ISCCISSPCertifiedInformationSystemsSecurityProfessionalOfficialStudyGuidePDFDrive.com21.pdf

(ISC)2

CISSP® Certified Information
Systems Security Professional

Official Study Guide

Eighth Edition

Mike Chapple
James Michael Stewart

Darril Gibson

Development Editor: Kelly Talbot

Technical Editors: Jeff Parker, Bob Sipes, and David Seidl

Copy Editor: Kim Wimpsett

Editorial Manager: Pete Gaughan

Production Manager: Kathleen Wisor

Executive Editor: Jim Minatel

Proofreader: Amy Schneider

Indexer: Johnna VanHoose Dinse

Project Coordinator, Cover: Brent Savage

Cover Designer: Wiley

Cover Image: @Jeremy Woodhouse/Getty Images, Inc.

Copyright © 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-47593-4

ISBN: 978-1-119-47595-8 (ebk.)

ISBN: 978-1-119-47587-3 (ebk.)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in
any form or by any means, electronic, mechanical, photocopying, recording, scanning or
otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright
Act, without either the prior written permission of the Publisher, or authorization through
payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood
Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher
for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc.,
111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at
http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no
representations or warranties with respect to the accuracy or completeness of the contents of
this work and specifically disclaim all warranties, including without limitation warranties of
fitness for a particular purpose. No warranty may be created or extended by sales or
promotional materials. The advice and strategies contained herein may not be suitable for
every situation. This work is sold with the understanding that the publisher is not engaged in
rendering legal, accounting, or other professional services. If professional assistance is
required, the services of a competent professional person should be sought. Neither the
publisher nor the author shall be liable for damages arising herefrom. The fact that an
organization or Web site is referred to in this work as a citation and/or a potential source of
further information does not mean that the author or the publisher endorses the information
the organization or Web site may provide or recommendations it may make. Further, readers
should be aware that Internet Web sites listed in this work may have changed or disappeared
between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support,
please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the

http://www.wiley.com/go/permissions

U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some
material included with standard print versions of this book may not be included in e-books or
in print-on-demand. If this book refers to media such as a CD or DVD that is not included in
the version you purchased, you may download this material at http://booksupport.wiley.com.
For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2018933561

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered
trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other
countries, and may not be used without written permission. CISSP is a registered trademark of
(ISC)², Inc. All other trademarks are the property of their respective owners. John Wiley &
Sons, Inc. is not associated with any product or vendor mentioned in this book.

http://booksupport.wiley.com

http://www.wiley.com

To Dewitt Latimer, my mentor, friend, and colleague. I miss you
dearly.
—Mike Chapple

To Cathy, your perspective on the world and life often surprises me,
challenges me, and makes me love you even more.
—James Michael Stewart

To Nimfa, thanks for sharing your life with me for the past 26 years
and letting me share mine with you.
—Darril Gibson

Dear Future (ISC)2 Member,

Congratulations on starting your journey to
CISSP® certification. Earning your CISSP is an
exciting and rewarding milestone in your
cybersecurity career. Not only does it demonstrate
your ability to develop and manage nearly all
aspects of an organization’s cybersecurity
operations, but you also signal to employers your
commitment to life-long learning and taking an
active role in fulfilling the (ISC)² vision of

inspiring a safe and secure cyber world.

The material in this study guide is based upon the (ISC)² CISSP
Common Body of Knowledge. It will help you prepare for the exam
that will assess your competency in the following eight domains:

Security and Risk Management

Asset Security

Security Architecture and Engineering

Communication and Network Security

Identity and Access Management (IAM)

Security Assessment and Testing

Security Operations

Software Development Security

While this study guide will help you prepare, passing the CISSP exam
depends on your mastery of the domains combined with your ability to
apply those concepts using your real-world experience.

I wish you the best of luck as you continue on your path to become a
CISSP and certified member of (ISC)2.

Sincerely,

David Shearer, CISSP
CEO
(ISC)2

Acknowledgments
We’d like to express our thanks to Sybex for continuing to support this
project. Extra thanks to the eighth edition developmental editor, Kelly
Talbot, and technical editors, Jeff Parker, Bob Sipes, and David Seidl,
who performed amazing feats in guiding us to improve this book.
Thanks as well to our agent, Carole Jelen, for continuing to assist in
nailing down these projects.

—Mike, James, and Darril

Special thanks go to the information security team at the University of
Notre Dame, who provided hours of interesting conversation and
debate on security issues that inspired and informed much of the
material in this book.

I would like to thank the team at Wiley who provided invaluable
assistance throughout the book development process. I also owe a debt
of gratitude to my literary agent, Carole Jelen of Waterside
Productions. My coauthors, James Michael Stewart and Darril Gibson,
were great collaborators. Jeff Parker, Bob Sipes, and David Seidl, our
diligent and knowledgeable technical editors, provided valuable in-
sight as we brought this edition to press.

I’d also like to thank the many people who participated in the
production of this book but whom I never had the chance to meet: the
graphics team, the production staff, and all of those involved in
bringing this book to press.

—Mike Chapple

Thanks to Mike Chapple and Darril Gibson for continuing to
contribute to this project. Thanks also to all my CISSP course students
who have provided their insight and input to improve my training
courseware and ultimately this tome. To my adoring wife, Cathy:
Building a life and a family together has been more wonderful than I
could have ever imagined. To Slayde and Remi: You are growing up so
fast and learning at an outstanding pace, and you continue to delight
and impress me daily. You are both growing into amazing individuals.

To my mom, Johnnie: It is wonderful to have you close by. To Mark:
No matter how much time has passed or how little we see each other, I
have been and always will be your friend. And finally, as always, to
Elvis: You were way ahead of the current bacon obsession with your
peanut butter/banana/bacon sandwich; I think that’s proof you
traveled through time!

—James Michael Stewart

Thanks to Jim Minatel and Carole Jelen for helping get this update in
place before (ISC)2 released the objectives. This helped us get a head
start on this new edition, and we appreciate your efforts. It’s been a
pleasure working with talented people like James Michael Stewart and
Mike Chapple. Thanks to both of you for all your work and
collaborative efforts on this project. The technical editors, Jeff Parker,
Bob Sipes, and David Seidl, provided us with some outstanding
feedback, and this book is better because of their efforts. Thanks to the
team at Sybex (including project managers, editors, and graphics
artists) for all the work you did helping us get this book to print. Last,
thanks to my wife, Nimfa, for putting up with my odd hours as I
worked on this book.

—Darril Gibson

About the Authors
Mike Chapple, CISSP, PhD, Security+, CISA, CySA+, is an associate
teaching professor of IT, analytics, and operations at the University of
Notre Dame. In the past, he was chief information officer of Brand
Institute and an information security researcher with the National
Security Agency and the U.S. Air Force. His primary areas of expertise
include network intrusion detection and access controls. Mike is a
frequent contributor to TechTarget’s SearchSecurity site and the
author of more than 25 books including the companion book to this
study guide: CISSP Official (ISC)2 Practice Tests, the CompTIA CSA+
Study Guide, and Cyberwarfare: Information Operations in a
Connected World. Mike offers study groups for the CISSP, SSCP,
Security+, and CSA+ certifications on his website at
www.certmike.com.

James Michael Stewart, CISSP, CEH, ECSA, CHFI, Security+,
Network+, has been writing and training for more than 20 years, with
a current focus on security. He has been teaching CISSP training
courses since 2002, not to mention other courses on Internet security
and ethical hacking/penetration testing. He is the author of and
contributor to more than 75 books and numerous courseware sets on
security certification, Microsoft topics, and network administration,
including the Security+ (SY0-501) Review Guide. More information
about Michael can be found at his website at www.impactonline.com.

Darril Gibson, CISSP, Security+, CASP, is the CEO of YCDA (short
for You Can Do Anything), and he has authored or coauthored more
than 40 books. Darril regularly writes, consults, and teaches on a wide
variety of technical and security topics and holds several certifications.
He regularly posts blog articles at
http://blogs.getcertifiedgetahead.com/ about certification topics and
uses that site to help people stay abreast of changes in certification
exams. He loves hearing from readers, especially when they pass an
exam after using one of his books, and you can contact him through
the blogging site.

Home

http://www.impactonline.com

http://blogs.getcertifiedgetahead.com/

About the Technical Editors
Jeff T. Parker, CISSP, is a technical editor and reviewer across many
focuses of information security. Jeff regularly contributes to books,
adding experience and practical know-how where needed. Jeff’s
experience comes from 10 years of consulting with Hewlett-Packard in
Boston and from 4 years with Deutsche-Post in Prague, Czech
Republic. Now residing in Canada, Jeff teaches his and other middle-
school kids about building (and destroying) a home lab. He recently
coauthored Wireshark for Security Professionals and is now
authoring CySA+ Practice Exams. Keep learning!

Bob Sipes, CISSP, is an enterprise security architect and account
security officer at DXC Technology providing tactical and strategic
leadership for DXC clients. He holds several certifications, is actively
involved in security organizations including ISSA and Infragard, and is
an experienced public speaker on topics including cybersecurity,
communications, and leadership. In his spare time, Bob is an avid
antiquarian book collector with an extensive library of 19th and early
20th century boys’ literature. You can follow Bob on Twitter at
@bobsipes.

David Seidl, CISSP, is the senior director for Campus Technology
Services at the University of Notre Dame, where he has also taught
cybersecurity and networking in the Mendoza College of Business.
David has written multiple books on cybersecurity certification and
cyberwarfare, and he has served as the technical editor for the sixth,
seventh, and eighth editions of CISSP Study Guide. David holds a
master’s degree in information security and a bachelor’s degree in
communication technology from Eastern Michigan University, as well
as CISSP, GPEN, GCIH, and CySA+ certifications.

Contents
Introduction

Overview of the CISSP Exam
Notes on This Book’s Organization

Assessment Test
Answers to Assessment Test
Chapter 1 Security Governance Through Principles and Policies

Understand and Apply Concepts of Confidentiality, Integrity,
and Availability
Evaluate and Apply Security Governance Principles
Develop, Document, and Implement Security Policy, Standards,
Procedures, and Guidelines
Understand and Apply Threat Modeling Concepts and
Methodologies
Apply Risk-Based Management Concepts to the Supply Chain
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 2 Personnel Security and Risk Management Concepts
Personnel Security Policies and Procedures
Security Governance
Understand and Apply Risk Management Concepts
Establish and Maintain a Security Awareness, Education, and
Training Program
Manage the Security Function
Summary
Exam Essentials
Written Lab

Review Questions
Chapter 3 Business Continuity Planning

Planning for Business Continuity
Project Scope and Planning
Business Impact Assessment
Continuity Planning
Plan Approval and Implementation
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 4 Laws, Regulations, and Compliance
Categories of Laws
Laws
Compliance
Contracting and Procurement
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 5 Protecting Security of Assets
Identify and Classify Assets
Determining Ownership
Using Security Baselines
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 6 Cryptography and Symmetric Key Algorithms

Historical Milestones in Cryptography
Cryptographic Basics
Modern Cryptography
Symmetric Cryptography
Cryptographic Lifecycle
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 7 PKI and Cryptographic Applications
Asymmetric Cryptography
Hash Functions
Digital Signatures
Public Key Infrastructure
Asymmetric Key Management
Applied Cryptography
Cryptographic Attacks
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 8 Principles of Security Models, Design, and Capabilities
Implement and Manage Engineering Processes Using Secure
Design Principles
Understand the Fundamental Concepts of Security Models
Select Controls Based On Systems Security Requirements
Understand Security Capabilities of Information Systems
Summary
Exam Essentials

Written Lab
Review Questions

Chapter 9 Security Vulnerabilities, Threats, and Countermeasures
Assess and Mitigate Security Vulnerabilities
Client-Based Systems
Server-Based Systems
Database Systems Security
Distributed Systems and Endpoint Security
Internet of Things
Industrial Control Systems
Assess and Mitigate Vulnerabilities in Web-Based Systems
Assess and Mitigate Vulnerabilities in Mobile Systems
Assess and Mitigate Vulnerabilities in Embedded Devices and
Cyber-Physical Systems
Essential Security Protection Mechanisms
Common Architecture Flaws and Security Issues
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 10 Physical Security Requirements
Apply Security Principles to Site and Facility Design
Implement Site and Facility Security Controls
Implement and Manage Physical Security
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 11 Secure Network Architecture and Securing Network
Components

