CISSP Preparation Guide

1

Security and Risk Management

~15% of exam · Day 1–2

1.1 — CIA Triad, DAD Triad & Additional Security Concepts

CIA Triad

Confidentiality — Preventing unauthorized disclosure of information. Threats: eavesdropping, social engineering, shoulder surfing. Controls: encryption (AES-256, TLS), access controls (RBAC, MAC), data classification, steganography, secure channels.
Integrity — Ensuring data accuracy and trustworthiness; preventing unauthorized modification. Threats: MITM, malware, unauthorized changes. Controls: hashing (SHA-256, SHA-3), digital signatures, version control, checksums, non-repudiation mechanisms, input validation.
Availability — Ensuring timely, reliable access for authorized users. Threats: DDoS, hardware failure, natural disasters. Controls: redundancy (RAID, clustering), backups, failover, load balancing, SLAs, capacity planning.

DAD Triad (Opposite)

Disclosure — Opposite of Confidentiality (unauthorized access to information).
Alteration — Opposite of Integrity (unauthorized modification).
Destruction / Denial — Opposite of Availability (preventing access).

Additional Security Concepts

Authenticity — Verifying the identity of users and the origin of messages.
Non-repudiation — Ensuring a party cannot deny an action (digital signatures provide this).
Accountability — Tracing actions to a specific individual (requires identification, authentication, and auditing/logging).
Privacy — Right of an individual to control their personal information.
Safety — Protecting people and the physical environment from harm.

Exam Tip: The CIA triad is the foundation of ALL security decisions. Every control maps back to one or more of these three goals. If a question is unclear, ask yourself "Does this protect confidentiality, integrity, or availability?"

1.2 — Security Governance Principles

Governance vs. Management

Governance — Strategic direction set by the board/senior leadership. Ensures security aligns with business objectives, evaluates risk appetite, establishes accountability.
Management — Operational execution of governance directives by CISO, security team, and IT staff.

Organizational Roles

Role	Responsibility
Board of Directors	Ultimate accountability for security; sets risk appetite; fiduciary duty
CEO	Overall organizational responsibility; delegates to CISO
CISO / CSO	Security strategy, policy, budget, compliance, risk management
Data Owner	Senior management; classifies data; determines access
Data Custodian	IT operations; implements and maintains controls (backups, ACLs)
Data Steward	Ensures data quality, metadata, and governance standards
Security Administrator	Implements security settings, manages user accounts, monitors
Auditor	Independent assessment of security controls and compliance

Due Care vs. Due Diligence

Due Care — Doing the right thing; taking reasonable steps (implementing a firewall, security policy).
Due Diligence — Verifying that due care was properly applied; ongoing assessment (audits, pen tests, risk assessments).

Frameworks: COBIT (governance focus), NIST CSF (risk-based framework), ISO 27001/27002 (ISMS), ITIL (service management), COSO (internal controls), TOGAF (enterprise architecture).

1.3 — Compliance, Laws, Regulations & Intellectual Property

Legal Systems

Civil Law (Code Law) — Based on written codes/statutes (most of continental Europe, Japan, Latin America).
Common Law — Based on precedent/case law (US, UK, Canada, Australia).
Religious Law — Based on religious texts (Sharia law in some countries).
Customary Law — Based on regional customs and traditions.

U.S. Laws & Regulations

Law	Focus	Key Points
HIPAA	Healthcare	PHI protection; Privacy Rule + Security Rule; Business Associate Agreements
SOX	Financial	Public company financial reporting integrity; CEO/CFO personal liability; Section 404
GLBA	Financial	Financial institutions must protect NPI; Financial Privacy Rule; Safeguards Rule
FISMA	Federal IT	Federal systems security; NIST standards mandate; ATO process
FERPA	Education	Student record privacy; parental rights transfer at age 18
COPPA	Children	Online privacy for children under 13; verifiable parental consent
CFAA	Computer Crime	Unauthorized access to computers; federal crime statute
ECPA	Communications	Electronic communications privacy; wiretap restrictions
DMCA	Copyright	Digital copyright protection; anti-circumvention provisions
EEA	Trade Secrets	Economic Espionage Act; theft of trade secrets is federal crime

International Regulations

GDPR (EU) — 72-hour breach notification; right to erasure ("right to be forgotten"); data portability; consent must be explicit; DPO required; fines up to 4% global revenue or €20M. Lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests.
PIPEDA (Canada) — 10 fair information principles; meaningful consent required.
LGPD (Brazil) — Similar to GDPR; covers Brazilian residents' data.
POPI Act (South Africa) — Data protection act; 8 conditions for lawful processing.

Intellectual Property

Type	Protects	Duration	Registration
Copyright	Expression of ideas (books, code, music)	Life + 70 years (individual); 95 years (corporate)	Automatic upon creation
Trademark	Brand identifiers (logos, names, slogans)	Renewable every 10 years (indefinite)	Registration recommended
Patent	Inventions / processes	20 years from filing	Must file with patent office
Trade Secret	Proprietary business info	No expiration (if kept secret)	No registration; must actively protect

Import/Export Controls

Wassenaar Arrangement — 42 nations; controls export of dual-use technologies including encryption.
ITAR — International Traffic in Arms Regulations; defense-related items.
EAR — Export Administration Regulations; commercial dual-use items.

1.4 — Risk Management Framework & Risk Analysis

Risk Terminology

Asset — Anything of value (people, data, hardware, reputation, processes).
Threat — Potential cause of an unwanted event (hacker, earthquake, employee error).
Threat Agent / Source — The entity that carries out a threat.
Vulnerability — A weakness that can be exploited by a threat.
Risk — The likelihood that a threat will exploit a vulnerability and cause impact. Risk = Threat × Vulnerability × Impact.
Exposure — The potential loss when a threat exploits a vulnerability.
Countermeasure / Safeguard — A control that reduces risk.
Residual Risk — Risk remaining after controls are applied. Total Risk − Controls = Residual Risk.
Risk Appetite — The amount of risk an organization is willing to accept.
Risk Tolerance — Acceptable variation from risk appetite.

