CISSP Study Guide

1st Edition - July 26, 2010

  • Authors: Eric Conrad, Seth Misenar, Joshua Feldman
  • eBook ISBN: 9781597495646


CISSP Study Guide serves as a review for those who want to take the Certified Information Systems Security Professional (CISSP) exam and obtain CISSP certification. The exam is designed to ensure that someone who is handling computer security in a company has a standardized body of knowledge. The book is organized around the 10 domains of the Common Body of Knowledge, with one chapter defining each domain. It also provides tips on how to prepare for and take the exam, and it contains CISSP practice quizzes to test one's knowledge. The first domain provides information about risk analysis and mitigation, and also discusses security governance. The second domain discusses different techniques for access control, which is the basis for all the security disciplines. The third domain explains the concepts behind cryptography, a way of communicating securely so that messages are understood only by the intended recipients. Domain 5 discusses security system design, which is fundamental to operating the system and software security components. Domain 6, Business Continuity Planning and Disaster Recovery Planning, is a critical domain in the Common Body of Knowledge: it is the final control against extreme events such as injury, loss of life, or failure of an organization. Domains 7, 8, and 9 discuss telecommunications and network security, application development security, and the operations domain, respectively. Domain 10 focuses on the major legal systems that provide a framework for determining the laws governing information systems.

Key Features

  • Clearly Stated Exam Objectives
  • Unique Terms / Definitions
  • Exam Warnings
  • Helpful Notes
  • Learning By Example
  • Stepped Chapter Ending Questions
  • Self Test Appendix
  • Detailed Glossary
  • Web Site (Contains Two Practice Exams and Ten Podcasts, One for Each Domain)



This study guide and the CISSP certification are aimed at information security professionals with at least 5 years of relevant experience.

Table of Contents

  • Acknowledgments

    About the authors

    Chapter 1 Introduction

        How to Prepare for the Exam

             The Notes Card Approach

             Practice Tests

             Read the Glossary

             Readiness Checklist

        How to Take the Exam

             Steps to Becoming a CISSP

             Exam Logistics

             How to Take the Exam

             After the Exam

        Good Luck!

    Chapter 2 Domain 1: Information security governance and risk management

        Unique Terms and Definitions


        Cornerstone Information Security Concepts

             Confidentiality, Integrity, and Availability

             Identity and Authentication, Authorization, and Accountability

        Risk Analysis


             Threats and Vulnerabilities

             Risk = Threat × Vulnerability


             Risk Analysis Matrix

             Calculating Annualized Loss Expectancy

             Total Cost of Ownership

             Return on Investment

             Risk Choices

             Qualitative and Quantitative Risk Analysis

             The Risk Management Process

        Information Security Governance

             Security Policy and Related Documents

             Security Awareness and Training

             Roles and Responsibilities

             Compliance with Laws and Regulations


             Due Care and Due Diligence

             Best Practice

             Outsourcing and Offshoring

             Auditing and Control Frameworks

             Certification and Accreditation


             The (ISC)2 © Code of Ethics

        Summary of Exam Objectives

        Self Test

        Self Test Quick Answer Key

    Chapter 3 Domain 2: Access control

        Unique Terms and Definitions


        Cornerstone Access Control Concepts

             The CIA triad

             Identification and AAA

             Subjects and objects

        Access Control Models

             Discretionary Access Controls (DAC)

             Mandatory Access Controls (MAC)

             Non-Discretionary Access Control

             Content and Context-Dependent Access Controls

             Centralized Access Control

             Decentralized Access Control

             Access Control Protocols and Frameworks

        Procedural Issues for Access Control

             Labels, Clearance, Formal Access Approval, and Need to Know

             Rule-Based Access Controls

             Access Control Lists

        Access Control Defensive Categories and Types
             Comparing Access Controls

        Authentication Methods

             Type 1 Authentication: Something You Know

             Type 2 Authentication: Something You Have

             Type 3 Authentication: Something You Are

             Someplace You Are

        Access Control Technologies

             Single Sign-On (SSO)