OSI Model
TCP/IP Model
Converged Protocols
Wireless Networks
Secure Network Components
Cabling, Wireless, Topology, Communications, and
Transmission Media Technology
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 12 Secure Communications and Network Attacks
Network and Protocol Security Mechanisms
Secure Voice Communications
Multimedia Collaboration
Manage Email Security
Remote Access Security Management
Virtual Private Network
Virtualization
Network Address Translation
Switching Technologies
WAN Technologies
Miscellaneous Security Control Characteristics
Security Boundaries
Prevent or Mitigate Network Attacks
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 13 Managing Identity and Authentication
Controlling Access to Assets
Comparing Identification and Authentication
Implementing Identity Management
Managing the Identity and Access Provisioning Lifecycle
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 14 Controlling and Monitoring Access
Comparing Access Control Models
Understanding Access Control Attacks
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 15 Security Assessment and Testing
Building a Security Assessment and Testing Program
Performing Vulnerability Assessments
Testing Your Software
Implementing Security Management Processes
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 16 Managing Security Operations
Applying Security Operations Concepts
Securely Provisioning Resources
Managing Configuration

Managing Change
Managing Patches and Reducing Vulnerabilities
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 17 Preventing and Responding to Incidents
Managing Incident Response
Implementing Detective and Preventive Measures
Logging, Monitoring, and Auditing
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 18 Disaster Recovery Planning
The Nature of Disaster
Understand System Resilience and Fault Tolerance
Recovery Strategy
Recovery Plan Development
Training, Awareness, and Documentation
Testing and Maintenance
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 19 Investigations and Ethics
Investigations
Major Categories of Computer Crime
Ethics

Summary
Exam Essentials
Written Lab
Review Questions

Chapter 20 Software Development Security
Introducing Systems Development Controls
Establishing Databases and Data Warehousing
Storing Data and Information
Understanding Knowledge-Based Systems
Summary
Exam Essentials
Written Lab
Review Questions

Chapter 21 Malicious Code and Application Attacks
Malicious Code
Password Attacks
Application Attacks
Web Application Security
Reconnaissance Attacks
Masquerading Attacks
Summary
Exam Essentials
Written Lab
Review Questions

Appendix A Answers to Review Questions
Chapter 1: Security Governance Through Principles and Policies
Chapter 2: Personnel Security and Risk Management Concepts
Chapter 3: Business Continuity Planning
Chapter 4: Laws, Regulations, and Compliance

Chapter 5: Protecting Security of Assets
Chapter 6: Cryptography and Symmetric Key Algorithms
Chapter 7: PKI and Cryptographic Applications
Chapter 8: Principles of Security Models, Design, and
Capabilities
Chapter 9: Security Vulnerabilities, Threats, and
Countermeasures
Chapter 10: Physical Security Requirements
Chapter 11: Secure Network Architecture and Securing Network
Components
Chapter 12: Secure Communications and Network Attacks
Chapter 13: Managing Identity and Authentication
Chapter 14: Controlling and Monitoring Access
Chapter 15: Security Assessment and Testing
Chapter 16: Managing Security Operations
Chapter 17: Preventing and Responding to Incidents
Chapter 18: Disaster Recovery Planning
Chapter 19: Investigations and Ethics
Chapter 20: Software Development Security
Chapter 21: Malicious Code and Application Attacks

Appendix B Answers to Written Labs
Chapter 1: Security Governance Through Principles and Policies
Chapter 2: Personnel Security and Risk Management Concepts
Chapter 3: Business Continuity Planning
Chapter 4: Laws, Regulations, and Compliance
Chapter 5: Protecting Security of Assets
Chapter 6: Cryptography and Symmetric Key Algorithms
Chapter 7: PKI and Cryptographic Applications
Chapter 8: Principles of Security Models, Design, and
Capabilities

Chapter 9: Security Vulnerabilities, Threats, and
Countermeasures
Chapter 10: Physical Security Requirements
Chapter 11: Secure Network Architecture and Securing Network
Components
Chapter 12: Secure Communications and Network Attacks
Chapter 13: Managing Identity and Authentication
Chapter 14: Controlling and Monitoring Access
Chapter 15: Security Assessment and Testing
Chapter 16: Managing Security Operations
Chapter 17: Preventing and Responding to Incidents
Chapter 18: Disaster Recovery Planning
Chapter 19: Investigations and Ethics
Chapter 20: Software Development Security
Chapter 21: Malicious Code and Application Attacks

