CISSP Cert Guide, 4th Edition, by Robin Abernathy and Darren R. Hayes
Product details:
ISBN 10: 0137507593
ISBN 13: 9780137507597
Author: Robin Abernathy; Darren R. Hayes
Table of Contents:
Chapter 1 Security and Risk Management
Security Terms
CIA
Confidentiality
Integrity
Availability
Auditing and Accounting
Non-repudiation
Default Security Posture
Defense in Depth
Abstraction
Data Hiding
Encryption
Security Governance Principles
Security Function Alignment
Organizational Strategies and Goals
Organizational Mission and Objectives
Business Case
Security Budget, Metrics, and Efficacy
Resources
Organizational Processes
Acquisitions and Divestitures
Governance Committees
Organizational Roles and Responsibilities
Board of Directors
Management
Audit Committee
Data Owner
Data Custodian
System Owner
System Administrator
Security Analyst
Application Owner
Supervisor
User
Auditor
Security Control Frameworks
ISO/IEC 27000 Series
Zachman Framework
The Open Group Architecture Framework (TOGAF)
Department of Defense Architecture Framework (DoDAF)
British Ministry of Defence Architecture Framework (MODAF)
Sherwood Applied Business Security Architecture (SABSA)
Control Objectives for Information and Related Technology (COBIT)
National Institute of Standards and Technology (NIST) Special Publication (SP) 800 Series
HITRUST CSF
CIS Critical Security Controls
Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework
Computer Crime Concepts
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Information Technology Infrastructure Library (ITIL)
Six Sigma
Capability Maturity Model Integration (CMMI)
CCTA Risk Analysis and Management Method (CRAMM)
Top-Down Versus Bottom-Up Approach
Security Program Life Cycle
Due Care and Due Diligence
Compliance
Contractual, Legal, Industry Standards, and Regulatory Compliance
Privacy Requirements Compliance
Legal and Regulatory Issues
Computer-Assisted Crime
Computer-Targeted Crime
Incidental Computer Crime
Computer Prevalence Crime
Hackers Versus Crackers
Computer Crime Examples
Major Legal Systems
Civil Law
Common Law
Criminal Law
Civil/Tort Law
Administrative/Regulatory Law
Customary Law
Religious Law
Mixed Law
Licensing and Intellectual Property
Patent
Civil
Trade Secret
Trademark
Copyright
Software Piracy and Licensing Issues
Internal Protection
Digital Rights Management (DRM)
Cyber Crimes and Data Breaches
Import/Export Controls
Trans-Border Data Flow
Privacy
Personally Identifiable Information (PII)
Laws and Regulations
Investigation Types
Operations/Administrative
Criminal
Regulatory
Industry Standards
eDiscovery
Professional Ethics
(ISC)2 Code of Ethics
Computer Ethics Institute
Internet Architecture Board
Organizational Code of Ethics
Security Documentation
Policies
Organizational Security Policy
System-Specific Security Policy
Issue-Specific Security Policy
Policy Categories
Processes
Procedures
Standards
Guidelines
Baselines
Business Continuity
Business Continuity and Disaster Recovery Concepts
Disruptions
Disasters
Disaster Recovery and the Disaster Recovery Plan (DRP)
Continuity Planning and the Business Continuity Plan (BCP)
Business Impact Analysis (BIA)
Contingency Plan
Availability
Reliability
Scope and Plan
Personnel Components
Scope
Business Contingency Planning
BIA Development
Identify Critical Processes and Resources
Identify Outage Impact and Estimate Downtime
Identify Resource Requirements
Identify Recovery Priorities
Implementation
Personnel Security Policies and Procedures
Candidate Screening and Hiring
Employment Agreements and Policies
Employee Onboarding and Offboarding Policies
Vendor, Consultant, and Contractor Agreements and Controls
Compliance Policy Requirements
Privacy Policy Requirements
Job Rotation
Separation of Duties
