Guide to the New CISSP® Certification, 2015

Source: http://slidepdf.com/reader/full/new-cissp-certification-2015 (29-page document; uploaded by ramsrambo, posted 17-Feb-2018; retrieved 7/23/2019)

www.simplilearn.com

TABLE OF CONTENTS

  Introduction
  What is CISSP?
  Domain 1: Security and Risk Management
  Domain 2: Asset Security
  Domain 3: Security Engineering
  Domain 4: Communication and Network Security
  Domain 5: Identity and Access Management
  Domain 6: Security Assessment and Testing
  Domain 7: Security Operations
  Domain 8: Software Development Security
  Some Generic Terms


AN INTRODUCTION

If your goal is to become a certified information security professional, then the CISSP certification and this study guide are for you. The purpose of this eBook is to brief you on the recent changes incorporated in the (ISC)2 CISSP CBK and to elaborate on the key concepts to note if you plan to take the current version (CISSP® 2015) of the exam. All the information provided here has been sourced from (ISC)2, the organization that administers the CISSP, and so is authentic and reliable.

The CISSP certification underwent major changes in April 2015, and this has caused some confusion among aspiring candidates. So, what are these changes and why were they introduced?

To stay relevant as the information security field changes, (ISC)2 updated the CISSP exam. (ISC)2, the International Information Systems Security Certification Consortium, is a global non-profit organization that acts as the accreditation body for the CISSP exam. Besides the CISSP, it offers a number of other information security-related education programs and certifications. The organization, often described as the 'world's largest IT security organization', is run by a board of directors elected from the highest ranks of its certified practitioners.


The changes to the exam are as follows:

Refreshed technical content was added to the Official (ISC)2 CISSP CBK, in order to include the most current topics in the information security industry. The CBK, or Common Body of Knowledge, is an established common framework of information security terms and principles.

The revised 2015 exam is designed to reflect the technical and managerial competence expected of an experienced information security professional, and tests candidates on their ability to effectively design, engineer, implement and manage an organization's information security program.

The domains used to organize the topics were reduced from ten to eight. They are:

  Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  Asset Security (Protecting Security of Assets)
  Security Engineering (Engineering and Management of Security)
  Communications and Network Security (Designing and Protecting Network Security)
  Identity and Access Management (Controlling Access and Managing Identity)
  Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  Software Development Security (Understanding, Applying, and Enforcing Software Security)

Note, however, that the reduction in the number of domains does not mean that content from the previous version was removed. The exam and the training material have only been reorganized to include the most current information and internationally acclaimed best practices in the information security field.

There is also no change in the structure or format of the exam. The CISSP exam remains a computer-based test with 250 questions, which include 'drag & drop' and 'hotspot' questions (discussed in the next section). The duration of the exam is six hours and the passing mark is 700 out of 1000 points.

With the changes to the exam now outlined, let's look at the other aspects of the certification itself.


Drag & Drop and Hotspot CISSP Questions

These innovative question types, included in the exam since January 15, 2014, are expected to have several benefits over common multiple-choice questions (MCQs):

  They measure knowledge at higher cognitive levels
  They measure a broad range of skills
  They provide a more realistic simulation of practice in the field
  They provide opportunities for broader content coverage than may be possible with MCQs

What is CISSP®?

The Certified Information Systems Security Professional (CISSP) is an ANSI/ISO/IEC 17024 accredited, globally recognized standard of achievement that attests to an individual's knowledge in the information security domain. It is designed for professionals who have at least five years of full-time professional experience in the field. A CISSP-certified professional is understood to have the ability to define the architecture, design, management and/or controls that assure the security of business environments.

The (ISC)2 CISSP CBK provides a vendor-neutral, internationally understood common framework upon which the practice of information security can be advanced. The topics covered across the eight domains ensure relevance across a wide range of disciplines in the information security field, reaffirming the credential's usefulness and applicability at a global level.

Once the CISSP certification has been acquired, candidates can advance further in their career by deepening their knowledge in management, architecture or engineering. One way of achieving this is by coupling the CISSP with certifications in Digital Forensics (CCFP), Software Development (CSSLP), System Authorization (CAP) and/or the Certified Cloud Security Professional (CCSP).

Note: Beyond knowledge of the eight domains, candidates taking the exam are required to provide certain background information relating to criminal history. An affirmative answer regarding involvement in any kind of cybercrime or criminal activity is evaluated, together with the candidate's explanation, during the endorsement process.

Domain 1: Security and Risk Management

Security and Risk Management: Key Concepts to Note

A. Understand and apply concepts of confidentiality, integrity, and availability

B. Apply security governance principles through:
  Alignment of security function to strategy, goals, mission, and objectives (e.g., business case, budget and resources)
  Organizational processes (e.g., acquisitions, divestitures, governance committees)
  Security roles and responsibilities
  Control frameworks
  Due care
  Due diligence

C. Compliance
  Legislative and regulatory compliance
  Privacy requirements compliance

D. Understand legal and regulatory issues that pertain to information security in a global context
  Computer crimes
  Licensing and intellectual property (e.g., copyright, trademark, digital-rights management)
  Import/export controls
  Trans-border data flow
  Privacy
  Data breaches

E. Understand professional ethics
  Exercise (ISC)2 Code of Professional Ethics
  Support organization's code of ethics

F. Develop and implement documented security policy, standards, procedures, and guidelines

G. Understand business continuity requirements
  Develop and document project scope and plan
  Conduct business impact analysis


H. Contribute to personnel security policies
  Employment candidate screening (e.g., reference checks, education verification)
  Employment agreements and policies
  Employment termination processes
  Vendor, consultant, and contractor controls
  Compliance
  Privacy

I. Understand and apply risk management concepts
  Identify threats and vulnerabilities
  Risk assessment/analysis (qualitative, quantitative, hybrid)
  Risk assignment/acceptance (e.g., system authorization)
  Countermeasure selection
  Implementation
  Types of controls (preventive, detective, corrective, etc.)
  Control assessment
  Monitoring and measurement
  Asset valuation
  Reporting
  Continuous improvement
  Risk frameworks

J. Understand and apply threat modeling
  Identifying threats (e.g., adversaries, contractors, employees, trusted partners)
  Determining and diagramming potential attacks (e.g., social engineering, spoofing)
  Performing reduction analysis
  Technologies and processes to remediate threats (e.g., software architecture and operations)

K. Integrate security risk considerations into acquisition strategy and practice
  Hardware, software, and services
  Third-party assessment and monitoring (e.g., on-site assessment, document exchange and review, process/policy review)
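Section I above lists quantitative risk analysis, asset valuation and countermeasure selection without showing how they fit together. The following is an added example, not from the guide or from (ISC)2, that applies the standard quantitative formulas (SLE = AV x EF, ALE = SLE x ARO) to rank candidate controls by their net annual value. The asset, exposure factors, incident rates and control costs are constructed for illustration.

```python
"""Quantitative risk analysis and countermeasure selection.

Added example, not from the guide. It applies the standard formulas:
    SLE = AV * EF           single loss expectancy
    ALE = SLE * ARO         annualized loss expectancy
    value of a control = ALE(before) - ALE(after) - annual cost of the control
All asset values, exposure factors, rates and costs are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: float      # AV: replacement value plus business impact, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 .. 1.0
    annual_rate: float      # ARO: expected number of incidents per year


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float      # amortized purchase plus yearly operating cost
    exposure_factor: float  # EF with the control in place
    annual_rate: float      # ARO with the control in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               annual_rate: float) -> float:
    return single_loss_expectancy(asset_value, exposure_factor) * annual_rate


def control_value(asset: Asset, control: Countermeasure) -> float:
    """Net annual benefit of applying `control` to `asset`; negative means the
    control costs more than the risk it removes."""
    before = annualized_loss_expectancy(asset.asset_value, asset.exposure_factor,
                                        asset.annual_rate)
    after = annualized_loss_expectancy(asset.asset_value, control.exposure_factor,
                                       control.annual_rate)
    return before - after - control.annual_cost


def select_countermeasure(asset: Asset, candidates: Iterable[Countermeasure]
                          ) -> Tuple[Optional[Countermeasure], float]:
    """Pick the candidate with the highest positive net value. Returns
    (None, 0.0) when no candidate pays for itself, i.e. the defensible
    decision is to accept or transfer the risk rather than mitigate it."""
    best, best_value = None, 0.0
    for control in candidates:
        value = control_value(asset, control)
        if value > best_value:
            best, best_value = control, value
    return best, best_value


# Constructed scenario: a customer database valued at 500,000. A breach is
# expected to destroy 40% of that value and to occur once every two years.
CUSTOMER_DB = Asset("customer-db", asset_value=500_000,
                    exposure_factor=0.40, annual_rate=0.5)

CANDIDATES = [
    # Encryption at rest with proper key management: breaches still happen at
    # the same rate, but the exfiltrated data is mostly unusable, so EF drops.
    Countermeasure("encryption-at-rest", annual_cost=15_000,
                   exposure_factor=0.05, annual_rate=0.5),
    # Network segmentation: fewer successful breaches, same damage per breach.
    Countermeasure("segmentation", annual_cost=40_000,
                   exposure_factor=0.40, annual_rate=0.25),
    # A control whose yearly cost exceeds the entire ALE it could ever remove.
    Countermeasure("full-dlp-suite", annual_cost=120_000,
                   exposure_factor=0.01, annual_rate=0.1),
]


if __name__ == "__main__":
    ale = annualized_loss_expectancy(CUSTOMER_DB.asset_value,
                                     CUSTOMER_DB.exposure_factor,
                                     CUSTOMER_DB.annual_rate)
    print(f"ALE with no additional controls: {ale:,.0f}")
    for control in CANDIDATES:
        print(f"  {control.name:<20} net value per year: "
              f"{control_value(CUSTOMER_DB, control):>10,.0f}")
    best, value = select_countermeasure(CUSTOMER_DB, CANDIDATES)
    print("decision:", best.name if best else "accept the risk", f"({value:,.0f}/year)")
```

The third candidate is rejected even though it reduces the loss the most: its annual cost exceeds the whole ALE it removes, so for that option the defensible decision is risk acceptance or transfer, not mitigation. That is the reasoning behind the "risk assignment/acceptance" and "countermeasure selection" items above.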

Domain 2: Asset Security

Asset Security: Key Concepts to Note

A. Classify information and supporting assets (e.g., sensitivity, criticality)

B. Determine and maintain ownership (e.g., data owners, system owners, business/mission owners)

C. Protect privacy
  Data owners
  Data processors
  Data remanence
  Collection limitation

D. Ensure appropriate retention (e.g., media, hardware, personnel)

E. Determine data security controls (e.g., data at rest, data in transit)
  Baselines
  Scoping and tailoring
  Standards selection
  Cryptography

F. Establish handling requirements (markings, labels, storage, destruction of sensitive information)

Domain 3: Security Engineering

An Overview

Security engineering is the second largest of the eight domains in terms of the number of topics covered. Security engineering, as defined by (ISC)2, is the practice of building information systems and related architecture that continue to deliver the required functionality in the face of threats caused by malicious acts, human error, hardware failure and natural disasters.

Candidates can expect to be tested on their ability to implement and manage security engineering processes using secure design principles. They are expected to have a strong understanding of the fundamental concepts of security models and to be able to develop design requirements from organizational requirements and security policies. Candidates should also be able to select controls and countermeasures that satisfy these design requirements. All of this rests on in-depth knowledge of the security capabilities and limitations of information systems.

Because the role of an information security professional includes assessing and mitigating vulnerabilities in security architectures, designs and solution elements, candidates are expected to have a strong grounding in these areas as well. Topics covered here include client- and server-side vulnerabilities, database security, distributed systems and cloud security, cryptographic systems and industrial control systems. Web application vulnerabilities, mobile devices and embedded systems are also covered.

Cryptography, a key area in security engineering, protects information both in motion and at rest by transforming it so as to preserve its confidentiality, integrity and authenticity. General topics in cryptography on which candidates can expect to be tested are the cryptographic lifecycle, cryptographic systems, public key infrastructure, key management practices, digital signatures and digital rights management. Candidates should also have a thorough understanding of cryptanalytic attack vectors, including social engineering, brute force, ciphertext-only, known-plaintext, frequency analysis, chosen-ciphertext and implementation attacks. Note that security engineering is not limited to information systems development: additional topics in the domain include the application of secure design principles to site and facility design and to physical security.


Security Engineering: Key Concepts to Note

A. Implement and manage engineering processes using secure design principles

B. Understand the fundamental concepts of security models (e.g., Confidentiality, Integrity, and Multi-level Models)

C. Select controls and countermeasures based upon the system's security evaluation models

D. Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module, interfaces, fault tolerance)

E. Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
  Client-based (e.g., applets, local caches)
  Server-based (e.g., data flow control)
  Database security (e.g., inference, aggregation, data mining, data analytics, warehousing)
  Large-scale parallel data systems
  Distributed systems (e.g., cloud computing, grid computing, peer to peer)
  Cryptographic systems
  Industrial control systems (e.g., SCADA)

F. Assess and mitigate vulnerabilities in web-based systems (e.g., XML, OWASP)

G. Assess and mitigate vulnerabilities in mobile systems

H. Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, Internet of Things (IoT))

I. Apply cryptography
  Cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)
  Cryptographic types (e.g., symmetric, asymmetric, elliptic curves)
  Public Key Infrastructure (PKI)
  Key management practices
  Digital signatures
  Digital rights management
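The overview above names ciphertext-only attacks and frequency analysis among the cryptanalytic attack vectors a candidate must understand. As an added example (not from the guide or from (ISC)2), here is a ciphertext-only attack on a monoalphabetic shift cipher: knowing only that the plaintext is English, the attacker tries every shift and scores each trial decryption against published English letter frequencies with a chi-squared statistic. The plaintext and key are constructed; a shift cipher is used only because it is the simplest cipher on which the statistical idea can be shown.

```python
"""Ciphertext-only attack on a shift (Caesar) cipher by frequency analysis.

Added example, not from the guide. The attacker sees only ciphertext and
knows the plaintext is English. For each of the 26 possible shifts the
trial decryption's letter histogram is compared with expected English
letter frequencies using a chi-squared statistic; the shift with the
smallest distance is the key. Plaintext and key below are constructed.
"""
import string
from collections import Counter
from typing import List, Tuple

ALPHABET = string.ascii_lowercase

# Approximate relative frequency (%) of each letter in English prose.
ENGLISH_FREQ = {
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23, "g": 2.02,
    "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03, "m": 2.41, "n": 6.75,
    "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99, "s": 6.33, "t": 9.06, "u": 2.76,
    "v": 0.98, "w": 2.36, "x": 0.15, "y": 1.97, "z": 0.07,
}


def shift_text(text: str, k: int) -> str:
    """Rotate every ASCII letter by k positions (k < 0 decrypts); keep case
    and leave non-letters untouched."""
    out = []
    for ch in text:
        if ch.isalpha() and ch.isascii():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def chi_squared_score(text: str) -> float:
    """Distance between the letter histogram of `text` and English; lower
    means more English-like. Infinite when there are no letters to count."""
    letters = [c for c in text.lower() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = Counter(letters)
    score = 0.0
    for letter in ALPHABET:
        expected = ENGLISH_FREQ[letter] / 100.0 * n
        observed = counts.get(letter, 0)
        score += (observed - expected) ** 2 / expected
    return score


def rank_shifts(ciphertext: str) -> List[Tuple[int, float]]:
    """All 26 candidate keys with their scores, best fit first."""
    scored = [(k, chi_squared_score(shift_text(ciphertext, -k))) for k in range(26)]
    return sorted(scored, key=lambda pair: pair[1])


def break_shift_cipher(ciphertext: str, min_letters: int = 20) -> Tuple[int, str]:
    """Recover (key, plaintext) from ciphertext alone. Refuses very short
    inputs: with a handful of letters the histogram carries no signal and
    the 'best' shift is essentially random."""
    if sum(1 for c in ciphertext if c.isalpha()) < min_letters:
        raise ValueError("too little ciphertext for reliable frequency analysis")
    key, _ = rank_shifts(ciphertext)[0]
    return key, shift_text(ciphertext, -key)


# Constructed message and key; in a real attack only CIPHERTEXT is known.
PLAINTEXT = ("The security engineering domain covers cryptographic systems and the "
             "attacks against them, including ciphertext only and known plaintext attacks.")
KEY = 11
CIPHERTEXT = shift_text(PLAINTEXT, KEY)


if __name__ == "__main__":
    recovered_key, recovered_text = break_shift_cipher(CIPHERTEXT)
    print("ciphertext :", CIPHERTEXT)
    print("key found  :", recovered_key)
    print("plaintext  :", recovered_text)
```

The same statistic is what makes a monoalphabetic substitution cipher breakable regardless of key length: the key hides which letter is which, not how often each one occurs. The refusal on short inputs is deliberate; a few letters give no usable histogram, and reporting a confident "key" from them would be wrong.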


Domain 4: Communication and Network Security

An Overview

Communication and Network Security is an umbrella area covering network architecture, transmission methods, transport protocols, control devices, and the security measures used to maintain the confidentiality, integrity and availability of information transmitted over both private and public communication networks.

Candidates will be expected to exhibit a thorough understanding of network fundamentals such as network topologies, IP addressing, network segmentation, switching and routing, wireless networking, the OSI and TCP/IP models and the TCP/IP protocol suite. They will further be tested on cryptography, part of which relates to secure network communication. The ability to securely operate and maintain network control devices is a key expectation of this domain. Other concepts covered in this area include the security considerations inherent in the various forms of transmission media, network access control, endpoint security, and content distribution networks.

With a thorough knowledge of this domain, candidates should be able to design and implement secure communication channels using a wide range of technologies to support applications such as data, voice, remote access, multimedia collaboration and virtualized networks. Knowledge of network attack vectors and the ability to prevent or mitigate these attacks are key concepts candidates are expected to know.

Communication and Network Security: Key Concepts to Note

A. Apply secure design principles to network architecture (e.g., IP & non-IP protocols, segmentation)
  OSI and TCP/IP models
  IP networking
  Implications of multilayer protocols (e.g., DNP3)
  Converged protocols (e.g., FCoE, MPLS, VoIP, iSCSI)
  Software-defined networks
  Wireless networks
  Cryptography used to maintain communication security


B. Secure network components
  Operation of hardware (e.g., modems, switches, routers, wireless access points, mobile devices)
  Transmission media (e.g., wired, wireless, fiber)
  Network access control devices (e.g., firewalls, proxies)
  Endpoint security
  Content-distribution networks
  Physical devices

C. Design and establish secure communication channels
  Voice
  Multimedia collaboration (e.g., remote meeting technology, instant messaging)
  Remote access (e.g., VPN, screen scraper, virtual application/desktop, telecommuting)
  Data communications (e.g., VLAN, TLS/SSL)
  Virtualized networks (e.g., SDN, virtual SAN, guest operating systems, port isolation)

D. Prevent or mitigate network attacks


Domain 5: Identity and Access Management

An Overview

Identity and access management, as stated by (ISC)2, involves 'provisioning and managing the identities and access used in the interaction of humans and information systems, of disparate information systems, and even between individual components of information systems'. Attacks that aim to gain unauthorized access to systems and, subsequently, to confidential data are often based on compromising the identity and access control system. This domain equips CISSP candidates with the knowledge needed to prevent attacks of this sort.

Key concepts in this domain that candidates can expect to be tested on are identity management systems, single- and multi-factor authentication, accountability, session management, registration and proofing, federated identity management, and credential management systems.

Other areas to note are the integration of third-party cloud-based and on-premise identity services. Candidates will be expected to demonstrate their ability to implement and manage authorization mechanisms, such as role-based, rule-based, mandatory and discretionary access control. Also included are the prevention and mitigation of attacks targeting access control systems, and the identity management lifecycle.

Identity and Access Management: Key Concepts to Note

A. Control physical and logical access to assets
  Information
  Systems
  Devices
  Facilities

B. Manage identification and authentication of people and devices
  Identity management implementation (e.g., SSO, LDAP)
  Single/multi-factor authentication (e.g., factors, strength, errors, biometrics)
  Accountability
  Session management (e.g., timeouts, screensavers)
  Registration and proofing of identity
  Federated identity management (e.g., SAML)
  Credential management systems


C. Integrate identity as a service (e.g., cloud identity)

D. Integrate third-party identity services (e.g., on-premise)

E. Implement and manage authorization mechanisms
  Role-Based Access Control (RBAC) methods
  Rule-Based Access Control methods
  Mandatory Access Control (MAC)
  Discretionary Access Control (DAC)

F. Prevent or mitigate access control attacks

G. Manage the identity and access provisioning lifecycle (e.g., provisioning, review)
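Section B of Domain 3 (security models, including multi-level models) and section E above (RBAC, MAC, DAC) describe models that are easiest to compare side by side in code. The following added example, which is not from the guide or from (ISC)2, implements a small policy decision point that combines a Bell-LaPadula style mandatory model (no read up, no write down, with compartments for need-to-know), role-based permissions, and an owner-controlled ACL for discretionary access; it also illustrates the 'ACL' entry in the glossary at the end of this guide. All subjects, labels, roles and objects are constructed.

```python
"""One policy decision point, three access-control models.

Added example, not from the guide. Labels, clearances, roles, users and
objects are all constructed for illustration.
  MAC  - Bell-LaPadula style multi-level model. A subject may read an object
         only if its clearance dominates the object's label (no read up) and
         may write only if the object's label dominates its clearance (no
         write down). Dominance compares a hierarchical level and a set of
         compartments, which is how need-to-know is expressed.
  RBAC - permissions attach to roles; subjects hold roles.
  DAC  - an owner-controlled ACL on each object (the ACL of the glossary).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset
        of compartments. Labels with disjoint compartments are incomparable."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label
    roles: FrozenSet[str] = frozenset()


@dataclass
class Obj:
    name: str
    owner: str
    label: Label
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # DAC: subject -> permissions


# RBAC role definitions (constructed).
ROLE_PERMS: Dict[str, Set[str]] = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "grant"},
}


def mac_allows(subject: Subject, obj: Obj, action: str) -> bool:
    """Simple security property for reads, *-property for writes."""
    if action == "read":
        return subject.clearance.dominates(obj.label)   # no read up
    if action == "write":
        return obj.label.dominates(subject.clearance)   # no write down
    return False


def rbac_allows(subject: Subject, action: str) -> bool:
    return any(action in ROLE_PERMS.get(role, set()) for role in subject.roles)


def dac_allows(subject: Subject, obj: Obj, action: str) -> bool:
    """The owner has full discretion over its object; everyone else needs an
    explicit ACL entry (deny by default)."""
    if subject.name == obj.owner:
        return True
    return action in obj.acl.get(subject.name, set())


def authorize(subject: Subject, obj: Obj, action: str) -> bool:
    """All three models must agree. The MAC check comes first and cannot be
    overridden by an owner's ACL grant or by a powerful role: that is what
    makes it mandatory rather than discretionary."""
    return (mac_allows(subject, obj, action)
            and rbac_allows(subject, action)
            and dac_allows(subject, obj, action))


# Constructed subjects and objects.
alice = Subject("alice", Label("SECRET", frozenset({"CRYPTO"})), frozenset({"editor"}))
bob = Subject("bob", Label("UNCLASSIFIED"), frozenset({"analyst"}))
carol = Subject("carol", Label("SECRET"), frozenset({"admin"}))

report = Obj("crypto-report", owner="alice", label=Label("SECRET", frozenset({"CRYPTO"})),
             acl={"bob": {"read"}})           # alice tried to share it with bob
bulletin = Obj("bulletin", owner="bob", label=Label("UNCLASSIFIED"),
               acl={"alice": {"read", "write"}})

if __name__ == "__main__":
    for subj, obj, act in [(alice, report, "read"), (bob, report, "read"),
                           (carol, report, "read"), (alice, bulletin, "read"),
                           (alice, bulletin, "write"), (bob, bulletin, "write")]:
        print(f"{subj.name:6} {act:5} {obj.name:14} -> {authorize(subj, obj, act)}")
```

The ordering inside authorize() is the point to remember: a MAC decision is made by the system from labels and clearances and cannot be relaxed by an object's owner (DAC) or by a role grant (RBAC). That is why bob cannot read the report even after alice adds him to its ACL, why carol, an admin with SECRET clearance, still cannot read it without the CRYPTO compartment, and why alice, though an editor with an ACL grant, cannot write down to the unclassified bulletin.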

Domain 6: Security Assessment and Testing

An Overview

Security assessment and testing covers the evaluation of information assets and the associated infrastructure, using various tools and techniques, for the purpose of identifying and mitigating risk arising from architectural issues, design flaws, configuration errors, hardware and software vulnerabilities, coding errors, and any other weaknesses that may affect an information system's ability to operate securely.

Candidates may be tested on the continuous validation of the application of organizational information security plans, policies, processes and procedures; on validating assessment and test strategies; and on carrying out those strategies using various techniques. Other areas that candidates will be tested on include vulnerability assessments, penetration testing, synthetic transactions, code review and testing, misuse case testing, and interface testing.


Security Assessment and Testing: Key Concepts to Note

A. Design and validate assessment and test strategies

B. Conduct security control testing
  Vulnerability assessment
  Penetration testing
  Log reviews
  Synthetic transactions
  Code review and testing (e.g., manual, dynamic, static, fuzz)
  Misuse case testing
  Test coverage analysis
  Interface testing (e.g., API, UI, physical)

C. Collect security process data (e.g., management and operational controls)
  Account management (e.g., escalation, revocation)
  Management review
  Key performance and risk indicators
  Backup verification data
  Training and awareness
  Disaster recovery and business continuity

D. Analyze and report test outputs (e.g., automated, manual)

E. Conduct or facilitate internal and third party audits

In addition to ensuring that security policies and procedures are continuously and uniformly applied, information security professionals are responsible for ensuring that disaster recovery and business continuity plans are maintained, updated, and function as intended in the event of a disaster. This domain therefore includes the collection of security process data: candidates will be tested on account management, management review, key performance and risk indicators, verification of backups, training and awareness, and disaster recovery and business continuity.

Security assessment and testing cannot succeed without careful analysis and reporting of assessment results, in a form from which appropriate mitigation strategies can be developed and implemented. Candidates will hence be tested on their ability to analyze and report test outputs and to conduct or facilitate internal and third-party audits.


Domain 7: Security Operations

An Overview

Security Operations is practical in nature and covers the tasks and situations that information security professionals are expected to perform, or be presented with, on a daily basis. It is therefore a broad area, covering a range of topics in the application of information security concepts and best practices to the operation of enterprise computing systems, and it is the largest of the eight domains constituting the CISSP CBK.

This domain assesses a candidate's knowledge of, and ability to support, forensic investigations, along with their skill in applying investigative concepts including evidence collection and handling, documentation and reporting, investigative techniques and digital forensics. CISSP candidates should understand the requirements of investigations from the operational, criminal, civil and regulatory perspectives.

Beyond supporting forensic investigations, candidates are expected to have a good knowledge of effective logging and monitoring mechanisms, which are essential security functions.

Other aspects addressed in this domain include the provisioning of resources and the management and protection of those resources throughout their lifecycle; security operations is predicated on the protection of these resources. Candidates will be tested on their ability to operate and maintain protective controls such as firewalls, intrusion prevention systems, application whitelisting, anti-malware, honeypots and honeynets, and sandboxing, as well as to manage third-party security contracts and services. Other concepts that candidates can be tested on are patch, vulnerability, and change management.

The domain also tests candidates on their ability to conduct all aspects of incident management, to implement and test disaster recovery processes, and to participate in business continuity planning.
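The overview above, and the 'Log reviews' item under security control testing in Domain 6, expect candidates to know what effective logging and monitoring looks like in practice. As an added example (not from the guide or from (ISC)2), the following reviews authentication log lines in the shape sshd writes through syslog, flags a source that fails many logins within a short window, and escalates when a success from the same source follows the burst. The log lines are constructed and use documentation address ranges; the threshold and window are assumed tuning values, not recommendations.

```python
"""Log review: spot password guessing followed by a successful login.

Added example, not from the guide. The sample lines are constructed in the
shape sshd writes through syslog and use documentation address ranges; the
threshold and window are assumed tuning values, not recommendations.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SAMPLE_LOG = [  # constructed
    "Jul 23 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Jul 23 10:00:03 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "Jul 23 10:00:05 bastion sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51141 ssh2",
    "Jul 23 10:00:08 bastion sshd[2207]: Failed password for root from 203.0.113.7 port 51152 ssh2",
    "Jul 23 10:00:11 bastion sshd[2209]: Failed password for root from 203.0.113.7 port 51160 ssh2",
    "Jul 23 10:00:15 bastion sshd[2211]: Accepted password for root from 203.0.113.7 port 51171 ssh2",
    "Jul 23 10:02:40 bastion sshd[2240]: Accepted publickey for deploy from 198.51.100.23 port 40210 ssh2",
    "Jul 23 10:05:00 bastion sshd[2260]: Failed password for alice from 192.0.2.15 port 33001 ssh2",
    "Jul 23 10:05:30 bastion sshd[2262]: Accepted password for alice from 192.0.2.15 port 33002 ssh2",
    "Jul 23 10:06:00 bastion CRON[2270]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_line(line: str, year: int = 2015) -> Optional[Dict]:
    """Return the fields of an sshd auth event, or None for any other line.
    syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> List[Dict]:
    """Flag any source IP with >= `threshold` failed logins inside `window`.
    A later Accepted event from the same source raises the severity, since
    guessing that ends in a success is the case that matters most."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["outcome"] == "Failed"]
        # Sliding window over the failure timestamps: track the densest burst.
        best_count, burst_end, start = 0, None, 0
        for end, ev in enumerate(failures):
            while ev["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, burst_end = end - start + 1, ev["ts"]
        if best_count < threshold:
            continue
        success = next((e for e in evs
                        if e["outcome"] == "Accepted" and e["ts"] >= burst_end), None)
        findings.append({
            "ip": ip,
            "failures": best_count,
            "users": sorted({e["user"] for e in failures}),
            "success_user": success["user"] if success else None,
            "severity": "high" if success else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']}: {f['failures']} failures against "
              f"{', '.join(f['users'])}; success as {f['success_user']}")
```

The single failed login from 192.0.2.15 followed by a success is exactly what a mistyped password looks like and must not page anyone; the five failures against three different accounts from 203.0.113.7, capped by an accepted root password, is the finding a reviewer wants surfaced first. Lines the parser does not recognise are skipped here; a production review would also count them, because a sudden drop in recognised events is itself a signal.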


Security Operations: Key Concepts to Note

A. Understand and support investigations
  Evidence collection and handling (e.g., chain of custody, interviewing)
  Reporting and documenting
  Investigative techniques (e.g., root-cause analysis, incident handling)
  Digital forensics (e.g., media, network, software, and embedded devices)

B. Understand requirements for investigation types
  Operational
  Criminal
  Civil
  Regulatory
  Electronic discovery (eDiscovery)

C. Conduct logging and monitoring activities
  Intrusion detection and prevention
  Security information and event management
  Continuous monitoring
  Egress monitoring (e.g., data loss prevention, steganography, watermarking)

D. Secure the provisioning of resources
  Asset inventory (e.g., hardware, software)
  Configuration management
  Physical assets
  Virtual assets (e.g., software-defined network, virtual SAN, guest operating systems)
  Cloud assets (e.g., services, VMs, storage, networks)
  Applications (e.g., workloads or private clouds, web services, software as a service)

E. Understand and apply foundational security operations concepts
  Need-to-know/least privilege (e.g., entitlement, aggregation, transitive trust)
  Separation of duties and responsibilities
  Monitor special privileges (e.g., operators, administrators)
  Job rotation


  Information lifecycle
  Service-level agreements

F. Employ resource protection techniques
  Media management
  Hardware and software asset management

G. Conduct incident management
  Detection
  Response
  Mitigation
  Reporting
  Recovery
  Remediation
  Lessons learned

H. Operate and maintain preventative measures
  Firewalls
  Intrusion detection and prevention systems
  Whitelisting/Blacklisting
  Third-party security services
  Sandboxing
  Honeypots/Honeynets
  Anti-malware

I. Implement and support patch and vulnerability management

J. Participate in and understand change management processes (e.g., versioning, baselining, security impact analysis)

K. Implement recovery strategies
  Backup storage strategies (e.g., offsite storage, electronic vaulting, tape rotation)
  Recovery site strategies
  Multiple processing sites (e.g., operationally redundant systems)
  System resilience, high availability, quality of service, and fault tolerance

L. Implement disaster recovery processes
  Response
  Personnel
  Communications
  Assessment
  Restoration
  Training and awareness

M. Test disaster recovery plans
  Read-through
  Walkthrough
  Simulation
  Parallel
  Full interruption

N. Participate in business continuity planning and exercises

O. Implement and manage physical security
  Perimeter (e.g., access control and monitoring)
  Internal security (e.g., escort requirements/visitor control, keys and locks)

P. Implement and manage physical security

Domain 8: Software Development Security

An Overview

Software Development Security is the last domain of the CISSP examination and covers the application of security concepts and best practices to the production and development of software environments. Although CISSPs are not necessarily hardcore software developers or software security engineers, it is their responsibility to assess and enforce security controls on software operated within their environments. To do this, information security professionals must understand and apply security in the context of the software development lifecycle.

Candidates will be tested on software development methodologies, maturity models, operations and maintenance, change management, and their understanding of the needs of an integrated product development team. They should also be able to enforce security controls in software development environments, and in this regard will be tested on the security of software development tools, source code weaknesses and vulnerabilities, configuration management as it relates to source code development, the security of code repositories and the security of application programming interfaces.

Topics in this area therefore also include auditing and logging in relation to change management, risk analysis and mitigation as it relates to software security, and the security impact of acquired software.


Software Development Security: Key Concepts to Note

A. Understand and apply security in the software development lifecycle

  Development methodologies (e.g., Agile, Waterfall)
  Maturity models
  Operation and maintenance
  Change management
  Integrated product team (e.g., DevOps)

B. Enforce security controls in development environments

  Security of the software environments
  Security weaknesses and vulnerabilities at the source-code level (e.g., buffer overflow, escalation of privilege, input/output validation)
  Configuration management as an aspect of secure coding
  Security of code repositories
  Security of application programming interfaces

C. Assess the effectiveness of software security

  Auditing and logging of changes
  Risk analysis and mitigation
  Acceptance testing

D. Assess security impact of acquired software


Generic Terms

After the outline of the domain structure and the areas covered in CISSP, the next thing to know is the common terminology that candidates need to be thorough with. This section briefly defines some of these terms.

As you study for your CISSP exam, you will need to master the terms and tools of the trade. This glossary collects the definitions of important CISSP terms in a single, convenient location, and also serves as a ready reckoner for refreshing what you have studied so far.

ACL:
An access control list is a list attached to an object that specifies which subjects may access it and with what permissions (read, write, execute, and so on).

Administrative Detective Control:
A policy or procedure that detects that something has occurred, using audits or performance reviews to see what actions subjects have taken.

Asynchronous Device:
A token device that uses a challenge-response approach: the server sends a challenge, and the token computes the one-time password from it. No clock synchronisation with the server is needed.

Authentication:
The process of verifying that a subject really is who or what it claims to be, for example by something it knows (a password), something it has (a token) or something it is (a biometric). Authentication follows identification.

Authentication Service:
The component of the Kerberos Key Distribution Center (KDC) that verifies a principal's credentials and issues the ticket-granting ticket (TGT).

Authorization Creep:
The gradual accumulation of access rights beyond what a subject's current duties require, typically because permissions granted for earlier roles are never revoked.

Biometrics:
An authentication type based on physical or behavioural characteristics of a person: retina and iris scans, fingerprints and hand geometry, voice patterns, keystroke dynamics and signatures. Biometric systems are generally the most expensive factor to deploy and are often regarded as the strongest, but their accuracy is measured by FAR, FRR and CER rather than assumed.

Brute Force:
An attack that tries many candidate inputs, potentially every possible one, until access is gained. Examples of brute force attacks are exhaustive password guessing and war dialing.
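The asynchronous (challenge-response) token defined above and the synchronous (time-based) token defined later in this glossary, modelled side by side as an added Python example that is not part of the original guide. The hotp() and totp() functions follow RFC 4226 and RFC 6238 and are checked against those RFCs' published test vectors; the challenge-response token and server classes are a simplified illustration, and the shared secret is a constructed value.

```python
"""Synchronous (time-based) and asynchronous (challenge-response) token
devices. Added illustration, not from the guide. The shared secret and
the server classes are constructed for the example."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, then "dynamic truncation" to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(time / step).
    Token and server share the secret and a roughly synchronised clock,
    which is what makes this a synchronous device."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, drift: int = 1) -> bool:
    """Server-side check tolerating +/- `drift` steps of clock skew.
    Constant-time comparison avoids leaking how many digits matched."""
    for delta in range(-drift, drift + 1):
        expected = totp(secret, unix_time + delta * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


class ChallengeResponseToken:
    """Asynchronous device: answers a server-issued nonce with
    HMAC(secret, nonce). No clock is needed."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> str:
        return hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    """Issues one-shot random challenges and verifies responses. A response
    is accepted only for a challenge this server issued and has not yet
    consumed, which defeats replay of a captured response."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: set[bytes] = set()

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, challenge: bytes, response: str) -> bool:
        if challenge not in self._outstanding:
            return False                      # unknown, expired or replayed
        self._outstanding.discard(challenge)  # consume before checking
        expected = hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    print("TOTP at t=59:", totp(secret, 59))                   # 287082
    server = ChallengeResponseServer(secret)
    token = ChallengeResponseToken(secret)
    challenge = server.issue_challenge()
    response = token.respond(challenge)
    print("first use:", server.verify(challenge, response))    # True
    print("replayed :", server.verify(challenge, response))    # False
```

The synchronous design needs no round trip but depends on clock agreement, which is why verify_totp() accepts a small drift window; the asynchronous design needs no clock but must track which challenges are outstanding, or a captured response could be replayed.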



CER:
Crossover Error Rate is the point at which the False Rejection Rate (FRR) and the False Acceptance Rate (FAR) are equal when both are plotted against the system's sensitivity setting. Because it does not depend on how a particular installation is tuned, the CER allows two different biometric methods to be compared: the lower the CER, the more accurate the system.

Centralized Authentication:
An authentication model in which a single authority (for example a domain controller or a RADIUS/TACACS+ server) handles authentication for all systems. It gives strict, consistent control and easy administration, but it is a single point of failure.

Control:
A safeguard or countermeasure that reduces risk by preventing, detecting or correcting the effect of a threat on an asset.

DAC:
Discretionary Access Control is identity-based access control. The user is authenticated as a specific identity, and the owner of an object decides, at his or her discretion, which other identities may access it and how (for example UNIX file permissions or Windows file ACLs).

Decentralized Authentication:
An authentication model in which administration is handled closer to the objects being controlled, for example each machine or security domain maintaining its own accounts database. It is more flexible than centralized authentication but harder to keep consistent.

Dictionary Attack:
A selective form of password guessing in which a prepared list (dictionary) of common words, known credentials or frequently used user IDs is submitted to the authentication device. It is far faster than brute force, but it only finds passwords that appear in the list.

DoS Attack:
A Denial of Service attack attempts to make a network or service unavailable, typically by flooding it with useless traffic. In a distributed DoS (DDoS), the attacker controls a master ("handler") system that communicates with many compromised hosts, so that a single command launches the flood from all of them at once.

Domain:
A group of computers on a network that share a common security accounts database (historically the Windows Security Accounts Manager) and common security policies.

FAR:
False Acceptance Rate is the rate at which a biometric system accepts an invalid subject (a Type II error). This is the security-relevant error.

FRR:
False Rejection Rate is the rate at which a biometric system rejects a valid subject (a Type I error). This is the usability-relevant error.
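How FAR, FRR and CER are derived from matcher scores, as an added Python example that is not part of the original guide. The two score sets are constructed for the illustration, not measurements of any real biometric product, and the 0-100 score scale and threshold sweep are assumptions of the example.

```python
"""False Acceptance Rate, False Rejection Rate and Crossover Error Rate
computed from matcher scores. Added illustration, not from the guide; the
score samples below are constructed, not measurements of a real product."""

# Constructed similarity scores on a 0-100 scale (higher = better match).
# "genuine": attempts by the enrolled person; "impostor": attempts by others.
SYSTEM_A = {  # well separated populations
    "genuine":  [90, 85, 80, 78, 75, 70, 65, 60, 55, 50],
    "impostor": [55, 50, 45, 42, 40, 35, 30, 25, 20, 15],
}
SYSTEM_B = {  # heavily overlapping populations
    "genuine":  [80, 75, 70, 65, 60, 55, 50, 45, 40, 35],
    "impostor": [65, 60, 55, 50, 45, 40, 35, 30, 25, 20],
}


def error_rates(genuine, impostor, threshold):
    """A score >= threshold is accepted. FAR is the fraction of impostor
    attempts accepted; FRR is the fraction of genuine attempts rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine, impostor, thresholds=range(0, 101)):
    """Sweep the sensitivity setting and return (threshold, CER) where FAR
    and FRR are closest; CER is their mean at that point. Ties go to the
    lowest threshold. The lower the CER, the more accurate the system."""
    best = None
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, cer = best
    return threshold, cer


def threshold_for_max_far(genuine, impostor, max_far, thresholds=range(0, 101)):
    """Operational tuning: the most permissive threshold whose FAR meets the
    policy limit, together with the FRR users will pay for it. CER compares
    products; the deployed threshold is a policy decision like this one."""
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


def compare(systems):
    """CER for each named system, for side-by-side comparison."""
    return {name: crossover(**scores) for name, scores in systems.items()}


if __name__ == "__main__":
    for name, (t, cer) in compare({"A": SYSTEM_A, "B": SYSTEM_B}).items():
        print(f"system {name}: CER {cer:.2f} at threshold {t}")
    print("A tuned for FAR 0:", threshold_for_max_far(max_far=0.0, **SYSTEM_A))
```

Raising the threshold drives FAR down and FRR up; the CER is simply the height of the curves where they meet. System A's populations barely overlap, so its CER is low; system B's overlap heavily and its CER is several times higher, which is the comparison the glossary entry describes.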


Hacker:
A person highly skilled in a programming language or in the internals of systems, often considered an expert on the subject; in security usage, one who breaks into systems. "Cracker" is sometimes used for the malicious sense. The word can be complimentary or derogatory, depending on who is using it!

Honeypot:
A decoy machine, or an isolated segment of the network, deliberately exposed with open ports and apparently vulnerable services to entice an attacker to find and attack it. Its purpose is to monitor the attacker's techniques and to divert attention from production systems.

Hybrid Model:
A combination of centralized and decentralized authentication.

IDS:
An intrusion detection system inspects network or host activity and identifies suspicious patterns indicative of an attack, either by matching known attack signatures or by flagging anomalies against a baseline of normal behaviour.

Identification:
A claim to be a particular subject, such as presenting a user name. The claim is then verified by authentication.

KDC:
Key Distribution Center is the component of the Kerberos system that holds the secret keys of all principals and issues tickets. It consists of the Authentication Service and the Ticket Granting Service, and it must be contacted to initiate any authentication, which makes it both a single point of failure and a high-value target.

Kerberos:
An authentication protocol developed at MIT that provides authentication and message protection using symmetric cryptography: the same secret key that encrypts a message on one side decrypts it on the other, and a trusted third party (the KDC) distributes the session keys.

Least Privilege:
A concept that grants subjects only the access to objects they need to perform their required tasks, and no more. The goal is to limit the damage from misuse and to counter authorization creep.

MAC:
Mandatory Access Control is a system-enforced model in which access is decided by comparing the subject's clearance with the object's security label according to fixed rules. Neither ordinary users nor data owners can override these rules; only the security administrator assigns labels and clearances.

Object:
A passive entity that contains or receives information, such as a file, a database record or a device.


Man-in-the-Middle Attack:
A network attack in which the attacker positions himself between two communicating parties and relays or alters their traffic. A classic example is intercepting a public key exchange and substituting his own public key for the requested one, which lets him decrypt, read and re-encrypt the messages of both sides without either noticing.

Non-Discretionary Control:
A role-based access control in which access is granted on the basis of the subject's role instead of identity, and roles are assigned centrally rather than by object owners. This type of control suits environments with frequent personnel changes, because only the role assignment has to be updated.
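The DAC, MAC and non-discretionary (role-based) entries of this glossary compared in working Python, as an added example that is not from the original guide. The subjects, classification levels, roles and the combined authorize() policy (MAC and DAC both required) are assumptions made for the illustration.

```python
"""DAC, MAC and role-based (non-discretionary) access decisions side by
side. Added illustration, not from the guide; the subjects, labels, roles
and the combined policy are constructed for the example."""
from dataclasses import dataclass, field

# Linear classification lattice used by the MAC check (assumed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Role -> permissions table used by the RBAC check (assumed roles).
ROLE_PERMS = {"analyst": {"read"}, "editor": {"read", "write"}}


@dataclass
class Subject:
    name: str
    clearance: str
    roles: set = field(default_factory=set)


@dataclass
class Obj:
    name: str
    owner: str
    label: str
    acl: dict = field(default_factory=dict)  # subject name -> set of permissions


def dac_allowed(subject: Subject, obj: Obj, perm: str) -> bool:
    """Discretionary: the owner has full access and decides who else gets what."""
    if subject.name == obj.owner:
        return True
    return perm in obj.acl.get(subject.name, set())


def dac_grant(granter: Subject, obj: Obj, grantee: str, perm: str) -> None:
    """Only the owner may change the ACL; anyone else is refused."""
    if granter.name != obj.owner:
        raise PermissionError(f"{granter.name} does not own {obj.name}")
    obj.acl.setdefault(grantee, set()).add(perm)


def mac_allowed(subject: Subject, obj: Obj, perm: str) -> bool:
    """Mandatory (Bell-LaPadula): read needs clearance >= label (no read up),
    write needs clearance <= label (no write down). Owners cannot override."""
    clr, lbl = LEVELS[subject.clearance], LEVELS[obj.label]
    if perm == "read":
        return clr >= lbl
    if perm == "write":
        return clr <= lbl
    return False


def rbac_allowed(subject: Subject, obj: Obj, perm: str) -> bool:
    """Non-discretionary: the decision depends on the subject's roles, not on
    identity. (A real deployment would scope ROLE_PERMS per object type.)"""
    return any(perm in ROLE_PERMS.get(role, set()) for role in subject.roles)


def authorize(subject: Subject, obj: Obj, perm: str) -> bool:
    """A system that enforces MAC and DAC together grants access only when
    the label rule passes AND the owner has granted the permission."""
    return mac_allowed(subject, obj, perm) and dac_allowed(subject, obj, perm)


def demo() -> dict:
    """Worked scenario; returns the individual decisions for inspection."""
    alice = Subject("alice", "SECRET")
    bob = Subject("bob", "CONFIDENTIAL", {"analyst"})
    carol = Subject("carol", "TOP SECRET", {"editor"})
    plan = Obj("plan.doc", owner="alice", label="SECRET")

    dac_grant(alice, plan, "bob", "read")          # owner's discretion
    try:
        dac_grant(bob, plan, "carol", "read")      # non-owner: refused
        bob_can_grant = True
    except PermissionError:
        bob_can_grant = False

    return {
        "bob_dac_read": dac_allowed(bob, plan, "read"),          # True: ACL entry
        "bob_mac_read": mac_allowed(bob, plan, "read"),          # False: read up
        "bob_read": authorize(bob, plan, "read"),                # False: MAC wins
        "carol_mac_read": mac_allowed(carol, plan, "read"),      # True
        "carol_mac_write": mac_allowed(carol, plan, "write"),    # False: write down
        "carol_rbac_write": rbac_allowed(carol, plan, "write"),  # True: editor role
        "bob_rbac_write": rbac_allowed(bob, plan, "write"),      # False: analyst
        "bob_can_grant": bob_can_grant,                          # False
    }


if __name__ == "__main__":
    for decision, result in demo().items():
        print(f"{decision:18} {result}")
```

The scenario makes the distinction concrete: alice, as owner, can put bob on the ACL (DAC), but bob still cannot read the SECRET document because his CONFIDENTIAL clearance fails the mandatory label check, and carol, though cleared TOP SECRET, may not write down into a SECRET object. Under RBAC, carol's access follows from her editor role rather than from any per-object grant.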

Penetration Testing:
An authorized, coordinated set of simulated attacks in which the tester takes the role of an attacker, scanning and probing systems and attempting to exploit what is found, in order to judge how vulnerable the systems really are.

Physical Access Controls:
Controls which limit physical access to hardware and facilities.

Physical Preventative Control:
A control, such as a lock, a badge or an access card reader, which stops an unauthorized physical act before it occurs.

RADIUS:
Remote Authentication Dial-In User Service is a centralized authentication protocol that authenticates and authorizes users and records accounting information. Originally designed for dial-up access, it is now widely used for VPN, wireless (802.1X) and network device logins. It runs over UDP and encrypts only the user's password in the access request, not the rest of the packet.

SESAME:
Secure European System for Applications in a Multivendor Environment is an authentication service developed in Europe as an extension of Kerberos. SESAME uses public key cryptography to distribute secret keys and issues a Privilege Attribute Certificate (PAC), a signed structure carrying the subject's identity and privileges that is presented to services to gain access.

SSO:
Single Sign-On lets a user authenticate once, at an entry point of a domain, and then access every component of the domain without authenticating again. It simplifies the authentication process and reduces password fatigue, but a single compromised credential then opens every component.

Security Label:
A classification level (and possibly categories or compartments) assigned to an object, used by mandatory access control to decide access.

Shoulder Surfing:
An observation technique in which information, such as a password or PIN, is obtained by looking over someone's shoulder while it is entered.


Spoofing:
A technique used by attackers to gain entry to a system by forging packet headers (for example the source IP address) so that the traffic appears to come from a trusted host.

Synchronous Device:
A token device that generates one-time passwords from a time or counter value kept in step with a central server, so that the server can compute the same value independently.

TACACS:
Terminal Access Controller Access Control System is a centralized authentication protocol for access to network devices and remote systems. The original TACACS handled authentication and authorization in a single exchange. TACACS+, a separate and incompatible protocol, separates authentication, authorization and accounting, runs over TCP, encrypts the entire packet body (RADIUS encrypts only the password) and supports multiple authentication methods, including two-factor tokens.

Ticket:
A multi-part message used in Kerberos to prove that a subject has been authenticated. The ticket-granting ticket (TGT) is issued by the Authentication Service; a service ticket, issued by the Ticket Granting Service, is presented together with an authenticator to the target service to show that the subject is valid and may access that specific object.

Token Device:
A small device, typically a key fob or smart card, that generates one-time passwords based on a synchronous (time or counter) or asynchronous (challenge-response) relationship with a central server. It is a "something you have" authentication factor.

War Dialer:
A computer program built to find modems by dialing consecutive telephone numbers. War dialers are used to locate vulnerable computer systems that are reachable by modem.

In Conclusion

With a good grasp of the core concepts for the CISSP certification and an understanding of the generic terms, we hope we have laid the foundation for your rigorous preparation for the CISSP certification examination. On completion of your preparation, do practice with the sample exam papers that are available at (ISC)2's official website.

To know more about the important, reliable books that can aid you in the preparation journey, you might want to consult the book list linked from this guide.

We wish you good luck in your certification journey!


GOOD LUCK

The CISSP Training from Simplilearn has many hallmark features to stamp its credible benefits for certification seekers:

  8 domain-specific test papers (10 questions each)
  5 simulation exams (250 questions each)
  32 hours of high-quality e-learning content
  30 CPEs/PDUs offered
  98.6% pass rate

For any queries on our CISSP Training courses, please write to us at: