CISSP Passport (English edition)

  • Author: Shon Harris (US)
  • Publisher: Beijing: Posts & Telecom Press (人民邮电出版社)
  • Year of publication: 2002
  • ISBN: 7115108935
  • Pages: 422
Book description: This book is aimed at the CISSP certification exam. It covers every CISSP exam point and describes in detail the skills a candidate is expected to master. For each exam objective the key points are presented with extensive illustrations, tables, exercises and practice tests.
Contents of CISSP Passport (English edition)

1 Security Management Practices 1

Objective 1.01 Management Responsibilities 2

Objective 1.02 Risk Management 3

Risk Analysis 4

Objective 1.03 Possible Threats 5

Objective 1.04 Security Control Types 7

Objective 1.05 Calculating Risk 10

Quantitative Versus Qualitative Approaches 10

Dealing with Risk 13

Countermeasure Selection 13

Objective 1.06 Security Policies and their Supporting Counterparts 14

Security Policy 15

Standards 15

Baselines 15

Guidelines 16

Procedures 16

Objective 1.07 Roles and Responsibilities 17

Data Owner 17

Data Custodian 17

User 17

Security Auditor 18

Objective 1.08 Information Classification 18

Military Versus Commercial Classifications 19

Objective 1.09 Employee Management 21

Operational Administrative Controls 22

CHECKPOINT 23

Review Questions 24

Review Answers 26

2 Access Control 29

Definitions 30

Objective 2.01 Identification and Authentication 30

Three Steps to Access Control 31

Authentication 31

Biometrics 32

Passwords 35

Cognitive Password 36

One-Time Password 37

Cryptographic Keys 39

Passphrase 39

Memory Cards 39

Smart Cards 40

Authorization 40

Objective 2.02 Single Sign-On Technologies 41

Kerberos 42

Directory Services 42

SESAME 45

Thin Clients 45

Objective 2.03 Access Control Models and Techniques 46

DAC 46

MAC 47

RBAC 48

Access Control Techniques 49

Restricted Interfaces 50

Capability Table and ACLs 50

Content-Dependent Access Control 51

Other Access Techniques 52

Objective 2.04 Access Control Administration 52

Centralized Access Control Administration 52

RADIUS 53

Diameter 54

TACACS 54

Decentralized Access Control Administration 55

Objective 2.05 Intrusion Detection System 55

Network-Based and Host-Based 55

Signature-Based and Behavior-Based 57

Downfalls of IDS 58

Objective 2.06 Unauthorized Access Control and Attacks 58

Unauthorized Disclosure of Information 59

Emanation Security 60

Attack Types 60

Penetration Testing 62

CHECKPOINT 63

Review Questions 65

Review Answers 67

3 Security Models and Architecture 69

Central Processing Unit 70

Objective 3.01 System Components 70

Storage and Memory Types 73

Virtual Memory 75

Data Access Storage 77

Processing Instructions 77

Operating States 78

Objective 3.02 Operating System Security Mechanisms 78

Process Isolation 79

Protection Rings 79

Virtual Machine 81

Trusted Computing Base 81

Reference Monitor and Security Kernel 82

Objective 3.03 Security Models 83

The Different Models 83

Bell-LaPadula Model 84

State Machine Models 84

Biba 86

Clark-Wilson Model 88

Non-Interference Model 88

Access Control Matrix Model 89

Information Flow Model 89

Brewer and Nash Model 90

Graham-Denning and Harrison-Ruzzo-Ullman Models 90

Objective 3.04 Security Evaluation Criteria 92

Security Evaluations 93

Trusted Computer System Evaluation Criteria 93

Rainbow Series 94

Information Technology Security Evaluation Criteria 95

Common Criteria 95

Certification Versus Accreditation 97

CHECKPOINT 99

Review Questions 100

Review Answers 102

4 Physical Security 105

Objective 4.01 Controls Pertaining to Physical Security 106

Facility Location 107

Facility Construction 109

Computing Area 112

Hardware Backups 113

Objective 4.02 Electrical Power and Environmental Issues 114

UPS 114

Power Interference 115

Environmental Considerations 118

Ventilation 118

Objective 4.03 Fire Detection and Suppression 119

Water, Steam, and Gas 119

Fire Prevention 120

Fire Detection 120

Fire Types 122

Fire Suppression 122

Halon 123

Fire Extinguishing Issues 123

Water Sprinklers 124

Emergency Response 125

Objective 4.04 Perimeter Security 125

Lock Types 126

Facility Access 127

Entrance Protection 128

Fencing 129

Surveillance Devices 130

Lighting 130

Intrusion Detection Systems 131

CHECKPOINT 133

Review Questions 134

