Guide to the New CISSP® Certification, 2015

TABLE OF CONTENTS
Introduction 3

What is CISSP? 5

Domain 1: Security and Risk Management 6

Domain 2: Asset Security 9

Domain 3: Security Engineering 11

Domain 4: Communication and Network Security 14

Domain 5: Identity and Access Management 16

Domain 6: Security Assessment and Testing 17

Domain 7: Security Operations 19

Domain 8: Software Development Security 22

Some Generic Terms 24

www.simplilearn.com 02

AN INTRODUCTION

If your goal is to become a certified information security professional, then the CISSP certification and this study guide are for you. The purpose of this eBook is to brief you adequately on the recent changes that have been incorporated in the (ISC)2 CISSP CBK and to elaborate on the key concepts to note if you plan to take the current version (CISSP® 2015) of the exam. All the information provided here has been sourced from (ISC)2, the organizational body that conducts CISSP, and so is authentic and reliable.

The CISSP certification underwent major changes in April 2015, and this has caused some confusion among aspiring candidates. So, what are these changes and why were they introduced?

In an attempt to stay relevant with the changing scenario of the information security field, the (ISC)2 updated the CISSP exam. The (ISC)2, or the International Information Systems Security Certification Consortium, is a global, non-profit organization that acts as the accreditation body of the CISSP exam. Besides CISSP, the organization offers a number of other information security-related education and certifications. This organization, which is often described as the ‘world’s largest IT security organization’, is operated and run by a board of directors elected from the highest ranks of its certified practitioners.


The changes to the exam are as follows:

- Refreshed technical content has been added to the Official (ISC)2 CISSP CBK. This was done in order to include the most current topics in the information security industry. The CBK, or the Critical/Complete Body of Knowledge, is an established common framework of information on security terms and principles.
- The revised exam of 2015 is designed to reflect the technical and managerial competence expected of an experienced information security professional, and tests candidates on their ability to effectively design, engineer, implement and manage an organization’s information security program.

Consequently, the domains used to organize the topics have been reduced to eight from the previous ten. They are:

- Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
- Asset Security (Protecting Security of Assets)
- Security Engineering (Engineering and Management of Security)
- Communications and Network Security (Designing and Protecting Network Security)
- Identity and Access Management (Controlling Access and Managing Identity)
- Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
- Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
- Software Development Security (Understanding, Applying, and Enforcing Software Security)

However, it is to be noted that the reduction in the total number of domains does not translate to a reduction or deletion of content from the previous versions. The exam and the training material have only been reorganized to include the most current information and internationally acclaimed best practices in the information security field.

Also, there is no change in the structure or format of the exam. The CISSP exam remains a computer-based test with 250 questions, which include ‘drag & drop’ and ‘hotspot’ questions. (These are discussed in the latter part of this eBook.) The duration of the exam is six hours and the passing mark is 700 out of 1000 points.

With the changes to the exam now outlined, let’s delve deeper into the other aspects of the certification itself.


Drag & Drop and Hotspot CISSP Questions

These innovative question types, which have been included since January 15, 2014, are expected to have several benefits over the common MCQs. The benefits are that:

- They measure knowledge at higher cognitive levels
- They measure a broad range of skills
- They provide more realistic simulation of practice in the field
- They provide opportunities for broader content coverage than may be possible with MCQs.

What is CISSP®?

The Certified Information Systems Security Professional (CISSP) is an ISO/IEC 17024 ANSI-accredited, globally recognized criterion of accomplishment that is proof of an individual’s knowledge in the information security domain. It is designed for professionals who have at least five years of full-time professional experience in the field. A CISSP certified professional is understood as having the ability to define the architecture, design, management and controls that assure the security of a business environment.

The (ISC)2 CISSP CBK provides a vendor-neutral, internationally understood common framework upon which the practice of information security can be advanced. The extensively covered topics that span the eight domains ensure relevance across a wide range of disciplines in the information security field, thus strongly reaffirming its usability and implementation on a global level.

Note

Once a CISSP Certification has been acquired, candidates can further advance in their career
by deepening their knowledge in management, architecture, or engineering. One possible
way of achieving this is by coupling their CISSP credentials with certifications in Digital
Forensics (CCFP), Software Development (CSSLP), System Authorization (CAP), and/or the
Certified Cloud Security Professional (CCSP).

Beyond knowledge of the eight domains of the CISSP framework, aspirants taking the exam are expected to provide certain background information relating to criminal history. An affirmation of having been involved in any kind of cybercrime or criminal activity will be evaluated, with due explanation, during the endorsement process.


We'll now begin with a discussion of the theoretical components of the examination and cover the eight domains that are dealt with by the CISSP framework.

Domain 1: Security and Risk Management

An Overview

Security and Risk Management is an umbrella domain covering a broad range of general information, starting with the fundamental security principles of confidentiality, integrity and availability, the core pillars on which information security functions are built. The domain then builds upon these pillars in the areas of security governance and compliance, two major areas on which candidates can expect to be tested.

For information security to function effectively, it is essential that it operates on carefully constructed and uniformly applied security policies and procedures. It is for this reason that specific background information is ascertained from candidates during the application process, and that they are also tested on their ability to develop and implement security policies and procedures within an information security context.

The other aspects covered in this domain include: business continuity planning (such as information and requirements gathering), business impact analysis, and recovery point objectives.

Risk management is a central part of this domain, and aspirants are expected to have a thorough understanding of the concepts covered in this area. Risk management concepts that candidates are expected to know include: an introduction to threat modeling, and the integration of risk management into the acquisition and management of hardware, software and service contracts.

Other areas that candidates can expect to be tested on are: personnel security policies, and the capability to establish and maintain security education, training, and awareness programs.


Security and Risk Management: Key Concepts to Note

A. Understand and apply concepts of confidentiality, integrity, and availability

B. Apply security governance principles through:
- Alignment of security function to strategy, goals, mission, and objectives (e.g., business case, budget and resources)
- Organizational processes (e.g., acquisitions, divestitures, governance committees)
- Security roles and responsibilities
- Control frameworks
- Due care
- Due diligence

C. Compliance
- Legislative and regulatory compliance
- Privacy requirements compliance

D. Understand legal and regulatory issues that pertain to information security in a global context
- Computer crimes
- Licensing and intellectual property (e.g., copyright, trademark, digital-rights management)
- Import/export controls
- Trans-border data flow
- Privacy
- Data breaches

E. Understand professional ethics
- Exercise (ISC)2 Code of Professional Ethics
- Support organization’s code of ethics

F. Develop and implement documented security policy, standards, procedures, and guidelines

G. Understand business continuity requirements
- Develop and document project scope and plan
- Conduct business impact analysis


H. Contribute to personnel security policies
- Employment candidate screening (e.g., reference checks, education verification)
- Employment agreements and policies
- Employment termination processes
- Vendor, consultant, and contractor controls
- Compliance
- Privacy

I. Understand and apply risk management concepts
- Identify threats and vulnerabilities
- Risk assessment/analysis (qualitative, quantitative, hybrid)
- Risk assignment/acceptance (e.g., system authorization)
- Countermeasure selection
- Implementation
- Types of controls (preventive, detective, corrective, etc.)
- Control assessment
- Monitoring and measurement
- Asset valuation
- Reporting
- Continuous improvement
- Risk frameworks
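To make the quantitative side of section I concrete (asset valuation, risk analysis, countermeasure selection and risk acceptance), here is an added worked example. It is not part of the guide or of any (ISC)2 material; the SLE/ARO/ALE formulas and the net-value rule for comparing controls are the standard quantitative model assumed for illustration, and all the figures are constructed.

```python
# Added example (not from the Simplilearn guide or (ISC)2 material): a small
# quantitative risk analysis that ties together asset valuation, risk
# assessment and countermeasure selection. The formulas below are the standard
# quantitative model assumed for illustration, not something stated on the page:
#   SLE (single loss expectancy)     = asset value x exposure factor
#   ALE (annualized loss expectancy) = SLE x ARO (annualized rate of occurrence)
#   control value = ALE before - ALE after - annual cost of the control
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # asset valuation, in currency units
    exposure_factor: float  # fraction of the asset value lost per incident (0..1)
    aro: float              # expected number of incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float        # yearly cost of operating the control
    residual_exposure: float  # exposure factor once the control is in place
    residual_aro: float       # ARO once the control is in place


def residual_risk(risk: Risk, cm: Countermeasure) -> Risk:
    """The same asset, re-assessed with the control in place."""
    return Risk(risk.asset, risk.asset_value, cm.residual_exposure, cm.residual_aro)


def control_value(risk: Risk, cm: Countermeasure) -> float:
    """Annual net benefit: ALE reduction minus what the control costs each year."""
    return risk.ale() - residual_risk(risk, cm).ale() - cm.annual_cost


def select_countermeasure(risk: Risk, options: list) -> Optional[Countermeasure]:
    """Pick the control with the highest positive net value.

    Returns None when no option pays for itself; the remaining risk is then a
    candidate for acceptance (or transfer, e.g. insurance) rather than
    mitigation, which is the 'risk assignment/acceptance' step of the outline.
    """
    best = max(options, key=lambda cm: control_value(risk, cm), default=None)
    if best is None or control_value(risk, best) <= 0:
        return None
    return best


# Constructed sample figures: a customer database valued at 500,000 that a
# ransomware incident would degrade by 40%, expected once every two years.
CUSTOMER_DB = Risk("customer database", asset_value=500_000,
                   exposure_factor=0.40, aro=0.5)

OPTIONS = [
    Countermeasure("offline backups with tested restores", 20_000, 0.10, 0.5),
    Countermeasure("hot disaster-recovery site", 90_000, 0.05, 0.5),
    Countermeasure("phishing awareness training", 5_000, 0.40, 0.4),
]


def risk_report(risk: Risk, options: list) -> dict:
    """Summarize the numbers a risk register would record for this asset."""
    chosen = select_countermeasure(risk, options)
    return {
        "sle": risk.sle(),
        "ale": risk.ale(),
        "control_values": {cm.name: control_value(risk, cm) for cm in options},
        "selected": chosen.name if chosen else "accept/transfer residual risk",
    }


if __name__ == "__main__":
    for key, value in risk_report(CUSTOMER_DB, OPTIONS).items():
        print(f"{key}: {value}")
```

With these constructed inputs the ALE is 100,000 per year; tested backups reduce it to 25,000 and cost 20,000, so they carry the best net value, while the hot site reduces the loss further but costs more than it saves. The same function returns no control for a low-value asset, which is the cue to document risk acceptance rather than spend on mitigation.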

J. Understand and apply threat modeling
- Identifying threats (e.g., adversaries, contractors, employees, trusted partners)
- Determining and diagramming potential attacks (e.g., social engineering, spoofing)
- Performing reduction analysis
- Technologies and processes to remediate threats (e.g., software architecture and operations)

K. Integrate security risk considerations into acquisition strategy and practice
- Hardware, software, and services
- Third-party assessment and monitoring (e.g., on-site assessment, document exchange and review, process/policy review)
- Minimum security requirements
- Service-level requirements

L. Establish and manage information security education, training and awareness
- Appropriate levels of awareness, training, and education required within organization
- Periodic reviews for content relevancy

Domain 2: Asset Security

An Overview

Asset Security, the second domain of the CISSP certification, deals with the collection, handling and protection of information throughout its lifecycle. Candidates are expected to be knowledgeable in the classification of information and supporting assets, the key topic covered in this domain. Closely related to it is the knowledge of ownership and how it relates to information, systems, and business processes.

With the continued expansion of collected and stored digitized personal information, privacy concerns have gained importance and form an integral part of the asset security domain. The topics covered here include: the concepts of data owners, data processors, data remanence, and limitations on collection and storage. Data retention should always be considered hand-in-hand with organizational, legal and regulatory requirements, and candidates will be tested on each of these areas.

The responsibility for the selection of appropriate data security controls falls on the information security professional, and candidates can expect to be tested on this area. The sub-topics covered here include: baselines, scoping and tailoring, standards selection and cryptography.

Other topics covered under this area are: data storage, labeling, and destruction. Evaluating data handling requirements and developing appropriate policies and procedures based on that evaluation are skills expected of CISSP candidates.


Asset Security: Key Concepts to Note

A. Classify information and supporting assets (e.g., sensitivity, criticality)

B. Determine and maintain ownership (e.g., data owners, system owners, business/mission owners)

C. Protect privacy
- Data owners
- Data processors
- Data remanence
- Collection limitation

D. Ensure appropriate retention (e.g., media, hardware, personnel)

E. Determine data security controls (e.g., data at rest, data in transit)
- Baselines
- Scoping and tailoring
- Standards selection
- Cryptography

F. Establish handling requirements (markings, labels, storage, destruction of sensitive information)


Domain 3: Security Engineering

An Overview

Security engineering is the second largest domain among the eight, in terms of the number of
topics covered. Security engineering, as defined by (ISC)2, is the practice of building
information systems and related architecture that continue to deliver the required functionality
in the face of threats caused by malicious acts, human error, hardware failure and natural
disasters.

Candidates can be expected to be tested on their ability to implement and manage security
engineering processes using secure design principles. In this regard, candidates are expected
to possess a strong understanding of the fundamental concepts of security models and be
able to develop design requirements based on organizational requirements and security
policies. Candidates should also be able to select controls and countermeasures that satisfy
these design requirements. All this is, in fact, a byproduct of the candidate’s in-depth
knowledge of the security limitations and capabilities of information systems.

As the role of information security professionals includes assessing and mitigating vulnerabilities in security architectures, designs, and solution elements, candidates are expected to have a strong grounding in these areas as well. Topics covered under this include: client and server-side vulnerabilities, database security, distributed systems and cloud security, cryptographic systems and industrial controls. Web application vulnerabilities, mobile devices and embedded systems are also covered.

Cryptography, a key area in security engineering, involves the protection of information, both in motion and at rest, by transforming that information so as to maintain its integrity, confidentiality and authenticity. Some general topics in cryptography that candidates can expect to be tested upon are: the cryptographic lifecycle, cryptographic systems, public key infrastructure, key management practices, digital signatures, and digital rights management. Candidates should also possess a thorough understanding of cryptanalytic attack vectors, including social engineering, brute force, cipher-text only, known plaintext, frequency analysis, chosen cipher-text and implementation attacks. However, one should note that security engineering does not limit itself to information systems development; additional topics in the security engineering domain include the application of secure design principles to site and facility design and physical security.


Security Engineering: Key Concepts to Note

A. Implement and manage engineering processes using secure design principles

B. Understand the fundamental concepts of security models (e.g. Confidentiality, Integrity, and Multi-level Models)

C. Select controls and countermeasures based upon the system’s security evaluation models

D. Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module, interfaces, fault tolerance)

E. Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
- Client-based (e.g., applets, local caches)
- Server-based (e.g., data flow control)
- Database security (e.g., inference, aggregation, data mining, data analytics, warehousing)
- Large-scale parallel data systems
- Distributed systems (e.g., cloud computing, grid computing, peer to peer)
- Cryptographic systems
- Industrial control systems (e.g., SCADA)

F. Assess and mitigate vulnerabilities in web-based systems (e.g., XML, OWASP)

G. Assess and mitigate vulnerabilities in mobile systems

H. Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, Internet of things (IoT))

I. Apply cryptography
- Cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)
- Cryptographic types (e.g., symmetric, asymmetric, elliptic curves)
- Public Key Infrastructure (PKI)
- Key management practices
- Digital signatures
- Digital rights management
- Non-repudiation
- Integrity (hashing and salting)
- Methods of cryptanalytic attacks (e.g., brute force, cipher-text only, known plaintext)

J. Apply secure principles to site and facility design

K. Design and implement physical security
- Wiring closets
- Server rooms
- Media storage facilities
- Evidence storage
- Restricted and work area security (e.g., operations centers)
- Data center security
- Utilities and HVAC considerations
- Water issues (e.g., leakage, flooding)
- Fire prevention, detection and suppression


Domain 4: Communication and Network Security

An Overview

Communication and Network Security is an umbrella area covering aspects of network architecture, transmission methods, transport protocols, control devices, and the security measures used to maintain the confidentiality, integrity and availability of information transmitted over both private and public communication networks.

Candidates will be expected to exhibit a thorough understanding of network fundamentals like network topologies, IP addressing, network segmentation, switching and routing, wireless networking, the OSI and TCP/IP models and the TCP/IP protocol suite. They will further be tested on cryptography, part of which is related to secure network communication. The ability to securely operate and maintain network control devices is a key expectation of this domain. Other concepts covered in this area include: security considerations inherent in the various forms of transmission media, network access control, endpoint security, and content distribution networks.

With the thorough knowledge gained from this domain, candidates should be able to design and implement secure communication channels using a wide range of technologies to facilitate a number of applications like data, voice, remote access, multimedia collaboration and virtualized networks. Knowledge of network attack vectors and the ability to prevent or mitigate these attacks are key concepts candidates are expected to know.

Communication and Network Security: Key Concepts to Note

A. Apply secure design principles to network architecture (e.g., IP & non-IP protocols, segmentation)
- OSI and TCP/IP models
- IP networking
- Implications of multilayer protocols (e.g., DNP3)
- Converged protocols (e.g., FCoE, MPLS, VoIP, iSCSI)
- Software-defined networks
- Wireless networks
- Cryptography used to maintain communication security


B. Secure network components
- Operation of hardware (e.g., modems, switches, routers, wireless access points, mobile devices)
- Transmission media (e.g., wired, wireless, fiber)
- Network access control devices (e.g., firewalls, proxies)
- Endpoint security
- Content-distribution networks
- Physical devices

C. Design and establish secure communication channels
- Voice
- Multimedia collaboration (e.g., remote meeting technology, instant messaging)
- Remote access (e.g., VPN, screen scraper, virtual application/desktop, telecommuting)
- Data communications (e.g., VLAN, TLS/SSL)
- Virtualized networks (e.g., SDN, virtual SAN, guest operating systems, port isolation)

D. Prevent or mitigate network attacks


Domain 5: Identity and Access Management

An Overview

Identity and access management, as stated by (ISC)2, involves ‘provisioning and managing the identities and access used in the interaction of humans and information systems, of disparate information systems, and even between individual components of information systems’. Attacks that aim to gain unauthorized access to systems and information, and subsequently to confidential data, are based on compromising the identity and access control system. This domain helps CISSP candidates equip themselves with enough knowledge to prevent attacks of this sort.

Key concepts in this domain that candidates can expect to be tested on are: identity
management systems, single and multi-factor authentication, accountability, session
management, registration and proofing, federated identity management, and credential
management systems.

Other areas that candidates need to note are: the integration of third party cloud-based and on-premise identity services. Candidates will be expected to demonstrate their ability to implement and manage authorization mechanisms, such as those based on role-based, rule-based, mandatory and discretionary access control. Topics thus included are: the prevention and mitigation of attacks targeting access control systems, and the identity management lifecycle.

Identity and Access Management: Key Concepts to Note

A. Control physical and logical access to assets
- Information
- Systems
- Devices
- Facilities

B. Manage identification and authentication of people and devices
- Identity management implementation (e.g., SSO, LDAP)
- Single/multi-factor authentication (e.g., factors, strength, errors, biometrics)
- Accountability
- Session management (e.g., timeouts, screensavers)
- Registration and proofing of identity
- Federated identity management (e.g., SAML)
- Credential management systems


C. Integrate identity as a service (e.g., cloud identity)

D. Integrate third-party identity services (e.g., on-premise)

E. Implement and manage authorization mechanisms
- Role-Based Access Control (RBAC) methods
- Rule-Based Access Control methods
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
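The four mechanisms in section E differ in who decides and what the decision is based on, which is easiest to see when they are evaluated side by side on one request. The following is an added example, not code from the guide or from (ISC)2: the MAC check uses a constructed ordering of sensitivity labels with the no-read-up and no-write-down rules of the Bell-LaPadula confidentiality model, the DAC check uses owner-managed ACLs, RBAC maps roles to permissions, and the rule-based check is a constructed source-network rule; the users, labels and IP addresses are all made up.

```python
# Added example (not from the guide or (ISC)2 material): the four authorization
# mechanisms named in the outline, each as a small decision function, combined
# under a deny-overrides rule. Assumptions not stated on the page: MAC uses a
# fixed ordering of sensitivity labels with Bell-LaPadula style 'no read up'
# and 'no write down' rules; DAC uses owner-managed ACLs; RBAC maps roles to
# permissions; the rule-based check is a constructed source-network rule.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# MAC: labels are assigned by the system and ordered; owners cannot change them.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# RBAC: permissions attach to roles; users receive roles, never raw permissions.
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

# Rule-based: constructed rule that modifications must originate on the corporate network.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    roles: frozenset = frozenset()
    source_ip: str = "10.0.0.5"


@dataclass
class Resource:
    name: str
    label: str
    owner: str
    acl: dict = field(default_factory=dict)  # DAC: user -> set of granted actions


def mac_allows(subject: Subject, res: Resource, action: str) -> bool:
    """No read up (clearance must dominate the label); no write down."""
    if action == "read":
        return LEVELS[subject.clearance] >= LEVELS[res.label]
    if action == "write":
        return LEVELS[subject.clearance] <= LEVELS[res.label]
    return False


def dac_allows(subject: Subject, res: Resource, action: str) -> bool:
    """The owner has full control and hands out rights through the ACL."""
    if subject.name == res.owner:
        return True
    return action in res.acl.get(subject.name, set())


def rbac_allows(subject: Subject, action: str) -> bool:
    """Granted if any of the subject's roles carries the permission."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


def rule_allows(subject: Subject, action: str) -> bool:
    """Writes and deletes only from a trusted network; reads are not restricted by this rule."""
    if action in ("write", "delete"):
        return any(ip_address(subject.source_ip) in net for net in TRUSTED_NETWORKS)
    return True


def authorize(subject: Subject, res: Resource, action: str) -> dict:
    """Evaluate every mechanism; access is granted only if none of them denies."""
    decisions = {
        "mac": mac_allows(subject, res, action),
        "dac": dac_allows(subject, res, action),
        "rbac": rbac_allows(subject, action),
        "rule": rule_allows(subject, action),
    }
    return {**decisions, "allowed": all(decisions.values())}


# Constructed sample: a confidential forecast owned by alice; bob holds a DAC
# read grant from alice but only an 'internal' clearance.
FORECAST = Resource("q3-forecast.xlsx", label="confidential", owner="alice",
                    acl={"bob": {"read"}})
ALICE = Subject("alice", clearance="confidential", roles=frozenset({"editor"}))
BOB = Subject("bob", clearance="internal", roles=frozenset({"analyst"}))
ALICE_REMOTE = Subject("alice", clearance="confidential", roles=frozenset({"editor"}),
                       source_ip="203.0.113.7")  # documentation range, outside the trusted network

if __name__ == "__main__":
    for who, what in ((ALICE, "read"), (BOB, "read"), (ALICE, "write"), (ALICE_REMOTE, "write")):
        print(who.name, what, authorize(who, FORECAST, what))
```

The bob case is the instructive one: the owner's discretionary grant is honoured by DAC and his analyst role permits reading, yet the request is still refused because the mandatory label check dominates. Likewise alice, who passes every other check, cannot write from outside the trusted network, which is the rule-based layer doing its job independently of identity.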

F. Prevent or mitigate access control attacks

G. Manage the identity and access provisioning lifecycle (e.g., provisioning, review)

Domain 6: Security Assessment and Testing

An Overview

Security assessment and testing aims to cover the evaluation of information assets and associated infrastructure using various tools and techniques for the purposes of identifying and mitigating risk arising out of architectural issues, design flaws, configuration errors, hardware and software vulnerabilities, coding errors, and any other weaknesses that may affect an information system’s ability to deliver in a secure manner.

Candidates may be tested in the areas of: continuous validation of the application of organizational information security plans, policies, processes and procedures; validating assessment and test strategies; and carrying out those strategies using various techniques. Other areas that candidates will be tested on include: vulnerability assessments, penetration testing, synthetic transactions, code review and testing, misuse case testing, and interface testing.


In addition to ensuring that the security policies and procedures are continuously and
uniformly applied, it is also the responsibility of information security professionals to ensure
that disaster recovery and business continuity plans are maintained, updated, and function as
intended in the event of disaster. Therefore, this domain includes topics in the collection of
security process data. Candidates will be tested on account management, management
review, key performance and risk indicators, verification of backups, training and awareness,
and disaster recovery and business continuity.

Clearly, security assessment and testing cannot be successful without careful analysis and reporting of assessment results in a way that allows appropriate mitigation strategies to be developed and implemented. Candidates will hence be tested on their ability to conduct or facilitate third party audits.

Security Assessment and Testing: Key Concepts to Note

A. Design and validate assessment and test strategies

B. Conduct security control testing
- Vulnerability assessment
- Penetration testing
- Log reviews
- Synthetic transactions
- Code review and testing (e.g., manual, dynamic, static, fuzz)
- Misuse case testing
- Test coverage analysis
- Interface testing (e.g., API, UI, physical)

C. Collect security process data (e.g., management and operational controls)
- Account management (e.g., escalation, revocation)
- Management review
- Key performance and risk indicators
- Backup verification data
- Training and awareness
- Disaster recovery and business continuity

D. Analyze and report test outputs (e.g., automated, manual)

E. Conduct or facilitate internal and third party audits


Domain 7: Security Operations

An Overview

Security Operations is of a practical nature and is intended to cover the tasks and situations that information security professionals are expected to perform, or be presented with, on a daily basis. It is therefore a broad area covering a range of topics in the application of information security concepts and best practices to the operation of enterprise computing systems, and is the largest of all the eight domains constituting the CISSP CBK.

This domain aims to assess candidates’ knowledge of and ability to support forensic investigations, as well as their skill in using various investigative concepts, including evidence collection and handling, documentation and reporting, investigative techniques and digital forensics. CISSP candidates should be adept at investigations, such that their understanding of the subject from an operational, criminal, civil, and regulatory perspective is in-depth.

Other than supporting forensic investigations, candidates are expected to have good
knowledge of effective logging and monitoring mechanisms which are essential security
functions.

Certain other aspects addressed in this domain include: the provisioning of resources, and the management and protection of those resources throughout their lifecycle. Security operations is predicated on the protection of these resources. Candidates will be tested on their ability to operate and maintain protective controls like firewalls, intrusion prevention systems, application whitelisting, anti-malware, honeypots and honeynets and sandboxing, as well as to manage third party security contracts and services. Other concepts that candidates can be tested upon are patch, vulnerability, and change management.

This domain also tests candidates on their ability to conduct all aspects of incident management, and on their ability to implement and test disaster recovery processes and participate in business continuity planning.


Security Operations: Key Concepts to Note

A. Understand and support investigations
- Evidence collection and handling (e.g., chain of custody, interviewing)
- Reporting and documenting
- Investigative techniques (e.g., root-cause analysis, incident handling)
- Digital forensics (e.g., media, network, software, and embedded devices)

B. Understand requirements for investigation types
- Operational
- Criminal
- Civil
- Regulatory
- Electronic discovery (eDiscovery)

C. Conduct logging and monitoring activities
- Intrusion detection and prevention
- Security information and event management
- Continuous monitoring
- Egress monitoring (e.g., data loss prevention, steganography, watermarking)

D. Secure the provisioning of resources
- Asset inventory (e.g., hardware, software)
- Configuration management
- Physical assets
- Virtual assets (e.g., software-defined network, virtual SAN, guest operating systems)
- Cloud assets (e.g., services, VMs, storage, networks)
- Applications (e.g., workloads or private clouds, web services, software as a service)

E. Understand and apply foundational security operations concepts
- Need-to-know/least privilege (e.g., entitlement, aggregation, transitive trust)
- Separation of duties and responsibilities
- Monitor special privileges (e.g., operators, administrators)
- Job rotation
- Information lifecycle
- Service-level agreements

F. Employ resource protection techniques
- Media management
- Hardware and software asset management

G. Conduct incident management
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Lessons learned

H. Operate and maintain preventative measures
- Firewalls
- Intrusion detection and prevention systems
- Whitelisting/Blacklisting
- Third-party security services
- Sandboxing
- Honeypots/Honeynets
- Anti-malware

I. Implement and support patch and vulnerability management

J. Participate in and understand change management processes (e.g., versioning, baselining, security impact analysis)

K. Implement recovery strategies
- Backup storage strategies (e.g., offsite storage, electronic vaulting, tape rotation)
- Recovery site strategies
- Multiple processing sites (e.g., operationally redundant systems)
- System resilience, high availability, quality of service, and fault tolerance

L. Implement disaster recovery processes
- Response
- Personnel
- Communications
- Assessment
- Restoration
- Training and awareness

M. Test disaster recovery plans
- Read-through
- Walkthrough
- Simulation
- Parallel
- Full interruption

N. Participate in business continuity planning and exercises

O. Implement and manage physical security
- Perimeter (e.g., access control and monitoring)
- Internal security (e.g., escort requirements/visitor control, keys and locks)

P. Implement and manage physical security

Domain 8: Software Development Security

An Overview

Software Development Security is the last domain of the CISSP examination and involves the application of security concepts and best practices to the production and development of software environments. Although not hardcore software developers or software security engineers, CISSPs are responsible for assessing and enforcing security controls on software being operated within their environments. In order to achieve this, information security professionals should understand and apply security in the context of the software development lifecycle.

Candidates will be tested on software development methodologies, maturity models,
operations and maintenance, change management, and their understanding of the needs of
an integrated product development team. They should also be able to enforce security
controls in software development environments, and in this regard will be tested on the
security of software development tools, source code weaknesses and vulnerabilities,
configuration management as it relates to source code development, the security of code
repositories, and the security of application programming interfaces.

Topics included in this area thus include: auditing and logging in relation to change
management, risk analysis and mitigation as it relates to software security and the security
impact of acquired software.


Software Development Security: Key Concepts to Note

A. Understand and apply security in the software development lifecycle

∠ Development methodologies (e.g., Agile, Waterfall)
∠ Maturity models
∠ Operation and maintenance
∠ Change management
∠ Integrated product team (e.g., DevOps)

B. Enforce security controls in development environments

∠ Security of the software environments
∠ Security weaknesses and vulnerabilities at the source-code level (e.g., buffer
overflow, escalation of privilege, input/output validation)
∠ Configuration management as an aspect of secure coding
∠ Security of code repositories
∠ Security of application programming interfaces

C. Assess the effectiveness of software security

∠ Auditing and logging of changes
∠ Risk analysis and mitigation
∠ Acceptance testing

D. Assess security impact of acquired software

∠ Development methodologies (e.g., Agile, Waterfall)


Having an outline of the structure of the domains and the areas covered in CISSP, the next
thing to know is the common terms that candidates need to be thorough with. The next
section briefly explains some of these terms.

Generic Terms

As you study for your CISSP exam, you’ll need to master the terms and tools of the trade. This
useful glossary will help you find the definitions for important CISSP terms in a single,
convenient location, and will also serve as a ready reckoner for refreshing what you’ve studied so
far.

ACL:
An access control list is a list that specifies which subjects can access which objects.

Administrative Detective Control:
Policy or rule that detects when something has occurred by using auditing or performance
reviews to see the actions that subjects have taken.

Asynchronized Device:
A token device which uses a challenge-response approach to generate a password.

Authentication:
A system for validating that the subject or object is really who or what they say or appear to be.

Authentication Service:
The part of the KDC that actually authenticates the subjects and objects.

Authorization Creep:
Accidentally giving a subject access to objects that are not intended for them to have access to.

Biometrics:
The most expensive and secure authentication type which uses physical characteristics to
authenticate a person. Biometrics use characteristics such as retina and iris scans, fingerprint
and handprint characteristics, voice patterns, keystroke patterns, and signatures to authenticate
a subject.

Brute Force:
An attack that attempts to gain access many times using different input types. Examples of
brute force attacks are password guessing and war dialing.


CER:
Crossover Error Rate is the error rate at the point where the FRR and the FAR curves would
cross if they were graphed. The CER allows two different biometric methods to be
compared.
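To make the CER definition concrete, here is an added example (not part of this guide) that locates the crossover point from a table of measured FAR/FRR values and uses it to compare two systems. The measurement rows, system names and function names are all constructed for illustration.

```python
from typing import List, Tuple

# Constructed sample measurements (not from the guide): each row is
# (match threshold, FAR, FRR) observed on a test population. Tightening
# the threshold lowers the FAR (fewer impostors accepted) and raises the
# FRR (more genuine users rejected), so the two curves cross somewhere.
Curve = List[Tuple[float, float, float]]
SYSTEM_A: Curve = [
    (0.1, 0.400, 0.01), (0.3, 0.200, 0.03), (0.5, 0.080, 0.07),
    (0.7, 0.020, 0.15), (0.9, 0.005, 0.30),
]
SYSTEM_B: Curve = [
    (0.1, 0.300, 0.02), (0.3, 0.120, 0.05), (0.5, 0.050, 0.05),
    (0.7, 0.010, 0.12), (0.9, 0.002, 0.25),
]


def crossover_error_rate(curve: Curve) -> Tuple[float, float]:
    """Return (threshold, CER) where FAR == FRR.

    Rows are walked in threshold order; inside the first interval where
    FAR - FRR changes sign, the crossing is found by linear interpolation.
    """
    rows = sorted(curve)
    for (t0, far0, frr0), (t1, far1, frr1) in zip(rows, rows[1:]):
        d0, d1 = far0 - frr0, far1 - frr1
        if d0 == 0:                       # exact crossing on a measured row
            return t0, far0
        if d0 * d1 < 0:                   # sign change: crossing lies inside
            f = d0 / (d0 - d1)            # fraction of the interval to the crossing
            return t0 + f * (t1 - t0), far0 + f * (far1 - far0)
    t_last, far_last, frr_last = rows[-1]
    if far_last == frr_last:
        return t_last, far_last
    raise ValueError("FAR and FRR never cross in the measured threshold range")


def better_by_cer(name_a: str, curve_a: Curve, name_b: str, curve_b: Curve) -> str:
    """Lower CER means fewer errors at the balanced operating point."""
    _, cer_a = crossover_error_rate(curve_a)
    _, cer_b = crossover_error_rate(curve_b)
    return name_a if cer_a < cer_b else name_b


if __name__ == "__main__":
    for name, curve in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        t, cer = crossover_error_rate(curve)
        print(f"system {name}: CER {cer:.4f} at threshold {t:.3f}")
    print("better system by CER:", better_by_cer("A", SYSTEM_A, "B", SYSTEM_B))
```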

Centralized Authentication:
An authentication type in which a single entity controls all access to certain objects. It is a
strict control that allows for easy administration but introduces a single point of failure.

Control:
A safeguard that lessens risk once a high probability of a loss has been realized.

DAC:
Discretionary Access Control is an identity-based access control. This means that the user
must be authenticated as a specific user and, based on those privileges, can specify who else
can access that object. DAC gives the owner the ability to specify access restrictions.

Decentralized Authentication:
An authentication type in which administrative access is handled closer to the objects that are
being controlled, for example across multiple machines that share information such as a security domain.

Dictionary Attack:
A selective attack in which a dictionary of common words, identification credentials, or
frequently used user IDs is submitted to the authentication device.

DoS Attack:
A Denial of Service attack attempts to stop a network by flooding it with useless traffic. A DoS
system is used as a master that communicates with, and hosts hacking tools from, the Internet,
allowing the hacker to send out attacks using a single command.

Domain:
A group of computers on a network that share a Security Accounts Manager database and
security policies.

FAR:
False Acceptance Rate is the rate at which a biometrics system accepts an invalid subject.

FRR:
False Rejection Rate is the rate at which a biometrics system would reject a valid subject.


Hacker:
Also referred to as a cracker, a hacker is a person who is well skilled in a programming
language and often considered an expert on the subject. Can be a complimentary or a
derogatory term!

Honeypot:
A monitoring process that segments an area or entire machine onto a portion of the network,
opening ports to entice a hacker to find and attack the machine.

Hybrid Model:
A combination of centralized and decentralized authentication.

IDS:
An intrusion detection system inspects all network activity and identifies any suspicious
patterns indicative of an attack.

Identification:
A claim to be a valid subject.

KDC:
Key Distribution Center is a component of the Kerberos system which holds all cryptographic
keys. The KDC must be communicated with at every phase in order to initiate any type of
authentication.

Kerberos:
A product developed by MIT that provides authentication and message protection using one
key to encrypt a message on one side and the same key to decrypt the message on the other
side.

Least Privilege:
A concept that grants subjects only enough access to objects to perform the required tasks.
The goal is to limit authorization creep.

Object:
An entity that contains or controls data.

MAC:
Mandatory Access Control is a mandatory set of rules that everyone must abide by. It is a
rule-based access control in which data owners are granted access based upon rules.


Man-in-the-Middle Attack:
A network attack where the hacker intercepts a public key exchange and substitutes his own
public key for the requested one, thus enabling him to intercept messages from both sides of
the communication.

Non-Discretionary Control:
A role-based access control in which access is granted based upon the subject’s role instead of
identity. This type of control is common in an environment with frequent personnel changes.

Penetration Testing:
A legal hacking process of pretending to be a hacker, scanning and probing the systems to see
if they can be accessed. A coordinated set of attacks to judge the vulnerability of a system.

Physical Access Controls:
Controls which limit physical access to hardware.

Physical Preventative Control:
A control, such as a badge or access card, which stops something before it occurs.

RADIUS:
Remote Authentication Dial-In User Server is a centralized authentication protocol that
authenticates and authorizes users, generally through dial-up access, and provides the
authentication mechanism that allows dial-up subjects to access objects.

SESAME:
Secure European System for Applications in a Multivendor Environment is an authentication
service for use in Europe. SESAME uses public key cryptography to distribute secret keys and
a Privilege Attribute Certificate mechanism, which contains key information and the necessary
authentication packet to pass authentication.

SSO:
Single Sign-On is a method that allows the users to have a domain of control. SSO simplifies
the authentication process by allowing the users to authenticate themselves into an entry
point of a domain which signs them into every component of the domain.

Security Label:
A concept that assigns a classification level to objects.

Shoulder Surfing:
An observation technique in which information is obtained by looking over someone’s
shoulder.


Spoofing:
A technique used by hackers to gain entry to a system by modifying packet headers so as to
appear as a trusted host.

Synchronized Device:
A token device that generates time-based passwords to correspond with a central server.

TACACS:
Terminal Access Controller Access Control System is a centralized authentication type that
provides single factor authentication and authorization for direct access. The TACACS+ version
implements two-factor authentication.

Ticket:
A multiple component message that is sent back and forth in Kerberos. The message contains
the ticket and an authentication message specifying that the subject is authenticated or that a
subject has been authenticated and is valid to access a specific object.

Token Device:
A small device that generates passwords based on synchronous or asynchronous query to a
centralized server. An example would be a smart card.

War Dialer:
A computer program built to seek out modems by dialing consecutive phone numbers. War Dialers
are built to find vulnerable computer systems.

In Conclusion

With a good grasp of the core concepts for the CISSP certification, and an understanding of the
generic terms, we hope we have laid the foundation for your rigorous preparation for the CISSP
certification examination. On completing your preparation for the examination, do practice
with the sample exam papers that are available on (ISC)2's official website.

To know more about the important, reliable books that can aid you in the preparation journey,
you might want to click here.

We wish you good luck in your certification journey!

The CISSP Training from Simplilearn has many hallmark features to
stamp its credible benefits to certification seekers:

∠ 32 hours of high quality e-learning content
∠ 5 simulation exams (250 questions each)
∠ 8 domain-specific test papers (10 questions each)
∠ 30 CPEs/PDUs offered
∠ 98.6% pass rate

GOOD LUCK

For more information on our CISSP offerings, please visit our course page here
