- CISSP is known as a Certified Information System Security Professional. Now it is one of the most globally recognized certifications in information security. So, the certificate is taken by people who are responsible for maintaining the security posture for an enterprise-level.
- It is not at all entry-level certification that requires a minimum of 5 years of experience in information security and two or more eight domains of CISSP.
- You will understand how important this certification is because it has been more than 26 years since CISSP launched in 1994, and since then, there are only 140 thousand people certified across the globe.
Part of CISSP certification: There are eight domains of CISSP Certification:
Domain 1: Security and risk management (15%): It is all about security risk and control. It will give you a complete perspective of security risk, governance risk management, and it also talks about at an enterprise-level, how you can take care of business continuity planning. It also gives you a flavor of understanding the loss that’s is following across the globe. This particular domain has the highest percentage in the examination.
Domain 2: Asset Security (10%): The next part is assets security, a relatively short domain but indeed a significant one. We will talk about various things that we deal with to protect assets (it is about the information assets that are the data).
Domain 3: Security Architecture and engineering (13%): It is one of the humongous domains in CISSP; it includes five different modules and three other parts. It talks about cryptography, security architecture, and engineering, system architecture, and it also talks about physical security. So it is essential for the examination perspective.
Domain 4: Communication and network security (14%): It is one of the most extensive fields in CISSP from a content perspective and indeed important once. Many people do not have a networking background; they have difficulty understanding many of the concepts from this domain.
Domain 5: Identity and access management (ISM) (13%): Indeed, it is one of the binding domain essentials, but there are few concepts in specific parts that are testable from an examination perspective.
Domain 6: Security assessment and testing (12%): In this domain, we look at various aspects that we need to know from an application security perspective: the different things we need to understand while we asset or test an application from a security perspective.
Domain 7: Security operations (13%): Many people have first-hand experience in this domain because it talks about the concepts that everybody follows or sees at their day to day level. So it is going to change management, patch management, or vulnerability management. Many people who have worked in information security have done at least one thing in the security operations section.
Domain 8: Software development security (10%): In this, we will see various ways of developing software (like software development life cycle, life cycle model, and activity of malicious code and their impact on applications, including your software applications).
- CISSP is a CAT (Computer Adaptive Test)
- How exactly CAT format works: When you start the examination, you will give the first question; the question would have four responses; choose one of the right answers. Now the movement, you select a reply and submit the response; the next question will base on the previous question’s response. If someone has done the last question correctly, the next question will be a slight difficulty level. If someone has done the previous question incorrectly, the next question will be a slightly lower difficulty level.
- When the examination gets over, the result will decide based on the three rules.
- Confidence interval rule.
- Minimum length exam rule.
- Run out of time rule.
- 3 hours of duration.
- You can not flag the question and go back to the previous one.
- You will be given a “Wipr Board” and pen with an inbuilt calculator in the testing system.
- Questions are weighted.
Domain:1 Security Risk and governance:
- Understand and apply the concept of confidentiality, integrity, and availability.
- Develop, and implement security policy, standards, procedures, and guidelines.
- Understanding risk management concepts.
- Identify, analyze, and prioritize business continuity requirements.
Confidentiality: Confidentiality means any communication or any information intended for a specific audience; we will only share with those audiences. The best method to protect the confidentiality of the data would be encryption. Now data at any state needs to be protected. So data has typically three different forms:
- 1.DIM (Data in motion)
- 2.DAR (Data at rest)
- 3.DIU (Data in use)
Integrity: Any unauthorized modification of the data by an authorized or unauthorized person called as there is a compromise or breach in the integrity. We need to ensure that any unauthorized modification or alteration of any data by any authorized and unauthorized person will be called a compromise or a breach of integrity—the best method or approach for the examination perspective made through the concept of hashing.
Availability: Availability is going to ensure that the data is available whenever it’s needed. Whenever someone wants to access the information, it should be available to us. The best method to achieve availability is fault-tolerance.
- Develop, and implement security policy, standards, procedures, and guidelines.
What exactly is your policy? Now, these documents are essential for any organization. They need to keep a hold of these documents because if we do not have these documents, it is difficult for any enterprise or organization to create security or drive a security project at any organization.
Policy: It is a mandatory document that precisely the system is going to state. It is a high-level requirement for security for any organization. Some security policies are:
- Access control
- Network security
- Risk management
- Training and awareness
Standards: Standards are also mandatory. Standard suggests that it(policies) is compulsory for every newly hired employee. So whenever someone joins the very first time the organization, they go through the mandatory orientation program.
Guidelines: Policy and standard are mandatory, but guidelines are optional. It is going to suggest the best practice.
Baseline: Just like policy and the standard, the baseline is also mandatory. The baseline is the minimum-security requirement. It suggests to you how the guidelines and measures can implement.
Procedure: Procedure is the step by step process to conduct any business tasks.
- Understanding risk management concepts:
- 1. Asset valuation: Value of an asset.
- 2. Vulnerability: A weakness, a lack of safeguards.
- 3. Threat Has the potential to harm the asset.
- 4. Exploit Instance of compromise.
- 5. Risk: Likelihood that a threat will exploit a vulnerability in an asset.
