CISSP: The Last Mile
Your guide to the finish line
About the Book
Like his popular CISSP exam prep series on YouTube, "CISSP: The Last Mile" is designed as a consolidated reference that makes advanced exam topics accessible, bringing focus to important exam topics, revealing the "what and why" of key exam concepts without wasting time or space.
Table of Contents
- Preface (Read this first!)
- Legend
- Exam Prep Strategy
- Exam Mindset
- Time management
- Evaluating Exam Answers (The READ Strategy)
- Recommended Study Materials
- Books
- Practice Questions
- Video Training
- Flashcards
- Chapter 1: Domain 1 - Security and Risk Management
- 1.1 Understand, adhere to, and promote professional ethics
- 1.1.1 ISC2 Code of Professional Ethics
- 1.1.2 Organizational code of ethics
- 1.2 Understand and apply security concepts
- The CIA Triad
- AAA Services
- 1.2.1 Confidentiality, integrity, and availability, authenticity, and nonrepudiation (5 Pillars of Information Security)
- 1.3 Evaluate and apply security governance principles
- 1.3.1 Alignment of the security function to business strategy, goals, mission, and objectives
- Important Terms and Concepts
- 1.3.2 Organizational processes (e.g., acquisitions, divestitures, governance committees)
- 1.3.3 Organizational roles and responsibilities
- 1.3.4 Security Control Frameworks
- 1.3.5 Due Care/Due Diligence
- 1.4 Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context
- 1.4.1 Cybercrimes and data breaches
- 1.4.2 Licensing and Intellectual Property requirements
- 1.4.3 Import/export controls
- 1.4.4 Transborder data flow
- 1.4.5 Issues related to privacy
- Privacy Impact Assessment (PIA)
- Cybersecurity Laws and Regulations
- 1.4.6 Contractual, legal, industry standards, and regulatory requirements
- 1.5 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
- Branches of Law
- Investigation Types
- 1.6 Develop, document, and implement security policy, standards, procedures, and guidelines
- Security Policy
- Security Standard
- Security Procedure
- Security Guideline
- 1.7 Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements
- 1.7.1 Business impact analysis (BIA)
- 1.7.2 External dependencies
- 1.8 Contribute to and enforce personnel security policies and procedures
- 1.8.1 Candidate screening and hiring
- 1.8.2 Employment agreements and policy driven requirements
- 1.8.3 Onboarding, transfers, and termination processes
- 1.8.4 Vendor, consultant, and contractor agreements and controls
- 1.9 Understand and apply risk management concepts
- 1.9.1 Threat and vulnerability identification
- 1.9.2 Risk analysis, assessment, and scope
- Risk Analysis Methodologies
- Quantitative Risk Analysis Process
- Quantitative Risk Analysis Formulas
- Quantitative Risk Analysis Example
- 1.9.3 Risk response and treatment (e.g., cybersecurity insurance)
- Other important terms related to risk
- 1.9.4 Applicable types of controls (e.g., preventive, detection, corrective)
- Security Control Categories
- Security Control Types
- 1.9.5 Control assessments (e.g., security and privacy)
- 1.9.6 Continuous monitoring and measurement
- 1.9.7 Reporting (e.g., internal, external)
- 1.9.8 Continuous improvement (e.g., risk maturity modeling)
- 1.9.9 Risk frameworks
- Security Control Frameworks
- 1.10 Understand and apply threat modeling concepts and methodologies
- Common Threat Modeling Methodologies
- Principles of Social Engineering
- Social Engineering Attacks
- 1.11 Apply supply chain risk management (SCRM) concepts
- 1.11.1 Risks associated with the acquisition of products and services from suppliers and providers (e.g., product tampering, counterfeits, implants)
