CISSP Study Guide


  • Eric Conrad, CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GAWN, GSEC, GISP, GCED, Senior SANS instructor and CTO, Backshore Communications
  • Seth Misenar, CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GWAPT, GCWN, GSEC, Senior SANS instructor and Lead Consultant, Context Security, LLC.
  • Joshua Feldman, CISSP, Vice President: IT Risk, Moody's Investments

CISSP Study Guide serves as a review for those who want to take the Certified Information Systems Security Professional (CISSP) exam and obtain CISSP certification. The exam is designed to ensure that someone who is handling computer security in a company has a standardized body of knowledge. The book is composed of the 10 domains of the Common Body of Knowledge, and each section defines its domain. It also provides tips on how to prepare for and take the exam, and contains CISSP practice quizzes to test one's knowledge. The first domain provides information about risk analysis and mitigation, and also discusses security governance. The second domain discusses different techniques for access control, which is the basis for all the security disciplines. The third domain explains the concepts behind cryptography, a secure way of communicating that is understood only by certain recipients. Domain 5 discusses security system design, which is fundamental for operating the system and software security components. Domain 6, Business Continuity Planning and Disaster Recovery Planning, is a critical domain in the Common Body of Knowledge: it is the final control against extreme events such as injury, loss of life, or failure of an organization. Domains 7, 8, and 9 discuss telecommunications and network security, application development security, and the operations domain, respectively. Domain 10 focuses on the major legal systems that provide a framework for determining the laws about information systems.


This study guide and the CISSP certification are aimed at information security professionals with at least 5 years of relevant experience.


Book information

  • Published: July 2010
  • Imprint: SYNGRESS
  • ISBN: 978-1-59749-563-9


"Ideal preparation tool for the CISSP exam; gives you exactly what you need to know in an accurate, concentrated, no frills, no fluff manner. The exam warnings, clear explanations about common misconceptions, are priceless and I learned a lot from them."--Stephen Northcutt, President, SANS Technology Institute

"For anyone serious about passing the exam I would recommend this book to be one of their guides and award the book nine out of ten in terms of its approach, coverage of the material and applicability to the task of preparing a student for the CISSP exam overall."--Jim McGhie, MBCS, CEng CITP

"The CISSP certification is the very first and most prestigious, globally-recognized, vendor-neutral exam for information security professionals. This new study guide is aligned to cover all of the material included in the exam complete with special attention to recent updates."--Dierdre Blake on Dr. Dobb’s Journal

"[T]he book contains all the necessary topics that you will need to know to review for the exam…. Overall the book is more concise than the majority of the other CISSP study guides available. It uses techniques such as "Learn By Example" and "Exam Warning" boxes to illustrate and highlight key points. Well written by technically competent authors, I found the book easy to read. Significantly cheaper than many of its peers, this is all that the more experienced prospective CISSP candidate requires."

Table of Contents

Acknowledgments

About the authors

Chapter 1 Introduction
  • How to Prepare for the Exam
      • The Notes Card Approach
      • Practice Tests
      • Read the Glossary
      • Readiness Checklist
  • How to Take the Exam
      • Steps to Becoming a CISSP
      • Exam Logistics
      • How to Take the Exam
      • After the Exam
  • Good Luck!

Chapter 2 Domain 1: Information security governance and risk management
  • Unique Terms and Definitions
  • Introduction
  • Cornerstone Information Security Concepts
      • Confidentiality, Integrity, and Availability
      • Identity and Authentication, Authorization, and Accountability
  • Risk Analysis
      • Assets
      • Threats and Vulnerabilities
      • Risk = Threat × Vulnerability
      • Impact
      • Risk Analysis Matrix
      • Calculating Annualized Loss Expectancy
      • Total Cost of Ownership
      • Return on Investment
      • Risk Choices
      • Qualitative and Quantitative Risk Analysis
      • The Risk Management Process
  • Information Security Governance
      • Security Policy and Related Documents
      • Security Awareness and Training
      • Roles and Responsibilities
      • Compliance with Laws and Regulations
      • Privacy
      • Due Care and Due Diligence
      • Best Practice
      • Outsourcing and Offshoring
      • Auditing and Control Frameworks
      • Certification and Accreditation
  • Ethics
      • The (ISC)2 © Code of Ethics
  • Summary of Exam Objectives
  • Self Test
  • Self Test Quick Answer Key

