Eleventh Hour CISSP: Study Guide, Third Edition provides readers with a study guide on the most current version of the Certified Information Systems Security Professional exam. This book is streamlined to include only core certification information, and is presented for ease of last-minute studying. Main objectives of the exam are covered concisely with key concepts highlighted.
The CISSP certification is the most prestigious, globally-recognized, vendor neutral exam for information security professionals. Over 100,000 professionals are certified worldwide, with many more joining their ranks. This new third edition is aligned to cover all of the material in the most current version of the exam’s Common Body of Knowledge. All domains are covered as completely and concisely as possible, giving users the best possible chance of acing the exam.
- Completely updated for the most current version of the exam’s Common Body of Knowledge
- Provides the only guide you need for last-minute studying
- Answers the toughest questions and highlights core topics
- Streamlined for maximum efficiency of study, making it ideal for professionals updating their certification or for those taking the test for the first time
Edition description: Study Guide
Product dimensions: 7.40(w) x 9.20(h) x 0.70(d)
About the Author
Eric Conrad (CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GAWN, GSEC, Security+), is a SANS-certified instructor and President of Backshore Communications, which provides information warfare, penetration testing, incident handling, and intrusion detection consulting services. Eric started his professional career in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and healthcare, in positions ranging from systems programmer to security engineer to HIPAA security officer and ISSO. He has taught more than a thousand students in courses such as SANS Management 414: CISSP, Security 560: Network Penetration Testing and Ethical Hacking, and Security 504: Hacker Techniques, Exploits, and Incident Handling. Eric graduated from the SANS Technology Institute with a Master of Science degree in Information Security Engineering.
Seth Misenar (CISSP, GPEN, GCIH, GCIA, GCFA, GWAPT, GCWN, GSEC, MCSE, MCDBA), is a certified instructor with the SANS Institute and serves as lead consultant for Context Security, which is based in Jackson, Mississippi. His background includes security research, network and Web application penetration testing, vulnerability assessment, regulatory compliance, security architecture design, and general security consulting. Seth previously served as a physical and network security consultant for Fortune 100 companies and as the HIPAA and information security officer for a state government agency. He teaches a variety of courses for the SANS Institute, including Security Essentials, Web Application Penetration Testing, Hacker Techniques, and the CISSP course.
Seth is pursuing a Master of Science degree in Information Security Engineering from the SANS Technology Institute and holds a Bachelor of Science degree from Millsaps College, Jackson, Mississippi.
Joshua Feldman (CISSP), is currently employed by SAIC, Inc. He has been involved in the Defense Information Systems Agency (DISA) Information Assurance Education, Training, and Awareness program since 2002, where he has contributed to a variety of DoD-wide Information Assurance and Cyber Security policies, specifically the 8500.2 and 8570 series. Joshua has taught more than a thousand DoD students through his "DoD IA Boot Camp" course. He is a subject matter expert for the Web-based DoD Information Assurance Awareness training that every DoD user is required to complete yearly as part of his or her security awareness curriculum. He is also a regular presenter and panel member at the annual Information Assurance Symposium hosted jointly by DISA and NSA. Before joining the support team at DoD/DISA, Joshua spent time as an IT security engineer at the Department of State's Bureau of Diplomatic Security. He got his start in the IT security field with NFR Security Software, a company that manufactures Intrusion Detection Systems. There, he worked as both a trainer and an engineer, implementing IDS technologies and instructing customers in how to properly configure them.
Read an Excerpt
Eleventh Hour CISSP Study Guide
By Eric Conrad
SYNGRESS
Copyright © 2011 Elsevier Inc.
All rights reserved.
Chapter One
Domain 1: Information Security Governance and Risk Management
Exam Objectives in this Chapter
* Risk analysis
* Information security governance
Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to mitigate them. We work in various roles as firewall engineers, penetration testers, auditors, management, and the like. The common thread is risk: It is part of our job description.
The Information Security Governance and Risk Management domain focuses on risk analysis and mitigation. It also details security governance, or the organizational structure required for a successful information security program. The difference between organizations that are successful and those that fail in this realm is usually not tied to dollars or staff size: it is tied to having the right people in the right roles. Knowledgeable and experienced information security staff and supportive and vested leadership are the keys to success.
Speaking of leadership, learning to speak the language of leaders is another key to personal success in this industry. The ability to effectively communicate information security concepts with C-level executives is a rare and needed skill. This domain also helps you speak this language by discussing risk in terms such as Total Cost of Ownership (TCO) and Return on Investment (ROI).
All information security professionals assess risk: We do it so often that it becomes second nature. A patch is released on a Tuesday. Your company normally tests for two weeks before installing, but a network-based worm is spreading on the Internet that infects unpatched systems. If you install the patch now, you risk downtime due to lack of testing. If you wait to test, you risk infection by the worm. What is the bigger risk? What should you do? Risk Analysis (RA) will help you decide.
The average person does a poor job of accurately analyzing risk: If you fear the risk of dying while traveling and, to mitigate that risk, drive from New York to Florida instead of flying, you have done a poor job of analyzing risk. It is far riskier, per mile, to travel by car than by airplane when considering the risk of death while traveling.
Accurate Risk Analysis is a critical skill for an information security professional. We must hold ourselves to a higher standard when judging risk. Our risk decisions dictate which safeguards we deploy to protect our assets, and the amount of money and resources we spend doing so. Poor decisions result in wasted money or, even worse, compromised data.
Assets are the valuable resources you are trying to protect. They can be data, systems, people, buildings, property, and so forth. The value or criticality of the asset dictates the safeguards you deploy. People are your most valuable asset.
Threats and Vulnerabilities
A threat is a potentially harmful occurrence, such as an earthquake, a power outage, or a network-based worm like Conficker (aka Downadup or Kido; see www.microsoft.com/security/worms/Conficker.aspx), which began attacking Microsoft Windows operating systems in late 2008. A threat is a negative action that may harm a system.
A vulnerability is a weakness that allows a threat to cause harm. Examples of vulnerabilities (matching our previous threats) are buildings that are not built to withstand earthquakes, a data center without proper backup power, or a Microsoft Windows XP system that has not been patched in a few years.
A networked Microsoft Windows system is vulnerable to Conficker if it lacks the vendor patch for the flaw the worm exploits, if it automatically runs software on a USB token when one is inserted, or if it has a network share with a weak password. If any of those three conditions is true, you have risk. A Linux system has no vulnerability to Conficker and therefore runs no risk from it.
Risk = Threat x Vulnerability
To have risk, a threat must connect to a vulnerability. This relationship is stated by the formula:
Risk = Threat x Vulnerability
You can assign a value to specific risks using this formula: give both the threat and the vulnerability a number. A common range is 1 through 5 (the range is arbitrary; just keep it consistent when comparing different risks).
The "Risk = Threat x Vulnerability" equation sometimes uses an added variable, impact: "Risk = Threat x Vulnerability x Impact." Impact is the severity of the damage, sometimes expressed in dollars, which is why Risk = Threat x Vulnerability x Cost is sometimes used. A synonym for impact is consequences.
Risk Analysis Matrix
The Risk Analysis Matrix uses a quadrant to map the likelihood of a risk occurring against the consequences (or impact) that the risk would have. The Australia/New Zealand 4360 Standard on Risk Management (AS/NZS 4360, see www.standards.org.au) describes the Risk Analysis Matrix, which is shown in Table 1.1.
The Risk Analysis Matrix allows you to perform Qualitative Risk Analysis (see the section Qualitative and Quantitative Risk Analysis to come) based on likelihood (from rare to almost certain) and consequences, or impact (from insignificant to catastrophic). The resulting risk scores are Low (L), Medium (M), High (H), and Extreme (E). Low risks are handled via normal processes; medium risks require management notification; high risks require senior management notification; and extreme risks require immediate action, including a detailed mitigation plan (and senior management notification).
The goal of the matrix is to identify high-likelihood/high-consequence risks (upper right quadrant of Table 1.1) and drive them down to the low-likelihood/ low-consequence level (lower left quadrant).
Calculating Annualized Loss Expectancy
The Annualized Loss Expectancy (ALE) calculation allows you to determine the annual cost of a loss due to a given risk. Once calculated, ALE allows you to make informed decisions to mitigate the risk.
This section uses an example of risk due to lost or stolen unencrypted laptops. Assume that your company has 1000 laptops that contain Personally Identifiable Information (PII). You are the Security Officer, and your concern is the risk of exposure of PII due to the laptops' misplacement or theft. You want to purchase and deploy a laptop encryption solution. The solution is expensive, so you need to convince management that it is worthwhile.
The Asset Value (AV) is the value of the asset you are trying to protect. In this example, each laptop costs $2,500, but the real value is in the PII it contains. Theft of unencrypted PII occurred previously and cost the company many times the value of the laptops in regulatory fines, bad publicity, legal fees, staff hours spent investigating, and so forth. The true average Asset Value of a laptop with PII for this example is $25,000 ($2,500 for the hardware and $22,500 for the exposed PII).
The Exposure Factor (EF) is the percentage of value lost by an asset because of an incident. In the case of a stolen laptop with unencrypted PII, the Exposure Factor is 100%: The laptop and all the data are gone.
SINGLE LOSS EXPECTANCY
The Single Loss Expectancy (SLE) is the cost of a single loss. SLE is the Asset Value (AV) times the Exposure Factor (EF). In our case, SLE is $25,000 (Asset Value) times 100% (Exposure Factor), or $25,000.
ANNUAL RATE OF OCCURRENCE
The Annual Rate of Occurrence (ARO) is the number of losses you suffer per year. Looking through past events, you discover that you have suffered 11 lost or stolen laptops per year on average, so your ARO is 11.
ANNUALIZED LOSS EXPECTANCY
The Annualized Loss Expectancy (ALE) is your yearly cost due to a risk. It is calculated by multiplying the Single Loss Expectancy (SLE) times the Annual Rate of Occurrence (ARO). In our case it is $25,000 (SLE) times 11 (ARO), or $275,000.
Table 1.2 summarizes the equations used to determine Annualized Loss Expectancy.
Total Cost of Ownership
The Total Cost of Ownership (TCO) is the total cost of a mitigating safeguard. It combines upfront costs (often one-time capital expenses) and annual cost of maintenance, including staff hours, vendor maintenance fees, software subscriptions, and so forth. These ongoing costs are usually considered operational expenses.
Using our laptop encryption example, the upfront cost of laptop encryption software is $100/laptop, or $100,000 for 1,000 laptops. The vendor charges a 10% annual support fee, or $10,000/year. You estimate that it will take 4 staff hours per laptop to install the software, or 4,000 staff hours in total. The staff that performs this work makes $50/hour plus benefits; including benefits, the loaded cost is $70/hour, so the staff cost is $70 times 4,000 hours, or $280,000.
Your company uses a three-year technology refresh cycle, so you calculate the Total Cost of Ownership over three years:
* Software cost: $100,000
* Three years of vendor support: $10,000 x 3 = $30,000
* Hourly staff cost: $280,000
* Total Cost of Ownership over three years: $410,000
* Total Cost of Ownership per year: $410,000/3 = $136,667/year
Your Annual Total Cost of Ownership for the laptop encryption project is $136,667 per year.
Return on Investment
The Return on Investment (ROI) is the amount of money a safeguard saves per year after its own cost is subtracted: the reduction in Annualized Loss Expectancy (ALE) that the safeguard produces, minus its annual Total Cost of Ownership (TCO). If the annual TCO is less than the ALE the safeguard removes, you have a positive ROI (and have made a good choice). If the TCO is higher than the loss it prevents, you have made a poor choice. Note that the comparison is against the ALE reduction, not the whole ALE: a safeguard that only trims a small share of the loss can look worthwhile against the full ALE and still lose money.
The annual TCO of laptop encryption is $136,667; the Annualized Loss Expectancy for lost or stolen unencrypted laptops is $275,000. The math is summarized in Table 1.3.
Implementing laptop encryption will change the Exposure Factor. The laptop hardware is worth $2,500, and the exposed PII costs an additional $22,500, for a $25,000 Asset Value. If an unencrypted laptop is lost or stolen, the EF is 100% (the hardware and all data are exposed). Laptop encryption mitigates the PII exposure risk, lowering the exposure factor from 100% (the laptop and all data) to 10% (just the laptop hardware).
The lower Exposure Factor lowers the Annualized Loss Expectancy from $275,000 to $27,500, as shown in Table 1.4.
You will save $247,500/year (the old ALE, $275,000, minus the new ALE, $27,500) by making an investment of $136,667. Your ROI is $110,833 per year ($247,500 minus $136,667). The laptop encryption project has a positive ROI and is a wise investment.
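As an added worked example (not code from the book), the following Python puts the Asset Value, Exposure Factor, SLE, ARO, ALE, TCO and ROI definitions above into one small model and reproduces the laptop figures. It assumes, as the chapter does, that encryption leaves the ARO at 11 and that $70/hour is the fully loaded staff cost; the `break_even_aro` function goes beyond the text and shows the loss rate below which the same safeguard would no longer pay for itself.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """Quantitative risk inputs for one class of asset, in the book's terms."""
    asset_value: float       # AV: hardware plus the value of the data on it
    exposure_factor: float   # EF: fraction of AV lost per incident, 0.0 to 1.0
    annual_rate: float       # ARO: expected incidents per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("asset value and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """Cost of a mitigating control spread over the technology refresh cycle."""
    upfront: float             # one-time capital expense (licences)
    annual_recurring: float    # vendor support, subscriptions (opex)
    labor_hours: float         # staff hours to deploy
    loaded_hourly_rate: float  # wages plus benefits
    lifetime_years: int        # refresh cycle the cost is spread over

    @property
    def total_cost(self) -> float:
        return (self.upfront
                + self.annual_recurring * self.lifetime_years
                + self.labor_hours * self.loaded_hourly_rate)

    @property
    def annual_tco(self) -> float:
        return self.total_cost / self.lifetime_years


def annual_roi(before: Exposure, after: Exposure, control: Safeguard) -> float:
    """Yearly return = (ALE before - ALE after) - annual TCO.

    TCO is compared with the loss the control actually removes, not with
    the whole ALE, so a control that barely lowers EF is not flattered."""
    return (before.ale - after.ale) - control.annual_tco


def break_even_aro(before: Exposure, after: Exposure, control: Safeguard) -> float:
    """Incidents per year at which the control exactly pays for itself.

    Below this rate the safeguard costs more than the loss it prevents,
    assuming the same EF reduction per incident."""
    sle_reduction = before.sle - after.sle
    if sle_reduction <= 0:
        raise ValueError("safeguard does not reduce the single loss expectancy")
    return control.annual_tco / sle_reduction


# Inputs taken from the book's laptop example: 1000 laptops holding PII.
LAPTOPS = 1000
AV = 2_500 + 22_500          # hardware plus the cost of exposed PII
UNENCRYPTED = Exposure(asset_value=AV, exposure_factor=1.00, annual_rate=11)
ENCRYPTED = Exposure(asset_value=AV, exposure_factor=0.10, annual_rate=11)
ENCRYPTION = Safeguard(
    upfront=100 * LAPTOPS,                  # $100 per seat
    annual_recurring=0.10 * 100 * LAPTOPS,  # 10% support fee on the licences
    labor_hours=4 * LAPTOPS,                # 4 staff hours per laptop
    loaded_hourly_rate=70,                  # $50 wages plus benefits (assumed loaded rate)
    lifetime_years=3,
)

if __name__ == "__main__":
    print(f"ALE, unencrypted: ${UNENCRYPTED.ale:,.0f}")
    print(f"ALE, encrypted:   ${ENCRYPTED.ale:,.0f}")
    print(f"Annual TCO:       ${ENCRYPTION.annual_tco:,.0f}")
    print(f"Annual ROI:       ${annual_roi(UNENCRYPTED, ENCRYPTED, ENCRYPTION):,.0f}")
    print(f"Break-even ARO:   {break_even_aro(UNENCRYPTED, ENCRYPTED, ENCRYPTION):.2f} laptops/year")
```

The model reproduces the chapter's $275,000 and $27,500 ALEs and its rounded $136,667 TCO and $110,833 ROI. The break-even figure (about 6.07 lost laptops per year) is the kind of sensitivity check worth showing management alongside the headline ROI: the decision holds as long as the historical ARO of 11 is not badly overstated.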
Once we have assessed risk, we must decide what to do. Options include accepting the risk, mitigating or eliminating it, transferring it, and avoiding it.
ACCEPT THE RISK
Some risks may be accepted: In certain cases, it is cheaper to leave an asset unprotected from a specific risk rather than make the effort (and spend the money) required to protect it. This cannot be an ignorant decision: The risk, and all options, must be considered before you can accept it.
Risk Acceptance Criteria
Low-likelihood/low-consequence risks are candidates for risk acceptance. High and Extreme risks are not. There are cases, such as data protected by laws or regulations or risk to human life or safety, where accepting the risk is not an option.
MITIGATE THE RISK
Mitigating the risk means lowering it to an acceptable level. The laptop encryption example given previously in the Annualized Loss Expectancy section is an example of risk mitigation. The risk of lost PII due to stolen laptops was mitigated by encrypting the data on them. It was not eliminated entirely: A weak or exposed encryption password could expose the PII, but the risk was reduced to an acceptable level.
In some cases it is possible to remove the risk entirely: this is called eliminating it.
TRANSFER THE RISK
Risk transfer is the "insurance model." Most people do not assume the risk of fire to their house: They pay an insurance company to assume that risk for them.
AVOID THE RISK
A thorough Risk Analysis should be completed before taking on a new project. If it discovers high or extreme risks that cannot be easily mitigated, avoiding the risk (and the project) may be the best option.
Excerpted from Eleventh Hour CISSP by Eric Conrad. Copyright © 2011 by Elsevier Inc. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Table of Contents
Chapter 1: Domain 1: Security risk management
Chapter 2: Domain 2: Asset security
Chapter 3: Domain 3: Security engineering
Chapter 4: Domain 4: Communication and network security
Chapter 5: Domain 5: Identity and access management (controlling access and managing identity)
Chapter 6: Domain 6: Security assessment and testing
Chapter 7: Domain 7: Security operations
Chapter 8: Domain 8: Software development security