             Security Audit Logs

        Types of Attackers


             Black Hats and White Hats

             Script Kiddies

             Bots and BotNets

             Phishers and Spear Phishers

        Assessing Access Control

             Penetration Testing

             Vulnerability Testing

             Security Audits

             Security Assessments

        Summary of Exam Objectives

        Self Test

        Self Test Quick Answer Key

    Chapter 4 Domain 3: Cryptography

        Unique Terms and Definitions


        Cornerstone Cryptographic Concepts

             Key Terms

             Confidentiality, Integrity, Authentication, and Non-Repudiation

             Confusion, Diffusion, Substitution, and Permutation

             Cryptographic Strength

             Monoalphabetic and Polyalphabetic Ciphers

             Modular Math

             Exclusive Or (XOR)

             Types of Cryptography

        History of Cryptography

             Egyptian Hieroglyphics

             Spartan Scytale

             Caesar Cipher and other Rotation Ciphers

             Vigenère Cipher

             Cipher Disk

             Jefferson Disks

             Book Cipher and Running-Key Cipher


             One-Time Pad

             Hebern Machines and Purple

             Cryptography Laws

        Symmetric Encryption

             Stream and Block Ciphers

             Initialization Vectors and Chaining

             Data Encryption Standard

             International Data Encryption Algorithm (IDEA)

             Advanced Encryption Standard (AES)

             Blowfish and Twofish

             RC5 and RC6

        Asymmetric Encryption

             Asymmetric Methods

        Hash Functions



             Secure Hash Algorithm


        Cryptographic Attacks

             Brute Force

             Known Plaintext

             Chosen Plaintext and Adaptive Chosen Plaintext

             Chosen Ciphertext and Adaptive Chosen Ciphertext

             Meet-in-the-middle Attack

             Known Key

             Differential Cryptanalysis

             Linear Cryptanalysis

             Side-channel Attacks

             Birthday Attack

             Key Clustering

        Implementing Cryptography

             Digital Signatures



             Public Key Infrastructure


             SSL and TLS



             Escrowed Encryption


             Digital Watermarks

        Summary of Exam Objectives

        Self Test

        Self Test Quick Answer Key

    Chapter 5 Domain 4: Physical (Environmental) security

        Unique Terms and Definitions


        Perimeter Defenses
             Smart Cards and Magnetic Stripe Cards


             Mantraps and Turnstiles

             Contraband Checks

             Motion Detectors and Other Perimeter Alarms

             Doors and Windows

             Walls, floors, and ceilings



             Restricted Areas and Escorts

        Site Selection, Design, and Configuration

             Site Selection Issues

             Site Design and Configuration Issues

        System Defenses

             Asset Tracking

             Port Controls

             Drive and Tape Encryption

             Media Storage and Transportation

             Media Cleaning and Destruction

        Environmental Controls



             Heat, Flame, and Smoke Detectors

             Safety Training and Awareness

             ABCD Fires and Suppression

             Types of Fire Suppression Agents

        Summary of Exam Objectives

        Self Test

        Self Test Quick Answer Key

    Chapter 6 Domain 5: Security architecture and design

        Unique Terms and Definitions


        Secure System Design Concepts



             Security Domains

             The Ring Model

             Open and Closed Systems

        Secure Hardware Architecture

             The System Unit and Motherboard

             The Computer Bus

             The CPU


             Memory Protection

        Secure Operating System and Software Architecture

             The Kernel

             Users and File Permissions


             Thin Clients

        System Vulnerabilities, Threats, and Countermeasures


             Covert Channels

             Buffer Overflows

             TOCTOU/Race Conditions


             Malicious Code (Malware)

