
(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 8th Edition

E-Book

$45.99


Mike Chapple, James Michael Stewart, Darril Gibson

ISBN: 978-1-119-47587-3 April 2018 1104 Pages

Description

CISSP Study Guide - fully updated for the 2018 CISSP Body of Knowledge

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 8th Edition has been completely updated for the latest 2018 CISSP Body of Knowledge. This bestselling Sybex study guide covers 100% of all exam objectives. You'll prepare for the exam smarter and faster with Sybex thanks to expert content, real-world examples, advice on passing each section of the exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic exam essentials and chapter review questions.

Along with the book, you also get access to Sybex's superior online interactive learning environment that includes:

  • Six unique 150 question practice exams to help you identify where you need to study more. Get more than 90 percent of the answers correct, and you're ready to take the certification exam.
  • More than 700 Electronic Flashcards to reinforce your learning and give you last-minute test prep before the exam
  • A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam

Coverage of all of the exam topics in the book means you'll be ready for:

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communication and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security


Introduction xxxiii

Assessment Test xlii

Chapter 1 Security Governance Through Principles and Policies 1

Understand and Apply Concepts of Confidentiality, Integrity, and Availability 2

Evaluate and Apply Security Governance Principles 14

Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 26

Understand and Apply Threat Modeling Concepts and Methodologies 30

Apply Risk-Based Management Concepts to the Supply Chain 38

Summary 40

Exam Essentials 42

Written Lab 44

Review Questions 45

Chapter 2 Personnel Security and Risk Management Concepts 49

Personnel Security Policies and Procedures 51

Security Governance 62

Understand and Apply Risk Management Concepts 63

Establish and Maintain a Security Awareness, Education, and Training Program 86

Manage the Security Function 87

Summary 88

Exam Essentials 89

Written Lab 92

Review Questions 93

Chapter 3 Business Continuity Planning 97

Planning for Business Continuity 98

Project Scope and Planning 99

Business Impact Assessment 105

Continuity Planning 111

Plan Approval and Implementation 114

Summary 119

Exam Essentials 119

Written Lab 120

Review Questions 121

Chapter 4 Laws, Regulations, and Compliance 125

Categories of Laws 126

Laws 129

Compliance 149

Contracting and Procurement 150

Summary 151

Exam Essentials 152

Written Lab 153

Review Questions 154

Chapter 5 Protecting Security of Assets 159

Identify and Classify Assets 160

Determining Ownership 178

Using Security Baselines 186

Summary 187

Exam Essentials 188

Written Lab 189

Review Questions 190

Chapter 6 Cryptography and Symmetric Key Algorithms 195

Historical Milestones in Cryptography 196

Cryptographic Basics 198

Modern Cryptography 214

Symmetric Cryptography 219

Cryptographic Lifecycle 228

Summary 229

Exam Essentials 229

Written Lab 231

Review Questions 232

Chapter 7 PKI and Cryptographic Applications 237

Asymmetric Cryptography 238

Hash Functions 242

Digital Signatures 246

Public Key Infrastructure 249

Asymmetric Key Management 253

Applied Cryptography 254

Cryptographic Attacks 265

Summary 268

Exam Essentials 269

Written Lab 270

Review Questions 271

Chapter 8 Principles of Security Models, Design, and Capabilities 275

Implement and Manage Engineering Processes Using Secure Design Principles 276

Understand the Fundamental Concepts of Security Models 281

Select Controls Based On Systems Security Requirements 295

Understand Security Capabilities of Information Systems 309

Summary 311

Exam Essentials 312

Written Lab 313

Review Questions 314

Chapter 9 Security Vulnerabilities, Threats, and Countermeasures 319

Assess and Mitigate Security Vulnerabilities 320

Client-Based Systems 342

Server-Based Systems 346

Database Systems Security 347

Distributed Systems and Endpoint Security 350

Internet of Things 358

Industrial Control Systems 359

Assess and Mitigate Vulnerabilities in Web-Based Systems 360

Assess and Mitigate Vulnerabilities in Mobile Systems 365

Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems 375

Essential Security Protection Mechanisms 379

Common Architecture Flaws and Security Issues 384

Summary 390

Exam Essentials 391

Written Lab 394

Review Questions 395

Chapter 10 Physical Security Requirements 399

Apply Security Principles to Site and Facility Design 400

Implement Site and Facility Security Controls 403

Implement and Manage Physical Security 422

Summary 431

Exam Essentials 432

Written Lab 434

Review Questions 435

Chapter 11 Secure Network Architecture and Securing Network Components 439

OSI Model 440

TCP/IP Model 451

Converged Protocols 470

Wireless Networks 472

Secure Network Components 486

Cabling, Wireless, Topology, Communications, and Transmission Media Technology 495

