CISSP Study Guide

1st Edition - July 26, 2010

  • Authors: Eric Conrad, Seth Misenar, Joshua Feldman
  • eBook ISBN: 9781597495646

CISSP Study Guide serves as a review for those who want to take the Certified Information Systems Security Professional (CISSP) exam and obtain CISSP certification. The exam is designed to ensure that someone who is handling computer security in a company has a standardized body of knowledge. The book is composed of the 10 domains of the Common Body of Knowledge, and each section defines its domain. It also provides tips on how to prepare for and take the exam, and contains CISSP practice quizzes to test one's knowledge. The first domain provides information about risk analysis and mitigation, and also discusses security governance. The second domain discusses different techniques for access control, which is the basis for all the security disciplines. The third domain explains the concepts behind cryptography, a secure way of communicating that is understood only by certain recipients. Domain 5 discusses security system design, which is fundamental for operating the system and software security components. Domain 6, Business Continuity Planning and Disaster Recovery Planning, is a critical domain in the Common Body of Knowledge: it is the final control against extreme events such as injury, loss of life, or failure of an organization. Domains 7, 8, and 9 discuss telecommunications and network security, application development security, and the operations domain, respectively. Domain 10 focuses on the major legal systems that provide a framework for determining the laws about information systems.

Key Features

  • Clearly Stated Exam Objectives
  • Unique Terms / Definitions
  • Exam Warnings
  • Helpful Notes
  • Learning By Example
  • Stepped Chapter Ending Questions
  • Self Test Appendix
  • Detailed Glossary
  • Web Site (Contains Two Practice Exams and Ten Podcasts, One for Each Domain)

This study guide and the CISSP certification are aimed at information security professionals with at least 5 years of relevant experience.

