
Errata Sheet for the Official (ISC)² Guide to the CISSP® CBK®

Error #1 - Page 217, Question 15

Q. Which of the following is incorrect when considering privilege management?


a. Privileges associated with each system, service, or application, and the defined roles within
the organization to which they are needed, should be identified and clearly documented.
b. Privileges should be managed based on least privilege. Only rights required to perform a job
should be provided to a user, group, or role.
c. An authorization process and a record of all privileges allocated should be maintained.
Privileges should not be granted until the authorization process is complete and validated.
d. Any privileges that are needed for intermittent job functions should be assigned to multiple
user accounts, as opposed to those for normal system activity related to the job function.

Textbook Answer – B (Referenced on page 727)

Correction to text – After editor review, answer D is the correct answer since "privileges that are needed
for intermittent job functions should be assigned to a different user account, etc." Reference located on
page 123, last bullet on the page.

Error #2 - Page 279, Question 20.

Q. Measures protected by steganography can be transmitted to:


a. Picture files
b. Music files
c. Video files
d. All of the above

Textbook Answer – C (Referenced on page 731)

Correction to text – After editor review, answer D is the correct answer.

Error #3 – Incorrect Diagram

It has been brought to our attention that the figures labeled 3.7 and 3.8 on pages 242-243 are identical.
The correct figure for page 243 (Figure 3.8) is below:
[Figure 3.8 (corrected): DES in s-bit cipher feedback mode. Labels recoverable from the figure: Initialization Vector loaded into the Shift Register (64 - s bits | s bits); DES Algorithm with Key; Select s bits / Discard 64 - s bits; s bits of Plaintext XOR → s bits of ciphertext; Next s bits of Plaintext XOR → Next s bits of ciphertext, with the ciphertext fed back into the shift register for the next step.]

Error #4 - Typo

On page 329, following the header of Trusted Computer Security Evaluation. The second line of this
paragraph states, “ITSEC defines four main levels (A, B, C, D)."

Correction to text – This sentence contains a typo and should read, “TCSEC defines four main levels (A,
B, C, D).”

Error #5 - Incorrect Listing of TCSEC

Page 329: The text lists the TCSEC levels as:

A Verified protection
A1 Verified design
B Mandatory protection
B3 Labeled security
B2 Structured protection
B1 Labeled security.
C Discretionary protection
C2 Discretionary protection
C1 Controlled access

Correction to text – It should state (the corrected entries, bolded in the original sheet, are B3, C2 and C1):

A Verified protection
A1 Verified design
B Mandatory protection
B3 Security Domains
B2 Structured protection
B1 Labeled security
C Discretionary protection
C2 Controlled Access
C1 Discretionary protection

Error #6 - Typo

Page 442, 2nd paragraph. The text reads, “A multiplexer overlays multiple singles into one signal for
transmission.”

Correction to text – The sentence should read, “A multiplexer overlays multiple signals into one signal
for transmission.”

Error #7 - Typo

Page 472, 4th paragraph from the bottom of the page. The last sentence reads, “Therefore, the network is
216.12.146 and the host within the network is 40.”

Correction to text – The sentence should read, “Therefore, the network is 216.12.146 and the host within
the network is 140.”

Error #8 - Correction

Page 135, 2nd paragraph starting with “password crackers...” The second sentence reads, “John the
Ripper is still very popular, and L0pht, once a hacker tool, is now regularly used by Microsoft
system administrators for password auditing and sold as such.”

Modification to text: The editors recognize that this is also called L0phtcrack.

Error #9 - Incorrect Figure 3.16


[Figure 3.16 (corrected): hybrid encryption between Sender and Receiver. Message path: Plaintext Large Message → Encryption Using Symmetric Key → Encrypted Message → Decryption Using Symmetric Key → Plaintext Message. Key path: Symmetric Key → Encryption of Symmetric Key with Public Key of Receiver → Encrypted Symmetric Key → Decryption of Symmetric Key with Private Key of Receiver → Symmetric Key.]

Error #10 - Typo


Page 262, Last paragraph. The third sentence reads, “The output for RIPEMD-160 is 150 bits,
and it also operates similarly to MD5 on 512-bit blocks.”

Correction to text – The sentence should read, “The output for RIPEMD-160 is 160 bits, and it also
operates similarly to MD5 on 512-bit blocks.”

Error #11 - Typo

Page 447, Third paragraph. The first sentence reads, “Another advantage of WAP is that both the
client and network authenticate each other.”

Correction to text – The sentence should read, “Another advantage of WPA is that both the client and
network authenticate each other.”

Error #12 - Typo

Page 448, 5th paragraph. The header of this paragraph reads, “WEP Protected Access 2 (WPA2).”

Correction to text – The text should read, “Wi-Fi Protected Access (WPA2).”

Error #13 - Page 715, Question 1.

Q. Where does the greatest risk of cybercrime come from?


a. Outsiders
b. Nation-states
c. Insiders
d. Script kiddies

Textbook Answer – A (Referenced on page 752)


Correction to text – After editor review, the correct answer is C and is referenced on page 697,
2nd paragraph.

Error #14 – Typo

Page 568, 4th paragraph, under Object-Oriented security, 3rd sentence.

Correction to text - Change “distant” to “distinct”.

Error #15 – Typo

Page 45; last sentence of paragraph titled “Reference Checks”.

Correction to text – Change “collaborating” to “corroborating”.

Error #16 – Typo

Page 61; first sentence of last paragraph.

Correction to text – Change “SLE” to “ALE”.

Error #17 – Typo

Page 69; Figure 1.5 – bottom 2 rows “D & E” under second column “Minor”.

Correction to text – Change to darker shade to match the “L” category in the key.

Error #18 - Typo

Page 69; Figure 1.5 – Key.

Correction to text – Change “I” in key to “E”.

Error #19 – Typo

Page 93; sentence 3 in paragraph 2.

Correction to text – Change “understated” to “overstated”.

Error #20 - Correction

Page 108; list of access control categories.

Correction to text – Delete “Directive”, and delete the paragraph on Directive Controls on page
647.

Error #21 – Typo

Page 152; end of sentence 3 of first complete paragraph.

Correction to text – Remove superscript question mark.

Error #22 – Correction

Page 155; last complete sentence on page.

Correction to text – Change “least of which” to “one of which”.

Error #23 – Typo


Page 205; sentence 2 of paragraph 3 under title “Audit Trail Monitoring”.

Correction to text - Change “advisory” to “adversary”.

Error #24 – Correction

Page 219; last sentence.

Correction to text – Delete “…cryptography does not support the standard of availability”.

Error #25 – Typo

Page 257; sentence 1 of paragraph 3 under title: “Key Exchange Using Diffie-Hellman”

Correction to text – Delete the apostrophe preceding the 97.

Error #26 – Correction

Page 261; formula under Simple Hash Functions.

Correction to text – Change “Hash = block 1 block 2 block 3 … end of message” to “Hash =
block 1 XOR block 2 XOR block 3 … end of message”.
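The corrected formula, Hash = block 1 XOR block 2 XOR block 3 ... , implemented as an added example (not from the errata sheet or the textbook); it assumes 4-byte blocks with zero padding of the last block, and also shows why such a simple XOR hash is not a cryptographic hash: XOR is commutative and self-cancelling, so reordering blocks or appending any block twice leaves the digest unchanged.

```python
# Added example: the "simple hash function" from page 261, Hash = block 1 XOR
# block 2 XOR block 3 ... end of message, plus two trivial collisions that
# follow from the properties of XOR. Block size is an assumption.

BLOCK_SIZE = 4  # assumed block size in bytes; the formula works for any size


def split_blocks(message: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Split the message into fixed-size blocks, zero-padding the final block."""
    padded = message + b"\x00" * (-len(message) % block_size)
    return [padded[i:i + block_size] for i in range(0, len(padded), block_size)]


def simple_xor_hash(message: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Hash = block 1 XOR block 2 XOR block 3 ... XOR last block."""
    digest = bytes(block_size)  # all-zero block is the XOR identity
    for block in split_blocks(message, block_size):
        digest = bytes(a ^ b for a, b in zip(digest, block))
    return digest


def reorder_collision(message: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Same blocks in reverse order: a different message with the same hash,
    because XOR does not depend on operand order."""
    return b"".join(reversed(split_blocks(message, block_size)))


def duplicate_block_collision(message: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append an arbitrary block twice: x XOR x = 0, so the hash is unchanged.
    The message is block-aligned first so the appended blocks stay whole."""
    aligned = b"".join(split_blocks(message, block_size))
    extra = b"\xff" * block_size  # constructed filler block; any value works
    return aligned + extra + extra


if __name__ == "__main__":
    msg = b"ABCDEFGH"  # constructed sample message, two 4-byte blocks
    print("hash     :", simple_xor_hash(msg).hex())                   # 0404040c
    print("reordered:", simple_xor_hash(reorder_collision(msg)).hex())  # 0404040c
    print("padded   :", simple_xor_hash(duplicate_block_collision(msg)).hex())
```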

Error #27 – Typo

Page 290; last sentence of paragraph 3 under title: “Infrastructure Support Systems”.

Correction to text – Insert “suppressors” at the end of the sentence.

Error #28 - Typo

Page 323; last title on page.

Correction to text – Change “Trusted Computer Base” to “Trusted Computing Base”.

Error #29 – Correction

Page 329; third complete sentence on page.

Correction to text – Change end to “user behavior changes the access control rules.”

Error #30 – Correction

Page 340; sentence 3 of paragraph titled “Internal and External Audit Oversight”.

Correction to text – Delete all after “directives”.

Error #31 – Correction

Page 350; last sentence of paragraph titled “Formalizing Continuity Planning Policy”.

Correction to text – Delete “(see sample continuity planning policy statement)”.

Error #32 – Typo

Page 386; last sentence of paragraph 2 under title “Developing Continuity and Crisis
Management Process Training and Awareness Strategies”.

Correction to text – Change “reasonability” to “responsibility”.

Error #33 – Typo

Page 403; first sentence under paragraph titled: “Section 216”.

Correction to text – Change “include” to “including”.

Error #34 – Typo

Page 405 – entire page.

Correction to text – Remove italics.

Error #35 – Typo

Page 647; last sentence of paragraph titled “Deterrent Controls”.

Correction to text – Change sentence to read “ …that prescribe penalties for violators and
misuse of detection systems as well as require video cameras, intrusion detection systems and
auditing.”

Error #36 – Typo

Page 675; sentence 1 of paragraph 3.

Correction to text – Change “tenacity” to “tendency”.

Error #37 - Correction

Page 732; question 6. Question listed in answers section doesn’t match question listed at end
of chapter.

Correction to text – Change “for an ITC system” to “for a system”.

Error #38 – Typo

Page 758; sentence 1 of paragraph 1 under title “Overview”.

Correction to text – Change “organization” to “organization’s”.

Error #39 – Typo

Page 758; sentence 1 of paragraph 3 under title “Overview”.

Correction to text – Change “organization” to “organization’s”.

Error #40 – Correction

Page 760; first bullet item under “Key Areas of Knowledge”.

Correction to text – Delete “following”.

Error #41 – Correction

Page 764; bullet item 4 under “Key Areas of Knowledge” of “Application Security”.

Correction to text – Change to read “Understand application and system development
controls for security of knowledge-based systems (e.g., expert systems)”.

Error #42 – Correction

Pages 89 and 721; question 10, answer D.

Correction to text – On pages 89 and 721, change answer D to read “All of the above”.

Error #43 – Correction

Page 120; bullet item 3 under “Logging Events”

Correction to text – Change “message authentication code” to “media access control”.

Error #44 – Correction

Page 729; question 8, answer B.

Correction to text – Change answer B to A (160 bits).

Error #45 - Correction

Pages 334 and 736; question 12, stem.

Correction to text – Change “fails to address” in question to “addresses”.

Hal

If you have further questions/comments regarding this errata sheet, please direct
them to [email protected].