Summary 513

Exam Essentials 514

Written Lab 516

Review Questions 517

Chapter 12 Secure Communications and Network Attacks 521

Network and Protocol Security Mechanisms 522

Secure Voice Communications 525

Multimedia Collaboration 529

Manage Email Security 530

Remote Access Security Management 536

Virtual Private Network 540

Virtualization 546

Network Address Translation 549

Switching Technologies 553

WAN Technologies 556

Miscellaneous Security Control Characteristics 561

Security Boundaries 563

Prevent or Mitigate Network Attacks 564

Summary 569

Exam Essentials 571

Written Lab 573

Review Questions 574

Chapter 13 Managing Identity and Authentication 579

Controlling Access to Assets 580

Comparing Identification and Authentication 584

Implementing Identity Management 602

Managing the Identity and Access Provisioning Lifecycle 611

Summary 614

Exam Essentials 615

Written Lab 617

Review Questions 618

Chapter 14 Controlling and Monitoring Access 623

Comparing Access Control Models 624

Understanding Access Control Attacks 635

Summary 653

Exam Essentials 654

Written Lab 656

Review Questions 657

Chapter 15 Security Assessment and Testing 661

Building a Security Assessment and Testing Program 662

Performing Vulnerability Assessments 668

Testing Your Software 681

Implementing Security Management Processes 688

Summary 690

Exam Essentials 691

Written Lab 692

Review Questions 693

Chapter 16 Managing Security Operations 697

Applying Security Operations Concepts 698

Securely Provisioning Resources 710

Managing Configuration 718

Managing Change 719

Managing Patches and Reducing Vulnerabilities 723

Summary 728

Exam Essentials 729

Written Lab 731

Review Questions 732

Chapter 17 Preventing and Responding to Incidents 737

Managing Incident Response 738

Implementing Detective and Preventive Measures 745

Logging, Monitoring, and Auditing 773

Summary 790

Exam Essentials 792

Written Lab 795

Review Questions 796

Chapter 18 Disaster Recovery Planning 801

The Nature of Disaster 802

Understand System Resilience and Fault Tolerance 812

Recovery Strategy 818

Recovery Plan Development 827

Training, Awareness, and Documentation 835

Testing and Maintenance 836

Summary 838

Exam Essentials 838

Written Lab 839

Review Questions 840

Chapter 19 Investigations and Ethics 845

Investigations 846

Major Categories of Computer Crime 857

Ethics 861

Summary 864

Exam Essentials 864

Written Lab 865

Review Questions 866

Chapter 20 Software Development Security 871

Introducing Systems Development Controls 872

Establishing Databases and Data Warehousing 895

Storing Data and Information 904

Understanding Knowledge-Based Systems 906

Summary 909

Exam Essentials 909

Written Lab 910

Review Questions 911

Chapter 21 Malicious Code and Application Attacks 915

Malicious Code 916

Password Attacks 929

Application Attacks 933

Web Application Security 935

Reconnaissance Attacks 940

Masquerading Attacks 941

Summary 942

Exam Essentials 943

Written Lab 944

Review Questions 945

Appendix A Answers to Review Questions 949

Chapter 1: Security Governance Through Principles and Policies 950

Chapter 2: Personnel Security and Risk Management Concepts 951

Chapter 3: Business Continuity Planning 952

Chapter 4: Laws, Regulations, and Compliance 954

Chapter 5: Protecting Security of Assets 956

Chapter 6: Cryptography and Symmetric Key Algorithms 958

Chapter 7: PKI and Cryptographic Applications 960

