CISSP® Study Guide (2023)

CISSP® Study Guide
Fourth Edition

Eric Conrad, Backshore Communications, Peaks Island, ME, United States
Seth Misenar, Context Security, LLC, Jackson, MS, United States
Joshua Feldman, Senior Vice President for Security Technology, Radian Group, Wayne, PA, United States

Syngress is an imprint of Elsevier
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States

Copyright © 2023 Elsevier Inc. All rights reserved.

CISSP® is a registered certification mark of (ISC)2, Inc.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

ISBN: 978-0-443-18734-6

For information on all Syngress publications visit our website at https://www.elsevier.com/books-and-journals

Publisher: Mara E. Conner
Acquisitions Editor: Chris Katsaropoulos
Editorial Project Manager: John Leonard
Production Project Manager: Stalin Viswanathan
Cover Designer: Greg Harris
Typeset by STRAIVE, India

ContentsAbout the authors ...................................................................................................xixCHAPTER 1Introduction........................................................... 1How to Prepare for the Exam ....................................................... 2The CISSP®Exam Is a Management Exam............................. 2The 2021 Update ....................................................................... 2The Notes Card Approach......................................................... 3Practice Tests............................................................................. 3Read the Glossary...................................................................... 3Readiness Checklist................................................................... 4How to Take the Exam.................................................................. 4Steps to Becoming a CISSP®.................................................... 4Computer-Based Testing (CBT) ............................................... 5CISSP®CAT ............................................................................. 5Taking the Exam ....................................................................... 6After the Exam .......................................................................... 9Good Luck!.................................................................................... 9References.................................................................................... 10CHAPTER 2Domain 1: Security and Risk Management............. 11Unique Terms and Definitions .................................................... 11Introduction.................................................................................. 12Cornerstone Information Security Concepts............................... 12Confidentiality, Integrity, and Availability............................. 
12Identity and Authentication, Authorization, andAccountability (AAA) ......................................................... 15Non-repudiation ....................................................................... 17Least Privilege and Need to Know ......................................... 17Subjects and Objects ............................................................... 18Defense-in-Depth..................................................................... 18Due Care and Due Diligence .................................................. 19Legal and Regulatory Issues ....................................................... 19Compliance With Laws and Regulations................................ 19Major Legal Systems............................................................... 20Criminal, Civil, and Administrative Law ............................... 21Liability.................................................................................... 23Due Care .................................................................................. 23Due Diligence .......................................................................... 24v

Page 8

CISSP® Study Guide (2023) - Page 8 preview image

Loading page ...

Legal Aspects of Investigations .............................................. 24Intellectual Property ................................................................ 29Privacy ..................................................................................... 33International Cooperation ........................................................ 37Import/Export Restrictions ...................................................... 38Trans-border Data Flow .......................................................... 38Important Laws and Regulations ............................................ 39Ethics ........................................................................................... 42The (ISC)2®Code of Ethics .................................................... 42Computer Ethics Institute........................................................ 44IAB’s Ethics and the Internet.................................................. 45Information Security Governance ............................................... 45Security Policy and Related Documents................................. 45Personnel Security ................................................................... 48Access Control Defensive Categories and Types ....................... 51Preventive ................................................................................ 52Detective .................................................................................. 52Corrective................................................................................. 52Recovery .................................................................................. 53Deterrent .................................................................................. 53Compensating .......................................................................... 53Comparing Access Controls .................................................... 53Risk Analysis ............................................................................... 
54Assets ....................................................................................... 55Threats and Vulnerabilities ..................................................... 55Risk = ThreatVulnerability.................................................. 55Impact ...................................................................................... 56Risk Analysis Matrix............................................................... 57Calculating Annualized Loss Expectancy............................... 57Total Cost of Ownership ......................................................... 59Return on Investment .............................................................. 59Budget and Metrics ................................................................. 60Risk Response.......................................................................... 61Quantitative and Qualitative Risk Analysis............................ 63The Risk Management Process ............................................... 64Risk Maturity Modeling .......................................................... 65Security and Third Parties ........................................................... 65Service Provider Contractual Security .................................... 65Minimum Security Requirements ........................................... 65Supply Chain Risk Management............................................. 67viContents

Page 9

CISSP® Study Guide (2023) - Page 9 preview image

Loading page ...

