All-in-1 / CISSP All-in-One Exam Guide, Fourth Edition / Harris / 787-0
INDEX
References to figures are in italics.
*-integrity axiom, 337
*-property rule (star property rule), 334, 336
10Base2, 514
10Base5, 514
10Base-T, 514
3DES, 703
802.11a, 624
802.11b, 624
802.11e, 625
802.11f, 625
802.11g, 625
802.11h, 625
802.11i, 625–626
802.11j, 633
802.11n, 633
802.15, 634
802.16, 633
802.1X, 627–629

A
absolute addresses, 303
abstraction, 296, 962
access, defined, 155
access control administration, 222
  centralized, 223
  decentralized, 230
  Diameter, 227–229
  RADIUS, 223–224, 227
  TACACS, 224–227
  watchdog timers, 227
access control models, 210
  discretionary access control, 211
  identity-based, 212
  mandatory access control, 212–214
  role-based access control, 214–217
  sensitivity labels, 213–214
access controls, 670
  access control lists (ACLs), 220–221
  access control matrix, 219–220
  access criteria, 195–196
  accountability, 159, 243–246
  administrative controls, 232–233
  auditing, 237
  authentication, 158, 160–161
  authorization, 158, 195
  cabling, 234
  capability tables, 220
  computer controls, 234
  constrained user interfaces, 218–219
  content-dependent access control, 221
  context-dependent access control, 221–222
1113
Index.indd 1113 10/9/2007 1:56:02 PM
  control zone, 234, 250
  default to no access, 196–197
  directory services, 209
  emanation security, 248–250
  encryption, 237
  facilities, 447–454
  groups, 196
  identification, 158, 160–161, 162
  intrusion detection systems (IDSs), 250–260
  intrusion prevention systems (IPSs), 260–263
  Kerberos, 200–205
  layers, 231–232
  logical access controls, 160
  natural access control, 410–412
  need-to-know principle, 197–198
  network access, 236–237
  network architecture, 235–236
  network segregation, 233
  object reuse, 248
  overview, 155–156
  perimeter security, 233
  personnel, 454–455
  personnel controls, 232
  physical controls, 233
  practices, 246–250
  preventive, 239–240
  protocols, 237
  race condition, 159
  roles, 195
  rule-based, 217–218
  security domains, 206–208
  security-awareness training, 232
  SESAME, 205–206
  single sign-on, 198–200
  supervisory structure, 232
  system access, 235
  technical controls, 234–237
  Tempest, 249
  testing, 233
  thin clients, 209–210
  threats, 263–269
  types of, 237–242
  unauthorized disclosure of information, 247–248
  white noise, 249
  work area separation, 234
  See also identity management
access points (APs), 621
access triple, 339
accessing password files, 185
account management, 174
accountability, 159, 243–244
  keystroke monitoring, 245–246
  operations security, 1032–1033
  protecting audit data and log information, 246
  review of audit information, 245
accreditation, 371–372
ACLs, 220–221
active attacks, 753
ActiveX, 995
ActiveX Data Objects (ADO), 921
activity support, 415
Address Resolution Protocol (ARP), 529–530
administrative controls, 232–233
administrative interfaces, 984–985
Advanced Encryption Standard (AES), 697, 703–704
advisory policies, 112
adware, 645
aggregation, 927
AIC triad, 59–61
ALE. See annualized loss expectancy (ALE)
algebraic attacks, 756
algorithms, 666, 670
analog transmission signals, 505–506, 525
analytic attacks, 756
annualized loss expectancy (ALE), 95–97
annualized rate of occurrence (ARO), 96
anti-malware programs, 1005–1006
  See also malware
antivirus software, 1001–1004
  See also viruses
appliances, 559
application layer, 487, 494–495
application owners, responsibilities, 132
application security. See software security
application-level proxies, 554, 555–557
Arabo, Jason Salah, 25
architecture, 281
  and access control, 235–236
  additional storage devices, 317
  architectural view of network environments, 45–47
  central processing unit (CPU), 281–286
  CPU modes and protection rings, 308–310
  domains, 312
  enterprise architecture, 373–381
  firewalls, 560–563
  input/output device management, 317–320
  layered operating system architecture, 311, 312–314
  multiprocessing, 286–287
  open network architecture, 484
  operating systems, 287–294, 310–311
  process management, 287–292
  security architecture, 322
  Sherwood Applied Business Security Architecture (SABSA), 378
  software, 966–967
  system architecture, 321–330
  terminology, 314–315
  three-tier, 40–42
  two-tier, 40
  virtual machines, 315
  Zachman Architecture Framework, 376–378
  See also memory
arithmetic logic units (ALUs), 282
ARO. See annualized rate of occurrence (ARO)
ARP table poisoning, 530
artificial neural networks (ANNs), 977–979
assembly code, 957
asset identification and management, 1036–1037
Associate CISSP, 10
assurance, 355–356
assurance levels, 1034
asymmetric algorithms, 679
  types of, 706–713
asymmetric mode, 286–287
Asymmetrical DSL (ADSL), 607
asynchronous attacks, 383
asynchronous communication, 507, 525
asynchronous token device, 189–190
Asynchronous Transfer Mode. See ATM
ATM, 594–596
attacks
  cramming, 1087
  data diddling, 885
  denial-of-service attacks, 1010, 1086
  distributed denial-of-service, 1013–1014
  dumpster diving, 886–887
  emanations capturing, 887
  evolution of, 842–844
  excessive privileges, 885
  fake login screens, 1086
  file descriptor attacks, 1096
  fraggle, 1011
  IP spoofing, 886
  mail bombing, 1086
  man-in-the-middle attacks, 1086
  password sniffing, 885–886
  ping of death, 1086
  salami attacks, 884
  slamming, 1087
  smurf, 1010–1011
  SYN floods, 1011–1012
  teardrop, 1012–1013, 1087
  traffic analysis, 1087
  wardialing, 1086
  wiretapping, 887–888
  See also hacking
attenuation, 512, 522–523
audit committee, responsibilities, 130
auditing, 237
  physical access, 468–469
  protecting audit data and log information, 246
  review of audit information, 245
auditors
  compliance auditors, 90
  responsibilities, 134
authentication, 158, 160–161, 669
  open system authentication (OSA), 623
  protocols, 614–616
  shared key authentication (SKA), 623
Authentication Header (AH), 750
authoritative sources, 175
authorization, 158, 195, 669
  access criteria, 195–196
  creep, 197
availability, 59–60
  and access control, 157
Available Bit Rate (ABR), 595
awareness, security-awareness training, 139–142

B
backdoors, 1085–1087
background checks, 137–138
backups, 1066–1067
  choosing a software backup facility, 806
  data backup alternatives, 801–803
  differential process, 802
  electronic backup solutions, 803–806
  full backup, 802
  hardware, 796
  incremental process, 802
  software, 796–797
bandwidth, 506, 519
Bank of America, 27
base registers, 297, 298
baseband, 507–508, 525
Basel II Accord, 858
baselines, 113–114
  See also security policies
Basic Security Theorem, 335
bastion hosts, 560
BCP. See business continuity plan (BCP)
BEDO DRAM, 300
Bell-LaPadula model, 333–336
  vs. Biba model, 338
Biba model, 336–338
  vs. Bell-LaPadula model, 338
biometrics, 179–182, 183–184
  crossover error rate (CER), 179–180
  facial scans, 183
  fingerprints, 182
  hand geometry, 182
  hand topography, 183
  iris scans, 182
  keyboard dynamics, 183
  palm scans, 182
  processing speed, 181
  retina scans, 182
  signature dynamics, 182–183
  Type I and Type II errors, 179, 180
  voice prints, 183
blackout, 434
block ciphers, 685–687
blocked state, 290
Blowfish, 704–705
Bluejacking, 634
blueprints, 78–79
Bluetooth, 634
board of directors, responsibilities, 123–124, 125–126
Boeing, 36
bollards, 458
Boot Protocol (BOOTP), 531
boot sector viruses, 996
Border Gateway Protocol (BGP), 534–535
botnets, 839, 999
Brewer and Nash model, 348–349
bridges, 536–538
  vs. routers, 540
British Standard 7799 (BS7799), 71
broadband, 507–508, 525
broadcast storms, 537
broadcast transmission, 524–525
brownout, 434
browsing, 1082–1083
brute force attacks, 185, 264–265
buffer overflows, 384–388, 1096
burst EDO DRAM (BEDO DRAM), 300
bus topology, 510
business continuity, 770–771
  planning, 771
  steps, 772–774
business continuity coordinator, 776
business continuity plan (BCP), 770
  business impact analysis (BIA), 778–783
  business process recovery, 788–789
  checklist test, 818
  choosing a software backup facility, 806
  continuity planning policy statement, 777
  damage assessments, 810
  data backup alternatives, 801–803
  data recovery solutions, 807–808
  development products, 813
  disk shadowing, 804
  documentation, 798–799
  electronic backup solutions, 803–806
  electronic vaulting, 804–805
  emergency response, 820–821
  end-user environment, 800–801
  facility recovery, 789–795
  full-interruption test, 819
  goals, 814–815
  hardware backups, 796
  human resources, 799–800
  implementing strategies, 815–816
  insurance, 808–809
  interdependencies, 783–785
  life cycles, 824
  maintaining the plan, 821–823
  maximum tolerable downtime (MTD), 781–782
  parallel test, 819
  as part of the security policy and program, 774–775
  preventive measures, 786, 787
  project initiation, 776–777
  recovery and restoration, 809–813
  recovery strategies, 786–788
  remote journaling, 805
  requirements, 778
  restoration team, 810
  salvage team, 810
  simulation test, 819
  software backups, 796–797
  storing the BCP, 798
  structured walk-through test, 818–819
  supply and technology recovery, 795–800
  tape vaulting, 805–806
  testing and revising the plan, 816–821
  training, 820
  types of, 817
business enablement, 380
business impact analysis (BIA), 778–783

