosen Ciphertext Attack 287
Social Engineering 287
Brute Force 288
Differential Cryptanalysis 288
Linear Cryptanalysis 288
Algebraic Attack 288
Frequency Analysis 288
Birthday Attack 289
Dictionary Attack 289
Replay Attack 289
Analytic Attack 289
Statistical Attack 289
Factoring Attack 289
Reverse Engineering 289
Meet-in-the-Middle Attack 290
Exam Preparation Tasks 290
Review All Key Topics 290
Complete the Tables and Lists from Memory 290
Define Key Terms 291
Review Questions 291
Answers and Explanations 293

Chapter 7 Security Architecture and Design 297
Foundation Topics 297
Security Model Concepts 297
Confidentiality 297
Integrity 297
Availability 298
Defense in Depth 298
System Architecture 298
System Architecture Steps 299
ISO/IEC 42010:2011 299
Computing Platforms 300
Mainframe/Thin Clients 300
Distributed Systems 300
Middleware 301
Embedded Systems 301
Mobile Computing 301
Virtual Computing 301
Security Services 302
Boundary Control Services 302
Access Control Services 302