- 6. Controls: Protective mechanism to a security vulnerability.
- Identify, analyze, and prioritize business continuity requirements:
Business continuity is going to help you to prepare for any disaster.
- Understand legal and regulatory issues that pertain to information security in a global context:
- 1. Laws apply to all organizations that collect data from EU residents or process that information on behalf of someone who manages it.
- 2. General data protection regulation:
- 3. Breaches informed within 72 hours.
- 4. Centralized data protection authorities.
- 5. Individuals will have access to their data.
- 6. Right to be forgotten: Delete information if it’s no longer required.
Domain:2 Asset security
- Identify and classify information and assets.
- Determine and maintain information and asset ownership.
- Determine data security controls.
- Establish information and asset handling requirements.
- Identify and classify information and asset:
- PII (Personally identifiable information):
- Date of birth
- Phone number
- PHI (Protected health information):
- Medical history
- Chronic Ailment
- Medical records
- Proprietary information:
- Intellectual property
- Organizational sensitive information
- Data classification:
Data classification is essential because any security control you want to implement in any system determined through data classification.
Determine and Maintain information and asset ownership:
- Data owner: Ultimately responsible for the data.
- Data Custodian: Take efforts to protect the data, backup.
- System owner: Person who owns the system, which processes the sensitive data.
- Business owners: Sales department head will be responsible for the sales dept. However, the system used in the sales department will own by the IT department.
- Data controller: Person or entity who controls the processing of data.
- Data processor: Person or entity who processes personal data on behalf of the data controller.
- Establish information and asset handling requirements:
- Marking: Labelling (protection mechanism assigned based on data labels).
- Handling sensitive data: Secure transportation of data through the entire lifecycle.
- Storing sensitive data:
- Proper encryption (AES 256)
- Store in a temperature-controlled place.
- Destroying sensitive data: Deleting, clearing, purging, sanitization, degaussing, and destruction.
Domain:3 Security Architecture and engineering
- Cryptography and symmetric key algorithm
- PKI and cryptographic applications.
- Principles and Security Models, design, and capabilities.
- Security Vulnerabilities, Threats, and countermeasures.
- Physical Security Requirements.
- Cryptography and symmetric key algorithm:
- Cryptography: Cryptography is an art of transforming readable messages (plain text) to the unreadable message(ciphertext) and vice versa.
- Symmetric key algorithm: In the symmetric key algorithm, we use a single key for encryption and decryption. Symmetric key algorithms are:
- 1. Stream cipher
- 2. block cipher
- 3. Data encryption standard (DES)
- 4. 3DES
- PKI and Cryptographic Applications.
Public Key Infrastructure is a set of software and protocols used to manage and control public-key cryptography. It is also used for confidentiality, message integrity, authentication, and non-repudiation.
- Principles and Security Models, design, and capabilities.
A security model is used to deal with security policies and provide rules for securing operating systems.
- Bell-LaPadula Model
- Biba Model
- Security Vulnerabilities, Threats, and countermeasures:
- Vulnerabilities: Security vulnerabilities are the weakness of the system that can be exploited.IT components, such as operating system application software and network, have many vulnerabilities. These vulnerabilities are open to compromise.
- Threat: The threat is an action performed by an attacker to exploit vulnerabilities in the system.
- Countermeasures: Security countermeasures used to protect the confidentiality, integrity, and availability of the system.
- Virus scanner
- Pretty Good Privacy (PGP)
- Secure Multipurpose Internet Mail Extensions (S/MIME)
- Secure Shell (SSH)
- Physical Security Requirements:
Physical security can affect the confidentiality of the data and business processes, the integrity of the assets and environment, the availability of company resources.
Domain 4: Communication and network security
- Secure network architecture and secure network components.
- Secure communication and network attacks.
- Secure network architecture and secure network components:
- OSI model: OSI model stands for open system interconnection; it provides us a set of protocols and frameworks on how to communicate with protocols over the network. It has seven different layers:
- Physical layer
- Data Link layer
- Network layer
- Transport layer
- Session layer
- Presentation layer
- Application layer
- Network topology: Network topology is a physical layout of a network. It defines the way different nodes are placed and interconnected with each other.
Types of network topology:
- 1. No central point of connection.
- 2. Difficult to troubleshoot
- 3. One break in cable takes down the whole network.
- 1. No central point of connection.
- 2. Implemented with MAU (Media Access Unit) for fault tolerance- It listens to the faulty node, and the broken circuit is closed.
- 1. Offer fault tolerance.
- 2. The switch is a single point of failure.
- 1. Most fault tolerance.
- 2. Fully redundant.
- 3. The partial mesh is used to spare costs as it’s very costly.
- Secure communication and network attacks
- Hub: Sends all data to all ports. No addressing and less expansion.
- Modem: Modulator Demodulator. Converts digital to analog signals.
- Routers: Connects two similar networks.
- Bridge: Connects two different networks within the LAN.
- Gateways: Connect networks using different protocols.
- Switch: Uses MAC address to direct traffic. Act as a police officer directing traffic to respective parts. Reduce collision.
- Wireless Access Point: Provides wireless devices a point of connection to the wired network.
