CISSP Training Outline

Jul 10, 2024

CISSP Training Outline

ISC2 Code of Ethics

  • Certification Obligations: ISC2 members must uphold the ISC2 Code of Ethics to keep their certification.
  • Violations: An intentional breach is referred to a peer review panel and can result in revocation of the certification.
  • Reporting: Members are expected to report observed breaches, as required by Canon 4.
  • Exam Tip: Memorize the preamble and be able to answer questions on the four canons.
    • Canons:
      1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
      2. Act honorably, honestly, justly, responsibly, and legally.
      3. Provide diligent and competent service to principals.
      4. Advance and protect the profession.

CISSP Exam Types

  • CAT Exam: Computerized Adaptive Testing for English exams.
    • Length: 3 hours.
    • Format: Multiple choice and innovative question types.
    • Passing Grade: 700/1000.
    • Locations: Authorized Pearson centers.
  • Linear Exam: Fixed form for non-English languages.
    • Languages: French, German, Portuguese, Spanish, etc.
    • Length: 6 hours.
    • Passing Grade: 700/1000.
    • Locations: Authorized Pearson centers.

CISSP Exam Domains & Weightings (2021)

  • Domains are the same as in 2018; the 2021 refresh moved one percentage point from Domain 4 to Domain 8 (2018 weights were 15/10/13/14/13/12/13/10).
    1. Security and Risk Management: 15%
    2. Asset Security: 10%
    3. Security Architecture and Engineering: 13%
    4. Communication and Network Security: 13%
    5. Identity and Access Management (IAM): 13%
    6. Security Assessment and Testing: 12%
    7. Security Operations: 13%
    8. Software Development Security: 11%

Core Security Goals and Principles

Confidentiality

  • Goal: Prevent unauthorized disclosure of data.
  • Mechanisms: Encryption, access controls, compartmentalization, encapsulation.
  • Examples of data needing it: PII, PHI, intellectual property, classified information.
  • Advanced Techniques: Hybrid encryption, post-quantum algorithms, homomorphic cryptosystems.

Integrity

  • Goal: Ensure data is changed only by authorized parties and only in authorized ways.
  • Mechanisms: Checksums (catch accidental change), HMACs and other message authentication codes (catch deliberate change), digital signatures, and integrity models such as Clark-Wilson and Biba.
  • Threats: Tampering with data in transit, session hijacking, SQL injection, etc.
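Added example (not part of the original outline): the difference between a checksum and a message authentication code in working code. A plain hash lets an attacker recompute a valid digest after editing the data; an HMAC keyed with a shared secret does not. The key and the transaction message below are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Tag computes an HMAC-SHA256 tag over msg under key. Unlike a bare
// checksum or hash, an attacker who alters msg cannot recompute a valid
// tag without the key, which is what turns "detect accidental change"
// into "detect deliberate tampering".
func Tag(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// Verify recomputes the tag and compares it in constant time. Using
// bytes.Equal here would leak, through timing, how many leading bytes of
// a forged tag were correct.
func Verify(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

func main() {
	key := []byte("constructed-demo-key-do-not-reuse") // constructed for the example
	msg := []byte(`{"from":"acct-1001","to":"acct-2002","amount":100}`)
	tag := Tag(key, msg)
	fmt.Println("tag:", hex.EncodeToString(tag))

	fmt.Println("unmodified verifies:", Verify(key, msg, tag))

	// An in-transit modification of a single digit invalidates the tag.
	tampered := []byte(`{"from":"acct-1001","to":"acct-2002","amount":900}`)
	fmt.Println("tampered verifies:  ", Verify(key, tampered, tag))

	// A tag computed under a different key is also rejected, so a MAC only
	// proves integrity to holders of the shared key (contrast with a digital
	// signature, which anyone holding the public key can check).
	fmt.Println("wrong key verifies: ", Verify([]byte("other-key"), msg, tag))
}
```

Because both sender and receiver hold the same key, an HMAC proves integrity and origin to the receiver but cannot give non-repudiation: the receiver could have forged the tag too. That is the gap digital signatures close.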

Availability

  • Goal: Keep systems and data reachable by authorized users; resist denial of service.
  • Mechanisms: Redundancy and high-availability zones, disaster recovery, elastic cloud services.
  • Examples: AWS, Google Cloud, Azure availability zones and regions.
  • Opposite: Destruction or denial, the D in the DAD triad (Disclosure, Alteration, Destruction) that mirrors CIA.

CIA and Parkerian Hexad

  • CIA Triad: Confidentiality, Integrity, Availability.
  • Parkerian Hexad: Adds authenticity, utility, and possession (control) to the CIA triad.
    • Authenticity: The data genuinely comes from the claimed origin.
    • Utility: The data is in a usable form (encrypted data whose key is lost is intact but useless).
    • Possession: Control over the asset, independent of whether it was disclosed (a stolen encrypted laptop is a loss of possession, not of confidentiality).

Non-Repudiation

  • Definition: A party cannot later deny having performed an action or sent a message.
  • Methods: Digital signatures and certificates issued by a trusted CA.
  • Basis: Only the holder of the private key could have produced the signature, and anyone with the public key can verify it. Symmetric MACs cannot provide non-repudiation because both parties hold the same key.

OSI and TCP/IP Models

  • OSI Model: Seven layers, physical through application.
  • TCP/IP Model: Four layers: network access (link), internet, transport, and application.
    • Security Considerations: Security is added per layer, e.g., IPsec at the internet layer (OSI Layer 3), TLS above the transport layer.
    • Reference Models: Essential for reasoning about where a control sits and what traffic it can and cannot see.

Secure Design Principles

Least Privilege

  • Access Control: Each subject gets only the permissions its task requires, for only as long as needed.
  • Implementations: Mandatory access control, narrowly scoped administrative roles, just-in-time privilege.
  • Documentation: NIST SP 800-53 (control AC-6), ISO/IEC 27001.

Defense In Depth

  • Multi-Layer Defense: Physical, network, endpoint, application, and data security.
  • Example Models: Perimeter firewalls, IPS, WAFs, DLP.
  • Concept: Reducing reliance on a single defense layer.

Separation of Duties

  • Importance: No single person can complete a sensitive transaction alone, which limits fraud and error.
  • Techniques: Job rotation, mandatory vacations, the two-person (dual control) rule.
  • Automation: Enforce segregation with workflow and approval tooling rather than relying on procedure alone.

Zero Trust

  • Principles: Never trust, always verify; network location confers no implicit trust, and every request is authenticated and authorized against identity, device, and context.
  • Technologies: 802.1X port-based NAC, identity providers, ABAC policy engines, micro-segmentation.
  • Management: Centralized policy with adaptive, risk-aware access decisions.

Secure Defaults and Fail Securely

  • Secure Defaults: Applications ship secure out of the box; the user must opt out of protection rather than opt in.
  • Fail Securely: On error the system falls to a secure (deny) state rather than an open one.
  • Real-World Examples: Default-deny firewall rules; a login that rejects users when the authentication backend is unreachable instead of letting them through.

Privacy by Design

  • Framework: NIST Privacy Framework.
  • Principle: Privacy concerns integrated from the outset.
  • Documentation: Profiles, implementation tiers, and frameworks (GDPR compliance).

Trust But Verify

  • Dual/Multi-Factor Authentication: Password + tokens/biometrics.
  • Behavioral Analytics: UBA and AI for enhanced verification.

Aligning Security with Business

  • Strategy Coupling: Align all security initiatives with organizational goals.
  • Change Management: Adapt plans to changes like mergers/acquisitions.
  • Stakeholders: Address internal and external stakeholders' needs in security plans.

Organizational Roles and Responsibilities

  • Owner: Senior manager accountable for the data; classifies it and approves who may access it.
  • Steward: Business perspective; data quality, compliance, and usage rules.
  • Custodian: Technical perspective; implements the controls (backups, patching, access) that preserve the CIA of the data.
  • Officers: Executives (e.g., CISO, CPO) ultimately accountable for data security and privacy.

Governance, Due Diligence, and Due Care

  • Governance: Framework for decision making, structure, and accountability.
  • Due Diligence: Thorough research and evaluation before action.
  • Due Care: Ongoing, reasonable maintenance and precautions.

Compliance and Legal Issues

  • Regulations: GDPR, HIPAA, PCI DSS, SOX, EAR/ITAR.
  • Compliance Tasks: Auditing, application of standards, and vendor assessments.
  • Breach Consequences: Primary vs. secondary losses (reputational damage, financial penalties).

Investigations and Employment Practices

  • Background Checks: Screening of new hires and periodic reviews.
  • Exit Interviews: Gather information, remind of legal obligations.
  • Fraud Detection: Techniques to detect insider threats and compliance violations.

Security Policy Development

  • Components: Sanctioned by management, realistic, flexible, comprehensive.
  • Implementation: Regular review and updates, audits, and enforcement of compliance.
  • AUP: Proper use of systems, data, and applications by employees.

Third-Party Management

  • SLAs: Service Level Agreements for vendor/client expectations.
  • MOUs: Memorandums of Understanding for inter-organizational cooperation.
  • Risk Evaluation: Assess third-party risks continually.

Security Awareness and Training

  • Tailored Training: From general users to executive management (role-based).
  • Ongoing Education: Periodic refreshers, latest threat awareness.
  • Training Methods: CBTs, posters, newsletters, interactive sessions.

Data and Asset Classification

Data States

  • At Rest: Stored information (HDD, SSD, backups).
  • In Transit: Data moving across networks (wired, wireless).
  • In Use: Active processing data (RAM, caches).

Asset Management

  • CMDB: Configuration Management Database for tracking assets.
  • Data Lifecycle: Creation or collection, storage and location, maintenance, retention, and destruction, with attention to data remanence on retired media.
  • Disposition Types: Clearing (overwrite), purging (degaussing, or cryptographic erasure by destroying the key), and physical destruction.

Risk Management

Risk Assessment

  • Documentation: Describe each risk, map it to the assets and threats involved, and propose treatment actions.
  • Vulnerability Scanning: Regular scans with tools fed by public databases (CVE, NVD).
  • Risk Matrix: Likelihood vs. impact ratings.

Risk Analysis Models

  • Qualitative: Relative scales (low/medium/high) and categories.
  • Quantitative: Monetary figures, e.g., SLE = AV × EF and ALE = SLE × ARO; a safeguard is worth its reduction in ALE minus its annual cost.
  • FAIR: Factor Analysis of Information Risk, a quantitative model for probable loss.
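Added example (not from the original outline): the quantitative formulas carried through for one asset and several candidate safeguards, so the cost-benefit decision the exam asks for is made by code rather than by hand. The asset value, exposure factors, rates, and control costs are constructed numbers.

```go
package main

import (
	"fmt"
	"sort"
)

// Quantitative risk figures using the standard CISSP abbreviations:
//   SLE = AV x EF       single loss expectancy
//   ALE = SLE x ARO     annualized loss expectancy
//   safeguard value = ALE(before) - ALE(after) - ACS
// where ACS is the annual cost of the safeguard.

type Risk struct {
	AssetValue     float64 // AV, in currency units
	ExposureFactor float64 // EF, fraction of AV lost per incident (0..1)
	AnnualRate     float64 // ARO, expected incidents per year
}

func (r Risk) SLE() float64 { return r.AssetValue * r.ExposureFactor }
func (r Risk) ALE() float64 { return r.SLE() * r.AnnualRate }

// Safeguard describes how a control changes the risk and what it costs.
type Safeguard struct {
	Name       string
	NewEF      float64 // EF once the control is in place
	NewARO     float64 // ARO once the control is in place
	AnnualCost float64 // ACS
}

// Value returns the annual net benefit of applying s to r. A negative
// value means the control costs more than the loss it avoids, which is
// the signal to accept, transfer, or mitigate the risk some other way.
func (s Safeguard) Value(r Risk) float64 {
	after := Risk{r.AssetValue, s.NewEF, s.NewARO}
	return r.ALE() - after.ALE() - s.AnnualCost
}

// Recommend returns the safeguards with positive net value, best first.
func Recommend(r Risk, options []Safeguard) []Safeguard {
	var out []Safeguard
	for _, s := range options {
		if s.Value(r) > 0 {
			out = append(out, s)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Value(r) > out[j].Value(r) })
	return out
}

func main() {
	// Constructed scenario: a web server worth 200,000 where a compromise
	// destroys 25% of its value and is expected once every two years.
	r := Risk{AssetValue: 200000, ExposureFactor: 0.25, AnnualRate: 0.5}
	fmt.Printf("SLE=%.0f ALE=%.0f\n", r.SLE(), r.ALE()) // SLE=50000 ALE=25000

	options := []Safeguard{
		{"WAF", 0.25, 0.1, 8000},              // fewer incidents, same damage each
		{"Nightly backups", 0.05, 0.5, 3000},  // same rate, far less damage each
		{"Gold-plated appliance", 0.25, 0.05, 40000},
	}
	for _, s := range Recommend(r, options) {
		fmt.Printf("%-22s net value %.0f/year\n", s.Name, s.Value(r))
	}
}
```

With these inputs the backups win (net 17,000 per year) ahead of the WAF (12,000), and the expensive appliance is excluded because it costs more than the ALE it removes.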

Control Types

  • Administrative (managerial): Policies, guidelines, training.
  • Technical (logical): Firewalls, encryption, access control lists.
  • Physical: Locks, cameras, guards.
  • Operational: Controls carried out primarily by people rather than systems (NIST's class), typically combining technical and physical measures.

Continual Improvement

  • Plan-Do-Check-Act: Iterative cycle for security enhancement.
  • Models: Capability Maturity Model, Seven Steps.
  • Threat Monitoring: Tools, indicators of compromise (IOC).
  • Machine Learning: AI and predictive analytics.

Cryptography Principles

Symmetric Encryption

  • Basics: Same key for encryption and decryption, so the key must be shared out of band.
  • Modes: ECB (insecure; identical plaintext blocks produce identical ciphertext blocks), CBC (needs a separate MAC), GCM (authenticated encryption), etc.
  • Strengths: Speed and efficiency for bulk data.
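Added example (not from the original outline): AES in ECB versus GCM on the same key and plaintext, showing the two properties the mode list is about. ECB reveals that two records are identical; GCM hides that and additionally rejects any ciphertext that has been modified. The key and the salary records are constructed, and the ECB loop is written by hand only because Go's standard library deliberately provides no ECB mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt applies the raw block cipher to each 16-byte block
// independently. Plaintext length must be a multiple of the block size.
func ecbEncrypt(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += block.BlockSize() {
		block.Encrypt(out[i:i+block.BlockSize()], plaintext[i:i+block.BlockSize()])
	}
	return out
}

// RepeatedBlocks reports whether any 16-byte block appears twice in ct,
// the tell-tale pattern leak of ECB.
func RepeatedBlocks(ct []byte) bool {
	seen := map[[16]byte]bool{}
	for i := 0; i+16 <= len(ct); i += 16 {
		var b [16]byte
		copy(b[:], ct[i:i+16])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

// GCMSeal encrypts with AES-GCM under a fresh random nonce and returns
// nonce||ciphertext||tag. The tag binds the ciphertext and the optional
// associated data (aad), so any tampering is detected on open.
func GCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// GCMOpen reverses GCMSeal; it fails if nonce, ciphertext, tag, or aad
// were altered.
func GCMOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 32) // constructed 256-bit demo key
	// Two identical 16-byte records; ECB encrypts them to identical blocks.
	pt := bytes.Repeat([]byte("SALARY=0100000;\n"), 2)
	fmt.Println("ECB leaks repeated blocks:", RepeatedBlocks(ecbEncrypt(key, pt)))

	sealed, _ := GCMSeal(key, pt, []byte("record-v1"))
	fmt.Println("GCM leaks repeated blocks:", RepeatedBlocks(sealed[12:]))

	if _, err := GCMOpen(key, sealed, []byte("record-v1")); err == nil {
		fmt.Println("GCM open (intact): ok")
	}
	sealed[len(sealed)-20] ^= 0x01 // flip one ciphertext bit
	_, err := GCMOpen(key, sealed, []byte("record-v1"))
	fmt.Println("GCM open (tampered):", err)
}
```

GCM's nonce must never repeat under the same key; the random 96-bit nonce here is fine for a modest number of messages, but high-volume systems should rotate keys or use a counter-based nonce.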

Asymmetric Encryption

  • Basics: A key pair; what one key encrypts only the other can decrypt.
  • Key Exchange: RSA (key transport), Diffie-Hellman (key agreement).
  • Use Cases: Digital signatures, and encrypting small payloads such as a symmetric session key (hybrid encryption).

Digital Signatures and Certificates

  • Purpose: To verify authenticity and integrity; a signature provides no confidentiality.
  • Process: Hash the data, sign the hash with the private key; the verifier recomputes the hash and checks the signature with the public key.
  • Formats: X.509 v3 certificates bind a public key to an identity.
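Added example (not from the original outline), serving both the signature process above and the Non-Repudiation section: the data -> hash -> signature flow with ECDSA over P-256, and the three checks a verifier relies on. The party names and the transfer order are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sign implements the data -> hash -> signature process: the message is
// hashed with SHA-256 and only the digest is signed with the private key.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifySig checks a signature with the public key only. Anyone can run
// this, which is what gives a signature its non-repudiation property: the
// signer cannot later claim a third party produced it, because only the
// private key could have.
func VerifySig(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	alice, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	mallory, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	order := []byte("transfer 500 from acct-1001 to acct-2002") // constructed
	sig, _ := Sign(alice, order)

	fmt.Println("alice's key verifies:   ", VerifySig(&alice.PublicKey, order, sig))
	fmt.Println("modified order verifies:", VerifySig(&alice.PublicKey, []byte("transfer 5000 from acct-1001 to acct-2002"), sig))
	fmt.Println("mallory's key verifies: ", VerifySig(&mallory.PublicKey, order, sig))
}
```

A signature alone proves the message was signed by whoever holds the key; binding that key to a real identity is the job of the certificate and the CA that issued it.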

Elliptic Curve, Homomorphic Encryption, Quantum Computing

  • Elliptic Curve: Comparable security with much smaller keys than RSA (a 256-bit curve is roughly equivalent to 3072-bit RSA), so faster and lighter.
  • Homomorphic: Computation on ciphertext without decrypting it.
  • Quantum: Shor's algorithm would break RSA, Diffie-Hellman, and ECC on a large quantum computer; post-quantum algorithms are being standardized by NIST to replace them.

Key Management

  • Lifecycle: Generation, distribution, use, storage, rotation, archival, disposal.
  • Backup & Recovery: Protect keys in HSMs; use escrow or split knowledge for recovery.
  • PKI: A trusted CA issues certificates that bind public keys to identities; relying parties trust the CA's root out of band via their trust store.

Identity and Access Management

Physical and Logical Controls

  • Physical: Locks, sensors, guards.
  • Logical: Authentication (MFA, IAM tools).
  • Integration: Combining access methods for better security.

Identity Models

  • Cloud & Third-Party: Understand the service models (IaaS, PaaS, SaaS) and where the shared-responsibility line for identity falls in each.
  • Virtualization: Security concerns with hypervisors (VM escape, VM sprawl).

Access Control Models

  • Role-Based Access Control (RBAC): Permissions attached to organizational roles, not to individuals.
  • Rule-Based Access Control: Pre-defined rules (e.g., firewall ACLs, time-of-day restrictions) applied to everyone.
  • Mandatory Access Control (MAC): System-enforced labels; a subject's clearance must dominate the object's classification.
  • Discretionary Access Control (DAC): The data owner decides who gets access.
  • Attribute-Based Access Control (ABAC): Policy evaluates attributes of the subject, object, action, and environment.
  • Risk-Based Access Control: Dynamic decisions driven by a real-time risk score (location, device, behaviour).
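Added example (not from the original outline): a small policy decision point that expresses the models above as attribute rules. MAC appears as a no-read-up deny, RBAC as a role grant, DAC as an owner-may-share grant, and risk-based control as deny rules keyed to an environment risk score; ABAC is the engine that evaluates them all, deny-overrides and default-deny. Subjects, objects, environments, and the risk scores are constructed sample data.

```go
package main

import "fmt"

// Attributes of the three ABAC inputs. Plain strings and ints keep the
// demo short; a production PDP would use typed attribute sources.
type Subject struct {
	ID        string
	Roles     []string
	Clearance int // 0 unclassified .. 3 top secret
}

type Object struct {
	Name           string
	Classification int
	Owner          string
}

type Environment struct {
	OnCorpNetwork bool
	MFA           bool
	RiskScore     int // 0 (benign) .. 100 (hostile), from a risk engine
}

type Request struct {
	Sub    Subject
	Obj    Object
	Action string
	Env    Environment
}

// Rule is a named predicate; Permit=false makes it an explicit deny.
type Rule struct {
	Name   string
	Permit bool
	When   func(Request) bool
}

// Decide is the policy decision point. Deny rules win over permit rules
// (deny-overrides) and a request matching nothing is denied (default
// deny), which is the fail-secure behaviour the exam expects.
func Decide(rules []Rule, r Request) (bool, string) {
	matched := ""
	for _, rule := range rules {
		if !rule.When(r) {
			continue
		}
		if !rule.Permit {
			return false, rule.Name
		}
		if matched == "" {
			matched = rule.Name
		}
	}
	if matched == "" {
		return false, "default-deny"
	}
	return true, matched
}

func hasRole(s Subject, role string) bool {
	for _, r := range s.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// Policy combines the access control models as attribute rules.
var Policy = []Rule{
	{"mac-no-read-up", false, func(r Request) bool {
		return r.Action == "read" && r.Sub.Clearance < r.Obj.Classification
	}},
	{"risk-block", false, func(r Request) bool { return r.Env.RiskScore >= 80 }},
	{"risk-require-mfa", false, func(r Request) bool {
		return r.Env.RiskScore >= 40 && !r.Env.MFA
	}},
	{"rbac-analyst-read", true, func(r Request) bool {
		return r.Action == "read" && hasRole(r.Sub, "analyst")
	}},
	{"dac-owner-share", true, func(r Request) bool {
		return r.Action == "share" && r.Obj.Owner == r.Sub.ID
	}},
}

func main() {
	// Constructed sample requests.
	secret := Object{"q3-forecast.xlsx", 2, "bob"}
	ana := Subject{"alice", []string{"analyst"}, 2}
	intern := Subject{"ivan", []string{"analyst"}, 0}
	calm := Environment{OnCorpNetwork: true, MFA: true, RiskScore: 5}
	odd := Environment{OnCorpNetwork: false, MFA: false, RiskScore: 55}

	cases := []Request{
		{ana, secret, "read", calm},                     // permit: rbac-analyst-read
		{intern, secret, "read", calm},                  // deny: mac-no-read-up (clearance 0 < 2)
		{ana, secret, "read", odd},                      // deny: risk-require-mfa
		{ana, secret, "share", calm},                    // deny: default-deny (not the owner)
		{Subject{"bob", nil, 2}, secret, "share", calm}, // permit: dac-owner-share
	}
	for _, c := range cases {
		ok, why := Decide(Policy, c)
		fmt.Printf("%-5s %-5s %-17s -> %-5v (%s)\n", c.Sub.ID, c.Action, c.Obj.Name, ok, why)
	}
}
```

Rule order matters only among permits (the first match is reported); any matching deny ends evaluation regardless of position, so a misplaced permit can never override the MAC or risk checks.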