Risk Management Concepts
Asset and Asset Valuation
Vulnerability
Threat
Threat Agent
Exploit
Risk
Exposure
Countermeasure
Risk Appetite
Attack
Breach
Risk Management Policy
Risk Management Team
Risk Analysis Team
Risk Assessment
Information and Asset (Tangible/Intangible) Value and Costs
Identity Threats and Vulnerabilities
Risk Assessment/Analysis
Countermeasure (Safeguard) Selection
Inherent Risk Versus Residual Risk
Handling Risk and Risk Response
Implementation
Control Categories
Compensative
Corrective
Detective
Deterrent
Directive
Preventive
Recovery
Control Types
Administrative (Management)
Logical (Technical)
Physical
Controls Assessment, Monitoring, and Measurement
Reporting and Continuous Improvement
Risk Frameworks
NIST
ISO/IEC 27005:2018
Open Source Security Testing Methodology Manual (OSSTMM)
COSO’s Enterprise Risk Management (ERM) Integrated Framework
A Risk Management Standard by the Federation of European Risk Management Associations (FERMA)
Geographical Threats
Internal Versus External Threats
Natural Threats
Hurricanes/Tropical Storms
Tornadoes
Earthquakes
Floods
Volcanoes
System Threats
Electrical
Communications
Utilities
Human-Caused Threats
Explosions
Fire
Vandalism
Fraud
Theft
Collusion
Politically Motivated Threats
Strikes
Riots
Civil Disobedience
Terrorist Acts
Bombing
Threat Modeling
Threat Modeling Concepts
Threat Modeling Methodologies
STRIDE Model
Process for Attack Simulation and Threat Analysis (PASTA) Methodology
Trike Methodology
Visual, Agile, and Simple Threat (VAST) Model
NIST SP 800-154
Identifying Threats
Potential Attacks
Remediation Technologies and Processes
Security Risks in the Supply Chain
Risks Associated with Hardware, Software, and Services
Third-Party Assessment and Monitoring
Onsite Assessment
Document Exchange/Review
Process/Policy Review
Other Third-Party Governance Issues
Minimum Service-Level and Security Requirements
Service-Level Requirements
Security Education, Training, and Awareness
Levels Required
Methods and Techniques
Periodic Content Reviews
Review All Key Topics
Complete the Tables and Lists from Memory
Define Key Terms
Answers and Explanations
Chapter 2 Asset Security
Asset Security Concepts
Asset and Data Policies
Data Quality
Data Documentation and Organization
Identify and Classify Information and Assets
Data and Asset Classification
Sensitivity and Criticality
PII
PHI
Proprietary Data
Private Sector Data Classifications
Military and Government Data Classifications
Information and Asset Handling Requirements
Marking, Labeling, and Storing
Destruction
Provision Resources Securely
Asset Inventory and Asset Management
Data Life Cycle
Databases
DBMS Architecture and Models
Database Interface Languages
Data Warehouses and Data Mining
Database Maintenance
Database Threats
Database Views
Database Locks
Polyinstantiation
Database ACID Test
Roles and Responsibilities
Data Owner
Data Controller
Data Custodian
System Owners
System Custodians
Business/Mission Owners
Data Processors
Data Users and Subjects
Data Collection and Limitation
Data Location
Data Maintenance
Data Retention
Data Remanence and Destruction
Data Audit
Asset Retention
Data Security Controls
Data Security
Data States
Data at Rest
Data in Transit
Data in Use
Data Access and Sharing
Data Storage and Archiving
Baselines
Scoping and Tailoring
Standards Selection
Data Protection Methods
Cryptography
Digital Rights Management (DRM)
Data Loss Prevention (DLP)
Cloud Access Security Broker (CASB)
Review All Key Topics
Define Key Terms
Answers and Explanations
Chapter 3 Security Architecture and Engineering
Engineering Processes Using Secure Design Principles
Objects and Subjects
Closed Versus Open Systems
Threat Modeling
Least Privilege
Defense in Depth
Secure Defaults
Fail Securely