Chapter 8: Principles of Security Models, Design, and Capabilities 961

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 963

Chapter 10: Physical Security Requirements 965

Chapter 11: Secure Network Architecture and Securing Network Components 966

Chapter 12: Secure Communications and Network Attacks 968

Chapter 13: Managing Identity and Authentication 969

Chapter 14: Controlling and Monitoring Access 971

Chapter 15: Security Assessment and Testing 973

Chapter 16: Managing Security Operations 975

Chapter 17: Preventing and Responding to Incidents 977

Chapter 18: Disaster Recovery Planning 980

Chapter 19: Investigations and Ethics 981

Chapter 20: Software Development Security 983

Chapter 21: Malicious Code and Application Attacks 984

Appendix B Answers to Written Labs 987

Chapter 1: Security Governance Through Principles and Policies 988

Chapter 2: Personnel Security and Risk Management Concepts 988

Chapter 3: Business Continuity Planning 989

Chapter 4: Laws, Regulations, and Compliance 990

Chapter 5: Protecting Security of Assets 991

Chapter 6: Cryptography and Symmetric Key Algorithms 991

Chapter 7: PKI and Cryptographic Applications 992

Chapter 8: Principles of Security Models, Design, and Capabilities 992

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures 993

Chapter 10: Physical Security Requirements 994

Chapter 11: Secure Network Architecture and Securing Network Components 994

Chapter 12: Secure Communications and Network Attacks 995

Chapter 13: Managing Identity and Authentication 996

Chapter 14: Controlling and Monitoring Access 996

Chapter 15: Security Assessment and Testing 997

Chapter 16: Managing Security Operations 997

Chapter 17: Preventing and Responding to Incidents 998

Chapter 18: Disaster Recovery Planning 999

Chapter 19: Investigations and Ethics 999

Chapter 20: Software Development Security 1000

Chapter 21: Malicious Code and Application Attacks 1000

Index 1001

Errata (Chapter | Page | Details | Date | Print Run)
Introduction | Page xxxiv | Errata in text
Under Prequalifications, second sentence,
Change
recent IT or IS degree.

To
recent IT or IS degree or an approved security certification (see www.isc2.org for details).
12-7-18

Introduction | Page xxxvi | Errata in text
First paragraph, final sentence
Change
CISSP-CAT format.

To
CISSP-CAT format in English.
12-7-18

Introduction | Page xxxvi | Errata in text
Second paragraph,
Change
The refreshed CISSP exam will be available

To
The refreshed CISSP exam is available
12-7-18

Introduction | Page xxxvii | Errata in text
Replace the paragraph beginning with "If English is not your first language..." with the following.
If English is not your first language, you may register for one of several other language versions of the exam (when applicable). Or, if you choose to use the English version of the exam, you may reference the translated (ISC)² Certification Acronym and (ISC)² Certification Terms glossaries, a complete list of acronyms and terms you may encounter during your (ISC)² exam, which is available from www.isc2.org.
Finally, (ISC)² exam policies are subject to change. Please be sure to check www.isc2.org for the current policies before you register and take the exam.
26-11-18

Introduction | Page xxxviii | Errata in text
Under "Completing the Certification Process", change 90 days to 9 months.
7-Dec-2018

Introduction | Page xli | Errata in text
Under Bonus Practice Exams, the URL at the end of the paragraph should be www.wiley.com/go/cissptestprep
12-7-18