C
CA. See certificate authorities
cable modems, 606–608
cabling, 234, 519
  attenuation, 522–523
  bandwidth, 519
  coaxial, 520
  crosstalk, 523
  data throughput rate, 519
  fiber-optic, 522
  fire rating, 523–524
  noise, 522
  twisted-pair, 520–521
cache memory, 302
Caesar ciphers, 677
caller ID, 617
Canadian Information Processing Society. See CIPS
Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), 49
CAP, 11
Capability Maturity Model (CMM), 955–956
capability tables, 220
care-of addresses, 228
carrier sense multiple access with collision avoidance. See CSMA/CA
carrier sense multiple access with collision detection. See CSMA/CD
cascading errors, 87
CBC-MAC, 717, 718
CBK security domains, 5, 6–7
  ISO 17799 domains, 71–72
  See also security domains
CCTA Risk Analysis and Management Method (CRAMM), 89
CCTV, 461–464, 465
CD-ROM, accompanying this book, 1109
  Final mode, 1111
  installing test software, 1111
  navigation, 1111
  Practice mode, 1111
  running the QuickTime cryptography video sample, 1110
  system requirements, 1112
  technical support, 1112
  troubleshooting, 1111
cell phone cloning, 637
cell suppression, 929
central processing units, 281–286
  See also processors
CER. See crossover error rate (CER)
certificate authorities, 726–729
certificates, 729, 730
certification, 370–371
  other certification exams, 11
  reasons for getting, 1–2
  recertification requirements, 9–10
  requirements, 2–4, 9
Certification and Accreditation Professional. See CAP
Certified Information Systems Security Professional. See CISSP
Challenge Handshake Authentication Protocol (CHAP), 615, 616
change control analysts, responsibilities, 132–133
change control documentation, 1047–1048
change control process, 1045–1047
Channel Service Unit/Data Service Unit. See CSU/DSU
Chief Executive Officer (CEO), responsibilities, 124–125
Chief Financial Officer (CFO), responsibilities, 125
Chief Information Officer (CIO), responsibilities, 126–127
Chief Information Security Officer (CISO), responsibilities, 129
Chief Privacy Officer (CPO), responsibilities, 127
Chief Security Officer (CSO), responsibilities, 128–129
Chinese Wall model, 348–349
ChoicePoint, 26–27
chosen-ciphertext attacks, 754
CIA triad. See AIC triad
cipher locks, 451–452
cipher-only attacks, 753
ciphers, 670
  block, 685–687
  confusion and diffusion, 685–686
  initialization vectors, 688
  stream, 687–688, 689
  types of, 676–679
ciphertext, 665
CIPS, 8
circuit switching, 590–591
circuit-level proxies, 554, 556
CISO. See security officer
CISSP
  certification requirements, 2–4, 9
  history of, 8
  reasons for getting certification, 1–2
  recertification requirements, 9–10
  See also Associate CISSP
CISSP exam, 4–7
  other certification exams, 11
  registering for, 8–9
  tips for taking, 10–12
Clark-Wilson model, 338–342
classification, 117
  controls, 120–122
  private business vs. military classifications, 117–120
  procedures, 121
classless interdomain routing (CIDR), 504
clean power, 433
cleanroom, 952
client/server model, 908
clipping levels, 1033
clock speed, 288
closed environments, 19–20
closed systems, 372–373
  See also open systems
closed-circuit TV, 461–464, 465
clustering, 1064–1065
coaxial cable, 520
CobiT, 69–72
cognitive passwords, 160, 187
cohesion, 967–968
collision domains, 527–528
collusion, 136
COM, 971
commits, 926
committed information rate (CIR), 592
Common Criteria, 49, 366–369
  components of, 370
compartmented security mode, 352–353
compliance auditors, 90
compression viruses, 996
Computer Ethics Institute, 889
Computer Fraud and Abuse Act, 856–857
Computer Security Act of 1987, 859
Computer Security Institute. See CSI
computer-aided software engineering (CASE), 952
concealment ciphers, 674
concentrators, 536
confidentiality, 60–61, 669
  and access control, 157–158
configuration management, 954, 986–987, 1045–1048
Constant Bit Rate (CBR), 595
constrained data items (CDIs), 338
constrained user interfaces, 218–219
construction, 418–421
contact smart cards, 191–192
contactless smart cards, 192
content-dependent access control, 221, 928
context-dependent access control, 221–222, 928
contingency planning, 1070
Control Objectives for Information and related Technology. See CobiT
control units, 283
control zone, 234, 250
controlling unauthorized downgrading of information, 335
cookies, 747–748
cooperative multitasking, 289
copyright, 850
CORBA, 969–970
corporate ethics programs, 891
Corporate Information Security Officer (CISO). See security officer
corporate security, 29–31
  management, 35–37
Corporate Security Officer (CSO). See security officer
COSO framework, 69–70
cost/benefit analysis, 102–103
cost/benefit comparisons, 84
countermeasures, 46–47
  to brute force attacks, 265
  to buffer overflow attacks, 388
  to covert channels, 344
  defined, 62
  to dictionary attacks, 264
  to distributed denial-of-service attacks, 1014
  to fraggle attacks, 1011
  functionality and effectiveness of, 104–105
  to maintenance hooks, 382–383
  selection, 102–103
  to smurf attacks, 1010–1011
  to SYN floods, 1012
  to teardrop attacks, 1013
  to time-of-check/time-of-use attacks, 383–384
counter-synchronization, 188–189
coupling, 968–969
covert channels, 343–344
covert timing channel, 344
CPTED, 409–414
  activity support, 415
CPUs, 281–286
  modes and protection rings, 308–310
  See also processors
CRAMM, 89
cramming, 1087
crime
  common Internet crime schemes, 843
  complexities, 839–841
  computer-assisted crime, 836–838
  computer-targeted crime, 836–838
  defining and protecting electronic assets, 842
  evolution of attacks, 842–844
  investigations, 866–872
  other jurisdictions, 844–846
  See also laws
Crime Prevention Through Environmental Design (CPTED), 409–414
  activity support, 415
crossover error rate (CER), 179–180
crosstalk, 523
cryptanalysis, 664, 670
  differential cryptanalysis, 755
  linear cryptanalysis, 755
cryptographic keys, 190
cryptography, 659–660, 670
  asymmetric, 681–684
  attacks, 753–757
  concealment ciphers, 674
  digital envelopes, 693
  government involvement, 675–676
  hardware vs. software systems, 737
  history of, 660–665
  notation, 705
  out-of-band method, 680
  quantum cryptography, 741–742
  running key ciphers, 673–674
  security through obscurity, 64
  substitution ciphers, 660
  symmetric, 679–681
  terminology, 665–667
  See also ciphers; encryption; steganography
cryptology, 670
cryptosystems, 665, 666, 670
  services, 669–670
  strength, 668–669
  work factor, 668
CSI, 8
CSMA, 526–527
CSMA/CA, 527
CSMA/CD, 526–527
CSO. See security officer
CSU/DSU, 589
Cyber Czar, 33, 49
cybercrime. See crime
cyberlaw. See laws
cyberterrorism, 28–29

D
DAC, 211, 217
data analysts, responsibilities, 133
data buses, 285–286
data centers, 424–428
Data Circuit-Terminating Equipment (DCE), 592
data custodians, responsibilities, 131
data definition language (DDL), 921
data dictionary, 922
data diddling, 885
Data Encryption Algorithm (DEA), 696
Data Encryption Standard (DES), 696–698
  Cipher Block Chaining (CBC) mode, 699–700
  Cipher Feedback mode, 700–701
  Counter Mode (CTR), 702
  Electronic Code Book (ECB) mode, 698–699
  Output Feedback mode, 701–702
  See also Triple-DES (3DES)
data hiding, 295, 312
data inspection, 560
data leakage, 1054–1055
data link layer, 492–494, 496
data manipulation language (DML), 922
data mining, 933–935
data modeling, 966
data origin authentication, 670, 717
data owners, 57
  responsibilities, 130, 131
Data Processing Management Association. See DPMA
data remanence, 1050
data structures, 503, 967
Data Terminal Equipment (DTE), 592
data throughput rate, 519
data warehousing, 932–933
data width, 288
database management, 912–913
  ActiveX Data Objects (ADO), 921
  data mining, 933–935
  data warehousing, 932–933
  Extensible Markup Language (XML), 921
  integrity, 924–927
  Java Database Connectivity (JDBC), 921
  models, 914–919
  Object Linking and Embedding Database (OLE DB), 920–921
  Open Database Connectivity (ODBC), 920
  programming interfaces, 919–921
  relational database components, 921–924
  security issues, 927–932
  software, 913–914
  terminology, 918
database views, 929–930
databases, roles, 42–44
datagrams, 503
DCOM, 47, 972
DDR SDRAM, 300
decipher, 670
dedicated security mode, 352
degaussing, 1049
delayed loss, 88
Delphi technique, 100
demilitarized zones (DMZs), 549
denial-of-service attacks, 1010, 1086
DES. See Data Encryption Standard (DES)
device locks, 452
dialog management, 489
Diameter, 227–229
dictionary attacks, 185, 263–264
differential cryptanalysis, 755
differential power analysis, 193
Diffie-Hellman algorithm, 706–708
digital envelopes, 693
Digital Forensics Science (DFS), 873
  See also forensics
digital identities, 177
digital signals, 506, 525
Digital Signature Standard (DSS), 725
digital signatures, 722–725
Digital Subscriber Line. See DSL
Direct Access Storage Devices, 1060–1061
direct memory access (DMA), I/O using, 320
Direct Sequence Spread Spectrum (DSSS), 620–621
directories, 165–167
  object organization, 166
  role in identity management, 167–168
directory services, 165, 209, 575–576
disaster recovery, 770–771
disaster recovery plan, life cycles, 824
discretionary access control (DAC), 211, 217
ORBs, 970–971
Discretionary Security Property (ds-property), 336
disk shadowing, 804
distance-vector routing protocols, 533
Distributed Component Object Model. See DCOM
distributed computing, 969
  COM, 971
  CORBA, 969–970
  DCOM, 972
  Distributed Computing Environment (DCE), 974–975
  Enterprise JavaBeans (EJB), 972–973
  object linking and embedding (OLE), 973
distributed denial-of-service attacks, 1013–1014
DNS, 569–570
  Internet DNS and domains, 570–571
  poisoning, 572
dogs, 468
Domain Name Service. See DNS
domains, 312
doors, 421–423
double data rate SDRAM (DDR SDRAM), 300
DPMA, 8
DRAM, 299
drills, 469–470
DSL, 606
DSW Shoe Warehouse, 27
dual control, 138
dual-homed firewalls, 560
due care, 57–58, 116, 861, 1028
due diligence, 116, 861, 1028
dumpster diving, 886–887
dynamic analysis, 1002
Dynamic Host Configuration Protocol (DHCP), 530–531
dynamic keys, 629–631
dynamic link libraries (DLLs), 297
dynamic mapping, 578
dynamic packet filtering, 557–558
dynamic RAM (DRAM), 299
dynamic routing protocol, 533

E
EAP, 616
Economic Espionage Act of 1996, 859
EDO DRAM, 300
education, 51–52
  security-awareness training, 139–142
EEPROM, 301
EF. See exposure factor (EF)
El Gamal algorithm, 711
electric power, 430–436
electrically erasable programmable ROM, 301
electromagnetic analysis, 193–194
electromagnetic interference (EMI), 432, 433
electronic access control (EAC) tokens, 455
electronic monitoring, 185
Electronic Registry Systems, 36–37
electronic vaulting, 804–805
elliptic curve cryptosystems, 712
e-mail, 1072–1073
  how it works, 1074
  Message Security Protocol (MSP), 739
  Multipurpose Internet Mail Extension (MIME), 738
  Pretty Good Privacy (PGP), 739–740
  Privacy-Enhanced Mail (PEM), 738–739
  quantum cryptography, 741–742
  relaying, 1075–1076
  standards, 737–742
emanation security, 248–250
emanations capturing, 887
emergency system restart, 1038
Emory University, 36
employee controls, 138
Encapsulating Security Payload (ESP), 750
encapsulation, 295, 484–485, 503
encipher, 670
encryption, 237
  asymmetric and symmetric algorithms used together, 689–695
  defined, 665
  at different layers, 735
  Enigma machine, 663–664
  link vs. end-to-end, 735–736
  one-time pads, 671–673, 689
  ROT13, 662
  session keys, 692–695
  symmetric vs. asymmetric algorithms, 679–684
  See also cryptography
end-to-end encryption, vs. link encryption, 735–736
end-user environment, 800–801
Enigma machine, 663–664
enterprise architecture, 373–381
Enterprise JavaBeans (EJB), 972–973
enticement, 262, 883
entity authentication, 670
entity integrity, 925
entrapment, 262, 883
entry points, 421–423
environmental issues, 436–438
EPROM, 301
erasable and programmable ROM, 301
Ethernet, 513–515
ethics, 888–889
  Computer Ethics Institute, 889
  corporate ethics programs, 891
  Internet Architecture Board (IAB), 890–891
European Union Principles on Privacy, 845–846
evaluation
  accreditation, 371–372
  certification, 370–371
  Common Criteria, 366–369, 370
  Information Technology Security Evaluation Criteria (ITSEC), 364–366
  reasons for evaluation, 356–357
  See also Orange Book
Evaluation Assurance Levels (EALs), 367
exam. See CISSP exam
excessive privileges, 885
execution domain switching, 325
execution domains, 324
executive succession planning, 799
expert systems, 975–977
exposure, defined, 62
exposure factor (EF), 96
extended data out DRAM (EDO DRAM), 300
Extensible Authentication Protocol. See EAP
Extensible Markup Language. See XML
extranets, 579–580

F
facial scans, 183
  See also biometrics
Facilitated Risk Analysis Process (FRAP), 88–89
facilities, 416–417
  access controls, 447–454
  cold sites, 790–791
  hot sites, 790–791
  multiple processing centers, 794
  offsite locations, 793
  reciprocal agreements, 793–794
  recovery, 789–795
  redundant sites, 794–795
  rolling hot sites, 794
  tertiary sites, 792
  warm sites, 790–791
Failure Modes and Effect Analysis (FMEA), 89–92
failure states, 912
fake login screens, 1086
Faraday cage, 249
Fast Ethernet, 514–515
fault generation, 193
fault tree analysis, 91–92
fax security, 1076–1078
FDDI, 517–518
Federal Communications Commission (FCC), 482
Federal Privacy Act, 853, 857–858
Federal Sentencing Guidelines for Organizations, 891
federated identities, 178
fencing, 456–458
Fiber Distributed Data Interface. See FDDI
fiber-optic cable, 522
file access protection, 45
file descriptor attacks, 1096
financial fraud, 980
fingerprints, 182, 716
  See also biometrics
fire
  detection, 438, 439–442
  prevention, 438
  suppression, 439, 442–446
  testing and drills, 469–470
fire resistant ratings, 439
firewalls, 548–550, 563–566
  architecture, 560–563
  best practices, 559
  packet-filtering, 550–551
  proxy, 552–557
  stateful, 551–552
  web application, 982
flash memory, 301
Flury, Kenneth J., 25
FMEA, 89–92
footprint, 640
foreign key, vs. primary key, 922–924
forensics, 872–873
  best evidence, 881
  circumstantial evidence, 881
  conclusive evidence, 881
  corroborative evidence, 881
  direct evidence, 881
  enticement, 883
  entrapment, 883
  evidence admissible in court, 880–882
  exigent circumstances, 883
  field kits, 878
  forensics investigation process, 876–879
  hearsay evidence, 882
  incident investigators, 875
  International Organization on Computer Evidence (IOCE), 873–874
  interviewing and interrogating, 884
  means, 874
  motive, 874
  opinion evidence, 882
  opportunity, 874
  search and seizure, 883–884
  secondary evidence, 881
  surveillance, 883
forking, 289
forwarding tables, 537–538
fraggle, 1011
frame relay, 592–593
frameworks, 69–73
FRAP, 88–89
frequency analysis, 678
Frequency Hopping Spread Spectrum (FHSS), 619–620, 621
frequency-division multiplexing, 588
full-duplex, 490
fully mapped I/O, 320
functional requirements evaluation, 61
G
gap in the WAP, 636
gateways, 545–546
  H323 gateways, 600–601
general registers, 283
Generic Security Services Application Programming Interface (GSS-API), 205
governance, 73–75
Graham-Denning model, 349
Gramm-Leach-Bliley Act (GLBA), 124, 856
grid computing, 1065–1066
ground, 433
ground connectors, 419
groups, 196
GSS-API, 205
guards, 353, 467–468
guidelines, 114
  See also security policies

H
H323 gateways, 600–601
hacker intrusion, liability for, 865–866
hacking, 1078–1082
  backdoors, 1085–1087
  browsing, 1082–1083
  and companies, 29–31
  evolution of, 23–27, 34–35
  Loki attacks, 1084–1085
  and military actions, 27–28
  password cracking, 1085
  session hijacking, 1084
  sniffers, 1083–1084
  See also attacks; cyberterrorism
half-duplex, 490
halon, 443–444
hand geometry, 182
  See also biometrics
hand topography, 183
  See also biometrics
hardware backups, 796
Harrison-Ruzzo-Ullman model, 349
hashes, 718
hashing algorithms, 716, 718–720
hashing values, 716
HAVAL, 720
HDLC, 597
Health Insurance Portability and Accountability Act (HIPAA), 856
heat-activated fire detectors, 441
heuristic detection, 1001–1002
heuristic IDSs, 254
hierarchical data model, 915–916
Hierarchical Storage Management (HSM), 1067–1069
High-bit-rate DSL (HDSL), 607
High-level Data Link Control. See HDLC
High-Speed Serial Interface. See HSSI
hiring practices, 136–138
  See also personnel
HMAC, 715–717, 718
honeypots, 262, 566
hops, 736
host-based IDSs (HIDSs), 251
HSSI, 597
HTTP, 743–744
HTTP Secure (HTTPS), 744–745
hubs, 536

