ESSENTIAL CISSP Exam Guide: Updated for the 2018 CISSP Body of Knowledge
Phil Martin, Nearsighted Ninja
Nonce Corp is an independent entity from (ISC)² and is not affiliated with (ISC)² in any manner. This study/training guide and/or material is not sponsored by, endorsed by, or affiliated with (ISC)² in any manner. This publication may be used in assisting students to prepare for the Certified Information Systems Security Professional (CISSP) exam. Neither (ISC)² nor Nonce Corp warrant that use of this publication will ensure passing any exam. CISSP is a trademark or registered trademark of (ISC)². All other trademarks are trademarks of their respective owners.
An audio version of this print book is available on audible.com!
Essential CISSP Exam Guide
Copyright 2018 by Nonce Corp. Printed in the United States of America. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.
All trademarks or copyrights mentioned herein are the possession of their respective owners and Nonce Corp makes no claim of ownership by the mention of products that contain these marks.
ISBN: 9781723901515
Information has been obtained by Nonce Corp from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, Nonce Corp does not guarantee the accuracy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
About
About the Exam
The exam consists of 250 multiple-choice, drag and drop, and Hotspot questions that must be answered in 6 hours.
- Multiple Choice: select a single option from many
- Drag and Drop: select one or more answers and drag them to a drop area; occasionally the order matters
- Hotspot: click a visual item that does or does not answer the question
There is no penalty for guessing, so be sure not to skip a question. However, you must manage your time well: if you run across a question that you are not sure of, go ahead and guess, but then flag it for review. When you have completed all other questions, go back to each flagged question and spend more time on it.
Of the 250 questions, only 225 will be graded; 25 are used for research purposes. Therefore, you may run across questions that are completely unfamiliar or appear to be too vague to answer properly. Go ahead and answer them to the best of your ability, but don't worry too much about these critters; they may very well be one of the 25 research questions. Each test taker is given a random sampling of questions pulled from a much larger pool of questions, so you will not be taking the exact same test as the person sitting next to you. You will need to correctly answer 70% of the questions (175 questions).
An important fact to note is that there will be no questions that are specific to a platform (Windows, Linux, etc.). While this book does contain information that is specific to a platform, that content will not be highlighted (see About This Book); in other words, you will not need to remember specifics, just the concept. While most questions are direct, there will be some scenario-based questions that present a situation and then ask one or more questions about that scenario.
Once you have passed the exam, you will still need to provide proof that you possess the experience required to obtain the certification. This will include having a CISSP-certified individual sponsor you.
About This Book
This book has been kept simple on purpose: no fluff, just the facts, with a few mnemonic devices thrown in to help you remember.
Some simple rules on text formatting:
This is a term you should memorize:
Italicized and underlined text
This is a concept you should remember:
Bold text
This is to help you understand the other two above:
Normal text
Read normal text at least once, and revisit as often as you need.
After each chapter you will find approximately 5 test questions to gauge how well you have retained the information. While this helps a great deal while reading this book, you will probably want to purchase additional test questions. The companion to this book, Essential CISSP Test Questions, is a great resource for this with over 2,000 sample questions that cover all 8 domains.
Answers for all test questions can be found in the back of the book.
Section 1: Security and Risk Management Domain
The goals of security are contained within 3 security principles, commonly referred to in the industry as CIA: confidentiality, integrity and availability.
Chapter 1: CIA and AAA
Confidentiality is achieved when we have a high level of assurance that information is kept from unauthorized parties. Attackers can circumvent confidentiality by social engineering attacks such as shoulder surfing, brute-force password attacks and decrypting packets. Don't worry if these concepts are unfamiliar right now; we'll discuss them later. Confidentiality is usually enforced by encrypting data, or by classifying and restricting that data. Examples of confidentiality are encryption at-rest, encryption in-transit and access controls. Other important confidentiality-related concepts are:
- Sensitivity, which is a measure of harm or damage if the information were to be disclosed
- Discretion, which is shown by a person when choosing to control disclosure of information to limit damage
- Criticality, or how critical to a mission information is
- Concealment, or the act of hiding or preventing disclosure
- Secrecy, which is the act of keeping something a secret
- Privacy, or the act of keeping information confidential that is personally identifiable or that can cause damage if disclosed
- Seclusion, which is storing something in an out-of-the-way manner
- Isolation, or keeping something separate from others
Integrity is achieved when information remains unaltered (and can be proven to be so) except by authorized parties. We can approach integrity from 3 views:
- Preventing intentional unauthorized modifications
- Preventing accidental modifications
- Ensuring that the internal and external consistency of information remains valid
As an example, if an attacker plants a virus or logic bomb in a system, the integrity of that system has been compromised because it has been altered in an unauthorized manner. Or, an attacker may covertly tamper with data either at-rest or in-transit, meaning that the integrity of the data has not been upheld; in this case hashing can often detect this type of attack. Sometimes loss of integrity can be by mistake, such as an employee accidentally entering the wrong amount to charge a customer, with the result of corrupt data. In this case, implementing the correct input validation can prevent corrupt data from happening. Other examples of integrity controls are managing change control, digital signing, and cyclic redundancy checks (or CRC).
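As an added illustration (not from the book) of the integrity controls just named, the snippet below applies a CRC and a keyed hash (HMAC) to a stored charge record, shows that both flag a covert modification, and validates a typed-in amount so an accidental entry error cannot corrupt the data. The record, the key and the function names are constructed for this example.

```python
import hashlib
import hmac
import zlib
from decimal import Decimal, InvalidOperation

# Constructed sample record: a customer charge stored at rest.
RECORD = b"customer=4711;amount=19.99;currency=USD"
# Hypothetical integrity key held only by the system that writes records.
INTEGRITY_KEY = b"example-key-not-for-production"


def crc_tag(data: bytes) -> int:
    """Unkeyed CRC32: good at catching accidental corruption (a flipped bit),
    but anyone who can rewrite the record can also recompute the CRC."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_tag(data: bytes, key: bytes) -> bytes:
    """Keyed hash: without the key a tamperer cannot produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(data: bytes, tag: bytes, key: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing via timing."""
    return hmac.compare_digest(hmac_tag(data, key), tag)


def validate_amount(text: str) -> Decimal:
    """Input validation for the 'wrong amount' case: accept only a finite,
    positive money value with at most two decimal places."""
    try:
        amount = Decimal(text)
    except InvalidOperation:
        raise ValueError(f"not a number: {text!r}")
    if not amount.is_finite() or amount <= 0:
        raise ValueError(f"invalid amount: {text!r}")
    if amount != amount.quantize(Decimal("0.01")):
        raise ValueError(f"too many decimal places: {text!r}")
    return amount


def is_valid_amount(text: str) -> bool:
    try:
        validate_amount(text)
        return True
    except ValueError:
        return False


def demo() -> dict:
    tag, crc = hmac_tag(RECORD, INTEGRITY_KEY), crc_tag(RECORD)
    tampered = RECORD.replace(b"19.99", b"1999.99")  # covert at-rest change
    return {
        "crc_detects_change": crc_tag(tampered) != crc,
        "hmac_detects_change": not verify(tampered, tag, INTEGRITY_KEY),
        "hmac_accepts_original": verify(RECORD, tag, INTEGRITY_KEY),
    }
```

Only the HMAC result is trustworthy against a deliberate attacker, because the CRC can be recomputed by whoever altered the record; the CRC still has value for detecting accidental corruption.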