CISSP Last Minute Review

Domain 1:
Security and Risk Management

The major categories of intellectual property protection include:
- Trademarks protect words and symbols.
- Copyrights protect creative works.
- Patents protect inventions.
- Trade secrets require maintaining secrecy but don't expire.

The three main goals of information security are:
- Confidentiality prevents unauthorized disclosure.
- Integrity prevents unauthorized alteration.
- Availability ensures authorized access.

Security activities must be aligned with business strategy, mission, goals, and objectives. This requires strategic, tactical, and operational planning.

Security frameworks provide templates for security activities. These include COBIT, NIST CSF, and ISO 27001/2.

Due care is taking reasonable steps to protect the interest of the organization. Due diligence ensures those steps are carried out.

Security governance is carried out through:
- Policies which state high-level objectives (mandatory compliance).
- Standards which state detailed technical requirements (mandatory compliance).
- Procedures which provide step-by-step processes (mandatory compliance).
- Guidelines which offer advice and best practices (optional compliance).

Organizations are subject to a wide variety of legal and regulatory compliance obligations from:
- Criminal laws that may involve prison or fines.
- Civil laws that regulate non-criminal disputes.
- Administrative laws set by government agencies.
- Regulations from industry bodies.

Personnel security principles include:
- Need to know requires a legitimate business need to access information.
- Least privilege grants individuals the minimum necessary permissions to perform their jobs.
- Separation of duties blocks someone from having two sensitive privileges in combination.
- Two-person control requires two people to perform a sensitive activity.
- Mandatory vacations and job rotation seek to prevent fraudulent activity by uncovering malfeasance.

Risks are the combination of a threat and a corresponding vulnerability.

Quantitative risk assessment uses the following formulas:
Single Loss Expectancy (SLE) = Asset Value * Exposure Factor
Annualized Loss Expectancy (ALE) = Annualized Rate of Occurrence * SLE

Responses to a risk include:
- Avoid risk by changing business practices.
- Mitigate risk by implementing controls.
- Accept risk and continue operations.
- Transfer risk through insurance or contract.

Security controls may be preventive, detective, or corrective.

Business continuity planning conducts a business impact assessment and then implements controls designed to keep the business running during adverse circumstances.

© 2018 CertMike.com 1
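The two quantitative risk formulas above, carried through a constructed scenario and extended to the cost/benefit test that decides between the "accept" and "mitigate" responses. This is an added example, not part of the CertMike sheet; the asset value, exposure factor, rate of occurrence and control cost are all made up for illustration.

```python
"""Quantitative risk assessment worked example (added illustration, not part
of the CertMike review sheet).  Uses the page's two formulas:

    SLE = Asset Value * Exposure Factor
    ALE = Annualized Rate of Occurrence * SLE

and extends them to the cost/benefit test a practitioner applies when choosing
between the 'accept' and 'mitigate' risk responses.  All asset values, rates
and control costs below are constructed sample figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of the asset lost per incident (0.0-1.0)
    aro: float              # ARO, expected incidents per year


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO * SLE."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return aro * sle


def ale_for(risk: Risk) -> float:
    """Convenience wrapper: ALE of a Risk record."""
    return annualized_loss_expectancy(
        risk.aro, single_loss_expectancy(risk.asset_value, risk.exposure_factor)
    )


def control_value(risk: Risk, residual: Risk, annual_control_cost: float) -> float:
    """Annual value of a mitigating control: (ALE before) - (ALE after) - cost.

    A positive result means the control saves more than it costs, so
    'mitigate' is financially preferable to 'accept'.
    """
    return ale_for(risk) - ale_for(residual) - annual_control_cost


def recommend_response(risk: Risk, residual: Risk, annual_control_cost: float) -> str:
    """Return 'mitigate' when the control pays for itself, otherwise 'accept'."""
    value = control_value(risk, residual, annual_control_cost)
    return "mitigate" if value > 0 else "accept"


# Constructed scenario: a customer database valued at 400,000; a ransomware
# incident is assumed to destroy 60% of its value and to occur once in 4 years.
RANSOMWARE = Risk("ransomware on customer DB", 400_000, 0.60, 0.25)
# Same risk after an immutable off-site backup control: exposure falls to 10%,
# likelihood unchanged.  The control is assumed to cost 9,000 per year.
RANSOMWARE_WITH_BACKUPS = Risk("ransomware with immutable backups", 400_000, 0.10, 0.25)
BACKUP_CONTROL_COST = 9_000

if __name__ == "__main__":
    sle = single_loss_expectancy(RANSOMWARE.asset_value, RANSOMWARE.exposure_factor)
    print(f"SLE = {sle:,.0f}")                                        # 240,000
    print(f"ALE = {ale_for(RANSOMWARE):,.0f}")                        # 60,000
    print(f"ALE with control = {ale_for(RANSOMWARE_WITH_BACKUPS):,.0f}")  # 10,000
    value = control_value(RANSOMWARE, RANSOMWARE_WITH_BACKUPS, BACKUP_CONTROL_COST)
    print(f"control value = {value:,.0f}")                            # 41,000
    print(recommend_response(RANSOMWARE, RANSOMWARE_WITH_BACKUPS, BACKUP_CONTROL_COST))
```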
Domain 2:
Asset Security

Information should be classified based upon its sensitivity to the organization.

Common classes of sensitive information include:
- Personally identifiable information (PII) which uniquely identifies individuals.
- Protected health information (PHI) which includes individual health records.
- Proprietary information which contains trade secrets.

Data State | Description
Data at Rest | Data stored on a system or media device
Data in Motion | Data in transit over a network
Data in Use | Data being actively processed in memory

[Figure: INFORMATION CLASSIFICATION. Government levels TOP SECRET, SECRET, CONFIDENTIAL and UNCLASSIFIED shown alongside the private sector levels HIGHLY SENSITIVE, SENSITIVE, INTERNAL and PUBLIC, ordered by increasing sensitivity.]

Information should be labeled with its classification and security controls should be defined and appropriate for each classification level.

Collect only data that is necessary for legitimate business purposes. This is known as data minimization.

Data should be retained no longer than necessary. Use sanitization technology to ensure that no traces of data remain on media (data remanence) before discarding it.

Erasing performs a delete operation on a file but the data remains on disk. Clearing overwrites the data with random values to ensure that it is sanitized.

Data Role | Responsibilities
Data Owner | Senior-level executive who establishes rules and determines controls
System Owner | Individual responsible for overseeing secure operation of systems
Data Processor | Individual with access to personal or sensitive information

Security baselines, such as NIST SP 800-53, provide a standardized set of controls that an organization may use as a benchmark. Typically, organizations don't adopt a baseline standard wholesale, but instead tailor a baseline to meet their specific security requirements.
Domain 3:
Security Architecture and Engineering

The two basic cryptographic operations are substitution, which modifies characters, and transposition, which moves them around.

Symmetric encryption uses the same shared secret key for encryption and decryption.

In asymmetric encryption, users each have their own public/private keypair. Keys are used as follows:

 | Confidentiality | Digital Signature
Sender encrypts with… | Recipient's public key | Sender's private key
Recipient decrypts with… | Recipient's private key | Sender's public key

Anything encrypted with one key from a pair may only be decrypted with the other key from that same pair.

Symmetric Cryptography | Asymmetric Cryptography
Requires n(n-1)/2 keys | Requires 2n keys

Secure symmetric algorithms include 3DES, AES, IDEA, and Blowfish. DES is not secure.

Secure asymmetric algorithms include RSA, El Gamal, and elliptic curve (ECC).

The Diffie-Hellman algorithm may be used for secure exchange of symmetric keys.

Hashes are one-way functions that produce a unique value for every input and cannot be reversed.

Digital certificates use the X.509 standard and contain a copy of an entity's public key. They are digitally signed by a certificate authority (CA).

Transport Layer Security (TLS) is the replacement for Secure Sockets Layer (SSL) and uses public key cryptography to exchange a shared secret key used to secure web traffic and other network communications.

The Trusted Computing Base (TCB) is the secure core of a system that has a secure perimeter with access enforced by a reference monitor.

CPUs support two modes of operation: user mode for standard applications and privileged mode for processes that require direct access to core resources.

Model | Bell-LaPadula | Biba
Goal | Confidentiality | Integrity
Simple Property | No read up | No read down
*-Property | No write down | No write up

Certification is the process of evaluating and assigning a security rating to a product. Accreditation is the approval of a specific configuration for a specific use.

Security Mode | Dedicated | System High | Compartmented | Multilevel
Users must be cleared for highest level of info processed by system. | Yes | Yes | Yes | No
Users must have access approval for all info processed. | Yes | Yes | No | No
Users must have need to know all info processed by system. | Yes | No | No | No

Two serious issues can occur when users are granted limited access to information in databases or other repositories. Aggregation attacks occur when a user is able to summarize individual records to detect trends that are confidential. Inference attacks occur when a user is able to use several innocuous facts in combination to determine, or infer, more sensitive information.

Mantraps use a set of double doors to restrict physical access to a facility.
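The Bell-LaPadula and Biba rules from the table above, implemented as a minimal reference monitor that mediates one access request at a time. This is an added example, not from the review sheet; the four-level label set and the subject/object pairings are constructed, and the same level ordering is reused as a confidentiality scale for BLP and an integrity scale for Biba.

```python
"""Reference-monitor check for the Bell-LaPadula and Biba properties in the
Domain 3 table (added illustration, not from the review sheet).  Levels are
ordered low-to-high; for BLP they are confidentiality levels, for Biba they
are integrity levels.  Labels and subject/object names are constructed."""
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def bell_lapadula_allows(subject: Level, obj: Level, access: str) -> bool:
    """Confidentiality model from the table.

    Simple security property: no read up   (subject >= object to read)
    *-property:               no write down (subject <= object to write)
    """
    if access == "read":
        return subject >= obj
    if access == "write":
        return subject <= obj
    raise ValueError(f"unknown access type: {access}")


def biba_allows(subject: Level, obj: Level, access: str) -> bool:
    """Integrity model from the table: the mirror image of BLP.

    Simple integrity property: no read down (subject <= object to read)
    *-integrity property:      no write up  (subject >= object to write)
    """
    if access == "read":
        return subject <= obj
    if access == "write":
        return subject >= obj
    raise ValueError(f"unknown access type: {access}")


def reference_monitor(model: str, subject: Level, obj: Level, access: str) -> str:
    """Mediate one access request and return an audit-log style verdict.

    The TCB paragraph says a reference monitor enforces the perimeter; this
    is a minimal one that records every decision, so denied attempts are
    visible to detection as well as being blocked.
    """
    checker = {"blp": bell_lapadula_allows, "biba": biba_allows}[model]
    verdict = "PERMIT" if checker(subject, obj, access) else "DENY"
    return f"{model.upper()} {verdict}: subject={subject.name} {access} object={obj.name}"


if __name__ == "__main__":
    # A SECRET-level subject touching a TOP_SECRET object under both models:
    # BLP denies the read (read up) but permits the write; Biba does the reverse.
    for model in ("blp", "biba"):
        for access in ("read", "write"):
            print(reference_monitor(model, Level.SECRET, Level.TOP_SECRET, access))
```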
Domain 4:
Communication and Network Security

OSI Model
Layer | Description
Application | Serves as the point of integration for user applications with the network
Presentation | Transforms user-friendly data into machine-friendly data; encryption
Session | Establishes, maintains, and terminates sessions
Transport | Manages connection integrity; TCP, UDP, SSL, TLS
Network | Routing packets over the network; IP, ICMP, BGP, IPsec, NAT
Data Link | Formats packets for transmission; Ethernet, ARP, MAC addresses
Physical | Encodes data into bits for transmission over wire, fiber, or radio

TCP is a connection-oriented protocol, while UDP is a connectionless protocol that does not guarantee delivery.

TCP Three-Way Handshake: SYN, SYN/ACK, ACK

DNS converts between IP addresses and domain names. ARP converts between MAC addresses and IP addresses. NAT converts between public and private IP addresses.

Wireless networks should be secured using WPA or WPA2 encryption, not WEP.

Port(s) | Service
20, 21 | FTP
22 | SSH
23 | Telnet
25 | SMTP
53 | DNS
80 | HTTP
110 | POP3
123 | NTP
135, 137-139, 445 | Windows File Sharing
143 | IMAP
161/162 | SNMP
443 | HTTPS
1433/1434 | SQL Server
1521 | Oracle
1720 | H.323
1723 | PPTP
3389 | RDP
9100 | HP JetDirect Printing

TLS should be used to secure network communications. SSL is no longer secure.

Most Virtual Private Networks (VPN) use either TLS or IPsec. IPsec uses Authentication Headers (AH) to provide authentication, integrity and nonrepudiation and Encapsulating Security Payload (ESP) to provide confidentiality.

Network switches generally work at layer 2 and connect directly to endpoints or other switches. Switches may also create virtual LANs (VLANs) to further segment internal networks at layer 2.

Routers generally work at layer 3 and connect networks to each other. Firewalls are the primary network security control used to separate networks of differing security levels.
Domain 5:
Identity and Access Management

The core activities of identity and access management are:
- Identification where a user makes a claim of identity.
- Authentication where the user proves the claim of identity.
- Authorization where the system confirms that the user is permitted to perform the requested action.

In access control systems, we seek to limit the access that subjects (e.g. users, applications, processes) have to objects (e.g. information resources, systems).

Access controls work in three different fashions:
- Technical (or logical) controls use hardware and software mechanisms, such as firewalls and intrusion prevention systems, to limit access.
- Physical controls, such as locks and keys, limit physical access to controlled spaces.
- Administrative controls, such as account reviews, provide management of personnel and business practices.

Multifactor authentication systems combine authentication technologies from two or more of the following categories:
- Something you know (Type 1 factors) rely upon secret information, such as a password.
- Something you have (Type 2 factors) rely upon physical possession of an object, such as a smartphone.
- Something you are (Type 3 factors) rely upon biometric characteristics of a person, such as a face scan or fingerprint.

Authentication technologies may experience two types of errors. False positive errors occur when a system accepts an invalid user as correct. It is measured using the false acceptance rate (FAR). False negative errors occur when a system rejects a valid user, measured using the false rejection rate (FRR). We evaluate the effectiveness of an authentication technology using the crossover error rate (CER), as shown in the diagram:

[Figure: Error Rate (vertical axis) plotted against Sensitivity (horizontal axis). The FAR curve falls and the FRR curve rises as sensitivity increases; the CER is the point where the two curves cross.]

Organizations often use centralized access control systems to streamline authentication and authorization and to provide users with a single sign on (SSO) experience. These solutions often leverage Kerberos which uses a multi-step logon process:
1. User authenticates to a client on his or her device.
2. Client sends the authentication credentials to the Key Distribution Center (KDC).
3. KDC verifies the credentials and creates a ticket granting ticket (TGT) and sends it to the user.
4. Client makes a service access request to the KDC using the TGT.
5. KDC verifies the TGT, creates a service ticket (ST) for the user to use with the service, and sends the ST to the user.
6. User sends the ST to the service.
7. Service verifies the ST with the KDC and grants access.
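How FAR, FRR and the CER in the error-rate diagram are actually computed from matcher output, as an added example that is not part of the review sheet. The genuine and impostor match scores and the 0-100 score scale are constructed sample data for a hypothetical biometric matcher; the threshold plays the role of the diagram's sensitivity axis.

```python
"""Computing FAR, FRR and the crossover error rate (CER) for a biometric
matcher, as an added illustration of the Domain 5 error-rate diagram (not from
the review sheet).  The match scores are constructed sample data: a higher
score means the matcher is more confident the sample belongs to the claimed
user, and an attempt is accepted when its score reaches the threshold."""
from typing import Iterable, List, Tuple

# Constructed similarity scores (0-100) from a hypothetical matcher.
GENUINE_SCORES = [88, 92, 75, 81, 95, 67, 84, 90, 73, 86]   # legitimate users
IMPOSTOR_SCORES = [45, 62, 38, 71, 55, 49, 66, 33, 58, 77]  # wrong-user attempts


def false_acceptance_rate(impostor: Iterable[int], threshold: int) -> float:
    """FAR: fraction of impostor attempts the system accepts (false positives)."""
    scores = list(impostor)
    return sum(s >= threshold for s in scores) / len(scores)


def false_rejection_rate(genuine: Iterable[int], threshold: int) -> float:
    """FRR: fraction of genuine attempts the system rejects (false negatives)."""
    scores = list(genuine)
    return sum(s < threshold for s in scores) / len(scores)


def error_curve(genuine: List[int], impostor: List[int],
                thresholds: Iterable[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for each candidate sensitivity setting.

    Raising the threshold makes the system stricter: FAR falls while FRR
    rises, which gives the pair of crossing curves in the diagram.
    """
    return [(t, false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t))
            for t in thresholds]


def crossover_error_rate(genuine: List[int], impostor: List[int],
                         thresholds: Iterable[int]) -> Tuple[int, float]:
    """Return (threshold, error rate) where FAR and FRR are closest to equal.

    The CER is the error rate at that crossing; a lower CER means a more
    accurate technology, which is how the page says systems are compared.
    Ties resolve to the lowest qualifying threshold.
    """
    curve = error_curve(genuine, impostor, thresholds)
    t, far, frr = min(curve, key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


if __name__ == "__main__":
    thresholds = range(50, 96, 5)
    for t, far, frr in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds):
        print(f"threshold {t:>3}: FAR={far:.2f} FRR={frr:.2f}")
    print("CER (threshold, rate):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds))
```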
RADIUS is an authentication protocol commonly used for backend services. TACACS+ serves a similar purpose and is the only protocol from the TACACS family that is still commonly used.

The implicit deny principle says that any action that is not explicitly authorized for a subject should be denied.

Access control lists (ACLs) form the basis of many access management systems and provide a listing of subjects and their permissions on objects and groups of objects.

Discretionary access control (DAC) systems allow the owners of objects to modify the permissions that other users have on those objects. Mandatory access control (MAC) systems enforce predefined policies that users may not modify.

Role-based access control assigns permissions to individual users based upon their assigned role(s) in the organization. For example, backup administrators might have one set of permissions while sales representatives have an entirely different set.

Brute force attacks against password systems try to guess all possible passwords. Dictionary attacks refine this approach by testing combinations and permutations of dictionary words. Rainbow table attacks precompute hash values for use in comparison. Salting passwords with a random value prior to hashing them reduces the effectiveness of rainbow table attacks.

Man-in-the-middle attacks intercept a client's initial request for a connection to a server and proxy that connection to the real service. The client is unaware that they are communicating through a proxy and the attacker can eavesdrop on the communication and inject commands.
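Why salting defeats a precomputed hash table, shown with the weak unsalted scheme beside a salted one. This is an added example, not from the review sheet: the five-word "table" stands in for a rainbow table, the PBKDF2 iteration count is an assumption for the demonstration, and the example also shows the constant-time verification step a password store needs.

```python
"""Why salting defeats precomputed (rainbow-table style) lookups, as an added
illustration of the Domain 5 password-attack paragraph (not from the review
sheet).  The 'table' is a constructed dictionary of a few words and their
unsalted SHA-256 digests; the salted store uses PBKDF2 from hashlib."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed word list standing in for a precomputed hash table.
PRECOMPUTED = {hashlib.sha256(w.encode()).hexdigest(): w
               for w in ["password", "letmein", "qwerty", "dragon", "summer2018"]}

PBKDF2_ITERATIONS = 100_000  # assumption for the example; tune to your hardware


def unsalted_hash(password: str) -> str:
    """The weak scheme: identical passwords hash identically for every user,
    so one precomputed table serves against every stolen database."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_in_table(digest: str) -> Optional[str]:
    """Reverse a digest by table lookup; succeeds only for unsalted hashes."""
    return PRECOMPUTED.get(digest)


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The hardened scheme: random per-user salt plus a slow KDF.

    Returns (salt, derived_key).  The salt is stored beside the hash; it need
    not be secret, only unique, so a table built ahead of time is useless.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    _, dk = salted_hash(password, salt)
    return hmac.compare_digest(dk, stored)


def table_recovers(password: str) -> Tuple[bool, bool]:
    """(recovered from unsalted hash?, recovered from salted hash?)

    Runs the same password through both schemes and asks the precomputed
    table about each result.
    """
    unsalted_hit = lookup_in_table(unsalted_hash(password)) == password
    _, dk = salted_hash(password)
    salted_hit = lookup_in_table(dk.hex()) is not None
    return unsalted_hit, salted_hit


if __name__ == "__main__":
    print(table_recovers("letmein"))   # (True, False)
    salt, stored = salted_hash("letmein")
    print(verify_salted("letmein", salt, stored), verify_salted("Letmein", salt, stored))
```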
Domain 6:
Security Assessment and Testing

Security tests verify that a control is functioning properly. Security assessments are comprehensive reviews of the security of a system, application, or other tested environment.

Security audits use testing and assessment techniques but are performed by independent auditors. There are three types of security audits:
- Internal audits are performed by an organization's internal audit staff, normally led by a Chief Audit Executive who reports directly to the CEO.
- External audits are performed by an outside auditing firm.
- Third-party audits are conducted by, or on behalf of, another organization, such as a regulator.

Organizations that provide services to other organizations may conduct audits under SSAE 16. These engagements produce two different types of reports:
- Type I reports provide a description of the controls in place, as described by the audited organization, and the auditor's opinion whether the controls described are sufficient. The auditor does not test the controls.
- Type II reports result when the auditor actually tests the controls and provides an opinion on their effectiveness.

COBIT, ISO 27001, and ISO 27002 are commonly used standards for cybersecurity audits.

Vulnerability assessments seek to identify known deficiencies in systems and applications.

The Security Content Automation Protocol (SCAP) provides a standard framework for vulnerability assessment. It includes the following components:
- Common Vulnerabilities and Exposures (CVE)
- Common Vulnerability Scoring System (CVSS)
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Extensible Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL)

Network discovery scanning uses tools like nmap to check for active systems and open ports. Common scanning techniques include:
- TCP SYN scans send a single packet with the SYN flag set.
- TCP Connect scans attempt to complete the three-way handshake.
- TCP ACK scans seek to impersonate an established connection.
- Xmas scans set the FIN, PSH, and URG flags.

Network vulnerability scanning first discovers active services on the network and then probes those services for known vulnerabilities. Web application vulnerability scans use tools that specialize in probing for web application weaknesses.

The vulnerability management workflow includes three basic steps: detection, remediation, and validation.

Penetration testing goes beyond vulnerability scanning and attempts to exploit vulnerabilities. It includes five steps:
1. Planning
2. Information Gathering & Discovery
3. Vulnerability Scanning
4. Exploitation
5. Reporting
There are three different types of penetration tests:
- During white box penetration tests, testers have full access to information about the target systems.
- During black box penetration tests, testers conduct their work without any knowledge of the target environment.
- Gray box tests reside in the middle, providing testers with partial knowledge about the environment.

Code review provides an important software assurance tool that allows peer review by fellow developers for security, performance, and reliability issues.

Fagan inspections are a formal code review process that follows a rigorous six-step process with formalized entry and exit parameters for each step:
1. Planning
2. Overview
3. Preparation
4. Inspection
5. Rework
6. Follow Up

Static testing evaluates software code without executing it, while dynamic testing executes the code during the test. Fuzz testing supplies invalid input to applications in an attempt to trigger an error state.

Interface testing evaluates the connections between different system components.

Misuse case testing evaluates known avenues of attack in an application.

Test coverage analysis metrics evaluate the completeness of testing efforts using the formula:
test coverage = (use cases tested) / (all use cases)

Common criteria for test coverage analysis include:
- Branch coverage (if statements tested under all conditions)
- Condition coverage (logical tests evaluated under all inputs)
- Function coverage (each function tested)
- Loop coverage (every loop executed multiple times, once, and not at all)
- Statement coverage (every line of code executed)
Domain 7:
Security Operations

Security professionals are often called upon to participate in a variety of investigations:
- Criminal investigations look into the violation of a criminal law and use the beyond a reasonable doubt standard of proof.
- Civil investigations examine potential violations of civil law and use the preponderance of the evidence standard.
- Regulatory investigations examine the violation of a private or public regulatory standard.
- Administrative investigations are internal to an organization, supporting administrative activities.

Investigations may use several different types of evidence:
- Real evidence consists of tangible objects that may be brought into court.
- Documentary evidence consists of records and other written items and must be authenticated by testimony.
- Testimonial evidence is evidence given by a witness, either verbally or in writing.

The best evidence rule states that, when using a document as evidence, the original document must be used unless there are exceptional circumstances. The parol evidence rule states that a written agreement is assumed to be the complete agreement.

Forensic investigators must take steps to ensure that they do not accidentally tamper with evidence and that they preserve the chain of custody documenting evidence handling from collection until use in court.

The disaster recovery process begins when operations are disrupted at the primary site and shifted to an alternate capability. The process only concludes when normal operations are restored.

Cybersecurity incident response efforts follow this process:
1. Detection
2. Response
3. Mitigation
4. Reporting
5. Recovery
6. Remediation
7. Lessons Learned

Tool | Description
Intrusion Detection System | Monitor a host or network for signs of intrusion and report to administrators.
Intrusion Prevention System | Monitor a host or network for signs of intrusion and attempt to block malicious traffic automatically.
Security Information & Event Management System | Aggregate and correlate security information received from other systems.
Firewall | Restricts network traffic to authorized connections.
Application Whitelisting | Limits applications to those on an approved list.
Application Blacklisting | Blocks applications on an unapproved list.
Sandbox | Provides a safe space to run potentially malicious code.
Honeypot | System that serves as a decoy to attract attackers.
Honeynet | Unused network designed to capture probing traffic.
Backups provide an important disaster recovery control. Remember that there are three major categories of backup:

Backup Type | Description
Full Backup | Copies all files on a system.
Differential Backup | Copies all files on a system that have changed since the most recent full backup.
Incremental Backup | Copies all files on a system that have changed since the most recent full or incremental backup.

Disaster recovery sites fit into three major categories:

Site Type | Support Systems | Configured Servers | Real-time Data
Cold Site | Yes | No | No
Warm Site | Yes | Yes | No
Hot Site | Yes | Yes | Yes

Disaster recovery plans require testing. There are five major test types:

DR Test Type | Description
Read-through/tabletop | Plan participants review the plan and their specific role, either as a group or individually.
Walkthrough | The DR team gathers to walk through the steps in the DR plan and verify that it is current and matches expectations.
Simulation | DR team participates in a scenario-based exercise that uses the DR plan without implementing technical recovery controls.
Parallel | DR team activates alternate processing capabilities without taking down the primary site.
Full interruption | DR team takes down the primary site to simulate a disaster.

When managing the physical environment, you should be familiar with common power issues:

Power Issue | Brief Duration | Prolonged Duration
Loss of power | Fault | Blackout
Low voltage | Sag | Brownout
High voltage | Spike | Surge
Disturbance | Transient | Noise

Fires require the combination of heat, oxygen, and fuel. They may be fought with fire extinguishers:
- Class A: common combustible fires
- Class B: liquid fires
- Class C: electrical fires
- Class D: metal fires

Organizations may use wet pipe fire suppression systems that always contain water, dry pipe systems that only fill with water when activated, or preaction systems that fill the pipes at the first sign of fire detection.
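The three backup definitions from the table, simulated over a constructed four-day edit timeline so the difference between a differential and an incremental schedule is visible in which files each backup copies and which backups a restore then needs. This is an added example, not from the review sheet; the file names, edit timeline and integer "days" are all constructed.

```python
"""Which files each backup type copies, and which backups a restore then
needs, as an added illustration of the Domain 7 backup table (not from the
review sheet).  The file names, edit timeline and schedules are constructed;
integer 'days' stand in for dates."""
from dataclasses import dataclass
from typing import Dict, List

FILES = ["a.txt", "b.txt", "c.txt", "d.txt"]
# Constructed edit timeline: which files were modified on which day.
CHANGES: Dict[int, List[str]] = {2: ["a.txt"], 3: ["b.txt"], 4: ["a.txt", "c.txt"]}


@dataclass
class Backup:
    day: int
    kind: str          # "full", "differential" or "incremental"
    files: List[str]


def mtimes_as_of(day: int) -> Dict[str, int]:
    """Last-modified day of every file as it stood on the given day.

    All files exist before the first backup, so they start at day 0.
    """
    mtimes = {f: 0 for f in FILES}
    for d in range(1, day + 1):
        for f in CHANGES.get(d, []):
            mtimes[f] = d
    return mtimes


def files_for_backup(kind: str, mtimes: Dict[str, int], day: int,
                     last_full: int, last_full_or_incr: int) -> List[str]:
    """Apply the three definitions from the table.

    full:         every file
    differential: files changed since the most recent full backup
    incremental:  files changed since the most recent full or incremental backup
    """
    if kind == "full":
        return sorted(mtimes)
    if kind == "differential":
        since = last_full
    elif kind == "incremental":
        since = last_full_or_incr
    else:
        raise ValueError(f"unknown backup type: {kind}")
    return sorted(f for f, m in mtimes.items() if since < m <= day)


def run_schedule(schedule: List[str]) -> List[Backup]:
    """Simulate a schedule; schedule[i] is the backup taken on day i + 1."""
    backups: List[Backup] = []
    last_full = last_full_or_incr = 0
    for day, kind in enumerate(schedule, start=1):
        picked = files_for_backup(kind, mtimes_as_of(day), day, last_full, last_full_or_incr)
        backups.append(Backup(day, kind, picked))
        if kind == "full":
            last_full = last_full_or_incr = day
        elif kind == "incremental":
            last_full_or_incr = day
    return backups


def restore_set(backups: List[Backup]) -> List[int]:
    """Days of the backups needed to restore to the latest state.

    Full + differential needs only the last full and the latest differential;
    full + incremental needs the last full and every incremental since it.
    Fewer media to restore versus less data to back up each night is the
    operational trade-off behind the table.
    """
    last_full = max(b.day for b in backups if b.kind == "full")
    after = [b for b in backups if b.day > last_full]
    if not after:
        return [last_full]
    if after[-1].kind == "differential":
        return [last_full, after[-1].day]
    return [last_full] + [b.day for b in after if b.kind == "incremental"]


if __name__ == "__main__":
    for plan in (["full", "differential", "differential", "differential"],
                 ["full", "incremental", "incremental", "incremental"]):
        run = run_schedule(plan)
        for b in run:
            print(f"day {b.day} {b.kind:<12} copies {b.files}")
        print("restore needs days", restore_set(run))
```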
Domain 8:
Software Development Security

The waterfall model of software development is fairly rigid, allowing the process to return only to the previous step:
1. System Requirements
2. Software Requirements
3. Preliminary Design
4. Detailed Design
5. Code and Debug
6. Testing
7. Operations and Maintenance

The spiral model uses a more iterative approach, cycling through four quadrants (plotted against cumulative cost and progress):
1. Determine objectives
2. Identify and resolve risks
3. Development and Test
4. Plan the next iteration

[Figure: spiral model. Successive loops produce a requirements plan and concept of operation, then Prototype 1, Prototype 2 and an operational prototype; the development-and-test quadrant carries requirements, draft and detailed design, code, integration, test and implementation through verification and validation to release.]

The agile approach eschews this rigidity for a series of incremental deliverables created using a process that values:
- Individuals and interactions instead of processes and tools
- Working software instead of comprehensive documentation
- Customer collaboration instead of contract negotiation
- Responding to change instead of following a plan

Software testing follows two primary approaches. In static testing, testers analyze the source code without executing it. Dynamic testing executes the source code against test datasets.

Software testers can have varying degrees of knowledge about the software they are testing. In a white box test, they have full knowledge of the software. In a black box test, they have no knowledge, while grey box tests reside in the middle, providing testers with partial knowledge.

The top ten security vulnerabilities in web applications, according to OWASP, are:
1. Injection attacks
2. Broken authentication
3. Sensitive data exposure
4. XML external entities
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring

In addition to maintaining current and patched platforms, one of the most effective application security techniques is input validation which ensures that user input matches the expected pattern before using it in code.
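Input validation against the expected pattern, shown beside the injection defect (OWASP item 1 above) it guards against: a lookup that splices user input into SQL next to the parameterized form. This is an added example, not from the review sheet; the in-memory SQLite table, its rows and the username pattern are constructed for the demonstration.

```python
"""Input validation and parameterized queries against injection (OWASP #1 on
the page), as an added illustration that is not part of the review sheet.  The
in-memory SQLite table, its rows, and the username pattern are constructed."""
import re
import sqlite3
from typing import List, Optional, Tuple

# Assumed username policy for the example: lowercase letter, then letters,
# digits or underscore, 3-32 characters.  This is the "expected pattern" the
# page describes, checked before the value gets anywhere near the query.
USERNAME_PATTERN = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def build_db() -> sqlite3.Connection:
    """Constructed sample table of users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "auditor")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Vulnerable form: user input is spliced into the SQL text.

    Input containing SQL metacharacters changes the structure of the
    statement rather than being treated as a value; a single apostrophe is
    enough to break it.  Shown only to contrast with the hardened forms.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_param(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Hardened form 1: a bound parameter keeps data and code separate."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def is_valid_username(username: str) -> bool:
    """Hardened form 2: allowlist check against the expected pattern."""
    return USERNAME_PATTERN.fullmatch(username) is not None


def lookup_safe(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """Validation plus parameterization: returns the role, or None if absent.

    Rejecting out-of-pattern input up front also gives a clean signal to log,
    which the page's item 10 (insufficient logging) is about.
    """
    if not is_valid_username(username):
        raise ValueError("username does not match the expected pattern")
    rows = lookup_param(conn, username)
    return rows[0][1] if rows else None


def unsafe_breaks(conn: sqlite3.Connection, username: str) -> bool:
    """True when the vulnerable query fails on this input (a visible symptom
    of the defect; other inputs would alter the query silently)."""
    try:
        lookup_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print(lookup_safe(db, "alice"))        # admin
    print(unsafe_breaks(db, "o'brien"))    # True: the quote ends the literal early
    print(lookup_param(db, "o'brien"))     # []: handled as plain data, no error
    print(is_valid_username("o'brien"))    # False: rejected before any query
```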
