
Eleventh Hour CISSP: Study Guide / Edition 2

Paperback (Print)

Overview

Eleventh Hour CISSP Study Guide serves as a guide for those who want to be information security professionals. The main job of an information security professional is to evaluate the risks involved in securing assets and to find ways to mitigate those risks. Information security jobs include firewall engineers, penetration testers, auditors, and the like.
The book is organized around the 10 domains of the Common Body of Knowledge, with one chapter defining each domain. The first domain provides information about risk analysis and mitigation, and it discusses security governance. The second domain discusses techniques of access control, which is the basis for all security disciplines. The third domain explains the concepts behind cryptography, which is a secure way of communicating that is understood only by the intended recipients. Domain 5 discusses security architecture and design, the foundation on which operating system and software security components are built. Domain 6 is one of the critical domains in the Common Body of Knowledge, Business Continuity Planning and Disaster Recovery Planning. It is the final control against extreme events such as injury, loss of life, or failure of an organization. Domain 7, Domain 8 and Domain 9 discuss telecommunications and network security, application development security, and the operations domain, respectively. Domain 10 focuses on the major legal systems that provide a framework for determining laws about information systems.
  • The only guide you need for last-minute studying
  • Answers the toughest questions and highlights core topics
  • Can be paired with any other study guide so you are completely prepared

Editorial Reviews

From the Publisher

"Eleventh Hour CISSP Study Guide provides an effective and efficient review of the CISSP ten domains by eliminating the fluff that is in most CISSP study guides. For security professionals in a time crunch or those looking for a last-minute refresher, this is a must-read before taking the exam."--Tony Flick, CISSP, Author of Securing the Smart Grid and Principal at FYRM Associates


Product Details

  • ISBN-13: 9780124171428
  • Publisher: Elsevier Science
  • Publication date: 11/7/2013
  • Edition description: Study Guide
  • Edition number: 2
  • Pages: 216
  • Sales rank: 117,161
  • Product dimensions: 7.50 (w) x 9.10 (h) x 0.30 (d)

Meet the Author

Eric Conrad (CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GAWN, GSEC, Security+), is a SANS-certified instructor and President of Backshore Communications, which provides information warfare, penetration testing, incident handling, and intrusion detection consulting services. Eric started his professional career in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and healthcare, in positions ranging from systems programmer to security engineer to HIPAA security officer and ISSO. He has taught more than a thousand students in courses such as SANS Management 414: CISSP, Security 560: Network Penetration Testing and Ethical Hacking, Security 504: Hacker Techniques, and Exploits and Incident Handling. Eric graduated from the SANS Technology Institute with a Master of Science degree in Information Security Engineering.

Seth Misenar (CISSP, GPEN, GCIH, GCIA, GCFA, GWAPT, GCWN, GSEC, MCSE, MCDBA), is a certified instructor with the SANS Institute and serves as lead consultant for Context Security, which is based in Jackson, Mississippi. His background includes security research, network and Web application penetration testing, vulnerability assessment, regulatory compliance, security architecture design, and general security consulting. Seth previously served as a physical and network security consultant for Fortune 100 companies and as the HIPAA and information security officer for a state government agency. He teaches a variety of courses for the SANS Institute, including Security Essentials, Web Application Penetration Testing, Hacker Techniques, and the CISSP course.
Seth is pursuing a Master of Science degree in Information Security Engineering from the SANS Technology Institute and holds a Bachelor of Science degree from Millsaps College, Jackson, Mississippi.

Joshua Feldman (CISSP), is currently employed by SAIC, Inc. He has been involved in the Department of Defense Information Systems Agency (DISA) Information Assurance Education, Training, and Awareness program since 2002, where he has contributed to a variety of DoD-wide Information Assurance and Cyber Security policies, specifically the 8500.2 and 8570 series. Joshua has taught more than a thousand DoD students through his "DoD IA Boot Camp" course. He is a subject matter expert for the Web-based DoD Information Assurance Awareness training, which every DoD user is required to complete yearly as part of his or her security awareness curriculum. Also, he is a regular presenter and panel member at the annual Information Assurance Symposium hosted jointly by DISA and NSA. Before joining the support team at DoD/DISA, Joshua spent time as an IT security engineer at the Department of State's Bureau of Diplomatic Security. He got his start in the IT security field with NFR Security Software, a company that manufactures Intrusion Detection Systems. There, he worked as both a trainer and an engineer, implementing IDS technologies and instructing customers in how to properly configure them.


Read an Excerpt

Eleventh Hour CISSP

Study Guide
By Eric Conrad

SYNGRESS

Copyright © 2011 Elsevier Inc.
All rights reserved.

ISBN: 978-1-59749-567-7


Chapter One

Domain 1: Information Security Governance and Risk Management

Exam Objectives in this Chapter

* Risk analysis

* Information security governance

INTRODUCTION

Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to mitigate them. We work in various roles as firewall engineers, penetration testers, auditors, management, and the like. The common thread is risk: It is part of our job description.

The Information Security Governance and Risk Management domain focuses on risk analysis and mitigation. It also details security governance, or the organizational structure required for a successful information security program. The difference between organizations that are successful and those that fail in this realm is usually not tied to dollars or staff size: It is tied to having the right people in the right roles. Knowledgeable and experienced information security staff and supportive and vested leadership are the keys to success.

Speaking of leadership, learning to speak the language of leaders is another key to personal success in this industry. The ability to effectively communicate information security concepts with C-level executives is a rare and needed skill. This domain also helps you speak this language by discussing risk in terms such as Total Cost of Ownership (TCO) and Return on Investment (ROI).

RISK ANALYSIS

All information security professionals assess risk: We do it so often that it becomes second nature. A patch is released on a Tuesday. Your company normally tests for two weeks before installing, but a network-based worm is spreading on the Internet that infects unpatched systems. If you install the patch now, you risk downtime due to lack of testing. If you wait to test, you risk infection by the worm. What is the bigger risk? What should you do? Risk Analysis (RA) will help you decide.

The average person does a poor job of accurately analyzing risk: If you fear the risk of dying while traveling and, to mitigate that risk, drive from New York to Florida instead of flying, you have done a poor job of analyzing risk. It is far riskier, per mile, to travel by car than by airplane when considering the risk of death while traveling.

Accurate Risk Analysis is a critical skill for an information security professional. We must hold ourselves to a higher standard when judging risk. Our risk decisions dictate which safeguards we deploy to protect our assets, and the amount of money and resources we spend doing so. Poor decisions result in wasted money or, even worse, compromised data.

Assets

Assets are the valuable resources you are trying to protect. They can be data, systems, people, buildings, property, and so forth. The value or criticality of the asset dictates the safeguards you deploy. People are your most valuable asset.

Threats and Vulnerabilities

A threat is a potentially harmful occurrence, such as an earthquake, a power outage, or a network-based worm like Conficker (aka Downadup or Kido; see www.microsoft.com/security/worms/Conficker.aspx), which began attacking Microsoft Windows operating systems in late 2008. A threat is a negative action that may harm a system.

A vulnerability is a weakness that allows a threat to cause harm. Examples of vulnerabilities (matching our previous threats) are buildings that are not built to withstand earthquakes, a data center without proper backup power, or a Microsoft Windows XP system that has not been patched in a few years.

A networked Microsoft Windows system is vulnerable to Conficker if it lacks the relevant patch, if it automatically runs software on a USB token when inserted, or if it has a network share with a weak password. If any of those three conditions is true, you have risk. A Linux system has no vulnerability to Conficker and therefore runs no risk from it.

Risk = Threat x Vulnerability

To have risk, a threat must connect to a vulnerability. This relationship is stated by the formula:

Risk = Threat x Vulnerability

You can assign a value to specific risks using this formula. Assign a number to both the threat and the vulnerability, then multiply. A common range is 1 through 5 (the range is arbitrary; just keep it consistent when comparing different risks).

Impact

The "Risk = Threat x Vulnerability" equation sometimes uses an added variable, impact: "Risk = Threat x Vulnerability x Impact." Impact is the severity of the damage, sometimes expressed in dollars, which is why Risk = Threat x Vulnerability x Cost is sometimes used. A synonym for impact is consequences.

Risk Analysis Matrix

The Risk Analysis Matrix uses a quadrant to map the likelihood of a risk occurring against the consequences (or impact) that the risk would have. The Australia/New Zealand 4360 Standard on Risk Management (AS/NZS 4360, see www.standards.org.au) describes the Risk Analysis Matrix, which is shown in Table 1.1.

The Risk Analysis Matrix allows you to perform Qualitative Risk Analysis (see the section Qualitative and Quantitative Risk Analysis to come) based on likelihood (from rare to almost certain) and consequences, or impact (from insignificant to catastrophic). The resulting risk scores are Low (L), Medium (M), High (H), and Extreme (E). Low risks are handled via normal processes; moderate risks require management notification; high risks require senior management notification; and extreme risks require immediate action, including a detailed mitigation plan (and senior management notification).

The goal of the matrix is to identify high-likelihood/high-consequence risks (upper right quadrant of Table 1.1) and drive them down to the low-likelihood/ low-consequence level (lower left quadrant).
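The qualitative scoring just described, as an added Python illustration (not code from the book, its authors, or the publisher). The page states the axis ranges, the four scores and the handling rule for each score; the individual L/M/H/E cell assignments below are an assumption, following the widely reproduced AS/NZS 4360 example matrix rather than the book's Table 1.1, which this page does not reproduce. The sample risk register is constructed for the example.

```python
"""Qualitative Risk Analysis Matrix (AS/NZS 4360 style).

Added illustration, not the book's code. The L/M/H/E cell values in MATRIX are an
ASSUMPTION (the commonly reproduced AS/NZS 4360 example); the handling rules in
ACTION are the ones the excerpt states.
"""
from dataclasses import dataclass
from typing import List, Tuple

LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]

# Row: likelihood; column index: consequence (insignificant .. catastrophic).
# ASSUMED cell values, see module docstring.
MATRIX = {
    "rare":           ["L", "L", "M", "H", "H"],
    "unlikely":       ["L", "L", "M", "H", "E"],
    "possible":       ["L", "M", "H", "E", "E"],
    "likely":         ["M", "H", "H", "E", "E"],
    "almost certain": ["H", "H", "E", "E", "E"],
}

# What each score requires, as described in the excerpt.
ACTION = {
    "L": "handle via normal processes",
    "M": "notify management",
    "H": "notify senior management",
    "E": "immediate action: detailed mitigation plan and senior management notification",
}

SEVERITY = {"L": 0, "M": 1, "H": 2, "E": 3}


def rate(likelihood: str, consequence: str) -> str:
    """Look up the qualitative score (L, M, H or E) for one risk."""
    lk = likelihood.strip().lower()
    cq = consequence.strip().lower()
    if lk not in MATRIX:
        raise ValueError(f"unknown likelihood {likelihood!r}; expected one of {LIKELIHOOD}")
    if cq not in CONSEQUENCE:
        raise ValueError(f"unknown consequence {consequence!r}; expected one of {CONSEQUENCE}")
    return MATRIX[lk][CONSEQUENCE.index(cq)]


def is_acceptance_candidate(score: str) -> bool:
    """Only low-likelihood/low-consequence (L) risks are candidates for acceptance."""
    return score == "L"


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str


def triage(risks: List[Risk]) -> List[Tuple[str, str, str]]:
    """Score every risk and return (name, score, required action), most severe first."""
    scored = [(r.name, rate(r.likelihood, r.consequence)) for r in risks]
    # sort() is stable, so risks with equal scores keep their register order
    scored.sort(key=lambda item: SEVERITY[item[1]], reverse=True)
    return [(name, score, ACTION[score]) for name, score in scored]


# Constructed sample register using the threats the excerpt mentions.
SAMPLE_REGISTER = [
    Risk("Unpatched Windows hosts exposed to Conficker", "likely", "major"),
    Risk("Earthquake damages building not built to withstand one", "rare", "catastrophic"),
    Risk("Data center loses power without backup power", "possible", "moderate"),
    Risk("Spare test VM lost to a disk failure", "unlikely", "minor"),
]

if __name__ == "__main__":
    for name, score, action in triage(SAMPLE_REGISTER):
        print(f"[{score}] {name}: {action}")
```

The ordering produced by `triage` is the working list for the goal stated above: the entries at the top are the high-likelihood/high-consequence risks that mitigation should push toward the L corner, and `is_acceptance_candidate` encodes the rule that only L-scored risks are even considered for acceptance.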

Calculating Annualized Loss Expectancy

The Annualized Loss Expectancy (ALE) calculation allows you to determine the annual cost of a loss due to a given risk. Once calculated, ALE allows you to make informed decisions to mitigate the risk.

This section uses an example of risk due to lost or stolen unencrypted laptops. Assume that your company has 1000 laptops that contain Personally Identifiable Information (PII). You are the Security Officer, and your concern is the risk of exposure of PII due to the laptops' misplacement or theft. You want to purchase and deploy a laptop encryption solution. The solution is expensive, so you need to convince management that it is worthwhile.

ASSET VALUE

The Asset Value (AV) is the value of the asset you are trying to protect. In this example, each laptop costs $2,500, but the real value is in the PII it contains. Theft of unencrypted PII occurred previously and cost the company many times the value of the laptops in regulatory fines, bad publicity, legal fees, staff hours spent investigating, and so forth. The true average Asset Value of a laptop with PII for this example is $25,000 ($2,500 for the hardware and $22,500 for the exposed PII).

EXPOSURE FACTOR

The Exposure Factor (EF) is the percentage of value lost by an asset because of an incident. In the case of a stolen laptop with unencrypted PII, the Exposure Factor is 100%: The laptop and all the data are gone.

SINGLE LOSS EXPECTANCY

The Single Loss Expectancy (SLE) is the cost of a single loss. SLE is the Asset Value (AV) times the Exposure Factor (EF). In our case, SLE is $25,000 (Asset Value) times 100% (Exposure Factor), or $25,000.

ANNUAL RATE OF OCCURRENCE

The Annual Rate of Occurrence (ARO) is the number of losses you suffer per year. Looking through past events, you discover that you have suffered 11 lost or stolen laptops per year on average, so your ARO is 11.

ANNUALIZED LOSS EXPECTANCY

The Annualized Loss Expectancy (ALE) is your yearly cost due to a risk. It is calculated by multiplying the Single Loss Expectancy (SLE) times the Annual Rate of Occurrence (ARO). In our case it is $25,000 (SLE) times 11 (ARO), or $275,000.

Table 1.2 summarizes the equations used to determine Annualized Loss Expectancy.

Total Cost of Ownership

The Total Cost of Ownership (TCO) is the total cost of a mitigating safeguard. It combines upfront costs (often one-time capital expenses) and annual cost of maintenance, including staff hours, vendor maintenance fees, software subscriptions, and so forth. These ongoing costs are usually considered operational expenses.

Using our laptop encryption example, the upfront cost of laptop encryption software is $100/laptop, or $100,000 for 1,000 laptops. The vendor charges a 10% annual support fee, or $10,000/year. You estimate that it will take 4 staff hours per laptop to install the software, or 4,000 staff hours in total. The staff that performs this work makes $50/hour plus benefits. Including benefits, the staff cost is $70 per hour; $70 times 4,000 hours is $280,000.

Your company uses a three-year technology refresh cycle, so you calculate the Total Cost of Ownership over three years:

* Software cost: $100,000

* Three years of vendor support: $10,000 x 3 = $30,000

* Hourly staff cost: $280,000

* Total Cost of Ownership over three years: $410,000

* Total Cost of Ownership per year: $410,000/3 = $136,667/year

Your Annual Total Cost of Ownership for the laptop encryption project is $136,667 per year.

Return on Investment

The Return on Investment (ROI) is the amount of money saved by implementing a safeguard. If your annual Total Cost of Ownership (TCO) is less than your Annualized Loss Expectancy (ALE), you have a positive ROI (and have made a good choice). If your TCO is higher than your ALE, you have made a poor choice.

The annual TCO of laptop encryption is $136,667; the Annualized Loss Expectancy for lost or stolen unencrypted laptops is $275,000. The math is summarized in Table 1.3.

Implementing laptop encryption will change the Exposure Factor. The laptop hardware is worth $2,500, and the exposed PII costs an additional $22,500, for a $25,000 Asset Value. If an unencrypted laptop is lost or stolen, the EF is 100% (the hardware and all data are exposed). Laptop encryption mitigates the PII exposure risk, lowering the exposure factor from 100% (the laptop and all data) to 10% (just the laptop hardware).

The lower Exposure Factor lowers the Annualized Loss Expectancy from $275,000 to $27,500, as shown in Table 1.4.

You will save $247,500/year (the old ALE, $275,000, minus the new ALE, $27,500) by making an investment of $136,667. Your ROI is $110,833 per year ($247,500 minus $136,667). The laptop encryption project has a positive ROI and is a wise investment.
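The ALE, TCO and ROI procedure from the Calculating Annualized Loss Expectancy section through this one, carried out in Python as an added example (not code from the book or the publisher). It uses only the figures the excerpt gives: a $25,000 Asset Value, an Exposure Factor of 100% before and 10% after encryption, an ARO of 11, and the $100,000 software, $10,000/year support, 4,000 staff hours at $70/hour and three-year refresh cycle of the TCO calculation. The `Safeguard` class and `evaluate` function are names chosen for this illustration.

```python
"""ALE, TCO and ROI for a mitigating safeguard.

Added example with the excerpt's laptop-encryption numbers; not the book's code.
Money is carried as floats for readability; round only when presenting results.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is a fraction of value lost per incident (0.0 .. 1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO."""
    if annual_rate_of_occurrence < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * annual_rate_of_occurrence


@dataclass
class Safeguard:
    """Cost inputs for a mitigating safeguard (hypothetical class name)."""
    name: str
    upfront_cost: float          # one-time capital expense
    annual_support: float        # recurring vendor fee
    staff_hours: float           # one-time deployment effort
    loaded_hourly_rate: float    # wages plus benefits
    years: int                   # technology refresh cycle

    def total_cost_of_ownership(self) -> float:
        """TCO over the refresh cycle: upfront + support x years + staff labour."""
        if self.years < 1:
            raise ValueError("TCO needs at least a one-year horizon")
        return (self.upfront_cost
                + self.annual_support * self.years
                + self.staff_hours * self.loaded_hourly_rate)

    def annual_tco(self) -> float:
        return self.total_cost_of_ownership() / self.years


def return_on_investment(ale_before: float, ale_after: float, annual_tco: float) -> float:
    """Yearly savings from the lower ALE minus the yearly cost of the safeguard."""
    return (ale_before - ale_after) - annual_tco


def evaluate(asset_value: float, ef_before: float, ef_after: float,
             aro: float, safeguard: Safeguard) -> dict:
    """Run the whole chain and say whether the safeguard pays for itself."""
    ale_before = annualized_loss_expectancy(asset_value, ef_before, aro)
    ale_after = annualized_loss_expectancy(asset_value, ef_after, aro)
    annual_tco = safeguard.annual_tco()
    roi = return_on_investment(ale_before, ale_after, annual_tco)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_savings": ale_before - ale_after,
        "annual_tco": annual_tco,
        "roi": roi,
        "positive_roi": roi > 0,   # excerpt's rule: annual TCO below ALE savings is a good choice
    }


# The excerpt's figures: 1,000 laptops, $2,500 hardware + $22,500 PII exposure each.
LAPTOPS = 1000
LAPTOP_ENCRYPTION = Safeguard(
    name="laptop encryption",
    upfront_cost=100 * LAPTOPS,     # $100 per laptop
    annual_support=10_000,          # 10% of the software cost per year
    staff_hours=4 * LAPTOPS,        # 4 hours per laptop
    loaded_hourly_rate=70,          # $50/hour plus benefits
    years=3,                        # three-year refresh cycle
)


def laptop_case() -> dict:
    return evaluate(asset_value=25_000, ef_before=1.0, ef_after=0.10,
                    aro=11, safeguard=LAPTOP_ENCRYPTION)


if __name__ == "__main__":
    for key, value in laptop_case().items():
        print(f"{key:>15}: {value:,.2f}" if isinstance(value, float) else f"{key:>15}: {value}")
```

Note that the excerpt's $136,667 and $110,833 are rounded presentations of $410,000/3 and of the resulting ROI; the functions return the unrounded values so that the same code gives a correct answer when the refresh cycle or ARO is changed, for instance to test how sensitive the decision is to the ARO estimate.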

Risk Choices

Once we have assessed risk, we must decide what to do. Options include accepting the risk, mitigating or eliminating it, transferring it, and avoiding it.

ACCEPT THE RISK

Some risks may be accepted: In certain cases, it is cheaper to leave an asset unprotected from a specific risk rather than make the effort (and spend the money) required to protect it. This cannot be an ignorant decision: The risk, and all options, must be considered before you can accept it.

Risk Acceptance Criteria

Low-likelihood/low-consequence risks are candidates for risk acceptance. High and Extreme risks are not. There are cases, such as data protected by laws or regulations or risk to human life or safety, where accepting the risk is not an option.

MITIGATE THE RISK

Mitigating the risk means lowering it to an acceptable level. The laptop encryption example given previously in the Annualized Loss Expectancy section is an example of risk mitigation. The risk of lost PII due to stolen laptops was mitigated by encrypting the data on them. It was not eliminated entirely: A weak or exposed encryption password could expose the PII, but the risk was reduced to an acceptable level.

In some cases it is possible to remove the risk entirely: this is called eliminating it.

TRANSFER THE RISK

Risk transfer is the "insurance model." Most people do not assume the risk of fire to their house: They pay an insurance company to assume that risk for them.

AVOID THE RISK

A thorough Risk Analysis should be completed before taking on a new project. If it discovers high or extreme risks that cannot be easily mitigated, avoiding the risk (and the project) may be the best option.

(Continues...)



Excerpted from Eleventh Hour CISSP by Eric Conrad. Copyright © 2011 by Elsevier Inc. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.


Table of Contents

  • Chapter 1: Domain 1: Information Security Governance and Risk Management
  • Chapter 2: Domain 2: Access Control
  • Chapter 3: Domain 3: Cryptography
  • Chapter 4: Domain 4: Physical (Environmental) Security
  • Chapter 5: Domain 5: Security Architecture and Design
  • Chapter 6: Domain 6: Business Continuity and Disaster Recovery Planning
  • Chapter 7: Domain 7: Telecommunications and Network Security
  • Chapter 8: Domain 8: Application Development Security
  • Chapter 9: Domain 9: Operations Security
  • Chapter 10: Domain 10: Legal, Regulations, Investigations, and Compliance
