
Praise for CISSP® All-in-One Exam Guide

A must-have reference for any cyber security practitioner, this book provides invaluable practical
knowledge on the increasingly complex universe of security concepts, controls, and best
practices necessary to do business in today’s world.
Steve Zalewski,
Chief Security Architect,
Levi Strauss & Co.

Shon Harris put the CISSP certification on the map with this golden bible of the CISSP.
Fernando Maymí carries that legacy forward beautifully with clarity, accuracy, and balance. I am
sure that Shon would be proud.
David R. Miller, CISSP; GIAC GISP; PCI QSA;
SME; MCT; MCITPro Enterprise Admin;
MCSE NT 4.0, 2000, 2003, 2008; CEH;
ECSA; LPT; CCNA; CWNA; CNE;
GIAC GISF; CompTIA Security+, etc.…

An excellent reference. Written clearly and concisely, this book is invaluable to students,
educators, and practitioners alike.
Dr. Joe Adams, Founder and Executive
Director, Michigan Cyber Range

A lucid, enlightening, and comprehensive tour de force through the breadth of cyber security.
Maymí and Harris are masters of the craft.
Dr. Greg Conti, Founder,
Kopidion LLC

I wish I had found this book earlier in my career. It certainly was the single tool I used to pass the
CISSP exam, but more importantly it has taught me about security from many aspects I did not
even comprehend previously. I think the knowledge that I gained from this book is going to help
me in many years to come. Terrific book and resource!
Janet Robinson,
Chief Security Officer

The “All-in-One Exam Guide” is probably responsible for preventing tens of thousands of
cyberattacks and for providing the strategic, operational, and tactical knowledge to secure vital
government and corporate data centers and networks.
I personally used Shon’s work to achieve my CISSP and I have globally recommended it to
many audiences. I have led many large organizations and one of my fundamental requirements
for any of the budding CISSPs that I have mentored on their path to achieve a CISSP certificate
was that they had to do two things before I would send them to a CISSP training boot camp.
First, they had to prove to me they read Shon’s Gold Book, as I called it, and second they had to
attend a free online CISSP preparation seminar. I had great success with this methodology.
I look forward to all future editions.
Bill Ross, CISSP, CISM, IAM,
SABSA Master Intelligence Officer, ITIL

Shon Harris and the “All-in-One CISSP” book have been the secret to my success. While at RSA
I engaged Shon in getting 90 percent of the worldwide sales engineers CISSP certified, all with
the assistance of this book. I took this same program with me to Symantec, and Shon worked
with me to ensure we had the same type of results with both security engineers and security
executives at Symantec. Her straightforward approach contained in this book gave each
individual the specific information they needed to take the CISSP exam. As a plus, each of them
gained a great deal of knowledge and solid base that is required by today’s security
professionals. I count myself as fortunate to have been introduced to Shon and the “All-in-One
CISSP” early in my security career!
Rick Hanson,
CISSP Symantec Security Business Practice

I have no hesitation in recommending Shon Harris’ “All-in-One Exam Guide”—the consummate
guide to (a) passing the prestigious CISSP examination specifically and (b) more generally—a
great insight into the wider world of information security.
Mike Rabbitt, CISSP,
CISA Information Security Officer

A must-have for anyone serious about becoming a CISSP.
Clément Dupuis, CD,
Owner and Founder of The CCCure
Family of Portals, www.cccure.org

This is the best book to prepare for the CISSP exam. Period.
Sabyasachi Hazra, CISSP, CISA,
CISM, PMP, CCSE, ISO 27001 LA,
CEH, CCSP, CCSA, CCSE, CCSE+,
MCSA, CCNP, Deloitte & Touche

Shon Harris is amazing at explaining the most complicated technologies in very simplified terms.
This is a great book for studying for the CISSP exam, but also the only reference manual needed
for any technical library.
Casey Batz,
Network Security Engineer, VMware

Shon’s “CISSP All-in-One Guide” has been the go-to study guide for the more than 200 new
CISSP holders developed in our region over the last two years. It continues to be a great asset for
both the novice and experienced security practitioner.
Alex Humber, Symantec Corporation

Not coming from a technical background, your guide was exactly what was needed to prepare for
the CISSP exam. The material was presented in a way that allowed for not only grasping the
concepts but also understanding them. The CISSP exam is one of the toughest out there, and
your guide is a great tool for preparing for that rigorous undertaking.
Dr. Kevin Schatzle, CISSP, CFE, CPP

I heard from others for years that Harris’ CISSP book was the gold star and now that I am getting
around to preparing for the exam—I see exactly what they mean. I thought I had a firm grasp on
most items that make up information security, but this book really showed me that there is a lot
more involved than I imagined. This book has broadened my horizons and provided me deep
insight. And by the way, I passed the CISSP exam easily from just studying this one book.
Paul Rose, CEH, CISA, and now
CISSP Security Compliance Officer

Shon Harris really takes a different approach to writing, which helped me tremendously. The
explanations, scenarios, metaphors, and a sprinkle of humor here and there made this book
enjoyable—instead of a dreaded task. Some of the technical concepts I learned ten or more years
ago, but after reading this book I now see how I did not understand these concepts to the
necessary depth and I also understand how these technologies work together in the real world.
The book has made me a much better security professional and allowed me to get my CISSP
certification. Thanks for such a great piece of work!
Mike Peterson, Information Security Officer

Copyright © 2019 by McGraw-Hill Education. All rights reserved. Except as permitted under the
United States Copyright Act of 1976, no part of this publication may be reproduced or
distributed in any form or by any means, or stored in a database or retrieval system, without the
prior written permission of the publisher, with the exception that the program listings may be
entered, stored, and executed in a computer system, but they may not be reproduced for
publication.