Vendor Governance ................................................................. 68Acquisitions ............................................................................. 68Divestitures .............................................................................. 68Third Party Assessment and Monitoring ................................ 68Outsourcing and Offshoring .................................................... 69Types of Attackers....................................................................... 70Hackers .................................................................................... 70Script Kiddies .......................................................................... 71Outsiders .................................................................................. 71Insiders..................................................................................... 71Hacktivist ................................................................................. 73Bots and Botnets...................................................................... 73Phishers and Spear Phishers .................................................... 74Summary of Exam Objectives .................................................... 75Self-Test....................................................................................... 76Self-Test Quick Answer Key ...................................................... 78References.................................................................................... 79CHAPTER 3Domain 2: Asset Security ..................................... 81Unique Terms and Definitions .................................................... 81Introduction.................................................................................. 81Classifying Data .......................................................................... 82Labels....................................................................................... 
82Security Compartments ........................................................... 82Clearance ................................................................................. 83Formal Access Approval ......................................................... 83Need to Know.......................................................................... 83Sensitive Information/Media Security .................................... 84Ownership and Inventory ............................................................ 84Asset Inventory........................................................................ 85Asset Retention........................................................................ 85Business or Mission Owners ................................................... 85Data Owners ............................................................................ 86System Owner.......................................................................... 86Custodian ................................................................................. 86Users ........................................................................................ 86Data Controllers and Data Processors..................................... 87Data Location .......................................................................... 87Data Maintenance .................................................................... 88Data Loss Prevention............................................................... 88viiContents

Page 10

CISSP® Study Guide (2023) - Page 10 preview image

Loading page ...

Digital Rights Management..................................................... 88Cloud Access Security Brokers............................................... 89Data Collection Limitation...................................................... 90Memory and Remanence............................................................. 91Data Remanence ...................................................................... 91Memory.................................................................................... 91Data Destruction .......................................................................... 94Overwriting .............................................................................. 95Degaussing............................................................................... 95Destruction............................................................................... 95Shredding ................................................................................. 96Determining Data Security Controls........................................... 96Certification and Accreditation ............................................... 96Standards and Control Frameworks ........................................ 97Scoping and Tailoring ........................................................... 100Data States ............................................................................. 100Summary of Exam Objectives .................................................. 102Self-Test..................................................................................... 102Self-Test Quick Answer Key .................................................... 104References.................................................................................. 105CHAPTER 4Domain 3: Security Architecture and Engineering .... 107Unique Terms and Definitions .................................................. 107Introduction................................................................................ 
108Secure Design Principles........................................................... 108Threat Modeling .................................................................... 108Least Privilege and Defense-in-Depth .................................. 109Secure Defaults...................................................................... 109Privacy by Design.................................................................. 109Fail Securely .......................................................................... 110Separation of Duties (SoD) ................................................... 110Keep It Simple....................................................................... 110Trust, but Verify .................................................................... 111Zero Trust .............................................................................. 111Security Models ......................................................................... 113Reading Down and Writing Up ............................................ 113State Machine Model............................................................. 114Bell-LaPadula Model............................................................. 115Lattice-Based Access Controls.............................................. 115Integrity Models .................................................................... 116viiiContents

Page 11

CISSP® Study Guide (2023) - Page 11 preview image

Loading page ...

Information Flow Model ....................................................... 118Chinese Wall Model .............................................................. 118Non-interference .................................................................... 118Take-Grant ............................................................................. 119Access Control Matrix........................................................... 119Zachman Framework for Enterprise Architecture ................ 120Graham-Denning Model........................................................ 120Harrison-Ruzzo-Ullman Model............................................. 121Evaluation Methods, Certification, and Accreditation ............. 121The International Common Criteria ...................................... 121Secure System Design Concepts ............................................... 122Layering ................................................................................. 123Abstraction............................................................................. 123Security Domains .................................................................. 123The Ring Model..................................................................... 124Open and Closed Systems ..................................................... 125Secure Hardware Architecture .................................................. 125The System Unit and Motherboard....................................... 125The Computer Bus................................................................. 126The CPU ................................................................................ 127Memory Protection ................................................................ 130Trusted Platform Module ...................................................... 132Data Execution Prevention and Address Space LayoutRandomization ................................................................... 
133Secure Operating System and Software Architecture .............. 134The Kernel ............................................................................. 134Users and File Permissions ................................................... 135Virtualization, Cloud, and Distributed Computing................... 137Virtualization ......................................................................... 138Cloud Computing .................................................................. 139Microservices, Containers, and Serverless............................ 141High-Performance Computing (HPC) and GridComputing ......................................................................... 144Peer-to-Peer ........................................................................... 145Thin Clients ........................................................................... 145Embedded Systems and The Internet of Things (IoT) ......... 146Distributed Systems and Edge Computing Systems............. 147Industrial Control Systems (ICS) .......................................... 148System Vulnerabilities, Threats, and Countermeasures ........... 149Emanations............................................................................. 149ixContents

Page 12

CISSP® Study Guide (2023) - Page 12 preview image

Loading page ...