NIST Risk Management Framework (SP 800-37)

1. Prepare — Establish context and priorities.
2. Categorize — Categorize system based on impact (FIPS 199: Low/Moderate/High).
3. Select — Choose appropriate controls from NIST SP 800-53.
4. Implement — Deploy selected controls.
5. Assess — Evaluate control effectiveness.
6. Authorize — Authorize system operation (ATO — Authorization to Operate).
7. Monitor — Continuously monitor for changes and effectiveness.

Quantitative Risk Analysis

Term	Formula	Meaning
AV	—	Asset Value
EF	—	Exposure Factor (% of asset lost, 0–100%)
SLE	AV × EF	Single Loss Expectancy ($ loss per event)
ARO	—	Annualized Rate of Occurrence (frequency/year)
ALE	SLE × ARO	Annualized Loss Expectancy ($/year)
Cost-Benefit	ALE(before) − ALE(after) − Cost	Value of implementing a control

Example: Server worth $100,000 (AV). Fire would destroy 60% (EF=0.6). SLE = $60,000. Fire expected once every 10 years (ARO=0.1). ALE = $6,000/year. A suppression system costing $4,000/year that reduces EF to 10% → new ALE = $1,000. Benefit = $6,000 − $1,000 − $4,000 = $1,000 net benefit.

Qualitative Risk Analysis

Uses subjective judgment: High/Medium/Low ratings in a risk matrix.
Delphi Technique — Anonymous expert opinions gathered iteratively until consensus.
Brainstorming — Group identification of risks.
Scenario Analysis — Examining specific "what-if" situations.
Risk Register — Document tracking identified risks, owners, likelihood, impact, and treatment.

Risk Treatment / Response Options

Option	Action	Example
Mitigate / Reduce	Implement controls to reduce likelihood or impact	Install firewall, encrypt data
Transfer / Share	Shift risk to third party	Buy insurance, outsource to MSP
Accept	Acknowledge and absorb (must be management decision)	Risk within risk appetite
Avoid	Eliminate the activity causing risk	Discontinue a risky product line
Reject / Ignore	Deny the risk exists	NEVER VALID — always wrong on exam

Control Types

By Function	Description	Example
Preventive	Stops incident before it occurs	Firewall, encryption, training
Detective	Identifies incident during or after	IDS, audit logs, CCTV
Corrective	Fixes damage after incident	Patching, restoring backups
Deterrent	Discourages potential attackers	Warning banners, fences, policies
Compensating	Alternative control when primary isn't feasible	Monitoring when separation of duties isn't possible
Recovery	Restores to normal operations	DR site, backup restoration
Directive	Mandates behavior	Policies, regulations, standards

By Implementation	Examples
Administrative / Managerial	Policies, procedures, training, background checks, risk assessment
Technical / Logical	Firewalls, IDS, encryption, access controls, antivirus
Physical / Operational	Locks, fences, guards, CCTV, mantraps, fire suppression

1.5 — Security Policies, Standards, Baselines, Guidelines & Procedures

Policy Hierarchy (most to least authoritative)

Document	Mandatory?	Description
Policy	Yes	High-level management intent; approved by senior leadership. Types: Regulatory (compliance), Advisory (expected behavior), Informative (general info)
Standard	Yes	Specific mandatory requirements (e.g., "All passwords must be 14+ characters with MFA")
Baseline	Yes	Minimum security configuration for a system type (e.g., CIS Benchmarks, DISA STIGs)
Guideline	No	Recommended best practices (not mandatory but strongly suggested)
Procedure	Yes	Step-by-step instructions for tasks (e.g., "How to reset a password")

Personnel Security

Separation of Duties (SoD) — No single person controls all critical functions. Prevents fraud.
Dual Control — Two people must act together to complete a critical action (e.g., two keys for safe).
Job Rotation — Employees rotate roles; detects fraud, cross-trains staff.
Mandatory Vacations — Force employees to take time off; allows others to detect irregularities.
Least Privilege — Minimum access needed to perform duties.
Need-to-Know — Access requires business justification even with clearance.
NDA (Non-Disclosure Agreement) — Legal contract protecting confidential information.
AUP (Acceptable Use Policy) — Defines acceptable use of organizational resources.
Termination Procedures — Disable access immediately; exit interview; return of assets; escort.

1.6 — Business Continuity Planning (BCP) & Disaster Recovery

BCP vs. DRP

BCP — Focuses on maintaining business operations during a disruption (proactive, strategic).
DRP — Focuses on restoring IT infrastructure and data after a disaster (reactive, tactical).
BCP is the umbrella; DRP is a component of BCP.

BCP Process (NIST SP 800-34)

1. Project Initiation — Senior management sponsorship (critical!); define scope; BCP team formation.
2. Business Impact Analysis (BIA) — Identify critical business functions; quantify impact of disruptions; determine recovery priorities.
3. Recovery Strategy Development — Select recovery approaches for each critical function.
4. Plan Design & Development — Document procedures, roles, communication plans.
5. Implementation & Testing — Deploy and test the plan regularly.
6. Maintenance — Update as business changes; annual review minimum.

Critical: Senior management support is the MOST important factor in BCP success. Without it, the plan will lack funding, authority, and organizational commitment. This is a frequently tested concept.

BIA Key Metrics

Metric	Definition	Who Determines?
MTD / MAD	Maximum Tolerable Downtime — longest a function can be down before unacceptable damage	Management / BIA
RTO	Recovery Time Objective — target time to restore a system/function	Must be ≤ MTD
RPO	Recovery Point Objective — maximum acceptable data loss (measured in time before disruption)	Business requirements
WRT	Work Recovery Time — time to verify restored systems and catch up on transactions	RTO + WRT ≤ MTD
MTBF	Mean Time Between Failures — average uptime between failures	Hardware reliability
MTTR	Mean Time To Repair — average time to restore after a failure	Support/engineering

Test Types (least to most disruptive)

Test	Description	Disruption
Checklist Review	Distribute plan for review; individuals verify their sections	None
Tabletop Exercise	Key personnel walk through scenario in a meeting room	None
Walkthrough / Structured	Team members physically walk through steps	Minimal
Simulation	Practice response to a specific scenario (no actual failover)	Low
Parallel Test	Activate recovery site while primary stays running	Moderate
Full Interruption	Shut down primary; operate from backup site	High (risky)