Separation of Duties (SoD)
Keep It Simple
Zero Trust
Privacy by Design
Trust but Verify
Shared Responsibility
Security Model Concepts
Confidentiality, Integrity, and Availability
Confinement
Bounds
Isolation
Security Modes
Dedicated Security Mode
System High Security Mode
Compartmented Security Mode
Multilevel Security Mode
Assurance and Trust
Security Model Types
State Machine Models
Multilevel Lattice Models
Matrix-Based Models
Noninterference Models
Information Flow Models
Take-Grant Model
Security Models
Bell-LaPadula Model
Biba Model
Clark-Wilson Integrity Model
Lipner Model
Brewer-Nash (Chinese Wall) Model
Graham-Denning Model
Harrison-Ruzzo-Ullman Model
Goguen-Meseguer Model
Sutherland Model
System Architecture Steps
ISO/IEC 42010:2011
Computing Platforms
Mainframe/Thin Clients
Distributed Systems
Middleware
Embedded Systems
Mobile Computing
Virtual Computing
Security Services
Boundary Control Services
Access Control Services
Integrity Services
Cryptography Services
Auditing and Monitoring Services
System Components
CPU
Memory and Storage
Input/Output Devices
Input/Output Structures
Firmware
Operating Systems
Memory Management
System Security Evaluation Models
TCSEC
Rainbow Series
ITSEC
Common Criteria
Security Implementation Standards
ISO/IEC 27001
ISO/IEC 27002
Payment Card Industry Data Security Standard (PCI DSS)
Controls and Countermeasures
Certification and Accreditation
Control Selection Based on Systems Security Requirements
Security Capabilities of Information Systems
Memory Protection
Trusted Platform Module
Interfaces
Fault Tolerance
Policy Mechanisms
Separation of Privilege
Accountability
Encryption/Decryption
Data Mining Warehouse
Security Architecture Maintenance
Vulnerabilities of Security Architectures, Designs, and Solution Elements
Client-Based Systems
Server-Based Systems
Data Flow Control
Database Systems
Inference
Aggregation
Contamination
Data Mining Warehouse
Cryptographic Systems
Industrial Control Systems
Cloud-Based Systems
Large-Scale Parallel Data Systems
Distributed Systems
Grid Computing
Peer-to-Peer Computing
Internet of Things
Cryptography History
IoT Examples
Methods of Securing IoT Devices
NIST Framework for Cyber-Physical Systems
Microservices
Containerization
Serverless Systems
High-Performance Computing Systems
Edge Computing Systems
Virtualized Systems
Vulnerabilities in Web-Based Systems
Maintenance Hooks
Time-of-Check/Time-of-Use Attacks
Web-Based Attacks
XML
SAML
OWASP
Vulnerabilities in Mobile Systems
Device Security
Application Security
Mobile Device Concerns
NIST SP 800-164
Vulnerabilities in Embedded Systems
Cryptographic Solutions
Cryptography Concepts
Cryptography History
Julius Caesar and the Caesar Cipher
Vigenère Cipher
Kerckhoffs’s Principle
World War II Enigma
Lucifer by IBM
Cryptosystem Features
Authentication
Confidentiality
Integrity
Authorization
Non-repudiation
NIST SP 800-175A and B
Cryptographic Mathematics
Boolean
Logical Operations (And, Or, Not, Exclusive Or)
Modulo Function
One-Way Function
Nonce
Split Knowledge
Cryptographic Life Cycle
Key Management
Algorithm Selection
Cryptographic Types
Running Key and Concealment Ciphers
Substitution Ciphers
One-Time Pads
Steganography
Transposition Ciphers
Symmetric Algorithms
Stream-Based Ciphers
Block Ciphers
Initialization Vectors (IVs)
Asymmetric Algorithms
Hybrid Ciphers
Elliptic Curves
Quantum Cryptography
Symmetric Algorithms
DES and 3DES
DES Modes
3DES and Modes
AES
IDEA
Skipjack
Blowfish
Twofish
RC4/RC5/RC6/RC7
CAST
Asymmetric Algorithms
Diffie-Hellman
RSA
El Gamal
ECC
Knapsack
Zero-Knowledge Proof
Public Key Infrastructure and Digital Certificates
Certificate Authority and Registration Authority
Certificates
Certificate Life Cycle
Enrollment
Verification
Revocation