Covert Channels .................................................................... 149Backdoors .............................................................................. 150Malicious Code (Malware).................................................... 150Server-Side Attacks ............................................................... 152Client-Side Attacks................................................................ 153Web Architecture and Attacks .............................................. 153Database Security .................................................................. 156Countermeasures.................................................................... 158Mobile Device Attacks .......................................................... 158Cornerstone Cryptographic Concepts ....................................... 159Key Terms ............................................................................. 159Confidentiality, Integrity, Authentication, andNon-repudiation ................................................................. 160Confusion, Diffusion, Substitution, and Permutation ........... 160Cryptographic Strength.......................................................... 161Monoalphabetic and Polyalphabetic Ciphers........................ 161Modular Math ........................................................................ 162Exclusive Or (XOR) .............................................................. 162Data at Rest and Data in Motion .......................................... 163Protocol Governance ............................................................. 163Types of Cryptography.............................................................. 163Symmetric Encryption........................................................... 163Asymmetric Encryption......................................................... 171Quantum Encryption.............................................................. 
173Hash Functions ...................................................................... 174Cryptographic Attacks ............................................................... 176Brute Force ............................................................................ 176Social Engineering................................................................. 176Rainbow Tables ..................................................................... 176Known Plaintext .................................................................... 178Chosen Plaintext and Adaptive Chosen Plaintext ................ 178Chosen Ciphertext and Adaptive Chosen Ciphertext ........... 178Meet-in-the-Middle Attack.................................................... 178Known Key............................................................................ 179Differential Cryptanalysis...................................................... 179Linear Cryptanalysis.............................................................. 179Implementation Attacks......................................................... 179Side-Channel Attacks ............................................................ 180Fault Injection Attacks .......................................................... 181Ransomware........................................................................... 181xContents

Page 13

CISSP® Study Guide (2023) - Page 13 preview image

Loading page ...

Birthday Attack...................................................................... 181Key Clustering ....................................................................... 182Implementing Cryptography...................................................... 182Digital Signatures .................................................................. 182Message Authenticate Code .................................................. 183HMAC.................................................................................... 183Public Key Infrastructure ...................................................... 184SSL and TLS ......................................................................... 185IPsec....................................................................................... 186PGP ........................................................................................ 187S/MIME ................................................................................. 187Escrowed Encryption............................................................. 188Steganography ....................................................................... 188Perimeter Defenses .................................................................... 189Fences .................................................................................... 189Gates ...................................................................................... 189Bollards .................................................................................. 190Lights ..................................................................................... 190CCTV..................................................................................... 191Locks...................................................................................... 192Smart Cards and Magnetic Stripe Cards............................... 196Tailgating/Piggybacking........................................................ 
198Mantraps and Turnstiles ........................................................ 198Contraband Checks................................................................ 198Motion Detectors and Other Perimeter Alarms .................... 199Doors and Windows .............................................................. 200Walls, Floors, and Ceilings ................................................... 200Guards .................................................................................... 201Dogs ....................................................................................... 201Restricted Work Areas and Escorts ...................................... 202Site Selection, Design, and Configuration................................ 202Site Selection Issues .............................................................. 202Site Design and Configuration Issues ................................... 203System Defenses........................................................................ 205Asset Tracking ....................................................................... 205Port Controls.......................................................................... 205Environmental Controls............................................................. 206Electricity............................................................................... 206HVAC .................................................................................... 208Heat, Flame, and Smoke Detectors....................................... 209xiContents

Page 14

CISSP® Study Guide (2023) - Page 14 preview image

Loading page ...

Personnel Safety, Training, and Awareness.......................... 210ABCD Fires and Suppression ............................................... 211Types of Fire Suppression Agents ........................................ 212Summary of Exam Objectives .................................................. 217Self-Test..................................................................................... 218Self-Test Quick Answer Key .................................................... 220References.................................................................................. 221CHAPTER 5Domain 4: Communication and NetworkSecurity ............................................................ 225Unique Terms and Definitions .................................................. 225Introduction................................................................................ 225Network Architecture and Design............................................. 226Network Defense-in-Depth.................................................... 226Fundamental Network Concepts ........................................... 226The OSI Model ...................................................................... 228The TCP/IP Model ................................................................ 230Encapsulation......................................................................... 232Network Access, Internet, and Transport LayerProtocols and Concepts ..................................................... 232Application Layer TCP/IP Protocols and Concepts ............. 248Transmission Media .............................................................. 252LAN Technologies and Protocols ......................................... 254LAN Physical Network Topologies ...................................... 256WAN Technologies and Protocols........................................ 257Converged Protocols.............................................................. 
259Micro-segmentation ............................................................... 262Wireless Local Area Networks ............................................. 264ZigBee.................................................................................... 267Li-Fi ....................................................................................... 268RFID ...................................................................................... 268Cellular Networks.................................................................. 269Satellite .................................................................................. 269Secure Network Devices and Protocols .................................... 270Repeaters and Hubs ............................................................... 270Bridges ................................................................................... 270Switches ................................................................................. 271Network Taps......................................................................... 273Routers ................................................................................... 274Modem ................................................................................... 278xiiContents

Page 15

CISSP® Study Guide (2023) - Page 15 preview image

Loading page ...