I
Idaho State University, 8
identification, 158, 160–161
  component requirements, 162
identifying threats, 87–88
identity management
  account management, 174
  assisted password reset, 172–173
  biometrics, 179–184
  cryptographic keys, 190
  digital identities, 177
  directories, 165–168
  federation, 178
  legacy single sign-on, 173
  memory cards, 191
  overview, 162–165
  passphrases, 190–191
  password management, 171
  password synchronization, 171–172
  passwords, 184–190
  profile update, 176–177
  provisioning, 175–176
  self-service password reset, 172
  smart cards, 191–194
  web access management (WAM), 168–171
  what companies need identity management, 178
identity repository, 175
identity theft, 268–269
Identity Theft Resource Center, 27
illogical processing, 87
IMAP, 1075
immunizers, 1002
i-Mode, 636–637
incident response, 866–869
  incident investigators, 875
  procedures, 869–872
inference, 927
inference attacks, 345
information classification. See classification
information flow model, 342–344
information gathering, 983–984
information owners, 57
information risk management (IRM), 80–81
  policy, 82
  team, 82–83
Information Sharing and Analysis Centers. See ISACs
Information Systems Audit and Control Association (ISACA), 69
Information Systems Security Association. See ISSA
Information Technology Security Evaluation Criteria (ITSEC), 49, 364–366
information warfare, 23
informative policies, 112
initialization vectors, 629–631, 688
input validation, 987–989
input/output device management, 317–320
in-rush current, 433–434
instant messaging (IM), 645–646
insurance, 107, 808–809
Integrated Services Digital Network. See ISDN
integrity, 60, 669
  and access control, 157
integrity models, goals of, 341–342
integrity verification procedures (IVPs), 339
intellectual property laws, 849
  copyright, 850
  internal protection of intellectual property, 851
  patent, 851
  software piracy, 852–853
  trade secrets, 849–850
  trademark, 850–851
Interior Gateway Routing Protocol (IGRP), 534
internal compartments, 423
International Data Encryption Algorithm (IDEA), 704
International Electrotechnical Commission (IEC), 73
International Information Systems Security Certification Consortium. See (ISC)2
International Organization on Computer Evidence (IOCE), 873–874
International Standards Organization. See ISO
International Telecommunication Union (ITU), 482
Internet, 37–40
  architecture, 40–42
  database roles, 42–44
Internet Architecture Board (IAB), 890–891
Internet Assigned Numbers Authority (IANA), 569
Internet Control Message Protocol (ICMP), 531–532
Internet Haganah, 29
Internet security, 743
  cookies, 747–748
  HTTP, 743–744
  HTTP Secure, 744–745
  Internet Security Protocol (IPSec), 749–753
  Secure Electronic Transaction (SET), 745–747
  Secure HTTP, 745
  Secure Shell (SSH), 748–749
Internet Security Association and Key Management Protocol (ISAKMP), 752
internetwork, 538
interrupt-driven I/O, 319
interrupts, 290–292, 318–319
intranets, 579–580
intrusion detection systems (IDSs), 250, 464–467
  characteristics, 467
  host-based IDSs (HIDSs), 251
  knowledge- or signature-based IDSs, 251–252
  network traffic, 259
  network-based IDSs (NIDSs), 250–251
  protocol anomaly–based IDSs, 254–255
  rule-based IDSs, 255–257
  sensors, 46, 258–259, 260
  state-based IDSs, 252–253
  statistical anomaly–based IDSs, 253–254
  traffic anomaly–based IDSs, 255
  types of, 257
intrusion prevention systems (IPSs), 260–261, 982
  honeypots, 262
  network sniffers, 262–263
invocation property, 337, 338
I/O device management, 317–320
IP, 498
IP addressing, 504
IP spoofing, 886
IP telephony. See Voice over IP (VoIP)
IPSec, 46, 610, 749–753
IPv6, 505
iris scans, 182
  See also biometrics
Irish Republican Army, 28
IRM. See information risk management (IRM)
ISACs, 32
(ISC)2, 8, 888
  process for earning credential, 4–5
  scenario-based exam questions, 4
ISDN, 604–606
ISDN DSL (IDSL), 607
ISO, 482, 483
ISO 17799, 71–73
ISO/IEC 14443, 194
isolation, 567
ISSA, 8
issue-specific policies, 111–112
IT Governance Institute (ITGI), 69
iterated tunneling, 610
ITSEC. See Information Technology Security Evaluation Criteria (ITSEC)
IVs. See initialization vectors
J
Java, 993–994
Java Database Connectivity (JDBC), 921
Java Virtual Machine (JVM), 316
Joint Analysis Development (JAD), 952

K
Kerberos, 200–201
  Key Distribution Center (KDC), 201
  and password-guessing attacks, 205
  principals, 201
  process, 201–204
  tickets, 201
  weaknesses, 204
Kerckhoffs’ Principle, 64, 668
kernel flaws, 1095
kernel mode, 285
kernel proxy firewalls, 558
key clustering, 671
key management, 732–733
  principles of, 733–734
  rules, 734
keyboard dynamics, 183
  See also biometrics
keys, 666, 667, 670
  asymmetric, 681
  session keys, 692–695
keyspaces, 666, 667, 671
keystroke monitoring, 245–246
KGB, 28
knapsack algorithms, 713
knowledge discovery in database (KDD). See data mining
knowledge-based IDSs, 251–252
knowledge-based systems, 975–977
Kosovo Air Campaign (1999), 28