Chapter 3 Domain 2: Access control
  • Unique Terms and Definitions
  • Introduction
  • Cornerstone Access Control Concepts
      • The CIA triad
      • Identification and AAA
      • Subjects and objects
  • Access Control Models
      • Discretionary Access Controls (DAC)
      • Mandatory Access Controls (MAC)
      • Non-Discretionary Access Control
      • Content and Context-Dependent Access Controls
      • Centralized Access Control
      • Decentralized Access Control
      • Access Control Protocols and Frameworks
  • Procedural Issues for Access Control
      • Labels, Clearance, Formal Access Approval, and Need to Know
      • Rule-Based Access Controls
      • Access Control Lists
  • Access Control Defensive Categories and Types
      • Preventive
      • Detective
      • Corrective
      • Recovery
      • Deterrent
      • Compensating
      • Comparing Access Controls
  • Authentication Methods
      • Type 1 Authentication: Something You Know
      • Type 2 Authentication: Something You Have
      • Type 3 Authentication: Something You Are
      • Someplace You Are
  • Access Control Technologies
      • Single Sign-On (SSO)
      • Kerberos
      • SESAME
      • Security Audit Logs
  • Types of Attackers
      • Hackers
      • Black Hats and White Hats
      • Script Kiddies
      • Outsiders
      • Insiders
      • Hacktivist
      • Bots and BotNets
      • Phishers and Spear Phishers
  • Assessing Access Control
      • Penetration Testing
      • Vulnerability Testing
      • Security Audits
      • Security Assessments
  • Summary of Exam Objectives
  • Self Test
  • Self Test Quick Answer Key

Chapter 4 Domain 3: Cryptography
  • Unique Terms and Definitions
  • Introduction
  • Cornerstone Cryptographic Concepts
      • Key Terms
      • Confidentiality, Integrity, Authentication, and Non-Repudiation
      • Confusion, Diffusion, Substitution, and Permutation
      • Cryptographic Strength
      • Monoalphabetic and Polyalphabetic Ciphers
      • Modular Math
      • Exclusive Or (XOR)
      • Types of Cryptography
  • History of Cryptography
      • Egyptian Hieroglyphics
      • Spartan Scytale
      • Caesar Cipher and other Rotation Ciphers
      • Vigenère Cipher
      • Cipher Disk
      • Jefferson Disks
      • Book Cipher and Running-Key Cipher
      • Codebooks
      • One-Time Pad
      • Hebern Machines and Purple
      • Cryptography Laws
  • Symmetric Encryption
      • Stream and Block Ciphers
      • Initialization Vectors and Chaining
      • Data Encryption Standard
      • International Data Encryption Algorithm (IDEA)
      • Advanced Encryption Standard (AES)
      • Blowfish and Twofish
      • RC5 and RC6
  • Asymmetric Encryption
      • Asymmetric Methods
  • Hash Functions
      • Collisions
      • MD5
      • Secure Hash Algorithm
      • HAVAL
  • Cryptographic Attacks
      • Brute Force
      • Known Plaintext
      • Chosen Plaintext and Adaptive Chosen Plaintext
      • Chosen Ciphertext and Adaptive Chosen Ciphertext
      • Meet-in-the-middle Attack
      • Known Key
      • Differential Cryptanalysis
      • Linear Cryptanalysis
      • Side-channel Attacks
      • Birthday Attack
      • Key Clustering
  • Implementing Cryptography
      • Digital Signatures
      • HMAC
      • CBC-MAC
      • Public Key Infrastructure
      • IPsec
      • SSL and TLS
      • PGP
      • S/MIME
      • Escrowed Encryption
      • Steganography
      • Digital Watermarks
  • Summary of Exam Objectives
  • Self Test
  • Self Test Quick Answer Key