    DTE/DCE and CSU/DSU  278
    Operation of Hardware  278
Secure Communications  279
    Authentication Protocols and Frameworks  279
    VPN  282
    Remote Access  284
Summary of Exam Objectives  289
Self-Test  289
Self-Test Quick Answer Key  291
References  292

CHAPTER 6  Domain 5: Identity and Access Management (IAM)  295
Unique Terms and Definitions  295
Introduction  295
Authentication Methods  296
    Type 1 Authentication: Something You Know  296
    Type 2 Authentication: Something You Have  304
    Type 3 Authentication: Something You Are  306
    Someplace You Are  311
Access Control Technologies  311
    Centralized Access Control  311
    Decentralized Access Control  311
    Single Sign-On (SSO)  312
    Federated Identity Management  313
    Identity as a Service (IDaaS)  314
    Federated Identity with a Third-Party Service  315
    Credential Management Systems  316
    LDAP  316
    Kerberos  317
    Access Control Protocols and Frameworks  321
Access Control Models  323
    Discretionary Access Controls (DAC)  323
    Mandatory Access Controls (MAC)  324
    Role-Based Access Control  324
    Rule-Based Access Controls  325
    Attribute-Based Access Control (ABAC)  325
    Risk-Based Access Control  326
Identity and Access Provisioning Lifecycle  327
    Registration, Proofing, and Establishment of Identity  327
    Role Definition  328


    Provisioning and Deprovisioning  328
    Just-In-Time (JIT)  329
    Account Access Review  329
    Privilege Escalation  330
Summary of Exam Objectives  331
Self-Test  332
Self-Test Quick Answer Key  334
References  334

CHAPTER 7  Domain 6: Security Assessment and Testing  337
Unique Terms and Definitions  337
Introduction  337
Security Control Testing  338
    Internal, External, Employee, and Third-Party Testing  338
    Penetration Testing  338
    Breach Attack Simulations  340
    Vulnerability Assessment  341
    Security Audits  341
    Security Assessments  341
    Log Reviews  342
    Compliance Checks  344
    Synthetic Transactions  345
    Application Security Testing  345
    Traceability Matrix  348
    Misuse Case Testing  349
    Test Coverage Analysis  349
    Interface Testing  349
    Analyze and Report Test Outputs  350
Collecting Security Process Data  350
    Account Management  351
    Management Review and Approval  351
    Key Performance and Risk Indicators  352
    Backup Verification Data  353
    Tracking Training and Awareness  353
Summary of Exam Objectives  353
Self-Test  354
Self-Test Quick Answer Key  357
References  358


CHAPTER 8  Domain 7: Security Operations  361
Unique Terms and Definitions  361
Introduction  362
Administrative Security  362
    Administrative Personnel Controls  362
    Privileged Account Management  366
Forensics  366
    Forensic Process  367
    Forensic Tools  369
    Forensic Artifacts  370
    Forensic Media Analysis  370
    Network Forensics  373
    Forensic Software Analysis  373
    Embedded Device Forensics  373
    Electronic Discovery (eDiscovery)  374
Incident Management  374
    Managing Security Incidents  375
    Methodology  375
    Root-Cause Analysis  380
Operational Preventive and Detective Controls  380
    Firewalls  381
    Web Application Firewall (WAF)  387
    Sandboxing  388
    Endpoint Security  388
    Continuous Monitoring  391
    Threat Intelligence  391
    Intrusion Detection Systems and Intrusion Prevention Systems  392
    Egress Monitoring  395
    Security Information and Event Management  396
    User and Entity Behavior Analytics (UEBA)  396
    Machine Learning and Artificial Intelligence (AI) Based Tools  397
    Third-Party Provided Security Services  397
    Honeypots  398
    Honeynets  398
Asset Management  398
    Configuration Management  398
    Change Management  402


Continuity of Operations  403
    Service Level Agreements (SLAs)  403
    Fault Tolerance  404
BCP and DRP Overview and Process  411
    Business Continuity Planning  412
    Disaster Recovery Planning  412
    Relationship Between BCP and DRP  413
    Disasters or Disruptive Events  414
    The Disaster Recovery Process  420
Developing a BCP/DRP  422
    Project Initiation  423
    Scoping the Project  426
    Assessing the Critical State  427
    Conduct Business Impact Analysis (BIA)  427
    Identify Preventive Controls  432
    Recovery Strategy  432
    Related Plans  436
    Plan Approval  441
Backups and Availability  441
    Hardcopy Data  442
    Electronic Backups  443
    Software Escrow  445
DRP Testing, Training, and Awareness  446
    DRP Testing  446
    Training  448
    Awareness  449
Continued BCP/DRP Maintenance  449
    Change Management  449
    BCP/DRP Version Control  449
    BCP/DRP Mistakes  450
Specific BCP/DRP Frameworks  450
    NIST SP 800-34  450
    ISO/IEC-27031  451
    BS-25999 and ISO 22301  451
    BCI  452
Summary of Exam Objectives  452
Self-Test  453
Self-Test Quick Answer Key  455
References  456


