In the current age of fast-evolving web development and the internet, the information, data, and system security is vital. Information systems security, which is commonly referred to as INFOSEC, is a set of processes and methodologies involved in keeping the important information available, confidential, and ensuring its integrity.

Information systems security is not limited to dealing with computer information. In a wider scope, it is also referred to as data and information protection in all forms. Risk assessments are carried out to determine the vulnerability of information to the biggest risk and setting priorities. For example, one particular system, mostly servers, might have the most important information stored on it and, therefore, will require comparatively stronger security measures to ensure safety.

If you are looking to become an Information Systems Security Professional, a Certified Information Systems Security Professional (C.I.S.S.P.) certification can give your career a huge boost. In this article, we will go through the details of C.I.S.S.P. and a cheat sheet to help you pass the C.I.S.S.P. certification exam.

What is C.I.S.S.P.?

Certified Information Systems Security Professional (C.I.S.S.P.) is defined as an information security certification designed and developed by the International Information Systems Security Certification Consortium, which is also known as (I.S.C.) ². C.I.S.S.P. is widely considered as a quality standard in the field of information and cybersecurity. The certification also meets ISO/IEC Standard 17024:2003.

C.I.S.S.P. was introduced in 1994, and it is considered one of the most sought-after security certifications in the field of internet and technology. Organizations, while hiring, often prefer candidates who have attained the C.I.S.S.P. exam. Given the fact, candidates with the C.I.S.S.P. certification are amply knowledgeable about cybersecurity, have hands-on experience, and potentially, a formal CISSP training.

C.I.S.S.P. is based on eight domains which are as under:

1. Security and Risk Management
2. Asset Security
3. Security Architecture Engineering
4. Communication and Network Security
5. Identity and Access Management
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security

A domain is defined as a broad topic that needs to be mastered to ace the C.I.S.S.P. certification exam. Today, C.I.S.S.P. certification training is preferred by many I.T. security professionals. It provides information security professional a goal to measure his/her competence and a globally recognized standard of accomplishment.

Get CISSP certification prep at QuickStart.com and choose from self-paced courses or virtual instructor led training.  

Cheat Sheets for Studying for the C.I.S.S.P. Exam

Passing the C.I.S.S.P. certification exam is not a walk in the park; however, it’s not impossible either. The aspirants usually get overwhelmed easily before even starting the study, given the fact that eight domains need comprehensive studying, each covering a variety of complex topics.

To ease the pressure and psychological barrier, we will go through a comprehensive “Cheat Sheet” for the exam preparation. This article will also help you maximize the effective use of your time and effort being put in the preparation.

Let’s go through each domain separately in detail.

Domain 1: Security and Risk Management

Understanding Concepts of C.I.A. (Confidentiality, Integrity, and Availability)

Confidentiality: Making sure the right people have access to the data. It must be classified in a way that administrators know exactly who should have access. Users must get themselves identified, authenticate, and then be allowed authorization before having access.

• End to end symmetric encryption provides confidentiality because only users with a specific key can access the data
• File permissions only allow authorized users to view the contents

Integrity: No unauthorized modifications; data consistency

• Hashing and data mapping
• Segregation of duties
• Checkpoints approval (SDLC)
• Secure data transmission through R.S.A. (use of H.M.C.)
• Internet Protocol Security (IPsec)

Availability: Availability of information to users as and when required

• Not vulnerable to Denial of Service (DoS) Attack
• Proper backups and assurance of no down-time

Application of Security Governance Principles

These are defined processes for each role to ensure that executive management is informed about all decisions being made. ISO 27000 should be looked at to get the requirements of security frameworks you should implement.

Aligning the security function to business strategy, goals, mission, and objectives

• Have to analyze the cost of information loss/theft, cost of controls implementation, and the benefit to the organization by applying certain controls

Organizational processes (e.g., acquisitions, liquidation, governance committees, etc.)

• If the business is rapidly changing, the security needs to be ensured in that changing process

Security control frameworks

• The security schemes of how security in the organization will be ensured. Certain frameworks need to be applied to the organization based on what they contain

Risk Management Concepts

• Identify threats and vulnerabilities
• Risk assessment and response
• Types of controls (e.g., preventive, detective, or corrective)
• Security Control Assessment (S.C.A.)
• Risk monitoring and measurement
• Asset valuation
• Reporting
• Risk frameworks

Risk-Based Management Concepts for Supply Chain

• Risks associated with hardware, software, and other services
• Third-party validation and monitoring
• Minimum security requirements
• Service-level requirements

Security Awareness, Education, and Training Program

• Technical training of employees to react to situations, best practices for Security and Network staff
• Employees need to understand and adhere to policies. Use of presentations and posters etc. to give them awareness

Domain 2: Asset Security

 

Information Classification: Public and Government

Public

• Private data such as SSN, bank accounts, credit cards, etc.
• The company restricted data only available to a subset of employees
• All employees can view confidential data but not for general use.
• Public data, which can be viewed or used by anyone

Government

• Top Secret: Disclosure may cause severe damage to national security
• Secret: Disclosure may cause serious damage. This data is considered less sensitive than a top-secret.
• Confidential: This data is usually exempted from disclosure under laws such as the Freedom of information act but is not classified as top secret.
• Sensitive but Unclassified: SBU data is data that is not considered vital, but its disclosure would do some harm.
• Unclassified: Data that has neither any classification nor is sensitive.

