Details

The Official (ISC)2 CISSP CBK Reference



6th ed.

by: Arthur J. Deane, Aaron Kraus

72,99 €

Publisher: Wiley
Format: EPUB
Published: 11.08.2021
ISBN/EAN: 9781119790006
Language: English
Number of pages: 672

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Descriptions

The only official, comprehensive reference guide to the CISSP

Thoroughly updated for 2021 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)² for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor neutral and backed by (ISC)², the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024.

This CBK covers the current eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Revised and updated by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:

- Common and good practices for each objective
- Common vocabulary and definitions
- References to widely accepted computing standards
- Highlights of successful approaches through case studies

Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.
Foreword xix
Introduction xxi

Domain 1: Security and Risk Management 1
Understand, Adhere to, and Promote Professional Ethics 2
(ISC)² Code of Professional Ethics 2
Organizational Code of Ethics 3
Understand and Apply Security Concepts 4
Confidentiality 4
Integrity 5
Availability 6
Limitations of the CIA Triad 7
Evaluate and Apply Security Governance Principles 8
Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives 9
Organizational Processes 10
Organizational Roles and Responsibilities 14
Security Control Frameworks 15
Due Care and Due Diligence 22
Determine Compliance and Other Requirements 23
Legislative and Regulatory Requirements 23
Industry Standards and Other Compliance Requirements 25
Privacy Requirements 27
Understand Legal and Regulatory Issues That Pertain to Information Security in a Holistic Context 28
Cybercrimes and Data Breaches 28
Licensing and Intellectual Property Requirements 36
Import/Export Controls 39
Transborder Data Flow 40
Privacy 41
Understand Requirements for Investigation Types 48
Administrative 49
Criminal 50
Civil 52
Regulatory 53
Industry Standards 54
Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 55
Policies 55
Standards 56
Procedures 57
Guidelines 57
Identify, Analyze, and Prioritize Business Continuity Requirements 58
Business Impact Analysis 59
Develop and Document the Scope and the Plan 61
Contribute to and Enforce Personnel Security Policies and Procedures 63
Candidate Screening and Hiring 63
Employment Agreements and Policies 64
Onboarding, Transfers, and Termination Processes 65
Vendor, Consultant, and Contractor Agreements and Controls 67
Compliance Policy Requirements 67
Privacy Policy Requirements 68
Understand and Apply Risk Management Concepts 68
Identify Threats and Vulnerabilities 68
Risk Assessment 70
Risk Response/Treatment 72
Countermeasure Selection and Implementation 73
Applicable Types of Controls 75
Control Assessments 76
Monitoring and Measurement 77
Reporting 77
Continuous Improvement 78
Risk Frameworks 78
Understand and Apply Threat Modeling Concepts and Methodologies 83
Threat Modeling Concepts 84
Threat Modeling Methodologies 85
Apply Supply Chain Risk Management Concepts 88
Risks Associated with Hardware, Software, and Services 88
Third-Party Assessment and Monitoring 89
Minimum Security Requirements 90
Service-Level Requirements 90
Frameworks 91
Establish and Maintain a Security Awareness, Education, and Training Program 92
Methods and Techniques to Present Awareness and Training 93
Periodic Content Reviews 94
Program Effectiveness Evaluation 94
Summary 95

Domain 2: Asset Security 97
Identify and Classify Information and Assets 97
Data Classification and Data Categorization 99
Asset Classification 101
Establish Information and Asset Handling Requirements 104
Marking and Labeling 104
Handling 105
Storage 105
Declassification 106
Provision Resources Securely 108
Information and Asset Ownership 108
Asset Inventory 109
Asset Management 112
Manage Data Lifecycle 115
Data Roles 116
Data Collection 120
Data Location 120
Data Maintenance 121
Data Retention 122
Data Destruction 123
Data Remanence 123
Ensure Appropriate Asset Retention 127
Determining Appropriate Records Retention 129
Records Retention Best Practices 130
Determine Data Security Controls and Compliance Requirements 131
Data States 133
Scoping and Tailoring 135
Standards Selection 137
Data Protection Methods 141
Summary 144

Domain 3: Security Architecture and Engineering 147
Research, Implement, and Manage Engineering Processes Using Secure Design Principles 149
ISO/IEC 19249 150
Threat Modeling 157
Secure Defaults 160
Fail Securely 161
Separation of Duties 161
Keep It Simple 162
Trust, but Verify 162
Zero Trust 163
Privacy by Design 165
Shared Responsibility 166
Defense in Depth 167
Understand the Fundamental Concepts of Security Models 168
Primer on Common Model Components 168
Information Flow Model 169
Noninterference Model 169
Bell–LaPadula Model 170
Biba Integrity Model 172
Clark–Wilson Model 173
Brewer–Nash Model 173
Take-Grant Model 175
Select Controls Based Upon Systems Security Requirements 175
Understand Security Capabilities of Information Systems 179
Memory Protection 180
Secure Cryptoprocessor 182
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 187
Client-Based Systems 187
Server-Based Systems 189
Database Systems 191
Cryptographic Systems 194
Industrial Control Systems 200
Cloud-Based Systems 203
Distributed Systems 207
Internet of Things 208
Microservices 212
Containerization 214
Serverless 215
Embedded Systems 216
High-Performance Computing Systems 219
Edge Computing Systems 220
Virtualized Systems 221
Select and Determine Cryptographic Solutions 224
Cryptography Basics 225
Cryptographic Lifecycle 226
Cryptographic Methods 229
Public Key Infrastructure 243
Key Management Practices 246
Digital Signatures and Digital Certificates 250
Nonrepudiation 252
Integrity 253
Understand Methods of Cryptanalytic Attacks 257
Brute Force 258
Ciphertext Only 260
Known Plaintext 260
Chosen Plaintext Attack 260
Frequency Analysis 261
Chosen Ciphertext 261
Implementation Attacks 261
Side-Channel Attacks 261
Fault Injection 263
Timing Attacks 263
Man-in-the-Middle 263
Pass the Hash 263
Kerberos Exploitation 264
Ransomware 264
Apply Security Principles to Site and Facility Design 265
Design Site and Facility Security Controls 265
Wiring Closets/Intermediate Distribution Facilities 266
Server Rooms/Data Centers 267
Media Storage Facilities 268
Evidence Storage 269
Restricted and Work Area Security 270
Utilities and Heating, Ventilation, and Air Conditioning 272
Environmental Issues 275
Fire Prevention, Detection, and Suppression 277
Summary 281

Domain 4: Communication and Network Security 283
Assess and Implement Secure Design Principles in Network Architectures 283
Open System Interconnection and Transmission Control Protocol/Internet Protocol Models 285
The OSI Reference Model 286
The TCP/IP Reference Model 299
Internet Protocol Networking 302
Secure Protocols 311
Implications of Multilayer Protocols 313
Converged Protocols 315
Microsegmentation 316
Wireless Networks 319
Cellular Networks 333
Content Distribution Networks 334
Secure Network Components 335
Operation of Hardware 335
Repeaters, Concentrators, and Amplifiers 341
Hubs 341
Bridges 342
Switches 342
Routers 343
Gateways 343
Proxies 343
Transmission Media 345
Network Access Control 352
Endpoint Security 354
Mobile Devices 355
Implement Secure Communication Channels According to Design 357
Voice 357
Multimedia Collaboration 359
Remote Access 365
Data Communications 371
Virtualized Networks 373
Third-Party Connectivity 374
Summary 374

Domain 5: Identity and Access Management 377
Control Physical and Logical Access to Assets 378
Access Control Definitions 378
Information 379
Systems 380
Devices 381
Facilities 383
Applications 386
Manage Identification and Authentication of People, Devices, and Services 387
Identity Management Implementation 388
Single/Multifactor Authentication 389
Accountability 396
Session Management 396
Registration, Proofing, and Establishment of Identity 397
Federated Identity Management 399
Credential Management Systems 399
Single Sign-On 400
Just-In-Time 401
Federated Identity with a Third-Party Service 401
On Premises 402
Cloud 403
Hybrid 403
Implement and Manage Authorization Mechanisms 404
Role-Based Access Control 405
Rule-Based Access Control 405
Mandatory Access Control 406
Discretionary Access Control 406
Attribute-Based Access Control 407
Risk-Based Access Control 408
Manage the Identity and Access Provisioning Lifecycle 408
Account Access Review 409
Account Usage Review 411
Provisioning and Deprovisioning 411
Role Definition 412
Privilege Escalation 413
Implement Authentication Systems 414
OpenID Connect/Open Authorization 414
Security Assertion Markup Language 415
Kerberos 416
Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus 417
Summary 418

Domain 6: Security Assessment and Testing 419
Design and Validate Assessment, Test, and Audit Strategies 420
Internal 421
External 422
Third-Party 423
Conduct Security Control Testing 423
Vulnerability Assessment 423
Penetration Testing 428
Log Reviews 435
Synthetic Transactions 435
Code Review and Testing 436
Misuse Case Testing 437
Test Coverage Analysis 438
Interface Testing 439
Breach Attack Simulations 440
Compliance Checks 441
Collect Security Process Data 442
Technical Controls and Processes 443
Administrative Controls 443
Account Management 444
Management Review and Approval 445
Management Reviews for Compliance 446
Key Performance and Risk Indicators 447
Backup Verification Data 450
Training and Awareness 450
Disaster Recovery and Business Continuity 451
Analyze Test Output and Generate Report 452
Typical Audit Report Contents 453
Remediation 454
Exception Handling 455
Ethical Disclosure 456
Conduct or Facilitate Security Audits 458
Designing an Audit Program 458
Internal Audits 459
External Audits 460
Third-Party Audits 460
Summary 461