CHAPTER 9  Domain 8: Software Development Security  459
Unique Terms and Definitions  459
Introduction  459
Programming Concepts  460
    Machine Code, Source Code, and Assemblers  460
    Compilers, Interpreters, and Bytecode  461
    Procedural and Object-Oriented Languages  461
    Fourth-Generation Programming Language  463
    Integrated Development Environment  463
    Computer-Aided Software Engineering (CASE)  463
    Top-Down vs. Bottom-Up Programming  464
    Types of Publicly Released Software  465
Application Development Methods  466
    Waterfall Model  467
    Sashimi Model  470
    Agile Software Development  471
    Spiral  472
    Rapid Application Development (RAD)  473
    Prototyping  474
    DevOps  474
    DevSecOps  474
    Security Orchestration, Automation, and Response  476
    Software Configuration Management  476
    SDLC  476
    Integrated Product Teams  480
    Software Escrow  480
    Code Repository Security  480
    Security of Application Programming Interfaces (APIs)  481
    Software Change and Configuration Management  482
Databases  483
    Types of Databases  483
    Database Integrity  487
    Database Replication and Shadowing  488
    Data Warehousing and Data Mining  488
Object-Oriented Design and Programming  489
    Object-Oriented Programming (OOP)  489
    Object Request Brokers  492
    Object-Oriented Analysis (OOA) and Object-Oriented Design (OOD)  493


Assessing the Effectiveness of Software Security  494
    Software Vulnerabilities  494
    Software Capability Maturity Model Integration (CMMI)  498
    Acceptance Testing  498
    Assessing the Security Impact of Acquired Software  499
Artificial Intelligence  500
    Expert Systems  500
    Artificial Neural Networks  501
    Bayesian Filtering  502
    Genetic Algorithms and Programming  503
Summary of Exam Objectives  504
Self-Test  504
Self-Test Quick Answer Key  506
References  507

Appendix: Self-Test  509
Glossary  551
Index  597


About the authors

Eric Conrad (CISSP®, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GAWN, GSEC, GMON, GISP) is a SANS Institute Fellow and Chief Technology Officer of Backshore Communications, which provides threat hunting, penetration testing, incident handling, and intrusion detection consulting services. Eric started his professional career in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and healthcare, in positions ranging from systems programmer to security engineer to HIPAA security officer and ISSO. He is coauthor of MGT414: SANS Training Program for the CISSP Certification, SEC511: Continuous Monitoring and Security Operations, and SEC542: Web App Penetration Testing and Ethical Hacking. Eric graduated from the SANS Technology Institute with a Master of Science degree in Information Security Engineering.

Seth Misenar (CISSP®, GSE, GDSA, GDAT, GMON, GCDA, GCIH, GCIA, GCFA) serves as Faculty Fellow with the SANS Institute and Principal Consultant for Jackson, Mississippi-based Context Security, LLC. He is numbered among the elite security experts worldwide to have achieved the GIAC GSE (#28) credential. Seth’s focus areas include security research, cyber defense and security operations, security architecture, and cloud security. Seth previously served as a physical and network security consultant for Fortune 100 companies and as the HIPAA and information security officer for a state government agency. Seth teaches various cybersecurity courses for the SANS Institute, including two popular courses for which he is a coauthor: the bestselling SEC511: Continuous Monitoring and Security Operations and MGT414: SANS Training Program for the CISSP Certification. Seth holds a Bachelor of Science degree from Millsaps College.

Joshua Feldman (CISSP®) is Senior Vice President for Security Technology at the Radian Group (NYSE: RDN, a real estate and mortgage insurance conglomerate). His mission is focused on protecting over 10 million US consumer financial records. He is the executive responsible for all aspects of Radian’s technical security program. Previous security roles included work at Moody’s Credit Ratings, Corning Inc., and the US Department of Defense and Department of State. In 2008, Joshua was Eric’s student when studying for the CISSP® exam and was so impressed with Eric’s mastery of the materials that he invited Eric to work with him at the DoD. Quickly after starting work, Eric invited Seth. That project ran successfully for over 8 years—a testament to the value brought for US military cyber professionals. Joshua got his start in the cyber security field when he left his public-school science teaching position in 1997 and began working for Network Flight Recorder (NFR, Inc.), a small Washington, DC-based startup making the first generation of Network Intrusion Detection Systems. He has a Bachelor of Science degree from the University of Maryland and a Master of Science degree in Cyber Operations from National Defense University. He currently resides in Philadelphia with his little dog, Jacky-boy.


CHAPTER 1
Introduction

Exam objectives in this chapter
How to Prepare for the Exam
How to Take the Exam
Good Luck!