Data Ownership

Data Owner: Data owner is usually a member of Senior Management. After all, senior management is responsible for the asset. If data is compromised, they can be held responsible. The data owner can delegate duties but cannot delegate total responsibility.

Data Custodian: This is usually some employee in I.T. The data custodian does not have any say in which controls are needed, but he/she implements controls on behalf of the data owner. Other responsibilities include the management of the asset. Controlling access, adding and removing privileges for users, and ensuring that the proper controls have been implemented are such duties.

Data Remanence

Sanitizing: Chain of processes that completely removes data

Degaussing: Erasing data from magnetic tapes etc.

Erasing: Complete deletion of files or media

Overwriting: Writing over files in layers, shredding

Zero fill: Overwrite all data with zeros

Destruction: Physical destruction of hardware devices containing data

Encryption: Making data unreadable without special keys

Security Policies, Standards & Guidelines

Regulatory: Obligatory by law and industrial standards

Advisory: Worthwhile but not compulsory

Informative: As a source of guidance to others

Information Policy: Best practices for information management and usage. Security policies: Technical specifications of the policies, i.e., System security policy: list of hardware/software being used and guidelines for using policies

Standards: Define different usage levels

Guidelines: Non-compulsory standards to follow

Procedures: Steps for carrying out tasks under policies

Baseline: Minimum level of security to be implemented

Domain 3: Security Architecture Engineering

Types of Security Models

State Machine Models: Check every one of the conceivable framework states and guarantee the best possible security connection.

Multilevel Lattice Models: Assign every security subject a security name characterizing the maximum and minimum limits of the subject's entrance to the framework. Authorize controls to all articles by partitioning them into levels known as grids.

Matrix Based Models: Organize tables known as the framework which incorporates subjects and items characterizing what moves subjects can make upon another article.

Noninterference Models: Contemplate the condition of the framework at any time for a subject; it considers averting the activities that occur at one level, which can change the condition of another level.

Information Flow Models: Attempt to inhibit the transmission from one unit to another that can which can infringe the security strategy.

Security Modes:

Dedicated Security Mode: Utilize a distinct categorization level. All subjects are available subject to prior approval for access for the need to know and sign-in an N.D.A.

System High-Security Mode: All users get the same access level, but all of them do not get the need-to-know clearance for all the information in the system.

Compartmented Security Mode: All users get a similar access level; however, every one of them doesn't get the need-to-know authorization for all the data in the system.

Multilevel Security Mode: Utilize two organization levels as Assurance levels and System Evaluation

Web Security

O.W.A.S.P.: Open-source application security venture. O.W.A.S.P. makes rules, testing systems, and devices to use with web security.

SQL Injections: Assailants attempt to misuse by permitting user input to change the back-end/server of the web application or implement destructive code that incorporates unique characters inside SQL database codes brings about erasing database tables and so forth.

SQL Injection prevention: Authenticate the parameters and inputs.

Cross-Site Scripting (XSS): Attacks carried out by entering invalidated scripts in webpages.

Cross-Request Forgery: Attackers use POST/GET requirements of the HTTP:// web pages with HTML forms to carry out a mischievous activity with user accounts.

Cryptography

Non-repudiation – can’t deny it came from you when you digitally sign a message.

Private Key encryption, symmetric, uses the same key for both encryption and decryption (faster) D.E.S. – WinZip file with a password

Public key encryption (slower) R.S.A. – asymmetric, uses the two keys, private to encrypt, public to decrypt

Cryptography Goals (P.A.I.N.)

• P – Privacy
• A – Authentication
• I – Integrity
• N - Non-Repudiation

Use of Cryptography

• Non-repudiation
• Concealment
• Reliability
• Proof of origin
• Protect data at rest
• Protect data in transit

Mobile Security

• Inner locks (voice, face recognition, pattern, pin, and password)
• Remote wiping
• Device Encryption
• Remote lockout
• Application installation control
• Asset tracking (I.M.I.E. number)
• Mobile Device Management
• Removable storage (SD CARD, Micro SD, etc.)