Domain 7: Security Operations 463
Understand and Comply with Investigations 464
Evidence Collection and Handling 465
Reporting and Documentation 467
Investigative Techniques 469
Digital Forensics Tools, Tactics, and Procedures 470
Artifacts 475
Conduct Logging and Monitoring Activities 478
Intrusion Detection and Prevention 478
Security Information and Event Management 480
Continuous Monitoring 481
Egress Monitoring 483
Log Management 484
Threat Intelligence 486
User and Entity Behavior Analytics 488
Perform Configuration Management 489
Provisioning 490
Asset Inventory 492
Baselining 492
Automation 493
Apply Foundational Security Operations Concepts 494
Need-to-Know/Least Privilege 494
Separation of Duties and Responsibilities 495
Privileged Account Management 496
Job Rotation 498
Service-Level Agreements 498
Apply Resource Protection 499
Media Management 500
Media Protection Techniques 501
Conduct Incident Management 502
Incident Management Plan 503
Detection 505
Response 506
Mitigation 507
Reporting 508
Recovery 510
Remediation 510
Lessons Learned 511
Operate and Maintain Detective and Preventative Measures 511
Firewalls 512
Intrusion Detection Systems and Intrusion Prevention Systems 514
Whitelisting/Blacklisting 515
Third-Party-Provided Security Services 515
Sandboxing 517
Honeypots/Honeynets 517
Anti-malware 518
Machine Learning and Artificial Intelligence Based Tools 518
Implement and Support Patch and Vulnerability Management 519
Patch Management 519
Vulnerability Management 521
Understand and Participate in Change Management Processes 522
Implement Recovery Strategies 523
Backup Storage Strategies 524
Recovery Site Strategies 527
Multiple Processing Sites 527
System Resilience, High Availability, Quality of Service, and Fault Tolerance 528
Implement Disaster Recovery Processes 529
Response 529
Personnel 530
Communications 531
Assessment 532
Restoration 533
Training and Awareness 534
Lessons Learned 534
Test Disaster Recovery Plans 535
Read-through/Tabletop 536
Walkthrough 536
Simulation 537
Parallel 537
Full Interruption 537
Participate in Business Continuity Planning and Exercises 538
Implement and Manage Physical Security 539
Perimeter Security Controls 541
Internal Security Controls 543
Address Personnel Safety and Security Concerns 545
Travel 545
Security Training and Awareness 546
Emergency Management 546
Duress 547
Summary 548

Domain 8: Software Development Security 549
Understand and Integrate Security in the Software Development Life Cycle (SDLC) 550
Development Methodologies 551
Maturity Models 561
Operation and Maintenance 567
Change Management 568
Integrated Product Team 571
Identify and Apply Security Controls in Software Development Ecosystems 572
Programming Languages 572
Libraries 577
Toolsets 578
Integrated Development Environment 579
Runtime 580
Continuous Integration and Continuous Delivery 581
Security Orchestration, Automation, and Response 583
Software Configuration Management 585
Code Repositories 586
Application Security Testing 588
Assess the Effectiveness of Software Security 590
Auditing and Logging of Changes 590
Risk Analysis and Mitigation 595
Assess Security Impact of Acquired Software 599
Commercial Off-the-Shelf 599
Open Source 601
Third-Party 602
Managed Services (SaaS, IaaS, PaaS) 602
Define and Apply Secure Coding Guidelines and Standards 604
Security Weaknesses and Vulnerabilities at the Source-Code Level 605
Security of Application Programming Interfaces 613
API Security Best Practices 613
Secure Coding Practices 618
Software-Defined Security 621
Summary 624
Index 625
"The CISSP continues to be a mark of distinction around the world, signifying not only experiential and practical knowledge but also a commitment to lifelong learning and improvement. The CISSP CBK is a living, breathing resource that cybersecurity practitioners and leaders can refer to as they go about the daily mission of inspiring a safe and secure cyber world."
– Clar Rosso, CEO, (ISC)²

Information security professionals play a pivotal role in protecting the essential fabric of business, finance, communications, and virtually all aspects of 21st century daily life. This updated, authoritative Common Body of Knowledge (CBK®) from (ISC)² provides a resource for IT professionals who are designing, engineering, implementing, and managing information security programs to protect their organizations from increasingly sophisticated attacks.

With exhaustive coverage of all eight domains of CISSP, this book provides a comprehensive guide to applying these principles in everyday practice. The 300+ CISSP objectives and sub-objectives are covered in a format that supplies common practices for each, a common lexicon with definitions, and appropriate references to both widely accepted computing standards and case studies that highlight successful approaches to problems. Written and reviewed by a team of highly knowledgeable CISSPs representing a variety of organizations and roles, it explains and defines all things related to CISSP.

Explored in depth are Security and Risk Management, Asset Security, Security Engineering, Communications and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. From understanding essential security concepts to the exercise of due care, legal compliance, professional ethics, and practical defense against an ever-growing variety of attacks, this book constitutes a vital reference that will serve you well throughout your career.
