C.I.S.S.P. Cheat Sheet
In the current age of fast-evolving web development and the internet, securing information, data, and systems is vital. Information systems security, commonly referred to as INFOSEC, is a set of processes and methodologies for keeping important information available and confidential and for ensuring its integrity.
Information systems security is not limited to computer information. In a wider scope, it covers the protection of data and information in all forms. Risk assessments are carried out to determine which information is most exposed to the biggest risks and to set priorities. For example, one particular system, often a server, might hold the most important information and will therefore require comparatively stronger security measures.
If you are looking to become an Information Systems Security Professional, a Certified Information Systems Security Professional (C.I.S.S.P.) certification can give your career a huge boost. In this article, we will go through the details of C.I.S.S.P. and a cheat sheet to help you pass the C.I.S.S.P. certification exam.
What is C.I.S.S.P.?
Certified Information Systems Security Professional (C.I.S.S.P.) is an information security certification designed and developed by the International Information Systems Security Certification Consortium, also known as (ISC)². C.I.S.S.P. is widely considered a quality standard in the field of information and cybersecurity. The certification also meets ISO/IEC Standard 17024:2003.
C.I.S.S.P. was introduced in 1994, and it is considered one of the most sought-after security certifications in the field of internet and technology. Organizations, while hiring, often prefer candidates who have passed the C.I.S.S.P. exam, given that such candidates are amply knowledgeable about cybersecurity, have hands-on experience, and potentially have formal CISSP training.
C.I.S.S.P. is based on eight domains which are as under:
- Security and Risk Management
- Asset Security
- Security Architecture Engineering
- Communication and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
A domain is a broad topic that needs to be mastered to ace the C.I.S.S.P. certification exam. Today, C.I.S.S.P. certification training is preferred by many I.T. security professionals. It gives information security professionals a goal against which to measure their competence and a globally recognized standard of accomplishment.
Cheat Sheets for Studying for the C.I.S.S.P. Exam
Passing the C.I.S.S.P. certification exam is not a walk in the park; however, it is not impossible either. Aspirants usually get overwhelmed before even starting to study, given that eight domains need comprehensive study, each covering a variety of complex topics.
To ease the pressure and the psychological barrier, we will go through a comprehensive "Cheat Sheet" for exam preparation. This article will also help you make the most effective use of the time and effort you put into preparation.
Let’s go through each domain separately in detail.
Domain 1: Security and Risk Management
Understanding Concepts of C.I.A. (Confidentiality, Integrity, and Availability)
Confidentiality: Making sure only the right people have access to the data. Data must be classified so that administrators know exactly who should have access. Users must identify themselves, authenticate, and then be authorized before gaining access.
- End to end symmetric encryption provides confidentiality because only users with a specific key can access the data
- File permissions only allow authorized users to view the contents
Integrity: No unauthorized modifications; data consistency
- Hashing and data mapping
- Segregation of duties
- Checkpoints approval (SDLC)
- Secure data transmission through RSA (use of HMAC)
- Internet Protocol Security (IPsec)
Availability: Availability of information to users as and when required
- Not vulnerable to Denial of Service (DoS) attacks
- Proper backups and assurance of no down-time
Application of Security Governance Principles
These are defined processes for each role to ensure that executive management is informed about all decisions being made. ISO 27000 should be consulted for the requirements of the security frameworks you should implement.
Aligning the security function to business strategy, goals, mission, and objectives
- Analyze the cost of information loss/theft, the cost of implementing controls, and the benefit to the organization of applying certain controls
Organizational processes (e.g., acquisitions, liquidation, governance committees, etc.)
- If the business is changing rapidly, security needs to be ensured throughout that change
Security control frameworks
- The schemes for how security in the organization will be ensured. Frameworks are applied to the organization based on what they contain
Risk Management Concepts
- Identify threats and vulnerabilities
- Risk assessment and response
- Types of controls (e.g., preventive, detective, or corrective)
- Security Control Assessment (S.C.A.)
- Risk monitoring and measurement
- Asset valuation
- Reporting
- Risk frameworks
Risk-Based Management Concepts for Supply Chain
- Risks associated with hardware, software, and other services
- Third-party validation and monitoring
- Minimum security requirements
- Service-level requirements
Security Awareness, Education, and Training Program
- Technical training for employees on how to react to situations; best practices for security and network staff
- Employees need to understand and adhere to policies. Use presentations, posters, etc. to raise awareness
Domain 2: Asset Security
Information Classification: Commercial and Government
Commercial
- Private data such as SSN, bank account and credit card numbers, etc.
- Company-restricted data available only to a subset of employees
- Data that all employees can view but that is not for general use
- Public data, which can be viewed or used by anyone
Government
- Top Secret: Disclosure may cause severe damage to national security
- Secret: Disclosure may cause serious damage. This data is considered less sensitive than top secret.
- Confidential: This data is usually exempt from disclosure under laws such as the Freedom of Information Act but is not classified as secret or top secret.
- Sensitive but Unclassified: SBU data is not considered vital, but its disclosure would do some harm.
- Unclassified: Data that is neither classified nor sensitive.
Data Ownership
Data Owner: Data owner is usually a member of Senior Management. After all, senior management is responsible for the asset. If data is compromised, they can be held responsible. The data owner can delegate duties but cannot delegate total responsibility.
Data Custodian: This is usually an employee in I.T. The data custodian has no say in which controls are needed but implements controls on behalf of the data owner. Other responsibilities include managing the asset: controlling access, adding and removing privileges for users, and ensuring that the proper controls have been implemented.
Data Remanence
Sanitizing: Chain of processes that completely removes data
Degaussing: Erasing data from magnetic tapes etc.
Erasing: Complete deletion of files or media
Overwriting: Writing over files in layers, shredding
Zero fill: Overwrite all data with zeros
Destruction: Physical destruction of hardware devices containing data
Encryption: Making data unreadable without special keys
Security Policies, Standards & Guidelines
Regulatory: Obligatory by law and industrial standards
Advisory: Worthwhile but not compulsory
Informative: As a source of guidance to others
Information Policy: Best practices for information management and usage
Security Policy: Technical specifications of the policies
System Security Policy: List of hardware/software being used and guidelines for applying the policies
Standards: Define different usage levels
Guidelines: Non-compulsory standards to follow
Procedures: Steps for carrying out tasks under policies
Baseline: Minimum level of security to be implemented
Domain 3: Security Architecture Engineering
Types of Security Models
State Machine Models: Examine every possible system state and ensure that the proper security relationship is maintained in each.
Multilevel Lattice Models: Assign every subject a security label defining the upper and lower bounds of the subject's access to the system. Enforce controls on all objects by partitioning them into levels known as lattices.
Matrix Based Models: Organize tables known as the matrix, which include subjects and objects and define what actions subjects can take on each object.
Noninterference Models: Consider the state of the system at any time for a subject; they aim to prevent actions that occur at one level from changing the state of another level.
Information Flow Models: Attempt to prevent any transfer of information from one entity to another that would violate the security policy.
Security Modes:
Dedicated Security Mode: Uses a single classification level. All users must have prior approval for access, a need to know for all the information in the system, and a signed N.D.A.
System High Security Mode: All users have the same access level (clearance), but not all of them have a need to know for all the information in the system.
Compartmented Security Mode: All users have the same clearance, but formal approval and need to know are enforced per compartment, so no user has a need to know for all the data in the system.
Multilevel Security Mode: Uses two or more classification levels in one system; users need not be cleared for all of them, so the system must be evaluated to provide the required assurance.
Web Security
O.W.A.S.P.: The Open Web Application Security Project, an open-source application security project. O.W.A.S.P. produces guidelines, testing frameworks, and tools for use in web security.
SQL Injection: Attackers exploit applications that allow user input to alter the back-end/server query, or to execute harmful code, by including special characters inside the SQL sent to the database; this can result in deleting database tables and so forth.
SQL Injection prevention: Validate and sanitize the parameters and inputs.
Cross-Site Scripting (XSS): Attacks carried out by injecting unvalidated scripts into web pages.
Cross-Site Request Forgery (CSRF): Attackers use POST/GET requests to HTTP web pages with HTML forms to carry out malicious actions with a user's account.
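An added example (not from the original article) of the SQL injection case and its prevention described above: the same lookup written with string concatenation and with a bound parameter, plus an allow-list validator, run against a constructed in-memory SQLite table.

```python
import re
import sqlite3

def build_db():
    # Constructed sample user store for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, username):
    # The injection case the page describes: user input is concatenated into the
    # SQL text, so a quote character in the input changes the query's meaning.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_parameterized(conn, username):
    # Hardened form: the value is bound as a parameter and never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]

def valid_username(username):
    # Input validation (the page's stated prevention): allow-list of safe characters.
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None

def demo():
    conn = build_db()
    tainted = "x' OR '1'='1"  # constructed input containing a quote character
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, tainted)),      # every row leaks
        "parameterized": lookup_parameterized(conn, tainted),        # no such user
        "legit": lookup_parameterized(conn, "bob"),
        "tainted_passes_validation": valid_username(tainted),
    }

if __name__ == "__main__":
    print(demo())
```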
Cryptography
Non-repudiation – you cannot deny that a message came from you once you have digitally signed it.
Private key encryption (symmetric): uses the same key for both encryption and decryption (faster), e.g., D.E.S., or a WinZip file with a password.
Public key encryption (asymmetric, slower), e.g., R.S.A.: uses two keys, where what one key encrypts only the other can decrypt. The public key encrypts data for the key owner to decrypt; the private key encrypts (signs) a digest that anyone with the public key can decrypt (verify).
Cryptography Goals (P.A.I.N.)
- P – Privacy
- A – Authentication
- I – Integrity
- N - Non-Repudiation
Use of Cryptography
- Non-repudiation
- Concealment
- Reliability
- Proof of origin
- Protect data at rest
- Protect data in transit
Mobile Security
- Inner locks (voice, face recognition, pattern, pin, and password)
- Remote wiping
- Device Encryption
- Remote lockout
- Application installation control
- Asset tracking (IMEI number)
- Mobile Device Management
- Removable storage (SD CARD, Micro SD, etc.)
Domain 4: Communication and Network Security
OSI Model: seven layers (each layer exchanges data only with the layers adjacent to it)
- Application
- Presentation
- Session
- Transport
- Network
- Datalink
- Physical
TCP/IP Model
| Layer | Function | Example protocols |
| --- | --- | --- |
| Network access | Used for data transfer | Token Ring, Frame Relay, FDDI, Ethernet, X.25 |
| Internet | Creates small data units called datagrams | IP, RARP, ARP, IGMP, ICMP |
| Transport | Integrity and flow control | TCP, UDP |
| Application | Converts data into a readable format | Telnet, SSH, DNS, HTTP, FTP, SNMP, DHCP |
Types of Digital Subscriber Lines (DSL)
| Type | Characteristics |
| --- | --- |
| Asymmetric Digital Subscriber Line (ADSL) | Higher download speed than upload. Range of max 5500 meters over telephone lines. Maximum 8 Mbps download, 800 Kbps upload. |
| Rate Adaptive DSL (RADSL) | Upload speed tuned to the quality of the transmission line. Maximum 7 Mbps download, 1 Mbps upload over 5500 meters. |
| Symmetric Digital Subscriber Line (SDSL) | Identical rate for upstream and downstream transmission. Distance of 6700 meters via copper telephone cables. Maximum 2.3 Mbps download, 2.3 Mbps upload. |
| Very-high-bit-rate DSL (VDSL) | Higher speeds than standard ADSL. Maximum 52 Mbps download, 16 Mbps upload up to 1200 meters. |
| High-bit-rate DSL (HDSL) | T1 speed over two copper cables for 3650 meters. |
| Committed Information Rate (CIR) | Minimum guaranteed bandwidth provided by the service provider. |
LAN Packet Transmission
| Term | Description |
| --- | --- |
| Unicast | Single source transmission to a single destination |
| Multicast | Single source transmission to multiple destinations |
| Broadcast | Single source transmission to all destinations |
| Carrier-sense Multiple Access (CSMA) | A system retransmits frames until the destination workstation receives them |
| CSMA with Collision Detection (CSMA/CD) | Stops the transmission when a collision is detected. Used by Ethernet |
| CSMA with Collision Avoidance (CSMA/CA) | On finding the medium busy, pauses and retransmits after a random interval to minimize two nodes resending simultaneously |
| Polling | The sender transmits only when the polling system reports the destination free |
| Token-passing | The sender can transmit only when it holds the token, which represents permission to send |
| Broadcast Domain | Set of devices that receive each other's broadcasts |
| Collision Domain | Set of devices whose simultaneous transmissions can collide |
Domain 5: Identity and Access Management
Three Authentication Factors
Knowledge factor: Something known by the user.
Ownership factor: Something the user has, such as a token or a key.
Characteristic factor: A distinctive user attribute, such as fingerprints, a face scan, a signature, or other biometrics.
Knowledge factor – Something you know
| Term | Description |
| --- | --- |
| Salted hash | Random data added to a password before it is hashed and stored in a database on a server. Used instead of plaintext storage so the password can be verified without being revealed |
| Complex password | Alphanumeric, over ten characters. Includes a mix of upper and lower case letters, numbers and symbols |
| One-time password (OTP) | Dynamically generated for use in a single transaction or session |
| Static password | Password that does not change |
| Password hacking | Unauthorized access to a password |
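An added example (not from the original article) of the salted hash and complex password rows above: a password record that stores only a random salt and a PBKDF2 hash, verification that never needs the plaintext, and a checker for the page's complexity rule. The iteration count is an assumed value.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune it for the server hardware

def hash_password(password, salt=None):
    # A fresh random salt per user means identical passwords produce different
    # stored values, so precomputed tables cannot be reused across accounts.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()   # only salt and hash are stored

def verify_password(stored, candidate):
    # The server re-derives the hash from the stored salt and compares it in
    # constant time; the plaintext password is never stored or revealed.
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def is_complex(password):
    # The page's complexity rule: more than ten characters with a mix of
    # upper case, lower case, digits and symbols.
    return (len(password) > 10
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))

def demo():
    record_a = hash_password("Tr0ub4dor&3x")  # constructed sample password
    record_b = hash_password("Tr0ub4dor&3x")  # same password, second user
    return {
        "same_password_different_records": record_a != record_b,
        "verify_ok": verify_password(record_a, "Tr0ub4dor&3x"),
        "verify_wrong": verify_password(record_a, "Tr0ub4dor&3y"),
        "plaintext_absent": "Tr0ub4dor" not in record_a,
        "complex": is_complex("Tr0ub4dor&3x"),
    }

if __name__ == "__main__":
    print(demo())
```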
Ownership – Something in your possession
| Term | Description |
| --- | --- |
| Synchronous token | Generates a password at fixed time intervals |
| Asynchronous token | Generates a password based on a technique called challenge-response |
| Memory card | A swipe card containing user data |
| Smart card or Integrated Circuit Card (ICC) | A dongle or card including a memory chip, like ATM/credit cards |
| Contactless or proximity card | Read when in proximity to the reader device |
| Challenge/response token | A challenge (equation or puzzle) that the user must solve and respond to |
Characteristic – Something you are or do
Biometric technology allows the user to be authenticated based on physiological characteristics or behavior.
- Physiological, i.e., Iris, retina, and fingerprints.
- Behavioral, i.e., Voice pattern
Terminology
- Access: The ability to transfer information between subjects and objects.
- Control: Security measures put in place to restrict or allow access to systems.
- Subject: An active entity that requests access to one or more objects.
- Object: A passive entity that contains data.
Authorization Concepts
Security domain: Set of assets sharing the same security policy.
Federated Identity: An association of organizations that share a common set of policies and standards so that identities can be trusted across them.
Access Control Models
Implicit Deny: By default, access to an object is denied unless explicitly allowed.
Access Control Matrix: Table that includes subjects, objects, and access controls/privileges.
Capability Tables: List the access controls and privileges assigned to a subject.
- A.C.L.s focus on objects, whereas capability tables focus on subjects.
Permissions: Access granted to an object.
Privileges: Combination of rights and permissions.
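An added example (not from the original article) of the access control matrix, ACL and capability-table terms above: one constructed matrix, the object-centred ACL view and subject-centred capability view derived from it, and an implicit-deny check.

```python
# Constructed access control matrix: subject -> object -> set of access rights.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "reports/": {"read"}},
    "bob":   {"reports/": {"read", "write"}},
    "carol": {},
}

def acl_for(obj):
    # ACL view: one column of the matrix, centred on the object, listing which
    # subjects hold which rights on it.
    return {subject: sorted(rights[obj])
            for subject, rights in MATRIX.items() if obj in rights}

def capabilities_for(subject):
    # Capability-table view: one row of the matrix, centred on the subject,
    # listing everything that subject may do.
    return {obj: sorted(rights) for obj, rights in MATRIX.get(subject, {}).items()}

def is_allowed(subject, obj, right):
    # Implicit deny: a subject, object or right missing from the matrix is refused
    # rather than raising an error or defaulting to allow.
    return right in MATRIX.get(subject, {}).get(obj, set())

if __name__ == "__main__":
    print(acl_for("reports/"))
    print(capabilities_for("alice"))
    print(is_allowed("carol", "payroll.db", "read"))
```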
Domain 6: Security Assessment and Testing
Assessment and Test strategies
Pen Test
- War dialing
- Sniffing: monitoring the network traffic
- Eavesdropping: secret listening
- Dumpster diving: searching through discarded documents, etc.
- Social engineering: Human being manipulation
Security process data
Employment practices and policies: termination procedures and background checks
Roles and responsibilities: management sets the standard and articulates the policy
Security awareness training: inhibits social engineering
Control Models – M.A.C.
- Mandatory set of rules
- Access control based on rules
- Data owners have less freedom
- Access is granted based on rules or security labels
- Every resource has a label; every user has a clearance
- Represents the concept of need to know
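An added example (not from the original article) of a lattice-based mandatory access control decision: every resource carries a label and every user a clearance, built from the government classification levels listed under Domain 2 plus need-to-know compartments. The read and write rules used here are the Bell-LaPadula "no read up" and "no write down" properties, which the page itself does not name.

```python
# Classification levels as a total order, using the levels the page lists.
LEVELS = {"Unclassified": 0, "SBU": 1, "Confidential": 2, "Secret": 3, "Top Secret": 4}

class Label:
    """A security label or clearance: a level plus a set of need-to-know compartments."""

    def __init__(self, level, compartments=()):
        self.name = level
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        # The lattice partial order: at least as high a level AND a superset of the
        # compartments. Two labels may be incomparable (neither dominates the other).
        return self.level >= other.level and self.compartments >= other.compartments

def join(a, b):
    # Least upper bound in the lattice: the lowest label that dominates both inputs.
    name = a.name if a.level >= b.level else b.name
    return Label(name, a.compartments | b.compartments)

def can_read(clearance, label):
    # "No read up": the subject's clearance must dominate the object's label, which
    # enforces both the classification level and the need-to-know compartments.
    return clearance.dominates(label)

def can_write(clearance, label):
    # "No write down": the object's label must dominate the subject's clearance, so a
    # cleared user cannot copy data into a lower-labelled resource.
    return label.dominates(clearance)

if __name__ == "__main__":
    analyst = Label("Secret", {"crypto"})
    print(can_read(analyst, Label("Secret")))            # True
    print(can_read(analyst, Label("Secret", {"sigint"})))  # False: no need to know
    print(can_write(analyst, Label("Unclassified")))     # False: write down
```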
Control Models – D.A.C.
- Identity-based access control
- Access levels specified by the owner
- Used by UNIX and Windows operating systems
- Most commonly used access control
Control Types
Centralized
- All objects are controlled at a central point
- Strict access controls
- Ease of administration
Types:
- RADIUS: Serves dial-in users. Incorporates dynamic passwords and an authentication server
- T.A.C.A.C.S.: Static passwords
- TACACS+: Supports token authentication
Decentralized
- Remote authentication
- The decision is made nearer to the objects
- More administrative overhead
- Different user rights across the network
Hybrid model
A combination of centralized and decentralized
Single Sign-on – Kerberos
Symmetric key cryptography
Components
- KDC (Key Distribution Center): holds the cryptographic keys
- Tickets
- TGS (Ticket Granting Service)
Process
- Subject requests access to an object
- The request goes through the KDC
- KDC generates a ticket for both subject and the object
- Subject validates the ticket
- Subject sends the ticket to object
- Object validates the ticket
- Object grants access to the subject
Domain 7: Security Operations
Crime investigation – Evidence
Problems
- Intangible information
- Investigation interferes with business operations
- Difficulty gathering evidence
- Experts are needed
Gathering, controlling, and preserving
- Computer evidence can easily be modified
- Chain of evidence
Crime investigation – Life Cycle
- Discovery and recognition
- Protection
- Recording
- Collection
- Identification – tagging
- Preservation – store in a proper environment
- Transportation
- Presentation in court
- Return to evidence owner
Crime investigation – Admissibility
- Evidence must meet strict requirements
- Must be relevant – related to the crime
- Legally permissible
- Identified without changing evidence
- Preservation
Incident Management
Incident management is the set of activities an organization carries out to identify, analyze, and correct hazards so that they do not recur. Incidents within an organization are normally dealt with by an I.R.T. or I.M.T.
D.R.P. – Data Processing Continuity
- Providing backup systems
- Mutual aid agreements
Hot site
- Configured with HVAC
- Servers loaded with apps
- Allows staff to walk in and resume operations
- Short recovery time
- High cost
Business Continuity Planning
- BCPs are shaped to prevent disruptions to normal business
- Protect critical business processes from disasters
- Strategy to allow the recommencement of business activity
- Examine critical information areas
- LAN/WAN
- Telecommunications
- Apps and Data
- Disruptive events
- Staff duties
- Man-made events, e.g., strikes
- Top priority is to preserve life
Domain 8: Software Development Security
Software Development Lifecycle (SDLC): Understand and implement security protocols throughout the software development lifecycle (SDLC).
Development Methodologies
Build and fix
- No architecture design
- Problems fixed as soon as they occur
- No formal feedback cycle
- Reactive, not proactive
Waterfall
- Linear and sequential lifecycle
- Each phase is completed before moving to the next
- No formal method to make changes during a cycle
V-shaped
- Based on the waterfall model
- Each cycle is completed before moving on
- Verification and validation after each phase
- No risk analysis phase
Prototyping
- Rapid prototyping
- Evolutionary prototyping
- Operational prototypes
Incremental
- Multiple cycles
- Restart at any time
- Easy to introduce new requirements
- Delivers incremental updates
Spiral
- Iterative
- Risk analysis during development
- Risk analysis incorporates information and requirements as they emerge
- Testing early in development
Rapid Application Development (R.A.D.)
- Fast prototyping
- Designed for rapid development
- Designs are quickly demonstrated
- Testing and requirements are revisited
Agile
- Multiple methods
- Emphasizes efficiency
- User stories describe the required user behaviors
- Prototypes are refined down to discrete features
Programming Language Types
- Machine Languages
- Assembly Language
- High-Level Language
Database Architecture and Models
- Relational Model
- Hierarchical Model
- Network Model
- Object-Oriented Model
- Object-Relational Model
Data Warehousing and Data Mining
- Data Warehousing: Collect data from different sources.
- Data Mining: Analyzing and organizing the collected data so that business decisions can be made based on its content.