CISSP study guide: pass your CISSP first time
CISSP Study Guide from cyberonthewire

CISSP Practice Questions app features:
• First 50 questions FREE
• Intuitive navigation
• No ads
• No signup required
• No internet connection required
• Questions/answers written by a CISSP certified author

CISSP Flashcards app features:
• 100+ FREE flashcards
• Covers all CISSP domains
• No network connection required when using the app
• Content created while actually studying for and passing the CISSP exam

Get more study resources at: cyberonthewire

contents
1. What is CISSP?
2. Planning for certification
3. Study options
4. Planning your CISSP study
5. Note taking
6. Flashcards
7. How to revise
8. How to know when you're ready
9. 24hrs to go...
10. My top 5 CISSP exam tips
11. Passed? - now get certified
12. Thanks for reading (and where you can get more)
13. Appendix A – Didn’t quite make it first time? Don’t give up!
14. Appendix B - List of study resources
15. Disclaimer

1. what is CISSP?
CISSP stands for Certified Information Systems Security Professional and is an industry-recognized certification run by an organization called (ISC)². The official description provided for CISSP is: “The vendor-neutral CISSP certification is the ideal credential for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their overall information security program to protect organizations from growing sophisticated attacks” ((ISC)², accessed January 2017).
The most important things to know about the certification are:
• it’s aimed at managers
• you will need to have several years of paid, relevant experience in order to become certified (more on this later)
• it covers a (very) broad range of subjects
• there are ongoing annual requirements to remain certified

In my opinion, the reference to ‘deep technical’ should not be misinterpreted as suggesting that you have to be able to program, conduct hands-on analysis of network vulnerabilities or conduct forensic recovery of digital media; rather, it refers to being able to manage, and have a working knowledge and understanding of, all the parts of an organization’s security program. For example, you may not have to physically set up an IDS, but you will certainly need to know what it is and what it should do.

Note also that it’s not a certification that you are awarded by passing an exam alone. In order to be awarded the full CISSP certification you must have 4-5 years (depending on whether you can waive a year) of paid, relevant experience. The subject matter that you have to study ranges from high-level governance topics to being able to provide the result of XORing two sets of binary values, and everything in between. It’s the sheer scale and variety of the exam material which makes it difficult, and even once you’re certified you still need to provide evidence of professional development each year. So, why would you want to get certified?

why would I want to sit the CISSP exam?
Well, the answer is clearly because you want to get certified, but why might you choose this certification over others? And for that matter, why would you bother going through the study and expense to get any certification? Well, for most people the short answer is because it helps you to secure a new job.
You can find lots of lively discussion about whether this is the case (both in terms of certifications in general and the CISSP), but here is my view on it: it can’t do any harm. If you have a wealth of experience you may be able to secure a role based solely on that and you may not need a certification; however, there are plenty of jobs which list being CISSP certified as either essential or desirable criteria (a quick search on indeed.com at the time of writing brought back over 11,000 jobs mentioning CISSP). This may mean that although you are perfectly capable of doing the job, those sifting applications will sift you out simply because there are other candidates who are certified. Additionally, if you are very experienced you may well find that there is less for you to learn, because you already know much of the material from your experience, making studying for the exam easier. Remember that those doing the initial sift of applications may not be people who are knowledgeable about the role; they may have a massive stack of applications which they’ve been told to whittle down to 20 – if CISSP is a desirable criterion they may well simply dump all those who don’t have it – even if the person doing the sifting doesn’t know what CISSP is!

However, what if you don’t have a great deal of experience? Well, academic qualifications aside, having a certification will help mark you out as having demonstrated that you at least have the relevant knowledge for a role even if your experience is limited. Note that if you have no paid experience you cannot be CISSP certified; you can, however, become an Associate of (ISC)². If you put yourself in the position of someone recruiting for a role and you have two resumes in front of you, both with limited experience but one has a relevant certification, which one would you choose?
In addition to these two points I would also suggest that you will learn things which improve your general knowledge and understanding, making you better at your job. You may even find some of it interesting!

why choose CISSP over another certification?
This is another topic on which you can find many a flame war, with people making wild claims that the CISSP is the ‘only cert worth having’ while others say it’s worthless and that there are others much more worthy of your time. From what I’ve seen, the CISSP is still the most sought-after, desirable certification to have on your resume if you are interested in roles relating to information security, especially if you want a role in management. The CISSP is not practical: you won’t learn how to conduct penetration testing, or how to assess a network for weaknesses. If that’s more your thing then I would agree that you should be looking elsewhere, but if you are looking for something at the management level or above, then this is still one of the most sought-after certifications in terms of job adverts.

The other point that I’d like to make about the CISSP is that because it covers such a wide range of topics it doesn’t tie you to a specific field. (ISC)² state in their description of the certification that CISSP is ideal for the following roles:
• Security Consultant
• Security Manager
• IT Director/Manager
• Security Auditor
• Security Architect
• Security Analyst
• Security Systems Engineer
• Chief Information Security Officer
• Director of Security
• Network Architect
(source: (ISC)², February 2017)

So, for my money, unless you aren’t interested in management and/or there is a specific role/field you want to work in, you should be considering CISSP as your primary certification.

2. planning for certification
This chapter discusses the various options for getting CISSP certified and answers some of the common questions that arise. The bottom line in terms of getting certified is that there are two primary hurdles:
• you must pass the CISSP exam
• you must have 5 (or in some circumstances 4) years of relevant experience

Although you may have your sights set on the exam and are concentrating on that being the challenge, it’s important that you consider the experience requirement carefully. From the point that you pass the exam, you start a timer which gives you 6 years to certify. If you don’t manage this, you have to take the exam again (which no one wants to have to do, believe me, once is enough). This 6 year window gives you time to build up your experience in order to get certified, but what sort of experience do you require?

experience requirement
The first thing you need to know is how much experience is required. You may have noticed that in the bullet points above I referred to either 5 or 4 years being required. This depends on whether you can waive a year by having a relevant qualification or certification. The (ISC)² guidelines state that:

“A candidate shall be permitted a waiver of one year experience if:

Based on a candidate’s education
Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree or regional equivalent or an advanced degree in information security from the U.S. National Center of Academic Excellence in Information Assurance Education (CAE/IAE).
OR

For holding an additional credential on the (ISC)² approved list below

Valid experience includes information systems security-related work performed as a practitioner, auditor, consultant, investigator, or instructor that requires information security knowledge and involves the direct application of that knowledge. The five years of experience must be the equivalent of actual full-time information security work (not just information security responsibilities for a five-year period); this requirement is cumulative, however, and may have been accrued over a much longer period of time.” (source: (ISC)², February 2017)

So, if you want to use 4 rather than 5 years, you either need an undergraduate degree (or the alternative listed above) or you need a credential from the approved list. In addition, the work must be paid and cover at least two of the 8 domains from the Common Body of Knowledge. The best source that I’ve found to decide whether your experience is sufficient is the exam outline provided by (ISC)², because it breaks down each domain into sub-topics, which makes it much easier to gauge your level of relevant experience.

planning when to take the exam
By now you should have noticed that this decision is dictated largely by how you intend to fulfil the experience requirement. If you already have the 4/5 years of experience then it doesn’t matter when you pass. If you’re looking to change careers and feel being certified would be of benefit, or if you have a significant period of free time in which to study, then of course these factors will affect your decision of when to take the exam, but having the experience already makes the tactical decision of when to study for/take the exam moot.
You can pass the exam without the experience and become an Associate of (ISC)². This effectively means that you get to bank your exam for 6 years, at the end of which you must have your 4/5 years of experience in order to certify as a full CISSP. You can call yourself an Associate of (ISC)² but cannot call yourself CISSP, or imply that you are certified in any way, while you are an associate. This 6 year timer can give you a good idea of how to plan your certification if you don’t yet have the required amount of experience. There are a number of situations you may find yourself in, which I have laid out below:
1. you have no relevant experience and are not in a job that will give you that experience
2. you have no relevant experience but have started a permanent full-time job that will give you the relevant experience (in 2+ domains)
3. you have some years of relevant experience but are short of the required 4-5 years

If you fall into scenario 1 you may wish to think twice about whether you really want to study for the exam just yet. If you pass, you then have the pressure of finding the relevant 4-5 years of experience when you don’t yet even have a job that will give you that experience. My recommendation in this case is to wait until you are in a relevant role. For those of you who are in scenario 2 there’s nothing stopping you taking the exam and becoming an Associate of (ISC)² until you have accrued the relevant experience. Your timing in this case will probably depend on when you have the time to study (e.g. if you’re planning on having children in the next couple of years then now might be a better time to hit the books!). The 3rd scenario is similar but gives you a little more of a cushion, in that you can already knock some time off the 4/5 year requirement.

3. study options
This chapter introduces the various study options available to you when you prepare for the CISSP exam.
As with most exams there are a variety of study options available to you; which you choose will likely depend on a number of factors including:
• money
• time
• location
• how you absorb and assimilate information

The options available to you broadly fit into three categories:
• self study with the Official (ISC)² Study Guide, other books and free online resources
• take a paid online course
• take physical, location-based training

Of course you can mix and match and do a combination of these options.

self study
This is the cheapest option, as you can technically buy only the Official Study Guide and use this to study for the exam; however, it’s also the hardest. It will be down to you to work out how to plan your study and incorporate effective revision. The material that the CISSP exam covers is very broad, which means that it’s hard to keep your knowledge fresh for every area, and if you aren’t used to studying you might find the whole thing too daunting and never get started in the first place.

The important thing about self-study is to have a plan; the old adage of ‘fail to prepare – prepare to fail’ fits well, and if you simply read the book without studying then you are unlikely to fare well. The other benefit of self study is that you can fit it around your life. If you have downtime or commute time you can fit some study in. This isn’t something that you can do with physically delivered courses. Other resources you may wish to make use of are YouTube videos, other study guides and online searches. I would recommend that you structure your study plan with the Official Guide at the center; it is, after all, the official guide, which should give you a strong foundation for your test. I used YouTube videos and online searches mostly to clarify things that I had read in the guide but didn’t properly understand.
Any additional study materials that you might use will depend on how you learn best. For example, you may not learn particularly well through reading but find that you do learn well from videos or audio. Even if you do learn well through reading, you may find that supplementing this with video or audio helps to cement the information in your mind.

paid online courses
This option is of course more expensive than just studying on your own with books and free resources, but online courses are a way to get yourself onto a program of study that doesn’t require you to do the planning – that’s done for you. If you are considering taking a paid online course there are a few things that you will want to know before you fork over your hard-earned cash. Firstly, is it a course which you can do whenever you want, or does it consist of live webinars that require you to be available at a specific time? The former is clearly more convenient and you can go at your own pace, but the live option may be easier from the point of view of being able to ask questions to clarify what’s being taught in a live, classroom-style environment. You will want to know what options you have to ask questions about the material, as this could range from real time (phone/chat) to none. You’ll also want to know what materials are included in terms of video, online written material, material that you can download or, in some cases, hard copies of materials that can be posted to you. You should also have the opportunity to see samples of the materials before you buy a course, as well as being clear on what the money-back guarantee is.

physical location based training
This is the most expensive option (typically well over 1000 USD) and the most traditional, in the sense that it is effectively classroom teaching.
The benefits of this are that, as with any other classroom training, you can ask questions of your teacher and get an immediate response. Similarly, if something isn’t clear you can ask for clarification. The drawbacks are that you cannot set your own pace, so if you already work as a network engineer, for example, but have knowledge gaps in other areas, you still have to sit through the section on what IP and MAC addresses are – time which you could have better spent on another topic. The courses tend to be intensive (e.g. a week), which may not be the best way to absorb so much information. If you do decide to take a course I would recommend doing so only after you’ve read the book. At least that way you will be familiar with the material and can treat the course as a revision tool prior to the exam.

4. planning your CISSP study
This chapter is about how you actually plan your studies, including the techniques I used to study for and pass the CISSP exam. We will cover:
• study techniques and styles
• timescales and setting goals
• resources

study techniques and styles
The first thing to realize is that not everyone learns most efficiently in the same way. Although there are plenty of resources which go into great depth on this topic, I will use the three broad categories that feature on the wikiHow page on learning:
• visual
• aural
• kinesthetic

Visual is fairly self-explanatory – you learn well through the use of images, diagrams, colors and perhaps through (reading) text. Aural is learning through listening; this would include listening to podcasts or other recordings, or perhaps to someone speaking on a video or in person. Kinesthetic or tactile learners learn primarily through ‘doing’ or touch.
It’s not important to get too tied up with the details of exactly which category you fall into, but what is important is to be willing to try more than one technique in your learning – especially if you haven’t studied for a long time. For example, I know that I learn better by not only reading material but by writing notes as well (even if I don’t use them to revise later). To me this suggests that there is an element of the kinesthetic learner in me – the action of writing helps me to remember. However, I’m also highly visual, in that diagrams or pictures are something that I can easily remember – I can then remember the facts that are associated with them. If those images weren’t there then I would struggle to remember the words on their own. Another technique that I find very helpful is using and visualizing examples, particularly where there are abstract theories involved. Again, for me this suggests that I learn best through visualizing the example (visual-type learning) and through ‘acting out’ the example in my mind (kinesthetic-type learning). The reason this is important is that generally everyone’s initial study starts off with buying the Official Study Guide – a text book. I would recommend that you at least experiment with study techniques other than simply reading, to work out how you learn best.

timescales and setting goals
One of the hardest things when studying on your own is pacing yourself and setting goals. This is what you should be doing in your planning phase, before you even start your study. That way, even when you’re up to your armpits in governance or malware, the end is always in sight! I recommend that you base your planning on the Official Study Guide.
My study technique is simple and structured, and is made up of two phases:
• studying – initial learning of material and making your own revision materials as you go
• revising – revisiting key material, refreshing your memory and testing yourself

studying
In terms of studying, this is how I recommend that you structure it, working from the Official Study Guide:
1. work through the book chapter by chapter
2. as you read, make your own notes or flashcards
3. use the end-of-chapter activities and revision questions to refresh your knowledge

The chapters do vary in length; however, I strongly recommend setting a goal for your study dependent on how much free time you are willing to dedicate. For example, you might decide to aim to do one chapter every 2 days, which would give you a total time of six weeks to complete the book. You will have a better idea of how long you need once you’ve done the first couple of chapters, but by having a goal like this at least the end is in sight! You can look at your diary and say: “well, at least I’ll have finished the book by such-and-such a date.” This really helps with motivation, and I also found that when I didn’t study I felt a bit guilty because I wasn’t keeping up with the schedule I had set. If I hadn’t set one, then I wouldn’t have minded so much, because I wouldn’t have been off schedule – there wouldn’t have been one!

While we’re on the topic of pacing, it’s worth being wary of the dangers of either rushing through the material too quickly or being overly slow. If you rush through the material at breakneck speed you might find that you struggle to retain the knowledge, because you’re simply cramming information into your mind at a speed that you can’t keep up with – your mind does need some time in order to process what you’re learning.
Conversely, if you only read a page a day it would take you so long to finish the book that by the time you finished you probably wouldn’t remember much of what was at the beginning of the chapter, let alone the beginning of the book. This makes revision even harder, because you don’t have much of a foundation to build on. To set your own schedule for completing the book, I suggest that you time yourself to see how long you need to complete the first chapter, then establish how much time you’re likely to have day-to-day over the coming weeks, so that you can set your own goals in terms of how long you will give yourself to complete a chapter. My overall study time was around 3 months.

revising
The revision phase is where you’ve completed your initial study/learning of the material and you’re now trying to refresh that knowledge to a point where you can use it in the exam. If you’ve been through the chapters in order, by the time you’ve finished chapter 21 on Malicious Code you will probably have forgotten much of the material in chapter 1 – Security Governance. This is where your revision notes/flashcards become particularly valuable. Because you’ve distilled the essential keywords and facts and cut out all the explanation, you can quickly refresh your knowledge without getting bogged down. I wrote flashcards rather than notes, which meant that I had questions that I had written myself on one side with the answers on the other. One of the benefits of this was that it exercised the recall part of memory, forcing me to access the knowledge rather than just repeatedly reading facts. Once you’re comfortable with the knowledge on your flashcards it’s time to try some of the Sybex online practice tests that come free with your Official Study Guide.
When you get questions wrong, it’s important to consider whether they are pointing to a specific weakness in your knowledge and, if so, revisit the relevant section of the book. For example, I found that I was getting quite a few questions wrong which were about the Governance topic, so I decided to go back and re-read the relevant sections of the book.

resources
The resources that you will need to prepare for the CISSP exam are, in my view, separated into the ‘must have’ and ‘could have’ categories. The Official Study Guide is a must-have, along with the online resources that come with it. Either making your own notes/flashcards as you go along or having someone else’s is another must-have. Other resources depend a bit on your learning style. If you find them helpful, then look into what audio/video resources there are, as well as other companion books. But remember that a companion book is just another book to read, and you might find that you’re adding to your workload without a great deal of benefit. I would also suggest that you don’t solely use videos or audio guides for your study, but rather use them to supplement your study of the book. In short:

Must have:
• Official Study Guide (with accompanying online resources)
• Either your own notes/flashcards or someone else’s (that you trust)

Could have:
• Videos (free or paid)
• Audio/podcast
• Companion books
• Online or in-person delivered training course

5. note taking
The purpose of this chapter is to cover how you actually study (rather than just read) a section of the CISSP study guide and how to take notes. We will work through an example of text from the study guide, which I break down into sections, and discuss my decision process on which material to note down and which to leave out.
you’re studying, not reading
The first thing that’s important to remember is that you are studying. This is different to just reading a book. If you’re reading for pleasure it doesn’t really matter how hard you’re concentrating or whether you actually retain much of what you’re reading. Studying is reading with a purpose! You’re looking for key points within the text that you think are ‘testable’. Generally with a text book you will have a number of these facts/theories along with a load of explanatory text. The aim is to be able to pick out these facts and base your notes/flashcards on them. Below I use an example from the study guide about the Bell-LaPadula model to demonstrate what I mean.

“The US Department of Defense (DoD) developed the Bell-LaPadula model in the 1970s to address concerns about protecting classified information. The DoD manages multiple levels of classified resources, and the Bell-LaPadula multilevel model was derived from the DoD’s multilevel security policies. The classifications the DoD uses are numerous; however, discussions of classifications within the CISSP CBK are usually limited to unclassified, sensitive but unclassified, confidential, secret, and top secret. The multilevel security policy states that a subject with any level of clearance can access resources at or below its clearance level. However, within the higher clearance levels, access is granted only on a need-to-know basis. In other words, access to a specific object is granted to the classified levels only if a specific work task requires such access. For example, any person with a secret security clearance can access secret, confidential, sensitive but unclassified, and unclassified documents but not top-secret documents. Also, to access a document within the secret level, the person seeking access must also have a need to know for that document.
By design, the Bell-LaPadula model prevents the leaking or transfer of classified information to less secure clearance levels. This is accomplished by blocking lower-classified subjects from accessing higher-classified objects. With these restrictions, the Bell-LaPadula model is focused on maintaining the confidentiality of objects. Thus, the complexities involved in ensuring the confidentiality of documents are addressed in the Bell-LaPadula model. However, Bell-LaPadula does not address the aspects of integrity or availability for objects. Bell-LaPadula is also the first mathematical model of a multilevel security policy. This model is built on a state machine concept and the information flow model. It also employs mandatory access controls and the lattice concept. The lattice tiers are the classification levels used by the security policy of the organization. The state machine supports multiple states with explicit transitions between any two states; this concept is used because the correctness of the machine, and guarantees of document confidentiality, can be proven mathematically. There are three basic properties of this state machine:
■ The Simple Security Property states that a subject may not read information at a higher sensitivity level (no read up).
■ The * (star) Security Property states that a subject may not write information to an object at a lower sensitivity level (no write down). This is also known as the Confinement Property.
■ The Discretionary Security Property states that the system uses an access matrix to enforce discretionary access control.

These first two properties define the states into which the system can transition. No other transitions are allowed. All states accessible through these two rules are secure states. Thus, Bell-LaPadula–modeled systems offer state machine model security. The Bell-LaPadula properties are in place to protect data confidentiality.
A subject cannot read an object that is
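To see the three properties of the quoted passage as actual access decisions, here is a small Bell-LaPadula reference monitor written for this guide as an added example; it is not code from the Official Study Guide or from (ISC)². It models the five classification levels named in the passage as lattice tiers, adds need-to-know categories (the hypothetical code words BLUE and RED, plus the subject and object names, are constructed for the example) so that the lattice ordering is level plus categories, and checks the simple security, star and discretionary properties in that order for each requested read or write.

```python
"""Bell-LaPadula reference monitor: added example, not from the study guide."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """The lattice tiers named in the passage, ordered low to high."""
    UNCLASSIFIED = 0
    SBU = 1             # sensitive but unclassified
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


@dataclass(frozen=True)
class Label:
    """A point in the lattice: a classification level plus need-to-know
    categories. Category names are hypothetical, used to model the passage's
    'need to know' restriction within a level."""
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level AND a superset of categories.
        return self.level >= other.level and self.categories >= other.categories


@dataclass
class Monitor:
    """System state: clearances, classifications and a discretionary matrix."""
    subjects: dict                              # subject -> Label (clearance)
    objects: dict                               # object  -> Label (classification)
    acl: dict = field(default_factory=dict)     # (subject, object) -> {'read','write'}

    def check(self, subject: str, obj: str, mode: str) -> tuple:
        """Decide one state transition. Returns (allowed, reason)."""
        if mode not in ("read", "write"):
            raise ValueError(f"unknown access mode {mode!r}")
        s, o = self.subjects[subject], self.objects[obj]
        if mode == "read" and not s.dominates(o):
            # Simple Security Property: no read up (level or need-to-know).
            return (False, "simple security property: no read up")
        if mode == "write" and not o.dominates(s):
            # * (star) / Confinement Property: no write down.
            return (False, "star property: no write down")
        if mode not in self.acl.get((subject, obj), set()):
            # Discretionary Security Property: the access matrix must agree too.
            return (False, "discretionary property: not in access matrix")
        return (True, "secure state transition")


def demo_monitor() -> Monitor:
    """Constructed sample state (not from the page): one SECRET-cleared analyst
    with need-to-know for the hypothetical category BLUE, and four documents."""
    blue = frozenset({"BLUE"})
    m = Monitor(
        subjects={"analyst": Label(Level.SECRET, blue)},
        objects={
            "memo": Label(Level.CONFIDENTIAL),                  # below clearance
            "plan": Label(Level.SECRET, blue),                  # same label
            "other_plan": Label(Level.SECRET, frozenset({"RED"})),  # no need-to-know
            "budget": Label(Level.TOP_SECRET, blue),            # above clearance
        },
    )
    for obj in m.objects:
        # The discretionary matrix grants everything by default ...
        m.acl[("analyst", obj)] = {"read", "write"}
    # ... except write on "plan", so the third property has something to block.
    m.acl[("analyst", "plan")] = {"read"}
    return m


if __name__ == "__main__":
    m = demo_monitor()
    for obj in m.objects:
        for mode in ("read", "write"):
            print(f"analyst {mode:5} {obj:11}", m.check("analyst", obj, mode))
```

Reading the memo and writing up to the top-secret budget both pass the mandatory rules, while reading the budget (read up), writing to the memo (write down) and touching the RED plan (no need-to-know) are refused before the access matrix is even consulted.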