An introduction to the CISSP certification for self-study groups

Tomas Ericsson, CISSP-ISSAP

Solutions Architect
Mobile: +46 (0) 70 530 45 32
E-mail: tomas.ericsson@vemendo.se
Twitter: @tomas_ericsson
vemendo
founded 1997
with a special eye for the customer's business
Agenda
• Why become a CISSP?
• About (ISC)²
• The Credentialing Process
• The 10 CBK Domains
• Study Resources
• Tips on the way
• Questions and answers
Why become a CISSP?
• The world changes, with growing needs for security
• Prove that you meet a predefined standard of knowledge and experience
• Broaden your knowledge of security concepts and practices
• Become more marketable in a competitive workforce
• Show your dedication to the security discipline
About (ISC)²
International Information Systems Security Certification Consortium
• A global not-for-profit organization
• Formed in 1989 – first public certification available in 1995
• Sole purposes – certification and education in information security
• First information security credential accredited by ANSI under ISO/IEC Standard 17024
• Certified thousands of information security practitioners in over twenty-seven countries
(ISC)² Certifications
• CISSP
  • Certified Information Systems Security Professional
• CISSP Concentrations
  • Information Systems Security Architecture Professional (ISSAP)
  • Information Systems Security Engineering Professional (ISSEP)
  • Information Systems Security Management Professional (ISSMP)
• CSSLP
  • Certified Secure Software Lifecycle Professional
• SSCP
  • Systems Security Certified Practitioner
• CAP
  • Certified Authorization Professional

Number of certified professionals as of July 2011*
CISSP
• In Sweden: 350
• World-Wide: 75 000
CISSP-ISSAP
• In Sweden: 4
• World-Wide: 998
CISSP-ISSEP
• In Sweden: 0
• World-Wide: 726
CISSP-ISSMP
• In Sweden: 4
• World-Wide: 720

*Source: (ISC)² web site member resources.

(ISC)² Credentialing Process
• Required Experience
  • Minimum of five years of full-time working experience in any combination of two of the CBK domains. Four years if holding a bachelor's or master's degree, or another approved certificate.
• Application
  • Validating your education and/or experience
• CISSP Examination
  • Passing the exam
• Code of Ethics
  • Committing to the principles and guidelines set forth by (ISC)²
• Endorsement Process
  • Attesting to your eligibility requirements

Code of Ethics
• The safety of the commonwealth requires that we adhere to the highest ethical standards of behavior
• Therefore, strict adherence to this code is a condition of certification
• Certificate holders will:
  • Protect society, the commonwealth, and the infrastructure
  • Act honorably, honestly, justly, responsibly and legally
  • Provide diligent and competent service to principals
  • Advance and protect the profession
The Exam
• "An inch deep and a mile wide"
• 250 multiple choice questions
  • 25 for research purposes
  • Some are scenario-based
• Up to 6 hours to complete; a minimum score of 70% (700 out of 1000 points) is required to pass
• Information security concepts
• Vendor and product independent
• Measures habitual knowledge, not skill
• Standard English dictionaries are OK to use

The long wait…
• Finally you receive a mail telling you that you have passed the exam (you will not be told the score). Congratulations!
• If you fail the exam you will receive a mail with your score. The domains are listed ranked from weakest to strongest.
• A small sample group of candidates will be audited after passing the exam.

The Endorsement Process
• Next step after passing the exam
• Another CISSP (in good standing) verifies that you have the experience you claim to have
• After approval from the (ISC)² board of directors you will receive your certificate.

Maintaining your CISSP certificate in good standing
• The CISSP certification is valid for three years
• Remain in good standing by:
  • Being compliant with the (ISC)² Code of Ethics
  • Earning 120 Continuing Professional Education credits (CPEs) during the three-year period
  • Paying Annual Maintenance Fees (AMFs)
• This will qualify you for an exam-free recertification
How you earn CPE credits
• Attending educational courses or seminars
• Attending security conferences
• Being a member of an association chapter and attending meetings
• Serving on the board of a professional security organization
• Volunteering for government, public sector and other charitable organizations, including (ISC)² volunteer committees
1 CPE = approx. 1 hour
How you earn CPE credits (cont.)
• Completing higher academic courses
• Providing security training
• Publishing security articles or books
• Participating in self-study courses, computer-based training or webcasts
• Reading an information security book or subscribing to an information security magazine
Two types of CPE credits
• Group A
  • Access Control
  • Application Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security and Risk Management
  • Legal, Regulations, Compliance and Investigations
  • Operations Security Team
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security
• Group B
  • Organizational Behavior
  • Strategic Planning
  • Programming Languages & Techniques
  • Tools and Techniques
  • Interpersonal Communications Skills
  • Interviewing Techniques
  • Development Skills
  • Project Management Skills
In a three-year period you need a minimum of 120 credits, of which at least 80 need to be Group A credits.
CBK – Common Body of Knowledge
• A collection of topics relevant to information security professionals around the world
• Establishes a common framework of information security terms and principles
• Review Committee consisting of leading information security specialists, educators and practitioners
• Focuses on confidentiality, integrity and availability (CIA), and attempts to balance the three across ten areas of interest called CBK domains
The 10 CISSP CBK Domains
• Access Control
• Application Development Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security Governance and Risk Management
• Legal, Regulations, Investigations and Compliance
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security
CBK Domain #1
Access Control