1.7 — Threat Modeling, Supply Chain Risk & Security Awareness

Threat Modeling Methodologies

Model	Focus	Details
STRIDE	Threat categories	Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege (Microsoft)
DREAD	Risk rating	Damage, Reproducibility, Exploitability, Affected Users, Discoverability (1-10 each)
PASTA	Risk-centric	7-stage Process for Attack Simulation and Threat Analysis
VAST	Agile integration	Visual, Agile, Simple Threat modeling; separate app and infra models
Attack Trees	Goal-oriented	Tree structure showing ways to achieve an attack goal
MITRE ATT&CK	Tactics/Techniques	Knowledge base of adversary behavior; maps tactics to techniques

Supply Chain Risk Management (SCRM)

Assess third-party vendors: SOC 2 reports, questionnaires, on-site audits.
SLAs with security requirements; right-to-audit clauses.
Hardware/software supply chain integrity: verify firmware, use trusted suppliers, code signing.
SBOM (Software Bill of Materials) — inventory of software components.
NIST SP 800-161: Supply Chain Risk Management Practices.
Fourth-party risk — your vendor's vendors also pose risk.

(ISC)² Code of Ethics

Canon I: Protect society, the common good, necessary public trust, and the infrastructure.
Canon II: Act honorably, honestly, justly, responsibly, and legally.
Canon III: Provide diligent and competent service to principals.
Canon IV: Advance and protect the profession.

Priority Order: If canons conflict, they are prioritized I → II → III → IV. Society always comes first, then honesty, then your employer, then the profession.

Security Awareness & Training

Awareness — For everyone; "what" to be aware of (phishing, passwords, physical security).
Training — Role-based; "how" to perform security tasks (admins, developers, incident responders).
Education — Career development; "why" — deep understanding (CISSP, CISM, degrees).
Social engineering defenses: phishing simulations, vishing awareness, tailgating prevention, pretexting recognition.
Metrics: phishing click rates, incident reporting rates, policy acknowledgment rates, training completion.

2

Asset Security

~10% of exam · Day 3

2.1 — Data Classification, Categorization & Ownership

Classification Levels

Government (Military)	Commercial / Private	Sensitivity
Top Secret	Confidential / Proprietary	Highest — grave damage
Secret	Private	Serious damage
Confidential	Sensitive	Damage
Unclassified	Public	No damage expected

Data Roles (Detailed)

Data Owner — Senior/executive management. Accountable for data classification, determining who can access, approving access requests, ensuring appropriate protection. They OWN the liability.
Data Custodian — IT operations. Implements controls defined by the owner: backups, encryption, access permissions, patching. Day-to-day maintenance.
Data Steward — Ensures data quality, accuracy, metadata standards, and compliance with governance rules.
Data Controller (GDPR) — Organization that determines WHY and HOW personal data is processed.
Data Processor (GDPR) — Third party that processes data on behalf of the controller (e.g., cloud provider, payroll company).
Data Subject — The individual whose personal data is being collected/processed.
System Owner — Responsible for the overall system (hardware + software) that processes data.

Exam Tip: The Data OWNER determines classification. The Data CUSTODIAN implements protection. The owner is always from management (not IT).

Asset Classification Process

1. Identify assets → 2. Classify based on sensitivity/value → 3. Label/mark → 4. Handle per classification → 5. Declassify/destroy when appropriate.
Classification should be based on the HIGHEST sensitivity of any data element within the asset.

2.2 — Data States, Lifecycle & Handling

Three States of Data

State	Description	Protection Controls
Data at Rest	Stored on disk, tape, cloud storage, database	Full-disk encryption (BitLocker, LUKS), database TDE, file-level encryption, access controls
Data in Transit	Moving across networks (LAN, WAN, internet)	TLS 1.3, IPSec VPN, SSH, SFTP, HTTPS, WPA3
Data in Use	Being processed in memory/CPU	Process isolation, memory encryption, Intel SGX/TDX, homomorphic encryption, secure enclaves

Data Lifecycle

Create / Collect — Classify at creation; apply labels; determine ownership.
Store — Encrypt; access controls; backups; physical security.
Use — Process isolation; least privilege; monitoring.
Share / Transfer — Encryption in transit; DLP; data sharing agreements.
Archive — Long-term storage; integrity verification; retention policies; encryption.
Destroy — Proper sanitization based on classification level.

Data Destruction & Remanence

Method	Description	Use Case
Clearing	Overwriting with patterns (DoD 5220.22-M: 7 passes)	Internal reuse of media
Purging / Sanitizing	Degaussing (magnetic fields), crypto-erasure	Media leaving organization
Destruction	Physical: shredding, incineration, pulverizing, dissolving	Highest-classified media; end of life

Crypto-shredding: Destroy the encryption keys to render encrypted data permanently unrecoverable. Especially effective in cloud environments where physical destruction isn't possible.

Data Remanence — Residual data remaining on media after deletion. Simply deleting files or formatting doesn't remove data — it only removes the pointer. Proper sanitization is required.

2.3 — Privacy Protection & Data Loss Prevention

OECD Privacy Principles (Foundation for GDPR, PIPEDA, etc.)

Collection Limitation — Collect only necessary data; obtain consent.
Data Quality — Keep data accurate, complete, and up-to-date.
Purpose Specification — State the purpose at time of collection.
Use Limitation — Use data only for stated purpose.
Security Safeguards — Protect data with reasonable security measures.
Openness — Be transparent about data practices.
Individual Participation — Allow individuals to access and correct their data.
Accountability — Data controller is accountable for compliance.

De-identification Techniques

Technique	Description	Reversible?
Anonymization	Irreversibly removes all PII; cannot re-identify	No
Pseudonymization	Replaces identifiers with pseudonyms; reversible with key	Yes (with key)
Tokenization	Replaces sensitive data with non-sensitive tokens; mapping in secure vault	Yes (with vault)
Data Masking	Obscures data (e.g., XXX-XX-1234); static or dynamic	No (static) / Yes (dynamic)
Generalization	Reduces precision (exact age → age range)	No
Perturbation	Adds noise/random changes to data	No

Data Loss Prevention (DLP)

Network DLP — Monitors data in transit across the network (email, web, FTP).
Endpoint DLP — Monitors data on endpoints (USB, clipboard, print, local save).
Cloud DLP — Monitors data in cloud storage and SaaS applications.
Detection methods: content inspection (regex, keywords), context-aware (who, where, when), exact data matching, fingerprinting.
Actions: alert, block, quarantine, encrypt, watermark.