Advert
EULA

List of Tables
Chapter 2

Table 2.1

Table 2.2

Chapter 5

Table 5.1

Table 5.2

Table 5.3

Chapter 6

Table 6.1

Table 6.2

Chapter 7

Table 7.1

Chapter 8

Table 8.1

Table 8.2

Table 8.3

Table 8.4

Chapter 9

Table 9.1

Chapter 10

Table 10.1

Table 10.2

Chapter 11

Table 11.1

Table 11.2

Table 11.3

Table 11.4

Table 11.5

Table 11.6

Table 11.7

Table 11.8

Table 11.9

Table 11.10

Table 11.11

Chapter 12

Table 12.1

Table 12.2

Table 12.3

Table 12.4

Chapter 18

Table 18.1

List of Illustrations
Chapter 1

FIGURE 1.1 The CIA Triad

FIGURE 1.2 The five elements of AAA services

FIGURE 1.3 Strategic, tactical, and operational plan timeline
comparison

FIGURE 1.4 Levels of government/military classification

FIGURE 1.5 Commercial business/private sector classification
levels

FIGURE 1.6 The comparative relationships of security policy
components

FIGURE 1.7 An example of diagramming to reveal threat
concerns

FIGURE 1.8 An example of diagramming to reveal threat
concerns

Chapter 2

FIGURE 2.1 An example of separation of duties related to five
admin tasks and seven administrators

FIGURE 2.2 An example of job rotation among management
positions

FIGURE 2.3 Ex-employees must return all company property

FIGURE 2.4 The elements of risk

FIGURE 2.5 The six major elements of quantitative risk
analysis

FIGURE 2.6 The categories of security controls in a defense-
in-depth implementation

FIGURE 2.7 The six steps of the risk management framework

Chapter 3

FIGURE 3.1 Earthquake hazard map of the United States

Chapter 5

FIGURE 5.1 Data classifications

FIGURE 5.2 Clearing a hard drive

Chapter 6

FIGURE 6.1 Challenge-response authentication protocol

FIGURE 6.2 The magic door

FIGURE 6.3 Symmetric key cryptography

FIGURE 6.4 Asymmetric key cryptography

Chapter 7

FIGURE 7.1 Asymmetric key cryptography

FIGURE 7.2 Steganography tool

FIGURE 7.3 Image with embedded message

Chapter 8

FIGURE 8.1 The TCB, security perimeter, and reference
monitor

FIGURE 8.2 The Take-Grant model’s directed graph

FIGURE 8.3 The Bell-LaPadula model

FIGURE 8.4 The Biba model

FIGURE 8.5 The Clark-Wilson model

FIGURE 8.6 The levels of TCSEC

Chapter 9

FIGURE 9.1 In the commonly used four-ring model,
protection rings segregate the operating system into kernel,
components, and drivers in rings 0 through 2 and applications
and programs run at ring 3.

FIGURE 9.2 The process scheduler

Chapter 10

FIGURE 10.1 A typical wiring closet

FIGURE 10.2 The fire triangle

FIGURE 10.3 The four primary stages of fire

FIGURE 10.4 A secure physical boundary with a mantrap and
a turnstile

Chapter 11

FIGURE 11.1 Representation of the OSI model

FIGURE 11.2 Representation of OSI model encapsulation

FIGURE 11.3 Representation of the OSI model peer layer
logical channels

FIGURE 11.4 OSI model data names

FIGURE 11.5 Comparing the OSI model with the TCP/IP
model

FIGURE 11.6 The four layers of TCP/IP and its component
protocols

FIGURE 11.7 The TCP three-way handshake

FIGURE 11.8 Single-, two-, and three-tier firewall deployment
architectures

FIGURE 11.9 A ring topology

FIGURE 11.10 A linear bus topology and a tree bus topology

FIGURE 11.11 A star topology

FIGURE 11.12 A mesh topology

Chapter 13

FIGURE 13.1 Graph of FRR and FAR errors indicating the
CER point

Chapter 14

FIGURE 14.1 Defense in depth with layered security

FIGURE 14.2 Role Based Access Control

FIGURE 14.3 A representation of the boundaries provided by
lattice-based access controls

FIGURE 14.4 Wireshark capture

Chapter 15

FIGURE 15.1 Nmap scan of a web server run from a Linux
system

FIGURE 15.2 Default Apache server page running on the
server scanned in Figure 15.1

FIGURE 15.3 Nmap scan of a large network run from a Mac
system using the Terminal utility

FIGURE 15.4 Network vulnerability scan of the same web
server that was port scanned in Figure 15.1

FIGURE 15.5 Web application vulnerability scan of the same
web server that was port scanned in Figure 15.1 and network
vulnerability scanned in Figure 15.2.

FIGURE 15.6 Scanning a database-backed application with
sqlmap

FIGURE 15.7 Penetration testing process

FIGURE 15.8 The Metasploit automated system exploitation
tool allows attackers to quickly execute common attacks against
target systems.