• Authentication methods, models, and technologies
• Access Control Models
  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)
  • Non-discretionary Access Control
• Identity Management Solutions
  • Directories
  • Web Access Management
  • Password Management
  • SSO
CBK Domain #1 (cont.)
Access Control

• Intrusion detection systems
  • Network vs. host-based
  • Behavior vs. signature-based
• Threats to access control practices and technologies
  • Race condition
  • Brute force
  • Dictionary
  • Social
  • Rainbow tables
• Accountability, monitoring, and auditing practices
CBK Domain #1
Access Control

• Which access control method is user-directed?
  A. Non-discretionary
  B. Mandatory
  C. Identity-based
  D. Discretionary
• Which item is not part of a Kerberos authentication implementation?
  A. Message Authentication Code
  B. Ticket granting service
  C. Authentication service
  D. Users, programs, and services
CBK Domain #2
Application Development Security

• Various types of software controls and implementation
• Database concepts and security issues
  • Database views
  • Aggregation
  • Inference
• Software life-cycle development processes
CBK Domain #2 (cont.)
Application Development Security

• Web Security
  • Threats
  • Safeguards
• Malicious Software
  • Viruses
  • Worms
  • Trojan horses
  • Logic bombs
CBK Domain #2
Application Development Security

• Which of the following replicates itself by attaching to other programs?
  A. A worm
  B. A virus
  C. A Trojan horse
  D. Malware
• Database views provide what type of security control?
  A. Detective
  B. Corrective
  C. Preventive
  D. Administrative
CBK Domain #3
Business Continuity and Disaster Recovery Planning

• Project initiation steps
  • Business Impact Analysis (BIA)
  • Recovery strategy
  • Recovery plan
  • Implementing, testing and maintaining the plan
• Recovery and continuity planning requirements
• Backup alternatives
  • Full backup
  • Incremental
  • Differential
CBK Domain #3 (cont.)
Business Continuity and Disaster Recovery Planning

• Backup and offsite facilities
  • Hot
  • Warm
  • Cold
  • Reciprocal agreements
• Offsite backups
  • Remote journaling
  • Electronic vaulting
• Types of drills and tests
  • Walk-through
  • Checklist
  • Simulation
  • Full interruption
CBK Domain #3
Business Continuity and Disaster Recovery Planning

• What is one of the first steps in developing a business continuity plan?
  A. Identify backup solution
  B. Decide whether the company needs to perform a walk-through, parallel, or simulation test
  C. Perform a business impact analysis
  D. Develop a business resumption plan
• Which best describes a hot-site facility versus a warm- or cold-site facility?
  A. A site that has disk drives, controllers, and tape drives
  B. A site that has all necessary PCs, servers, and telecommunications
  C. A site that has wiring, central air, and raised flooring
  D. A mobile site that can be brought to the company's parking lot
CBK Domain #4
Cryptography

• History of cryptography
• Cryptography components and their relationships
• Government involvement in cryptography
• Symmetric and asymmetric key algorithms
• Public key infrastructure (PKI) concepts and mechanisms
  • Digital signatures
  • Certificates
  • Certificate Authority (CA)
  • Registration Authority (RA)
CBK Domain #4 (cont.)
Cryptography

• Hashing algorithms and uses
  • MD2, MD4, MD5
  • SHA-1, SHA-2
• Types of attacks on cryptosystems
  • Cipher attack
  • Cryptanalysis
  • Known-plaintext
  • Replay
  • …and more
CBK Domain #4
Cryptography

• How many bits make up the effective length of the DES key?
  A. 56
  B. 64
  C. 32
  D. 16
• If different keys generate the same cipher text for the same message, what is this called?
  A. Collision
  B. Secure hashing
  C. MAC
  D. Key clustering
CBK Domain #5
Information Security Governance and Risk Management