Data Retention & Scoping

Retention policies define how long data must be kept (regulatory requirements vary by industry).
Scoping — Determining which controls apply to a specific system or data set.
Tailoring — Customizing baseline controls to fit organizational needs.
NIST SP 800-53 — Catalog of security controls for federal systems.

3

Security Architecture and Engineering

~13% of exam · Day 4–5

3.1 — Security Models (Bell-LaPadula, Biba, Clark-Wilson & Others)

Model	Focus	Key Rules	Mnemonic
Bell-LaPadula	Confidentiality	Simple: No Read Up. Star(*): No Write Down. Strong Star: Read/Write only at own level.	"BLP = don't Look UP, don't write DOWN"
Biba	Integrity	Simple: No Read Down. Star(*): No Write Up. Invocation: No call to higher integrity.	"BIBA = don't read DOWN, don't write UP" (opposite of BLP)
Clark-Wilson	Integrity (commercial)	Well-formed transactions through access triple: Subject → Program(TP) → Object(CDI). IVPs verify integrity. Separation of duties enforced.	"Clark-Wilson = Commercial integrity with middleman"
Brewer-Nash	Conflict of Interest	Chinese Wall model; dynamically prevents access to conflicting data sets	"Consultant can't see both Coke and Pepsi"
Graham-Denning	Access Control	8 primitive rules for creating/deleting objects and subjects, granting/revoking access	—
Harrison-Ruzzo-Ullman (HRU)	Access Control	Extension of Graham-Denning; formal access rights model; undecidability of safety	—
Lipner	Confidentiality + Integrity	Combines Bell-LaPadula and Biba in a practical implementation	—
Take-Grant	Access Rights	Graph-based model; Take, Grant, Create, Remove operations	—

Exam Tip: Bell-LaPadula enforces CONFIDENTIALITY (military classification, "read down/write up"). Biba enforces INTEGRITY (exact opposite: "read up/write down"). Clark-Wilson is for COMMERCIAL integrity using well-formed transactions and separation of duties.

3.2 — System Architecture: TCB, Reference Monitor, Protection Rings

Trusted Computing Base (TCB)

The totality of hardware, firmware, and software that enforces the security policy.
Everything inside the TCB is trusted; everything outside is untrusted.
Security Perimeter — The boundary between the TCB and the rest of the system.

Reference Monitor & Security Kernel

Reference Monitor — Abstract concept; mediates all access between subjects and objects.
Security Kernel — Hardware/software/firmware implementation of the reference monitor.
Must be: Always invoked (complete mediation), Tamperproof (cannot be bypassed), Verifiable (small enough to be formally proven).

CPU Protection Rings

Ring	Level	Components
Ring 0	Highest privilege (Kernel mode)	OS kernel, security kernel
Ring 1	OS services	OS components, device drivers
Ring 2	I/O drivers	Device drivers, utilities
Ring 3	Lowest privilege (User mode)	User applications, processes

Processor Modes

Supervisor / Privileged Mode (Ring 0) — Full access to hardware; executes privileged instructions.
User Mode (Ring 3) — Limited access; must request services from kernel via system calls.

Security Architecture Concepts

Defense in Depth — Multiple layers of security controls (layered defense).
Least Privilege — Subjects receive minimum necessary permissions.
Separation of Duties — Critical tasks split among multiple individuals.
Fail-Secure / Fail-Safe — System defaults to secure state on failure (denies access).
Fail-Open — System allows access on failure (e.g., fire doors that unlock).
Zero Trust Architecture — "Never trust, always verify"; verify every access request regardless of location.

3.3 — Cryptography: Symmetric, Asymmetric, Hashing & PKI

Symmetric Encryption (Shared Secret Key)

Same key encrypts and decrypts; fast; key distribution challenge.
Key count for n users = n(n−1)/2.

Algorithm	Key Size	Type	Status
AES	128/192/256 bit	Block (128-bit blocks)	Current standard (NIST)
DES	56 bit	Block (64-bit blocks)	Deprecated — easily broken
3DES	112/168 bit	Block (64-bit blocks)	Deprecated — slow
Blowfish	32-448 bit	Block (64-bit blocks)	Legacy; replaced by Twofish
Twofish	128/192/256 bit	Block (128-bit blocks)	AES finalist
RC4	40-2048 bit	Stream	Deprecated — biases found
ChaCha20	256 bit	Stream	Modern; used in TLS 1.3

Block Cipher Modes

ECB — Electronic Codebook; same plaintext → same ciphertext; NOT secure for most uses.
CBC — Cipher Block Chaining; uses IV; each block depends on previous; common.
CTR — Counter mode; turns block cipher into stream cipher; parallelizable.
GCM — Galois/Counter Mode; encryption + authentication (AEAD); recommended.

Asymmetric Encryption (Public/Private Key Pair)

Different keys for encryption and decryption; slower; solves key distribution.
Encrypt with recipient's public key → only their private key decrypts (confidentiality).
Sign with sender's private key → anyone can verify with public key (authentication, integrity, non-repudiation).
Key count for n users = 2n.