Chapter 5 Domain 4: Physical (Environmental) security
  • Unique Terms and Definitions
  • Introduction
  • Perimeter Defenses
      • Fences
      • Gates
      • Bollards
      • Lights
      • CCTV
      • Locks
      • Smart Cards and Magnetic Stripe Cards
      • Tailgating/piggybacking
      • Mantraps and Turnstiles
      • Contraband Checks
      • Motion Detectors and Other Perimeter Alarms
      • Doors and Windows
      • Walls, floors, and ceilings
      • Guards
      • Dogs
      • Restricted Areas and Escorts
  • Site Selection, Design, and Configuration
      • Site Selection Issues
      • Site Design and Configuration Issues
  • System Defenses
      • Asset Tracking
      • Port Controls
      • Drive and Tape Encryption
      • Media Storage and Transportation
      • Media Cleaning and Destruction
  • Environmental Controls
      • Electricity
      • HVAC
      • Heat, Flame, and Smoke Detectors
      • Safety Training and Awareness
      • ABCD Fires and Suppression
      • Types of Fire Suppression Agents
  • Summary of Exam Objectives
  • Self Test
  • Self Test Quick Answer Key

Chapter 6 Domain 5: Security architecture and design
  • Unique Terms and Definitions
  • Introduction
  • Secure System Design Concepts
      • Layering
      • Abstraction
      • Security Domains
      • The Ring Model
      • Open and Closed Systems
  • Secure Hardware Architecture
      • The System Unit and Motherboard
      • The Computer Bus
      • The CPU
      • Memory
      • Memory Protection
  • Secure Operating System and Software Architecture
      • The Kernel
      • Users and File Permissions
      • Virtualization
      • Thin Clients
  • System Vulnerabilities, Threats, and Countermeasures
      • Emanations
      • Covert Channels
      • Buffer Overflows
      • TOCTOU/Race Conditions
      • Backdoors
      • Malicious Code (Malware)
      • Server-Side Attacks
      • Client-Side Attacks
      • Web Application Attacks
      • Mobile Device Attacks
      • Database Security
      • Countermeasures
  • Security Models
      • Reading Down and Writing Up
      • State Machine model
      • Bell-LaPadula model
      • Lattice-Based Access Controls
      • Integrity Models
      • Information Flow Model
      • Chinese Wall Model
      • Noninterference
      • Take-Grant
      • Access Control Matrix
      • Zachman Framework for Enterprise Architecture
      • Graham-Denning Model
      • Harrison-Ruzzo-Ullman Model
      • Modes of Operation
  • Evaluation Methods, Certification, and Accreditation
      • The Orange Book
      • ITSEC
      • The International Common Criteria
      • PCI-DSS
      • Certification and Accreditation
  • Summary of Exam Objectives
  • Self Test
  • Self Test Quick Answer Key

Chapter 7 Domain 6: Business continuity and disaster recovery planning
  • Unique Terms and Definitions
  • Introduction
  • BCP and DRP Overview and Process
      • Business Continuity Planning (BCP)
      • Disaster Recovery Planning (DRP)
      • Relationship between BCP and DRP
      • Disasters or disruptive Events
      • The Disaster Recovery Process
  • Developing a BCP/DRP
      • Project Initiation
      • Scoping the Project
      • Assessing the Critical State
      • Conduct Business Impact Analysis (BIA)
      • Identify Preventive Controls
      • Recovery Strategy
      • Related Plans
      • Plan Approval
  • Backups and Availability
      • Hardcopy Data
      • Electronic Backups
      • Software Escrow
  • DRP Testing, Training, and Awareness
      • DRP Testing
      • Training
      • Awareness
  • Continued BCP/DRP Maintenance
      • Change Management
      • BCP/DRP Mistakes
  • Specific BCP/DRP Frameworks
      • NIST SP 800-34
      • ISO/IEC-27031
      • BS-25999
      • BCI
  • Summary of Exam Objectives
  • Self Test
  • Self Test Quick Answer Key