ISBN: 978-1-26-014264-8
MHID: 1-26-014264-7

The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-014265-5,
MHID: 1-26-014265-5.

eBook conversion by codeMantra

Version 1.0

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol
after every occurrence of a trademarked name, we use names in an editorial fashion only, and to
the benefit of the trademark owner, with no intention of infringement of the trademark. Where
such designations appear in this book, they have been printed with initial caps.

McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums
and sales promotions or for use in corporate training programs. To contact a representative,
please visit the Contact Us page at www.mhprofessional.com.

Information has been obtained by McGraw-Hill Education from sources believed to be reliable.
However, because of the possibility of human or mechanical error by our sources, McGraw-Hill
Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or
completeness of any information and is not responsible for any errors or omissions or the results
obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and
to the work. Use of this work is subject to these terms. Except as permitted under the Copyright
Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile,
disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit,
distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill
Education’s prior consent. You may use the work for your own noncommercial and personal
use; any other use of the work is strictly prohibited. Your right to use the work may be
terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS
MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR
COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK
VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES
OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill
Education and its licensors do not warrant or guarantee that the functions contained in the work
will meet your requirements or that its operation will be uninterrupted or error free. Neither
McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy,
error or omission, regardless of cause, in the work or for any damages resulting therefrom.
McGraw-Hill Education has no responsibility for the content of any information accessed
through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be
liable for any indirect, incidental, special, punitive, consequential or similar damages that result
from the use of or inability to use the work, even if any of them has been advised of the
possibility of such damages. This limitation of liability shall apply to any claim or cause
whatsoever whether such claim or cause arises in contract, tort or otherwise.
We dedicate this book to all those who have served selflessly.

ABOUT THE AUTHORS

Shon Harris, CISSP, was the founder and CEO of Shon Harris Security LLC and Logical
Security LLC, a security consultant, a former engineer in the Air Force’s Information Warfare
unit, an instructor, and an author. Shon owned and ran her own training and consulting
companies for 13 years prior to her death in 2014. She consulted with Fortune 100 corporations
and government agencies on extensive security issues. She authored three best-selling CISSP
books, was a contributing author to Gray Hat Hacking: The Ethical Hacker’s Handbook and
Security Information and Event Management (SIEM) Implementation, and a technical editor for
Information Security Magazine.

Fernando Maymí, Ph.D., CISSP, is Lead Scientist in the Cyber and Secure Autonomy division
of Soar Technology, Inc., an artificial intelligence research and development company, a retired
Army officer, and a former West Point faculty member with over 25 years’ experience in the
field. He is currently leading multiple advanced research projects developing autonomous
cyberspace agents for the Department of Defense. Fernando has developed and conducted large-scale
cyber security exercises for major cities in the United States and abroad, and served as
advisor for senior leaders around the world. He worked closely with Shon Harris, advising her on
a multitude of projects, including the sixth edition of the CISSP All-in-One Exam Guide.

About the Contributor/Technical Editor

Bobby E. Rogers is an information security engineer working as a contractor for Department of
Defense agencies, helping to secure, certify, and accredit their information systems. His duties
include information system security engineering, risk management, and certification and
accreditation efforts. He retired after 21 years in the U.S. Air Force, serving as a network
security engineer and instructor, and has secured networks all over the world. Bobby has a
master’s degree in information assurance (IA) and is pursuing a doctoral degree in cyber security
from Capitol Technology University in Maryland. His many certifications include CISSP-ISSEP,
CEH, and MCSE: Security, as well as the CompTIA A+, Network+, Security+, and Mobility+
certifications.

CONTENTS AT A GLANCE

Chapter 1 Security and Risk Management
Chapter 2 Asset Security
Chapter 3 Security Architecture and Engineering
Chapter 4 Communication and Network Security
Chapter 5 Identity and Access Management
Chapter 6 Security Assessment and Testing
Chapter 7 Security Operations
Chapter 8 Software Development Security
Appendix A Comprehensive Questions
Appendix B About the Online Content
Glossary

Index

CONTENTS

In Memory of Shon Harris
Foreword
From the Author
Acknowledgments
Why Become a CISSP?
Chapter 1 Security and Risk Management
Fundamental Principles of Security
Availability
Integrity
Confidentiality
Balanced Security
Security Definitions
Control Types
Security Frameworks
ISO/IEC 27000 Series
Enterprise Architecture Development
Security Controls Development
Process Management Development
Functionality vs. Security
The Crux of Computer Crime Laws
Complexities in Cybercrime
Electronic Assets
The Evolution of Attacks
International Issues
Types of Legal Systems
Intellectual Property Laws
Trade Secret
Copyright
Trademark
Patent
Internal Protection of Intellectual Property
Software Piracy
Privacy
The Increasing Need for Privacy Laws
Laws, Directives, and Regulations
Employee Privacy Issues
Data Breaches
U.S. Laws Pertaining to Data Breaches
Other Nations’ Laws Pertaining to Data Breaches
Policies, Standards, Baselines, Guidelines, and Procedures
Security Policy
Standards
Baselines
Guidelines
Procedures
Implementation
Risk Management
Holistic Risk Management
Information Systems Risk Management Policy
The Risk Management Team
The Risk Management Process
Threat Modeling
Threat Modeling Concepts
Threat Modeling Methodologies
Risk Assessment and Analysis
Risk Assessment Team
The Value of Information and Assets
Costs That Make Up the Value
Identifying Vulnerabilities and Threats
Methodologies for Risk Assessment
Risk Analysis Approaches
Qualitative Risk Analysis
Protection Mechanisms
Total Risk vs. Residual Risk
Handling Risk
Supply Chain Risk Management
Upstream and Downstream Suppliers
Service Level Agreements
Risk Management Frameworks
Categorize Information System
Select Security Controls
Implement Security Controls
Assess Security Controls
Authorize Information System
Monitor Security Controls
Business Continuity and Disaster Recovery
Standards and Best Practices
Making BCM Part of the Enterprise Security Program
BCP Project Components
Personnel Security
Hiring Practices
Onboarding
Termination
Security Awareness Training
Degree or Certification?
Security Governance
Metrics
Ethics
The Computer Ethics Institute
The Internet Architecture Board
Corporate Ethics Programs
Summary
Quick Tips
Questions
Answers
Chapter 2 Asset Security
Information Life Cycle
Acquisition
Use
Archival
Disposal
Classification
Classification Levels
Classification Controls
Layers of Responsibility
Executive Management
Data Owner
Data Custodian
System Owner
Security Administrator
Supervisor
Change Control Analyst
Data Analyst
User
Auditor
Why So Many Roles?
Retention Policies
Developing a Retention Policy
Protecting Privacy
Data Owners
Data Processors
Data Remanence
Limits on Collection
Protecting Assets
Data Security Controls
Media Controls
Protecting Mobile Devices
Paper Records
Safes
Selecting Standards
Data Leakage
Data Leak Prevention
Summary
Quick Tips
Questions
Answers
Chapter 3 Security Architecture and Engineering
System Architecture
Computer Architecture
The Central Processing Unit
Multiprocessing
Memory Types
Operating Systems
Process Management
Memory Management
Input/Output Device Management
CPU Architecture Integration
Operating System Architectures
Virtual Machines
System Security Architecture
Security Policy
Security Architecture Requirements
Security Models
Bell-LaPadula Model
Biba Model
Clark-Wilson Model
Noninterference Model
Brewer and Nash Model
Graham-Denning Model
Harrison-Ruzzo-Ullman Model
Systems Evaluation
Common Criteria
Why Put a Product Through Evaluation?
Certification vs. Accreditation
Certification
Accreditation
Open vs. Closed Systems
Open Systems
Closed Systems
Systems Security
Client-Based Systems
Client-Server Systems
Distributed Systems
Cloud Computing
Parallel Computing
Database Systems
Web-Based Systems
Mobile Systems
Cyber-Physical Systems
A Few Threats to Review
Maintenance Hooks
Time-of-Check/Time-of-Use Attacks
Cryptography in Context
The History of Cryptography
Cryptography Definitions and Concepts
Kerckhoffs’ Principle
The Strength of the Cryptosystem
One-Time Pad
Running and Concealment Ciphers
Steganography
Types of Ciphers
Substitution Ciphers
Transposition Ciphers
Methods of Encryption
Symmetric vs. Asymmetric Algorithms
Symmetric Cryptography
Block and Stream Ciphers
Hybrid Encryption Methods
Types of Symmetric Systems
Data Encryption Standard
Triple-DES
Advanced Encryption Standard
International Data Encryption Algorithm
Blowfish
RC4
RC5
RC6
Types of Asymmetric Systems
Diffie-Hellman Algorithm
RSA
El Gamal
Elliptic Curve Cryptosystems
Knapsack
Zero Knowledge Proof
Message Integrity
The One-Way Hash
Various Hashing Algorithms
MD4
MD5
SHA
Attacks Against One-Way Hash Functions
Public Key Infrastructure
Certificate Authorities
Certificates
The Registration Authority
PKI Steps
Applying Cryptography
Services of Cryptosystems
Digital Signatures
Digital Signature Standard
Key Management
Trusted Platform Module
Digital Rights Management
Attacks on Cryptography
Ciphertext-Only Attacks
Known-Plaintext Attacks
Chosen-Plaintext Attacks
Chosen-Ciphertext Attacks
Differential Cryptanalysis
Linear Cryptanalysis
Side-Channel Attacks
Replay Attacks
Algebraic Attacks
Analytic Attacks
Statistical Attacks
Social Engineering Attacks
Meet-in-the-Middle Attacks
Site and Facility Security
The Site Planning Process
Crime Prevention Through Environmental Design
Designing a Physical Security Program
Internal Support Systems
Electric Power
Environmental Issues
Fire Prevention, Detection, and Suppression
Summary
Quick Tips
Questions
Answers
Chapter 4 Communication and Network Security
Principles of Network Architectures
Open Systems Interconnection Reference Model
Protocol
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
Functions and Protocols in the OSI Model
Tying the Layers Together
Multilayer Protocols
TCP/IP Model
TCP
IP Addressing
IPv6
Layer 2 Security Standards
Converged Protocols
Transmission Media
Types of Transmission
Cabling
Wireless Networks
Wireless Communications Techniques
WLAN Components
Evolution of WLAN Security
Wireless Standards
Best Practices for Securing WLANs
Satellites
Mobile Wireless Communication
Networking Foundations
Network Topology
Media Access Technologies
Transmission Methods
Network Protocols and Services
Address Resolution Protocol
Dynamic Host Configuration Protocol
Internet Control Message Protocol
Simple Network Management Protocol
Domain Name Service
E-mail Services
Network Address Translation
Routing Protocols
Network Components
Repeaters
Bridges
Routers
Switches
Gateways
PBXs
Firewalls
Proxy Servers
Unified Threat Management
Content Distribution Networks
Software Defined Networking
Endpoints
Honeypot
Network Access Control
Virtualized Networks
Intranets and Extranets
Metropolitan Area Networks
Metro Ethernet
Wide Area Networks
Telecommunications Evolution
Dedicated Links
WAN Technologies
Communications Channels
Multiservice Access Technologies
H.323 Gateways
Digging Deeper into SIP
IP Telephony Issues
Remote Access
Dial-up Connections
ISDN
DSL
Cable Modems
VPN
Authentication Protocols
Network Encryption
Link Encryption vs. End-to-End Encryption
E-mail Encryption Standards
Internet Security
Network Attacks
Denial of Service
Sniffing
DNS Hijacking
Drive-by Download
Summary
Quick Tips
Questions
Answers
Chapter 5 Identity and Access Management
Access Controls Overview
Security Principles
Availability
Integrity
Confidentiality
Identification, Authentication, Authorization, and Accountability
Identification and Authentication
Authentication Methods
Authorization
Accountability
Session Management
Federation
Integrating Identity as a Service
On-premise
Cloud
Integration Issues
Access Control Mechanisms
Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
Rule-Based Access Control
Attribute-Based Access Control
Access Control Techniques and Technologies
Constrained User Interfaces
Remote Access Control Technologies
Access Control Matrix
Content-Dependent Access Control
Context-Dependent Access Control
Managing the Identity and Access Provisioning Life Cycle
Provisioning
User Access Review
System Account Access Review
Deprovisioning
Controlling Physical and Logical Access
Access Control Layers
Administrative Controls
Physical Controls
Technical Controls
Access Control Practices
Unauthorized Disclosure of Information
Access Control Monitoring
Intrusion Detection Systems
Intrusion Prevention Systems
Threats to Access Control
Dictionary Attack
Brute-Force Attacks
Spoofing at Logon
Phishing and Pharming
Summary
Quick Tips
Questions
Answers
Chapter 6 Security Assessment and Testing
Assessment, Test, and Audit Strategies
Internal Audits
External Audits
Third-Party Audits
Test Coverage
Auditing Technical Controls
Vulnerability Testing
Penetration Testing
War Dialing
Other Vulnerability Types
Postmortem
Log Reviews
Synthetic Transactions
Misuse Case Testing
Code Reviews
Code Testing
Interface Testing
Auditing Administrative Controls
Account Management
Backup Verification
Disaster Recovery and Business Continuity
Security Training and Security Awareness Training
Key Performance and Risk Indicators
Reporting
Analyzing Results
Writing Technical Reports
Executive Summaries
Management Review and Approval
Before the Management Review
Reviewing Inputs
Management Approval
Summary
Quick Tips
Questions
Answers
Chapter 7 Security Operations
The Role of the Operations Department
Administrative Management
Security and Network Personnel
Accountability
Clipping Levels
Physical Security
Facility Access Control
Personnel Access Controls
External Boundary Protection Mechanisms
Intrusion Detection Systems
Patrol Force and Guards
Dogs
Auditing Physical Access
Internal Security Controls
Secure Resource Provisioning
Asset Inventory
Asset Management
Configuration Management
Trusted Recovery
Input and Output Controls
System Hardening
Remote Access Security
Provisioning Cloud Assets
Network and Resource Availability
Mean Time Between Failures
Mean Time to Repair
Single Points of Failure
Backups
Contingency Planning
Preventing and Detecting
Continuous Monitoring
Firewalls
Intrusion Detection and Prevention Systems
Whitelisting and Blacklisting
Antimalware
Vulnerability Management
Patch Management
Sandboxing
Honeypots and Honeynets
Egress Monitoring
Security Information and Event Management
Outsourced Services
The Incident Management Process
Detection
Response
Mitigation
Reporting
Recovery
Remediation
Investigations
Computer Forensics and Proper Collection of Evidence
Motive, Opportunity, and Means
Computer Criminal Behavior
Incident Investigators
Types of Investigations
The Forensic Investigation Process
What Is Admissible in Court?
Surveillance, Search, and Seizure
Disaster Recovery
Business Process Recovery
Recovery Site Strategies
Supply and Technology Recovery
Backup Storage Strategies
End-User Environment
Availability
Liability and Its Ramifications
Liability Scenarios
Third-Party Risk
Contractual Agreements
Procurement and Vendor Processes
Insurance
Implementing Disaster Recovery
Personnel
Assessment
Restoration
Communications
Training
Personal Safety Concerns
Emergency Management
Duress
Travel
Training
Summary
Quick Tips
Questions
Answers
Chapter 8 Software Development Security
Building Good Code
Where Do We Place Security?
Different Environments Demand Different Security
Environment vs. Application
Functionality vs. Security
Implementation and Default Issues
Software Development Life Cycle
Project Management
Requirements Gathering Phase
Design Phase
Development Phase
Testing Phase
Operations and Maintenance Phase
Software Development Methodologies
Waterfall Methodology
V-Shaped Methodology
Prototyping
Incremental Methodology
Spiral Methodology
Rapid Application Development
Agile Methodologies
Integrated Product Team
DevOps
Capability Maturity Model Integration
Change Management
Change Control
Security of Development Environments
Security of Development Platforms
Security of Code Repositories
Software Configuration Management
Secure Coding
Source Code Vulnerabilities
Secure Coding Practices
Programming Languages and Concepts
Assemblers, Compilers, Interpreters
Object-Oriented Concepts
Other Software Development Concepts
Application Programming Interfaces
Distributed Computing
Distributed Computing Environment
CORBA and ORBs
COM and DCOM
Java Platform, Enterprise Edition
Service-Oriented Architecture
Mobile Code
Java Applets
ActiveX Controls
Web Security
Specific Threats for Web Environments
Web Application Security Principles
Database Management
Database Management Software
Database Models
Database Programming Interfaces
Relational Database Components
Integrity
Database Security Issues
Data Warehousing and Data Mining
Malicious Software (Malware)
Viruses
Worms
Rootkit
Spyware and Adware
Botnets
Logic Bombs
Trojan Horses
Antimalware Software
Spam Detection
Antimalware Programs
Assessing the Security of Acquired Software
Summary
Quick Tips
Questions
Answers
Appendix A Comprehensive Questions
Answers
Appendix B About the Online Content
System Requirements
Your Total Seminars Training Hub Account
Single User License Terms and Conditions
TotalTester Online
Hotspot and Drag-and-Drop Questions
Online Flash Cards
Single User License Terms and Conditions
Technical Support

Glossary
Index

IN MEMORY OF SHON HARRIS

In the summer of 2014, Shon asked me to write a foreword for the new edition of her CISSP All-in-One
Exam Guide. I was honored to do that, and the following two paragraphs are that original
foreword. Following that, I will say more about my friend, the late Shon Harris.
The cyber security field is still relatively new and has been evolving as technology advances.
Every decade or so, we have an advance or two that seems to change the game. For example, in
the 1990s we were focused primarily on “perimeter defense.” Lots of money was spent on
perimeter devices like firewalls to keep the bad guys out. Around 2000, recognizing that
perimeter defense alone was insufficient, the “defense in depth” approach became popular, and
we spent another decade trying to build layers of defense and detect the bad guys who were able
to get past our perimeter defenses. Again, lots of money was spent, this time on intrusion
detection, intrusion prevention, and end-point solutions. Then, around 2010, following the lead
of the U.S. government in particular, we began to focus on “continuous monitoring,” the goal
being to catch the bad guys inside the network if they get past the perimeter defense and the
defense in depth. Security information and event management (SIEM) technology has emerged
as the best way to handle this continuous monitoring requirement. The latest buzz phrase is
“active defense,” which refers to the ability to respond in real time through a dynamic and
changing defense that works to contain the attacker and allow the organization to recover quickly
and get back to business. We are starting to see the re-emergence of honeypots combined with
sandbox technology to bait and trap attackers for further analysis of their activity. One thing is
common throughout this brief historical survey: the bad guys keep getting in and we keep
responding to try and keep up, if not prevent them in the first place. This cat-and-mouse game
will continue for the foreseeable future.
As the cyber security field continuously evolves to meet the latest emerging threats, each new
strategy and tactic brings with it a new set of terminology and concepts for the security
professional to master. The sheer bulk of the body of knowledge can be overwhelming,
particularly to newcomers. As a security practitioner, consultant, and business leader, I am often
asked by aspiring security practitioners where to start when trying to get into the field. I often
refer them to Shon’s CISSP All-in-One Exam Guide, not necessarily for the purpose of becoming
a CISSP, but so that they may have in one resource the body of knowledge in the field. I am also
often asked by experienced security practitioners how to advance in the field. I encourage them
to pursue CISSP certification and, once again, I refer them to Shon’s book. Some are destined to
become leaders in the field, and the CISSP is a solid certificate for managers. Other security
professionals I encounter are just looking for more breadth of knowledge, and I recommend
Shon’s book to them too as a good one-stop reference for that. This book has stood the test of
time. It has evolved as the field has evolved and stands as the single most important book in the
cyber security field, period. I have personally referred to it several times throughout my career
and keep a copy near me at all times on my Kindle. Simply put, if you are in the cyber security
field, you need a copy of this book.
On a personal note, little did I know that within months of writing the preceding foreword,
Shon would no longer be with us. I counted Shon as a good friend and still admire her for her
contribution to the field. I met Shon at a CISSP boot camp in 2002. I had just learned of the
CISSP and within weeks found myself in her class. I had no clue that she had already written
several books by that time and was a true leader in the field. I must have chattered away during
our lunch sessions, because a few months after the class, she reached out to me and said, “Hey, I
remember you were interested in writing. I have a new project that I need help on. Would you
like to help?” After an awkward pause, as I picked myself up from the floor, I told her that I felt
underqualified, but yes! That started a journey that has blessed me many times over. The book
was called Gray Hat Hacking and is now in the fourth edition. From the book came many
consulting, writing, and teaching opportunities, such as Black Hat. Then, as I retired from the
Marine Corps, in 2008, there was Shon, right on cue: “Hey, I have an opportunity to provide
services to a large company. Would you like to help?” Just like that, I had my first large client,
launching my company, which I was able to grow, with Shon’s help, and then sell a couple of
years ago. During the 12 years I knew her, Shon continued to give me opportunities to become
much more than I could have dreamed. She never asked for a thing in return, simply saying,
“You take it and run with it, I am too busy doing other things.” As I think back over my career
after the Marine Corps, I owe most of my success to Shon. I have shared this story with others
and found that I am not the only one; Shon blessed so many people with her giving spirit. I am
convinced there are many “Shon” stories like this one out there. She touched so many people in
the security field and more than lived up to the nickname I had for her, Miss CISSP.
Without a doubt, Shon was the most kindhearted, generous, and humble person in the field. If
you knew Shon, I know you would echo that sentiment. If you did not know Shon, I hope that
through these few words, you understand why she was so special and why there had to be
another edition of this book. I have been asked several times over the last year, “Do you think
there will be another edition? The security field and CISSP certification have both changed so
much, we need another edition.” For this reason, I am excited this new edition came to be. Shon
would have wanted the book to go on helping people to be the best they can be. I believe we, as a
profession, need this book to continue. So, I am thankful that the team from McGraw-Hill and
Fernando are honoring Shon in this way and continuing her legacy. She truly deserves it. Shon,
you are missed and loved by so many. Through this book, your generous spirit lives on, helping
others.

