ABOUT THE AUTHORS

Shon Harris, CISSP, was the founder and CEO of Shon Harris Security LLC and Logical Security LLC, a security consultant, a former engineer in the Air Force's Information Warfare unit, an instructor, and an author. Shon owned and ran her own training and consulting companies for 13 years prior to her death in 2014. She consulted with Fortune 100 corporations and government agencies on extensive security issues. She authored three best-selling CISSP books, was a contributing author to Gray Hat Hacking: The Ethical Hacker's Handbook and Security Information and Event Management (SIEM) Implementation, and a technical editor for Information Security Magazine.

Jonathan Ham, CISSP, GSEC, GCIA, GCIH, GMON, is an independent consultant who specializes in large-scale enterprise security issues, from policy and procedure, through team selection and training, to implementing scalable prevention, detection, and response technologies and techniques. With a keen understanding of ROI and TCO (and an emphasis on real-world practice over products), he has helped his clients achieve greater success for over 20 years, advising in both the public and private sectors, from small startups to the Fortune 50, and the U.S. Department of Defense across multiple engaged forces. Mr. Ham has been commissioned to teach investigative techniques to the NSA, has trained NCIS investigators how to use intrusion detection technologies, has performed packet analysis from a facility more than 2,000 feet underground, and has chartered and trained the CIRT for one of the largest U.S. civilian federal agencies. In addition to his professional certifications, Mr. Ham is a Certified Instructor and Author with the SANS Institute, and is a member of the GIAC Advisory Board. He has also consistently been the highest rated trainer at Black Hat events, teaching his course on Network Forensics. His groundbreaking textbook on the topic established him as a pioneer in the field. A former combat medic with the U.S. Navy/Marine Corps, Mr. Ham has spent over a decade practicing a different kind of emergency response, volunteering and teaching for both the National Ski Patrol and the American Red Cross, as both a Senior Patroller and Instructor and a Professional Rescuer.

A Note from Jonathan

Shon and I never met in person, though my career has been inextricably linked to hers for more than a decade. The first time I was ever asked to teach a class for the SANS Institute was because Shon was scheduled and couldn't make it. I went on to teach SANS' extremely popular CISSP prep course (Mgt414) dozens of times, and my students routinely brought her books to my classroom. As a result, I've gone on to teach thousands of students at both the graduate and post-graduate level, across six continents and in dozens of countries, and involving content ranging from hacking techniques to forensic investigations. Thanks to Shon, I am truly living the dream and giving it back in every way that I can. I am also extremely honored to have been asked by McGraw-Hill Education to continue her work. We had so very many friends in common that nearly everyone I know professionally encouraged me to do it. She will be remembered with the respect of thousands of CISSPs. And mine.

About the Technical Editor

Daniel Carter, CISSP, CCSP, CISM, CISA, has 20 years of experience in the IT and security worlds, working in both the higher education and healthcare sectors, on the state and federal levels. He is currently a Systems Security Officer in U.S. Federal Healthcare for HP Enterprise. He has worked extensively on both security and architecture for public web systems for the Centers for Medicare & Medicaid Services (CMS), including official websites for Medicare and the Affordable Care Act. Prior to work at HPE and CMS, Daniel worked in Enterprise Information Systems for the University of Maryland on systems ranging from official university websites, identity and authentication systems, e-mail and calendaring, and the university's PKI infrastructure.

Copyright 2016 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

ISBN: 978-1-25-958508-1
MHID: 1-25-958508-5

The material in this eBook also appears in the print version of this title: ISBN: 978-1-25-958596-8, MHID: 1-25-958596-4.

eBook conversion by codeMantra
Version 1.0

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact U.

Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education's prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED "AS IS." McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

It has been at the expense of my tribe that I have managed to continue Shon's work. I honor them by name here, as elsewhere: 436861726C6965204D617269652048616D0D0A56696F6C65742044616E67657220576573740D0A5468756E646572204772657920576573740D0A50616F6C6120436563696C696120476172636961204A756172657A0D0A

They are beautiful and brilliant each, and loved more than they may ever know.

Jonathan Ham, April 13, 2016

CONTENTS

Preface
Introduction
Chapter 1 Security and Risk Management
Chapter 2 Asset Security
Chapter 3 Security Engineering
Chapter 4 Communication and Network Security
Chapter 5 Identity and Access Management
Chapter 6 Security Assessment and Testing
Chapter 7 Security Operations
Chapter 8 Software Development Security
Appendix About the Download
Index

PREFACE

Computer, information, and physical security are becoming more important at an exponential rate. Over the last few years, the necessity for computer and information security has grown rapidly as cyberattacks have increased, financial information is being stolen at a rapid pace, cyberwarfare is affecting countries around the world, and today's malware is growing exponentially in its sophistication and dominating our threat landscape. The world's continuous dependency upon technology and the rapid increase in the complexities of these technologies make securing them a challenging and important task. Companies have had to spend millions of dollars to clean up the effects of these issues and millions of dollars more to secure their perimeter and internal networks with equipment, software, consultants, and education. Our networked environments no longer have true boundaries; the integration of mobile devices has introduced more attack surfaces; and the attackers are commonly well funded, organized, and focused on their intended victims.