L
L2TP, 613–614
LAN networking, 508
  broadcast transmission, 524–525
  cabling, 519–524
  collision domains, 527–528
  CSMA, 526–527
  Ethernet, 513–515
  FDDI, 517–518
  media access technologies, 512–519, 525–529
  multicast transmission, 524–525
  polling, 529
  protocols, 529–532
  token passing, 526
  Token Ring, 516
  topologies, 509–512
  unicast transmission, 524–525
LANs, 46
  protocols, 583
  See also Virtual LANs (VLANs)
laptop theft, 428–429
last mile, 506
lattice model, 346–347
laws
  administrative/regulatory laws, 848–849
  Basel II Accord, 858
  civil law, 846, 848
  common law, 846–847
  computer crime laws, 836–838
  Computer Fraud and Abuse Act, 856–857
  Computer Security Act of 1987, 859
  criminal law, 848
  customary law, 847
  Economic Espionage Act of 1996, 859
  Federal Privacy Act, 853, 857–858
  Gramm-Leach-Bliley Act (GLBA), 856
  Health Insurance Portability and Accountability Act (HIPAA), 856
    intellectual property laws, 849–853
    mixed law systems, 847–848
    overview, 836
    Payment Card Industry Data Security Standards (PCI DSS), 858–859
    and politics, 49–51
    privacy, 853–861
    religious law systems, 847
    Sarbanes-Oxley Act of 2002 (SOX), 855–856
    See also crime
layered approach to security, 44–45
    an architectural view, 45–47
    bringing layers together, 48–49
    a missed layer, 48
layering, 312–314
LDAP. See Lightweight Directory Access Protocol (LDAP)
least privilege, 329–330
LexisNexis, 27
liability, 861–864
    hacker intrusion, 865–866
    personal information, 864–865
licensing, 1043
lighting, 459–460
Lightweight Directory Access Protocol (LDAP), 576–577
limit registers, 297, 298
line conditioners, 434
linear cryptanalysis, 755
link encryption, 735–736
link-state routing protocols, 533
load, 418
local area networks. See LANs
local bridges, 537
local loop, 506
locks, 448–454
log scrubbers, 644
logic bombs, 1000
logical addresses, 303
logical location restrictions, 196
logon
    limiting logon attempts, 187
    spoofing at logon, 265
Loki attacks, 532, 1084–1085
loss
    annualized loss expectancy (ALE), 95–97
    delayed, 88
    exposure factor (EF), 96
    single loss expectancy (SLE), 95–97
loss potential, 88
LUC algorithm, 713
Lucifer, 644, 696
M
MAC, 212–214, 217
machine language, 957
macro languages, 997
MAID, 1063
mail bombing, 1086
mainframes, 21, 22, 1070–1072
maintenance hooks, 382–383
malware, 995–996
    anti-malware programs, 1005–1006
    components, 998
mandatory access control (MAC), 212–214, 217
mandatory vacation policy, 138
man-in-the-middle attacks, 1086
maskable interrupts, 291–292
masquerading, 530, 563
massive array of inactive disks. See MAID
maximum tolerable downtime (MTD), 781–782
MD2, 719
MD4, 719
MD5, 719–720
mean time between failures (MTBF), 1057
mean time to repair (MTTR), 1058
mechanical locks, 449–452
media controls, 1048–1053
meme viruses, 997
memory
    burst EDO DRAM (BEDO DRAM), 300
    cache, 302
    double data rate SDRAM (DDR SDRAM), 300
    dynamic RAM (DRAM), 299
    electrically erasable programmable ROM, 301
    erasable and programmable ROM, 301
    extended data out DRAM (EDO DRAM), 300
    flash, 301
    leaks, 305–306
    management, 296–298
    mapping, 302–305
    programmable ROM, 301
    protection issues, 298
    random access memory (RAM), 299–300
    read-only memory (ROM), 300–301
    static RAM (SRAM), 299
    synchronous DRAM (SDRAM), 300
    virtual, 306–307
memory cards, 191
mesh topology, 510–511
message authentication code (MAC), 714–715
message digest, 716
message integrity, 713–714
    CBC-MAC, 717, 718
    HMAC, 715–717, 718
    one-way hash, 714–715
message integrity code (MIC), 716
Message Security Protocol (MSP), 739
messages, 503
meta-directories, 167, 168, 575
methods, 960
metropolitan area networks (MANs), 581–582
microkernel, 311
microns, 288
MIME, 738
MIPS, 288
misuse-detection systems, 254
mobile code, 992
    ActiveX, 995
    botnets, 999
    Java, 993–994
    logic bombs, 1000
    malware, 995–996
    Trojan horses, 1000–1001
    viruses, 996–997
    worms, 999–1000
Mobile IP, 228
mobile phone security, 637–638
mobile technology generations, 643
modems, 606–608
modes. See security modes of operation
modification detection code (MDC), 716
monolithic kernel, 314
Moore’s Law, 320
multicast transmission, 524–525
multihomed firewalls, 553, 560–561
multilayered switches, 542
multilevel security mode, 353
multilevel security policies, 329
multipart viruses, 997
multiplexing, 583
    frequency-division multiplexing, 588
    statistical time-division multiplexing (STDM), 588
multiprocessing, 286–287, 293
multiprogramming, 288–289, 293
Multiprotocol Label Switching (MPLS), 542
Multipurpose Internet Mail Extension (MIME), 738
multiservice access technologies, 597–600
Multistation Access Units (MAUs), 516
multitasking, 289, 293
multithreaded applications, 293
multithreading, 293
MyDoom virus, 25–26
N
namespaces, 165
naming distinctions, 295
NAT. See network address translation (NAT)
National Institute of Standards and Technology (NIST), 772
natural access control, 410–412
natural surveillance, 413
network access, 236–237
network address translation (NAT), 46, 577–579
network database model, 916
Network Information System (NIS), 573–575
network layer, 491–492, 495
network operating systems (NOS), 567–568
network segregation, 233, 567
network sniffers, 262–263, 1083–1084
network-based IDSs (NIDSs), 250–251
    and switched environments, 258
Next-Generation Secure Computing Base (NGSCB), 324
nexus, 324
NIS. See Network Information System (NIS)
NIS+. See Network Information System (NIS)
NIST SP 800-30 and 800-66, 88
noise, 433, 434–435, 522
noise and perturbation, 929
nondisclosure agreements, 136
nondiscretionary access control. See role-based access control (RBAC)
noninterference model, 345
nonkeyed message digests, 716
non-maskable interrupts, 292
nonplenum cables, 523
nonrepudiation, 669
O
Object Linking and Embedding Database (OLE DB), 920–921
object linking and embedding (OLE), 973
object organization in directories, 166
object reuse, 248
object-oriented analysis (OOA), 966
object-oriented database model, 917–918
object-oriented design (OOD), 966
object-oriented programming (OOP), 958–964
object-relational database model, 918–919
objects, defined, 155
obscurity, security through, 63–64
OCTAVE, 89
Office of Homeland Security. See ISACs
one-time pads, 671–673
    vs. stream ciphers, 689
one-time passwords, 187–190
one-way functions, 710–711
one-way hash, 714–715
    attacks against, 721–722
Online Certificate Status Protocol (OCSP), 729
online encryption. See link encryption
online transaction processing (OLTP), 931–932
OOP. See object-oriented programming (OOP)
Open Database Connectivity (ODBC), 920
open network architecture, 484
Open Shortest Path First (OSPF), 534
open system authentication (OSA), 623
open systems, 372
    See also closed systems
Open Systems Interconnection reference model. See OSI model
operating system fingerprinting, 1080
operating systems, architecture, 287–294, 310–311
Operation French Fry, 26
operational goals, 66
operations security, 1027–1028
    accountability, 1032–1033
    administrative management, 1028–1031
    asset identification and management, 1036–1037
    assurance levels, 1034
    clipping levels, 1033
    clustering, 1064–1065
    configuration management, 1045–1048
    contingency planning, 1070
    data leakage, 1054–1055
    deviations from standards, 1035–1036
    Direct Access Storage Devices, 1060–1061
    environmental controls, 1070
    grid computing, 1065–1066
    Hierarchical Storage Management (HSM), 1067–1069
    input and output controls, 1040–1041
    licensing, 1043
    MAID, 1063
    mainframes, 1070–1072
    mean time between failures (MTBF), 1057
    mean time to repair (MTTR), 1058
    media controls, 1048–1053
    network and resource availability, 1056–1070
    RAID, 1061–1062
    RAIT, 1063
    remote access security, 1044
    security and network personnel, 1031–1032
    single points of failure, 1058–1060
    Storage Area Networks (SANs), 1063–1064
    system controls, 1037–1038
    system hardening, 1042–1044
    trusted recovery, 1038–1040
    unexplained or unusual occurrences, 1035
    unscheduled initial program loads (rebooting), 1036
    See also backups
Orange Book, 49, 355–356, 357–358
    Division A, 361
    Division B, 360–361
    Division C, 359
    Division D, 359
    and the Rainbow Series, 361–362
    Red Book, 362–364
ORBs, 970–971
order of concepts, 63
Organisation for Economic Co-operation and Development (OECD), 50–51
    guidelines and transborder information flow rules, 128, 845
organizational security model, 65–67
    CobiT, 69–72
    COSO framework, 69–70
    frameworks, 69–73
    operational planning, 66
    private industry requirements vs. military requirements, 80
    security governance, 73–75
    security program components, 67–69
    security program development, 76–79
    strategic planning, 66
    tactical planning, 66
organizational security policy, 110–112
Orthogonal Frequency-Division Multiplexing (OFDM), 621, 624
OSI model, 483
    application layer, 487, 494–495
    data link layer, 492–494, 496
    functions and protocols, 494–496
    network layer, 491–492, 495
    physical layer, 494, 496
    presentation layer, 487–489, 495
    protocol, 483–486
    session layer, 489–490, 495
    transport layer, 490–491, 495
    tying the layers together, 496
    where devices and protocols appear within, 47
P
packet switching, 590–591
packet-filtering firewalls, 550–551
page frames, 306
paging, 306
palm scans, 182
    See also biometrics
PAP, 614–615, 616
parameter validation, 989–992
partitioning, 929
passive attacks, 753
passphrases, 190–191
Password Authentication Protocol. See PAP
password sniffing, 885–886
passwords, 184
    accessing password files, 185
    aging, 187
    assisted password reset, 172–173
    cognitive, 160, 187
    cracking, 1085
    hashing and encryption, 186–187
    limiting logon attempts, 187
    management, 171, 184–185
    one-time, 187–190
    password checkers, 186
    password-guessing attacks, 205
    self-service password reset, 172
    synchronization, 171–172
patch management, 1006–1007
    best practices, 1009
    limitations to patching, 1008–1009
    steps, 1007–1008
patent, 851
patrol force, 467–468
Payment Card Industry Data Security Standards (PCI DSS), 858–859
PBXs, 547–548
penetration testing, 1090–1094
perimeter security, 233, 446–447
    dogs, 468
    external boundary protection mechanisms, 455–464
    facility access control, 447–454
    locks, 448–454
    patrol force and guards, 467–468
    personnel access controls, 454–455
    See also intrusion detection systems (IDSs)
permanent virtual circuits (PVCs), 593
permissions, 1097
Persian Gulf War, 28
personnel
    access controls, 454–455
    employee controls, 138
    hiring practices, 136–138
    privacy issues, 859–861
    responsibilities, 135
    termination, 138–139