This book is born out of real-world information security industry experience. The authors of this book have held the titles of systems administrator, systems programmer, network engineer/security engineer, security director, HIPAA security officer, senior vice president, ISSO, security consultant, instructor, and others.

This book is also born out of real-world instruction. We have logged countless road miles teaching information security classes to professionals around the world. We have taught thousands of students in hundreds of classes: both physically on most of the continents, as well as online. Classes include CISSP®, of course, but also continuous monitoring, threat hunting, penetration testing, security essentials, hacker techniques, information assurance boot camps, and others.

Good instructors know that students have spent time and money to be with them, and time can be the most precious. We respect our students and their time: we do not waste it. We teach our students what they need to know, and we do so as efficiently as possible.

This book is also a reaction to other books on the same subject. As the years have passed, other books’ page counts have grown, often past 1000 pages. As Larry Wall once said, “There is more than one way to do it” [1]. Our experience tells us that there is another way. If we can teach someone with the proper experience how to pass the CISSP® exam in a 6-day boot camp, is a 1000+ page CISSP® book really necessary?

We asked ourselves: what can we do that has not been done before? What can we do better or differently? Can we write a shorter book that gets to the point, respects our students’ time, and allows them to pass the exam?

We believe the answer is yes; you are reading the result. We know what is important, and we will not waste your time. We have taken Strunk and White’s advice to “omit needless words” [2] to heart: it is our mantra.

This book will teach you what you need to know and do so as concisely as possible.

CISSP® Study Guide. https://doi.org/10.1016/B978-0-443-18734-6.00004-0
Copyright © 2023 Elsevier Inc. All rights reserved.


How to Prepare for the Exam

Read this book and understand it: all of it. If we cover a subject in this book, we are doing so because it is testable (unless noted otherwise). The exam is designed to test your understanding of the Common Body of Knowledge, which may be thought of as the universal language of information security professionals. It is said to be “a mile wide and two inches deep.” Formal terminology is critical: pay attention to it.

The Common Body of Knowledge is updated occasionally, most recently in April 2015. This book has been updated to fully reflect the 2021 CISSP® Certification Exam Outline. Downloading and reading the exam outline is a great preparation step. You may download it here: https://www.isc2.org/CISSP-Exam-Outline.

Learn the acronyms in this book and the words they represent, backwards and forwards. Though you can generally expect acronyms on the exam to include their expanded form, students comfortable with the acronyms will be able to progress through the exam more quickly.

Much of the exam question language can appear unclear at times: formal terms from the Common Body of Knowledge can act as a beacon to lead you through the more difficult questions, highlighting the words in the question that really matter.

The CISSP® Exam Is a Management Exam

Never forget that the CISSP® exam is a management exam: answer all questions as an information security manager would. Many questions are fuzzy and provide limited background: when asked for the best answer, you may think: “it depends.” Think and answer like a manager. For example: the exam states you are concerned with network exploitation. If you are a professional penetration tester, you may wonder: am I trying to launch an exploit, or mitigate one? What does “concerned” mean? Your CSO is probably trying to mitigate network exploitation, and that is how you should answer on the exam.

The 2021 Update

The 2015 update represented a large change that moved to 8 domains of knowledge (down from 10). Lots of content was moved. The domain content can seem jumbled at times: the concepts do not always flow logically from one to the next. Some domains are large, while others are smaller. In the end this is a non-issue: you will be faced with questions from the 8 domains, and the questions will not overtly state the domain they are based on.

The updates since then (2018 and 2021) kept the same design of 8 domains. The 2021 update focused on adding more up-to-date technical content, including an emphasis on supply chain security, Zero Trust, microservices, containers, serverless, quantum cryptography, as well as other modern technical topics.


The Notes Card Approach

As you are studying, keep a “notes card” file for highly specific information that does not lend itself to immediate retention. A notes card is simply a text file (you can create it with a simple editor like WordPad) that contains a condensed list of detailed information.

Populate your notes card with any detailed information (which you do not already know from previous experience) which is important for the exam, like the five levels of the Software Capability Maturity Model Integration (CMMI; covered in Chapter 9, Domain 8: Software Development Security), or the Common Criteria Levels (covered in Chapter 4, Domain 3: Security Architecture and Engineering), for example.

The goal of the notes card is to avoid getting lost in the “weeds”: drowning in specific information that is difficult to retain at first sight. Keep your studies focused on core concepts and copy specific details to the notes card. When you are done, print the file. As your exam date nears, study your notes card more closely. In the days before your exam, really focus on those details.

Practice Tests

Quizzing can be the best way to gauge your understanding of this material, and of your readiness to take the exam. A wrong answer on a test question acts as a laser beam: showing you what you know, and more importantly, what you do not know. Each chapter in this book has 15 practice test questions at the end, ranging from easy to medium to hard. The Self-Test Appendix includes explanations for all correct and incorrect answers; these explanations are designed to help you understand why the answers you chose were marked correct or incorrect.