Introduction | Page xl | Errata in text
Under The Elements of This Study Guide.
Move “Chapter Review Questions” paragraph to below that of the “Summaries” paragraph.
12-7-18

Chapter 1 | Page 28 | Errata in text
Add the following sentence as the new third sentence in the second
paragraph under "Security Standards, Baselines, and Guidelines":

"A baseline is a more operationally focused form of a standard. It
takes the goals of a security policy and the requirements of the
standards and defines them specifically in the baseline as a rule
against which to implement and compare IT systems."
5-6-18

Chapter 2 | Page 80 | Errata in text
From the Preventative section, delete "presence of security cameras or closed-circuit television (CCTV),"
20-Nov-18

Chapter 2 | Page 82 | Errata in text
In second paragraph
Change
Note that the discussion of qualitative versus quantitative risk
analysis in the next section may clarify this issue.

To
Note that the discussion of qualitative versus quantitative risk
analysis earlier in this chapter may clarify this issue.
12-7-18

Chapter 2 | Page 94 | Errata in text
Question 10, change answer D to "Vulnerabilities".
20-Nov-18

Chapter 3 | Page 121 | Errata in text
question 3, change answer B to "Review and validation of the business organization analysis"
20-Nov-18

Chapter 3 | Page 122 | Errata in text
Martin recently completed a thorough quantitative risk assessment for his organization. Which one of the following risks is least likely to be adequately addressed by his assessment?
1. Downtime from data center flooding
2. Cost of recovery from denial of service attack
3. Reputational damage from data breach
4. Remediation costs from ransomware attack
6/12/18

Chapter 4 | Page 137 | Errata in text
They provide a period of 20 years during which the inventor is granted
exclusive rights to use the invention (whether directly or via licensing
agreements).
to
They provide a period of 20 years (from the date of initial application)
during which the inventor is granted exclusive rights to use the
invention (whether directly or via licensing agreements).
15-Jun-18

Chapter 4 | Page 148 | Errata in text
Chapter 4, page 148, the first bullet under the GDPR section,
Incorrect
A data breach notification requirement that mandates that companies
inform authorities of serious data breaches within 24 hours

Correction
24 hours should be changed to 72 hours.
7/1/19

Page 201 | Errata in text
"The Kerchoff Principle" should be "The Kerckhoffs's Principle".
3-May-18

Chapter 6 | Page 222 | Errata in text
Change the sentence DES-EEE3 has an effective key length of 168 bits.
to
Mathematically, DES-EEE3 should have an effective key length of 168 bits. However, known attacks against this algorithm reduce the effective strength to 112 bits.
After the next sentence (ending in "with a decryption operation.")
add
This mode is vulnerable to the same type of attack as DES-EEE3 and, therefore, has an effective key strength of 112 bits.
After the sentence Both the third and fourth....112 bits
add
If an attacker is able to conduct a known plaintext attack against these two variants, the effective strength may be reduced to as low as 80 bits, depending upon the number of ciphertext/plaintext pairs available.
Strike the paragraph "These four variants...equally secure."
26-11-18

Page 234 | Errata in text
"The Kerchoff Principle" should be "The Kerckhoffs's Principle"
3-May-18

Chapter 7 | Page 257 | Errata in text
Incorrect
As with SSL, TLS uses TCP port 443.

Correct
As with HTTPS over SSL, HTTPS over TLS uses TCP port 443.
25-6-18

Chapter 7 | Page 271 | Errata in text
Question 1 should be,

Brian computes the digest of a single sentence of text using a SHA-2
hash function. He then changes a single character of the sentence and
computes the hash value again. Which one of the following
statements is true about the new hash value?