Domain 4: Communication and Network Security

Start Your 7-Day FREE TRIAL with QuickStart

Seven layers (Permit changes between layers)

• Application
• Presentation
• Session
• Transport
• Network
• Datalink
• Physical

TCP/IP Model

Layers	Actions	Example protocols
Network access	Used for Data transfer	Token ring • Frame Relay      • FDDI • Ethernet • X.25
Internet	Creation of small data portions called datagrams	I.P. • R.A.R.P. • A.R.P. • I.G.M.P. • ICMP
Transport	Integrity and Flow control	TCP • U.D.P.
Application	Conversion of data into a readable format	Telnet • S.S.H. • DNS • HTTP • FTP • SNMP • DHCP

 

Types of Digital Subscriber Lines (DSL)

Asymmetric Digital Subscriber Line (ADSL)	·         Higher download speed as compared to upload. ·         Range of max 5500 meters length through telephone lines. ·         Maximum download 8Mbps, upload 800Kbps.
Rate Adaptive DSL (R.A.D.S.L.)	·         Upload speed tuned based upon the quality of the transmission line. ·         Maximum 7Mbps download speed, 1Mbps upload over 5500 meters.
Symmetric Digital Subscriber Line (SDSL)	·         The identical rate for upstream and downstream transmission. ·         The distance of 6700 meters via copper telephone cables. ·         Maximum 2.3Mbps download, 2.3Mbps upload.
Very-high-bit-rate DSL (VDSL)	·         Higher speeds than standard ADSL ·         Maximum 52Mbps download, 16 Mbps upload up to 1200 Meters
High-bit-rate DSL (H.D.S.L.)	T1 speed for two copper cables for 3650 meters
Committed Information Rate (C.I.R.)	Minimum guaranteed bandwidth provided by the service provider

 

LAN Packet Transmission

Unicast	Single source transmission to a single destination
Multicast	Single source transmission to multiple destinations
Broadcast	Source pack transmission to all the destinations.
Carrier-sense Multiple Access (CSMA)	One system re-transmits frames until the destination work station receives it
CSMA with Collision Detection (CSMA/CD)	Dismisses transmission on collision detection. Used by Ethernet.
CSMA with Collision Avoidance (CSMA/CA)	Upon identifying a busy transmission system, pauses and then re-transmits delayed transmission at an arbitrary interval to minimize two nodes re-sending simultaneously.
Polling	The sender sends only if the polling system is free for the destination.
Token-passing	The sender can send only when a token is received, representing free to send.
Broadcast Domain	Set of devices that get broadcasts.
Collision Domain	Set of devices that can create impacts during an instantaneous transfer of data.

 

Domain 5: Identity and Access Management

3 Factor Authentication

Knowledge factor: A parameter/anything known by the handler/user.

Ownership factor: An entity that the client has, similar to a token or a key

Characteristic factor: A distinctive user parameter, such as fingerprints, face scan, signatures, initials, or biometrics.

Knowledge factor - Anything is known to you

Salted hash	Irregular information added to a secret key before hashing and putting away in a database on a server. Utilized rather than plaintext capacity that can be checked without uncovering secret key
ComplEg. password	Alphanumeric, over ten characters. Incorporates a mix of upper and lower case letters, numbers and images
One-time password (OTP)	Animatedly created to be used for a single transaction or one session
Static password	Password unchangeable
Password Hacking	Unauthorized password access

 

Ownership – Something in your procession

Synchronous toke	Generate password at fixed time intermissions
Asynchronous token	Create a password centered upon a technique called challenge-response.
Memory card	A jab card is inclosing user data.
Smart Cards or Integrated Circuit Card (I.C.C.)	A dongle or a card including a memory chip like A.T.M./Credit cards.
Contactless Cards or Proximity	Easily readable when in the proximity of the reader device.
Challenge/response token	A challenge/equation/puzzle/challenge has to be solved by the user response.

 

Characteristic – Something you do

Biometric technology permits the handler to be validated based on physiological conduct or characteristics.

• Physiological, i.e., Iris, retina, and fingerprints.
• Behavioral, i.e., Voice pattern

Terminology

• Access: Action mandatory to permit information movement among objects.
• Control: Security measures booked to control or allow access to systems.
• Subject: An object which needs access to an object or multiple objects.
• Object: Object which comprises data.

 

Authorization Concepts

Security domain: Set of assets having a similar security arrangement.

Federated Identity: Association having a typical arrangement of strategies and guidelines inside the organization.

Access Control Models

Implicit Deny: Naturally, access to an item is denied except if unequivocally allowed.

Access Control Matrix:  Table which included subjects, items, and access controls/benefits.

Capability Tables: Rundown get to controls and benefits doled out to a subject.

• A.C.L.s center on objects though capacity records center around subjects.

Permissions: Access approved for an object.