Renewal and Modification
Certificate Revocation List
OCSP
PKI Steps
Cross-Certification
Key Management Practices
Message Integrity
Hashing
One-Way Hash
MD2/MD4/MD5/MD6
SHA/SHA-2/SHA-3
HAVAL
RIPEMD-160
Tiger
Message Authentication Code
HMAC
CBC-MAC
CMAC
Salting
Digital Signatures and Non-repudiation
DSS
Non-repudiation
Applied Cryptography
Link Encryption Versus End-to-End Encryption
Email Security
Internet Security
Cryptanalytic Attacks
Ciphertext-Only Attack
Known Plaintext Attack
Chosen Plaintext Attack
Chosen Ciphertext Attack
Social Engineering
Brute Force
Differential Cryptanalysis
Linear Cryptanalysis
Algebraic Attack
Frequency Analysis
Birthday Attack
Dictionary Attack
Replay Attack
Analytic Attack
Statistical Attack
Factoring Attack
Reverse Engineering
Meet-in-the-Middle Attack
Ransomware Attack
Side-Channel Attack
Implementation Attack
Fault Injection
Timing Attack
Pass-the-Hash Attack
Digital Rights Management
Document DRM
Music DRM
Movie DRM
Video Game DRM
E-book DRM
Site and Facility Design
Layered Defense Model
CPTED
Natural Access Control
Natural Surveillance
Natural Territorial Reinforcement
Physical Security Plan
Deter Criminal Activity
Delay Intruders
Detect Intruders
Assess Situation
Respond to Intrusions and Disruptions
Facility Selection Issues
Visibility
Surrounding Area and External Entities
Accessibility
Construction
Internal Compartments
Computer and Equipment Rooms
Site and Facility Security Controls
Doors
Door Lock Types
Turnstiles and Mantraps
Locks
Biometrics
Type of Glass Used for Entrances
Visitor Control
Wiring Closets/Intermediate Distribution Facilities
Restricted and Work Areas
Secure Data Center
Restricted Work Area
Server Room
Media Storage Facilities
Evidence Storage
Environmental Security and Issues
Fire Protection
Power Supply
HVAC
Water Leakage and Flooding
Environmental Alarms
Equipment Physical Security
Corporate Procedures
Safes, Vaults, and Locking
Review All Key Topics
Complete the Tables and Lists from Memory
Define Key Terms
Answers and Explanations
Chapter 4 Communication and Network Security
Secure Network Design Principles
OSI Model
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
TCP/IP Model
Application Layer
Transport Layer
Internet Layer
Link Layer
Encapsulation and De-encapsulation
IP Networking
Common TCP/UDP Ports
Logical and Physical Addressing
IPv4
IP Classes
Public Versus Private IP Addresses
NAT
MAC Addressing
Network Transmission
Analog Versus Digital
Asynchronous Versus Synchronous
Broadband Versus Baseband
Unicast, Multicast, and Broadcast
Wired Versus Wireless
IPv6
NIST SP 800-119
IPv6 Major Features
IPv4 Versus IPv6 Threat Comparison
IPv6 Addressing
Shorthand for Writing IPv6 Addresses
IPv6 Address Types
IPv6 Address Scope
Network Types
Local-Area Network (LAN)
Intranet
Extranet
MAN
WAN
WLAN
SAN
CAN
PAN
Protocols and Services
ARP/RARP
DHCP/BOOTP
DNS
FTP, FTPS, SFTP, and TFTP
HTTP, HTTPS, and S-HTTP
ICMP
IGMP
IMAP
LDAP
LDP
NAT
NetBIOS
NFS
PAT
POP
CIFS/SMB
SMTP
SNMP
SSL/TLS
Multilayer Protocols
Converged Protocols
FCoE
MPLS
VoIP
iSCSI
Wireless Networks
FHSS, DSSS, OFDM, VOFDM, FDMA, TDMA, CDMA, OFDMA, and GSM
802.11 Techniques
Cellular or Mobile Wireless Techniques
5G
Satellites
WLAN Structure
Access Point
Service Set Identifier (SSID)
Infrastructure Mode Versus Ad Hoc Mode
WLAN Standards
802.11
802.11a
802.11b
802.11g
802.11n (Wi-Fi 4)
802.11ac (Wi-Fi 5)
802.11ax (Wi-Fi 6)
802.11be (Wi-Fi 7)
Bluetooth
Infrared
Near Field Communication (NFC)
Zigbee
WLAN Security
Open System Authentication
Shared Key Authentication
WEP
WPA
WPA2
Personal Versus Enterprise
WPA3
802.1X
SSID Broadcast
MAC Filter
Wireless Site Surveys
Antenna Placement and Power Levels
Antenna Types
Communications Cryptography
Link Encryption
End-to-End Encryption