A. The new hash value will be one character different from the old hash value.
B. The new hash value will share at least 50% of the characters of the old hash value.
C. The new hash value will be unchanged.
D. The new hash value will be completely different from the old hash value.
25-6-18

Chapter 8 | Page 289 | Errata in text
In the "Real World Scenario" titled "Lattice-Based Access Control",
change this original sentence from:
Thus, a subject that falls between the private and sensitive labels
in a commercial scheme that reads bottom up as public, sensitive,
private, proprietary, and confidential can access only public and
sensitive data but not private, proprietary, or confidential data.
To the following:
Thus, a subject using a computer labeled as private and sensitive in
a commercial scheme (that reads bottom up as public, sensitive, private,
proprietary, and confidential) can access only private and
sensitive data but not public, proprietary, or confidential data.
In this example, the computer has a LUB as the division between
private and proprietary and a GLB as the division between public
and sensitive.
18-Sep 2018

Chapter 8 | Page 301 | Errata in text
Under ITSEC Classes and Required Assurance and Functionality heading, change the first ITSEC to "Information Technology Security Evaluation Criteria (ITSEC)".
20-Nov-18

Chapter 9 | Page 350 | Errata in text
Change "A variation of AMP is massive parallel processing (MPP), where numerous SMP systems..." to "A variation of AMP is massive parallel processing (MPP), where numerous AMP systems..."
20-Nov-18

Chapter 9 | Page 355 | Errata in text
Delete the third paragraph from the end of the page, the one starting with
“Cloud computing is a natural extension and evolution of virtualization, the internet”
12-7-18

Chapter 9 | Page 389 | Errata in text
TOCTTOU is spelled wrongly as TOCTOU
12-6-18

Chapter 9 | Page 397 | Errata in text
Q16. The final statement of this question is missing. Please include
"(Select all that apply)" after the end of the question.
See below for reference:
....in order to prevent or protect against XSS?(Select all that apply)
22-Jun-18

Chapter 10 | Page 417 | Errata in text
Chapter 10, page 417 Under the Fire Prevention, Detection, and Suppression section, second paragraph, the three corners of the fire triangle

fire, heat and oxygen.
Should be
fuel, heat and oxygen.
16/1/19

Chapter 10 | Page 427 | Errata in text
Under "Motion Detectors" replace first two sub-sentences with:
"A motion detector monitors for significant or meaningful changes
in the digital pattern of a monitored area."

"An infrared (PIR (passive infra-red)) or heat-based motion detector
monitors for significant or meaningful changes in the heat levels and
patterns in a monitored area."
7/1/19

Chapter 10 | Page 437 | Errata in text
Q17. Replace with the below content:
Which of the following statements are not true in regards to static electricity?
A. Electrostatic discharge can damage most computing components.
B. Static charge accumulation is more prevalent when there is high humidity.
C. Static discharge from a person to a metal object can be over 1,000 volts.
D. Static electricity is not managed by the deployment of a UPS.
22-Jun-18

Chapter 10 | Page 437 | Errata in text
Q14 - change must to may.
22-Jun-18

Chapter 11 | Page 448 | Errata in text
In the last sentence under routing protocols
common examples of link state routing protocols are Open Shortest Path First (OSPF) and Interior Gateway Routing Protocol (IGRP)
Should be changed to:
common examples of link state routing protocols are Open Shortest Path First (OSPF) and OSI's Intermediate System - Intermediate System (IS-IS).
26-11-18

Chapter 11 | Page 462 | Errata in text
On the line for "File Transfer Protocol (FTP)" change bold from "TCP Ports 20 (Passive Data)/Ephemeral (Active Data) and 21 (Control Connection)" to "TCP Ports 20 (Active Data)/Ephemeral (Passive Data) and 21 (Control Connection)"
20-Nov-18

Page 465 | Errata in text
on page 465,
Incorrect
Packet sniffing and other attacks are discussed in more detail in Chapter 13.