- Proxy: Mediates between two networks. (NAT, PAT).
- Network attacks: Unauthorized access, men in the middle, Distributed Denial of Service (DDoS), Code and SQL injection, etc.
Domain 5: Identity and access management (ISM)
- Managing Identity and authentication.
- Controlling and monitoring Access.
- Controlling Access to assets: Assets could be anything; it could be either your information like data, file servers, and your system, which holds the data that needs to be protected from unauthorized access.
- Subject and object:
- Subject: It is an active entity that approaches a passive object to receive information about an object. The subject can be users, programs, services, computers, or anything else that can access resources. When authorized, subjects can modify objects.
- Objects: It is a passive entity that gives information to active subjects. Some examples of objects are files, databases, computers, programs, services, printers, and storage media.
- Identification: It is a process of any subject (an entity which wants to access any data), they need to provide some identity to access the data like user id.
- Authentication: Authentication is verifying that claim. A common form of authentication is passwords that you use to get into the system.
- Authorization: Authorization means, once you are inside the system, it does not mean that you can go ahead and do anything. Only authorized people can perform their tasks in the system.
- Auditing: Any activity in the application should be audited(identify technical issues/breaches).
- Accountability: Tracing an action to a subject.
- Authentication types:
Type 1: Something you know (passwords and pin).
Type 2: Something you have (smart card, token).
Type 3: Something you are(biometric).
Type 4: Somewhere you are(location)
Domain 6: Security assessment and testing
- Design and validate assessment, test, and audit strategies.
- Conduct security control testing.
- Collect security process data.
- Conduct or facilitate security audits.
- Security tests verify that control is functioning properly. These tests include automated scans, tool-assisted penetration tests, and manual attempts to undermine security.
- Security Assessment is a global review of the security of a system, application, or the tested environment, performs risk assessment, finds vulnerabilities, and makes remediation recommendations.
- Security Audit: Security Audits are similar to security assessment, but it’s performed by independent auditors.
- Internal audits: Internal audits are typically performed by your internal team or audit staff. This audit staff is someone who functions independently.
- External audits: External audits are something which is actually conducted by the external auditors
- Vulnerability assessment:
- Vulnerability Scans: Automatically probe systems weakness, which can be exploited by attackers.
- Network discovery:
- 1. Discover ports and services
- 2. NMAP is used for network discovery:
Open: Port is open, and the application is actively accepting connections.
Closed: Port is accessible; no application is accepting a connection on that port.
Filtered: Unable to determine if the port is open or closed.
- Network vulnerability scanning:
- Go deeper than discovery scans (Nessus); by default, unauthenticated scans are done.
- To avoid FPs (false positive) and FNs (false negative), authenticated scans are done.
- Web scanning: Finding vulnerabilities in the running application
- Not infringe vulnerabilities from static code analysis.
- Find vulnerabilities that static code scans miss.
Domain 7: Security operations
- Managing security operations
- Preventing and responding to incidents.
- Disaster Recovery planning.
- Investigation and Ethics
- Applying Security operations concepts:
The primary purpose is to safeguard information assets:
- Permission: Am I allowed to access the object?
- Rights: What action can I take on these objects?
- Privilege: Privilege is the combination of your rights and permissions.
- Need to know: Access granted only to data resources they need to perform.
- Least Privilege: Access given to the privileges necessary to perform an assigned task.
- Security operations concepts:
- Entitlement: Amount of privileges granted to users.
- Aggregation: Amount of privileges that users collect overtime.
- Transitive trust: A trust B and B trust C, then A trust C.
- SoD: No single person is allowed to perform end to end critical tasks alone.
Exam Tips: Least privilege and SoD helps in preventing the violation.
The monitor helps in detecting violations.
- Service level agreement:
- Service level agreement: It is something between an organization and an outside entity such as a vendor. Service level agreement stipulates performance expectations and often includes penalties if the vendor does not meet these expectations.
- Memorandum of understanding: No financial stipulation is involved.
Domain 8: Software development security
- Software development security.
- Malicious codes and application attacks.
Security considers at every level of system development. Here are two forms of languages that computer understand;
- Machine level language: Machine level language that is understood by the machines. The computer does not understand anything apart from the binaries (zeros and ones).
- High-level languages: High-level languages are the programming languages that we have developed to create applications, e.g., c, c++, java, .net, etc.
- System development life cycle:
- Conceptual Definition: High-level statement agreed by all stakeholders.
- Functional Requirement: The system’s specific functionalities are listed down, and think about how the system’s port should interoperate to meet the applicable requirements.
- Control Specification Development: Security in the system is designed (access control, ensuring CIA).
- Design review: How various parts of the system will interoperate.
- Code review: Once the code is written, peer review should happen with different individuals.
- UAT: End-user tests if the product meets the given requirements.
- Maintenance and change management: Any further change in the system should go through the change management process.
InfosecTrain is one of the best consulting organizations, focusing on a range of IT security training and information security services and providing all the necessary CISSP certification exam preparation. Certified instructors deliver all training with years of industry experience. You can check and enroll in our CISSP-certification-training to prepare for the certification exam.