Email Security
PGP
MIME and S/MIME
Quantum Cryptography
Internet Security
Remote Access
HTTP, HTTPS, and S-HTTP
Secure Electronic Transaction (SET)
Cookies
SSH
IPsec
Secure Network Components
Hardware
Network Devices
Network Routing
Transmission Media
Cabling
Network Topologies
Network Technologies
WAN Technologies
Network Access Control Devices
Quarantine/Remediation
Firewalls/Proxies
Endpoint Security
Content-Distribution Networks
Secure Communication Channels
Voice
Multimedia Collaboration
Remote Meeting Technology
Instant Messaging
Remote Access
Remote Connection Technologies
VPN Screen Scraper
Virtual Application/Desktop
Telecommuting/Teleworking
Data Communications
Virtualized Networks
SDN
Virtual SAN
Guest Operating Systems
Federated Identity with a Third-Party
Network Attacks
Cabling
Noise
Attenuation
Crosstalk
Eavesdropping
Network Component Attacks
Non-Blind Spoofing
Blind Spoofing
Man-in-the-Middle Attack
MAC Flooding Attack
802.1Q and Inter-Switch Link Protocol (ISL) Tagging Attack
Double-Encapsulated 802.1Q/Nested VLAN Attack
ARP Attack
ICMP Attacks
Ping of Death
Smurf
Fraggle
ICMP Redirect
Ping Scanning
Traceroute Exploitation
DNS Attacks
DNS Cache Poisoning
DoS
DDoS
DNSSEC
URL Hiding
Domain Grabbing
Cybersquatting
Email Attacks
Email Spoofing
Spear Phishing
Whaling
Spam
Wireless Attacks
Wardriving
Warchalking
Remote Attacks
Other Attacks
SYN ACK Attacks
Session Hijacking
Port Scanning
Teardrop
IP Address Spoofing
Zero-Day
Ransomware
Review All Key Topics
Define Key Terms
Answers and Explanations
Chapter 5 Identity and Access Management (IAM)
Access Control Process
Identify Resources
Identify Users
Identify the Relationships Between Resources and Users
Physical and Logical Access to Assets
Access Control Administration
Centralized
Decentralized
Information
Systems
Devices
Facilities
Applications
Identification and Authentication Concepts
NIST SP 800-63
Five Factors for Authentication
Knowledge Factors
Ownership Factors
Characteristic Factors
Location Factors
Time Factors
Single-Factor Versus Multifactor Authentication
Device Authentication
Identification and Authentication Implementation
Separation of Duties
Least Privilege/Need-to-Know
Default to No Access
Directory Services
Single Sign-on
Kerberos
SESAME
OpenID Connect (OIDC)/Open Authorization (OAuth)
Security Assertion Markup Language (SAML)
Federated Identity Management (IdM)
Security Domains
Session Management
Registration, Proof, and Establishment of Identity
Credential Management Systems
Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System
Accountability
Auditing and Reporting
Just-In-Time (JIT)
Identity as a Service (IDaaS) Implementation
Third-Party Identity Services Integration
Authorization Mechanisms
Permissions, Rights, and Privileges
Access Control Models
Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
Rule-Based Access Control
Attribute-Based Access Control
Content-Dependent Versus Context-Dependent
Risk-Based Access Control
Access Control Matrix
Access Control Policies
Provisioning Life Cycle
Provisioning
Identity and Account Management
User, System, and Service Account Access Review
Account Transfers
Account Revocation
Role Definition
Privilege Escalation
Access Control Threats
Password Threats
Dictionary Attack
Brute-Force Attack
Birthday Attack
Rainbow Table Attack
Sniffer Attack
Social Engineering Threats
Phishing/Pharming
Shoulder Surfing
Identity Theft
Dumpster Diving
DoS/DDoS
Buffer Overflow
Mobile Code
Malicious Software
Spoofing
Sniffing and Eavesdropping
Emanating
Backdoor/Trapdoor
Access Aggregation
Advanced Persistent Threat
Prevent or Mitigate Access Control Threats
Review All Key Topics
Define Key Terms
Answers and Explanations
Chapter 6 Security Assessment and Testing