Table of Contents

    Acknowledgments
    About the authors
    Chapter 1 Introduction
        How to Prepare for the Exam
             The Notes Card Approach
             Practice Tests
             Read the Glossary
             Readiness Checklist
        How to Take the Exam
             Steps to Becoming a CISSP
             Exam Logistics
             How to Take the Exam
             After the Exam
        Good Luck!
    Chapter 2 Domain 1: Information security governance and risk management
        Unique Terms and Definitions
        Cornerstone Information Security Concepts
             Confidentiality, Integrity, and Availability
             Identity and Authentication, Authorization, and Accountability
        Risk Analysis
             Threats and Vulnerabilities
             Risk = Threat × Vulnerability
             Risk Analysis Matrix
             Calculating Annualized Loss Expectancy
             Total Cost of Ownership
             Return on Investment
             Risk Choices
             Qualitative and Quantitative Risk Analysis
             The Risk Management Process
        Information Security Governance
             Security Policy and Related Documents
             Security Awareness and Training
             Roles and Responsibilities
             Compliance with Laws and Regulations
             Due Care and Due Diligence
             Best Practice
             Outsourcing and Offshoring
             Auditing and Control Frameworks
             Certification and Accreditation
             The (ISC)2® Code of Ethics
        Summary of Exam Objectives
        Self Test
        Self Test Quick Answer Key
    Chapter 3 Domain 2: Access control
        Unique Terms and Definitions
        Cornerstone Access Control Concepts
             The CIA triad
             Identification and AAA
             Subjects and objects
        Access Control Models
             Discretionary Access Controls (DAC)
             Mandatory Access Controls (MAC)
             Non-Discretionary Access Control
             Content and Context-Dependent Access Controls
             Centralized Access Control
             Decentralized Access Control
             Access Control Protocols and Frameworks
        Procedural Issues for Access Control
             Labels, Clearance, Formal Access Approval, and Need to Know
             Rule-Based Access Controls
             Access Control Lists
        Access Control Defensive Categories and Types
             Comparing Access Controls
        Authentication Methods
             Type 1 Authentication: Something You Know
             Type 2 Authentication: Something You Have
             Type 3 Authentication: Something You Are
             Someplace You Are
        Access Control Technologies
             Single Sign-On (SSO)
             Security Audit Logs
        Types of Attackers
             Black Hats and White Hats
             Script Kiddies
             Bots and BotNets
             Phishers and Spear Phishers
        Assessing Access Control
             Penetration Testing
             Vulnerability Testing
             Security Audits
             Security Assessments
        Summary of Exam Objectives
        Self Test
        Self Test Quick Answer Key
    Chapter 4 Domain 3: Cryptography
        Unique Terms and Definitions
        Cornerstone Cryptographic Concepts
             Key Terms
             Confidentiality, Integrity, Authentication, and Non-Repudiation
             Confusion, Diffusion, Substitution, and Permutation
             Cryptographic Strength
             Monoalphabetic and Polyalphabetic Ciphers
             Modular Math
             Exclusive Or (XOR)
             Types of Cryptography
        History of Cryptography
             Egyptian Hieroglyphics
             Spartan Scytale
             Caesar Cipher and other Rotation Ciphers
             Vigenère Cipher
             Cipher Disk
             Jefferson Disks
             Book Cipher and Running-Key Cipher
             One-Time Pad
             Hebern Machines and Purple
             Cryptography Laws
        Symmetric Encryption
             Stream and Block Ciphers
             Initialization Vectors and Chaining
             Data Encryption Standard
             International Data Encryption Algorithm (IDEA)
             Advanced Encryption Standard (AES)
             Blowfish and Twofish
             RC5 and RC6
        Asymmetric Encryption
             Asymmetric Methods
        Hash Functions
             Secure Hash Algorithm
        Cryptographic Attacks
             Brute Force
             Known Plaintext
             Chosen Plaintext and Adaptive Chosen Plaintext
             Chosen Ciphertext and Adaptive Chosen Ciphertext
             Meet-in-the-middle Attack
             Known Key
             Differential Cryptanalysis
             Linear Cryptanalysis
             Side-channel Attacks
             Birthday Attack
             Key Clustering
        Implementing Cryptography
             Digital Signatures
             Public Key Infrastructure
             SSL and TLS
             Escrowed Encryption
             Digital Watermarks
        Summary of Exam Objectives
        Self Test
        Self Test Quick Answer Key
    Chapter 5 Domain 4: Physical (Environmental) security
        Unique Terms and Definitions
        Perimeter Defenses
             Smart Cards and Magnetic Stripe Cards
             Mantraps and Turnstiles
             Contraband Checks
             Motion Detectors and Other Perimeter Alarms
             Doors and Windows
             Walls, floors, and ceilings
             Restricted Areas and Escorts
        Site Selection, Design, and Configuration
             Site Selection Issues
             Site Design and Configuration Issues
        System Defenses
             Asset Tracking
             Port Controls
             Drive and Tape Encryption
             Media Storage and Transportation
             Media Cleaning and Destruction
        Environmental Controls
             Heat, Flame, and Smoke Detectors
             Safety Training and Awareness
             ABCD Fires and Suppression
             Types of Fire Suppression Agents
        Summary of Exam Objectives
        Self Test
        Self Test Quick Answer Key
    Chapter 6 Domain 5: Security architecture and design
        Unique Terms and Definitions
        Secure System Design Concepts
             Security Domains
             The Ring Model
             Open and Closed Systems
        Secure Hardware Architecture
             The System Unit and Motherboard
             The Computer Bus
             The CPU
             Memory Protection
        Secure Operating System and Software Architecture
             The Kernel
             Users and File Permissions
             Thin Clients
        System Vulnerabilities, Threats, and Countermeasures
             Covert Channels
             Buffer Overflows
             TOCTOU/Race Conditions
             Malicious Code (Malware)
             Server-Side Attacks
             Client-Side Attacks
             Web Application Attacks
             Mobile Device Attacks
             Database Security
        Security Models
             Reading Down and Writing Up
             State Machine model
             Bell-LaPadula model
             Lattice-Based Access Controls
             Integrity Models
             Information Flow Model
             Chinese Wall Model
             Access Control Matrix
             Zachman Framework for Enterprise Architecture
             Graham-Denning Model
             Harrison-Ruzzo-Ullman Model
             Modes of Operation
        Evaluation Methods, Certification, and Accreditation
             The Orange Book
             The International Common Criteria
             Certification and Accreditation
        Summary of Exam Objectives
        Self Test
        Self Test Quick Answer Key
    Chapter 7 Domain 6: Business continuity and disaster recovery planning
        Unique Terms and Definitions
        BCP and DRP Overview and Process
             Business Continuity Planning (BCP)
             Disaster Recovery Planning (DRP)
             Relationship between BCP and DRP
             Disasters or disruptive Events
             The Disaster Recovery Process
        Developing a BCP/DRP
             Project Initiation
             Scoping the Project
             Assessing the Critical State
             Conduct Business Impact Analysis (BIA)
             Identify Preventive Controls
             Recovery Strategy
             Related Plans
             Plan Approval
        Backups and Availability
             Hardcopy Data
             Electronic Backups
             Software Escrow
        DRP Testing, Training, and Awareness
             DRP Testing
        Continued BCP/DRP Maintenance
             Change Management
             BCP/DRP Mistakes
        Specific BCP/DRP Frameworks
             NIST SP 800-34
        Summary of Exam Objectives
        Self Test
        Self Test Quick Answer Key
    Chapter 8 Domain 7: Telecommunications and network security
        Unique Terms and Definitions
        Network Architecture and Design
             Network Defense-in-Depth
             Fundamental Network Concepts
             The OSI Model
             The TCP/IP Model
             Network Access, Internet and Transport Layer Protocols and Concepts
             Application Layer TCP/IP Protocols and Concepts
             Layer 1 Network Cabling
             LAN Technologies and Protocols
             LAN Physical Network Topologies
             WAN Technologies and Protocols
        Network Devices and Protocols
             Repeaters and Hubs
             DTE/DCE and CSU/DSU
             Intrusion Detection Systems and Intrusion Prevention Systems
             Network Attacks
             Network Scanning Tools
        Secure Communications
             Authentication Protocols and Frameworks
             Wireless Local Area Networks
             Remote Access
        Summary of Exam Objectives
        Self Test
        Self Test Quick Answer Key
    Chapter 9 Domain 8: Application development security
        Unique Terms and Definitions
        Programming Concepts
             Machine Code, Source Code, and Assemblers
             Compilers, Interpreters, and Bytecode
             Procedural and Object-Oriented Languages
             Fourth-generation Programming Language
             Computer-Aided Software Engineering (CASE)
             Top-Down versus Bottom-Up Programming
             Types of Publicly Released Software
        Application Development Methods
             Waterfall Model
             Sashimi Model
             Agile Software Development
             Rapid Application Development (RAD)
             Software Escrow
        Object-Orientated Design and Programming
             Object-Oriented Programming (OOP)
             Object Request Brokers
             Object-Oriented Analysis (OOA) and Object-Oriented Design (OOD)
        Software Vulnerabilities, Testing, and Assurance
             Software Vulnerabilities
             Software Testing Methods
             Software Capability Maturity Model (CMM)
             Types of Databases
             Database Integrity
             Database Replication and Shadowing
             Data Warehousing and Data Mining
        Artificial Intelligence
             Expert Systems
             Artificial Neural Networks
             Bayesian Filtering
             Genetic Algorithms and Programming
        Summary of Exam Objectives
        Self Test
        Self Test Quick Answer Key
    Chapter 10 Domain 9: Operations security
        Unique Terms and Definitions
        Administrative Security
             Administrative Personnel Controls
             Privilege Monitoring
        Sensitive Information/Media Security
             Sensitive Information
        Asset Management
             Configuration Management
             Change Management
        Continuity of Operations
             Service Level Agreements (SLA)
             Fault Tolerance
        Incident Response Management
             Types of attacks
        Summary of Exam Objectives
        Self Test
        Self Test Quick Answer Key
    Chapter 11 Domain 10: Legal regulations, investigations, and compliance
        Unique Terms and Definitions
        Major Legal Systems
             Civil Law (legal system)
             Common Law
             Religious Law
             Other Systems
        Criminal, Civil, and Administrative Law
             Criminal Law
             Civil Law
             Administrative Law
        Information Security Aspects of Law
             Computer Crime
             Intellectual Property
             Import/export Restrictions
        Legal Aspects of Investigations
             Digital Forensics
             Incident Response
             Evidence Integrity
             Chain of Custody
             Reasonable Searches
             Entrapment and enticement
        Important Laws and Regulations
             U.S. Computer Fraud and Abuse Act
             USA PATRIOT Act
             United States Breach Notification Laws
             Computer Ethics Institute
             IAB's Ethics and the Internet
             The (ISC)2® Code of Ethics
        Summary of Exam Objectives
        Self Test
        Self Test Quick Answer Key
    Appendix: Self test