Dr. Allen Harper, CISSP (thanks to Shon)
Executive Director, Center for Cyber Excellence, Liberty University

FOREWORD

I’m excited and honored to introduce the eighth edition of CISSP All-in-One Exam Guide to
cyber security experts worldwide. This study guide is essential for those pursuing CISSP
certification and should be part of every cyber security professional’s library.
After 39 years of service in the Profession of Arms, I know well what it means to be a
member of a profession and the importance of shared values, common language, and identity. At
the same time, expert knowledge gained through training, education, and experience is critical to
a profession, but formal certifications based on clearly articulated standards are the coin of the
realm for cyber security professionals.
In every operational assignment, I sought ways to leverage technology and increase
digitization, while assuming our freedom to operate was not at risk. Today’s threats coupled with
our vulnerabilities and the potential consequences create a new operational reality—national
security is at risk. When we enter any network, we must fight to ensure we maintain our security,
and cyber security experts are the professionals we will call on to out-think and out-maneuver
the threats we face from cyberspace.
As our world becomes more interconnected, we can expect cyber threats to continue to grow
exponentially. While our cyber workforce enabled by technology must focus on preventing
threats and reducing vulnerabilities, we will not eliminate either. This demands professionals
who understand risk management and security—experts who are trusted and committed to
creating and providing a wide range of security measures tailored to mitigate enterprise risk and
assure all missions, public and private.
Current, relevant domain expertise is the key, and the CISSP All-in-One Exam Guide is the
king of the hill. In this edition, Shon’s quality content is present and is being stewarded forward
by Fernando Maymí. You’re in good hands, and you will grow personally and professionally
from your study. As competent, trusted professionals of character, this book is essential to you,
your organization, and our national security.

Rhett Hernandez
Lieutenant General, U.S. Army Retired
Former Commander, U.S. Army Cyber Command
Current West Point Cyber Chair, Army Cyber Institute
FROM THE AUTHOR

In April 2018, (ISC)2 released a revised version of the CISSP Common Body of Knowledge
(CBK). After reviewing the changes, and in light of an ever-changing information security
landscape, we felt compelled to update the CISSP All-in-One Exam Guide and publish its eighth
edition. What are the big changes in the CBK? None, really. What this revision did was shuffle
some topics around and make some adjustments to the emphasis that previous topics receive.
Some notable changes are listed here:

• Secure coding This is probably the biggest winner. (ISC)2 is placing increased emphasis
on this critical topic. The seventh edition of this book already placed a fair amount of
emphasis on secure coding, but we updated our coverage to ensure you have the
information you need whether or not you have a background in software development.
• IoT It is noteworthy that, while the 2015 CBK included the more general terms “embedded
devices” and “cyber-physical systems,” the Internet of Things (IoT) is now being singled
out as an area of increased attention. We had already included a section on IoT security in
the previous edition and just call this out to help you prepare.
• Supply chain (ISC)2 has broadened the scope of acquisition practices to look at the entire
supply chain and has integrated this new topic with risk management. It all makes sense,
particularly in the wake of multiple incidents that have come to light in the last couple of
years highlighting the vulnerabilities that the supply chain poses to many organizations.
• Audits Whereas in the last version of the CBK this was a single topic, we now see it
broken down into internal, external, and third-party audit issues. We already covered
internal and third-party audits in the previous edition of this book, so we freshened those up
and added coverage of external audits.

The goal of this book is not just to get you to pass the CISSP exam, but to provide you the
bedrock of knowledge that will allow you to flourish as an information systems security
professional before and after you pass the certification exam. If you strive for excellence in your
own development, the CISSP certification will follow as a natural byproduct. This approach will
demand that you devote time and energy to topics and issues that may seem to have no direct or
immediate return on investment. That is OK. We each have our own areas of strength and
weakness, and many of us tend to reinforce the former while ignoring the latter. This leads to
individuals who have tremendous depth in a very specific topic, but who lack the breadth to
understand context or thrive in new and unexpected conditions. What we propose is an inversion
of this natural tendency, so that we devote appropriate amounts of effort to those areas in which
we are weakest. What we propose is that we balance the urge to be specialists with the need to be
well-rounded professionals. This is what our organizations and societies need from us.
The very definition of a profession describes a group of trusted, well-trained individuals that
performs a critical service that societies cannot do for themselves. In the case of the CISSP, this
professional ensures the availability, integrity, and confidentiality of our information systems.
This cannot be done simply by being the best firewall administrator, or the best forensic
examiner, or the best reverse engineer. Instead, our service requires a breadth of knowledge that
will allow us to choose the right tool for the job. This relevant knowledge, in turn, requires a
foundation of (apparently less relevant) knowledge upon which we can build our expertise. This
is why, in order to be competent professionals, we all need to devote ourselves to learning topics
that may not be immediately useful.
This book provides an encyclopedic treatment of both directly applicable and foundational
knowledge. It is designed, as it always was, to be both a study guide and an enduring reference.
Our hope is that, long after you obtain your CISSP certification, you will turn to this tome time
and again to brush up on your areas of weakness as well as to guide you in a lifelong pursuit of
self-learning and excellence.

Acknowledgments
We would like to thank all the people who work in the information security industry who are
driven by their passion, dedication, and a true sense of doing right. The best security people are
the ones who are driven toward an ethical outcome.
In this eighth edition, we would also like to thank the following:

• David Miller, whose work ethic, loyalty, and friendship have continuously inspired us.
• All the teammates from Logical Security.
• The men and women of our armed forces, who selflessly defend our way of life.
• Kathy Conlon, who, more than anyone else, set the conditions that led to eight editions of
this book.
• David Harris.
• Carol Remicci.
• Chris Gramling.

