
Explore the CISSP framework across eight domains, including security and risk management, asset security, security architecture and engineering, and identity and access management.
Shamier introduces himself as a trainer with IT consulting, sysadmin, and solution architect, highlighting information security, cloud system administration, identity service management, asset management, and CISSP and AI certified credentials.
The CISSP experience requirements: five years of full-time work in two or more domains, or four years with a college degree; certain certifications may waive one year.
Explore two CISSP exam formats: CAD-based adaptive testing and linear CAT; CAD lasts 3 hours with 100–150 questions, and CAT adapts to ensure a fighting chance.
Lasts six hours with 250 questions and innovative items in the linear CISSP exam. The exam offers a passing score of 100 out of 1000 and is available in languages.
Understand CISSP exam retake rules: you may attempt up to three times per year, with 30-day, 90-day, and 180-day waiting periods and a $649 fee per attempt.
Summarize the average CISSP domain weights across eight domains—15%, 10%, 13%, 13%, 13%, 12%, 13%, and 11%—and note that domain 4 drops to 13% while domain 8 rises to 11%.
Master cat exam tips: allocate 80 seconds per question, eliminate wrong options, read questions and answers carefully, and use a dry erase board before the test.
Explore security and risk management fundamentals, including ethics, governance, and policy frameworks. Emphasize risk modeling, supply chain risk, business continuity planning, compliance, and legal and regulatory issues.
Identify and classify assets, define requirements, and establish asset ownership and handling and data management. Apply security controls and meet compliance requirements.
Explore fundamentals of security engineering, secure design principles, vulnerability management, cryptographic concepts, attack awareness, and site and facility controls within domain three.
Explore network architecture and design, implement device security, and examine models of communication network security, including IoT, TCP/IP and the OSI model, security protocols, and secure design technologies.
Explore identity and access management as a layer, covering physical and logical access control, authentication systems, and lifecycle management from creation to revocation of IDs, defending against access control attacks.
Compare security assessments and tests, apply audit strategies, and perform security control testing while collecting data, reporting findings, and conducting audits.
explore day-to-day security operations, from provisioning resources and patch management to incident response, logging, monitoring, and maintaining business continuity plans, with emphasis on protecting human life.
Explore domain eight of software development security, covering system development controls, programming languages and concepts, secure coding standards, software testing, assurance, and vulnerabilities.
Review the CISSP exam policies and procedures before registering to understand the examination requirements. Access the comprehensive breakdown via the following link to ensure informed preparation.
Review the references and check the square link for the SCI specification to complete the introduction. Join the next lecture for continuation.
Master security and risk management concepts, including governance, policies, and guidelines, personnel security, threat modeling, supply chain risk management, and business continuity planning with legal and regulatory issues.
Explore the essentials of professional ethics by examining the code of professional ethics and your organizational code of ethics.
Define ethics as doing what is morally right and distinguish right from wrong, and apply this in any situation while promoting professional ethics and organizational codes of conduct.
Explore the (ISC)2 code of professional ethics, including the canons and preamble that uphold society's safety, the common good, as a condition of certification.
Define the organizational code of ethics as policies guiding ethical business conduct, also called code of conduct or code, reflecting company values, ethics, objectives, and responsibilities within the organizational culture.
Review the code of professional ethics to remember for life, and explore how consultants and lawyers shape ethical codes within organizations to maintain certification.
Explore security terminology, explain the CIA triad and D&D triad, and examine triple-A services and protection mechanisms to build foundational information security concepts.
Introduces key security terms such as information security, cybersecurity, asset, vulnerability, threat, risk, subject, and object.
Protect information across all forms and media by preventing access, use, disclosure, disruption, modification, inspection, recording, or destruction, regardless of where it is created or stored.
Learn how cybersecurity, a subdiscipline of information security, protects electronically stored information and differs from broader information security, including scenarios like USB drives.
Define an asset as anything with value to a company, tangible or intangible, including human resources.
Identify vulnerability as a weakness in the system that allows a threat to compromise security.
Identify a threat as a potential danger tied to exploiting a vulnerability, representing the bad outcome that can occur.
Assess risk as the possibility of damage, destruction, or disclosure. Evaluate the likelihood of a threat exploiting a vulnerability and its business impact.
Understand how a subject acts as an active entity in a system, seeking data from passive objects like files and processes, including a user launching a program.
Identify how an object acts as a passive system that provides information to active subjects. Explore examples like games, file databases, software processes, and storage media as data sources.
Explore the CIA triad of confidentiality, integrity, and availability and how organizations tailor security priorities to CIA, AIC, ICA, or hybrid approaches.
Explore how confidentiality guards against unauthorized access and disclosure, protecting data stored and in transit.
Achieve confidentiality through discretion, concealment, secrecy, privacy, seclusion, and isolation. Explore how these concepts shape the confidentiality topic within the CISSP course.
Explore threats to confidentiality, from poor user training to social engineering, and implement countermeasures like personnel training, access control, encryption, data classification, shielding, and authentication.
Ensure data integrity by guaranteeing accuracy and reliability, with access by authorized subjects only, preventing unauthorized modification and detecting alterations in storage, in transit, and in use via checksums.
Identify and counter integrity threats such as unauthorized data access, data alteration, and malicious modifications. Implement countermeasures through strict access controls, interface restrictions, encryptions, and hash verifications, with personnel training.
Ensure availability by granting access only to authorized subjects and delivering resources promptly within an acceptable performance level, illustrated by bank login and email-based access.
Identify threats to availability, including disasters, equipment failure, and attacks, and apply countermeasures such as training, backups, redundancy, and performance monitoring to protect confidentiality, integrity, and availability.
Explore the DAD triad as the opposites of the CIA triad, with disclosure opposing confidentiality, alteration opposing integrity, and destruction opposing reliability.
Explain how disclosure, alteration, and destruction relate to the CIA triad, including unauthorized object alteration, data modification, and resources becoming inaccessible or damaged.
Identify, authenticate, authorize, audit, and account for all user actions, validating unique identities with usernames and passwords. Track privileges, log events, and review logs to hold subjects accountable.
Explore protection mechanisms, learn defense in depth concepts, and apply data hiding and encryption to safeguard information across systems.
Explore defense in depth by examining multilayer security controls—administrative, physical, and technical—guided by policies, procedures, standards, and the castle approach.
Abstraction groups homogeneous objects into roles or classes and assigns collective permissions. Classifying objects and applying rules to a subject simplifies privilege management and reflects object oriented programming principles.
Explore data hiding as obfuscating data to prevent discovery or access, and examine its role in multilevel secure systems like PDMP, where data is processed at multiple levels.
Explore how the magic of math converts data into an intelligible form using algorithms, with encryption types including symmetric and asymmetric.
Explore the difference between cybersecurity and information security, and begin exploring encryption, using Wikipedia as a starting point for foundational concepts in information security.
Explore security governance principles, define information security governance, compare security governance with security management, examine third-party governance, and review relevant documentation.
Learn governance as the process of how an organization is managed, including rules, norms, and actions that drive direction and accountability. Explore risk management, resource optimization mechanisms, and operations.
Define information security governance as the system directing information security. Distinguish governance from IT security management, recognizing cybersecurity as a subset of information security and guiding with policies and processes.
Clarify the roles of security governance and security management as oversight and implementation. Understand how governance handles policy and accountability, while management handles decision rights, resources, and project planning.
Explore how licensing, contractual obligations, and industry standards drive external entity oversight of third parties. Auditors verify governance, policies, procedures, and implementations to prevent reputational damage, operational risks, and penalties.
Perform a documentation review by verifying security objectives and standards against records before onsite inspections, ensuring completeness and accuracy to prevent noncompliance and authorization risks.
Review the missed ESP series, its full length and DMG length, and explore third party governance through the provided link.
Explore how security functions align with organisational processes and roles, implement security management plans, and apply a security control framework with due care and due diligence.
Align security functions with strategy, goals, mission, and objectives to ensure cohesive governance, with security policy included and a top-down approach requiring management approval.
Align the organization’s strategy, goals, mission, and objectives with its vision and mission statements, translating long-term plans and tactics into action plans that support the overall business.
Define security policy as addressing all issues across the entire organization, not just information security, and show how top level, physical, and administrative policies form the broader security policy.
Top management drives the security program by defining policies, while mid-level management translates them into standards, baselines, guidelines, and procedures; staff implement and end users follow.
Secure management approval is essential to enable an action plan and an effective security policy; educate top management on risks, liabilities, exposure, and residual risks for success.
Top management bears security management responsibility, guiding the development, implementation, and enforcement of security policies by an information security team such as the CSO or ISO.
Explore strategic, tactical, and operational security management plans, defining five-year strategic objectives and security functions, mid-term goals for about a year, and detailed short-term SOP-based project plans.
Organizational processes align with the mission to support information security strategy and mitigate risks such as ROI shortfalls, data loss, outages, and information disclosure during acquisitions and divestitures.
Identify organizational roles and responsibilities, such as senior manager, security professional, asset owner, and data owner, and explain how they sign off on security policy and classify information and assets.
Define roles for custodian, asset owner, and auditor to implement protections per security policy, ensure CIA triad protection, assign asset risk levels, and verify baselines and standards.
Compare security control frameworks such as ISO/IEC 27000 series, Nest RMF, Nest CSF, and ITEL, and learn how they govern information system security and privacy controls.
Explore the difference between due care and due diligence, and learn how reasonable, prudent management protects an organization's assets, with exam-focused examples.
Examine references for security policy and standards, including the BCP article and ISO/IEC 27000 family, and review Qubit Nest SP 853, RMF, and CSF.
Explore how policies, standards, procedures, and guidelines shape an organization's information security framework, including high-level policies, mandatory standards, minimum baselines, and detailed implementation procedures.
Explore personnel security by detailing personnel management across employment, vendor, consultant, and contractor controls, including contract duration and increments, plus compliance, privacy, and security awareness training.
Outline detailed job descriptions for admin security roles and DBA, clarifying tasks, responsibilities, and security classifications, while highlighting separation of duties, redundancy, cross training, audits, and fraud detection.
Implement employment screening, onboarding, and termination processes, including revoking credentials, exit interviews, and escorts during departures, with access controls across transfers, accounts, devices, and assets.
Screening and hiring must be proportional to the position's sensitivity defined by job description, using background, reference, education verification, online background checks, and security clearance validation to ensure due process.
Master onboarding, offboarding, and termination by signing employment agreements and policies, including acceptable use policy, applying rule-based access control, revoking access, notifying security personnel, and conducting exit interviews.