• Security management responsibilities
• Difference between administrative, technical, and physical controls
• Three main security principles
  • Confidentiality
  • Availability
  • Integrity
• Risk management and risk analysis
CBK Domain #5 (cont.)
Information Security Governance and Risk Management

• Information Security Standards
  • ISO 17799
  • ISO 27001
• Security policies
• Information classification
• Security awareness training
CBK Domain #5
Information Security Governance and Risk Management

• What are security policies?
  A. Step-by-step directions on how to accomplish security tasks
  B. General guidelines used to accomplish a specific security level
  C. Broad, high-level statements from the management
  D. Detailed documents explaining how security incidents should be handled
• Which is the most valuable technique when determining if a specific security control should be implemented?
  A. Risk analysis
  B. Cost/benefit analysis
  C. ALE results
  D. Identifying the vulnerabilities and threats causing the risk
CBK Domain #6
Legal, Regulations, Investigations and Compliance

• Computer crimes and computer laws
  • Criminal law
  • Civil law
  • Intellectual property laws
  • Computer crime laws
  • Privacy laws (EU)
• Regulations
  • SOX
  • HIPAA
  • GLBA
  • BASEL II
  • PCI DSS
• Motives and profiles of attackers
CBK Domain #6 (cont.)
Legal, Regulations, Investigations and Compliance

• Computer crime investigation process and evidence collection
  • Best evidence
  • Secondary evidence
  • Circumstantial evidence
  • Hearsay evidence
• Incident-handling procedures
• Ethics pertaining to information security professionals and best practices (Code of Ethics)
CBK Domain #6
Legal, Regulations, Investigations and Compliance

• Which of the following would be a violation of the (ISC)² code of ethics, and could cause the candidate to lose his or her certification?
  A. E-mailing information or comments about the exam to other CISSP candidates
  B. Submitting comments on the questions of the exam to (ISC)²
  C. Submitting comments to the board of directors regarding the test and content of the class
  D. Conducting a presentation about the CISSP certification and what the certification means
• Protecting evidence and providing accountability for who handled it at different steps during the investigation is referred to as what?
  A. The rule of best evidence
  B. Hearsay
  C. Evidence safety
  D. Chain of custody
CBK Domain #7
Operations Security

• Administrative management responsibilities
  • Organisational roles
  • Separation of duties
  • Least privilege
• Operations department responsibilities
  • Configuration management
  • Trusted recovery states
CBK Domain #7 (cont.)
Operations Security

• Redundancy and fault-tolerant systems
  • RAID
• Threats to operations security
  • DoS
  • Man-in-the-middle
  • Mail bombing
  • War dialing
  • Fake login screens
  • Teardrop
  • Traffic analysis
CBK Domain #7
Operations Security

• Which of the following best describes operations security?
  A. Continual vigilance about hacker activity and possible vulnerabilities
  B. Enforcing access control and physical security
  C. Taking steps to make sure an environment, and the things within it, stay at a certain level of protection
  D. Doing strategy planning to develop a secure environment and then implementing it properly
• If sensitive data are stored on a CD-ROM and are no longer needed, which would be the proper way of disposing of the data?
  A. Degaussing
  B. Erasing
  C. Purging
  D. Physical destruction
CBK Domain #8
Physical (Environmental) Security

• Administrative, technical, and physical controls
• Facility location, construction, and management
• Physical security risks, threats, and countermeasures
  • Natural environmental
  • Supply system
  • Manmade
  • Politically motivated
CBK Domain #8 (cont.)
Physical (Environmental) Security

• Electric power issues and countermeasures
• Fire prevention, detection and suppression
• Fire suppression
• Intrusion detection systems
CBK Domain #8
Physical (Environmental) Security

• When should a Class C fire extinguisher be used instead of a Class A fire extinguisher?
  A. When electrical equipment is on fire
  B. When wood and paper are on fire
  C. When a combustible liquid is on fire
  D. When the fire is in an open area
• Which of the following answers contains a category of controls that does not belong in a physical security program?
  A. Deterrence and delaying
  B. Response and detection
  C. Assessment and detection
  D. Delaying and lighting
CBK Domain #9
Security Architecture and Design

• Computer hardware and operating systems architecture
• Trusted computing base and security mechanisms
  • Hardware
  • Software
  • Firmware
• Protection mechanisms within an operating system
  • Security perimeter
  • Reference monitor
  • Security kernel
CBK Domain #9 (cont.)
Security Architecture and Design