Algorithm	Based On	Capabilities
RSA	Factoring large primes	Encryption + digital signatures + key exchange
ECC	Elliptic curve discrete logarithm	Same security with smaller keys (256-bit ECC ≈ 3072-bit RSA)
Diffie-Hellman	Discrete logarithm	Key exchange ONLY (not encryption or signing); vulnerable to MITM
El Gamal	Based on DH	Encryption + signatures; doubles ciphertext size
DSA	Discrete logarithm	Digital signatures ONLY (not encryption)

Hashing (One-Way Functions)

Algorithm	Output Size	Status
MD5	128 bits	Broken — collision attacks found
SHA-1	160 bits	Deprecated — collision demonstrated (2017)
SHA-2 (SHA-256/512)	256/512 bits	Current standard; widely used
SHA-3 (Keccak)	224/256/384/512	Latest NIST standard; different internal structure (sponge)
HMAC	Varies (uses underlying hash)	Hash + secret key = authentication + integrity

PKI (Public Key Infrastructure)

CA (Certificate Authority) — Issues, signs, and revokes digital certificates; root of trust.
RA (Registration Authority) — Verifies identity before CA issues certificate.
CRL (Certificate Revocation List) — List of revoked certificates; downloaded periodically.
OCSP (Online Certificate Status Protocol) — Real-time certificate validation (better than CRL).
X.509 — Standard format for digital certificates (version, serial, issuer, subject, public key, validity, signature).
Certificate Pinning — Associating a host with its expected certificate to prevent MITM.
Key Escrow — Third party holds copy of encryption keys (controversial; enables recovery or lawful intercept).

Digital Signature Process: 1) Sender hashes the message → 2) Encrypts hash with sender's PRIVATE key → 3) Recipient decrypts hash with sender's PUBLIC key → 4) Recipient hashes received message and compares. Match = integrity + authentication + non-repudiation.

3.4 — Cloud Security, Virtualization & Evaluation Criteria

Cloud Service Models

Model	Customer Manages	Provider Manages	Examples
IaaS	OS, middleware, apps, data	Virtualization, servers, storage, network	AWS EC2, Azure VMs
PaaS	Applications, data	OS, middleware, runtime, infrastructure	Azure App Service, Heroku
SaaS	Data, user access config	Everything else	Office 365, Salesforce

Cloud Deployment Models

Public — Shared infrastructure (AWS, Azure, GCP); multi-tenant.
Private — Dedicated to one organization; on-prem or hosted.
Community — Shared among organizations with common goals (government, healthcare).
Hybrid — Mix of public and private; data can move between.

Virtualization Security

Hypervisor Types: Type 1 (bare-metal: ESXi, Hyper-V) — more secure. Type 2 (hosted: VirtualBox, VMware Workstation) — less secure.
VM Escape — Attacker breaks out of VM to access hypervisor or other VMs (critical threat).
VM Sprawl — Uncontrolled proliferation of VMs leading to unmanaged/unpatched instances.
Containers — Lightweight OS-level virtualization (Docker, Kubernetes); share kernel; smaller attack surface than VMs but less isolation.

Common Criteria (ISO 15408)

EAL Level	Assurance	Testing
EAL 1	Functionally tested	Minimal
EAL 2	Structurally tested	Basic
EAL 3	Methodically tested and checked	Moderate
EAL 4	Methodically designed, tested, and reviewed	High (most common for commercial)
EAL 5	Semiformally designed and tested	Very high
EAL 6	Semiformally verified design and tested	Extensive
EAL 7	Formally verified design and tested	Most rigorous

Physical Security & Fire Suppression

Fire Class	Material	Suppression Agent
A	Common combustibles	Water, soda acid
B	Flammable liquids	CO₂, FM-200, dry chemical
C	Electrical equipment	CO₂, FM-200, Novec 1230
D	Combustible metals	Dry powder ONLY
K	Kitchen oils/grease	Wet chemical

Data Center: Temperature 64-75°F (18-24°C), Humidity 40-60%. Positive air pressure prevents contaminants. Hot/cold aisle containment for efficiency. FM-200 or Novec 1230 for fire suppression (safe for electronics and people).

4

Communication and Network Security

~13% of exam · Day 6–7

4.1 — OSI Model, TCP/IP & Network Fundamentals

OSI 7-Layer Model

#	Layer	Function	Protocols	Data Unit	Devices
7	Application	User interface & network services	HTTP, FTP, SMTP, DNS, SNMP, LDAP	Data	Gateway, proxy
6	Presentation	Data format, encryption, compression	SSL/TLS, JPEG, MPEG, ASCII, EBCDIC	Data	—
5	Session	Session establishment, management, termination	NetBIOS, RPC, PPTP, SIP	Data	—
4	Transport	End-to-end delivery, error recovery, flow control	TCP (reliable), UDP (fast)	Segment	—
3	Network	Routing, logical addressing	IP, ICMP, IGMP, IPSec	Packet	Router, L3 switch
2	Data Link	Framing, MAC addressing, error detection	Ethernet, PPP, ARP, Wi-Fi (802.11)	Frame	Switch, bridge, NIC
1	Physical	Physical transmission (electrical, optical, radio)	Ethernet cables, fiber, radio	Bits	Hub, repeater, cable

Mnemonics: Top-down: All People Seem To Need Data Processing. Bottom-up: Please Do Not Throw Sausage Pizza Away.

TCP/IP Model (4 Layers)

TCP/IP Layer	OSI Equivalent
Application	Layers 5, 6, 7
Transport	Layer 4
Internet	Layer 3
Network Access / Link	Layers 1, 2

TCP vs. UDP

TCP — Connection-oriented; 3-way handshake (SYN → SYN-ACK → ACK); reliable delivery; flow control; sequencing. Used for HTTP, FTP, SSH, SMTP.
UDP — Connectionless; no handshake; faster but unreliable; no retransmission. Used for DNS, DHCP, SNMP, VoIP, streaming.

IPv4 vs. IPv6

IPv4 — 32-bit addresses (4.3 billion); dotted decimal (192.168.1.1); NAT to extend address space.
IPv6 — 128-bit addresses (virtually unlimited); hex notation (2001:0db8::1); IPSec built-in; no NAT needed; no broadcast (uses multicast).

4.2 — Network Devices, Protocols & Ports

Network Security Devices

Firewall Types: Packet filtering (Layer 3/4) → Stateful inspection (tracks connections) → Application proxy (Layer 7, deep inspection) → NGFW (combines all + IPS + DPI + threat intelligence).
IDS/IPS: Network-based (NIDS/NIPS) and Host-based (HIDS/HIPS). Detection methods: Signature-based (known patterns), Anomaly-based (baseline deviations), Heuristic (behavioral rules).
WAF — Web Application Firewall; Layer 7; protects against OWASP Top 10 (SQLi, XSS, CSRF).
NAC (Network Access Control) — Verifies device compliance before granting access (802.1X, posture checking).
SIEM — Security Information & Event Management; aggregates and correlates logs from multiple sources.
Proxy Server — Intermediary for requests; can filter, cache, and anonymize. Forward proxy (client-side), reverse proxy (server-side).