    See also responsibility
pharming, 267–268
phisher scams, 27
phishing, 265–267
phreakers, 548
physical layer, 494, 496
physical location restrictions, 196
physical security, 401–404
    activity support, 415
    auditing physical access, 468–469
    computer and equipment rooms, 424–428
    construction, 418–421
    Crime Prevention Through Environmental Design (CPTED), 409–414
    designing a physical security program, 414–428
    doors and windows, 421–423, 424
    electric power, 430–436
    environmental issues, 436–438
    facilities, 416–417
    fire prevention, detection and suppression, 438–446
    internal compartments, 423
    natural access control, 410–412
    natural surveillance, 413
    planning, 404–408
    protecting assets, 428–429
    safes, 429
    security zones, 411–412
    territorial reinforcement, 413–414
    testing and drills, 469–470
    ventilation, 438
    See also perimeter security
piggybacking, 455
ping of death, 1086
piracy, 852–853
PKI. See public key infrastructure
plaintext, 665, 671
    chosen-plaintext attacks, 754
    known-plaintext attacks, 753–754
planning horizon, 67
plenum areas, 442
plenum space, 523
point of presence (PoP), 611
Point-to-Point Protocol. See PPP
politics and laws, 49–51
polling, 529
polyinstantiation, 930–931
polymorphic viruses, 997
polymorphism, 964–965
POP, 1075
port address translation (PAT), 578
port scanning, 1081–1082
ports, well-known, 501, 557
positive drains, 436
postmortem review, 1097
PPP, 610–611
PPTP, 612–613
preemptive multitasking, 289
premapped I/O, 320
presentation layer, 487–489, 495
President’s Commission on Critical Infrastructure Protection (PCCIP), 32, 406
Pretty Good Privacy (PGP), 739–740
primary key, vs. foreign key, 922–924
privacy, 853–854
    Basel II Accord, 858
    Computer Fraud and Abuse Act, 856–857
    Computer Security Act of 1987, 859
    Economic Espionage Act of 1996, 859
    employee issues, 859–861
    Federal Privacy Act, 853, 857–858
    Gramm-Leach-Bliley Act (GLBA), 856
    Health Insurance Portability and Accountability Act (HIPAA), 856
    laws, directives and regulations, 854–855
    Payment Card Industry Data Security Standards (PCI DSS), 858–859
    Sarbanes-Oxley Act of 2002 (SOX), 855–856
Privacy-Enhanced Mail (PEM), 738–739
Private Branch Exchange. See PBXs
private keys, 190, 681
Privileged Attribute Certificates (PACs), 205
privileged mode, 285
problem state, 285
procedures, 114–115
    for classification, 121
    See also security policies
process activation, 324–325
process activity, 294–296
process enhancement, 380
process isolation, 294–295
process management, 287–292
process owners, responsibilities, 133
process scheduling, 293–294
processors, 288
product line managers, responsibilities, 134
profile update, 176–177
profile-based systems, 254
program counter registers, 283
program status word (PSW), 285
programmable I/O, 319
programmable ROM, 301
project sizing, 84
PROM, 301
protection profiles, 367–368
protection rings, 308–310
protocol anomaly–based IDSs, 254–255
protocols, 237, 483–486
    authentication, 614–616
    LAN networking, 529–532
    routing, 532–536
    tunneling, 609–614
prototyping, 953
provisioning, 175–176
proxy firewalls, 552–557
public algorithms, vs. secret algorithms, 754
public key cryptography, 683, 689, 709
public key infrastructure, 709, 725–726
    certificate authorities, 726–729
    certificates, 729, 730
    Registration Authority (RA), 729
    steps, 730–732
public keys, 190, 681
public-switched telephone network (PSTN), 598
purging, 1049
Q
qualitative risk analysis, 98–101
    vs. quantitative risk analysis, 100–101
Quality of Service (QoS), 595–596
quantitative risk analysis, 92–93
    vs. qualitative risk analysis, 100–101
quantum cryptography, 741–742
query language (QL), 922
R
race condition, 159, 383, 1096–1097
radio frequency interference (RFI), 432, 433
RADIUS, 223–224, 227
RAID, 1061–1062
rainbow tables, 185
RAIT, 1063
RAM, 299–300
random access memory (RAM), 299–300
Rapid Application Development (RAD), 952
RBAC, 214–215, 217
    core, 215
    hierarchical, 215–216
RC4, 705
RC5, 705
RC6, 705
read-only memory (ROM), 300–301
ready state, 290
rebooting, 1038
receipt, 671
recertification, requirements, 9–10
Red Book, 362–364
redundant array of independent tapes. See RAIT
reference monitor, 327–328
references, checking as part of hiring practices, 136–137
referential integrity, 925
Registration Authority (RA), 729
regulatory policies, 112
relational data model, 915
relative addresses, 303
remote access, 603
    administration, 1044
    cable modems, 606–608
    DSL, 606
    guidelines, 616–617
    ISDN, 604–606
    Remote Access Service (RAS), 603–604
    security, 1044
    xDSL, 607
Remote Access Trojans (RATs), 1001
Remote Authentication Dial-In User Service (RADIUS), 223–224, 227
remote bridges, 537
remote journaling, 805
repeaters, 536
replay attacks, 185, 756
residual risk, 106
responsibility, 122–123, 134–135
    application owners, 132
    audit committee, 130
    auditors, 134
    board of directors, 123–124, 125–126
    change control analysts, 132–133
    Chief Executive Officer (CEO), 124–125
    Chief Financial Officer (CFO), 125
    Chief Information Officer (CIO), 126–127
    Chief Information Security Officer (CISO), 129
    Chief Privacy Officer (CPO), 127
    Chief Security Officer (CSO), 128–129
    data analysts, 133
    data custodians, 131
    data owners, 130, 131
    international requirements, 128
    personnel, 135
    process owners, 133
    product line managers, 134
    security administrators, 131–132
    security analysts, 132
    security steering committee, 129
    solution providers, 133
    structure, 135–136
    supervisors, 132
    system owners, 131
    users, 134
retina scans, 182
    See also biometrics
Reverse Address Resolution Protocol (RARP), 531
ring topology, 509
RISC chips, 281
risk
    accepting, 96, 107–108
    defined, 62
    handling, 107–108
    See also information risk management (IRM)
risk analysis, 83–84, 938–940
    annualized loss expectancy (ALE), 95–97
    annualized rate of occurrence (ARO), 96
    automated methods, 93–94
    costs that make up the value of information and assets, 86–87
    countermeasure selection, 102–103
    Delphi technique, 100
    exposure factor (EF), 96
    Failure Modes and Effect Analysis (FMEA), 89–92
    fault tree analysis, 91–92
    functionality and effectiveness of countermeasures, 104–105
    handling risk, 107–108
    identifying threats, 87–88
    methodologies, 88–89
    ownership of risk, 85
    protection mechanisms, 102–105
    qualitative risk analysis, 98–101
    quantitative risk analysis, 92–93, 100–101
    results, 97
    single loss expectancy (SLE), 95–97
    steps of, 94–97, 105–106
    team, 84–85
    total vs. residual risk, 106
    uncertainty, 98
    value of information and assets, 85–86
    See also risk assessment
risk assessment
    CRAMM, 89
    FRAP, 88–89
    NIST SP 800-30 and 800-66, 88
    OCTAVE, 89
    Spanning Tree Analysis, 89
    See also risk analysis
risk avoidance, 107
risk mitigation, 107
risk ownership, 85
Roaming Operations (ROAMOPS), 228
role-based access control (RBAC), 214–215, 217
    core, 215
    hierarchical, 215–216
roles, 195
rollback, 925–926
ROM, 300–301
rootkits, 643–644
ROT13, 662
rotation of duties, 138
route flapping, 533
routers, 539–540
Routing Information Protocol (RIP), 534
routing protocols, 532–536
RSA, 708–711
rule-based access control, 217–218
rule-based IDSs, 255–257
rule-based programming, 976
running key ciphers, 673–674
running state, 290
S
SABSA, 378
safe harbor requirements, 128, 845
safeguards
    defined, 62
    See also countermeasures
safes, 429
salami attacks, 884
salts, 186
SAM databases, 186–187
sandboxes, 316, 993
Sarbanes-Oxley Act of 2002 (SOX), 51, 124, 855–856
satellites, 640–641
savepoints, 926
screened hosts, 561
screened subnets, 561–563, 564
script kiddies, 842
script viruses, 998
scrubbing, 246
SDLC, 596–597
SDRAM, 300
secondary storage, 306
secret algorithms, vs. public algorithms, 754
Secure Electronic Transaction (SET), 745–747
Secure European System for Applications in a Multi-vendor Environment. See SESAME
Secure HTTP, 745
secure message format, 682
Secure MIME (S/MIME), 738
Secure Shell (SSH), 748–749
Secure Socket Layer. See SSL
SecureID, 188
security
    areas of, 22–23
    availability, 59–60
    and companies, 29–31
    confidentiality, 60–61
    education, 51–52
    history of, 19–22
    integrity, 60
    layered approach to, 44–45
    politics and laws, 49–51
    principles of, 59–61, 156–158
    relationships among security components, 63
    terminology, 61–62
    through obscurity, 63–64
    and the U.S. government, 31–33
    See also corporate security; physical security; software security
Security Accounts Management (SAM) databases, 186–187
security administration, 56–59
security administrators, responsibilities, 131–132
security analysts, responsibilities, 132
security architecture, 322
security domains, 206–208
    See also CBK security domains
security effectiveness, 380
security evaluation. See evaluation
security governance, 73–75
security kernel, 327–328
security management, 53–54
    administrative controls, 57
    example, 58
    physical controls, 57
    responsibilities, 54–55
    technical controls, 57
    top-down approach to building a security program, 55–56
    See also organizational security model
security model, 279–280, 330–331
    Bell-LaPadula model, 333–336, 338
    Biba model, 336–338
    Brewer and Nash model, 348–349
    Chinese Wall model, 348–349
    Clark-Wilson model, 338–342
    formal models, 331
    Graham-Denning model, 349
    Harrison-Ruzzo-Ulman model, 349
    information flow model, 342–344
    lattice model, 346–347
    noninterference model, 345
    and security policies, 330
    state machine models, 331–333
    See also organizational security model
security modes of operation, 351
    compartmented security mode, 352–353
    dedicated security mode, 352
    multilevel security mode, 353
    system high-security mode, 352
security officer, 56, 67–68
security parameter index (SPI), 751
security perimeter, 326–327
security policies, 110–112, 279–280, 328–329
    baselines, 113–114
    due care and due diligence, 116
    guidelines, 114
    implementation, 115–116
    procedures, 114–115
    and security models, 330
    standards, 112–113
security program development, 76–79
security standards, 112–113
    See also security policies
security zones, 381, 411–412
security-awareness training, 139–140, 232
    evaluating programs, 141–142
    specialized security training, 142
    types of, 140–141
segments, 503
self-garbling viruses, 997
semantic integrity, 925
sensitivity labels, 213–214
separation of duties, 135–136
    and the Clark-Wilson model, 340–341
    dynamic separation of duties (DSD) relations through RBAC, 216
    static separation of duty (SSD) relations through RBAC, 216
    system development, 945