You should aim for 80% or greater correct answers on any practice test. The real exam requires a scaled score of at least 700 out of 1000 points, but achieving 80% or more on practice tests will give you some margin for error. Take these quizzes closed book, just as you will take the real exam. Pay careful attention to any wrong answers and be sure to reread the relevant section of this book. Identify any weaker domains (we all have them): domains where you consistently get more wrong answers than others. Then focus your studies on those weak areas.

Time yourself while taking any practice exam. Aim to answer at a rate faster than one question per minute. You need to move faster than true exam pace because the actual exam questions may be more difficult and therefore take more time. If you are taking longer than that, practice more to improve your speed. Time management is critical on the exam: running out of time usually equals failure.

Read the Glossary

As you wrap up your studies, quickly read through the glossary towards the back of this book. It has over 1000 entries and is highly detailed by design. The glossary definitions should all be familiar concepts to you at this point.


If you see a glossary definition that is not clear or obvious to you, go back to the chapter it is based on, and reread that material. Ask yourself: do I understand this concept enough to answer a question about it?

Readiness Checklist

These steps will serve as a “readiness checklist” as you near the exam day. If you remember to think like a manager, consistently score over 80% on practice tests, answer practice questions quickly, understand all glossary terms, and perform a final thorough read through of your notes card, you are ready to go.

How to Take the Exam

As of book publication: the CISSP® exam is available in eight languages: English, Chinese, Japanese, Korean, German, Spanish-Modern, Brazilian Portuguese, and French. The English exam uses CISSP® CAT (Computerized Adaptive Testing, see below), while the other languages, “are administered as linear, fixed-form exams” [3].

The English exam now has between 125 and 175 questions, with a 4-hour time limit. Four hours may sound like a long time, until you do the math: 175 questions in 240 minutes leaves 82 seconds to answer each question. The exam is long and can be grueling; it is also a race against time. Preparation is the key to success.

Note that the content on the CISSP® exam is normally updated every 3 years (the most recent update as of this book’s publication was April 2021). Note that (ISC)2® occasionally changes the number of questions on the exam and the time limit (while leaving the testable content unchanged). The most recent change (as of this book’s publication) was June 1, 2022, when the exam changed from 100–150 questions to 125–175. Always check https://www.isc2.org/Certifications/CISSP for the most recent information regarding the CISSP® exam.

Steps to Becoming a CISSP®

Becoming a CISSP® requires four steps:
Proper professional information security experience
Agreeing to the (ISC)2® code of ethics
Passing the CISSP® exam
Endorsement by another CISSP®

Additional details are available on the examination registration form available at https://www.isc2.org.

The exam currently requires 5 years of professional experience in 2 or more of the 8 domains of knowledge. Those domains are covered in Chapters 2–9 of this book.


You may waive 1 year with a college degree or approved certification; see the examination registration form for more information.

You may pass the exam before you have enough professional experience and become an “Associate of (ISC)2®.” Once you meet the experience requirement, you can then complete the process and become a CISSP®.

The (ISC)2® code of ethics is discussed in Chapter 2, Domain 1: Security and Risk Management.

Passing the exam is discussed in the section “How to take the exam,” and we discuss endorsement in the section “After the exam” below.

Computer-Based Testing (CBT)

(ISC)2® has partnered with Pearson VUE (http://www.pearsonvue.com/) to provide computer-based testing (CBT). Pearson VUE has testing centers located in over 160 countries around the world; go to their website to schedule your exam. Note that the information regarding CBT is subject to change: please check the (ISC)2®’s exam registration site (https://www.isc2.org/Register-for-Exam) for any updates to the CBT process.

According to (ISC)2®, “Candidates will receive their unofficial test result at the test center.” The results will be handed out by the Test Administrator during the checkout process. (ISC)2® will then follow up with an official result via email. In some instances, real-time results may not be available: “(ISC)2 conducts a thorough statistical and psychometric analysis of the score data to establish the pass/fail score before releasing scores. We need a minimum number of test takers before this analysis can be completed” [4]. This normally occurs when the exam changes: students have reported a 6-week wait before they received their results in the weeks following a major exam update. Immediate results followed shortly after that time.

CISSP® CAT

(ISC)2® describes CAT (Computerized Adaptive Testing): “CAT is the computerized delivery of exam items uniquely tailored to the ability of an individual candidate. Unlike fixed-form, linear exams, adaptive testing delivers items based on the demonstrated ability of a candidate during the exam. With CAT, the difficulty of each item a candidate receives is optimized to measure their ability with the greatest degree of efficiency possible” [5].