The necessity and urgency for security have led to a new paradigm emerging. It is slowly becoming apparent that governments, nations, and societies are vulnerable to many different types of attacks that can happen over the network wire and airwaves. Societies depend heavily on all types of computing power and functionality, mostly provided by the public and private sectors. This means that although governments are responsible for protecting their citizens, it is becoming apparent that the citizens and their businesses must become more secure to protect the nation as a whole. This type of protection can really only begin through proper education and understanding, and must continue with the dedicated execution of this knowledge. This book is written to provide a foundation in the many different areas that make up effective security. We need to understand all of the threats and dangers we are vulnerable to and the steps that must be taken to mitigate these vulnerabilities.

INTRODUCTION

The objective of this book is to prepare you for the CISSP exam by familiarizing you with the more difficult types of questions that may come up on the exam. The questions in this book delve into the more complex topics of the CISSP Common Body of Knowledge (CBK) that you may be faced with when you take the exam. This book has been developed to be used in tandem with the CISSP All-in-One Exam Guide, Seventh Edition. The best approach to prepare for the exam using all of the material available to you is outlined here:

1. Review the questions and answer explanations in each chapter.
2. If further review is required, read the corresponding chapter(s) in the CISSP All-in-One Exam Guide, Seventh Edition.
3. Review all of the additional questions that are available. See the "Additional Questions Available" section at the end of this introduction.

Because the primary focus of this book is to help you pass the exam, the questions included cover all eight CISSP exam domains. Each question features a detailed explanation as to why one answer choice is the correct answer and why each of the other choices is incorrect. Because of this, we believe this book will serve as a valuable professional resource after your exam.

In This Book

This book has been organized so that each chapter consists of a battery of practice exam questions representing a single CISSP exam domain, appropriate for experienced information security professionals. Each practice exam question features answer explanations that provide the emphasis on the "why" as well as the "how-to" of working with and supporting the technology and concepts.

In Every Chapter

Included in each chapter are features that call your attention to the key steps of the testing and review process and that provide helpful exam-taking hints. Take a look at what you'll find in every chapter:

Every chapter includes practice exam questions from one CISSP CBK Security Domain. Drill down on the questions from each domain that you will need to know how to answer in order to pass the exam.

The Practice Exam Questions are similar to those found on the actual CISSP exam and are meant to present you with some of the most common and confusing problems that you may encounter when taking the actual exam. These questions are designed to help you anticipate what the exam will emphasize. Getting inside the exam with good practice questions will help ensure you know what you need to know to pass the exam.

Each chapter includes a Quick Answer Key, which provides the question number and the corresponding letter for the correct answer choice. This allows you to score your answers quickly before you begin your review.

Each question includes an In-Depth Answer Explanation: explanations are provided for both the correct and incorrect answer choices and can be found at the end of each chapter. By reading the answer explanations, you'll reinforce what you've learned from answering the questions in that chapter, while also becoming familiar with the structure of the exam questions.

Additional Questions Available

In addition to the questions in each chapter, there are more than 1,000 multiple-choice practice exam questions available to you. Also available are simulated hotspot and drag-and-drop type questions. For more information on these question types and how to access them, please refer to the appendix.

CHAPTER 1
Security and Risk Management

This domain includes questions from the following topics:

Security terminology and principles
Protection control types
Security frameworks, models, standards, and best practices
Computer laws and crimes
Intellectual property
Data breaches
Risk management
Threat modeling
Business continuity and disaster recovery
Personnel security
Security governance

A security professional's responsibilities extend well beyond reacting to the latest news headlines of a new exploit or security breach. The day-to-day responsibilities of security professionals are far less exciting on the surface but are vital to keeping organizations protected against intrusions so that they don't become the next headline. The role of security within an organization is a complex one, as it touches every employee and must be managed companywide. It is important that you have an understanding of security beyond the technical details to include management and business issues, both for the CISSP exam and for your role in the field.

QUESTIONS

1. Which of the following best describes the relationship between COBIT and ITIL?
A. COBIT is a model for IT governance, whereas ITIL is a model for corporate governance.
B. COBIT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
C. COBIT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.
D. COBIT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service-level goals.

2. Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this?
A. Committee of Sponsoring Organizations of the Treadway Commission
B. The Organisation for Economic Co-operation and Development
C. COBIT
D. International Organization for Standardization

3. Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining?
A. Security policy committee
B. Audit committee
C. Risk management committee
D. Security steering committee

4. Which of the following is not included in a risk assessment?
A. Discontinuing activities that introduce risk
B. Identifying assets
C. Identifying threats
D. Analyzing risk in order of cost or criticality

5. The integrity of data is not related to which of the following?
A. Unauthorized manipulation or changes to data
B. The modification of data without authorization
C. The intentional or accidental substitution of data
D. The extraction of data to share with unauthorized entities

6. As his company's CISO, George needs to demonstrate to the board of directors the necessity of a strong risk management program. Which of the following should George use to calculate the company's residual risk?
A. threats × vulnerability × asset value = residual risk
B. SLE × frequency = ALE, which is equal to residual risk
C. (threats × vulnerability × asset value) × controls gap = residual risk
D. (total risk - asset value) × countermeasures = residual risk

7. Capability Maturity Model Integration (CMMI) came from the software engineering world and is used within organizations to help lay out a pathway of how incremental improvement can take place. This model is used by organizations in self-assessment and to develop structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes. In the CMMI model graphic shown, what is the proper sequence of the lev