CISSP
Certified Information Systems Security Professional
The Certified Information Systems Security Professional (CISSP) is the world's premier cybersecurity certification for experienced security practitioners, managers, and executives. The CISSP validates an information security professional's deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their organization's overall security posture.
This certification covers five consolidated domains: Security and Risk Management, Security Architecture and Engineering, Communication and Network Security, Identity Access and Security Assessment, and Security Operations and Software Development Security. The CISSP body of knowledge spans security governance, risk management, asset security, security architecture, cryptography, network security, identity and access management, security testing, operations, and secure software development.
The CISSP uses Computerized Adaptive Testing (CAT) delivering 100-150 questions with a 3-hour time limit. Five years of cumulative paid work experience in two or more of the eight CISSP domains is required for certification. The CISSP is often required for senior security positions and is recognized globally as the gold standard for security professionals. It is ANSI/ISO/IEC Standard 17024 accredited.
CISSP Practice Exam 1
Comprehensive 50-question practice exam covering all five CISSP domains: Security and Risk Management, Security Architecture and Engineering, Communication and Network Security, Identity Access and Security Assessment, and Security Operations and Software Development Security.
CISSP Practice Exam 2
Advanced 50-question practice exam focusing on compliance frameworks, cryptographic implementations, network defense strategies, and security assessment methodologies across all CISSP domains.
CISSP Practice Exam 3
Expert-level 50-question practice exam covering security models, cryptographic protocols, secure network design, advanced access control, and operational security across all CISSP domains.
CISSP Practice Exam 4
Challenging 50-question practice exam emphasizing supply chain security, cloud architecture, advanced identity management, and DevSecOps practices across all CISSP domains.
CISSP Practice Exam 5
In-depth 50-question practice exam testing advanced security metrics, IoT security, API protection, penetration testing, and secure coding practices across all CISSP domains.
CISSP Practice Exam 6
Final comprehensive 50-question practice exam with advanced integrated scenarios covering emerging threats, data protection, international compliance, and cutting-edge security technologies across all CISSP domains.
CISSP Cheat Sheet
Quick reference guide - 6 sections
CISSP - Certified Information Systems Security Professional
The CISSP is the gold-standard certification for experienced information security professionals. Administered by (ISC)2, it validates deep technical and managerial competence across eight domains of information security. The CISSP is recognized globally and is often required or preferred for senior security roles such as Security Manager, Security Architect, CISO, and Security Consultant. Candidates must have a minimum of five years of cumulative paid work experience in two or more of the eight CISSP domains. A four-year college degree or an approved credential from the (ISC)2 prerequisite pathway satisfies one year of experience. The exam uses Computerized Adaptive Testing (CAT) for English-language candidates, dynamically adjusting question difficulty based on your responses.
Exam Details
| Item | Detail |
|---|---|
| Exam Code | CISSP |
| Duration | 3 hours (CAT format) / 6 hours (linear, non-English) |
| Number of Questions | 100-150 (CAT) / 250 (linear) |
| Passing Score | 700 / 1000 |
| Cost | $749 USD |
| Experience Required | 5 years in 2+ CISSP domains (1-year waiver with degree or approved credential) |
| Question Types | Multiple choice and advanced innovative (drag-and-drop, hotspot) |
| Testing Format | Computerized Adaptive Testing (CAT) for English; linear for other languages |
| Certification Maintenance | 40 CPE credits per year (120 per 3-year cycle), $125 annual maintenance fee |
Domain Weight Breakdown
| Domain | Weight |
|---|---|
| Domain 1: Security and Risk Management | 15% |
| Domain 2: Asset Security | 10% |
| Domain 3: Security Architecture and Engineering | 13% |
| Domain 4: Communication and Network Security | 13% |
| Domain 5: Identity and Access Management (IAM) | 13% |
| Domain 6: Security Assessment and Testing | 12% |
| Domain 7: Security Operations | 13% |
| Domain 8: Software Development Security | 11% |
CAT Exam Strategy
- Adaptive Testing: The CAT engine selects questions based on your demonstrated ability level. Each correct answer raises the difficulty; each incorrect answer lowers it. The exam ends when the engine reaches 95% confidence in your pass/fail status, or at 150 questions.
- Minimum Questions: You must answer at least 100 questions. If the engine determines your result with 95% confidence at question 100, the exam ends. Otherwise, it continues up to 150 questions.
- No Going Back: In CAT format, you cannot return to previous questions. Each answer is final, so read carefully and commit to your best answer before moving on.
- Tip: Focus on understanding WHY an answer is correct at a managerial/architectural level. CISSP tests your ability to think like a security leader, not just a technician. When in doubt, choose the answer that reduces risk to the organization first.
Domain 1: Security and Risk Management (15%)
This is the largest and most foundational domain. It covers security governance, compliance, legal and regulatory issues, professional ethics, business continuity, and risk management. Think of this domain as the strategic and managerial backbone of information security. You must understand how security aligns with business objectives, how policies drive security programs, and how risk frameworks guide decision-making.
CIA Triad and Security Concepts
| Principle | Definition | Threats / Controls |
|---|---|---|
| Confidentiality | Ensuring information is accessible only to authorized individuals | Encryption, access controls, data classification, masking |
| Integrity | Ensuring data is accurate, complete, and unaltered by unauthorized parties | Hashing (SHA-256), digital signatures, checksums, version control |
| Availability | Ensuring systems and data are accessible when needed by authorized users | Redundancy, failover, backups, DDoS protection, BCP/DR |
Additional concepts: Non-repudiation (proof of origin/delivery via digital signatures), Authentication (verifying identity), Authorization (granting permissions), Accountability (actions traced to individuals via audit logs).
Security Governance Principles
- Security Policy Hierarchy: Laws and Regulations → Standards → Policies (mandatory) → Procedures (step-by-step) → Guidelines (recommendations) → Baselines (minimum configurations)
- Due Care: Implementing reasonable security measures (doing the right thing). Failure to exercise due care is negligence.
- Due Diligence: Ongoing research and investigation to understand risks and verify controls are working (knowing the right thing).
- Separation of Duties (SoD): No single person controls an entire critical process. Prevents fraud and errors by requiring collusion for abuse.
- Least Privilege: Users receive only the minimum access rights necessary to perform their duties.
- Need to Know: Access to specific information is restricted to those whose job functions require it, even if they have the clearance level.
- Job Rotation: Periodically moving staff between roles to detect fraud and reduce single points of failure.
Risk Management Frameworks
| Framework | Organization | Focus |
|---|---|---|
| NIST SP 800-37 (RMF) | NIST | Risk Management Framework: Categorize, Select, Implement, Assess, Authorize, Monitor |
| NIST CSF | NIST | Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover |
| ISO 27001 / 27002 | ISO/IEC | Information Security Management System (ISMS) requirements (27001) and controls (27002) |
| COBIT | ISACA | IT governance framework aligning IT with business goals |
| ITIL | Axelos | IT service management best practices (incident, change, problem management) |
| TOGAF | The Open Group | Enterprise architecture framework |
Risk Analysis: Quantitative vs Qualitative
| Concept | Formula / Definition |
|---|---|
| Asset Value (AV) | Dollar value of the asset |
| Exposure Factor (EF) | Percentage of asset loss from a single incident (0-100%) |
| Single Loss Expectancy (SLE) | SLE = AV x EF |
| Annualized Rate of Occurrence (ARO) | Expected frequency of threat per year |
| Annualized Loss Expectancy (ALE) | ALE = SLE x ARO |
| Risk Response Options | Mitigate (reduce), Transfer (insurance/contract), Avoid (eliminate activity), Accept (acknowledge) |
Qualitative: Uses subjective ratings (High/Medium/Low) based on expert judgment. Quantitative: Uses dollar values and formulas (SLE, ALE) for objective cost-benefit analysis. Most organizations use a combination of both approaches.
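The SLE and ALE formulas from the table, carried through on constructed figures and extended to the standard safeguard cost/benefit check (ALE before the control, minus ALE after it, minus the control's annual cost). This is an added example, not code from the page; the asset value, exposure factor, ARO and control cost are invented for illustration.

```python
"""Worked quantitative risk analysis using the CISSP formulas
SLE = AV x EF and ALE = SLE x ARO, plus the standard safeguard
cost/benefit check (ALE before - ALE after - annual safeguard cost).
All figures below are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset lost per incident (0.0-1.0)
    aro: float              # ARO, expected incidents per year


def sle(scenario: RiskScenario) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    if not 0.0 <= scenario.exposure_factor <= 1.0:
        raise ValueError("EF must be expressed as a fraction between 0 and 1")
    return scenario.asset_value * scenario.exposure_factor


def ale(scenario: RiskScenario) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    return sle(scenario) * scenario.aro


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual value of a control: ALE(before) - ALE(after) - annual cost of the safeguard.
    Positive means the control pays for itself; negative means the organization would
    spend more on the control than the risk it removes."""
    return ale(before) - ale(after) - annual_cost


def recommend(before: RiskScenario, after: RiskScenario, annual_cost: float) -> str:
    """Map the cost/benefit result onto the risk response options from the table."""
    value = safeguard_value(before, after, annual_cost)
    return "implement (mitigate)" if value > 0 else "do not fund; consider accept or transfer"


# Constructed example: a $500,000 customer database, where a ransomware incident
# is expected to destroy 20% of its value and to occur once every two years.
EXPOSED = RiskScenario(asset_value=500_000, exposure_factor=0.20, aro=0.5)
# Proposed control: immutable backups at $20,000/year, cutting the ARO of a
# damaging incident to 0.1 (EF unchanged: a successful incident still costs the same).
PROTECTED = RiskScenario(asset_value=500_000, exposure_factor=0.20, aro=0.1)
BACKUP_COST_PER_YEAR = 20_000

if __name__ == "__main__":
    print(f"SLE before: ${sle(EXPOSED):,.0f}")
    print(f"ALE before: ${ale(EXPOSED):,.0f}")
    print(f"ALE after:  ${ale(PROTECTED):,.0f}")
    print(f"Safeguard value: ${safeguard_value(EXPOSED, PROTECTED, BACKUP_COST_PER_YEAR):,.0f}")
    print("Recommendation:", recommend(EXPOSED, PROTECTED, BACKUP_COST_PER_YEAR))
```

With these numbers SLE is $100,000, ALE drops from $50,000 to $10,000, and the $20,000 control nets $20,000 a year, so the quantitative answer is "mitigate". Changing the control cost to $45,000 flips the recommendation, which is the kind of comparison the exam expects you to reason through.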
Business Continuity Planning (BCP) / Disaster Recovery (DR)
| Metric | Definition |
|---|---|
| RPO (Recovery Point Objective) | Maximum acceptable data loss measured in time (how far back you can recover) |
| RTO (Recovery Time Objective) | Maximum acceptable downtime to restore service after a disaster |
| MTD (Maximum Tolerable Downtime) | Longest time a business function can be unavailable before causing irreversible harm |
| MTBF (Mean Time Between Failures) | Average time between system failures (reliability measure) |
| MTTR (Mean Time To Repair) | Average time to restore a failed system |
| DR Site Type | Description | Recovery Time |
|---|---|---|
| Hot Site | Fully equipped, real-time data replication, ready immediately | Minutes to hours |
| Warm Site | Partially equipped, hardware available but needs data restoration | Hours to days |
| Cold Site | Empty facility with power/connectivity only, no hardware pre-installed | Days to weeks |
Domain 2: Asset Security (10%)
Asset Security covers the protection of information and assets throughout their lifecycle. This includes data classification, ownership roles, privacy protection, retention requirements, and secure handling of data at rest, in transit, and in use.
Data Classification Levels
| Government / Military | Commercial / Private Sector | Description |
|---|---|---|
| Top Secret | Confidential / Restricted | Exceptionally grave damage if disclosed; strictest controls |
| Secret | Private | Serious damage if disclosed; significant access restrictions |
| Confidential | Sensitive | Damage if disclosed; limited access controls |
| Unclassified | Public | No damage if disclosed; freely available |
Data Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Data Owner | Senior management; classifies data; determines access policies; ultimately accountable for data protection |
| Data Custodian | IT operations; implements and maintains security controls as directed by the owner (backups, encryption, patching) |
| Data Steward | Ensures data quality, accuracy, and proper use; manages metadata and data governance processes |
| Data Processor | Third party that processes data on behalf of the data controller (GDPR term) |
| Data Controller | Determines the purposes and means of processing personal data (GDPR term) |
Privacy Regulations
| Regulation | Scope | Key Provisions |
|---|---|---|
| GDPR | EU / EEA residents | Right to erasure, data portability, 72-hour breach notification, consent required, fines up to 4% global revenue |
| HIPAA | US healthcare | Protected Health Information (PHI) safeguards, Privacy Rule, Security Rule, Breach Notification Rule |
| PCI DSS | Payment card data | 12 requirements for cardholder data protection, network segmentation, encryption, access controls |
| SOX | US public companies | Financial reporting integrity, internal controls, CEO/CFO certification of financial statements |
Data Handling: States and Protections
| Data State | Description | Protection Methods |
|---|---|---|
| At Rest | Stored on disk, database, backup media | AES-256, full-disk encryption (BitLocker, LUKS), database TDE |
| In Transit | Moving across a network | TLS 1.3, IPsec VPN, SSH tunnels, HTTPS |
| In Use | Being processed in memory/CPU | Secure enclaves (SGX, TEE), memory encryption, process isolation |
Data Destruction Methods
| Method | Media Type | Description |
|---|---|---|
| Overwriting | HDD | Writing patterns over entire disk surface; multiple passes for higher assurance |
| Degaussing | Magnetic media (HDD, tape) | Strong magnetic field erases all data; renders drive unusable |
| Crypto-shredding | SSD, cloud storage | Destroying encryption keys making encrypted data irrecoverable |
| Physical Destruction | All media types | Shredding, incineration, pulverizing; most certain method |
Tip: Degaussing does NOT work on SSDs or flash media because they use electronic storage, not magnetic. Use crypto-shredding or physical destruction for SSDs.
Domain 3: Security Architecture and Engineering (13%)
This domain covers the design and implementation of secure architectures, security models, cryptography, and the security of physical facilities. You must understand how to apply security design principles, evaluate security models, implement cryptographic solutions, and assess vulnerabilities in systems and architectures.
Security Models
| Model | Focus | Key Rules |
|---|---|---|
| Bell-LaPadula | Confidentiality | No Read Up (Simple Security): Subject cannot read data at a higher classification. No Write Down (*-Property): Subject cannot write data to a lower classification. Prevents information leakage downward. |
| Biba | Integrity | No Read Down (Simple Integrity): Subject cannot read data at a lower integrity level. No Write Up (*-Integrity): Subject cannot write data to a higher integrity level. Prevents corruption of higher-integrity data. |
| Clark-Wilson | Integrity (commercial) | Uses well-formed transactions and separation of duties. Subjects access objects only through authorized programs (access triple: subject, program, object). Ensures integrity through constrained data items (CDIs) and transformation procedures (TPs). |
| Brewer-Nash (Chinese Wall) | Conflict of Interest | Dynamically prevents access to data that could create a conflict of interest. Once a subject accesses one dataset in a conflict class, access to competing datasets is blocked. |
Tip: Remember Bell-LaPadula = Confidentiality ("no read UP, no write DOWN" = data flows UP only). Biba = Integrity (exact opposite: "no read DOWN, no write UP" = data flows DOWN only).
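The two lattice models side by side as a small reference monitor: one function answers "may this subject read or write this object?" under either Bell-LaPadula or Biba, so the mirror-image rules in the tip above can be checked against every level. Added example, not from the page; the four-level lattice and the level names are constructed for illustration.

```python
"""Reference monitor for Bell-LaPadula (confidentiality) and Biba (integrity).
Levels are an ordered lattice, lowest first. Constructed example."""

from enum import Enum

# Ordered lattice: index 0 is the lowest level.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


class Model(Enum):
    BELL_LAPADULA = "confidentiality"
    BIBA = "integrity"


def _rank(level: str) -> int:
    try:
        return LEVELS.index(level)
    except ValueError:
        raise ValueError(f"unknown level {level!r}; known levels: {LEVELS}") from None


def allowed(model: Model, subject_level: str, operation: str, object_level: str) -> bool:
    """Return True if the access is permitted under the chosen model.

    Bell-LaPadula: no read up (simple security), no write down (*-property),
    so information only flows upward.
    Biba: no read down (simple integrity), no write up (*-integrity),
    so information only flows downward.
    """
    if operation not in ("read", "write"):
        raise ValueError("operation must be 'read' or 'write'")
    s, o = _rank(subject_level), _rank(object_level)
    if model is Model.BELL_LAPADULA:
        return s >= o if operation == "read" else s <= o
    # Biba is the exact mirror image of Bell-LaPadula.
    return s <= o if operation == "read" else s >= o


def explain(model: Model, subject_level: str, operation: str, object_level: str) -> str:
    """Human-readable verdict, useful when reviewing a policy decision."""
    verdict = "ALLOW" if allowed(model, subject_level, operation, object_level) else "DENY"
    return f"[{model.name}] {subject_level} subject {operation}s {object_level} object -> {verdict}"


if __name__ == "__main__":
    # Walk a Secret-cleared subject across every object level under both models.
    for model in Model:
        for op in ("read", "write"):
            for obj in LEVELS:
                print(explain(model, "Secret", op, obj))
```

Note that both models allow read and write at the subject's own level; the asymmetry only appears across levels, which is what the "data flows UP only / DOWN only" mnemonic captures.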
Secure Design Principles
- Defense in Depth: Multiple layers of security controls (network, host, application, data) so that failure of one layer does not compromise the system
- Fail Secure / Fail Safe: System defaults to a secure state upon failure (e.g., firewall blocks all traffic if it crashes)
- Zero Trust: Never trust, always verify. Every access request is fully authenticated and authorized regardless of network location. Microsegmentation and continuous verification.
- Security by Design: Incorporate security from the earliest stages of system development, not bolted on after
- Open Design: Security should not depend on secrecy of the design (Kerckhoffs' principle); only the key should be secret
- Complete Mediation: Every access to every object must be checked for authorization (no caching of access decisions)
- Economy of Mechanism: Keep security mechanisms as simple as possible to reduce the attack surface and ease verification
Cryptography Essentials
| Type | Algorithm | Key Size | Notes |
|---|---|---|---|
| Symmetric (shared key) | AES | 128/192/256-bit | Current standard; block cipher; fast for bulk data encryption |
| Symmetric (shared key) | 3DES | 168-bit (112 effective) | Legacy; deprecated by NIST in 2023; DES applied three times |
| Symmetric (shared key) | Blowfish / Twofish | Up to 448-bit | Open-source alternatives; Blowfish has a 64-bit block size limitation |
| Asymmetric (public/private key pair) | RSA | 2048/4096-bit | Encryption, digital signatures, key exchange; based on factoring large primes |
| Asymmetric (public/private key pair) | ECC | 256/384-bit | Smaller keys with equivalent security to RSA; efficient for mobile/IoT |
| Asymmetric (public/private key pair) | Diffie-Hellman (DH) | 2048+ bit | Key exchange only (not encryption); enables a shared secret over an insecure channel |
| Hashing (one-way) | SHA-256 / SHA-3 | 256-bit output | Integrity verification; current standard; collision-resistant |
| Hashing (one-way) | MD5 | 128-bit output | Broken; collision vulnerabilities; do NOT use for security purposes |
| Keyed hash (MAC) | HMAC | Varies | Hash-based Message Authentication Code; combines a hash with a secret key for integrity + authentication |
Digital Signatures: Hash the message, then encrypt the hash with sender's private key. Recipient decrypts with sender's public key and compares hashes. Provides integrity, authentication, and non-repudiation.
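The signature flow described above, as an added example (not code from the page): hash the message, apply the signer's private key to the hash, and let the verifier recover the hash with the public key and compare. To keep it self-contained it uses textbook RSA with a constructed key pair of about 40 bits, which offers no real security; in practice use 2048-bit keys, a padding scheme such as PSS, and a vetted library.

```python
"""Hash-then-sign with textbook RSA on a constructed toy key pair.
Educational only: the modulus is far too small to be secure."""

import hashlib
from typing import NamedTuple


class PublicKey(NamedTuple):
    n: int
    e: int


class PrivateKey(NamedTuple):
    n: int
    d: int


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two primes (toy-sized here)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; raises ValueError if e and phi share a factor
    return PublicKey(n, e), PrivateKey(n, d)


def message_digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced into the RSA modulus so it can be signed.
    With a real 2048-bit modulus the full digest fits without reduction."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv: PrivateKey, message: bytes) -> int:
    """Signer: hash the message, then 'encrypt' the hash with the private exponent."""
    return pow(message_digest(message, priv.n), priv.d, priv.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Verifier: 'decrypt' the signature with the public exponent and compare hashes.
    A match proves integrity (message unchanged) and authentication (only the
    private-key holder could have produced it), which together give non-repudiation."""
    recovered = pow(signature, pub.e, pub.n)
    return recovered == message_digest(message, pub.n)


# Constructed toy primes: 999983 and 1000003 are the primes on either side of one million.
PUB, PRIV = make_keypair(999983, 1000003)

if __name__ == "__main__":
    msg = b"Transfer 100 USD to account 12345"
    sig = sign(PRIV, msg)
    print("valid on original message:", verify(PUB, msg, sig))
    print("valid on altered message: ", verify(PUB, b"Transfer 900 USD to account 12345", sig))
```

The private exponent never leaves the signer, and anyone holding the public key can run `verify`; that asymmetry is what distinguishes a signature from an HMAC, where both parties share the same secret and neither can prove to a third party who produced the tag.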
PKI (Public Key Infrastructure)
- Certificate Authority (CA): Trusted entity that issues, signs, and revokes digital certificates
- Registration Authority (RA): Verifies identity of certificate requesters on behalf of the CA
- CRL (Certificate Revocation List): Periodic list of revoked certificates published by the CA
- OCSP (Online Certificate Status Protocol): Real-time certificate validation; more efficient than CRL
- X.509: Standard format for digital certificates containing public key, subject, issuer, validity period, and digital signature
- Certificate Pinning: Associating a host with a specific certificate or public key to prevent MitM attacks using rogue certificates
Domain 4: Communication and Network Security (13%)
This domain covers the design and protection of network architectures, secure communication channels, and network components. You must understand the OSI and TCP/IP models, network attacks, secure protocols, and network defense mechanisms.
OSI Model Security Relevance
| Layer | Name | Security Controls |
|---|---|---|
| 7 | Application | WAF, input validation, authentication, HTTPS |
| 6 | Presentation | SSL/TLS encryption, data format validation |
| 5 | Session | Session management, token handling, timeout controls |
| 4 | Transport | TLS, port filtering, TCP sequence number validation |
| 3 | Network | IPsec, firewalls, routers with ACLs, IDS/IPS |
| 2 | Data Link | 802.1X, MAC filtering, VLAN segmentation, ARP inspection |
| 1 | Physical | Physical access controls, cable locks, shielding (TEMPEST) |
Common Network Attacks
| Attack | Description | Countermeasure |
|---|---|---|
| ARP Spoofing | Forged ARP replies redirect traffic through attacker | Dynamic ARP Inspection (DAI), static ARP entries |
| DNS Poisoning | Corrupting DNS cache to redirect users to malicious sites | DNSSEC, DNS over HTTPS (DoH), split-horizon DNS |
| Man-in-the-Middle (MitM) | Intercepting communication between two parties | TLS mutual authentication, certificate pinning, strong encryption |
| DDoS | Overwhelming resources with traffic from distributed sources | CDN, rate limiting, traffic scrubbing, blackholing, anycast |
| VLAN Hopping | Double-tagging or switch spoofing to access other VLANs | Disable DTP, set native VLAN to unused ID, prune VLANs |
| SYN Flood | Sending many SYN packets without completing handshake | SYN cookies, rate limiting, firewall half-open connection limits |
Secure Network Protocols
| Insecure Protocol | Secure Alternative | Protection |
|---|---|---|
| Telnet (23) | SSH (22) | Encrypted remote access + tunneling |
| HTTP (80) | HTTPS (443) | TLS encryption for web traffic |
| FTP (20/21) | SFTP (22) / FTPS (990) | Encrypted file transfer (SFTP via SSH, FTPS via TLS) |
| SNMPv1/v2c | SNMPv3 | Authentication + encryption for network management |
| DNS (53) | DNSSEC / DoH / DoT | Signed DNS responses / encrypted DNS queries |
Firewall Types
| Type | OSI Layer | Description |
|---|---|---|
| Packet Filtering | Layer 3-4 | Inspects headers only (IP, port, protocol); stateless; fast but limited |
| Stateful Inspection | Layer 3-4 | Tracks connection state; allows return traffic for established sessions |
| Application Proxy | Layer 7 | Terminates and re-initiates connections; deepest inspection; highest latency |
| Next-Gen Firewall (NGFW) | Layer 3-7 | Deep packet inspection, IPS, application awareness, user identity integration |
| WAF | Layer 7 | Protects web applications from OWASP Top 10 (SQLi, XSS, CSRF) |
Domain 5: Identity and Access Management (13%)
This domain covers how users and systems are identified, authenticated, and authorized to access resources. It includes physical and logical access controls, identity management lifecycle, federated identity, and access control models. IAM is a critical domain because identity is the new security perimeter in modern environments.
Identification, Authentication, Authorization (AAA)
| Concept | Definition | Examples |
|---|---|---|
| Identification | Claiming an identity (who are you?) | Username, email address, employee ID, smart card insertion |
| Authentication | Proving the claimed identity (prove it) | Password, biometric scan, OTP token, certificate |
| Authorization | Granting access based on verified identity (what can you do?) | ACLs, RBAC policies, file permissions, capability tables |
| Accountability | Tracking actions to individuals (what did you do?) | Audit logs, SIEM, session recording, transaction logs |
Authentication Factors
| Factor | Category | Examples |
|---|---|---|
| Something You Know | Knowledge factor | Password, PIN, security question, passphrase |
| Something You Have | Possession factor | Smart card, hardware token (YubiKey), OTP app, phone |
| Something You Are | Biometric factor | Fingerprint, iris scan, facial recognition, voice pattern |
| Somewhere You Are | Location factor | GPS coordinates, IP geolocation, network segment |
| Something You Do | Behavioral factor | Typing pattern, gait analysis, signature dynamics |
MFA: Multi-Factor Authentication requires two or more different factor categories. Using a password + PIN is NOT MFA (both are knowledge). Password + OTP token IS MFA (knowledge + possession).
Access Control Models
| Model | Description | Use Case |
|---|---|---|
| DAC (Discretionary) | Resource owner decides who has access; identity-based; uses ACLs | File systems (Windows NTFS, Linux chmod); most common in commercial systems |
| MAC (Mandatory) | System enforces access based on labels/clearances; administrator-controlled | Military/government (SELinux, classified systems); most restrictive |
| RBAC (Role-Based) | Access based on assigned roles; users are assigned to roles, roles have permissions | Enterprise systems, Active Directory groups; most scalable for organizations |
| ABAC (Attribute-Based) | Access decisions based on attributes of user, resource, environment, and action | Cloud platforms (AWS IAM policies), fine-grained context-aware access |
| Rule-Based | Access determined by predefined rules (e.g., time of day, IP range) | Firewall rules, router ACLs, conditional access policies |
Identity Federation and SSO
| Protocol / Standard | Description |
|---|---|
| SAML 2.0 | XML-based standard for exchanging authentication and authorization data between Identity Provider (IdP) and Service Provider (SP); widely used for enterprise SSO; browser-based federation |
| OAuth 2.0 | Authorization framework for delegated access; issues access tokens; used by APIs and mobile apps; does NOT handle authentication by itself |
| OpenID Connect (OIDC) | Authentication layer built on top of OAuth 2.0; adds ID tokens for identity verification; used by Google, Microsoft, etc. |
| Kerberos | Ticket-based authentication protocol; uses Key Distribution Center (KDC) with Authentication Service (AS) and Ticket Granting Service (TGS); default in Active Directory; symmetric key-based |
| LDAP / LDAPS | Lightweight Directory Access Protocol for querying directory services; LDAPS adds TLS encryption; port 389 (LDAP) / 636 (LDAPS) |
Domain 6: Security Assessment and Testing (12%)
This domain covers designing and performing security assessments, testing security controls, analyzing results, and conducting audits. It includes vulnerability assessments, penetration testing, log analysis, and compliance verification.
Assessment Types
| Type | Description | Examples |
|---|---|---|
| Vulnerability Assessment | Identifies and prioritizes vulnerabilities; does NOT exploit them | Nessus, Qualys, OpenVAS, Rapid7 InsightVM |
| Penetration Testing | Actively exploits vulnerabilities to demonstrate impact; requires written authorization | Metasploit, Burp Suite, Kali Linux tools |
| Red Team | Simulates real-world adversary TTPs; broader scope than pen test; tests detection and response | MITRE ATT&CK-based campaigns, social engineering, physical intrusion |
| Blue Team | Defensive team; detects, responds to, and mitigates attacks | SIEM monitoring, incident response, threat hunting |
| Purple Team | Collaborative approach combining red and blue team activities for maximum improvement | Joint exercises, shared findings, control tuning |
Penetration Testing Phases
1. Planning / Scoping: Define rules of engagement, scope, authorization (written permission is mandatory), and objectives
2. Reconnaissance: Passive (OSINT, DNS lookups, public records) and active (port scanning, service enumeration) information gathering
3. Exploitation: Attempt to exploit discovered vulnerabilities to gain access and demonstrate impact
4. Post-Exploitation: Lateral movement, privilege escalation, persistence, data exfiltration (within scope)
5. Reporting: Document findings, risk ratings, evidence, and remediation recommendations; executive summary + technical details
Testing knowledge levels: Black Box (zero knowledge), Gray Box (partial knowledge, e.g., credentials), White Box (full knowledge including source code and architecture).
Security Audits
| Audit Type | Description |
|---|---|
| Internal Audit | Conducted by the organization's own audit team; first-party assessment; evaluates compliance with internal policies |
| External Audit | Conducted by independent third-party auditors; provides objective assurance; often required for regulatory compliance |
| SOC 1 (Type I / II) | Financial reporting controls; relevant for service organizations affecting customer financial statements |
| SOC 2 (Type I / II) | Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy; Type I = point in time, Type II = over a period |
| SOC 3 | Simplified public version of SOC 2; general use report without detailed controls; suitable for marketing purposes |
Domain 7: Security Operations (13%)
This domain covers the day-to-day operational security activities including incident management, digital forensics, logging and monitoring, disaster recovery, physical security, and change management. Security operations ensures that security controls are functioning, incidents are detected and responded to, and the organization can recover from disruptions.
Incident Response Lifecycle (NIST SP 800-61)
| Phase | Activities |
|---|---|
| 1. Preparation | Build IR team, create policies/procedures, deploy tools (SIEM, IDS), conduct training and exercises, establish communication plans |
| 2. Detection & Analysis | Identify indicators of compromise (IoCs), triage alerts, determine scope and impact, classify severity, document findings |
| 3. Containment, Eradication & Recovery | Short-term containment (isolate affected systems), long-term containment (apply patches), eradicate root cause, restore systems, verify clean state |
| 4. Post-Incident Activity | Lessons learned review, update procedures, share indicators with community, root cause analysis, metrics reporting |
Digital Forensics Principles
- Order of Volatility: Collect most volatile evidence first: CPU registers → Cache → RAM → Swap/pagefile → Disk → Remote logs → Archival media
- Chain of Custody: Documented trail showing who handled evidence, when, where, and what was done; critical for legal admissibility
- Forensic Imaging: Create a bit-for-bit copy of the original media using write-blockers; work only on the copy, never the original
- Hashing: Calculate MD5/SHA-256 hash of evidence at collection and verify at every transfer to prove integrity (no tampering)
- Legal Hold: Preservation order requiring an organization to retain all relevant data and suspend destruction policies for potential litigation
- Tip: Never boot or alter the original evidence. Always use write-blockers and work from forensic images. Document everything meticulously.
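The hashing and chain-of-custody points above, as an added example (not from the page): the image is hashed once at acquisition, re-hashed at every hand-off, and a hand-off whose hash no longer matches is recorded as rejected so the break in integrity is itself part of the record. The byte string standing in for a disk image and the case identifiers are constructed.

```python
"""Evidence integrity tracking: hash at acquisition, verify at every transfer.
Constructed example; the 'image' is a placeholder byte string, not a real disk image."""

import hashlib
from dataclasses import dataclass, field
from typing import List


@dataclass
class CustodyEvent:
    handler: str
    action: str
    sha256: str


@dataclass
class EvidenceRecord:
    case_id: str
    description: str
    acquisition_hash: str
    chain: List[CustodyEvent] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(case_id: str, description: str, image: bytes, examiner: str) -> EvidenceRecord:
    """Acquisition: hash the image once; this value is the reference for all later checks."""
    h = sha256_hex(image)
    first = CustodyEvent(examiner, "acquired (write-blocked bit-for-bit image)", h)
    return EvidenceRecord(case_id, description, h, [first])


def transfer(record: EvidenceRecord, image: bytes, from_handler: str, to_handler: str) -> bool:
    """Hand-off: re-hash, compare with the acquisition hash, and log the event.
    Returns False (and logs a rejection carrying the mismatching hash) if the image changed."""
    h = sha256_hex(image)
    if h != record.acquisition_hash:
        record.chain.append(CustodyEvent(
            to_handler, f"REJECTED transfer from {from_handler}: hash mismatch", h))
        return False
    record.chain.append(CustodyEvent(to_handler, f"received from {from_handler}", h))
    return True


def is_intact(record: EvidenceRecord) -> bool:
    """True only if every logged event carries the acquisition hash (no break in integrity)."""
    return all(event.sha256 == record.acquisition_hash for event in record.chain)


# Constructed stand-in for a disk image (a real one would be the raw bytes of a dd/E01 file).
IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 504

if __name__ == "__main__":
    record = acquire("CASE-0001", "laptop SSD, constructed sample", IMAGE, "examiner A")
    print("lab B receives original :", transfer(record, IMAGE, "examiner A", "lab B"))
    altered = IMAGE[:512] + b"XTFS    " + IMAGE[520:]
    print("court C receives altered:", transfer(record, altered, "lab B", "court C"))
    for event in record.chain:
        print(f"  {event.handler:<11} {event.action:<45} {event.sha256[:16]}...")
    print("chain intact:", is_intact(record))
```

The list above names MD5 as an option; SHA-256 is used here because MD5's known collisions mean a matching MD5 alone is weaker proof that nothing changed, and many labs now record both.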
Logging and Monitoring
| Tool / Concept | Description |
|---|---|
| SIEM | Security Information and Event Management; aggregates logs from multiple sources, correlates events, generates alerts, provides dashboards (Splunk, QRadar, Sentinel) |
| SOAR | Security Orchestration, Automation, and Response; automates repetitive IR tasks via playbooks; integrates with SIEM and ticketing systems |
| IDS / IPS | Intrusion Detection (passive, alerts only) vs Intrusion Prevention (active, blocks traffic); signature-based or anomaly-based detection |
| DLP | Data Loss Prevention; monitors, detects, and blocks sensitive data exfiltration via network, endpoint, or cloud channels |
| EDR / XDR | Endpoint Detection and Response / Extended Detection and Response; continuous monitoring, threat detection, and automated response at endpoint and cross-platform levels |
Change and Configuration Management
- Change Management: Formal process to request, review, approve, test, implement, and document changes to systems. Includes Change Advisory Board (CAB) review for significant changes.
- Configuration Management: Maintaining a known-good baseline configuration for all systems. Detect and remediate configuration drift. Tools: Ansible, Puppet, Chef, SCCM.
- Patch Management: Systematic process to identify, test, approve, and deploy patches. Prioritize by CVSS score and exploitability. Test in staging before production deployment.
- CMDB: Configuration Management Database; central repository of all IT assets, their configurations, and relationships; foundation for change and incident management.
Physical Security Controls
| Control Category | Examples |
|---|---|
| Deterrent | Fencing, lighting, warning signs, security guards, CCTV (visible) |
| Preventive | Locks, mantraps/vestibules, badge readers, bollards, biometric access |
| Detective | Motion sensors, CCTV recording, intrusion alarms, log review |
| Environmental | HVAC systems, fire suppression (FM-200, dry pipe), UPS, generators, humidity controls |
Domain 8: Software Development Security (11%)
This domain covers security in the software development lifecycle (SDLC), secure coding practices, software testing, and the security of development environments. Understanding how vulnerabilities are introduced and prevented at the code level is essential for any security professional.
Secure SDLC Models
| Model | Approach | Security Integration |
|---|---|---|
| Waterfall | Sequential, linear phases (Requirements → Design → Implementation → Testing → Deployment → Maintenance) | Security review at each phase gate; changes are costly in later phases |
| Agile / Scrum | Iterative sprints (2-4 weeks), continuous delivery, adaptive planning | Security stories in backlog, security sprint tasks, automated testing per sprint |
| DevSecOps | Security integrated into CI/CD pipelines from the start (shift left) | SAST, DAST, SCA in pipelines; infrastructure as code security scanning; automated compliance |
OWASP Top 10 Web Vulnerabilities
| Vulnerability | Description | Mitigation |
|---|---|---|
| Injection (SQLi, OS command, XSS) | Untrusted data sent to an interpreter as part of a command or query; the 2021 list folds XSS into this category | Parameterized queries, allowlist input validation, context-aware output encoding, WAF as defense in depth |
| Broken Authentication (2021: Identification and Authentication Failures) | Weak session management, credential stuffing, brute force | MFA, strong password policies, account lockout or rate limiting, session timeout |
| Broken Access Control | Users acting beyond intended permissions (IDOR, privilege escalation) | Deny by default, server-side authorization check on every request, principle of least privilege |
| Security Misconfiguration | Default credentials, unnecessary features enabled, verbose error messages | Hardening guides, automated configuration audits, remove defaults |
| CSRF | Forging requests that execute actions on behalf of authenticated users (dropped from the Top 10 in 2017 because most frameworks now ship defenses, but still worth knowing) | Anti-CSRF tokens, SameSite cookies, re-authentication for sensitive actions |
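Worked example for the Injection row (added to this guide; not OWASP code or code from any product): the same lookup written the vulnerable way and the parameterized way, run against an in-memory SQLite table with constructed rows. The two attacker inputs are constructed too. The point a practitioner should take away is that the parameterized version returns nothing for the malicious strings not because it filters them, but because the value never becomes part of the SQL text. The allowlist validator and the HTML-escaping greeting cover the other two mitigations named in the row.

```python
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")  # allowlist for the input-validation layer


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed rows; stands in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", 0), ("bob", "hash-b", 0), ("root", "hash-r", 1)],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the untrusted value becomes part of the SQL text,
    so quotes and comment markers inside it are parsed as SQL."""
    sql = f"SELECT username, is_admin FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized: the value travels separately from the statement and is
    only ever treated as data, whatever characters it contains."""
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ?", (username,)
    ).fetchall()


def valid_username(username):
    """Input validation is defense in depth, not a substitute for parameterization."""
    return bool(USERNAME_RE.match(username))


def render_greeting(username):
    """The XSS side of the row: encode for the output context (HTML body) before reflecting."""
    return f"<p>Welcome, {html.escape(username)}</p>"


# Constructed attacker inputs.
TAUTOLOGY = "x' OR '1'='1"   # makes the WHERE clause always true: dumps every row
BYPASS = "root' --"          # closes the string, then comments out the rest of the query

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, TAUTOLOGY))  # every row
    print(lookup_vulnerable(db, BYPASS))     # the admin row, no password involved
    print(lookup_safe(db, TAUTOLOGY))        # []
    print(render_greeting("<script>alert(1)</script>"))
```

The `BYPASS` input is the classic authentication-bypass shape: once the attacker can close the quoted literal, everything after it (typically `AND password_hash = ...`) is commented away. A WAF might catch these two textbook strings; it will not catch every encoding of them, which is why the parameterized query is the control and the WAF is only a backstop.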
Software Testing Methods
| Method | Description |
|---|---|
| SAST (Static) | Analyzes source code without executing it; finds vulnerabilities early in SDLC; white-box approach |
| DAST (Dynamic) | Tests running application by sending requests; finds runtime vulnerabilities; black-box approach |
| IAST (Interactive) | An agent instrumented into the running application observes code paths and data flow while DAST or functional tests exercise it; reports vulnerabilities with code-level context |
| SCA (Software Composition) | Identifies known vulnerabilities in third-party libraries and open-source dependencies |
| Fuzzing | Sends random/malformed input to find unexpected behavior, crashes, and security flaws |
CISSP Key Comparisons Quick Reference
The CISSP exam frequently tests your ability to distinguish between similar concepts. This section consolidates the most commonly confused topics across all eight domains into comparison tables for rapid review.
Symmetric vs Asymmetric Encryption
| Feature | Symmetric | Asymmetric |
|---|---|---|
| Keys | Single shared key | Public/private key pair |
| Speed | Fast (orders of magnitude faster than asymmetric for the same data) | Slow (computationally intensive; used on small inputs such as keys and hashes) |
| Key Distribution | Challenge (key must be shared securely) | Easier (public key can be shared openly) |
| Scalability | Poor (n(n-1)/2 keys for n users) | Good (2n keys for n users) |
| Use Case | Bulk data encryption, disk encryption | Key exchange, digital signatures, certificates |
| Examples | AES, ChaCha20, 3DES, Blowfish, RC4 (3DES and RC4 are deprecated; know them for the exam, not for new designs) | RSA, ECC, Diffie-Hellman, DSA, ElGamal |
Bell-LaPadula vs Biba vs Clark-Wilson
| Feature | Bell-LaPadula | Biba | Clark-Wilson |
|---|---|---|---|
| Focus | Confidentiality | Integrity | Integrity (commercial) |
| Read Rule | No Read Up (simple security property) | No Read Down (simple integrity property) | Constrained data items reached only through certified Transformation Procedures (access triples) |
| Write Rule | No Write Down (*-property) | No Write Up (integrity *-property) | Well-formed transactions only, with separation of duties enforced |
| Environment | Military / Government | Military / Government | Commercial / Business |
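Worked example (added to this guide; not code from any operating system or reference monitor): the Bell-LaPadula and Biba rules as access-decision functions. It goes slightly beyond the table in one respect, which is that a label is treated as a lattice point (a rank plus a set of categories) and "dominates" requires both, since that is how the comparison is actually defined; the labels, ranks and category names are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Label:
    """A lattice point: a hierarchical rank plus a set of compartments/categories."""
    rank: int
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self dominates other only if its rank is at least as high AND it holds every category of other."""
        return self.rank >= other.rank and self.categories >= other.categories


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read : simple security property, subject must dominate object (no read up)
    write: *-property, object must dominate subject (no write down)
    """
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba strict integrity: the mirror image of BLP.
    read : simple integrity property, object must dominate subject (no read down)
    write: integrity *-property, subject must dominate object (no write up)
    """
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


# Constructed labels. For BLP the rank is a clearance/classification
# (0 unclassified, 1 confidential, 2 secret, 3 top secret); for Biba it is an
# integrity level (3 = most trusted). The category names are invented.
SECRET_ANALYST = Label(2, frozenset({"CRYPTO"}))
TOP_SECRET_DOC = Label(3, frozenset({"CRYPTO"}))
CONFIDENTIAL_DOC = Label(1)
SECRET_NUCLEAR_DOC = Label(2, frozenset({"NUCLEAR"}))

TRUSTED_SERVICE = Label(3)   # high-integrity process
UNTRUSTED_UPLOAD = Label(1)  # low-integrity data from outside

if __name__ == "__main__":
    for op in ("read", "write"):
        print("BLP  secret analyst ->", op, "top secret doc:", blp_allows(SECRET_ANALYST, TOP_SECRET_DOC, op))
        print("BLP  secret analyst ->", op, "confidential doc:", blp_allows(SECRET_ANALYST, CONFIDENTIAL_DOC, op))
        print("Biba trusted service ->", op, "untrusted upload:", biba_allows(TRUSTED_SERVICE, UNTRUSTED_UPLOAD, op))
```

Two things the table alone does not make obvious: BLP happily lets a Secret subject write into a Top Secret object (writing up leaks nothing, which is why real systems add a "strong star" rule to stop blind writes), and a subject of equal rank is still denied when it lacks the object's category, so the categories matter as much as the level.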
DAC vs MAC vs RBAC vs ABAC
| Feature | DAC | MAC | RBAC | ABAC |
|---|---|---|---|---|
| Control | Owner | System/Admin | Admin (roles) | Policy engine |
| Flexibility | High | Low | Medium | Very High |
| Security | Least strict | Most strict | Moderate | Context-dependent |
| Scalability | Poor | Poor | Good | Excellent |
IDS vs IPS
| Feature | IDS (Intrusion Detection) | IPS (Intrusion Prevention) |
|---|---|---|
| Mode | Passive (monitors copies of traffic) | Inline (traffic flows through it) |
| Action | Detects and alerts only | Detects, alerts, AND blocks |
| Network Impact | No latency (out-of-band) | May add latency (inline) |
| Failure Mode | Traffic continues unaffected | Can disrupt traffic if misconfigured (fail-open vs fail-closed) |
BCP vs DR
| Feature | BCP (Business Continuity) | DR (Disaster Recovery) |
|---|---|---|
| Focus | Keeping the entire business operational | Restoring IT systems and data after a disaster |
| Scope | Broad (people, processes, technology, facilities) | Narrow (technology recovery) |
| Timing | Proactive (before, during, and after disruption) | Reactive (after disaster occurs) |
| Key Analysis | Business Impact Analysis (BIA) | Recovery strategies (hot/warm/cold site) |
Vulnerability Assessment vs Penetration Test
| Feature | Vulnerability Assessment | Penetration Test |
|---|---|---|
| Goal | Identify and list all vulnerabilities | Exploit vulnerabilities to prove impact |
| Approach | Automated scanning + manual validation | Manual exploitation with tool assistance |
| Frequency | Regular (weekly/monthly/quarterly) | Periodic (annually or after major changes) |
| Risk Level | Low (non-intrusive scanning) | Higher (active exploitation may cause disruption) |
SAML vs OAuth vs OpenID Connect
| Feature | SAML 2.0 | OAuth 2.0 | OpenID Connect |
|---|---|---|---|
| Purpose | Authentication (assertions can also carry attributes used for authorization) | Delegated authorization only; an access token proves permission, not who the user is | Authentication layered on top of OAuth 2.0 |
| Format | Signed XML assertions | Bearer access tokens; the standard does not fix a format (opaque strings or JWTs in practice) | ID token as a signed JWT, alongside the OAuth access token |
| Best For | Enterprise SSO (web browser) | API access delegation | Modern web/mobile SSO |
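Worked example for the OpenID Connect column (added to this guide; not code from any identity provider or OIDC library): what an ID token carries and the checks a relying party must run before believing it. The issuer, client ID, client secret, subject and timestamps are constructed. The token is signed with HS256 using the client secret, which OIDC permits for confidential clients; production providers normally sign with RS256 and publish their keys via JWKS, so substitute that verification step in real code. The order of checks is the part to remember: pin the algorithm and verify the signature first, then issuer, audience, expiry and nonce.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical relying-party registration values (constructed).
CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"
ISSUER = "https://idp.example"
CLIENT_ID = "rp-app-123"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(subject, nonce, now, lifetime=300, issuer=ISSUER, audience=CLIENT_ID):
    """Provider side: an HS256-signed ID token. The claims are the point of OIDC:
    who authenticated (sub), who says so (iss), which client it is for (aud),
    and which login attempt it answers (nonce)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, "nonce": nonce}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_id_token(token, expected_nonce, now):
    """Relying-party side. Returns the claims, or raises ValueError naming the failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(CLIENT_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))     # only now are the claims worth reading
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")     # a valid token minted for another client is not ours
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")     # binds the token to the login we started (anti-replay)
    return claims


def token_problem(token, expected_nonce, now):
    """Convenience wrapper: None if the token is acceptable, otherwise the failure reason."""
    try:
        validate_id_token(token, expected_nonce, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    tok = mint_id_token("user-1", "n1", now)
    print(tok)
    print(validate_id_token(tok, "n1", now + 10))
    print(token_problem(tok, "n1", now + 400))  # expired
```

The audience check is the one most often skipped and the one that separates OIDC from "just OAuth": a token the provider issued for some other application is genuinely signed and genuinely about the user, and still must be rejected by this client. Plain OAuth access tokens are meant for the resource server, not the client, which is why logging a user in with only an access token is an anti-pattern.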
Control Types Matrix
| Function | Administrative | Technical (Logical) | Physical |
|---|---|---|---|
| Preventive | Policies, hiring practices, training | Firewalls, encryption, access controls | Fences, locks, mantraps |
| Detective | Audits, reviews, job rotation | IDS, SIEM, log monitoring | CCTV, motion sensors, alarms |
| Corrective | Incident response procedures | Patching, IPS blocking, antivirus quarantine | Fire suppression, backup power |
| Deterrent | Acceptable use policy, warnings | Login banners, monitoring notices | Warning signs, security guards |
| Compensating | Supervision when SoD not possible | Extra logging when MFA unavailable | Extra guards when cameras are down |
| Recovery | DR plan, BCP execution | Backups, failover, system restore | Alternate site activation, rebuilding |
Tip: The exam loves questions about control categories. Remember: Administrative = people/process, Technical = technology, Physical = tangible barriers. Each can serve any function (preventive, detective, corrective, deterrent, compensating, recovery).