Mike Chapple - (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide


(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide: summary, description and annotation


CISSP Study Guide – fully updated for the 2021 CISSP Body of Knowledge

(ISC)2 Certified Information Systems Security Professional (CISSP) Official Study Guide, 9th Edition

The three co-authors of this book bring decades of experience as cybersecurity practitioners and educators, integrating real-world expertise with the practical knowledge you’ll need to successfully pass the CISSP exam. Combined, they’ve taught cybersecurity concepts to millions of students through their books, video courses, and live training programs.

Along with the book, you also get access to Sybex's superior online interactive learning environment that includes:

Over 900 new and improved practice test questions with complete answer explanations. This includes all of the questions from the book plus four additional online-only practice exams, each with 125 unique questions. You can use the online-only practice exams as full exam simulations. Our questions will help you identify where you need to study more. Get more than 90 percent of the answers correct, and you're ready to take the certification exam.
More than 700 Electronic Flashcards to reinforce your learning and give you last-minute test prep before the exam
A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam

Author Mike Chapple reads the Exam Essentials for each chapter providing you with 2 hours and 50 minutes of new audio review for yet another way to reinforce your knowledge as you prepare. Coverage of all of the exam topics in the book means you'll be ready for:

Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide: read the preview excerpt online


32 Appendix B: Answers to Written Labs
Chapter 1: Security Governance Through Principles and Policies
Chapter 2: Personnel Security and Risk Management Concepts
Chapter 3: Business Continuity Planning
Chapter 4: Laws, Regulations, and Compliance
Chapter 5: Protecting Security of Assets
Chapter 6: Cryptography and Symmetric Key Algorithms
Chapter 7: PKI and Cryptographic Applications
Chapter 8: Principles of Security Models, Design, and Capabilities
Chapter 9: Security Vulnerabilities, Threats, and Countermeasures
Chapter 10: Physical Security Requirements
Chapter 11: Secure Network Architecture and Components
Chapter 12: Secure Communications and Network Attacks
Chapter 13: Managing Identity and Authentication
Chapter 14: Controlling and Monitoring Access
Chapter 15: Security Assessment and Testing
Chapter 16: Managing Security Operations
Chapter 17: Preventing and Responding to Incidents
Chapter 18: Disaster Recovery Planning
Chapter 19: Investigations and Ethics
Chapter 20: Software Development Security
Chapter 21: Malicious Code and Application Attacks

33 Index

34 End User License Agreement

List of Tables

1 Chapter 2
TABLE 2.1 Comparison of quantitative and qualitative risk analysis
TABLE 2.2 Quantitative risk analysis formulas

2 Chapter 5
TABLE 5.1 Securing email data
TABLE 5.2 Unmodified data within a database
TABLE 5.3 Masked data

3 Chapter 6
TABLE 6.1 AND operation truth table
TABLE 6.2 OR operation truth table
TABLE 6.3 NOT operation truth table
TABLE 6.4 Exclusive OR operation truth table
TABLE 6.5 Using the Vigenère system
TABLE 6.6 The encryption operation
TABLE 6.7 Symmetric and asymmetric key comparison
TABLE 6.8 Comparison of symmetric and asymmetric cryptography systems
TABLE 6.9 Symmetric encryption memorization chart

4 Chapter 7
TABLE 7.1 Hash algorithm memorization chart
TABLE 7.2 Digital certificate formats

5 Chapter 8
TABLE 8.1 Subjects and objects
TABLE 8.2 Fail terms definitions related to physical and digital products
TABLE 8.3 An access control matrix
TABLE 8.4 Common Criteria evaluation assurance levels

6 Chapter 10
TABLE 10.1 Static voltage and damage
TABLE 10.2 Fire extinguisher classes

7 Chapter 11
TABLE 11.1 IP classes
TABLE 11.2 IP classes' default subnet masks
TABLE 11.3 802.11 wireless networking amendments
TABLE 11.4 UTP categories

8 Chapter 12
TABLE 12.1 Common load-balancing scheduling techniques
TABLE 12.2 Circuit switching vs. packet switching
TABLE 12.3 Bandwidth levels of SDH and SONET

List of Illustrations

1 Chapter 1
FIGURE 1.1 The CIA Triad
FIGURE 1.2 The five elements of AAA services
FIGURE 1.3 Strategic, tactical, and operational plan timeline comparison
FIGURE 1.4 An example of diagramming to reveal threat concerns
FIGURE 1.5 A risk matrix or risk heat map

2 Chapter 2
FIGURE 2.1 Ex-employees must return all company property.
FIGURE 2.2 The cyclical relationships of risk elements
FIGURE 2.3 The six major elements of quantitative risk analysis
FIGURE 2.4 The categories of security controls in a defense-in-depth impleme...
FIGURE 2.5 The elements of the risk management framework (RMF) (from NIST SP...