Review Answers 136

5 Telecommunications and Networking Security 139

Objective 5.01 TCP/IP Suite 140

Internet Protocol (IP) 143

Networks 143

Intranets and Extranets 144

Objective 5.02 Cabling and Data Transmission Types 145

Coaxial Cable 145

Twisted-Pair Cable 146

Fiber 147

Cable Issues 148

Broadband and Baseband 149

Fire Ratings 149

Signals 150

Asynchronous and Synchronous 151

Transmission Methods 151

Objective 5.03 LAN Technologies 152

Network Topologies 152

Media Access Technologies 154

Ethernet 154

Token Passing 155

Polling 156

Protocols 156

Address Resolution Protocol (ARP) 156

Reverse Address Resolution Protocol (RARP) 157

Boot Protocol 158

Other TCP/IP Protocols 159

Internet Control Message Protocol (ICMP) 159

Objective 5.04 Networking Devices and Services 160

Repeater 160

Bridge 161

Switches 161

VLAN 162

Router 162

Brouters 164

Gateway 164

Summary of Devices 165

Firewalls 166

Packet Filtering 166

Proxy Firewalls 167

Stateful Firewalls 169

Firewall Architecture 170

Firewall Administration 173

Remote Connectivity 174

PPP 174

SLIP 174

PAP 175

CHAP 175

EAP 175

VPN 176

PPTP 177

L2TP 177

IPSec 177

Network Services 178

DNS 178

NAT 179

Objective 5.05 Telecommunications Protocols and Devices 180

FDDI 181

SONET 181

Dedicated Link 182

CSU/DSU 184

S/WAN 184

ISDN 184

DSL 185

Cable Modems 186

WAN Switching 186

Frame Relay 187

X.25 188

ATM 188

Quality of Service 189

SMDS 189

Multiservice Access Technologies 190

SDLC 190

HDLC 190

Objective 5.06 Remote Access Methods and Technologies 191

Remote Access 191

Wireless Technology 193

Spread Spectrum 193

WAP 194

Access Points 195

SSID 196

OSA and SKA 196

Cell Phone Cloning 198

PBX Threats 198

Objective 5.07 Fault Tolerance Mechanisms 199

Backing Up 200

Clustering 200

RAID 200

CHECKPOINT 201

Review Questions 202

Review Answers 205

6 Cryptography 209

Objective 6.01 Cryptography Definitions 210

Definitions 210

Keys and Text 211

Keyspace 212

Strength of Cryptosystem 213

Attacks 214

Spy-Like Ciphers 215

Steganography 215

Objective 6.02 Cipher Types 216

Kerckhoff's Principle 217

Key Escrow 218

Substitution Cipher 218

Transposition Cipher 219

Block Cipher 220

Stream Cipher 221

Symmetric Cryptography 223

Asymmetric Cryptography 225

Objective 6.03 Hybrid Approach 227

Key Management 228

Data Encryption 229

Security Goals 230

Types of Symmetric Algorithms 231

DES 231

Advanced Encryption Standard (AES) 233

Triple-DES (3DES) 233

Other Symmetric Algorithms 234

Asymmetrical Algorithms 234

Diffie-Hellman Key Exchange 235

El Gamal 236

Elliptic Curve Cryptosystems (ECC) 236

Objective 6.04 Message Integrity and Digital Signatures 236

Message Integrity 236

One-Way Hash 237

Attacks on Hashing Functions 238

Hashing Algorithms 240

Message Authentication Code 240

Electronic Signing 242

DSS 243

Certificate Authority (CA) 244

Public Key Infrastructure 244

Objective 6.05 Cryptography Applications 244

Registration Authority 245

Certificate Revocation List (CRL) 245

Components of PKI 246

PKI Steps 247

One-Time Pad 248

Encryption at Different Layers 250

Objective 6.06 Cryptographic Protocols 251

Privacy-Enhanced Mail (PEM) 252

Message Security Protocol (MSP) 252

Pretty Good Privacy (PGP) 252

Internet Security 253

Secure Hypertext Transfer Protocol (S-HTTP) 253

Secure Sockets Layer (SSL) 254

HTTPS 254

S/MIME 255

SSH2 255

SET 256

IPSec 257

Other Security Technologies 261

Objective 6.07 Attacks 261

Ciphertext-Only Attack 262

Known-Plaintext Attack 262

Chosen-Plaintext Attack 262

Adaptive Chosen-Plaintext Attack 263

Chosen-Ciphertext Attack 263

Adaptive Chosen-Ciphertext Attack 263

Man-in-the-Middle Attack 263

CHECKPOINT 264

Algebraic Attack 264

Analytic Attack 264

Review Questions 266

Review Answers 268

7 Disaster Recovery and Business Continuity 271

Objective 7.01 Disaster Recovery versus Business Continuity 272

Objective 7.02 Project Initiation Phase 274

Objective 7.03 Business Impact Analysis 275

Objective 7.04 Possible Threats 279

Objective 7.05 Backups and Off-Site Facilities 280

Employees and the Working Environment 280

Choosing a Software Backup Storage Facility 282

Backup Facility Alternatives 283

Objective 7.06 DRP and BCP Planning Objectives 285

Emergency Response 288

Documentation 289

Recovery and Restoration 289