- 1.11.2 Risk mitigations (e.g., third-party assessment and monitoring, minimum security requirements, service level requirements, silicon root of trust, physically unclonable function, software bill of materials)
- 1.12 Establish and maintain a security awareness, education, and training program
- 1.12.1 Methods and techniques to increase awareness and training (e.g., social engineering, phishing, security champions, gamification)
- 1.12.2 Periodic content reviews to include emerging technologies and trends (e.g., cryptocurrency, artificial intelligence (AI), blockchain)
- 1.12.3 Program effectiveness evaluation
- Chapter 2: Domain 2 - Asset Security
- 2.1 Identify and classify information and assets
- 2.1.1 Data classification
- Data classification in government and public organizations
- 2.1.2 Asset classification
- 2.2 Establish information and asset handling requirements
- 2.3 Provision information and assets securely
- Security Control Baseline
- 2.3.1 Information and asset ownership
- 2.3.2 Asset inventory
- 2.3.3 Asset Management
- Asset Management Lifecycle
- 2.4 Manage data lifecycle
- 2.4.1 Data Roles
- 2.4.2 Data Collection
- 2.4.3 Data Location
- 2.4.4 Data Maintenance
- 2.4.5 Data Retention
- 2.4.6 Data Remanence
- 2.4.7 Data Destruction
- 2.5 Ensure Appropriate Asset Retention (EOL, EOS)
- 2.6 Determine Data Security Controls and Compliance Requirements
- 2.6.1 Data States (In Use, In Transit, At Rest)
- 2.6.2 Scoping and Tailoring
- 2.6.3 Standards Selection
- 2.6.4 Data Protection Methods (DRM, DLP, CASB)
- Chapter 3: Domain 3 - Security Architecture and Engineering
- 3.1 Research, implement, and manage engineering processes using secure design principles
- 3.1.1 Threat modeling
- 3.1.2 Least privilege
- 3.1.3 Defense in depth
- 3.1.4 Secure defaults
- 3.1.5 Fail securely
- 3.1.6 Segregation of Duties (SoD)
- 3.1.7 Keep it simple and small
- 3.1.8 Zero trust or trust but verify
- 3.1.9 Privacy by design
- 3.1.10 Shared responsibility
- 3.1.11 Secure access service edge
- 3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
- 3.3 Select controls based upon systems security requirements
- Common Criteria
- 3.4 Understand security capabilities of information systems
- 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
- 3.5.1 Client-based systems
- Securing the boot process
- Mobile Device Management (MDM)
- Mobile Device Deployment Policies
- 3.5.2 Server-based systems
- 3.5.3 Database systems
- Database Architecture
- RDBMS Attacks
- 3.5.4 Cryptographic Systems
- Goals of Cryptography
- 3.5.5 Operational Technology/Industrial control systems (ICS)
- 3.5.6 Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
- What is cloud computing?
- Cloud Service Models
- Cloud Deployment Models
- 3.5.7 Distributed systems
- 3.5.8 Internet of Things (IoT)
- 3.5.9 Microservices (e.g., application programming interface (API))
- 3.5.10 Containerization
- 3.5.11 Serverless
- 3.5.12 Embedded systems
- 3.5.13 High-Performance Computing (HPC) systems
- 3.5.14 Edge computing systems
- Edge Computing
- Fog Computing
- 3.5.15 Virtualized systems
- 3.6 Select and determine cryptographic solutions
- 3.6.1 Cryptographic life cycle
- 3.6.2 Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)
- Important Terms and Concepts
- Symmetric Cryptography
- Asymmetric Cryptography (Public Key Cryptography)
- Hybrid Cryptography
- Hash Functions
- Types of Ciphers
- Email Security
- Post-Quantum Cryptography
- 3.6.3 Public key infrastructure (PKI)
- 3.6.4 Key management practices
- 3.6.5 Digital signatures and certificates (e.g., non-repudiation, integrity)
- 3.7 Understand methods of cryptanalytic attacks
- 3.7.1 Brute force
- 3.7.2 Ciphertext only
- 3.7.3 Known plaintext
- 3.7.4 Frequency analysis