Examines transfers across departments or locations, including creating and blocking accounts, adjusting security clearance, and applying least privilege and access control, with notes on fire and rehire implications.
Explore agreement policies and procedures, including security policies, acceptable use policies, or NDAs, and NCAA's mandatory vacation review and audits for privileges, job descriptions, and work tasks.
Implement vendor, consultant, and contractor controls to reduce external risk, define performance levels and client expectations, outline compensation and consequences, and use MOUs and SLAs with clarity.
Compliance means adhering to laws, policies, regulations, standards, guidelines, baselines, or requirements, and serves as a key part of security governance.
Define privacy as the active prevention of unauthorized access to personally identifiable information, and explore how legislation and regulations such as HIPAA, GDPR, PCI, and DSS protect PII.
Focus on security awareness, education, and training to change user behavior and strengthen company security. Adopt safe practices such as avoiding sticky notes for passwords and using multi-factor authentication.
Explore references by revisiting the ISP link and researching compliance articles on Wikipedia to understand privacy concepts.
Experience risk management concepts and risks, presented for practical relevance in information security and CISSP study contexts.
Identify and assess risks to reduce them to an acceptable level, implement cost-effective solutions, and have top management conduct risk assessment, analysis, response, and monitoring.
Learn risk terminologies in cis sp, including asset valuation, threats, threat actors, and attack vectors, and how accidental or intentional exploitation of vulnerabilities informs risk management.
Clarifies risk terminologies by distinguishing vulnerability, exposure, and threat, and explains how attacks exploit vulnerabilities to trigger breaches. It emphasizes safeguards, controls, and risk analyses to reduce or mitigate risks.
Identify all possible threats against each asset by listing threat agents and threat events. Acknowledge that threats can originate from anywhere, including non IP sources, referencing SB 831 revision one.
Identify and rank risks by asset-threat pairs using quantitative and qualitative methods, then combine them in a hybrid approach for a complete risk assessment.
Learn quantitative risk analysis by valuing assets, applying exposure factor and single loss expectancy, and using annual rate of occurrence and cost-benefit analysis to evaluate safeguards.
Multiply the asset value by the exposure factor to get 160,000, then multiply by the annual rate of occurrence to yield 80,000.
Quantitative analysis is a scenario-based approach that ranks on a relative scale to evaluate the risks, costs, and effects, and it involves judgment and experience.
Explore qualitative risk analysis by applying techniques such as brainstorming, focus groups, surveys, questionnaires, interviews, scenarios, Delphi technique, and checklists to assess risks to assets.
Explore risk responses, including mitigation with safeguards, risk transfer to insurers, and acceptance when leadership tolerates risk. Deterring threats and avoiding risks protect assets, while rejection or ignorance are unacceptable.
Apply cost-benefit analysis to safeguard selection, ensuring cost is less than benefit and addresses a real problem. Favor testable, uniform, dependency-free protection with fail-safe and privileged-access overrides, not secrecy.
Explore safeguard and countermeasure implementation within a layered defense, including administrative controls such as policies, procedures, and processes, plus logical, technical, and physical protections.
Identify and categorize security controls by type, including preventive, deterrent, detective, compensating, corrective, recovery, and directive controls, with examples like IPS, CCTV, anti-malware, backups, and policies.
Learn how security control assessments evaluate the effectiveness of security controls and strengthen risk management processes, identifying strengths and weaknesses with ESP 853 guidelines for a federal information system.
Learn to test and measure the effectiveness of security controls, ensure safeguards are testable, and apply native or external monitoring with event recording before and after deployment, plus cost-benefit analyses.
Produce accurate, timely, and comprehensive risk reports for internal, third-party, or public audiences, reflecting a point-in-time risk analysis. Update risk registers daily to document all identified risks.
Continuous improvement emphasizes periodic risk analysis and assessment, providing a point-in-time view to adapt security governance and solutions to evolving threats, including zero-day vulnerabilities and signature-based or heuristic anti-malware updates.
Explore the landscape of risk management frameworks, including the risk management framework (RMF), cybersecurity frameworks, and enterprise risk management approaches.
Offer references for IT risk management and risk management frameworks related to CISSP concepts discussed in the lecture.
Explore threat modeling and what it is all about, outlining its core idea and relevance to the CISSP topic.
Identify, categorize, and analyze potential threats through a security process that can be proactive during design and development or reactive after deployment.
Identify threats by focusing on assets, potential attackers, and their goals, then analyze attacks against assets and the software development process.
Explore common threat models and schemes used to identify and categorize threats, including the security development lifecycle model and STRIDE, highlighting the three most important models frequently tested on exams.
Learn Microsoft's security development lifecycle (sdl), also called sd three plus c, emphasizing secure by design, secure by default, and secure deployment and communication, while minimizing design and coding weaknesses.
Explore STRIDE, the Microsoft-developed threat model, covering spoofing, tampering, repudiation, information disclosure, denial of service, and escalation of privilege.
Apply a seven-stage threat analysis framework, beginning with defining objectives and the first definition of technical scopes to drive risk-centric thinking.
Explore other threat models beyond the core frameworks, including vast visual, agile, and simple trap and try, while noting the breadth of terms relevant to CISSP exam prep.
Diagram potential attacks by mapping data flows and security boundaries across nodes and zones, then assess phone, Windows, Linux, Mac differences and attacks—technical, logical, physical, social—plus VPN and encryption needs.
Performing reduction analysis decomposes an application, system, or environment using five concepts—trust, boundaries, data flow paths, input points, and privileged operations—to support threat modeling, and understanding front-end to back-end logic.
Prioritize and respond to threats by ranking and rating them, using methods such as probability, damage potential, and severity, with risk matrices or heatmaps, and optionally a breath system.
Examine the dread model, a mix of terms such as damage, potential for stability, exploit stability, affected user, and discoverability.
Explore references to show how to use the ICCPR link and the BCP link for models, and cover stride, CRUD, and other models discussed.
Identify how supply chain risk management reduces inherent risk by integrating risk practices in procurement, such as a laptop with Windows 7 end-of-life that could expose the corporate environment.
Explore business continuity planning (BCP) to reduce disruption and protect mission-critical operations, including policies, plans, and procedures, and the relationship to disaster recovery planning (DRP).
Define project scope and planning by identifying business organization analysis, selecting a cross department BCP team, and detailing resources and regulatory requirements for BCP development, implementation, testing, and maintenance.
Identify and prioritize risks with quantitative and qualitative risk analysis, assign asset values to business processes, and define recovery point objectives and recovery time objectives.
Identify risks to address in the business continuity plan, balance risk acceptance and mitigation, and plan for disasters with resources, personnel, facilities, and cloud-based alternatives.
Articulate how plan approval and implementation align top management, budget, and resources to maintain a live, highly classified business continuity plan, reflecting organizational changes and enforcing need-to-know access and training.
Explore references drawn from civic Wikipedia articles and a Wikipedia article on business continuity planning, plus the IOC square, to reinforce CISSP concepts.
Explore compliance, legal, and cultural issues by examining categories of laws, and understanding compliance, contracting, and procurement processes.
Compare criminal, civil, and administrative law: enacted by legislation or agencies with distinct goals; penalties include fines or imprisonment for criminal and administrative, and fines for civil law.
Explore laws governing computer crime and intellectual property, and identify licensing, import and export privacy, and state privacy laws relevant to CISSP questions.
Explore computer crime and the computer fraud and abuse act as federal sentencing guidelines, and the role of the National Institute of Infrastructure Protection, FSMA, and cybersecurity enactments.
Identify copyrights, trademarks, and trade secrets as core forms of intellectual property. Explain how nondisclosure agreements, the DMCA, and the Economic Espionage Act protect organizational IP.
Explore licensing models in software, from contractual agreements and shrink-wrap licenses to click-through and cloud service licenses, and compare their basic differences.
Explore managing transborder data flow for technologies, intellectual property, and PII under ITAR, National Traffic Arms Regulation, United States Nationalist Export Administration Regulation, and the CCL and encryption export controls.
Explore major US privacy laws by name, including the Fourth Amendment Privacy Act of 1974, Electronic Communications Privacy Act, HIPAA, Gramm-Leach-Bliley Act, FERPA, and Identity Theft and Assumption Deterrence Act.
Explore data protection across regions: European Union privacy laws, Data Protection Directive, GDPR, General Data Protection Regulation, and Canadian privacy law, Personal Information Protection and Electronic Document Act.
Explore state privacy laws, including the CCPA, detailing rights to know what is collected, its purpose, processor rights, and opt-out rights, plus four key exam points.
Clarify compliance policy and regulatory obligations that link security regulation to contractual requirements. Prepare for audits and reporting under PCI, DSS, SoCs, HIPA, ISO 37,001.
Perform contracting and procurement with rigorous security reviews and vendor governance, tailoring contracts, analyzing clients, and auditing third-party services including MSPs and cloud vendors.
Highlight references to United States privacy laws and related regulatory frameworks in the lecture. Explore how these references inform information security practice.
Review professional ethics, security concepts, governance, and policies, procedures, standards and guidelines; cover risk management concepts, supply chain risk management, business continuity planning, compliance, and legal and regulatory issues.
Explore the core CISSP domain concepts, including confidentiality, integrity, and availability, governance, ethics, and training. Examine risk management, threat modeling, and policy development within a global regulatory context.
Explore asset identification and classification, ownership and handling requirements, and asset and data management, guided by security controls and compliance considerations in asset security.
Identify assets and classify them by defining sensitive data and applying data and asset classification, noting data states.
Define sensitive data with a clear baseline beyond public or unclassified, and identify what to protect. Use laws like HIPAA and PCI DSS, then classify and label data.
Explore data sensitivity, classification policy, criticality, and ownership roles such as data owner, system owner, custodian, and information security officer, with government and civilian models.
Explore the government and military data classification model, with top secret, secret, confidential, and unclassified levels, plus sub classifications like office use only and sensitive but unclassified for national security.
Learn how to classify data based on potential adverse impact from a data breach and create your own classification labels.
Navigate government and military data classifications from top secret to unclassified, including secret and confidential, and sensitive but unclassified. Apply criteria tied to exceptionally grave damage in exam questions.
Apply data classification labels, such as confidential, proprietary, private, sensitive, or public, to non-government data, using color codes or tiers and definitions to drive adequate security.
Classify assets in alignment with data classification by applying correct labels such as top secret, secret, or confidential, and clearly mark hardware to guide permissible processing and storage.
Explores data states—data at rest on drives and backups, data in transit over networks, and data in memory buffers—and shows how to protect them with symmetric and asymmetric encryption.