Design and Validate Assessment and Testing Strategies
Security Testing
Security Assessments
Red Team versus Blue Team
Security Auditing
Internal, External, and Third-Party Security Assessment, Testing, and Auditing
Conduct Security Control Testing
Vulnerability Assessment
Network Discovery Scan
Network Vulnerability Scan
Web Application Vulnerability Scan
Penetration Testing
Log Reviews
NIST SP 800-92
Synthetic Transactions
Code Review and Testing
Code Review Process
Static Testing
Dynamic Testing
Fuzz Testing
Misuse Case Testing
Test Coverage Analysis
Interface Testing
Collect Security Process Data
NIST SP 800-137
Account Management
Management Review and Approval
Key Performance and Risk Indicators
Backup Verification Data
Training and Awareness
Disaster Recovery and Business Continuity
Analyze Test Outputs and Generate a Report
Conduct or Facilitate Security Audits
Review All Key Topics
Define Key Terms
Answers and Explanations
Chapter 7 Security Operations
Investigations
Forensic and Digital Investigations
Identify Evidence
Preserve and Collect Evidence
Examine and Analyze Evidence
Present Findings
Decide
Forensic Procedures
Reporting and Documentation
IOCE/SWGDE and NIST
Crime Scene
MOM
Chain of Custody
Interviewing
Investigative Techniques
Evidence Collection and Handling
Five Rules of Evidence
Types of Evidence
Surveillance, Search, and Seizure
Media Analysis
Software Analysis
Network Analysis
Hardware/Embedded Device Analysis
Digital Forensic Tools, Tactics, and Procedures
Logging and Monitoring Activities
Audit and Review
Log Types
Audit Types
Intrusion Detection and Prevention
Security Information and Event Management (SIEM)
Continuous Monitoring
Egress Monitoring
Log Management
Threat Intelligence
User and Entity Behavior Analytics (UEBA)
Configuration and Change Management
Resource Provisioning
Asset Inventory and Management
Baselining
Automation
Security Operations Concepts
Need to Know/Least Privilege
Managing Accounts, Groups, and Roles
Separation of Duties and Responsibilities
Privilege Account Management
Job Rotation and Mandatory Vacation
Two-Person Control
Sensitive Information Procedures
Record Retention
Information Life Cycle
Service-Level Agreements
Resource Protection
Protecting Tangible and Intangible Assets
Facilities
Hardware
Software
Information Assets
Asset Management
Redundancy and Fault Tolerance
Backup and Recovery Systems
Identity and Access Management
Media Management
Media History
Media Labeling and Storage
Sanitizing and Disposing of Media
Network and Resource Management
Incident Management
Event Versus Incident
Incident Response Team and Incident Investigations
Rules of Engagement, Authorization, and Scope
Incident Response Procedures
Incident Response Management
Detect
Respond
Mitigate
Report
Recover
Remediate
Review and Lessons Learned
Detective and Preventive Measures
IDS/IPS
Firewalls
Whitelisting/Blacklisting
Third-Party Security Services
Sandboxing
Honeypots/Honeynets
Anti-malware/Antivirus
Clipping Levels
Deviations from Standards
Unusual or Unexplained Events
Unscheduled Reboots
Unauthorized Disclosure
Trusted Recovery
Trusted Paths
Input/Output Controls
System Hardening
Vulnerability Management Systems
Machine Learning and Artificial Intelligence (AI)-Based Tools
Patch and Vulnerability Management
Recovery Strategies
Create Recovery Strategies
Categorize Asset Recovery Priorities
Business Process Recovery
Supply and Technology Recovery
User Environment Recovery
Data Recovery
Training Personnel
Backup Storage Strategies
Recovery and Multiple Site Strategies
Hot Site
Cold Site
Warm Site
Tertiary Site
Reciprocal Agreements
Redundant Sites
Redundant Systems, Facilities, and Power
Fault-Tolerance Technologies
Insurance
Data Backup
Fire Detection and Suppression