Product details

  • Language: English
  • Copyright: © Syngress 2010
  • Published: July 26, 2010
  • Imprint: Syngress
  • eBook ISBN: 9781597495646

About the Authors

Eric Conrad

Eric Conrad (CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GAWN, GSEC, Security+) is a SANS-certified instructor and President of Backshore Communications, which provides information warfare, penetration testing, incident handling, and intrusion detection consulting services. Eric started his professional career in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and healthcare, in positions ranging from systems programmer to security engineer to HIPAA security officer and ISSO. He has taught more than a thousand students in courses such as SANS Management 414: CISSP, Security 560: Network Penetration Testing and Ethical Hacking, and Security 504: Hacker Techniques, Exploits, and Incident Handling. Eric graduated from the SANS Technology Institute with a Master of Science degree in Information Security Engineering.

Affiliations and Expertise

CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GAWN, GSEC, GISP, GCED, Senior SANS instructor and CTO, Backshore Communications

Seth Misenar

Seth Misenar (CISSP, GPEN, GCIH, GCIA, GCFA, GWAPT, GCWN, GSEC, MCSE, MCDBA) is a certified instructor with the SANS Institute and serves as lead consultant for Context Security, which is based in Jackson, Mississippi. His background includes security research, network and Web application penetration testing, vulnerability assessment, regulatory compliance, security architecture design, and general security consulting. Seth previously served as a physical and network security consultant for Fortune 100 companies and as the HIPAA and information security officer for a state government agency. He teaches a variety of courses for the SANS Institute, including Security Essentials, Web Application Penetration Testing, Hacker Techniques, and the CISSP course.

Seth is pursuing a Master of Science degree in Information Security Engineering from the SANS Technology Institute and holds a Bachelor of Science degree from Millsaps College, Jackson, Mississippi.

Affiliations and Expertise

CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GWAPT, GCWN, GSEC, Senior SANS instructor and Lead Consultant, Context Security, LLC.

Joshua Feldman

Joshua Feldman (CISSP) is currently employed by SAIC, Inc. He has been involved in the Department of Defense Information Systems Agency (DISA) Information Assurance Education, Training, and Awareness program since 2002, where he has contributed to a variety of DoD-wide Information Assurance and Cyber Security policies, specifically the 8500.2 and 8570 series. Joshua has taught more than a thousand DoD students through his "DoD IA Boot Camp" course. He is a subject matter expert for the Web-based DoD Information Assurance Awareness training, which every DoD user is required to complete yearly as part of his or her security awareness curriculum. He is also a regular presenter and panel member at the annual Information Assurance Symposium hosted jointly by DISA and NSA. Before joining the support team at DoD/DISA, Joshua spent time as an IT security engineer at the Department of State's Bureau of Diplomatic Security. He got his start in the IT security field with NFR Security Software, a company that manufactures Intrusion Detection Systems. There, he worked as both a trainer and an engineer, implementing IDS technologies and instructing customers in properly configuring them.

Affiliations and Expertise

CISSP, Vice President, IT Risk, Moody's Investments