Service Set ID (SSID), 622, 623
SESAME, 205–206
session hijacking, 1084
session keys, 692–695
session layer, 489–490, 495
session management, 992
SET, 745–747
SHA, 720
shared key authentication (SKA), 623
Sherwood Applied Business Security Architecture (SABSA), 378
shielded twisted pair (STP) cabling, 46, 520
shoulder surfing, 61
S-HTTP, 745
side-channel attacks, 193–194, 755–756
SIG-CS, 8
signature dynamics, 182–183
    See also biometrics
signature-based detection, 1001
signature-based IDSs, 251–252
simple integrity axiom, 337
simple security rule, 334, 336
simplex, 490
single loss expectancy (SLE), 95–97
single sign-on technologies, 198–200
    legacy single sign-on, 173
Six Sigma, 92
slamming, 1087
SLE. See single loss expectancy (SLE)
smart cards, 191–193
    attacks, 193–194
    interoperability, 194
SMDS, 596
smoke-activated fire detectors, 440–441
SMTP, 1074
smurf attacks, 1010–1011
sniffers, 262–263, 1083–1084
social engineering, 61, 185
SOCKS, 555–556
software, importance of, 905–906
software architecture, 966–967
software attacks, 194
software backups, 796–797
software development, 944–946
    Capability Maturity Model (CMM), 955–956
    change control, 953–955
    computer-aided software engineering (CASE), 952
    configuration management, 954
    methodologies, 957–969
    methods, 950–952
    prototyping, 953
software escrow, 957
software piracy, 852–853
Software Protection Association (SPA), 852
software security, 906–907
    complexity of functionality, 909
    data types, format and length, 910
    in different environments, 908
    environment vs. application, 908–909
    failure states, 912
    implementation and default issues, 910–912
    See also database management; patch management
solution providers, responsibilities, 133
SONET, 581–582, 585
source routing, 538, 565
SOX. See Sarbanes-Oxley Act of 2002 (SOX)
spam detection, 1004–1005
Spanning Tree Algorithm (STA), 538
Spanning Tree Analysis, 89
SPARC processors, 281
Special Interest Group for Computer Security. See SIG-CS
special registers, 283
Spectrum, Information Technologies and Telecommunications (SITT), 482
spiral development method, 952
split knowledge, 138
spoofing, 563
spoofing at logon, 265
spread spectrum, 619
    Direct Sequence Spread Spectrum (DSSS), 620–621
    Frequency Hopping Spread Spectrum (FHSS), 619–620, 621
    Orthogonal Frequency-Division Multiplexing (OFDM), 621
spyware, 645
SRAM, 299
SSL, 47
SSO. See single sign-on technologies
stacks, 284, 386
standards, 112–113
    See also security policies
star topology, 510
state machine models, 331–333
state-based IDSs, 252–253
stateful firewalls, 551–552
static analysis, 1002
static electricity, preventing, 437
static mapping, 578
static RAM (SRAM), 299
static routing protocol, 533
statistical anomaly–based IDSs, 253–254
statistical attacks, 757
statistical time-division multiplexing (STDM), 588
stealth viruses, 997
steering committee, responsibilities, 129
steganography, 674–675
Storage Area Networks (SANs), 1063–1064
storage devices, 317
star integrity axiom (*-integrity axiom), 337
star property rule (*-property rule), 334, 336
strategic alignment, 379
strategic goals, 66
stream ciphers, 687–688
    vs. one-time pads, 689
strong authentication, 161
strong star property rule, 334, 336
subjects, defined, 155
substitution ciphers, 660, 676, 677
subsystems, 311
supercomputers, 1072
    See also mainframes
supervisor mode, 285
supervisors, responsibilities, 132
surge, 434
surveillance devices, 460
swap space, 306
switched environments, 258
Switched Multimegabit Data Service. See SMDS
switched virtual circuits (SVCs), 593
switches, 541–542
    Layer 3 and 4 switches, 542–543
switching, 590–591
symbolic links, 1096
symmetric algorithms, 679
    types of, 695–705
symmetric mode, 286–287
Symmetrical DSL (SDSL), 607
SYN floods, 1011–1012
SYN proxies, 982
synchronous communication, 507, 525
Synchronous Data Link Control. See SDLC
synchronous DRAM (SDRAM), 300
Synchronous Optical Networks. See SONET
synchronous token device, 188–189
system architecture, 321–330
system authentication, 717
system development, 935–936
    design specifications, 942–944
    disposal, 947
    functional design analysis and planning, 940–942
    garbage collection, 949
    installation/implementation, 946
    life-cycle phases, 936–950
    managing development, 936
    operation and maintenance, 947
    postmortem review, 949
    project initiation, 937–938
    risk analysis, 938–940
    risk management, 938
    separation of duties, 945
    software development, 944–946
    testing types, 947–949
    verification vs. validation, 945
system hardening, 1042–1044
system high-security mode, 352
system owners, responsibilities, 131
system-specific policies, 112
T
TACAS, 224–227
TACAS+. See TACAS
tactical goals, 66
tape vaulting, 805–806
T-carriers, 586–587
TCP, 498–502
    TCP handshake, 502
TCP/IP, 497–498
teardrop attacks, 1012–1013, 1087
telecommunications
    defined, 482
    evolution of, 583–586
Tempest, 249
temporal isolation (time-of-day restrictions), 196
Terminal Access Controller Access Control System (TACAS), 224–227
termination, 138–139
terminology, 61–62, 918
    evolution of, 314–315
territorial reinforcement, 413–414
terrorism, 28–29
testing, physical security, 469–470
testing schedule, 1098
theft, 428–429
thin clients, 209–210
thrashing, 300
thread management, 292–293
threat agents, defined, 62
threats
    defined, 61–62
    identifying, 87–88
    relationship of threats and vulnerabilities, 87
thunking, 316
Tiger, 720
time multiplexing, 295
time-of-day restrictions (temporal isolation), 196
time-of-check/time-of-use attacks, 383–384
TKIP, 630–631
token device, 187–188
    asynchronous, 189–190
    synchronous, 188–189
token passing, 526, 527
Token Ring, 516
topologies
    bus topology, 510
    mesh topology, 510–511
    ring topology, 509
    star topology, 510
Total Quality Management (TQM), 92
total risk, 106
trade secrets, 849–850
trademark, 850–851
traffic analysis, 1087
traffic anomaly–based IDSs, 255
traffic-flow security, 735
training, security-awareness, 139–142
tranquility principle, 335
transaction-type restrictions, 196
transformation procedures (TPs), 338
transient noise, 433
translation bridges, 537
transmission
    analog and digital, 505–506
    asynchronous and synchronous, 507
    broadband and baseband, 507–508
transparent bridging, 537–538
transport adjacency, 610
transport layer, 490–491, 495
transposition ciphers, 676–679
Triple-DES (3DES), 703
Trojan horses, 1000–1001
trust, 355–356
Trusted Computer System Evaluation Criteria (TCSEC). See Orange Book
trusted computing base (TCB), 322, 323–326, 327
Trusted Network Interpretation (TNI). See Red Book
trusted path, 323
trusted recovery, 1038–1040
trusted shell, 323
tumbler locks, 449–451
tunneling protocols, 609–614
tunneling viruses, 998
twisted-pair cable, 520–521
two-factor authentication, 161
two-phase commits, 926–927
Type I and Type II errors, 179, 180
U
UDP, 498–502
unauthorized disclosure of information, 247–248
uncertainty, 98
unconstrained data items (UDIs), 339
unicast transmission, 524–525
uninterruptible power supplies. See UPSs
United States v. Jeansonne, 26
unshielded twisted pair (UTP) cabling, 520, 521
Unspecified Bit Rate (UBR), 595
UPSs
    online UPS systems, 430–431
    standby, 431
U.S. government, and security, 31–33
user errors, 88
user managers, responsibilities, 132
user mode, 285
user provisioning, 175
users, 338
    responsibilities, 134
V
value of information and assets, 85–86
    costs that make up the value, 86–87
value-added networks (VAN), 580
vandalism, 980
Variable Bit Rate (VBR), 595
ventilation, 438
verification 1:1, 160–161
video cards, RAM, 318
virtual circuits, 593
virtual directories, 167
Virtual LANs (VLANs), 543, 544–545
virtual machines, 315
    Java Virtual Machine (JVM), 316
virtual mapping, 295–296
virtual memory, 306–307
virtual private networks. See VPNs
viruses, 996–997
    antivirus software, 1001–1004
    immunizers, 1002
visual recording devices, 461–464
Voice over IP (VoIP), 598–599, 600
voice prints, 183
    See also biometrics
voltage regulators, 434
VPNs, 608–609
vulnerabilities
    buffer overflows, 1096
    defined, 61
    file and directory permissions, 1097
    file descriptor attacks, 1096
    kernel flaws, 1095
    race conditions, 1096–1097
    relationship of threats and vulnerabilities, 87
    symbolic links, 1096
vulnerability testing, 1087–1090
    penetration testing, 1090–1094
    schedule, 1098
W
WAM. See web access management (WAM)
WANs, 46, 583
    CSU/DSU, 589
    dedicated links, 586–587
    protocols, 583
    T-carriers, 586–587
    telecommunications evolution, 583–586
WAP, 635–636
    gap in the WAP, 636
war driving for WLANs, 639–640
wardialing, 264, 603–604, 1086, 1094–1095
watchdog timers, 227, 292
water sprinklers, 445–446
waterfall development method, 952
The Web, 37, 38
    vulnerabilities, 43–44
    See also Internet
web access management (WAM), 168–171
Web security, 979–980
    administrative interfaces, 984–985
    authentication and access control, 985–986
    configuration management, 986–987
    denial-of-service attacks, 981
    financial fraud, 980
    firewalls, 982
    information gathering, 983–984
    input validation, 987–989
    intrusion prevention systems (IPSs), 982
    parameter validation, 989–992
    privileged access, 980–981
    quality assurance process, 982
    session management, 992
    SYN proxies, 982
    theft of intellectual property, 981
    theft of transaction information, 981
    vandalism, 980
Weisburd, Aaron, 29
well-known ports, 501, 557
Wells Fargo Bank, 36
white noise, 249
wide area networks. See WANs
windows, 421–423, 424
Wired Equivalent Privacy (WEP), 623, 695
Wireless Application Protocol. See WAP
wireless communications, 618
    Bluetooth, 634
    current implementations, 626–627
    Direct Sequence Spread Spectrum (DSSS), 620–621
    dynamic keys, 629–631
    Frequency Hopping Spread Spectrum (FHSS), 619–620, 621
    i-Mode, 636–637
    initialization vectors, 629–631
    spread spectrum, 619
    standards, 623–634
    third generation, 641–642
    Wireless Application Protocol (WAP), 635–636
    See also mobile phone security; satellites; WLANs
wireless LANs. See WLANs
Wireless Transport Layer Security (WTLS), 635
wiretapping, 887–888
WLANs
    ad hoc WLANs, 622
    components, 621–623
    infrastructure WLANs, 622
    war driving for, 639–640
work area separation, 234
work factor, 671
wormhole attacks, 535
worms, 999–1000
X
X.25, 594
xDSL, 607
XML, 47, 921
Y
Yahoo, 27
Z
Zachman Architecture Framework, 376–378
zero knowledge proof, 713
zeroization, 1049
zombies, 563, 839
zone transfers, 570
zones, 569
LICENSE AGREEMENT
THIS PRODUCT (THE “PRODUCT”) CONTAINS PROPRIETARY SOFTWARE, DATA AND INFORMATION (INCLUDING DOCUMENTATION) OWNED BY THE McGRAW-HILL COMPANIES, INC. (“McGRAW-HILL”) AND ITS LICENSORS. YOUR RIGHT TO USE THE PRODUCT IS GOVERNED BY THE TERMS AND CONDITIONS OF THIS AGREEMENT.