High Availability
Quality of Service
System Resilience
Disaster Recovery
Response
Personnel
Damage Assessment Team
Legal Team
Media Relations Team
Recovery Team
Relocation Team
Restoration Team
Salvage Team
Security Team
Communications
Assessment
Restoration
Training and Awareness
Lessons Learned
Testing Disaster Recovery Plans
Read-Through Test
Checklist Test
Table-Top Exercise
Structured Walk-Through Test
Simulation Test
Parallel Test
Full-Interruption Test
Functional Drill
Evacuation Drill
Business Continuity Planning and Exercises
Physical Security
Perimeter Security Controls
Gates and Fences
Perimeter Intrusion Detection
Lighting
Patrol Force
Access Control
Building and Internal Security Controls
Personnel Safety and Security
Duress
Travel
Monitoring
Emergency Management
Security Training and Awareness
Review All Key Topics
Define Key Terms
Answers and Explanations
Chapter 8 Software Development Security
Software Development Concepts
Machine Languages
Assembly Languages and Assemblers
High-Level Languages, Compilers, and Interpreters
Object-Oriented Programming
Polymorphism
Polyinstantiation
Encapsulation
Cohesion
Coupling
Data Structures
Distributed Object-Oriented Systems
CORBA
COM and DCOM
OLE
Java
SOA
Mobile Code
Java Applets
ActiveX
NIST SP 800-163
Security in the System and Software Development Life Cycle
System Development Life Cycle
Initiate
Acquire/Develop
Implement
Operate/Maintain
Dispose
Software Development Life Cycle
Plan/Initiate Project
Gather Requirements
Design
Develop
Test/Validate
Release/Maintenance
Certify/Accredit
Change Management and Configuration Management/Replacement
DevSecOps
Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST)
Security Orchestration and Automated Response (SOAR)
Software Development Methods and Maturity Models
Build and Fix Model
Waterfall Model
V-Shaped Model
Prototyping
Modified Prototype Model (MPM)
Incremental Model
Spiral Model
Agile Model
Continuous Integration and Continuous Delivery (CI/CD)
Rapid Application Development (RAD)
Joint Analysis Development (JAD)
Cleanroom Model
Structured Programming Development Model
Exploratory Model
Computer-Aided Software Engineering (CASE)
Component-Based Development
CMMI
ISO 9001:2015/90003:2014
IDEAL Model
Operation and Maintenance
Integrated Product Team
Security Controls in Development
Software Development Security Best Practices
WASC
OWASP
BSI
ISO/IEC 27000
Software Environment Security
Source Code Analysis Tools
Code Repository Security
Software Threats
Malware
Malware Protection
Scanning Types
Security Policies
Software Protection Mechanisms
Assess Software Security Effectiveness
Auditing and Logging
Risk Analysis and Mitigation
Regression and Acceptance Testing
Security Impact of Acquired Software
Secure Coding Guidelines and Standards
Security Weaknesses and Vulnerabilities at the Source Code Level
Buffer Overflow
Escalation of Privileges
Backdoor
Rogue Programmers
Covert Channel
Object Reuse
Mobile Code
Time of Check/Time of Use (TOC/TOU)
Security of Application Programming Interfaces
Secure Coding Practices
Validate Input
Heed Compiler Warnings
Design for Security Policies
Implement Default Deny
Adhere to the Principle of Least Privilege, and Practice Defense in Depth
Sanitize Data Prior to Transmission to Other Systems
Review All Key Topics
Define Key Terms
Answers and Explanations
Chapter 9 Final Preparation
Tools for Final Preparation
Pearson Test Prep Practice Test Engine and Questions on the Website
Accessing the Pearson Test Prep Practice Test Software Online
Accessing the Pearson Test Prep Practice Test Software Offline
Customizing Your Exams
Updating Your Exams
Premium Edition
Memory Tables
Chapter-Ending Review Tools
Suggested Plan for Final Review/Study