Most especially, we thank you, our readers, for standing on the frontlines of our digital
conflicts and for devoting your professional lives to keeping all of us safe in cyberspace.
WHY BECOME A CISSP?

As our world changes, the need for improvements in security and technology continues to grow.
Corporations and other organizations are desperate to identify and recruit talented and
experienced security professionals to help protect the resources on which they depend to run
their businesses and remain competitive. As a Certified Information Systems Security
Professional (CISSP), you will be seen as a security professional of proven ability who has
successfully met a predefined standard of knowledge and experience that is well understood and
respected throughout the industry. By keeping this certification current, you will demonstrate
your dedication to staying abreast of security developments.
Consider some of the reasons for attaining a CISSP certification:

• To broaden your current knowledge of security concepts and practices
• To demonstrate your expertise as a seasoned security professional
• To become more marketable in a competitive workforce
• To increase your salary and be eligible for more employment opportunities
• To bring improved security expertise to your current occupation
• To show a dedication to the security discipline

The CISSP certification helps companies identify which individuals have the ability,
knowledge, and experience necessary to implement solid security practices; perform risk
analysis; identify necessary countermeasures; and help the organization as a whole protect its
facility, network, systems, and information. The CISSP certification also shows potential
employers you have achieved a level of proficiency and expertise in skill sets and knowledge
required by the security industry. The increasing importance placed on security in corporate
success will only continue in the future, leading to even greater demands for highly skilled
security professionals. The CISSP certification shows that a respected third-party organization
has recognized an individual’s technical and theoretical knowledge and expertise, and
distinguishes that individual from those who lack this level of knowledge.
Understanding and implementing security practices is an essential part of being a good
network administrator, programmer, or engineer. Job descriptions that do not specifically target
security professionals still often require that a potential candidate have a good understanding of
security concepts as well as how to implement them. Due to staff size and budget constraints,
many organizations can’t afford separate network and security staffs. But they still believe
security is vital to their organization. Thus, they often try to combine knowledge of technology
and security into a single role. With a CISSP designation, you can put yourself head and
shoulders above other individuals in this regard.

The CISSP Exam


Because the CISSP exam covers the eight domains making up the CISSP CBK, it is often
described as being “an inch deep and a mile wide,” a reference to the fact that many questions on
the exam are not very detailed and do not require you to be an expert in every subject. However,
the questions do require you to be familiar with many different security subjects.
As of 18 December 2017, the CISSP exam comes in two versions depending on the language
in which the test is written. The English version is now a Computer Adaptive Test (CAT) in
which the number of questions you are asked depends on your measured level of knowledge but
ranges from 100 to 150. Of these, 25 questions will not count toward your score, as they are
being evaluated for inclusion in future exams (this is why they are sometimes called pre-test
questions). Essentially, the easier it is for the test software to determine your level of proficiency,
the fewer questions you’ll get. Regardless of how many questions you are presented, though, you
will have no more than three hours to complete the test. When the system has successfully
assessed your level of knowledge, the test will end regardless of how long you’ve been at it.

EXAM TIP CAT questions are intentionally designed to “feel” hard (based on the system’s
estimate of your knowledge), so don’t be discouraged. Just don’t get bogged down, because
you must answer at least 100 questions in three hours.

The non-English version of the CISSP exam is also computer-based but not adaptive and
comprises 250 questions, which must be answered in no more than six hours. Like the CAT
version, 25 questions are pre-test (unscored), so you will be graded on the other 225 questions.
The 25 research questions are integrated into the exam, so you won’t know which go toward
your final grade. To pass the exam, you need a scale score of 700 points out of 1,000.
Regardless of which version of the exam you take, you can expect multiple choice and
innovative questions. Innovative questions incorporate drag-and-drop (i.e., take a term or item
and drag it to the correct position in the frame) or hotspot (i.e., click the item or term that
correctly answers the question) interfaces, but are otherwise weighed and scored just like any
other question. The questions are pulled from a much larger question bank to ensure the exam is
as unique as possible for each examinee. In addition, the test bank constantly changes and
evolves to more accurately reflect the real world of security. The exam questions are continually
rotated and replaced in the bank as necessary. Questions are weighted based on their difficulty;
not all questions are worth the same number of points. The exam is not product or vendor
oriented, meaning no questions will be specific to certain products or vendors (for instance,
Windows, Unix, or Cisco). Instead, you will be tested on the security models and methodologies
used by these types of systems.

EXAM TIP There is no penalty for guessing. If you can’t come up with the right answer in a
reasonable amount of time, then you should guess and move on to the next question.
(ISC)2, which stands for International Information Systems Security Certification Consortium,
also includes scenario-based questions in the CISSP exam. These questions present a short
scenario to the test taker rather than asking the test taker to identify terms and/or concepts. The
goal of the scenario-based questions is to ensure that test takers not only know and understand
the concepts within the CBK but also can apply this knowledge to real-life situations. This is
more practical because in the real world, you won’t be challenged by having someone asking
you, “What is the definition of collusion?” You need to know how to detect and prevent
collusion from taking place, in addition to knowing the definition of the term.
After passing the exam, you will be asked to supply documentation, supported by a sponsor,
proving that you indeed have the type of experience required to obtain this certification. The
sponsor must sign a document vouching for the security experience you are submitting. So, make
sure you have this sponsor lined up prior to registering for the exam and providing payment. You
don’t want to pay for and pass the exam, only to find you can’t find a sponsor for the final step
needed to achieve your certification.
The reason behind the sponsorship requirement is to ensure that those who achieve the
certification have real-world experience to offer organizations. Book knowledge is extremely
important for understanding theory, concepts, standards, and regulations, but it can never replace
hands-on experience. Proving your practical experience supports the relevance of the
certification.
A small sample group of individuals selected at random will be audited after passing the
exam. The audit consists mainly of individuals from (ISC)2 calling on the candidates’ sponsors
and contacts to verify the test taker’s related experience.
One of the factors that makes the CISSP exam challenging is that most candidates, although
they work in the security field, are not necessarily familiar with all eight CBK domains. If a
security professional is considered an expert in vulnerability testing or application security, for
example, she may not be familiar with physical security, cryptography, or forensics. Thus,
studying for this exam will broaden your knowledge of the security field.
The exam questions address the eight CBK security domains, which are described in Table 1.
Table 1 Security Domains That Make Up the CISSP CBK