Correct
Eavesdropping and other attacks are discussed in more detail at the end of Chapter 12.
1-Feb-19

Chapter 11 | Page 483 | Errata in text
Under War Chalking. Last sentence,
replace
war dialing

with
war driving
12-7-18

Chapter 11 | Page 517 | Errata in text
Question 2, option B change to

Adding a header and possibly a footer to data as it moves down the OSI stack
7/1/19

Chapter 11 | Page 518 | Errata in text
Question 12, change to
A(n) _________________ firewall is able to make access control decisions based around the content of communications as well as the parameters of the associated protocol and software.
7/1/19

Chapter 11 | Page 519 | Errata in text
Question 16, change answer A from WAP to "802.1x".
20-Nov-18

Chapter 12 | Page 523 | Errata in text
3rd paragraph under “Secure Communications Protocols”
Kerberos is discussed further in Chapter 13, “Cryptography and Symmetric Key Algorithms.”

Should be
Kerberos is discussed further in Chapter 13, “Managing Identity and Authentication”

Chapter 12 | Page 533 | Errata in text
Under the heading Email Security Solutions:
The last sentence of first paragraph, please delete, We'll
22-Jun-18

Chapter 12 | Page 535 | Errata in text
First full paragraph, First sentence
Please change email repudiation filtering. to email reputation filtering.
22-Jun-18

Chapter 12 | Page 560 | Errata in text
Change "...Synchronous Transport Signals (STS) of SDH and/or the
Synchronous Transport Modules (STM) of SONET." to "...Synchronous
Transport Signals (STS) of SONET and/or the Synchronous Transport
Modules (STM) of SDH."
20-Nov-18

Chapter 13 | Page 587 | Errata in text
In the sentence "duplicate fingerprint on a gummi bear", Gummy is spelled wrongly (Gummi)
8-6-18

Chapter 14 | Page 655 | Errata in text
Salts add additional bits to a password before salting it and help thwart rainbow table attacks.
should be
Salting adds additional bits to a password before hashing it and helps thwart rainbow table attacks.
26-11-18

Chapter 15 | Page 675 | Errata in text
Please replace the text below, which is in lowercase, with the
text given in uppercase.
Replace lpr with LPR/LPD
22-Jun-18

Chapter 15 | Page 696 | Errata in text
In question no. 19, Fagin inspection should be Fagan inspection
8-6-18

Chapter 15 and Answers appendix | Pages 696 & 974 | Errata in text
Question 19, change "Fagin" to "Fagan".
20-Nov-18

Chapter 17 | Page 782 | Errata in text
Under heading: Network-Based DLP, Second Sentence:
edge of the negative to scan
should be changed to
edge of the network to scan
26-11-18

Chapter 17 | Page 786 | Errata in text
2nd paragraph following the heading High-Level Administrator Groups
Please change the first sentence from this
Some groups have such high privileges that even in organizations with
tens of thousands of users, their membership is limited to a very few people.

To this
Some groups have such high privileges that even in organizations with
tens of thousands of users, their membership is limited.
7/1/19

Chapter 17 | Page 786 | Errata in text
2nd paragraph following the heading High-Level Administrator Groups
Please change the sentence from
This group has so much power that membership is often restricted to
only two or three high-level administrators.

To this
This group has so much power that Microsoft recommends it contains no
users on a day-to-day basis. Administrators are only added to the group when the privileges are needed.
7/1/19

Chapter 18 | Page 817 | Errata in text
Chapter 18, page 817
Under the heading of Quality of Service.
Quality of service (QoS) controls protect the integrity of data networks under load.

should be
Quality of service (QoS) controls protect the availability of data networks under load.
21/1/19

Chapter 19 | Page 868 | Errata in text
Question 14: Change "Parole" to "Parol"
20-Nov-18

Chapter 20 | Page 887 | Errata in text
First line of list in SW-CMM and IDEAL Model Memorization sidebar
Initiating should be Initial
7/1/19

Chapter 20 | Pages 897-898 | Errata in text
under the section for Primary Keys, the last sentence referring to Figure 20.8
"Customer ID" should be "Company ID" in this sentence.
7/1/19