3 Chapter 3
FIGURE 3.1 Earthquake hazard map of the United States

4 Chapter 5
FIGURE 5.1 Data classifications
FIGURE 5.2 Clearing a hard drive

5 Chapter 6
FIGURE 6.1 Challenge-response authentication protocol
FIGURE 6.2 The magic door
FIGURE 6.3 Symmetric key cryptography
FIGURE 6.4 Asymmetric key cryptography

6 Chapter 7
FIGURE 7.1 Asymmetric key cryptography
FIGURE 7.2 Steganography tool
FIGURE 7.3 Image with embedded message

7 Chapter 8
FIGURE 8.1 Transitive trust
FIGURE 8.2 The TCB, security perimeter, and reference monitor
FIGURE 8.3 The take-grant model's directed graph
FIGURE 8.4 The Bell–LaPadula model
FIGURE 8.5 The Biba model
FIGURE 8.6 Memorizing Bell–LaPadula and Biba
FIGURE 8.7 The Clark–Wilson model

8 Chapter 9
FIGURE 9.1 The four-layer protection ring model
FIGURE 9.2 The lifecycle of an executed process
FIGURE 9.3 Types of hypervisors
FIGURE 9.4 Application containers versus a hypervisor

9 Chapter 10
FIGURE 10.1 A smartcard's ISO 7816 interface
FIGURE 10.2 Hot and cold aisles
FIGURE 10.3 The fire triangle
FIGURE 10.4 The four primary stages of fire
FIGURE 10.5 A secure physical boundary with an access control vestibule and ...

10 Chapter 11
FIGURE 11.1 The OSI model
FIGURE 11.2 OSI model encapsulation
FIGURE 11.3 The OSI model peer layer logical channels
FIGURE 11.4 OSI model layer-based network container names
FIGURE 11.5 Comparing the OSI model with the TCP/IP model
FIGURE 11.6 The TCP three-way handshake
FIGURE 11.7 An RFID antenna
FIGURE 11.8 The configuration dialog boxes for a transparent (left) vs. a no...
FIGURE 11.9 A ring topology
FIGURE 11.10 A linear bus topology and a tree bus topology
FIGURE 11.11 A star topology
FIGURE 11.12 A mesh topology

11 Chapter 12
FIGURE 12.1 IPsec's encryption of a packet in transport mode
FIGURE 12.2 IPsec's encryption of a packet in tunnel mode
FIGURE 12.3 Two LANs being connected using a tunnel-mode VPN across the inte...
FIGURE 12.4 A client connecting to a network via a remote-access/tunnel VPN ...

12 Chapter 13
FIGURE 13.1 Graph of FRR and FAR errors indicating the CER point

13 Chapter 14
FIGURE 14.1 Role-Based Access Control
FIGURE 14.2 A representation of the boundaries provided by lattice-based acc...
FIGURE 14.3 Wireshark capture

14 Chapter 15
FIGURE 15.1 Nmap scan of a web server run from a Linux system
FIGURE 15.2 Default Apache server page running on the server scanned in Figu...
FIGURE 15.3 Nmap scan of a large network run from a Mac system using the Ter...
FIGURE 15.4 Network vulnerability scan of the same web server that was port ...
FIGURE 15.5 Web application vulnerability scan of the same web server that w...
FIGURE 15.6 Scanning a database-backed application with sqlmap
FIGURE 15.7 Penetration testing process
FIGURE 15.8 The Metasploit Framework automated system exploitation tool allo...
FIGURE 15.9 Fagan inspections follow a rigid formal process, with defined en...
FIGURE 15.10 Prefuzzing input file containing a series of 1s
FIGURE 15.11 The input file from Figure 15.10 after being run through the zz...

15 Chapter 16
FIGURE 16.1 Cloud shared responsibility model
FIGURE 16.2 Creating and deploying images
FIGURE 16.3 Web server and database server

16 Chapter 17
FIGURE 17.1 Incident management
FIGURE 17.2 SYN flood attack
FIGURE 17.3 A man-in-the-middle attack
FIGURE 17.4 Intrusion prevention system
FIGURE 17.5 Viewing a log entry

17 Chapter 18
FIGURE 18.1 Seismic hazard map
FIGURE 18.2 Flood hazard map for Miami–Dade County, Florida
FIGURE 18.3 Failover cluster with network load balancing

18 Chapter 20
FIGURE 20.1 RStudio Desktop IDE
FIGURE 20.2 Security vs. user-friendliness vs. functionality
FIGURE 20.3 The iterative lifecycle model with feedback loop
FIGURE 20.4 The spiral lifecycle mode
FIGURE 20.5 Software Assurance Maturity Model
FIGURE 20.6 The IDEAL model
FIGURE 20.7 Gantt chart
FIGURE 20.8 The DevOps model
FIGURE 20.9 Hierarchical data model
FIGURE 20.10 Customers table from a relational database
FIGURE 20.11 ODBC as the interface between applications and a back-end datab...

19 Chapter 21
FIGURE 21.1 Account number input page
FIGURE 21.2 Account information page
FIGURE 21.3 Account information page after blind SQL injection
FIGURE 21.4 Account creation page
FIGURE 21.5 Example web server directory structure
FIGURE 21.6 Message board post rendered in a browser
FIGURE 21.7 XSS attack rendered in a browser
FIGURE 21.8 Web application firewall
FIGURE 21.9 SQL error disclosure