Essential Port Numbers

Port	Protocol	Port	Protocol
20/21	FTP (data/control)	443	HTTPS
22	SSH / SCP / SFTP	445	SMB (Microsoft file sharing)
23	Telnet (insecure)	514	Syslog
25	SMTP (email send)	636	LDAPS (secure LDAP)
53	DNS	993	IMAPS
67/68	DHCP	995	POP3S
69	TFTP	1812/1813	RADIUS (auth/acct)
80	HTTP	3389	RDP
110	POP3	161/162	SNMP (query/trap)
143	IMAP	49	TACACS+
389	LDAP	88	Kerberos

4.3 — VPN, IPSec, Wireless Security & Network Attacks

IPSec

Component	Function
AH (Authentication Header)	Integrity + authentication only (no encryption); protocol 51
ESP (Encapsulating Security Payload)	Confidentiality + integrity + authentication; protocol 50
Transport Mode	Encrypts only payload; original IP header preserved (end-to-end)
Tunnel Mode	Encrypts entire original packet + new header (gateway-to-gateway)
IKE (Internet Key Exchange)	Negotiates Security Associations (SAs); Phase 1 (ISAKMP SA) + Phase 2 (IPSec SA)

Wireless Security Standards

Standard	Encryption	Auth Protocol	Status
WEP	RC4 (24-bit IV)	Open/Shared Key	Broken — never use
WPA	TKIP + RC4	PSK or 802.1X	Deprecated
WPA2	AES-CCMP	PSK or 802.1X (Enterprise)	Current standard
WPA3	AES-GCMP / SAE	SAE (replaces PSK) or 802.1X	Latest; forward secrecy; resistant to offline dictionary attacks

Common Network Attacks

ARP Spoofing / Poisoning — Attacker sends fake ARP replies to associate their MAC with a legitimate IP. Defense: Dynamic ARP Inspection (DAI), static ARP entries.
DNS Poisoning / Spoofing — Corrupts DNS cache; redirects traffic to malicious sites. Defense: DNSSEC, DNS monitoring.
MITM — Attacker intercepts communication between two parties. Defense: encryption, certificate pinning, mutual authentication.
SYN Flood — Sends massive SYN requests without completing handshake. Defense: SYN cookies, rate limiting, firewall rules.
Smurf Attack — ICMP broadcast amplification. Defense: disable directed broadcasts, ingress filtering.
Fraggle Attack — UDP broadcast amplification (similar to Smurf). Defense: same as Smurf.
VLAN Hopping — Double tagging to reach other VLANs. Defense: disable auto-trunking, set native VLAN to unused.
Rogue AP / Evil Twin — Fake access point. Defense: WIDS, 802.1X, certificate-based auth.
MAC Flooding — Overwhelms switch CAM table, forcing it to act as a hub. Defense: port security.

Network Segmentation

VLAN — Logical segmentation at Layer 2; separate broadcast domains.
DMZ — Screened subnet hosting public-facing services between two firewalls.
Microsegmentation — Zero Trust approach; granular east-west traffic controls between workloads.
SDN (Software-Defined Networking) — Separates control plane from data plane; centralized management.

5

Identity and Access Management (IAM)

~13% of exam · Day 7

5.1 — Authentication Factors, Biometrics & SSO Technologies

Authentication Factors

Factor	Type	Examples
Type 1	Something you know	Password, PIN, passphrase, security questions
Type 2	Something you have	Smart card, OTP token, phone (SMS/app), FIDO key
Type 3	Something you are	Fingerprint, retina, iris, voice, face, palm vein
Type 4	Somewhere you are	GPS location, IP geolocation
Type 5	Something you do	Keystroke dynamics, gait analysis, signature

MFA requires two or more different factor types. Password + PIN = single factor (both Type 1). Password + fingerprint = true MFA (Type 1 + Type 3).

Biometric Errors

FRR (Type I error) — False Rejection Rate; denies a legitimate user. Too sensitive.
FAR (Type II error) — False Acceptance Rate; admits an impostor. Not sensitive enough.
CER / EER — Crossover/Equal Error Rate; where FRR = FAR. Lower CER = more accurate system.
Most biometrics: retina scan is most accurate; fingerprint is most accepted by users.

SSO Technologies

Technology	Protocol	Key Details
Kerberos	Ticket-based	Uses KDC (AS + TGS); symmetric encryption; port 88; TGT + Service Tickets; timestamps for replay protection. Weaknesses: single point of failure (KDC), time sync required.
SAML 2.0	XML-based	Web SSO; IdP (Identity Provider) asserts identity to SP (Service Provider); uses assertions (authentication, authorization, attribute).
OAuth 2.0	Authorization	Delegates access without sharing credentials; provides access tokens; NOT authentication. Used by APIs.
OpenID Connect	Authentication	Authentication layer built ON TOP of OAuth 2.0; provides ID tokens (JWT). "Login with Google/Facebook."
RADIUS	AAA	Remote Authentication Dial-In User Service; encrypts ONLY password; UDP 1812/1813; combines auth & authorization.
TACACS+	AAA	Full packet encryption; TCP port 49; separates authentication, authorization, and accounting. Preferred for device admin.

5.2 — Access Control Models & Identity Lifecycle

Access Control Models

Model	Decision Made By	Description	Use Case
DAC	Resource owner	Owner sets permissions via ACLs; identity-based; most common in file systems	Windows NTFS, Linux file permissions
MAC	System (labels)	System enforces based on sensitivity labels and clearances; mandatory rules	Military, classified government systems
RBAC	Administrator (roles)	Access based on job role/function; roles mapped to permissions; most common enterprise	ERP systems, corporate apps
ABAC	Policy engine (attributes)	Access based on attributes of subject, object, action, and environment. Most granular & flexible.	Cloud, dynamic environments, XACML
Rule-Based	Rules engine	IF-THEN rules applied globally (time of day, IP range, etc.)	Firewalls, ACLs, router configs

Identity Lifecycle Management

Provisioning — Creating accounts, assigning initial permissions based on role.
Access Review / Recertification — Periodic review (quarterly/annually) to ensure access is still appropriate.
Privilege Creep — Accumulation of unnecessary access over time; detected during access reviews.
Revocation — Removing specific permissions when role changes.
Deprovisioning — Disabling/deleting accounts upon termination; must be immediate for security.