• Security models
  • Bell-LaPadula (confidentiality)
  • Biba (integrity)
  • Clark-Wilson (integrity)
• Systems evaluation methods
  • Orange Book (TCSEC / Rainbow Series)
  • Common Criteria
CBK Domain #9
Security Architecture and Design

• What is the best description of a security kernel from a security point of view?
  A. Reference monitor
  B. Resource manager
  C. Memory mapper
  D. Security perimeter
• The trusted computing base (TCB) controls which of the following?
  A. All trusted processes and software components
  B. All trusted security policies and implementation mechanisms
  C. All trusted software and design mechanisms
  D. All trusted software and hardware components
CBK Domain #10
Telecommunications and Network Security

• The OSI model
• TCP/IP and many other protocols
• LAN, WAN, MAN, intranet, and extranet technologies
• Cable types and transmission types
• Communications security management
• Remote access methods and technologies
• Wireless technologies
CBK Domain #10
Telecommunications and Network Security

• At what layer does a bridge work?
  A. Session
  B. Network
  C. Transport
  D. Data link
• Which of the following proxies cannot make access decisions on protocol commands?
  A. Application
  B. Packet filtering
  C. Circuit
  D. Stateful
Study Resources
• All-in-one CISSP Exam Guide (Shon Harris)
  • Including CD-ROM
• Free resources on the Net
  • cccure.org
• Discussion forums and groups
  • LinkedIn
• And don't forget
  • Code of ethics found at the (ISC)² Web site
Tips on the way
• Start studying now!
  • You will probably need 2-3 months just to complete the All-in-one exam guide
  • Do test exams. Get to know your weakest domains, which will need your attention before taking the exam.
  • Use multiple study resources, e.g. books, eLearning and free test resources on the net.
• Make sure you have relevant professional experience
• Prepare for the endorsement process
Tips on the way (cont.)
• The exam
  • Be physically and mentally prepared for the 6 hours, and bring something to drink.
  • Read the exam questions carefully. My personal favorite is to start by excluding the two least likely answers and then choose the correct answer from the remaining two.
  • Watch the clock. With 250 questions and 6 hours maximum exam time you have an average of 90 seconds per question.
  • Be aware that the exam still contains questions that you might think have become outdated in the real world.
  • Take short breaks to stretch and relax.
Summary
• Why become a CISSP?
• About (ISC)²
• The Credentialing Process
• The 10 CBK Domains
• Study Resources
• Tips on the way
Questions?
Tomas Ericsson, CISSP-ISSAP

Solutions Architect
Mobile: +46 (0) 70 530 45 32
E-mail: tomas.ericsson@vemendo.se
Twitter: @tomas_ericsson
 
Webinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableWebinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableVISTA InfoSec
 

Similar a An introduction to the CISSP certification for self study groups (20)

CISSP with Net Security Training
CISSP with Net Security Training CISSP with Net Security Training
CISSP with Net Security Training
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurance
 
CISSP-WEB
CISSP-WEBCISSP-WEB
CISSP-WEB
 
Cissp training program
Cissp training program Cissp training program
Cissp training program
 
Certifications and Career Development for Security Professionals
Certifications and Career Development for Security ProfessionalsCertifications and Career Development for Security Professionals
Certifications and Career Development for Security Professionals
 
Alexander Knorr Transcript
Alexander Knorr TranscriptAlexander Knorr Transcript
Alexander Knorr Transcript
 
Reducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniquesReducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniques
 
Iso27001 Audit Services
Iso27001   Audit ServicesIso27001   Audit Services
Iso27001 Audit Services
 
How to Pass the CISSP Exam For the First Time
How to Pass the CISSP Exam For the First TimeHow to Pass the CISSP Exam For the First Time
How to Pass the CISSP Exam For the First Time
 
ISO 27001 Lead Auditor with Net Security Training
ISO 27001 Lead Auditor with Net Security Training ISO 27001 Lead Auditor with Net Security Training
ISO 27001 Lead Auditor with Net Security Training
 
CISSO Certification | CISSO Training | CISSO
CISSO Certification | CISSO Training | CISSOCISSO Certification | CISSO Training | CISSO
CISSO Certification | CISSO Training | CISSO
 
CISSP Online & Classroom Training & Certification Course - ievision.org
CISSP Online & Classroom Training & Certification Course - ievision.orgCISSP Online & Classroom Training & Certification Course - ievision.org
CISSP Online & Classroom Training & Certification Course - ievision.org
 