Review references and declassification practices, citing data management and classified information, personal data, and protected health information, with a note to consult the Wikipedia article for data management.
Explore asset ownership and handling requirements, and outline data rules related to asset handling within CISSP objectives.
Explore data roles such as data owner, asset owner, data controller, and data processor, including how classification, encryption, and access controls protect sensitive information.
Data owner sets data classification, and custodians maintain protection per that classification, implementing discretionary access control (DAC) and tagging data for access; users are anyone who accesses the data.
Explore asset handling requirements by examining maintenance, marking, and labeling, and clarify the difference between marking and labeling, with notes on weight loss prevention.
Maintain data security by organizing and protecting data while closing gaps between networks, using one-way data transmission, physical separation, and hardware-software solutions, and reviewing policies during maintenance.
Differentiate marking for people from labeling for machines to help users identify data and asset classification levels. Apply physical labels, watermarks, and metadata tags for system applications and software.
Discover data loss prevention (DLP) systems that detect and prevent data exfiltration using keywords, data patterns, and classification tags across endpoints, files, and external devices.
Consult the InfoSec Institute resources for references on data ownership and data loss prevention, and read the recommended article about this topic.
Master asset and data management by handling information assets, eliminating data, and enforcing asset retention for remittance data.
Limit collection to data with purpose, guarding against liabilities and alteration; safeguard onsite, offsite, and cloud locations with physical, logical, and administrative controls, retaining or destroying as required by law.
Learn how data remnants persist after erasure and how sanitization prevents recovery, then compare erasing methods—from simple delete to clearing, deleting media, and purging logs for secure reuse.
Eliminate data remanence by physical destruction for magnetic media, not affect CDs, DVDs or SSDs, and use cryptographic erasure in cloud storage by deleting encryption keys to render data inaccessible.
Data and asset retention begin with policy, with information security policy part of the security policy. Emphasizes record and system retention and employees as assets, plus privacy, standards, laws, regulations.
Form the references by consulting Wikipedia, the IAC organization for data reminiscence, and NIST's media sanitization guidelines, including a special publication like 888, plus data retention.
Explore how security baseline and data security control fit within security controls and compliance requirements for domain two.
Learn how to use security baselines to guide gathering, scoping, and selecting standards for consistent security configurations.
Explore the NIST SP 800-53B control baseline for information systems and organizations, detailing a thorough, comprehensive list of baselines and controls, including low, moderate, high impact and privacy baselines.
Tailor security controls to your organization’s needs through scoping, selecting controls that apply, and eliminating those that don’t, based on business model and assets.
Adopt a well-crafted standard to establish a baseline, the minimum level of protection. Meet mission regulations and industry requirements such as GDPR and PCI DSS for continuous security improvement.
Explore data security controls, including drm rights management with licenses and automatic expiration. Review the cloud access security broker that monitors and enforces security, and uses tokenization, normalization, and anonymization.
Review the references and the public special publication 853 to understand how authoritative sources inform CISSP concepts.
Review domain 2 covers asset classification, ownership rules, data owners, handling requirements, asset and data management, security controls, and compliance considerations across government and private sector regulations.
Review domain 2 concepts in privacy, data owners and processors, information classification by sensitivity and criticality, and destruction policies, plus encryption across data at rest, in transit, and in use.
Explore security architecture and engineering, including security models like Bell-LaPadula and Biba, testing controls, memory protection, vulnerability management, and cryptography basics: symmetric and asymmetric, cryptographic attacks, site and facilities protection.
Explore fundamental security engineering processes and secure design principles, including open vs closed systems, open source vs closed source, CIA controls, and trust and insurance.
Identify subjects as active entities in a system and objects as passive identity; explain how access control manages a subject's access to an object, with admins having full control.
Open systems rely on open industry standards, enabling easy integration but offering lower security; defense in depth protects these systems, while closed systems use proprietary designs for greater security.
Compare open and closed source, explain open source public code and community updates, proprietary closed source code, vendor updates, and cross-applicability in open and closed systems.
Apply confinement, bounds, and isolation to protect confidentiality, integrity, and availability by restricting process actions and preventing cross-program memory access.
Understand mandatory access control with security labels and data classification, need-to-know principles, and discretionary access control by owner control via ACL, plus rule-based access control with firewalls.
Define trust and assurance through trusted systems that stay secure after reboot, crashes, or updates, embracing zero trust and trust but verify as assurance of security needs.
Review essential references for the CISSP course, and examine Esquire self-cited resources for supplementary context on security concepts.
Discover security models that underpin all computing architectures, across Android, Windows, Linux, Macs, and Unix. Examine mandatory, rule-based, and attribute-based access controls and the trusted computing base.
Define the trusted computing base as the total protection of a system, combining hardware, software, and controls to enforce security policy via a reference monitor, security kernel, and trusted paths.
Explore the state machine model, defining state as a snapshot of a system and transitions as inputs that yield outputs and new states, forming a secure foundation for security models.
Explain how the information flow model governs data movement across security levels and how noninterference constrains subject actions, ensuring secure state machine transitions within the trusted computing base.
Explore the Bell-LaPadula model, a confidentiality-focused multilevel security policy, defining top secret to classified levels and rules of no read up and no write down.
Examine the Biba model to enforce integrity by prohibiting write up and read down, highlighting its inverse relationship to the Bell-LaPadula confidentiality model.
Explore the Bell-LaPadula and Biba models, focusing on confidentiality and integrity of information. Remember the four properties, including no read up and no write down.
The Clark-Wilson model enforces data integrity by requiring access to constrained data items through controlled programs or a restricted interface, using integrity verification procedures and transformation procedures.
Explore security models, including the Chinese wall for conflict of interest, and the Graham Denning model's secure creation of objects and subjects with eight protection rules, domain separations, and integrity.
Review key CISSP references, including the square self-study resource link, and core security models such as LaPadula, Clark Wilson, the trusted computing base, and information flow and non-interest model.
Explore the Rainbow series and evaluation models, then compare certification and accreditation to clarify their differences in control selection.
Explore the Rainbow Series, a DoD set of computer security standards and guidelines for evaluating trusted systems, including the Orange Book and password and network security requirements.
Compare three key evaluation models: the Orange Book (TCSEC), the ITSEC European standard, and the current Common Criteria (IEC 15408) with IL levels 1 through 7.
Learn the common criteria evaluation model and memorize L7 through L2 levels and their designations, from formally verified security to structured and discretionary security, to identify protection levels.
Evaluate a system against specific security requirements using a detailed checklist and testing through certification. Accredit the system as a declaration by top management that it meets organizational security needs.
Access essential references such as the Rainbow series and orange book, FTC, and SEC, and understand how common criteria guide testing and evaluation of firewalls, systems, and security.
Explore the security capabilities of information systems, including memory protection, virtualization, the trusted platform module, and TPMB interfaces and wall tolerance.
Memory protection safeguards data in use by enforcing bounds and isolation, protecting memory and loaded data; Spectre and Meltdown threaten isolation between OS and apps, enabling data theft or disruption.
Explore virtualization basics, including type one bare-metal and type two hypervisors, and their advantages, costs, space savings, legacy OS support, plus vulnerabilities such as VM vulnerabilities and hyperjacking.
Explore the trusted platform module, an international standard crypto processor that stores and processes crypto keys as a hardware security module on motherboards or USB dongles.
Explore interfaces as connections for data exchange across hardware, software, and user interfaces, including hardware ports and usb, apis that restrict privileges, and browser-based login interfaces.
Understand fault tolerance as a system’s ability to continue operating despite faults by using redundant components to avoid a single point of failure, including active-active and active-passive configurations.
Review references and self-study resources, including TPMB Wikipedia article, and connect Meltdown and Spectre vulnerabilities and memory errors to hardware, software, UI, API, interfaces, and the VB article on interfaces.
Explore vulnerability management in security architectures and designs, including edge, embedded devices, endpoints, serverless, and cloud-based systems, and apply protection techniques against architectural flaws and security issues.
Outline cpu execution types—multitasking, multiprocessing, multi programming, and multi-threading—and their impact on concurrent computing. Describe process states and protection rings, from ring zero kernel mode to ring three user mode.
Explore processor security modes—dedicated system, system high, compartmented, and multi-level—and how classification, clearance, and need-to-know govern data access. Review memory types from ROM to RAM, secondary storage, and paging.
Understand firmware as software stored in ROM, including BIOS that runs Cisco switches. Identify EFI unified extensible firmware interface as the latest, offering improvements and secure boot.
examine client-based systems, applets, and the roles of ActiveX and Java virtual machines in managing local caches, DNS, host file modifications, spoofing risks, and ARP poisoning countermeasures like split DNS.
Learn how server-based systems manage processes, devices, and networks, enable load balancing, control data transmission, and defend against threats like denial-of-service attacks across Windows, Linux, and Xen environments.
Explore distributed systems as interconnected computing and storage resources that support services and resources. Learn how data locations and interdependence create vulnerabilities that threaten the whole system if not protected.
Explore high-performance computing systems and real-time operating systems that enable ultra-fast compute, network, and storage with minimal latency.
Learn cloud computing foundations, including private, public, hybrid and community clouds, compare serverless, containerization, and virtualization, and examine iaas, paas, and saas service models.
optimize data delivery by locating edge compute resources near the end user to reduce latency and bandwidth, with fog systems collecting sensor data for centralized processing.
Identify how industrial control systems, including PLCs, run on older operating systems with limited memory, and apply defense in depth to secure these vulnerable systems.
Protect endpoints by securing device hardware, encrypting storage, and implementing remote wipe and tracking. Enforce app controls, credential management, BYOD policies, and MDM to secure embedded devices and cyber-physical systems.
Examine critical security protection mechanisms, including security policy, defense in depth, and hardware and network segmentation for BYOD and corporate devices, plus continuous monitoring and disaster recovery for high availability.
Examine common architectural flaws and security issues, such as input validation, maintenance backdoors, trust recovery, salami attacks, timing and radiation exploits, and defenses in service oriented architectures.
Review four references on security modes and distributed systems, with linked articles from USGS and the VB article, noting that supercomputers relate to HBCUs.
Explore references on civil centralization, edge fog, and ICS embedded in cyber-physical systems. See how legacy embedded systems are automated, monitored, or controlled for the CISSP exam.
Explore cryptographic concepts, solutions, and attacks, starting with the foundation of modern cryptography and applied cryptography, and concluding with cryptographic attacks.
Explore the goals of cryptography, cryptographic concept, and cryptographic mathematics, and clarify the difference between codes and ciphers.