             Server-Side Attacks

             Client-Side Attacks

             Web Application Attacks

             Mobile Device Attacks

             Database Security


        Security Models

             Reading Down and Writing Up

             State Machine model

             Bell-LaPadula model

             Lattice-Based Access Controls

             Integrity Models

             Information Flow Model

             Chinese Wall Model



             Access Control Matrix

             Zachman Framework for Enterprise Architecture

             Graham-Denning Model

             Harrison-Ruzzo-Ullman Model

             Modes of Operation

        Evaluation Methods, Certification, and Accreditation

             The Orange Book


             The International Common Criteria


             Certification and Accreditation

        Summary of Exam Objectives

        Self Test

        Self Test Quick Answer Key

    Chapter 7 Domain 6: Business continuity and disaster recovery planning

        Unique Terms and Definitions


        BCP and DRP Overview and Process

             Business Continuity Planning (BCP)

             Disaster Recovery Planning (DRP)

             Relationship between BCP and DRP

             Disasters or disruptive Events

             The Disaster Recovery Process

        Developing a BCP/DRP

             Project Initiation

             Scoping the Project

             Assessing the Critical State

             Conduct Business Impact Analysis (BIA)

             Identify Preventive Controls

             Recovery Strategy

             Related Plans

             Plan Approval

        Backups and Availability

             Hardcopy Data

             Electronic Backups

             Software Escrow

        DRP Testing, Training, and Awareness

             DRP Testing



        Continued BCP/DRP Maintenance

             Change Management

             BCP/DRP Mistakes

        Specific BCP/DRP Frameworks

             NIST SP 800-34

        Summary of Exam Objectives

        Self Test

        Self Test Quick Answer Key

    Chapter 8 Domain 7: Telecommunications and network security

        Unique Terms and Definitions


        Network Architecture and Design

             Network Defense-in-Depth

             Fundamental Network Concepts

             The OSI Model

             The TCP/IP Model


             Network Access, Internet and Transport Layer Protocols and Concepts

             Application Layer TCP/IP Protocols and Concepts

             Layer 1 Network Cabling

             LAN Technologies and Protocols

             LAN Physical Network Topologies

             WAN Technologies and Protocols

        Network Devices and Protocols

             Repeaters and Hubs

             DTE/DCE and CSU/DSU

             Intrusion Detection Systems and Intrusion Prevention Systems


             Network Attacks

             Network Scanning Tools

        Secure Communications

             Authentication Protocols and Frameworks



             Wireless Local Area Networks


             Remote Access

        Summary of Exam Objectives

        Self Test

        Self Test Quick Answer Key

    Chapter 9 Domain 8: Application development security

        Unique Terms and Definitions


        Programming Concepts

             Machine Code, Source Code, and Assemblers

             Compilers, Interpreters, and Bytecode

             Procedural and Object-Oriented Languages

             Fourth-generation Programming Language

             Computer-Aided Software Engineering (CASE)

             Top-Down versus Bottom-Up Programming

             Types of Publicly Released Software

        Application Development Methods

             Waterfall Model

             Sashimi Model

             Agile Software Development


             Rapid Application Development (RAD)



             Software Escrow

        Object-Orientated Design and Programming

             Object-Oriented Programming (OOP)

             Object Request Brokers

             Object-Oriented Analysis (OOA) and Object-Oriented Design (OOD)

        Software Vulnerabilities, Testing, and Assurance

             Software Vulnerabilities

             Software Testing Methods


             Software Capability Maturity Model (CMM)


             Types of Databases

             Database Integrity

             Database Replication and Shadowing

             Data Warehousing and Data Mining

        Artificial Intelligence

             Expert Systems

             Artificial Neural Networks

             Bayesian Filtering

             Genetic Algorithms and Programming

        Summary of Exam Objectives

        Self Test

        Self Test Quick Answer Key

    Chapter 10 Domain 9: Operations security

        Unique Terms and Definitions


        Administrative Security

             Administrative Personnel Controls

             Privilege Monitoring

        Sensitive Information/Media Security

             Sensitive Information

        Asset Management

             Configuration Management

             Change Management

        Continuity of Operations

             Service Level Agreements (SLA)

             Fault Tolerance

        Incident Response Management


             Types of attacks

        Summary of Exam Objectives

        Self Test

        Self Test Quick Answer Key

    Chapter 11 Domain 10: Legal regulations, investigations, and compliance

        Unique Terms and Definitions


        Major Legal Systems

             Civil Law (legal system)