CISSO Certification| CISSO Training | CISSO
CISSO Certification|  CISSO Training | CISSOCISSO Certification|  CISSO Training | CISSO
CISSO Certification| CISSO Training | CISSO
 
Looking Forward: What to Expect With PCI 4.0
Looking Forward: What to Expect With PCI 4.0Looking Forward: What to Expect With PCI 4.0
Looking Forward: What to Expect With PCI 4.0
 
Information Assurance for Accountant 2007
Information Assurance for Accountant 2007Information Assurance for Accountant 2007
Information Assurance for Accountant 2007
 
Cissp Training |IEVISION
Cissp Training |IEVISION Cissp Training |IEVISION
Cissp Training |IEVISION
 
Cissp training and certification in mumbai
Cissp training and certification in mumbaiCissp training and certification in mumbai
Cissp training and certification in mumbai
 
Cissp Training |IEVISION
Cissp Training |IEVISION Cissp Training |IEVISION
Cissp Training |IEVISION
 
Cissp classroom program ievision
Cissp classroom program ievisionCissp classroom program ievision
Cissp classroom program ievision
 
Webinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableWebinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicable
 

Último

Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - Englishneillewis46
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17  How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17  How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesCeline George
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseAnaAcapella
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxVishalSingh1417
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 

Último (20)

Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17  How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17  How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 

An introduction to the CISSP certification for self study groups

1. An introduction to the CISSP certification for self-study groups
Tomas Ericsson, CISSP-ISSAP
Solutions Architect
Mobile: +46 (0) 70 530 45 32
E-mail: tomas.ericsson@vemendo.se
Twitter: @tomas_ericsson
vemendo, founded 1997, with a special eye for the customer's business

2. Agenda
• Why become a CISSP?
• About (ISC)²
• The Credentialing Process
• The 10 CBK Domains
• Study Resources
• Tips on the way
• Questions and answers

3. Why become a CISSP?
• The world changes, with growing needs for security
• Prove that you meet a predefined standard of knowledge and experience
• Broaden your knowledge of security concepts and practices
• Become more marketable in a competitive workforce
• Show your dedication to the security discipline

4. About (ISC)²
International Information Systems Security Certification Consortium
• A global not-for-profit organization
• Formed in 1989 – first public certification available in 1995
• Sole purposes – certification and education in information security
• First information security credential accredited by ANSI under ISO/IEC Standard 17024
• Certified thousands of information security practitioners in over twenty-seven countries

5. (ISC)² Certifications
• CISSP
  • Certified Information Systems Security Professional
• CISSP Concentrations
  • Information Systems Security Architecture Professional (ISSAP)
  • Information Systems Security Engineering Professional (ISSEP)
  • Information Systems Security Management Professional (ISSMP)
• CSSLP
  • Certified Secure Software Lifecycle Professional
• SSCP
  • Systems Security Certified Practitioner
• CAP
  • Certified Authorization Professional

6. Number of certified professionals as of July 2011*
• CISSP
  • In Sweden: 350
  • World-wide: 75 000
• CISSP-ISSAP
  • In Sweden: 4
  • World-wide: 998
• CISSP-ISSEP
  • In Sweden: 0
  • World-wide: 726
• CISSP-ISSMP
  • In Sweden: 4
  • World-wide: 720
*Source: (ISC)² web site, member resources.

7. (ISC)² Credentialing Process
• Required Experience
  • Minimum of five years of full-time working experience in any combination of two of the CBK domains. Four years if holding a bachelor's or master's degree, or another approved certificate.
• Application
  • Validating your education and/or experience
• CISSP Examination
  • Passing the exam
• Code of Ethics
  • Committing to the principles and guidelines set forth by (ISC)²
• Endorsement Process
  • Attesting to your eligibility requirements
8. Code of Ethics
• The safety of the commonwealth requires that we adhere to the highest ethical standards of behavior
• Therefore, strict adherence to this code is a condition of certification
• Certificate holders will:
  • Protect society, the commonwealth, and the infrastructure
  • Act honorably, honestly, justly, responsibly and legally
  • Provide diligent and competent service to principals
  • Advance and protect the profession

9. The Exam
• "An inch deep and a mile wide"
• 250 multiple choice questions
  • 25 for research purposes
  • Some scenario based
• Up to 6 hours to complete; a minimum score of 70% (700 out of 1000 points) is required to pass
• Information security concepts
  • Vendor and product independent
  • Measures habitual knowledge, not skill
• Standard English dictionaries are ok to use

10. The long wait…
• Finally you receive a mail telling you that you have passed the exam (you will not know the score). Congratulations!
• If you fail to pass the exam you will receive a mail with your score. Domains are listed, ranked from weakest to strongest.
• A small sample group of candidates will be audited after passing the exam.