Federated Identity & Zero Trust

Federation — Users authenticate once at their home IdP and access services at multiple SPs across organizations via trust relationships.
Zero Trust — "Never trust, always verify." Authenticate every request; least privilege; micro-segmentation; continuous verification. Guided by NIST SP 800-207.
JIT (Just-In-Time) Access — Grant privileges only when needed, for the minimum duration. Part of zero trust and PAM strategies.
PAM (Privileged Access Management) — Special controls for admin/root accounts: vaulting, session recording, MFA, approval workflows.

6

Security Assessment and Testing

~12% of exam · Day 8

6.1 — Vulnerability Assessment & Penetration Testing

Vulnerability Assessment vs. Pen Test

Aspect	Vulnerability Assessment	Penetration Test
Goal	Identify & catalog vulnerabilities	Exploit vulnerabilities; prove impact
Approach	Automated scanning, passive	Manual & automated, active exploitation
Scope	Broad — scan everything	Targeted — specific systems/goals
Output	List of vulnerabilities with severity	Proof of exploitation, attack paths
Frequency	Regular (monthly/quarterly)	Annual or on significant changes

Vulnerability Scoring

CVSS — Common Vulnerability Scoring System (0-10); Base, Temporal, Environmental scores.
CVE — Common Vulnerabilities and Exposures; unique identifier (e.g., CVE-2024-12345).
CWE — Common Weakness Enumeration; categorizes software weakness types.
NVD — National Vulnerability Database; enriches CVEs with CVSS scores and analysis.

Pen Test Types & Phases

Black Box — Zero knowledge (external attacker simulation).
White Box — Full knowledge (source code, architecture, credentials).
Gray Box — Partial knowledge (insider perspective).

Phases: 1. Planning & Scoping (RoE) → 2. Reconnaissance (OSINT, passive/active) → 3. Scanning & Enumeration → 4. Gaining Access (exploitation) → 5. Maintaining Access → 6. Covering Tracks → 7. Analysis & Reporting

Rules of Engagement (RoE) — Must be signed before testing begins. Defines: scope, authorized targets, testing window, techniques allowed, emergency contacts, liability, data handling, and reporting requirements.

6.2 — Audits, SOC Reports & Log Management

SOC Reports (AICPA)

Report	Focus	Type I vs. Type II	Audience
SOC 1	Financial reporting controls (ICFR)	Type I: design at a point in time. Type II: design + operating effectiveness over a period (usually 6-12 months).	Auditors, management
SOC 2	Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy	Same distinction	Management, specific users (restricted)
SOC 3	Same as SOC 2 but general-use summary	General report only	Public / anyone

SIEM & Log Management

SIEM — Aggregates, normalizes, correlates, and analyzes logs from multiple sources in real-time.
Log sources: Firewalls, IDS/IPS, OS events, application logs, authentication systems, endpoint agents.
Best practices: Centralized logging, log integrity protection (write-once/WORM), time synchronization (NTP), defined retention policies (based on legal/compliance requirements), log review procedures.

Software Testing Types

Test Type	Description
SAST	Static analysis of source code without execution (white-box); finds coding errors early
DAST	Tests running application (black-box); simulates attacks against deployed app
IAST	Combines SAST + DAST; instruments running app for deeper analysis
SCA	Software Composition Analysis; scans third-party libraries for known vulnerabilities
Fuzzing	Sends random/malformed inputs to find crashes, memory leaks, and unhandled exceptions
Regression	Ensures code changes don't break existing functionality
Code Review	Manual peer review; Fagan inspection (formal process)

7

Security Operations

~13% of exam · Day 9

7.1 — Incident Response, Evidence & Forensics

NIST IR Lifecycle (SP 800-61)

1. Preparation — Policies, CSIRT formation, tools, training, communication plans, management support.
2. Detection & Analysis — Monitoring, SIEM alerts, triage, classification (severity/priority), notification chains.
3. Containment, Eradication & Recovery

Containment: Short-term (isolate affected systems) + Long-term (apply temporary fixes).
Eradication: Remove root cause (malware, compromised accounts, vulnerabilities).
Recovery: Restore systems from clean backups; verify; monitor for recurrence.

4. Post-Incident Activity — Lessons learned meeting (within 2 weeks); root cause analysis; update procedures; evidence retention.

Evidence Handling

Chain of Custody — Documented record of who handled evidence, when, and what they did. Must be unbroken for legal admissibility.
Evidence Types: Real/Physical (tangible objects) → Documentary (logs, documents — requires authentication) → Testimonial (expert/witness statements) → Demonstrative (charts, models).
Best Evidence Rule — Original documents preferred over copies.
Hearsay Rule — Secondhand info generally not admissible (computer logs are an exception under business records rule).

Digital Forensics

Order of Volatility (most → least): CPU registers/cache → RAM → Swap/page file → HDD/SSD → Removable media → Network traffic → Backup tapes → Printed output.
Forensic Image — Bit-for-bit copy (dd, FTK Imager); always use a write blocker.
Process: Identify → Collect (preserve evidence, chain of custody) → Examine → Analyze → Report.
Legal Holds / Litigation Holds — Requirement to preserve all potentially relevant evidence when litigation is anticipated.