             Common Law

             Religious Law

             Other Systems

        Criminal, Civil, and Administrative Law

             Criminal Law

             Civil Law

             Administrative Law

        Information Security Aspects of Law

             Computer Crime

             Intellectual Property

             Import/export Restrictions



        Legal Aspects of Investigations

             Digital Forensics

             Incident Response


             Evidence Integrity

             Chain of Custody

             Reasonable Searches

             Entrapment and enticement

        Important Laws and Regulations

             U.S. Computer Fraud and Abuse Act

             USA PATRIOT Act


             United States Breach Notification Laws


             Computer Ethics Institute

             IAB’s Ethics and the Internet

             The (ISC)2 © Code of Ethics

        Summary of Exam Objectives

        Self Test

        Self Test Quick Answer Key

    Appendix: Self test
Product details

  • Language: English
  • Copyright: © Syngress 2010
  • Published: July 26, 2010
  • Imprint: Syngress
  • eBook ISBN: 9781597495646

About the Authors

Eric Conrad

Eric Conrad (CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GAWN, GSEC, GMON, GISP), is a SANS fellow and Chief Technology Officer of Backshore Communications, which provides threat hunting, penetration testing, incident handling, and intrusion detection consulting services. Eric started his professional career in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and healthcare, in positions ranging from systems programmer to security engineer to HIPAA security officer and ISSO. He is coauthor of MGT414: SANS Training Program for the CISSP Certification, SEC511: Continuous Monitoring and Security Operations, and SEC542: Web App Penetration Testing and Ethical Hacking. Eric graduated from the SANS Technology Institute with a Master of Science degree in Information Security Engineering.

Affiliations and Expertise

Fellow, SANS Institute, Bethesda, MD, USA; Chief Technology Officer, Backshore Communications LLC., Peaks Island, ME, USA

Seth Misenar

Seth Misenar (CISSP®, GSE, GDSA, GDAT, GMON, GCDA, GCIH, GCIA, GCFA) is a Fellow with the SANS Institute and also serves as Principal Consultant for Jackson, Mississippi-based Context Security, LLC. His cyber security background includes research, host-based and network intrusion detection, architecture design, and general security consulting. Seth previously served as a physical and network security consultant for Fortune 100 companies and a state government agency’s HIPAA and information security officer. He has partnered with the SANS Institute for over 15 years, teaching and authoring courseware and facilitating instructor development. Seth is pursuing a Master of Science degree in Information Security Engineering from the SANS Technology Institute and holds a Bachelor of Science degree from Millsaps College.

Affiliations and Expertise

Fellow, SANS Institute, Bethesda, MD, USA; Principal Consultant, Context Security, LLC., Jackson, MI, USA

Joshua Feldman

Joshua Feldman (CISSP) is Senior Vice President for Security Technology at the Radian Group – a real estate and mortgage insurance conglomerate. His mission is focused on protecting over 10M US consumer financial records. He is the executive responsible for all aspects of Radian’s technical security program. Previous security roles included work at Moody’s Credit Ratings, Corning Inc, and the US Department of Defense and Department of State. In 2008, Joshua was Eric's student when studying for the CISSP exam and was so impressed with Eric’s mastery of the materials that he invited Eric to work with him at the DoD. Quickly after starting work, Eric invited Seth. That project ran successfully for over eight years – a testament to the value brought for US military cyber professionals. Joshua got his start in the cyber security field when he left his public-school science teaching position in 1997 and began working for Network Flight Recorder (NFR, Inc.), a small Washington, DC based startup making the first generation of Network Intrusion Detection Systems. He has a Bachelor’s of Science from the University of Maryland and a Master’s in Cyber Operations from National Defense University. He currently resides in Philadelphia with his little dog, Jacky-boy.

Affiliations and Expertise

Senior Vice President for Security Technology, Radian Group, Wayne, PA, USA