Privileges: Blend of privileges and approvals.

 

 

Domain 6: Security Assessment and Testing

Assessment and Test strategies

Pen Test

• War dialing
• Sniffing: monitoring the network traffic
• Eavesdropping: secret listening
• Dumpster diving: scrutinizing through waste documents, etc.
• Social engineering: Human being manipulation

Security process data

Employment practices and policies: termination procedures and background checks

Roles and responsibilities: management sets the standard and articulates the policy

Security awareness training: inhibits social engineering

Control Models – M.A.C.

Mandatory set of rules

Access control based on rules

Data owners have less freedom

Access is granted on rules or security labels

Every resource owns a label. Every user has clearance

Represents the concept of the need to know

Control Models – D.A.C.

Identity-based Access Control

Access levels specified by the owner

UNIX and Windows Operating Systems

Most commonly used access control

Control Types

Centralized

All objects are controlled at the central point

Strict access controls

Comfort of administration

QuickStart's LITE subscription offers dozens of IT certification training and courses, learning analytics and expert community access free of charge. 

Types:

RADIUS: Serves dial-in users. Incorporates dynamic password and authentication server

T.A.C.A.C.S.: Static nature of the password

TACACS+: Supports and back token authentication

            Decentralized

Remote authentication

The decision is nearer to the objects

More overhead administration

Different user rights over the network

            Hybrid model

A combination of centralized and decentralized

Single Sign-on – Kerberos

Symmetric key cryptography

Components

• D.C.: have the cryptographic keys
• Tickets
• G.S.

Process

• Subject requests access to an object
• The request goes through the KDC
• KDC generates a ticket for both subject and the object
• Subject validates the ticket
• Subject sends the ticket to object
• Object validates the ticket
• Object grants access to the subject

 

Domain 7: Security Operations

Crime investigation – Evidence

          Problems

• Intangible information
• Investigation interferes with business operations
• Difficulty gathering evidence
• Experts are needed

Gathering, controlling, and preserving

Computer evidence can easily be modified

Chain of evidence

Crime investigation – Life Cycle

• Discovery and recognition
• Protection
• Recording
• Collection
• Identification – tagging
• Preservation – store in a proper environment
• Transportation
• Presentation in court
• Return to evidence owner

Crime investigation – Admissibility

• Evidence must meet strict requirements
• Must be relevant – related to the crime
• Legally permissible
• Identified without changing evidence
• Preservation

Incident Management

Incident management is a term defined as the activities of an organization to identify, analyze, and correct dangers to prevent their happening in the future. These incidents within an organization are normally dealt with an I.R.T. or I.M.T.

D.R.P. – Data Processing Continuity

Providing backup systems

Mutual aid agreements

Hot site

• Configured with HVAC
• Servers loaded with apps
• Allows walk-in
• Short time
• High cost

Business Continuity Planning

• BCPs are shaped to prevent disruptions to normal business
• Protect critical business processes from disasters
• Strategy to allow the recommencement of business activity
• Examine critical information areas
  • LAN/WAN
  • Telecommunications
  • Apps and Data
• Disruptive events
  • Staff duties
  • Man-made events, e.g., strikes
• Top priority is to preserve life

 

Domain 8: Software Development Security

Software Development Lifecycle (SDLC): Understand and implement security protocols throughout the software development lifecycle (SDLC).

Development Methodologies

Build and fix

• No architecture design
• Problems fixed as soon as they occur
• No formal feedback cycle
• Reactive, not proactive

Waterfall

• Linear and sequential lifecycle
• Each phase is completed before moving to the next
• No formal method to make changes during a cycle

V-shaped

• Based on the waterfall model
• Each cycle is completed before moving on
• Verification and validation after each phase
• No risk analysis phase

Prototyping

• Rapid prototyping
• Evolutionary prototyping
• Operational prototypes

Incremental

• Multiple cycles
• Restart at any time
• Easy to introduce new requirements
• Delivers incremental updates

Spiral

• Iterative
• Risk analyzing during development
• Future information and requirements for risk analysis
• Testing early in development

Rapid Application Development (R.A.D.)

• Fast prototyping
• Designed for abrupt development
• Designs are quickly demonstrated
• Testing and requirements are revisited

Agile

• Multiple methods
• Highlights efficiency
• User activity describes what user behaviors
• Prototypes are filtered down to discrete features

Programming Language Types

• Machine Languages
• Assembly Language
• High-Level Language

Database Architecture and Models

• Relational Model
• Hierarchical Model
• Network Model
• Object-Oriented Model
• Object-Relational Model

Data Warehousing and Data Mining

• Data Warehousing: Collect data from different sources.
• Data Mining: Arrangement of the data into a simple way to make business decisions based on the content.

For more information on the CISSP certification talk to our experts!