FIGURE 15.9 Fagan inspections follow a rigid formal process,
with defined entry and exit criteria that must be met before
transitioning between stages.

FIGURE 15.10 Prefuzzing input file containing a series of 1s

FIGURE 15.11 The input file from Figure 15.10 after being run
through the zzuf mutation fuzzing tool

Chapter 16

FIGURE 16.1 A segregation of duties control matrix

FIGURE 16.2 Creating and deploying images

FIGURE 16.3 Web server and database server

Chapter 17

FIGURE 17.1 Incident response

FIGURE 17.2 SYN flood attack

FIGURE 17.3 A man-in-the-middle attack

FIGURE 17.4 Intrusion prevention system

FIGURE 17.5 Viewing a log entry

Chapter 18

FIGURE 18.1 Flood hazard map for Miami–Dade County,
Florida

FIGURE 18.2 Failover cluster with network load balancing

Chapter 20

FIGURE 20.1 Security vs. user-friendliness vs. functionality

FIGURE 20.2 The waterfall lifecycle model

FIGURE 20.3 The spiral lifecycle mode

FIGURE 20.4 The IDEAL model

FIGURE 20.5 Gantt chart

FIGURE 20.6 The DevOps model

FIGURE 20.7 Hierarchical data model

FIGURE 20.8 Customers table from a relational database

FIGURE 20.9 ODBC as the interface between applications
and a backend database system

Chapter 21

FIGURE 21.1 Social Security phishing message

FIGURE 21.2 Typical database-driven website architecture

kindle:embed:0007?mime=image/jpg

Introduction
The (ISC)2 CISSP: Certified Information Systems Security
Professional Official Study Guide, Eighth Edition, offers you a solid
foundation for the Certified Information Systems Security Professional
(CISSP) exam. By purchasing this book, you’ve shown a willingness to
learn and a desire to develop the skills you need to achieve this
certification. This introduction provides you with a basic overview of
this book and the CISSP exam.

This book is designed for readers and students who want to study for
the CISSP certification exam. If your goal is to become a certified
security professional, then the CISSP certification and this study guide
are for you. The purpose of this book is to adequately prepare you to
take the CISSP exam.

Before you dive into this book, you need to have accomplished a few
tasks on your own. You need to have a general understanding of IT
and of security. You should have the necessary five years of full-time
paid work experience (or four years if you have a college degree) in two
or more of the eight domains covered by the CISSP exam. If you are
qualified to take the CISSP exam according to (ISC)2, then you are
sufficiently prepared to use this book to study for it. For more
information on (ISC)2, see the next section.

(ISC)2 also allows for a one-year reduction of the five-year experience
requirement if you have earned one of the approved certifications from
the (ISC)2 prerequisite pathway. These include certifications such as
CAP, CISM, CISA, CCNA Security, Security+, MCSA, MCSE, and many
of the GIAC certifications. For a complete list of qualifying
certifications, visit
https://www.isc2.org/Certifications/CISSP/Prerequisite-Pathway.
Note: You can use only one of the experience reduction measures,
either a college degree or a certification, not both.

(ISC)2

https://www.isc2.org/Certifications/CISSP/Prerequisite-Pathway

The CISSP exam is governed by the International Information Systems
Security Certification Consortium (ISC)2. (ISC)2 is a global not-for-
profit organization. It has four primary mission goals:

Maintain the Common Body of Knowledge (CBK) for the field of
information systems security.

Provide certification for information systems security professionals
and practitioners.

Conduct certification training and administer the certification
exams.

Oversee the ongoing accreditation of qualified certification
candidates through continued education.

The (ISC)2 is operated by a board of directors elected from the ranks of
its certified practitioners.

(ISC)2 supports and provides a wide variety of certifications, including
CISSP, SSCP, CAP, CSSLP, CCFP, HCISPP, and CCSP. These
certifications are designed to verify the knowledge and skills of IT
security professionals across all industries. You can obtain more
information about (ISC)2 and its other certifications from its website
at www.isc2.org.

The Certified Information Systems Security Professional (CISSP)
credential is for security professionals responsible for designing and
maintaining security infrastructure within an organization.

Topical Domains
The CISSP certification covers material from the eight topical
domains. These eight domains are as follows:

Security and Risk Management

Asset Security

Security Architecture and Engineering

Communication and Network Security

Identity and Access Management (IAM)

…