Testing and Drills 290

Maintenance 291

Phase Breakdown 292

Prevention 292

CHECKPOINT 293

Review Questions 294

Review Answers 297

8 Law, Investigation, and Ethics 299

Objective 8.01 Ethics 300

(ISC)2 300

Computer Ethics Institute 301

Internet Activities Board 301

Characteristics of an Attacker 302

Objective 8.02 Hacking Methods 302

Problems with Prosecuting Attackers 303

Types of Attacks 304

Salami 304

Data Diddling 304

Excessive Privileges 304

Password Sniffing 305

IP Spoofing 305

Dumpster Diving 305

Wiretapping 305

Social Engineering 306

More Attack Types 306

Attack Categories 307

Phone Fraud 307

Security Principles 308

Objective 8.03 Organization Liabilities and Ramifications 308

Legal Liability 309

Privacy Issues 309

Privacy Act of 1974 309

Electronic Communications Privacy Act of 1986 310

Health Insurance Portability and Accountability Act (HIPAA) 310

Gramm Leach Bliley Act of 1999 310

Employee Monitoring 311

Transborder Information Flow 312

International Issues 312

Objective 8.04 Types of Law 313

Civil Law 313

Criminal Law 313

Computer Fraud and Abuse Act of 1986 314

Economic Espionage Act of 1996 314

Federal Policies 314

Administrative Law 314

Federal Sentencing Guidelines of 1991 315

Intellectual Property Laws 315

Trade Secret 315

Copyright 316

Trademark 317

Patent 317

Software Piracy 317

Objective 8.05 Computer Crime Investigation 318

Who Should Investigate? 318

Incident Response Plan 319

Incident Response Team 319

Collecting Evidence 320

Incident Handling 320

Search and Seizure 322

Forensics 323

Admissibility of Evidence 324

Evidence Types 324

Best Evidence 324

Secondary Evidence 325

Hearsay Evidence 325

Enticement and Entrapment 325

Trial 326

CHECKPOINT 327

Review Questions 328

Review Answers 331

9 Applications and Systems Development 333

Objective 9.01 Project Development 334

Software Lifecycle 335

Project Initiation 336

Functional Design Analysis and Planning 336

Software Development Models 336

System Design Specifications 337

Software Development 338

Acceptance Testing/Implementation 338

Operations/Maintenance 339

Disposal 339

Software Development Methods 339

Change Control 340

Administrative Controls 341

Program Language Evolution 342

Objective 9.02 Object-Oriented Programming 342

Classes and Objects 343

Polyinstantiation 344

Abstraction 344

Polymorphism 344

Application Threats 345

Objective 9.03 Distributed Computing 347

ORB and CORBA 347

COM and DCOM 348

Enterprise Java Bean 349

OLE 349

ActiveX 350

Java Applets 350

CGI 351

Cookies 351

Objective 9.04 Databases 352

Relational Data Model 353

Data Dictionary 354

Database Jargon 355

Structured Query Language 356

Hierarchical Database Model 356

Network Database Management System 356

Distributed Data Model 356

Object-Oriented Database 357

Database Interface Languages 357

Concurrency Issues 358

Aggregation and Inference 359

Data Warehousing 361

Data Mining 361

Objective 9.05 Artificial Intelligence 362

Expert Systems 362

Artificial Neural Network 363

Virus 364

Objective 9.06 Malware 364

Worms 365

Logic Bomb 365

Trojan Horse 365

Denial of Service 366

DDoS 366

Smurf Attacks 366

Timing Attacks 367

CHECKPOINT 368

Review Questions 369

Review Answers 371

10 Operations Security 373

Objective 10.01 Operations Controls 374

Due Care 375

Administrative Control 375

Job Rotation 376

Separation of Duties 376

Least Privilege and Need-to-Know 377

Mandatory Vacations 377

Clipping Levels 378

Control Categories 378

Objective 10.02 Configuration Management and Media Control 380

Media Controls 381

Input/Output Data Controls 383

Objective 10.03 Reacting to Failures and Recovering 383

Trusted Recovery 384

Facsimile Security 385

Operational Responsibilities 386

Unusual or Unexplained Occurrences 386

Deviations from Standards 387

Unscheduled Initial Program Loads 387

Personnel Operators 388

Objective 10.04 Software Backups 389

Network Availability 389

RAID 389

Backups 391

Contingency Management 393

CHECKPOINT 393

Review Questions 394

Review Answers 396

A About the Free Online Practice Exam 397

Mike Meyers' Certification Passport FREE Online Practice Exam Instructions 397

System Requirements 397

Technical Support 398

B Career Flight Path 399

Career Paths in Security 399

Index 403