(ISC)2 attempts to keep up with changes in technology and methodologies in the security field
by adding numerous new questions to the test question bank each year. These questions are
based on current technologies, practices, approaches, and standards. For example, the CISSP
exam given in 1998 did not have questions pertaining to wireless security, cross-site scripting
attacks, or IPv6.

What Does This Book Cover?


This book covers everything you need to know to become an (ISC)2-certified CISSP. It teaches
you the hows and whys behind organizations’ development and implementation of policies,
procedures, guidelines, and standards. It covers network, application, and system vulnerabilities;
what exploits them; and how to counter these threats. The book explains physical security,
operational security, and why systems implement the security mechanisms they do. It also
reviews the U.S. and international security criteria and evaluations performed on systems for
assurance ratings, what these criteria mean, and why they are used. This book also explains the
legal and liability issues that surround computer systems and the data they hold, including such
subjects as computer crimes, forensics, and what should be done to properly prepare computer
evidence associated with these topics for court.
While this book is mainly intended to be used as a study guide for the CISSP exam, it is also a
handy reference guide for use after your certification.

Tips for Taking the CISSP Exam


Many people feel as though the exam questions are tricky. Make sure to read each question and
its answer choices thoroughly instead of reading a few words and immediately assuming you
know what the question is asking. Some of the answer choices may have only subtle differences,
so be patient and devote time to reading through the question more than once.
A common complaint heard about the CISSP exam is that some questions seem a bit
subjective. For example, whereas it might be easy to answer a technical question that asks for the
exact mechanism used in Transport Layer Security (TLS) that protects against man-in-the-middle
attacks, it’s not quite as easy to answer a question that asks whether an eight-foot perimeter fence
provides low, medium, or high security. Many questions ask the test taker to choose the “best”
approach, which some people find confusing and subjective. These complaints are mentioned
here not to criticize (ISC)2 and the exam writers, but to help you better prepare for the exam.
This book covers all the necessary material for the exam and contains many questions and self-
practice tests. Most of the questions are formatted in such a way as to better prepare you for what
you will encounter on the actual exam. So, make sure to read all the material in the book, and
pay close attention to the questions and their formats. Even if you know the subject well, you
may still get some answers wrong—it is just part of learning how to take tests.
In answering many questions, it is important to keep in mind that some things are inherently
more valuable than others. For example, the protection of human lives and welfare will almost
always trump all other responses. Similarly, if all other factors are equal and you are given a
choice between an expensive and complex solution and a simpler and cheaper one, the second
will win most of the time. Expert advice (e.g., from an attorney) is more valuable than that
offered by someone with lesser credentials. If one of the possible responses to a question is to
seek or obtain advice from an expert, pay close attention to that question. The correct response
may very well be to seek out that expert.
Familiarize yourself with industry standards and expand your technical knowledge and
methodologies outside the boundaries of what you use today. We cannot stress enough that just
because you are the top dog in your particular field, it doesn’t mean you are properly prepared
for every domain the exam covers.
When you take the CISSP exam at the Pearson VUE test center, other certification exams may
be taking place simultaneously in the same room. Don’t feel rushed if you see others leaving the
room early; they may be taking a shorter exam.

How to Use This Book


Much effort has gone into putting all the necessary information into this book. Now it’s up to
you to study and understand the material and its various concepts. To best benefit from this book,
you might want to use the following study method:

• Study each chapter carefully and make sure you understand each concept presented. Many
concepts must be fully understood, and glossing over a couple here and there could be
detrimental to you. The CISSP CBK contains hundreds of individual topics, so take the
time needed to understand them all.
• Make sure to study and answer all of the questions. If any questions confuse you, go back
and study those sections again. Remember, some of the questions on the actual exam are a
bit confusing because they do not seem straightforward. Do not ignore the confusing
questions, thinking they’re not well worded. Instead, pay even closer attention to them
because they are there for a reason.
• If you are not familiar with specific topics, such as firewalls, laws, physical security, or
protocol functionality, use other sources of information (books, articles, and so on) to attain
a more in-depth understanding of those subjects. Don’t just rely on what you think you
need to know to pass the CISSP exam.
• After reading this book, study the questions and answers, and take the practice tests. Then
review the (ISC)2 exam outline and make sure you are comfortable with each bullet item
presented. If you are not comfortable with some items, revisit those chapters.
• If you have taken other certification exams—such as Cisco, Novell, or Microsoft—you
might be used to having to memorize details and configuration parameters. But remember,
the CISSP test is “an inch deep and a mile wide,” so make sure you understand the
concepts of each subject before trying to memorize the small, specific details.
• Remember that the exam is looking for the “best” answer. On some questions test takers do
not agree with any or many of the answers. You are being asked to choose the best answer
out of the four being offered to you.
