CISSP-Notes

CISSP Notes for ISC2 Exam

The eight CISSP domains:

  • Domain 1. Security and Risk Management
  • Domain 2. Asset Security
  • Domain 3. Security Architecture and Engineering
  • Domain 4. Communication and Network Security
  • Domain 5. Identity and Access Management (IAM)
  • Domain 6. Security Assessment and Testing
  • Domain 7. Security Operations
  • Domain 8. Software Development Security

Exam format:

  • Length of exam: 3 hours
  • Number of items: 100 - 150
  • Item format: Multiple choice and advanced innovative items
  • Passing grade: 700 out of 1000 points

Domain weighting:

  • Domain 1: Security and Risk Management - 16%
  • Domain 2: Asset Security - 10%
  • Domain 3: Security Architecture and Engineering - 13%
  • Domain 4: Communication and Network Security - 13%
  • Domain 5: Identity and Access Management (IAM) - 13%
  • Domain 6: Security Assessment and Testing - 12%
  • Domain 7: Security Operations - 13%
  • Domain 8: Software Development Security - 10%


CISSP is not technical; it is about how to think like a security leader.

CISSP is designed to test the ability to make smart, risk-based security decisions at a leadership level. It's about big-picture security strategy, and about ensuring security aligns with business goals and objectives. It's about risk management: weighing threats, vulnerabilities, and impact to make the best decision.

Need to think of strategic solutions, not technical fixes.

Understanding and applying sound judgement is key to the exam.

CISSP is about strategic, risk based decision making, not just technology.

There's only one right answer.

CISSP tests your ability to apply technical knowledge in a business and risk-based context.

You're not being asked how to configure a firewall, but how to use a firewall as part of a larger security strategy.

Both technical knowledge and leadership-level decision-making are needed to pass the CISSP exam.

Technical vs. Strategic Thinking

  • IT and Cybersecurity professionals instinctively think in technical solutions
  • CISSP requires a shift to strategic decision making
  • Strategy includes business impact, risk assessment, and compliance

Common Misconceptions

  • CISSP is not about thinking like a CIO who prioritizes cost over security
  • A CISSP balances risk, business needs, and security best practices

Mindset Shift for CISSP Success

  • Stop thinking tactically and start thinking strategically
  • Tactical thinking focuses on immediate fixes
  • Strategic thinking evaluates long-term impact on risk, business, and compliance

***Tactical thinking involves solving immediate security issues, such as fixing a vulnerability or updating a firewall rule. Strategic thinking, on the other hand, evaluates the broader impact on business operations, risk management, and governance, which is essential for making the right CISSP exam decisions.

***Unlike technical exams that focus on hands-on configurations, the CISSP exam tests strategic decision-making skills. It requires candidates to evaluate risk, business impact, and compliance, ensuring that security strategies align with organizational goals rather than focusing solely on technical execution.

ISC2 is testing the candidate's ability to make strategic decisions like a security leader.

CISSP questions are not just testing knowledge; they're testing how candidates think

Annualized Loss Expectancy (ALE) is the expected monetary loss per year due to a specific threat or risk. ALE is a monetary value***

SOC 1 Type 1 - (System and Organization Controls) a report that an organization requests if it requires an assessment of the financial reporting controls implemented within the organization at a specific point in time.

Data Custodian Security Role - responsible for implementing data protection tasks.

5 steps in the data classification process:

  • identify the owners
  • define data of interest
  • use metadata to focus and accelerate
  • report and remediate
  • rescan the data

TLS protects data confidentiality and integrity. Intended for protecting data in transit.

Puppet is the configuration management tool that accepts inbound requests from agents by using HTTPS on TCP port 8140. "Widely used"

Deadlocking - when two database processes are denied access to a record at the same time.

Seven types of security controls: directive, deterrent, preventive, compensating, detective, corrective, and recovery.

Detective security controls are used to monitor or send alerts about malicious activity.

A false positive occurs when an assessment identifies a business requirement as a vulnerability.

Mandatory Access Control model uses clearance levels to determine access to resources. It assigns security labels to both users and resources, and access is granted only if the user's clearance level is equal to or higher than the resource's security label.
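The clearance-versus-label comparison described above, written out as a small decision function. This is an added example, not part of the notes; the level names, subjects and resources are constructed for illustration, and an unknown level on either side is treated as a denial (the implicit deny default the notes describe later).

```python
from dataclasses import dataclass
from typing import Dict, List

# Ordered sensitivity levels, lowest to highest (constructed ordering for the example).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str  # security label assigned to the user


@dataclass(frozen=True)
class Resource:
    name: str
    label: str  # security label assigned to the resource


def can_read(subject: Subject, resource: Resource) -> bool:
    """Grant read only if the subject's clearance is equal to or higher than
    the resource's label. Labels outside the known lattice are denied."""
    if subject.clearance not in RANK or resource.label not in RANK:
        return False
    return RANK[subject.clearance] >= RANK[resource.label]


def access_decisions(subject: Subject, resources: List[Resource]) -> Dict[str, bool]:
    """Evaluate one subject against several resources; useful for an audit view."""
    return {r.name: can_read(subject, r) for r in resources}


if __name__ == "__main__":
    alice = Subject("alice", "SECRET")
    docs = [
        Resource("budget-memo", "CONFIDENTIAL"),
        Resource("ops-plan", "TOP_SECRET"),
        Resource("legacy-file", "PUBLIC"),  # label not in the lattice -> denied
    ]
    for name, allowed in access_decisions(alice, docs).items():
        print(f"{alice.name} -> {name}: {'ALLOW' if allowed else 'DENY'}")
```

Note that the decision depends only on the two labels, never on who the user is or who owns the file; that is what makes the control mandatory rather than discretionary.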

Be on the lookout for subtle words in ISC2 questions, like: Best, Most, First.

Keyword based questions practice for test:

  • Identify the context keywords
  • Translate keyword into a question
  • re-evaluate all answers based on that translated question
  • the wording is a clue, not a trap

CISSP questions want strategic thinking, not technical answers

Always ask, "why might ISC2 see this answer as incomplete or wrong?"

Strategic thinking always fixes the root problem

CISSP is about leadership and strategy, not just technical solutions

Every answer must be evaluated based on risk, governance, and business impact: what aligns best with strategic leadership thinking.

CISSP questions are not just testing knowledge; they're testing how candidates think.

Common question traps:

  • Trap #1: answers that all seem correct
  • Trap #2: subtle wording changes

Core access control principles: Least Privilege - only grant users and systems the minimum level of access necessary to perform their job functions. Reduces the risk of accidental or malicious misuse.

Need to Know - access is granted based on whether the user has a specific, valid reason to access the information. Focuses on data classification and role-specific access.

Separation of Duties - no single individual should have complete control over all aspects of a critical function.

Identification - Users must prove who they are before access is granted. Via usernames/passwords, account IDs, or digital certificates.

Authentication - verifies that a user's claimed identity is legitimate. I.E. passwords, biometrics, smart cards, MFA.

Authorization - determines what resources a user is allowed to access and what actions they can perform. Usually enforced via access control lists, role-based access control, or attribute-based access control.

Accountability/Auditing - every access event should be logged and traceable to an individual or system. Supports auditing, forensic analysis, and incident response.

Implied Trust/Implicit Deny - if access is not granted, assume denial by default.

Defense in Depth - use of layered access control mechanisms so that the failure of one layer doesn't compromise the system. Combines physical, logical, and administrative controls.

White-box testing provides every piece of available information to the pen tester. Also known as full-knowledge testing; customers sometimes are already aware of some vulnerabilities and are seeking ways to mitigate them.

Recommended steps with addressing Malware removal:

  1. Identify malware symptoms.
  2. Quarantine infected systems,
  3. Disable system restore.
  4. Remediate infected systems.
  5. Schedule scans and run updates.
  6. Enable system restore, and create a restore point.
  7. Educate end users.

Role Based Access Control (RBAC) is a data access control type that is least likely to control access by using explicit rights and permissions.

OIDC (OpenID Connect) relies on OpenID technologies for authentication. OpenID decentralizes authentication. It works by redirecting a user to an OpenID provider after prompting that user for an OpenID identity. Upon redirection, the OpenID provider and the relying party (RP) form a secure connection. The user is prompted for an OpenID password. If correct, the user is then authenticated on the third-party site.

Cross-Site Request Forgery (XSRF) - an attack that takes advantage of a software vulnerability and involves the redirection of static content within a trusted site.

Granting elevated privileges to a user account does not result in a loss of accountability. A loss of accountability occurs when you are unable to determine who performed an action.

A Layer 3 switch can route data from one VLAN to another.

Data custodian - a security role that is most likely to be responsible for implementing data protection tasks that are derived from the data classification process, including any data classification tasks that are delegated by the data owner. The data custodian implements data protection as defined by the policies, procedures, and requirements of management. The data custodian might also perform backups, monitor data integrity, and manage storage.

Exploitation phase of a penetration test is most likely to involve breaking into a network server or database. The exploitation phase is the fourth phase of the five-phase penetration test process.

The implicit deny rule on a firewall automatically blocks traffic that is not specifically granted access. The purpose of a firewall is to control the flow of network traffic by preventing unwanted traffic from entering or exiting a network.
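To show what "implicit deny" means in practice, here is an added example (not from the notes) of a first-match rule evaluator. The rule set and packets are constructed for illustration; any packet that matches no rule falls through to a deny that is never written in the rule set itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: str
    dst_port: int


# Constructed rule set: only HTTPS and SSH from the internal range are allowed,
# and Telnet is explicitly denied from everywhere. Everything else is unspecified.
RULES: List[Rule] = [
    Rule("allow", "10.0.0.0/8", "tcp", 443),
    Rule("allow", "10.0.0.0/8", "tcp", 22),
    Rule("deny", "0.0.0.0/0", "tcp", 23),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet satisfies every field of the rule."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src)


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule). Rules are checked top to bottom
    and the first match wins; with no match the result is ('deny', None), the
    implicit deny that needs no rule of its own."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


if __name__ == "__main__":
    samples = [
        Packet("10.1.2.3", "tcp", 443),       # explicit allow
        Packet("10.1.2.3", "tcp", 3389),      # no rule -> implicit deny
        Packet("198.51.100.7", "tcp", 443),   # wrong source -> implicit deny
        Packet("10.1.2.3", "tcp", 23),        # explicit deny
    ]
    for p in samples:
        action, idx = evaluate(p)
        why = f"rule {idx}" if idx is not None else "implicit deny"
        print(f"{p.src_ip} {p.proto}/{p.dst_port}: {action.upper()} ({why})")
```

Because the default is deny, forgetting to write an allow rule fails closed; the same evaluator with a default of allow would fail open, which is the failure mode the implicit deny principle exists to prevent.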

Incident Response and Management Steps:

  1. Detection - involves the discovery of a security incident by using log reviews, detective security controls, or automated analysis of network traffic.

  2. Response - the process of activating the incident response team.

  3. Mitigation - the process of containing the incident and preventing further damage.

  4. Reporting - the process of documenting the security incident so that management and law enforcement can be fully informed.

  5. Recovery - the process of returning the system to the production environment. Recovered systems should be carefully monitored to ensure that no traces of the agent that caused the security breach remain on the system.

  6. Remediation - the process of understanding the cause of the security breach and preventing the breach from occurring again. This phase is valuable because it can identify flaws in a security system or process as well as ways of preventing similar security incidents.

  7. Lessons Learned - the process of reviewing the incident to determine whether any improvements in response can be made.

MPLS VPNs, support access control, Quality of Service, and traffic engineering.

Enforcing the least privilege principle is the best way to mitigate pass-the-hash attacks.

Three typical methods of authentication for gaining access to a secure environment: something you know, something you have, and something you are.

  1. Something you Know - passwords, PINs, answers to security questions
  2. Something you Have - smart cards, security tokens, key fobs, mobile authenticator apps
  3. Something you Are - fingerprint, facial recognition, iris scan