11. The Endorsement Process
• Next step after passing the exam
• Another CISSP (in good standing) verifies that you have the experience you claim to have
• After approval from the (ISC)² board of directors you will receive your certificate.

12. Maintaining your CISSP certificate in good standing
• The CISSP certification is valid for three years
• Remain in good standing by:
  • Being compliant with the (ISC)² Code of Ethics
  • Earning 120 Professional Education Credits (CPEs) during the three-year period
  • Paying Annual Maintenance Fees (AMFs)
• This will qualify you for an exam-free recertification

13. How you earn CPE credits
• Attending educational courses or seminars
• Attending security conferences
• Being a member of an association chapter and attending meetings
• Serving on the board of a professional security organization
• Volunteering for government, public sector and other charitable organizations, including (ISC)² volunteer committees
1 CPE = approx. 1 hour

14. How you earn CPE credits (cont.)
• Completing higher academic courses
• Providing security training
• Publishing security articles or books
• Participating in self-study courses, computer-based training or webcasts
• Reading an information security book or subscribing to an information security magazine

15. Two types of CPE credits
• Group A
  • Access Control
  • Application Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security and Risk Management
  • Legal, Regulations, Compliance and Investigations
  • Operations Security
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security
• Group B
  • Organizational Behavior
  • Strategic Planning
  • Programming Languages & Techniques
  • Tools and Techniques
  • Interpersonal Communications Skills
  • Interviewing Techniques
  • Development Skills
  • Project Management Skills
In a three-year period you need a minimum of 120 credits, of which at least 80 need to be Group A credits.
16. CBK – Common Body of Knowledge
• A collection of topics relevant to information security professionals around the world
• Establishes a common framework of information security terms and principles
• Review Committee consisting of leading information security specialists, educators and practitioners
• Focuses on confidentiality, integrity and availability (CIA), and attempts to balance the three across ten areas of interest called CBK domains

17. The 10 CISSP CBK Domains
• Access Control
• Application Development Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security Governance and Risk Management
• Legal, Regulations, Investigations and Compliance
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security

18. CBK Domain #1 Access Control
• Authentication methods, models, and technologies
• Access Control Models
  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)
  • Non-discretionary Access Control
• Identity Management Solutions
  • Directories
  • Web Access Management
  • Password Management
  • SSO

19. CBK Domain #1 (cont.) Access Control
• Intrusion detection systems
  • Network vs. host-based
  • Behavior vs. signature-based
• Threats to access control practices and technologies
  • Race condition
  • Brute force
  • Dictionary
  • Social
  • Rainbow tables
• Accountability, monitoring, and auditing practices

20. CBK Domain #1 Access Control
• Which access control method is user-directed?
  A. Non-discretionary
  B. Mandatory
  C. Identity-based
  D. Discretionary
• Which item is not part of a Kerberos authentication implementation?
  A. Message Authentication Code
  B. Ticket granting service
  C. Authentication service
  D. Users, programs, and services

21. CBK Domain #2 Application Development Security
• Various types of software controls and implementation
• Database concepts and security issues
  • Database views
  • Aggregation
  • Inference
• Software life-cycle development processes

22. CBK Domain #2 (cont.) Application Development Security
• Web Security
  • Threats
  • Safeguards
• Malicious Software
  • Viruses
  • Worms
  • Trojan horses
  • Logic bombs

23. CBK Domain #2 Application Development Security
• Which of the following replicates itself by attaching to other programs?
  A. A worm
  B. A virus
  C. A Trojan horse
  D. Malware
• Database views provide what type of security control?
  A. Detective
  B. Corrective
  C. Preventive
  D. Administrative

24. CBK Domain #3 Business Continuity and Disaster Recovery Planning
• Project initiation steps
  • Business Impact Analysis (BIA)
  • Recovery strategy
  • Recovery plan
  • Implementing, testing and maintaining the plan
• Recovery and continuity planning requirements
• Backup alternatives
  • Full backup
  • Incremental
  • Differential