Page 904 | Errata in text
Under heading "NoSQL", 3rd bullet, last sentence. "JavaSsript" misspelled, should be "JavaScript".
3-May-18

Chapter 21 | Page 919 | Errata in text
In the paragraph beginning File Infector Viruses, change the end of the second sentence to

For Windows-based systems, file infector viruses commonly affect
executable files and scripts, such as those ending with .exe, .com, and .msc extensions.
7/1/19

Chapter 21 | Page 919 | Errata in text
2nd full paragraph
If you then open a Command tool and simply type GAME,

Should read
If you then open a Command prompt and simply type GAME,
7/1/19

Chapter 21 | Page 934 | Errata in text
In the sentence, The time of check to time of use (TOCTOU or TOC/TOU)
issue is a timing vulnerability that occurs when a program checks
access permissions too far in advance of a resource request.

Change TOCTOU to TOCTTOU
12-6-18

Chapter 21 | Page 934 | Errata in text
In the sentence, For example, if an operating system builds a
comprehensive list of access permissions for a user upon logon and
then consults that list throughout the logon session, a TOCTOU
vulnerability exists.

Change TOCTOU to TOCTTOU
12-6-18

Chapter 21 | Page 945 | Errata in text
In question 3B, change TOCTOU to TOCTTOU
12-6-18

Appendix A | Page 953 | Errata in text
Answer for Ch 3, question 10
Please replace the final sentence with - This yields an ALE of $750,000.
22-Jun-18

Appendix A | Page 953 | Errata in text
Chapter 3 answers, question 9 answer, final sentence, change to "This
yields an ALE of $135,000."
20-Nov-18

Appendix A | Page 960 | Errata in text
Answers to chapter 7 questions, question 1 new answer,

Answer: D. It is not possible to determine the degree of difference
between two inputs by comparing their hash values. Changing even a
single character in the input to a hash function will result in
completely different output.
25-6-18

Appendix A | Page 966 | Errata in text
Answer key for Ch 10, Q17, replace with:
B. Static charge accumulation is more prevalent when there is low humidity. High humidity is the cause of condensation, not static charge accumulation.
22-Jun-18

Appendix A | Page 966 | Errata in text
Answers appendix, pg 996, Ch 11, Question 2, change explanation to

B. Encapsulation is adding a header and possibly a footer to data as it moves down the OSI stack.
7/1/19

Appendix A | Page 967 | Errata in text
Chapter 11 answers: question answer 16, change to: A. 802.1x is an IEEE
standard for authentication which is not strictly related to wireless use.
20-Nov-18

Appendix A | Page 967 | Errata in text
Answers appendix, pg 967, Ch 11, Answer 12, change to

A. An application-level firewall is able to make access control
decisions based around the content of communications as well as the
parameters of the associated protocol and software.
7/1/19

Appendix A | Page 974 | Errata in text
In 19C, Fagan inspection is spelled wrongly as Fagin inspection
12-6-18

Appendix A | Page 985 | Errata in text
Answer 3B, change TOCTOU to TOCTTOU
12-6-18

Index | Page 1002 | Errata in text
TOCTTOU is spelled wrongly as TOCTOU
12-6-18

Index | Page 1004 | Errata in text
TOCTTOU is spelled wrongly as TOCTOU
12-6-18

Page 1013 | Errata in text
"The Kerchoff Principle" should be "The Kerckhoffs's Principle"
3-May-18

Page 1024 | Errata in text
"The Kerchoff Principle" should be "The Kerckhoffs's Principle"
3-May-18

Index | Page 1046 | Errata in text
TOCTTOU is spelled wrongly as TOCTOU
12-6-18

Chapter 2 | Page 61 | Errata in text
Chapter 2, Page: 61, paragraph after the note

LC internet

Should be
internet
7-Feb-19

Chapter 9 | Page 344 | Errata in text
Chapter 9, Change Page 344, under Local Caches
Incorrect
If the false reply is received by the client before the valid reply,
then the false reply is used to populate the ARP cache and the valid
reply is discarded as being outside an open query.