Chapter 8 Domain 7: Telecommunications and network security
  • Unique Terms and Definitions
  • Introduction
  • Network Architecture and Design
      • Network Defense-in-Depth
      • Fundamental Network Concepts
      • The OSI Model
      • The TCP/IP Model
      • Encapsulation
      • Network Access, Internet and Transport Layer Protocols and Concepts
      • Application Layer TCP/IP Protocols and Concepts
      • Layer 1 Network Cabling
      • LAN Technologies and Protocols
      • LAN Physical Network Topologies
      • WAN Technologies and Protocols
  • Network Devices and Protocols
      • Repeaters and Hubs
      • Bridges
      • Switches
      • TAPs
      • Routers
      • Firewalls
      • Modem
      • DTE/DCE and CSU/DSU
      • Intrusion Detection Systems and Intrusion Prevention Systems
      • Honeypots
      • Network Attacks
      • Network Scanning Tools
  • Secure Communications
      • Authentication Protocols and Frameworks
      • VPN
      • VoIP
      • Wireless Local Area Networks
      • RFID
      • Remote Access
  • Summary of Exam Objectives
  • Self Test
  • Self Test Quick Answer Key

Chapter 9 Domain 8: Application development security
  • Unique Terms and Definitions
  • Introduction
  • Programming Concepts
      • Machine Code, Source Code, and Assemblers
      • Compilers, Interpreters, and Bytecode
      • Procedural and Object-Oriented Languages
      • Fourth-generation Programming Language
      • Computer-Aided Software Engineering (CASE)
      • Top-Down versus Bottom-Up Programming
      • Types of Publicly Released Software
  • Application Development Methods
      • Waterfall Model
      • Sashimi Model
      • Agile Software Development
      • Spiral
      • Rapid Application Development (RAD)
      • Prototyping
      • SDLC
      • Software Escrow
  • Object-Orientated Design and Programming
      • Object-Oriented Programming (OOP)
      • Object Request Brokers
      • Object-Oriented Analysis (OOA) and Object-Oriented Design (OOD)
  • Software Vulnerabilities, Testing, and Assurance
      • Software Vulnerabilities
      • Software Testing Methods
      • Disclosure
      • Software Capability Maturity Model (CMM)
  • Databases
      • Types of Databases
      • Database Integrity
      • Database Replication and Shadowing
      • Data Warehousing and Data Mining
  • Artificial Intelligence
      • Expert Systems
      • Artificial Neural Networks
      • Bayesian Filtering
      • Genetic Algorithms and Programming
  • Summary of Exam Objectives
  • Self Test
  • Self Test Quick Answer Key

Chapter 10 Domain 9: Operations security
  • Unique Terms and Definitions
  • Introduction
  • Administrative Security
      • Administrative Personnel Controls
      • Privilege Monitoring
  • Sensitive Information/Media Security
      • Sensitive Information
  • Asset Management
      • Configuration Management
      • Change Management
  • Continuity of Operations
      • Service Level Agreements (SLA)
      • Fault Tolerance
  • Incident Response Management
      • Methodology
      • Types of attacks
  • Summary of Exam Objectives
  • Self Test
  • Self Test Quick Answer Key

Chapter 11 Domain 10: Legal regulations, investigations, and compliance
  • Unique Terms and Definitions
  • Introduction
  • Major Legal Systems
      • Civil Law (legal system)
      • Common Law
      • Religious Law
      • Other Systems
  • Criminal, Civil, and Administrative Law
      • Criminal Law
      • Civil Law
      • Administrative Law
  • Information Security Aspects of Law
      • Computer Crime
      • Intellectual Property
      • Import/export Restrictions
      • Privacy
      • Liability
  • Legal Aspects of Investigations
      • Digital Forensics
      • Incident Response
      • Evidence
      • Evidence Integrity
      • Chain of Custody
      • Reasonable Searches
      • Entrapment and enticement
  • Important Laws and Regulations
      • U.S. Computer Fraud and Abuse Act
      • USA PATRIOT Act
      • HIPAA
      • United States Breach Notification Laws
  • Ethics
      • Computer Ethics Institute
      • IAB’s Ethics and the Internet
      • The (ISC)2 © Code of Ethics
  • Summary of Exam Objectives
  • Self Test
  • Self Test Quick Answer Key

Appendix: Self test

Glossary

Index