Protect confidentiality, integrity, authentication, and non repudiation through cryptography, with encryption securing data and keys enabling or denying access. Identify who locked and unlocked the message to ensure non repudiation.
Clarify core cryptography terms by defining plaintext, ciphertext, encryption, and decryption; identify the role of a key and key space, and explain key size.
Explain how cryptography relies on public algorithms with private keys, emphasizing public keys in asymmetric systems and private keys kept secret to secure communication through the crypto system.
Explore cryptographic mathematics, covering boolean algebra for bitwise operations, one-way functions and work factor, modulo arithmetic, and the concepts of split knowledge, separation of duties, and zero-knowledge proofs.
Examine codes and ciphers as symbols for words or phrases. Codes lack confidentiality, while ciphers provide it, with examples like Morse code, transposition and substitution ciphers, and one-time pads.
Explore key references for CISSP study by checking the self-study resource link, and leverage authoritative materials to reinforce concepts and exam readiness.
Explore modern cryptography by examining hashing, then symmetric key cryptography and asymmetric key cryptography in this overview.
Learn how hashing transforms variable-length input into a fixed-length digest, enabling one-way, collision-resistant integrity verification and checksums, with examples like sha variants and md5.
Symmetric key cryptography uses the same private key for encryption and decryption, offering speed but facing scalability, key management, and repudiation challenges, with des and triple des shown as outdated.
Explore symmetric key cryptography with the advanced encryption standard, noting 128/192/256 bit keys, 128 bit blocks, and 10/12/14 rounds, to show why aes remains widely used.
Explore the challenges of symmetric key management, from distribution and destruction to the keys-per-user explosion, and why offline exchanges push alternative approaches such as zero encryption standard.
Explore asymmetric cryptography with public and private keys and a public key infrastructure, delivering integrity, authentication, non-repudiation, and confidentiality with simpler individual key management.
Explore asymmetric key cryptography, including Diffie-Hellman key exchange, RSA and El-Gamal, and the advantages of elliptic curve cryptography for smaller key sizes with equal security.
Explain asymmetric key cryptography, private key privacy, and long randomized keys with rsa or sec options. Establish key management policies, automated revocation, and backups for keys and certificates.
Explain public key infrastructure, using public and private keys to encrypt and decrypt messages, and how X.509 certificates, certificate authorities, enrollment, verification, and revocation (CRL/OCSP) secure online identities.
Digital signatures use private keys to sign data and public keys to verify, delivering integrity, authentication, and non-repudiation, not confidentiality. Standards include DSA, RSA PKCS, and ECDSA.
Explore the cryptographic lifecycle and why systems must protect data for as long as it remains valuable, guiding algorithm choice, key length, and key creation and destruction.
Explore references and self-study resources, verify integrity with hashing, and understand symmetric versus asymmetric cryptography, key exchange on an insecure channel, and the PCI ISA Digital's signature algorithm.
Explore applied cryptography in internet apps, covering TLS/SSL certificates, symmetric and public-key cryptography, signing and encrypting data, and email security with PGP, also TPM crypto processors, DRM, steganography, and watermarking.
Review references and linked materials for CISSP concepts, including triple signing, encryption, and a final digital signature with digital certificates; explore SMS steganography notes and related videos/links.
Explore cryptographic attacks, from analytic attacks on algorithm logic to implementation attacks that exploit flawed key handling, brute force, fault injection, side-channel observations, and frequency analysis.
Explore cryptographic attack techniques, from key-focused chosen plaintext and chosen ciphertext attacks to meet-in-the-middle and collision attacks, along with replay and birthday paradox concepts.
Explore four references, the IAC square link, and self setting resources for cryptographic attacks, using easy, memorable slides. Google the topics to pass the CISSP exam with concise study materials.
Explore security principles for site and facility design, evaluate site visibility and security controls, and examine physical security within the CISSP domain of site and facility selection.
Develop a secure facility plan by integrating security staff input, critical path analysis, and converged technologies. Evaluate site selection and facility design for visibility, materials, emergency response, and local hazards.
Explore site and facility security controls across administrative, technical, and physical layers, applying defense in depth to deter, deny, detect, and delay intrusions.
Assign roles, enforce chain of custody for media, store in locked cabinets, perform sanitization, and track check-in/check-out with hashes to ensure integrity while isolating networks and enforcing data classifications.
Explain fire safety within site and facility security controls, covering the fire triangle, detection systems, and suppression methods. Review extinguisher classes A through D, halon ban, and FM-200 alternatives.
Secure facilities with perimeter controls such as guards, dogs, fences, lights, alarms, and turnstiles, then enforce two-factor authentication and motion detectors to protect safety, privacy, and related policies.
Explore the references and easy, self-explanatory definitions presented in these slides, making key CISSP concepts memorable without lengthy googling or external reading.
Explore security engineering, secure design principles, and cryptography basics—from symmetric and asymmetric schemes to PKI and digital signatures—covering architectures, cloud, IoT, and site controls.
examine domain 3 review of the CISSP, detailing security architecture design, confidentiality and integrity concepts, security controls, cryptography lifecycle, and securing client-server and distributed systems.
Explore secure network architecture and design, defining security boundaries and topologies. Review tcp/ip model, ipsec and tls protocols, firewalls, network access control, vpn, and common network attacks.
Define secure network architecture and design by examining security boundaries, entry protocols, and IP class differences across communication technologies, followed by a site survey.
Define security boundaries by aligning controls to your organization's business model and data classification, then label and mark physical and logical limits to enforce need-to-know and clearance.
Explore the concept of protocol security, focusing on secure communication protocols and authentication protocols, and understand how each protects data and access.
Explore the most common secure communication protocols, including IPsec, Kerberos, SSH, SSL/TLS, and secure RPC, with detailed coverage in the following slides.
Explore IPsec, a standard security extension that uses public key cryptography to provide encryption, authentication, and non repudiation for VPN connections in IPv4 and IPv6, in transport and tunnel modes.
Kerberos enables network security through SSL single sign-on, protecting login credentials with symmetric key cryptography and AES, authenticating subjects and issuing access tickets to resources.
Explore secure shell (SSH) as an end-to-end encrypted transport protocol used for host-to-host communications and VPN link encryption, serving as a protocol decryptor alongside other protocols.
Explore signal protocol as a cryptographic, end-to-end encrypted solution for voice, video conferencing, and messaging services, noting its non federated design, exam implications, and when alternatives may be used.
Apply secure remote procedure call (S-RPC) as an authentication service to protect cross-network communications and prevent unauthorized code execution on remote systems.
Explore TLS as a widely used encryption protocol operating at layer four of the OSI model, enabling secure communications, especially via HTTPS, and encrypting any application layer protocol.
Explore authentication protocols, from the simple password authentication protocol to challenge-handshake methods, and learn about extensible authentication protocol and common variants like LEAP, PEAP, and TLS.
Explain how the password authentication protocol transmits usernames and passwords in clear text, with no encryption. It is obsolete and should be avoided; do not rely on PAP.
Master the challenge-handshake authentication protocol (chap), using server-issued random challenge and password hash to produce a non-replayable response. Note md5 is no longer secure, and MS-CHAP v2 offers improved security.
Explore extensible authentication protocol as a framework for authentication used with smartcards, security tokens, and biometrics. Review methods like LEAP, PEAP, and EAP-TLS, and how TLS tunnels enable mutual authentication.
Explore the internet protocol and IP basics, including IPv4 and IPv6, defenses, and IP classes. Review the LSM and ICMP concepts to understand network-layer security.
Compare IPv4 and IPv6, noting IPv4's 32-bit addresses with dotted decimal notation and about 4.3 billion addresses, and IPv6's 128-bit hex addresses with auto configuration and disabling rationale.
Explain IP classes A to E: A has the largest space, B 65,534 hosts, C 254 hosts, D multicast, E future use; first and last IP addresses are reserved.
Understand variable subnet masks (VLSM) to create subnets of different sizes without waste, and CIDR to count addresses with masks and merge noncontiguous address sets.
Discover icmp and igmp, essential protocols for network health and multicast management, including ping and traceroute as checks and igmp's role in multicast group membership.
Explore network topologies, transmission media, LAN technologies, and wireless networks to understand topology, communication, and technologies.
Explore common network topologies such as bus, ring, star, and mesh and their configurations. Learn the single point of failure risks and practical considerations for CISSP exam readiness.
Learn about transmission media, including coaxial cables and fiber optics, and compare baseband and broadband. Examine EMI shielding, deployment distances, speed, tapping resistance, and cost relative to twisted pairs.
Explore twisted pair cables, including unshielded and shielded options, and review cat one through cat eight, their ethernet speeds, and the 55 metre distance limit for ten-gigabit ethernet.
Explore LAN technologies and their relation to the Internet, covering analog and digital electronics, baseband and broadband, and compare broadcast, multicast, and unicast alongside LAN media access.
Explore Ethernet as a shared media technology that enables duplex communication, data frames, and LAN media access, with analog, synchronous interconnects, baseband, broadband, broadcast, and multicast.
Explain how analog signals vary in frequency, amplitude, phase, or voltage, with waveform inconsistencies affecting transmission, while digital uses discontinuous on-off pulses to create binary data.
Synchronous transmission uses a clock or timestamp for high data transfer rates, whereas asynchronous transmission relies on start-stop signaling with a limiter bit for smaller data, like PSTN modems.
explains baseband as a single communication channel and broadband as multiple channels, with examples like internet broadband using frequency modulation and dsl or cable tv over coaxial or copper cables.
Differentiate broadcast, multicast, and unicast to guide message delivery. Broadcast reaches all recipients; multicast targets multiple specific recipients; unicast delivers to a single recipient across devices.
Explore LAN media access concepts, including CSA and its types, as well as token passing and polling techniques.
Describe how carrier-sense multiple access forms a media access control protocol where nodes listen before transmitting, then use random backoff and either collision detection or avoidance (CSMA/CD and CSMA/CA).
Use token passing to control network access with a digital token, enabling transmission when held and releasing after use, a legacy technology in token and FDI networks to avoid collisions.
Manage polling by designating a primary system to query secondary nodes; the hub then controls who talks and prevents collisions by granting permission to one node at a time.
Plan the site survey by placing networking devices, using a frequency analyzer, and measuring signal strength to optimize topology and base station deployment, cabling, and minimize external access.
Review references for self-study and explore IPsec, Kerberos, and TLS basics. Compare protocol differences and learn when to use TLS for CISSP exam readiness.
Explore communication protocols, including EAP, IP addressing, and CIDR, and analyze network qualities as well as carrier access to CSA and SMS.