Should be
ARP cache is updated each time an ARP reply is received. The attacker
will time their attack to ensure the false or poisoned ARP response/reply
will update the targeted system's ARP cache with the invalid and mis-directing
ARP mapping of the valid IP address and the incorrect/invalid MAC address.
14-Feb-19

Answers to Assessment Test | Page li | Errata in text
Answer #37

Add "The key element in this question is the term 'or' which focuses your attention on the one-way nature of a turnstile, as opposed to the bi-directional nature of a man-trap."
14/3/2019

Chapter 1 | Page 16 | Errata in text
"chief information security officer (CISO)" needs italics
14/3/2019

Chapter 3 | Page 113 | Errata in text
At the "Alternate Sites" section, Add to end

"Typically an alternate site associated with disaster recovery planning (DRP) rather than BCP. Being aware of the potential need for an alternate site can occur during BCP development, but the triggering of use of an alternate site is often due to the full interruption of mission critical processes which is categorized as a disaster and thus falls under the DRP."
14/3/2019

Chapter 4 | Page 152 | Errata in text
Exam Essentials, in the paragraph starting with
"Understand the various types of software license agreements."
change "Click-wrap" to "click-through".
14/3/2019

Chapter 5 | Page 166 | Errata in text
4th line down, "Public" in parentheses should be removed
14/3/2019

Chapter 5 | Page 179 | Errata in text
2nd line down, "(CEO)" conflicts with "chief operating officer".
14/3/2019

Chapter 5 | Page 182 | Errata in text
3rd line down, " uploading" should be "upholding".
14/3/2019

Chapter 6 | Page 224 | Errata in text
second line from top of page part of the paragraph following Skipjack heading on the previous page, remove word "four" so the statement reads as: "...supports the same modes of operation supported by DES..."
14/3/2019

Chapter 8 | Page 304 | Errata in text
Table 8.3, in the row listed as EAL6, the description reads "...probability of cover channels..."; it should read "...probability of covert channels...".
14/3/2019

Chapter 8 | Page 307 | Errata in text
Under Accreditation, after DAA add "(The RMF now defines the DAA as the Authorization Official (AO) for internal accreditation and as the Security Control Assessor (SCA) for external accreditation. The old or new means of addressing this function may be present on the CISSP exam.)"
14/3/2019

Chapter 9 | Page 359 | Errata in text
Under "Industrial Control Systems", second paragraph, first sentence, replace "plans" with "plants".
14/3/2019

Chapter 11 | Page 462 | Errata in text
on SSL line, change "HTTP Encryption" to "HTTPS SSL/TLS Encryption".
14/3/2019

Chapter 11 | Page 518 | Errata in text
Q 12, change question to: "What type of firewall evaluates the context of network traffic to make allow and deny decisions?"
14/3/2019

Chapter 20 | Page 906 | Errata in text
in the paragraph starting on page 905 under Storage Threats and continuing on page 906, this sentence:

Furthermore, systems that operate in a multilevel security environment should provide adequate controls to ensure that shared memory and storage resources are set up with fail-safe controls so that data from one classification level is not readable at a lower classification level.

the word "fail-safe" should be "appropriate"
14/3/2019

Chapter 11 | Page 967 | Errata in text
Q 12, change answer to: "B. Stateful inspection firewalls evaluate the state or the context of network traffic. By examining source and destination addresses, application usage, source of origin, and relationship between current packets and the previous packets of the same session, stateful inspection firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities."
14/3/2019

Index | Page 1017 | Errata in text
In the index entry for Due Care and Due Diligence, the page number is listed as 25; Due Care and Due Diligence are at the top of page 26.
14/3/2019