Adaptive testing can be stressful. The exam engine is designed to present questions that a candidate has a 50/50 chance of answering: “After each item is answered, the item selection algorithm determines the next item to present to the candidate with the expectation that a candidate should have approximately a 50% chance of answering that item correctly” [5]. This means the better a candidate does, the harder the exam gets. Remember that the exam score is scaled, and 50 questions are pre-test (research) questions that don’t count towards the final score.
The inclusion of pre-test questions adds to exam-day stress: assuming a minimum exam length of 125 questions, 40% (50) are unscored. That leaves 75 questions that are scored, and the adaptive engine attempts to choose questions that a candidate has a 50/50 chance of answering. A candidate who is doing well on the exam can literally be missing (well) over half the questions. Most passing students report that they were convinced they failed or were completely unsure of how they did until they received their results. This includes students who passed with 125 questions (meaning they did extremely well).

Studies have shown that doing well on the first 5 to 10 questions is critical: "spending more time and attention on the first five or ten items on a computer adaptive test will improve an examinee's final ability estimate" [6]. Doing well in the beginning means the exam will become more difficult as the exam engine attempts to present questions that a candidate will get correct 50% of the time. This can add to exam-day stress: the better a candidate does, the harder it gets.

If the exam ends at 125 questions, it means one of two things: the candidate either aced the exam or failed. The candidate is somewhere in between if the exam continues past 125 questions. The exam may end at any point after that, and will end by question 175.

Taking the Exam

The English exam has between 125 and 175 questions, comprising four types:

Multiple choice
Scenario
Drag/drop
Hotspot

Multiple-choice questions have four possible answers, lettered A, B, C, or D. Each multiple-choice question has exactly one correct answer. A blank answer is a wrong answer: guessing does not hurt you.

Scenario questions contain a long paragraph of information, followed by several multiple-choice questions based on the scenario. The questions themselves are multiple choice, with one correct answer only, as with other multiple-choice questions. The scenario is often quite long and contains unnecessary information. It is often helpful to read the scenario questions first: this method will provide guidance on keywords to look for in the scenario.

Drag and drop questions are visual multiple-choice questions that may have multiple correct answers. Fig. 1.1 is an example from Chapter 2, Domain 1: Security and Risk Management.

Drag and drop: Identify all objects listed below. Drag and drop all objects from left to right.

As we will learn in Chapter 2, Domain 1: Security and Risk Management, passive data such as physical files, electronic files, and database tables are objects. Subjects are active, such as users and running processes. Therefore, you would drag the objects to the right, and submit the answers, as shown in Fig. 1.2.
FIG. 1.1 Sample drag and drop question.

FIG. 1.2 Sample drag and drop answer.
Hotspot questions are visual multiple-choice questions with one answer. They will ask you to click on an area on an image; network maps are a common example. Fig. 1.3 shows a sample hotspot question.

You plan to implement a single firewall that can filter trusted, untrusted, and DMZ traffic. Where is the best location to place this firewall?

As we will learn in Chapter 5, the single firewall DMZ design requires a firewall that can filter traffic on three interfaces: untrusted (the Internet), trusted, and DMZ. It is best placed as shown in Fig. 1.4.

FIG. 1.3 Sample hotspot question.

FIG. 1.4 Sample hotspot answer.
The questions will be mixed from the 8 domains; the questions do not (overtly) state the domain they are based on. There are 50 pre-test (research) questions that do not count towards your final score. These questions are not marked: you must answer all questions as if they count.

Scan all questions for the keywords, including formal Common Body of Knowledge terms. Acronyms are your friend: you can identify them quickly, and they are often important (if they are formal terms). Many words may be "junk" words, placed there to potentially confuse you: ignore them. Pay careful attention to small words that may be important, such as "not." And remember to really focus on the first 10 questions.

After the Exam

(ISC)²® no longer releases the numeric score of students who fail the exam (as they once did). Pass or fail, you will not know your numeric score: "(ISC)² does not report to candidates the number of questions they answered correctly or the overall percentage of questions they answered correctly; however, failing candidates are provided with the rank ordering of domains based on their percentage of questions answered correctly in each domain of the examination" [7]. If you do fail, use that list to hone your studies, focusing on your weak domains. Then retake the exam. Do not let a setback like this prevent you from reaching your goal. We all suffer adversity in our lives: how we respond is what is important. The exam's current retake policy is:

Test-free days between retake attempts:

If you don't pass the exam on your first attempt, you may retest after 30 test-free days.

If you don't pass the exam on your second attempt, you may retest after 60 test-free days from your most recent exam attempt.

If you don't pass the exam on your third attempt and for all subsequent retakes, you may retest after 90 test-free days from your most recent exam attempt.

Per certification program, at a maximum you may attempt an (ISC)² exam up to 4 times within a 12-month period [8].

Once you pass the exam, you will need to be endorsed by another CISSP® before earning the title "CISSP®"; (ISC)²® will explain this process to you in the email they send with your passing results.

Good Luck!

We live in an increasingly certified world, and information security is growing into a full profession. Becoming a CISSP® can provide tremendous career benefits, as it has for the authors' team.