Explore the tcp/ip model, secure and converged protocols, and wireless and cellular networks, then review deployment architectures and firewall strategies to implement access control.
Explore the OSI model, an ISO-created abstract framework developed after TCP/IP, serving as a common reference for vendors, with seven layers where each layer communicates with adjacent layers.
Understand encapsulation by adding headers and footers as data moves from application to the physical layer; perform decapsulation by removing them on return path, and verify integrity with checksums.
Learn the seven OSI layers—physical, data link, network, transport, session, presentation, and application—in order, using mnemonics to recall the sequence from 7 to 1 or from 1 to 7.
Analyze OSI layers, from the physical layer’s raw data transmission and encapsulation to the data link’s MAC and LLC sublayers, including ARP and PGP.
Explore ip routing and addressing in layer 3/4, including subnets, routing decisions, icmp and bgp, and transport functions with devices like routers and firewalls.
Explore how the session layer manages host-to-host connections, name recognition, and security, while the presentation layer ensures data compatibility, formats, and encryption with common protocols like TLS, SSL, and ASCII.
Identify the application layer, not the software itself, which communicates with software to enable data transmission. It is closest to the end user and supports protocols like DNS and HTTP/HTTPS.
Discover the four-layer TCP/IP model—application, transport, internet, and link—and how it maps the OSI layers, with the link layer handling data link and physical tasks.
Explore secure communication protocols including IPsec, Kerberos, TLS, RPC, and WSL, and examine their applications in VPN tunnels, auditing, and access management.
Converged protocols merge a proprietary or special protocol with a standard one, avoiding new hardware. Reuse existing gear and leverage examples like San iSCSI and software-defined networking.
Explore how to secure wireless networks by configuring access points, disabling SSID broadcast, conducting site surveys, and implementing encryption protocols from WEP to WPA3, including 802.1x and MAC filtering.
Explore antenna placement and types guided by a site survey, noting obstructions and reflective surfaces. Apply captive portals, change the default password, disable the society broadcast, and use firewalls.
Explore common wireless attacks such as war driving to locate open networks, and examine threats like replay attacks, initialization vectors, and the evil twin to understand wireless security.
Explore cellular networks, including base stations, cell towers, and generations from 1g to 5g, with emphasis on encryption limits and threats like man-in-the-middle and on-path attacks.
Trace the evolution of cellular networks from 1G through 5G, highlighting GSM and CDMA for digital voice and SMS, the shift from circuit to packet switching, and mobile broadband speeds.
Firewalls manage, filter, and protect network traffic between internal and external segments, using static, stateful, deep packet inspection, gateways, and next-gen devices with IPS and content filtering.
Explore firewall deployment architectures, from single-firewall and two-firewall models to three-tier designs, detailing private networks, DMZs, transaction subnets, routers, and internet protection.
Network access control enforces security policy by using identities and privileges to grant or deny access, monitor pre and post admission states, and quarantine noncompliant devices for remediation.
Review key references, including the TCP model and firewall architectures, and compare cellular network deployment architectures and their tiers to understand where and why to use each.
Master secure communications design and technologies by examining core protocols, switching technologies, network attacks, multimedia and email security, remote access management, and virtual private networks for exam prep.
Explore secure communication protocols used in design and implementation, including ipsec tunnels, tls/ssl, https, ssh, Kerberos, secure remote procedure calls, and ldap in Microsoft environments.
Explore voice and multimedia security, including the secure real-time transport protocol for encryption, integrity, and replay protection, and countermeasures against social engineering and telephony fraud.
Assess remote meetings and collaborative environments such as Zoom, Google Meet, and WhatsApp, and secure instant messaging by applying risk assessment and security controls to meet company policy.
focus on email confidentiality, integrity, and non-repudiation; enable delivery verification; use s/mime triple-wrapping with signing and encryption; apply spf, dkim, dmarc, tls, and reputation filtering.
Implement a remote access policy as an administrative control, choose secure connection technologies with strong transmission and authentication protection, and enforce continuous logging to protect internal networks.
Explore remote access and telecommuting techniques, including remote control, screen sharing, vpn or dial-up connections, cloud or ftp services, and centralised security with radius and tacacs.
Vpn creates a secure channel over untrusted networks, enabling access control, authentication, confidentiality, and integrity between clients and servers, using ipsec or tls; availability is not guaranteed.
Compare circuit switching and packet switching: circuit switching uses dedicated paths with constant delays for voice; packet switching sends packets over connectionless networks with variable delays and data loss risk.
Identify the core WAN concepts by comparing dedicated and non-dedicated connections, including leased lines, point-to-point links, DSL variants like ADSL and VDSL, fibre optic, and SDH/SONET optical networks.
Explore common network attacks such as denial of service, spoofing (including DNS and ARP spoofing), eavesdropping, impersonation and masquerading, and replay attacks that reuse credentials to bypass authentication.
Review references for self-study resources and Wikipedia articles. Check VPNs and the SEC, and study common network attacks.
Review domain four concepts including secure network architecture and design, security boundaries, and network models. Master protocols such as IPsec, TLS, and Kerberos, along with firewalls and network access control.
Secure network design mitigates attacks by hardening hardware, endpoints, and protocols across ip networking and ipv4/ipv6, and enables secure channels for remote meetings, vpn, and tls/ssl.
Explore identity and access management basics, including physical and logical access control. Cover authentication methods and factors, the identity lifecycle, and third-party services for scripting access.
Explore physical and logical access control, examine the CIA triad, and describe how access control protects information systems.
Protect tangible and intangible assets with defense in depth by implementing physical and logical access controls and administrative controls to safeguard human safety and data in transit or storage.
Defense in depth, or the castle approach, layers administrative, physical, network, and logical security protections to safeguard systems with encryption, firewalls, and awareness.
Examine the CIA triad—confidentiality, integrity, and availability—and see how defense in depth and access controls protect these principles by restricting access to authorized subjects within a reasonable time frame.
Review references and explore defense in depth, ensuring you understand the CIA triad as the foundational concept of information security.
Explore authentication methods and factors, including types of authentication, as we review subjects and objects, delegation, and the core roles of authorization and accounting in security.
Identify subjects as active entities and objects as passive in information systems interactions, mapping users, programs, and processes as subjects to files, storage, and media as objects.
Identify subjects with unique IDs, authenticate and authorize using credentials, and determine access privileges. Audit and log activities, review accounting logs, and hold subjects accountable.
Grant access to objects based on proven entities. Enforce authorization by differentiating normal user accounts from admin privileges and declaring whether an action is allowed.
Explore how auditing, logging, and monitoring enable accountability by reviewing logs to hold users responsible for their actions, with ID and authentication required but not authorization.
explore authentication factors in this order: something you know, something you have, and something you are, and learn how type one, two, and three factors differ in strength.
Explore how authentication vectors use subject location, time, IP address, device, and platform context to define robust authentication factors and control access.
Examine authentication factors, focusing on something you know—passwords and pass phrases—and note that longer pass phrases resist brute force, while cognitive passwords and length, complexity, age, and history shape security.
Explore type two authentication factors, something you have, such as badges, smart cards with chips, and security tokens, including synchronous and asynchronous time-based tokens.
Understand type 3 authentication factor and biometrics such as fingerprints, facial recognition, and iris scans, including enrollment, throughput, and error rates like false rejection and false acceptance.
Explore authentication types, including multi-factor and passwordless methods, and examine device authentication, service authentication, and mutual application authentication.
Learn how multifactor authentication combines something you know with something you have, via Google Authenticator, and OTP methods such as TOTP and HOTP, as part of defense in depth.
Discover passwordless authentication using biometric verification and Microsoft Authenticator prompts to log in without passwords, with security keys and smartphones supported, promoted by the Vast Identity Online Alliance.
Explore device authentication in Windows domain environments, detailing LDAP and Active Directory foundations, 802.1X port-based authentication, and context-aware access control based on device health and baseline policies.
Service accounts, called savings accounts, grant privileged access for a service or application to perform privileged operations, such as writing to a database, with higher privileges than normal user accounts.
Mutual authentication occurs when two parties verify each other's identity before exchanging data, also called two-way authentication. It uses digital certificates to show server and user authentication.
Review the references and the IAC link, and use self setting resources to ensure you understand all material covered so far; for authentication topics, consult Wikipedia, biometrics, and MFA.
Explore identity federation and third-party identity services, compare centralized versus decentralized access control, and examine single sign-on, credential management, and session management.
Contrast centralized and decentralized access control, detailing a single point for authentication, authorization, and accountability vs. distributed, independent systems with higher admin overhead in multi-domain setups.
Explore how single sign-on centralizes access control across multiple systems, letting users authenticate once to access many services, while emphasizing multi-factor authentication to mitigate single-point failure.
Explore identity federation across on premise, cloud-based, and hybrid environments, enabling one account to access multiple resources without local accounts. Understand just-in-time, context-aware access that automates federation without administrator intervention.
Explore credential management as a secure solution for storing usernames, passwords, and biometrics across local, cloud, on-prem, and hybrid environments, including LDAP, Microsoft ID, and Azure Active Directory.
Use a login script instead of a username and password on legacy systems, where authentication functionality is limited; protect scripts containing hardcoded credentials and plaintext passwords.
Session management creates a secure communication channel, prevents eavesdropping and unauthorized access, and enforces reauthentication after idle timeout to end the session.
Review references by examining the ICC's KRA link for single sign on, the Wikipedia article, and federated identity.
Explore access control models by examining permissions, rights, privileges, authorization mechanisms, and security policies, with a focus on nondiscretionary access control.
Explore permissions, rights, and privileges as levels of access, revealing what actions users can perform on objects, and examples like view only, full access, or print but not modify.
Examine authorization mechanisms, emphasizing deny by default, least privilege, and need-to-know; compare access control matrices and ACLs (object-focused) with capability tables (subject-focused) to determine rights.
Explore authorization mechanisms, including constrained interfaces with grayed-out options, content-dependent and context-dependent access controls, and the principles of least access, need-to-know, and separation of duties.
Define and enforce the organization’s security needs with a comprehensive policy. Require top management approval and cover policies such as password, data protection, data retention, and cybersecurity.
Explore access control models, including discretionary access control (DAC) and non-discretionary access control, and examine role-based, rule-based, attribute-based, mandatory, and risk-based access control.
Discretionary access control lets the owner or creator control access to an object, with ACLs on each object in a decentralized, identity-based model, including on-prem setups.
Nondiscretionary access control is a centralized, rule-based model that grants access independently of user identity, covering rule-based, attribute-based, mandatory, and risk-based controls.
Assign access by user and admin roles, combining rights and permissions by job description and responsibilities, with admins grouping subjects to enforce the principle of least privilege.
Apply RuBAC by enforcing rules and filters that govern access, showing how blocking internet or support affects the entire organization.
Explore attribute-based access control (abac) through multi-attribute policies that combine user id, group membership, location, time, device, network, and context-aware authentication to grant access.
Discover how mandatory access control uses subject clearance, object classification labels, and need to know to grant access only when levels match, with no discretionary control—even for admins.
Assess each access request by evaluating its risk before granting or denying access, using factors like security policy, location, and circumstances. Compare this risk-based approach to attribute-based access control.
Explore references for security models, including discretionary, role-based, attribute-based, and mandatory access control, as well as risk-based considerations, with self-study resources and linked Wikipedia articles.
Explore how provisioning, maintenance, review, and revocation shape the identity and access lifecycle, from formal request-driven account creation and biometric enrolment to privilege management and access revocation.
Explore authentication systems by examining how SSL operates on the internet and its role within internal networks.
Discover how single sign-on enables seamless access across diverse technologies, including XML, SAML, and OpenID Connect, and learn what these standards mean for internet security.
Explore the Extensible Markup Language (XML), the most common markup language, and learn how it describes and displays data. Examine its use in XML-based languages for applications and authorization.
Explore SAML 2.0 as an XML-based framework for authentication and authorization, defining the principal, service provider, and identity provider, and use authentication, assertion, authorization, and attributes to control access.
Understand OAuth as an IETF-maintained standard for access delegation and authorization framework, not a protocol; it uses access tokens to share user data with third parties without passwords over HTTP/HTTPS.
OpenID is an authentication standard maintained by the OpenID Foundation that enables decentralized authentication and single sign-on across multiple websites with one set of credentials.
OpenID Connect authenticates users by serving as an authentication layer that provides identity and authorization, enabled by the Open ID Foundation, enabling a single credential across multiple sites.
Explore single sign-on and internal networks, focusing on Kerberos and radius as core authentication and network access concepts.
Explore the five elements of triple A protocols—identification, authentication, authorization, auditing, and accountability—and how they centralize access control and remote connections such as VPN.
Kerberos uses a ticket-based authentication system to verify the user and issue access tickets, centered on the key distribution center and ticket granting service, secured with symmetric cryptography and AES.
Demonstrate Kerberos authentication, with a client obtaining a ticket from the authentication server via the KDC and using it to access the service server with authorization.
Learn how radius centralizes authentication, authorization, and accounting for remote access like vpn and dial-in, while default udp encrypts only password exchange, and tls can encrypt the full session.
Diameter is an authentication, authorization, and accounting protocol that overcomes radius limitations, provides end-to-end security for the full session over TCP or HTTP, and remains compatible with radius.
TACACS+ is a Cisco-developed protocol that offers improvements over TACACS. It supports AAA in two separate processes on different servers and uses TCP for connection-oriented communication.
Review key references for CISSP study, including Wikipedia articles and OpenID and OpenID Connect resources, noting OpenID Connect as a framework, maintained by the OpenID Foundation.
Explore the Kerberos authentication protocol, an AAA system that remains a legacy yet widely used solution, with references to related Wikipedia articles.
Explore access control attacks and clarify the cracker versus hacker distinction while outlining the most common attack types.
Clarify the difference between crackers and hackers by defining crackers as malicious attackers and hackers as individuals who use skills to identify vulnerabilities and help mitigate them.
Cover common attacks, including privilege escalation, dictionary and rainbow table attacks, brute force, credential stuffing, birthday attacks, and sniffing, and discuss protections like least privilege and separate admin accounts.
Learn how spoofing attacks impersonate trusted sources through email spoofing and number spoofing, where attackers forge messages from banks, CEOs, or friends and manipulate caller ID or email addresses.
Strengthen information security by enforcing layered protection methods, starting with user awareness and training to fend off social engineering, and implementing robust access controls, MFA, and password protections.
Discuss physical and logical access control basics, authentication methods, and access models from discretionary to role-based, provisioning lifecycle, ssl use, and defenses against brute force, rainbow tables, and dictionary attacks.
Explore identity and access management to prevent access control attacks, covering authentication of people and devices, multifactor options, federated management like SAML, provisioning lifecycle, and RBAC, MAC, and DAC models.
Explore security assessment tests and audit strategies, learn how to test controls, and apply security processes, data collection, reporting, and audits to ensure effective security.
Compare security testing, security assessments, and security audits, and clarify the differences among these three approaches to evaluating an organization's security.
Explain how security testing validates that controls are working via automated scans, pen tests, and manual attempts, addressing physical, logical, technical, and administrative controls within layered defense.
Assess security testing's impact on normal business operations and availability. Consider staff and tester availability, change management, data sensitivity, system criticality, misconfiguration, rate of change, and environmental effects.
Security assessments expand beyond testing to cover the environment, requiring resources and time, are not interchangeable with security testing, and combine threat, risk, asset evaluations with approach and recommendations.
Security audits validate the effectiveness of security controls using a SIEM-based assessment, conducted by independent auditors to meet regulatory standards and demonstrate protection of the CIA.
Explore essential resources on security testing, information technology, security assessment, and information security audits through curated references.
Explore security control testing by examining vulnerability assessment, penetration testing, and software testing, and distinguish between vulnerability assessment and security assessment.
Identify weaknesses in a system through vulnerability assessment, without exploiting them, using vulnerability scanning and vulnerability management workflows to describe vulnerabilities and distinguish it from security testing and penetration testing.
describe vulnerabilities by using a standardized database and a scalable framework, with a signature and definition; apply the security content automation protocol (gap) as the accepted standard.
Describe how SCAP uses CPE, CCE, XCCDF, and OVAL with the open vulnerability and assessment language to define security checklists and enable platform and configuration enumerations.
Automate vulnerability scanning to proactively identify network, application, and security vulnerabilities, and outline four main types: network discovery scanning, network vulnerability scanning, vulnerability scanning, and database vulnerability scanning.
Explore network discovery scanning techniques that scan IP ranges for open ports, using fingerprints like TCP send scan and UDP scanning, including Christmas scan variants.
Network vulnerability scanning uses a vulnerability database to compare identified vulnerabilities against a targeted system, highlighting false positives and false negatives to improve alert accuracy.
Identify web application weaknesses with purpose-built vulnerability scanners and contrast them with network scanners to understand how exposed web apps create risk, guided by OWASP resources.
Explore database vulnerability scanning with pre-configured tests for database and applications across queries. Identify misconfigurations, missing patches, weak passwords, extra privileges, and default admin accounts.
Explore penetration testing through simulated attacks that assess security controls, identify and exploit vulnerabilities, and follow planning, information gathering, attack execution, and reporting phases.
Compare white box, grey box, and black box penetration testing and their knowledge levels. Understand full knowledge tests, partial knowledge tests, and unknown environment test to guide testing strategies.
Explore software testing methods, including code review, interface testing, misuse testing, case testing, test coverage analysis, and side monitoring.
Learn how peer review and formal inspections reveal flaws through six steps—planning, preparation, inspection, rework, follow-up—and how static testing (sast) checks security without running in source code or compiled application.
Dynamic testing, including dynamic application security testing and FOSS testing, uses mutation, generational testing, and bit flipping to stress test inputs and reveal security weaknesses.
Learn to test APIs, user interfaces, CLI, and physical interfaces to validate the gateways into complex systems, ensuring security controls provide adequate protection.
Explore misuse case testing by enumerating abuse cases a user might try, then attempt to exploit them on a simple calculator, e.g., typing alphabets that should be rejected.
Calculate test coverage by dividing the number of tested use cases by the total use cases, and explore branch coverage, conditional coverage, function coverage, statement coverage, and loop coverage.
Understand website monitoring as performance management and troubleshooting to uncover security issues. Compare passive monitoring, real user monitoring (rom), and synthetic monitoring, using artificial transactions to test performance before incidents.
Explore the references, including the Esquire website dependability assessment, and the Wikipedia articles on penetration testing and software testing.
Review data collection and reporting, review logs, manage accounts, support disaster recovery and business continuity, then deliver security awareness training and record KPI entries.
Review security logs of events, errors, and user reactions to detect system or application issues and illegal activity, while noting audited privileged accounts and backups within BCP and BRP.
Train people to follow comprehensive security processes and embrace technology to protect assets. Monitor KPIs and risk indicators, collect data, reinforce accountability, and enforce acceptable use policies against noncompliant behavior.
Explore four references by following the square link or consulting Wikipedia articles, and review previous topics to deepen your understanding.
Explore the categories of audits, auditing standards, and compliance checks, and see how compliance appears in different contexts.
The lecture explains the three audit categories—internal, external, and third party—highlighting who performs them, who the audience is, and why organizations hire outsiders, including regulatory and acquisition contexts.
Examine auditing standards that test IT systems, including a3402 reports on controls and SOC attestation engagements, and review ISO 27,001 and ISO 37,002 as a framework.
Implement and validate compliance checks to ensure that every control in a regulatory plan is effective, by testing assets against baselines and periodic assessments to prevent regulatory issues.
Track references for CISSP study by linking articles, numbers 18 and 3402 SOC, and integrating ISO IEC 27000 series.
Master domain six by applying security assessments and test and audit strategies, perform security control testing and data collection, and strengthen reporting, audit types, and compliance checks.
Review domain six by mapping design, validate assessment and test strategies, audits, test output analysis, security process data collection, and security control testing, including pen test log reviews.
Master security operations concepts, including incident management, logging and monitoring, and patch and vulnerability management, plus configuration change controls. Review BCP, DRP, BRP, and ethics for incident response and investigation.
Explore the foundational security concepts: need to know, the principle of privilege, separation of duties or responsibilities to pursue control and split knowledge, and compare job rotation with mandatory vocation.
Explain the need to know and the principle of least privilege, and relate them to security clearance and mandatory access control for confidentiality and integrity.
Explain separation of duties and two-person control to prevent single points of failure and reduce fraud, using peer review and two-key or split knowledge concepts.
Rotate employees across roles and enforce mandatory vacations to enable peer review, detect fraud, and deter collusion through cross-training and detective controls.
Restrict privileged account access, monitor usage, and detect unusual activity, while service level agreements define acceptable service levels with penalties.
Review four references and check out the ISS link to support your CISSP course learning.
Implement personal safety duress systems with distress buttons or codes that alert authorities, prioritize human life, and emphasize emergency management, training, awareness, and secure practices like vpn over free wifi.