7.2 — Disaster Recovery, Backup & High Availability

Recovery Sites

Type	Equipment	Data	RTO	Cost
Hot Site	Fully equipped, mirrors production	Real-time replication	Minutes–hours	Highest
Warm Site	Partial equipment	Needs data restoration	Hours–days	Moderate
Cold Site	Empty facility (power, HVAC, connectivity)	Must procure everything	Days–weeks	Lowest
Mobile Site	Portable/container-based	Deployable	Hours–days	Moderate
Cloud / DRaaS	On-demand infrastructure	Cloud replication	Minutes–hours	Pay-per-use

Backup Strategies

Type	What's Backed Up	Backup Speed	Restore Speed	Archive Bit
Full	Everything	Slowest	Fastest	Clears all
Incremental	Changed since LAST backup (any type)	Fastest	Slowest (need full + all incrementals)	Clears changed
Differential	Changed since last FULL backup	Moderate	Moderate (need full + latest differential)	Does NOT clear

RAID Levels

RAID	Method	Min Disks	Fault Tolerance	Performance
0	Striping	2	None	Best read/write
1	Mirroring	2	1 disk failure	Good read
5	Striping + distributed parity	3	1 disk failure	Good
6	Striping + double parity	4	2 disk failures	Good
10 (1+0)	Mirrored stripes	4	1 per mirror pair	Excellent

7.3 — Change, Configuration & Patch Management

Change Management

Request → Impact Analysis → Approval (CAB — Change Advisory Board) → Test → Implement → Verify → Document.
Emergency changes still require after-the-fact documentation and review.
Rollback plan must exist for every change.

Configuration Management

Establish and maintain system baselines (approved configurations).
CMDB — Tracks all Configuration Items (CIs) and their relationships.
Tools: Puppet, Chef, Ansible, Terraform (IaC — Infrastructure as Code).
CIS Benchmarks and DISA STIGs for secure baselines.

Patch Management Cycle

Monitor (vendor advisories, CVEs) → Evaluate (criticality, applicability) → Test (staging environment) → Approve → Deploy → Verify → Document.
Prioritize based on CVSS score × asset criticality.
Virtual patching (WAF/IPS rules) for emergency protection before patch deployment.

8

Software Development Security

~11% of exam · Day 10

8.1 — SDLC, Development Models & Secure Coding

SDLC Phases with Security Activities

Phase	Security Activity
Requirements	Security requirements, abuse cases, risk assessment, compliance mapping
Design	Threat modeling (STRIDE), security architecture, design review
Implementation	Secure coding standards, SAST, code review, secret management
Testing	DAST, IAST, fuzzing, pen testing, regression testing
Deployment	Configuration hardening, vulnerability scanning, change management
Maintenance	Patch management, monitoring, incident response, periodic reviews

Development Models

Model	Approach	Best For
Waterfall	Sequential; no backtracking; heavy documentation	Well-defined, stable requirements
V-Model	Waterfall + testing at each phase; verification & validation	High-assurance systems
Agile / Scrum	Iterative sprints (2-4 weeks); adaptive; continuous feedback	Rapidly changing requirements
Spiral	Risk-driven; iterative with risk analysis at each cycle	Large, high-risk projects
DevOps	Dev + Ops; CI/CD pipelines; automation; shared responsibility	Continuous delivery
DevSecOps	DevOps + integrated security at every stage; "shift left"	Modern secure development
RAD	Rapid prototyping; heavy user involvement; iterative	Quick turnaround projects

Maturity Models

CMMI: Initial (chaotic) → Managed (repeatable) → Defined (standardized) → Quantitatively Managed (metrics-driven) → Optimizing (continuous improvement).
SAMM (OWASP) — Software Assurance Maturity Model; measures security practices across governance, design, implementation, verification, operations.

8.2 — Application Attacks, OWASP Top 10 & Database Security

Common Application Attacks

Attack	Description	Defense
SQL Injection	Injects SQL into input fields to read/modify database	Parameterized queries, stored procedures, input validation, least-privilege DB accounts
XSS (Cross-Site Scripting)	Injects malicious scripts into web pages viewed by others	Output encoding, CSP headers, input sanitization. Types: Reflected, Stored, DOM-based
CSRF	Forces authenticated user to execute unwanted actions	Anti-CSRF tokens, SameSite cookies, referer validation
Buffer Overflow	Writes beyond buffer boundaries to execute arbitrary code	Bounds checking, ASLR, DEP/NX bit, safe languages (Rust, Go), stack canaries
TOCTOU	Race condition between check and use of a resource	File locking, atomic operations, mutex
SSRF	Server-Side Request Forgery; forces server to make requests to internal resources	URL allowlisting, network segmentation, input validation
XXE	XML External Entity; exploits XML parsers to read files, SSRF, DoS	Disable external entity processing, use JSON instead
Insecure Deserialization	Exploits deserialization of untrusted data for RCE	Input validation, allowlisting classes, integrity checks
Directory Traversal	Uses ../ to access files outside intended directory	Input validation, canonicalization, chroot jails

Input validation is the #1 defense against injection attacks. Always validate on the SERVER SIDE — client-side validation can be bypassed. Prefer allowlisting (known-good) over blocklisting (known-bad).

Database Security

ACID Properties: Atomicity (all or nothing), Consistency (valid state transitions), Isolation (concurrent transactions don't interfere), Durability (committed data survives failures).
Views — Virtual tables restricting what data users see (logical access control).
Polyinstantiation — Multiple rows with same primary key at different classification levels.
Aggregation — Combining non-sensitive data to derive sensitive conclusions.
Inference — Deducing restricted information from permitted data.
Normalization — 1NF (eliminate repeating groups) → 2NF (remove partial dependencies) → 3NF (remove transitive dependencies). Reduces redundancy and anomalies.

DevSecOps Pipeline Security

Pre-commit: IDE security plugins, secret detection (GitLeaks, TruffleHog).
Build: SAST, SCA (dependency scanning), container image scanning.
Test: DAST, IAST, fuzzing, security acceptance tests.
Deploy: IaC scanning (Terraform, CloudFormation), runtime protection.
Monitor: RASP, WAF, SIEM, continuous vulnerability scanning.

AI/ML & Emerging Technology Security

Data Poisoning — Corrupting training data to manipulate model behavior.
Adversarial Inputs — Crafted inputs that fool ML models into misclassification.
Model Extraction — Stealing model parameters through systematic queries.
Prompt Injection — Manipulating LLM behavior through crafted prompts.
Blockchain: immutable ledger, consensus mechanisms, smart contract vulnerabilities (reentrancy).