25. CBK Domain #3 (cont.) Business Continuity and Disaster Recovery Planning
• Backup and offsite facilities
  • Hot
  • Warm
  • Cold
  • Reciprocal agreements
• Offsite backups
  • Remote journaling
  • Electronic vaulting
• Types of drills and tests
  • Walk-through
  • Checklist
  • Simulation
  • Full interruption
26. CBK Domain #3 Business Continuity and Disaster Recovery Planning
• What is one of the first steps in developing a business continuity plan?
  A. Identify backup solution
  B. Decide whether the company needs to perform a walk-through, parallel, or simulation test
  C. Perform a business impact analysis
  D. Develop a business resumption plan
• Which best describes a hot-site facility versus a warm- or cold-site facility?
  A. A site that has disk drives, controllers, and tape drives
  B. A site that has all necessary PCs, servers, and telecommunications
  C. A site that has wiring, central air, and raised flooring
  D. A mobile site that can be brought to the company's parking lot

27. CBK Domain #4 Cryptography
• History of cryptography
• Cryptography components and their relationships
• Government involvement in cryptography
• Symmetric and asymmetric key algorithms
• Public key infrastructure (PKI) concepts and mechanisms
  • Digital signatures
  • Certificates
  • Certificate Authority (CA)
  • Registration Authority (RA)

28. CBK Domain #4 (cont.) Cryptography
• Hashing algorithms and uses
  • MD2, MD4, MD5
  • SHA-1, SHA-2
• Types of attacks on cryptosystems
  • Cipher attack
  • Cryptanalysis
  • Known-plaintext
  • Replay
  • …and more

29. CBK Domain #4 Cryptography
• How many bits make up the effective length of the DES key?
  A. 56
  B. 64
  C. 32
  D. 16
• If different keys generate the same ciphertext for the same message, what is this called?
  A. Collision
  B. Secure hashing
  C. MAC
  D. Key clustering

30. CBK Domain #5 Information Security Governance and Risk Management
• Security management responsibilities
• Difference between administrative, technical, and physical controls
• Three main security principles
  • Confidentiality
  • Availability
  • Integrity
• Risk management and risk analysis

31. CBK Domain #5 (cont.) Information Security Governance and Risk Management
• Information security standards
  • ISO 17799
  • ISO 27001
• Security policies
• Information classification
• Security awareness training

32. CBK Domain #5 Information Security Governance and Risk Management
• What are security policies?
  A. Step-by-step directions on how to accomplish security tasks
  B. General guidelines used to accomplish a specific security level
  C. Broad, high-level statements from the management
  D. Detailed documents explaining how security incidents should be handled
• Which is the most valuable technique when determining if a specific security control should be implemented?
  A. Risk analysis
  B. Cost/benefit analysis
  C. ALE results
  D. Identifying the vulnerabilities and threats causing the risk

33. CBK Domain #6 Legal, Regulations, Investigations and Compliance
• Computer crimes and computer laws
  • Criminal law
  • Civil law
  • Intellectual property laws
  • Computer crime laws
  • Privacy laws (EU)
• Regulations
  • SOX
  • HIPAA
  • GLBA
  • BASEL II
  • PCI DSS
• Motives and profiles of attackers

34. CBK Domain #6 (cont.) Legal, Regulations, Investigations and Compliance
• Computer crime investigation process and evidence collection
  • Best evidence
  • Secondary evidence
  • Circumstantial evidence
  • Hearsay evidence
• Incident-handling procedures
• Ethics pertaining to information security professionals and best practices (Code of Ethics)

35. CBK Domain #6 Legal, Regulations, Investigations and Compliance
• Which of the following would be a violation of the (ISC)² Code of Ethics, and could cause the candidate to lose his or her certification?
  A. E-mailing information or comments about the exam to other CISSP candidates
  B. Submitting comments on the questions of the exam to (ISC)²
  C. Submitting comments to the board of directors regarding the test and content of the class
  D. Conducting a presentation about the CISSP certification and what the certification means
• Protecting evidence and providing accountability for who handled it at different steps during the investigation is referred to as what?
  A. The rule of best evidence
  B. Hearsay
  C. Evidence safety
  D. Chain of custody
  • 36. CBK Domain #7 Operations Security • Administrative management responsibilities • Organisational roles • Separation of duties • Least privilege • Operations department responsibilities • Configuration management • Trusted recovery states vemendo grundat 1997 med ett speciellt öga för kundens affärer
  • 37. CBK Domain #7 (cont.) Operations Security • Redundancy and fault-tolerant systems • RAID • Threats to operations security • • • • • • • vemendo DoS Man-in-the-middle Mail bombing War dialing Fake login screens Teardrop Trafic Analysis grundat 1997 med ett speciellt öga för kundens affärer
  • 38. CBK Domain #7 Operations Security • Which of the following best describes operations security? A. Continual vigilance about hacker activity and possible vulnerabilities B. Enforcing access control and physical security C. Taking steps to make sure an environment, and the things within it, stay at a certain level of protection D. Doing strategy planning to develop a secure environment and then implementing it properly • If sensitive data are stored on a CD-ROM and are no longer needed, which would be the proper way of disposing of the data? A. B. C. D. vemendo Degaussing Erasing Purging Physical destruction grundat 1997 med ett speciellt öga för kundens affärer
  • 39. CBK Domain #8 Physical (Environmental) Security • Administrative, technical, and physical controls • Facility location, construction, and management • Physical security risks, threats, and countermeasures • • • • vemendo Natural Environmental Supply system Manmade Politically motivated grundat 1997 med ett speciellt öga för kundens affärer
  • 40. CBK Domain #8 (cont.) Physical (Environmental) Security • Electric power issues and countermeasures • Fire prevention, detection and suppression • Fire suppression • Intrusion detection systems vemendo grundat 1997 med ett speciellt öga för kundens affärer
  • 41. CBK Domain #8 Physical (Environmental) Security • When should a Class C fire extinguisher be used instead of a Class A fire extinguisher? A. B. C. D. When electrical equipment is on fire When wood and paper are on fire When a combustible liquid is on fire When the fire is in an open area • Which of the following answers contains a category of controls that does not belong in a physical security program? A. B. C. D. vemendo Deterrence and delaying Response and detection Assessment and detection Delaying and lightning grundat 1997 med ett speciellt öga för kundens affärer
42. CBK Domain #9 Security Architecture and Design
• Computer hardware and operating system architecture
• Trusted computing base and security mechanisms
  • Hardware
  • Software
  • Firmware
• Protection mechanisms within an operating system
  • Security perimeter
  • Reference monitor
  • Security kernel
43. CBK Domain #9 (cont.) Security Architecture and Design
• Security models
  • Bell-LaPadula (confidentiality)
  • Biba (integrity)
  • Clark-Wilson (integrity)
• Systems evaluation methods
  • Orange Book (TCSEC / Rainbow Series)
  • Common Criteria
44. CBK Domain #9 Security Architecture and Design
• What is the best description of a security kernel from a security point of view?
  A. Reference monitor
  B. Resource manager
  C. Memory mapper
  D. Security perimeter
• The trusted computing base (TCB) controls which of the following?
  A. All trusted processes and software components
  B. All trusted security policies and implementation mechanisms
  C. All trusted software and design mechanisms
  D. All trusted software and hardware components
45. CBK Domain #10 Telecommunications and Network Security
• The OSI model
• TCP/IP and many other protocols
• LAN, WAN, MAN, intranet, and extranet technologies
• Cable types and transmission types
• Communications security management
• Remote access methods and technologies
• Wireless technologies
46. CBK Domain #10 Telecommunications and Network Security
• At what layer does a bridge work?
  A. Session
  B. Network
  C. Transport
  D. Data link
• Which of the following proxies cannot make access decisions on protocol commands?
  A. Application
  B. Packet filtering
  C. Circuit
  D. Stateful
47. Study Resources
• All-in-One CISSP Exam Guide (Shon Harris)
  • Including CD-ROM
• Free resources on the Net
  • cccure.org
• Discussion forums and groups
  • LinkedIn
• And don’t forget
  • The Code of Ethics found at the (ISC)² Web site
48. Tips on the way
• Start studying now!
  • You will probably need 2-3 months just to complete the All-in-One exam guide
• Do test exams. Get to know your weakest domains, which will need your attention before taking the exam.
• Use multiple study resources, e.g. books, eLearning and free test resources on the Net.
• Make sure you have relevant professional experience
• Prepare for the endorsement process
49. Tips on the way (cont.)
• The exam
  • Be physically and mentally prepared for the 6 hours, and bring something to drink.
  • Read the exam questions carefully. My personal favorite is to start by excluding the two least likely answers and then choose the correct answer from the remaining two.
  • Watch the clock. With 250 questions and 6 hours maximum exam time you have an average of 90 seconds per question.
  • Be aware that the exam still contains questions that you might think have become outdated in the real world.
  • Take short breaks to stretch and relax.
50. Summary
• Why become a CISSP?
• About (ISC)²
• The Credentialing Process
• The 10 CBK Domains
• Study Resources
• Tips on the way
51. Questions?

Tomas Ericsson, CISSP-ISSAP
Solutions Architect
Mobile: +46 (0) 70 530 45 32
E-mail: tomas.ericsson@vemendo.se
Twitter: @tomas_ericsson