Review the key references for the CISSP curriculum by checking the IAC score, the degree system, and the Trigger System for Divorce Code.
Explore secure resource provisioning by examining ownership and management, and asset protection to safeguard assets.
Ownership assigns responsibility for an asset, a job function, or a system. Senior management holds responsibility for protection, policy development, enforcement, auditing, and governance through due care and due diligence.
Define asset management and asset protection, covering tangible and intangible assets like hardware, software, cloud, patents, copyrights, and reputation, and outline administrative, logical, and physical controls to safeguard them.
Review how to verify references by checking sources such as the ISS link and Wikipedia articles on software amendment, while noting the article's discussion of Wikipedia.
Explore configuration management and change management in operations, and differentiate patch management from vulnerability management while outlining their roles in secure systems.
Enable secure provisioning and baseline creation through images and automation, managing hardware and software configurations, version control, testing, and documentation to ensure consistent, compliant deployments.
Change management is a systematic process to control, document, track, and audit changes in an environment, preventing outages and security impacts. It includes change requests, review, approval, testing, and documentation.
Differentiate patch management from vulnerability management; apply patches systematically, detect weaknesses, and conduct scanning and vulnerability assessment to fix vulnerabilities.
Explore references on configuration management, change management, patch management, and vulnerability management, and see how applying changes updates configurations and interconnects these practices.
Master incident management by learning how to respond to incidents, starting with clearly defining what constitutes an incident.
Define incidents as unplanned interruptions in service that affect availability and the CIA. Explore incident management and key guidance from SP 61 and RFC 2350.
Memorize the seven incident response steps in order—detection, response, mitigation, reporting, recovery, remediation, and lesson learned—and understand how teams like helpdesk and CSIRT contain incidents.
Report incidents to internal or regulatory bodies, then recover by raising the security baseline. Collect evidence, perform root cause analysis, implement safeguards, and train staff to improve future responses.
Review key references by checking the squirreling and the special publication Eater 61 and RFD 3350. Access the links provided.
Explore detective and preventive measures, introduce ideas about IPS, and discuss prevention measures and attacks.
Explore intrusion detection systems (ids) and intrusion detection and prevention systems (idps), including host-based and network-based approaches. Compare passive and active responses and inline network-based ips that block traffic.
Explore preventive measures in information security, including keeping systems updated, change and configuration management, blocking unauthorized access, and using firewalls, network segmentation, deny lists, sandboxing, honeypots, and cloud security.
Covers denial of service (DoS) and distributed denial of service (DDoS), including DRDoS, ping floods, and oversized ICMP packets that disrupt the three-way handshake.
Examine teardrop attacks that fragment packets from compromised computers, causing reassembly failures and distributed denial-of-service disruption, including zero-day exploits and spoofed ICMP or target IP floods.
Identify how the man-in-the-middle or on-path attack places a hacker between a client and a server. Note insider sabotage by an employee as a threat to an organization.
Explore references and an IPS article on denial of service attacks, illustrating how most cyber attacks fall under the denial of service category.
explore techniques for logging and monitoring, rollout monitoring and error handling, and automatic incident response within the logging monitoring context.
Learn how logging records events in log files or databases, and how monitoring reviews these logs for policy evaluation. Distinguish security information management from security information and event management systems.
Explore rules of monitoring, including audit trails and accountability, and how log file details support investigations and event reconstruction, with prompt problem notification for OS, software errors, or attacks.
Automating incident response uses security orchestration, automation, and response with playbooks and runbooks to define incidents and drive automated responses, leveraging real-time log analysis, threat intelligence, and machine learning.
Explore threat intelligence as a collection of information about threat actors and threats, the kill chain measure, adversarial tactic techniques, and common knowledge threat feeds, culminating in threat hunting.
Review the references and visit the SIM resource hub to find articles about attacks and to understand what the meter framework is.
Develop, test, implement, and maintain disaster recovery planning within business continuity, exploring disaster nature, resiliency, high availability, tolerance, and differences in recovery strategies, planning, testing, maintenance, documentation, and training.
Identify disasters as events causing damage, which can be natural or manmade, with examples like earthquakes, floods, storms, fires, pandemics, and failures in hardware, software, networks, or utilities.
Design resilient, fault-tolerant, and highly available systems using multi-zone cloud deployments to enable zero downtime, secure recovery, and prioritized quality of service.
Protect services with load balancers and cloud clusters to maintain high availability and fault tolerance, while backups, raid, hot swaps, qos, and ups and generators guard against outages.
Prioritize recovery strategies by risk and cost using RPO, RTO, work recovery time, and MTD to restore department and workgroup operations through crisis management and out-of-band communications.
Explore recovery strategies using alternate processing sites—hot sites, cold sites, mobile cloud, and mutual agreements—covering electronic voting access, remote monitoring with mirroring, and database recovery.
Develop an incident response plan with simple, detailed instructions to reduce panic, assign backups for every role, establish outbound channels, and use a clear checklist for assessment, recovery, and restoration.
Learn testing and maintenance of DRP and BCP through tabletop, simulation, and full interruption tests, with need-to-know access, site activation procedures, and living-document updates.
Document the disaster recovery plan in detail, outlining roles, responsibilities, and contact lists with strict compartmentalization. Provide initial and refresher training for individuals and workgroups, reinforcing BCP and DRP awareness.
Explore disaster types and common natural disasters in the US, review useful links on disaster recovery, and examine articles on disaster recovery and business continuity auditing.
Explore investigations, the major categories of crime, and ethics within information security, highlighting how ethical considerations guide cyber investigations and crime classifications in CISSP context.
Examine various investigation types, learn evidence collection, and understand the investigation process in information systems security.
Examine administrative, internal, and criminal investigations, their enforcers, and the standards of beyond a reasonable doubt and preponderance of the evidence, plus regulatory and discovery processes.
Identify the three requirements for admissible evidence: relevance, materiality, and being legally obtained. Differentiate real, documentary, testimonial, and demonstrative evidence and apply the best and parol evidence rules.
Maintain a strict chain of custody by logging each handoff with person-to-person details and timestamps, apply IOC forensic principles, and perform software, network, and media analysis for forensic evaluation.
Identify major categories of cyber crime, including military and intelligence advanced persistent threats, organized crime and terrorism, and crime against business and financial institutions, insider attacks, and turtle attacks.
Explore the organizational code of ethics and the Code of Ethics, and examine how ethics guide daily security operations within CISSP domain one.
Learn how an organizational code of ethics guides policies and guidelines for ethical conduct, values, ethics, leadership, and employee conduct shaping organizational culture; access via HR or the employee handbook.
Memorize the two types of code of ethics by heart, as exam questions will cover the cannons and the PM.
Explore ethics and the internet, citing RFC 1087. Explain how unauthorized access harms the integrity of computer-based information and user privacy, stressing ethical conduct inside and beyond the workplace.
Explore four references and scrolling evidence, including a Wikipedia article on computer forensics, and review the code of ethics for the organization, along with DRC 1087.
Review domain seven by detailing secure provisioning, configuration changes, patch and vulnerability management, incident defenses and responses, DRP within business continuity, and investigation ethics.
Explore the security operations mind map, covering personal safety, need-to-know privilege, separation of duties, recovery strategies, incident management, business continuity, patch management, disaster recovery testing, and preventive measures like firewalls.
Implement system development controls, programming languages and concepts, and security controls in software development; apply secure coding standards and guidelines, and analyze software testing, assurance, and vulnerabilities.
Explore the system development lifecycle and its parts, review lifecycle models, and outline change management, configuration management, service level agreements, and third-party software acquisition.
Define the end goal with stakeholders via a conceptual definition and outline functional requirements with security-focused control specifications; review design, code, and validation tests, then plan maintenance and change management.
Explore lifecycle models including the waterfall model, spiral model, agile maturity model, and ideal model, and understand how each guides information systems security project lifecycles.
Explore the waterfall model, the first documented software development approach, outlining iterative activities from system requirements to maintenance and showing backtracking limited to one level.
Compare the spiral model to the waterfall, using multiple waterfall iterations to build a mature system that incorporates all requirements, with several prototypes.
Agile dominates modern software development, prioritizing working software and customer collaboration, while responding to change over following a rigid plan, with variants like Scrum and Kanban.
Explore the capability maturity model integration, designed to improve software development and other processes, and learn its five levels: initial, repeatable, defined, managed, and optimized.
Explore the Ideal model from Carnegie Mellon University, detailing its five phases: initiating, diagnosing, establishing, acting, and learning.
Explore change management and configuration management as formal processes for handling software changes, from change control and release control to documenting configurations, applying policies, and auditing for consistency.
Service-level agreements define the required performance between a service provider and customer, detailing uptime, downtime, diagnostics, failover time, and financial and contractual remedies for non-compliance.
Evaluate third-party software acquisition by reviewing custom software from software houses and pre-built solutions, and test for vulnerabilities via internal or independent testing with vendor reports.
Survey references for the proprietary model, using EMU and the Carnegie Mellon University link, and compare agile or maturity model ideas, ice curling, and waterfall spiral.
Explore programming languages, libraries, and APIs; examine the DevOps approach. Identify how these elements relate to DevOps.
Explore five types of programming languages—machine, assembly, high-level, scripting, and visual—covering how binary instructions drive the CPU, mid-level assembly, machine independence, scripting power, and non-text visual languages.
Explore libraries in software development as pre-written code that developers reuse to add functionality, reduce risk, and lower development time and cost, with SDKs providing documentation and examples.
Explore how application programming interfaces act as intermediaries that enable two applications to communicate, while highlighting API bypass risks and the need to test APIs for cleanliness and reliability.
Explore devops as a fusion of software development, quality assurance, and operations that shortens the software lifecycle, aligning with agile practices to deliver software quickly with minimal overhead.
Explore references by examining the IAC square for a programming language, Wikipedia libraries, and APIs; follow the provided link to see APIs in more detail and extend to dev ops.
Explore security controls in software development by examining code security and techniques to improve security in development, including database security and a web application firewall.
Explore techniques to boost code security: input validation, code signing for integrity, validated code reuse, centralized repositories, hash verification, and software diversity to avoid single points of failure.
Explore database security across architectures such as hierarchical, distributed, and relational models, and defense techniques like data minimization, obfuscation, hashing, and tokenization, plus ACID principles for secure transactions.
Explore database security controls, including multi-level access control, partitioning, concurrency, and timestamp handling, and discuss proxies between applications and databases as well as no-sql models—key-value, document, and graph.
Operates at the application layer (layer seven) to filter, monitor, and block traffic to web services, protecting against web application attacks and exploits.