LICENSE: Throughout this License Agreement, “you” shall mean either the individual or the entity whose agent opens this package. You are granted a non-exclusive and non-transferable license to use the Product subject to the following terms:

(i) If you have licensed a single user version of the Product, the Product may only be used on a single computer (i.e., a single CPU). If you licensed and paid the fee applicable to a local area network or wide area network version of the Product, you are subject to the terms of the following subparagraph (ii).

(ii) If you have licensed a local area network version, you may use the Product on unlimited workstations located in one single building selected by you that is served by such local area network. If you have licensed a wide area network version, you may use the Product on unlimited workstations located in multiple buildings on the same site selected by you that is served by such wide area network; provided, however, that any building will not be considered located in the same site if it is more than five (5) miles away from any building included in such site. In addition, you may only use a local area or wide area network version of the Product on one single server. If you wish to use the Product on more than one server, you must obtain written authorization from McGraw-Hill and pay additional fees.

(iii) You may make one copy of the Product for back-up purposes only and you must maintain an accurate record as to the location of the back-up at all times.

COPYRIGHT; RESTRICTIONS ON USE AND TRANSFER: All rights (including copyright) in and to the Product are owned by McGraw-Hill and its licensors. You are the owner of the enclosed disc on which the Product is recorded. You may not use, copy, decompile, disassemble, reverse engineer, modify, reproduce, create derivative works, transmit, distribute, sublicense, store in a database or retrieval system of any kind, rent or transfer the Product, or any portion thereof, in any form or by any means (including electronically or otherwise) except as expressly provided for in this License Agreement. You must reproduce the copyright notices, trademark notices, legends and logos of McGraw-Hill and its licensors that appear on the Product on the back-up copy of the Product which you are permitted to make hereunder. All rights in the Product not expressly granted herein are reserved by McGraw-Hill and its licensors.

TERM: This License Agreement is effective until terminated. It will terminate if you fail to comply with any term or condition of this License Agreement. Upon termination, you are obligated to return to McGraw-Hill the Product together with all copies thereof and to purge all copies of the Product included in any and all servers and computer facilities.

DISCLAIMER OF WARRANTY: THE PRODUCT AND THE BACK-UP COPY ARE LICENSED “AS IS.” McGRAW-HILL, ITS LICENSORS AND THE AUTHORS MAKE NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE RESULTS TO BE OBTAINED BY ANY PERSON OR ENTITY FROM USE OF THE PRODUCT, ANY INFORMATION OR DATA INCLUDED THEREIN AND/OR ANY TECHNICAL SUPPORT SERVICES PROVIDED HEREUNDER, IF ANY (“TECHNICAL SUPPORT SERVICES”). McGRAW-HILL, ITS LICENSORS AND THE AUTHORS MAKE NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE PRODUCT. McGRAW-HILL, ITS LICENSORS, AND THE AUTHORS MAKE NO GUARANTEE THAT YOU WILL PASS ANY CERTIFICATION EXAM WHATSOEVER BY USING THIS PRODUCT. NEITHER McGRAW-HILL, ANY OF ITS LICENSORS NOR THE AUTHORS WARRANT THAT THE FUNCTIONS CONTAINED IN THE PRODUCT WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF THE PRODUCT WILL BE UNINTERRUPTED OR ERROR FREE. YOU ASSUME THE ENTIRE RISK WITH RESPECT TO THE QUALITY AND PERFORMANCE OF THE PRODUCT.

LIMITED WARRANTY FOR DISC: To the original licensee only, McGraw-Hill warrants that the enclosed disc on which the Product is recorded is free from defects in materials and workmanship under normal use and service for a period of ninety (90) days from the date of purchase. In the event of a defect in the disc covered by the foregoing warranty, McGraw-Hill will replace the disc.

LIMITATION OF LIABILITY: NEITHER McGRAW-HILL, ITS LICENSORS NOR THE AUTHORS SHALL BE LIABLE FOR ANY INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS BUT NOT LIMITED TO, LOSS OF ANTICIPATED PROFITS OR BENEFITS, RESULTING FROM THE USE OR INABILITY TO USE THE PRODUCT EVEN IF ANY OF THEM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL APPLY TO ANY CLAIM OR CAUSE WHATSOEVER WHETHER SUCH CLAIM OR CAUSE ARISES IN CONTRACT, TORT, OR OTHERWISE. Some states do not allow the exclusion or limitation of indirect, special or consequential damages, so the above limitation may not apply to you.

U.S. GOVERNMENT RESTRICTED RIGHTS: Any software included in the Product is provided with restricted rights subject to subparagraphs (c), (1) and (2) of the Commercial Computer Software-Restricted Rights clause at 48 C.F.R. 52.227-19. The terms of this Agreement applicable to the use of the data in the Product are those under which the data are generally made available to the general public by McGraw-Hill. Except as provided herein, no reproduction, use, or disclosure rights are granted with respect to the data included in the Product and no right to modify or create derivative works from any such data is hereby granted.

GENERAL: This License Agreement constitutes the entire agreement between the parties relating to the Product. The terms of any Purchase Order shall have no effect on the terms of this License Agreement. Failure of McGraw-Hill to insist at any time on strict compliance with this License Agreement shall not constitute a waiver of any rights under this License Agreement. This License Agreement shall be construed and governed in accordance with the laws of the State of New York. If any provision of this License Agreement is held to be contrary to law, that provision will be enforced to the maximum extent permissible and the remaining provisions will remain in full force and effect.