Explore references to secure coding practices, the acid model, NoSQL database concepts, database security, and a web application firewall to reinforce CISSP concepts.
Explore secure coding standards and guidelines, covering source code commands, error and exception handling, hardcoded credentials, and memory management.
This lecture explains how source code comments document workflows and help future developers, reviewers, and troubleshooters. It warns that comments expose code details and should be removed from production releases.
Handle errors and exceptions with special processing for unusual conditions, while developers extensively debug code. Minimize information leakage by informing end users only with basic guidance and maintenance notices.
Learn why hardcoded credentials and backdoors threaten system security, how credentials get embedded in code or libraries, and why they must be removed before production to prevent unauthorized access.
Explore memory management and resource exhaustion, including how failing to return memory causes crashes and reboots, and the role of pointers and null pointer exceptions in security.
Identify author references and credential sources, including Wikipedia and OWASP, and examine how exception handling relates to credentials, threads, password resource exhaustion, DB articles, and pointers.
Explore software testing, assurance, and vulnerabilities to understand how evaluations safeguard systems and reveal weaknesses.
Explore software testing through white-box, gray-box, and black-box approaches. Identify static testing as security assessment without dynamic execution.
Drive software assurance by applying a formal lifecycle approach to achieve trustworthiness, predictable execution, and conformance with DHS standards and procedures.
Explore the types of malware, identify sources of malware, and examine how these threats appear in different attack vectors.
Explore malware types, including viruses with stealth, polymorphic, encrypted, or lock variants, logic bombs, and propagation methods like macro, vector, and worm, with trojan horse, spyware, and adware payloads.
Analyze sources of malware, from advanced persistent threats and government-sponsored groups to script kiddies who download pre-packaged exploits, showing how malicious actors spread globally.
Explore various types of attacks, including application attack, replication attack, reconnaissance, masquerading attacks, and zero attacks.
Explore common password attack methods, including social engineering, phishing, dumpster diving, dictionary attacks, and brute force, and learn countermeasures like a password policy and multi-factor authentication.
Apply input validation to prevent application attacks, validate resource states, remove backdoors and hardcoded credentials, and enforce secure coding standards to prevent escalation of privileges.
Explore web application attacks like sql injection, cross-site scripting, and cross-site request forgery, and learn countermeasures such as input validation, application firewall, and csrf tokens.
Reconnaissance attacks use automated scans and probes across an IP range to identify weaknesses. Firewalls, network monitoring systems, and IPS serve as countermeasures.
Learn how masquerading attacks start with IP spoofing, where an attacker reconfigures a system to impersonate a user and access resources; understand session hijacking and basic countermeasures like firewalls.
Define zero-day attacks and exploits, including discovery outside CVE and CVSS, describe the window of vulnerability from discovery to patch, and emphasize production testing and defense in depth.
Explore references for software testing and apply learnings to shops and restaurants, using a Wikipedia link or top ten and measuring ADT and Seek.
Review domain eight topics, including system development controls, programming languages and concepts, security controls in software development, secure coding standards and guidelines, software testing, assurance, and vulnerabilities.
Explore the security impact of software controls in development environments. Review vulnerability sources, input and output validation, software security testing, risk analysis, auditing, logging, and development lifecycle practices with DevOps.
Explore a concise overview of the entire CISSP course, covering all topics and step topics, organized around mind maps, with essential exam tips.
Identify the CISSP domain average weights and estimated questions for domains like security and risk management, asset security, architecture and engineering, IAM, and software development security.
Explore domain one: security and risk management, covering the CIA triad—confidentiality, integrity, availability—and the DOD triad. Identify, authenticate, authorize, audit, and account to apply protection mechanisms throughout the course.
Security governance starts with policy creation, then procedures and implementation; security management enforces policies, with documentation review and third-party governance aligning to security control frameworks like ISO 27001 and RMF.
Implement and enforce security policies and standard procedures, covering personnel management, hiring and firing processes, vendor and contractor controls, compliance and privacy requirements, and security awareness training.
Explore risk management fundamentals, including risk terminology, threat, asset, liability, threat vectors, and zero day attacks. Implement controls, assess risk, monitor KPIs, report risk, and pursue improvement through risk frameworks.
Identify threats through threat modeling and diagramming attacks, then perform reduction analysis and prioritize responses by threat level, while integrating supply chain risk management and secure acquisitions.
Outline contingency planning by defining project scope, assessing impact, and securing top management approval. Address compliance, legal and regulatory issues, including categories of law, in crafting and procurement.
Explore how governance aligns security with business strategies, manage risk, enforce policies, and implement threat modeling, controls, ethics, privacy, and compliance through organization-wide information security training.
Define and classify assets, identify sensitive data, and apply data classification schemes and handling requirements, with owners and clearance levels ensuring data in transit, in use, and at rest.
Control access to information and assets by applying retention policies based on data type and classification, eliminate data remnants after deletion, and implement security baselines and DLP controls.
Explore asset security by protecting data owners' privacy, applying data minimization and collection limitations, classifying assets by sensitivity, and assigning ownership and custodianship while tailoring controls to business needs.
Examine domain 3 security architecture and engineering, from open vs closed systems and open vs closed source to CIA protection, security controls, and key models like LaPadula and Clark Wilson.
Explore how to select and test information security controls, covering firewalls, antivirus, passwords, and virtualization, and compare Rainbow series, TCSEC, EU criteria, Common Criteria, certification versus accreditation, including verification.
Delve into vulnerability management within security architecture and engineering, covering hardware and firmware, client-based and service-based systems, distributed, HPC, serverless and cloud computing, and embedded IoT and ICS.
Explore cryptography foundations and modern practices, including plaintext and ciphertext, keys, hashing, symmetric and asymmetric schemes, and PKI and digital signatures, plus cryptographic attacks and site and facility security controls.
Explore security architecture and engineering by assessing vulnerabilities across cryptographic systems, key management, digital signatures, and non repudiation, while reinforcing physical and site facility security.
Explore domain 4 communication and network security, covering network architecture and design, security boundaries, protocols such as IP, Kerberos, IPv4/IPv6, CIDR, and typologies like star, mesh, ring, plus site survey.
Explore the TB model with devices per layer and key protocols, including converged MPLS. Examine wireless and cellular network security, firewalls, deployment architectures, and network access control.
Explore security communication protocols, IPsec, and strategies to protect voice, multimedia, and email; compare packet switching and circuit switching, and learn to mitigate DDoS attacks and VPN technologies.
Explore secure network components and transmission media, including firewalls, proxies, MDM, and edge computing, and apply IPsec, TLS, and SSL cryptography to protect IP and non-IP networks.
Explore identity and access management and the role of authentication factors. Understand how access control, authorization, and accounting work within the confidentiality, integrity, and availability framework.
Explore identity and identity federation with third-party services, and compare centralized versus decentralized access control, while examining single sign-on, identity creation, credential management, and session management.
Define access control models and distinguish permissions, rights, and privileges, then compare discretionary and non-discretionary access control. Explore identity lifecycle management, provisioning, verification, maintenance, and review.
Explore domain 5 identity and access management principles, including radius, diameter, tacacs+, password protection methods, multi-factor authentication, account lockout, and the mix of physical, logical, and administrative controls.
Explore identity and access management through role-based and mandatory access controls, including SSL/LADP-based authentication, single and multi-factor authentication, and federated identity management to prevent attacks.
Explore domain 6 security assessment and testing, distinguishing security testing, security assessment, and security audits, and examine audits, control testing, vulnerability assessments, penetration testing, and software testing types.
Review logs and manage accounts to assess identity and access controls and test security controls. Evaluate drp and bcp training, kpis, and audits, including soc 1–3 standards.
Analyze security assessment and testing practices, collect data such as account management and escalation, and facilitate internal, external, and third-party audits while validating controls via vulnerability assessments and interface testing.
Explains core security operations concepts including need-to-know, privilege, separation of duties, two-person control, split knowledge, job rotation, mandatory vacation, account management, SLAs, emergency management, and training and awareness.
Apply asset classification, ownership, and labeling to day-to-day operations, then manage configuration changes, patches, and vulnerability management while executing incident response steps from detection to lessons learned.
Explore domain 7 security operations, including network and host based intrusion prevention systems, logging, monitoring, automatic incident response, disaster recovery planning, investigations, and ethics canons.
Develop disaster recovery and business continuity plans, test through tabletop and interruption exercises, maintain and protect DRP and VCP as live documents, and train staff on investigation ethics.
Prioritize human safety in domain 7 security operations, enforcing least privilege and separation of duties. Implement backup and recovery site strategies, asset management, siem, and incident response to support continuity.
Examine domain eight software development and security, detailing deployment lifecycles, models such as waterfall and CMI, and configuration and change controls for software, code bases, libraries, APIs, and DevOps.
Explore software development security and code security practices, testing techniques, asset model significance, and web application firewalls, alongside secure coding, memory management, and Spectre and Meltdown considerations.
Explore software testing methods, including static, dynamic, and white, gray, and black box testing, to verify vulnerability-free software and understand malware types like viruses, Trojan horses, reconnaissance, and masquerading.
Explore secure software development by linking lifecycle models such as agile, waterfall, and spiral with security and maturity frameworks, DevOps practices, and rigorous testing to prevent vulnerabilities.
Get a good night’s sleep and schedule your CISSP exam. Arrive prepared with empty pockets, use the on-screen calculator, breaks don’t pause the clock, and let staff adjust your seat.
Review CISSP exam tips emphasize time management, option elimination, and careful reading of questions and answers, with guidance on question formats, guessing strategies, and using a dry erase board.
The Certified Information System Security Professional (CISSP) course is one of the most comprehensive courses available for the preparation of CISSP certification exam. The certification is offered by (ISC)2 and is among the most highly sought after certifications in the IT industry. The course reviews in great detail the information security concepts and industry best practices, and covers the eight domains of the official CISSP CBK (Common Body of Knowledge). The candidates are able to gain knowledge in information security that increases their ability to successfully implement and manage security programs in any organization.
The goal of this preparatory course is to help the students achieve the (ISC)2 CISSP certification. The course will enable the students to validate their knowledge about the information security in general and the eight domains of CISSP exam in particular. The course alumni are supposed to become involved in critical security decision and risk management.
On successfully completion of this course, the students shall be able to completely learn and gain indepth understanding of the eight domains of CISSP. The major domains covered in this course are:
1) Security and Risk Management
2) Asset Security
3) Security Engineering
4) Communications and Network Security
5) Identity and Access Management
6) Security Assessment and Testing
7) Security Operations
8) Software Development Security