- 3.7.5 Chosen ciphertext
- 3.7.6 Implementation attacks
- 3.7.7 Side-channel
- 3.7.8 Fault injection
- 3.7.9 Timing
- 3.7.10 Man-in-the-middle (MITM)
- 3.7.11 Pass the hash
- 3.7.12 Kerberos exploitation
- Kerberos Attacks
- 3.7.13 Ransomware
- 3.8 Apply security principles to site and facility design
- Site Selection
- Facility Design
- Disaster Recovery Metrics
- Threats to Physical Security
- Security Control Categories, Types, and Functional Order
- 3.9 Design site and facility security controls
- 3.9.1 Wiring closets/intermediate distribution frame
- 3.9.2 Server rooms/data centers
- Badges and Smartcards
- 3.9.3 Media storage facilities
- 3.9.4 Evidence storage
- 3.9.5 Restricted and work area security
- 3.9.6 Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
- 3.9.7 Environmental issues (e.g., natural disasters, man-made)
- 3.9.8 Fire prevention, detection, and suppression
- Fire Detection
- Fire Suppression
- 3.9.9 Power (e.g., redundant, backup)
- 3.10 Manage the information system lifecycle
- 3.10.1 Stakeholders' needs and requirements
- 3.10.2 Requirements analysis
- 3.10.3 Architectural design
- 3.10.4 Development/implementation
- 3.10.5 Integration
- 3.10.6 Verification and validation
- 3.10.7 Transition/deployment
- 3.10.8 Operations and maintenance/sustainment
- 3.10.9 Retirement/disposal
- Chapter 4: Domain 4 - Communication and Network Security
- 4.1 Apply secure design principles in network architectures
- 4.1.1 Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
- Other Important TCP/IP Protocols
- 4.1.2 Internet Protocol (IP) version 4 and 6 (IPv6) (e.g., unicast, broadcast, multicast, anycast)
- Network Attacks
- 4.1.3 Secure Protocols (e.g., IPSec, SSH, SSL/TLS)
- Authentication Protocols
- VPN Protocols
- 4.1.4 Implications of multilayer protocols
- 4.1.5 Converged protocols (e.g., iSCSI, VoIP, InfiniBand over Ethernet, Compute Express Link)
- Voice Protocols: PBX, PSTN, VoIP
- PBX and Voice-related Attacks
- Communications Attacks
- 4.1.6 Transport architecture (e.g., topology, data/control/management plane, cut-through/store-and-forward)
- Types of Network Equipment
- Network Topologies
- Other Network Technologies and Concepts
- 4.1.7 Performance metrics (e.g., bandwidth, latency, jitter, throughput, signal-to-noise ratio)
- 4.1.8 Traffic flows (e.g., north-south, east-west)
- 4.1.9 Physical segmentation (e.g., in-band, out-of-band, air-gapped)
- 4.1.10 Logical segmentation (e.g., VLANs, VPNs, virtual routing and forwarding, virtual domain)
- 4.1.11 Micro-segmentation (e.g., network overlays/encapsulation; distributed firewalls, routers, intrusion detection system (IDS)/intrusion prevention system (IPS), zero trust)
- Perimeter Networks
- 4.1.12 Edge networks (e.g., ingress/egress, peering)
- 4.1.13 Wireless networks (e.g., Bluetooth, Wi-Fi, Zigbee, satellite)
- Bluetooth Attacks
- Wi-Fi
- Wireless Coverage
- Wireless Attacks
- 4.1.14 Cellular/mobile networks (e.g., 4G, 5G)
- 4.1.15 Content distribution networks (CDNs)
- 4.1.16 Software defined networks (SDN) (e.g., application programming interface (API), Software-Defined Wide-Area Network (SD-WAN), network functions virtualization (NFV))
- Software Defined Everything (SDx)
- 4.1.17 Virtual Private Cloud (VPC)
- 4.1.18 Monitoring and Management (e.g., network observability, traffic flow/shaping, capacity management, fault detection and handling)
- 4.2 Secure network components
- 4.2.1 Operation of infrastructure (e.g., redundant power, warranty, support)
- 4.2.2 Transmission media (e.g., physical security of media, signal propagation quality)
- 4.2.3 Network Access Control (NAC) systems (e.g., physical, and virtual solutions)
- 4.2.4 Endpoint security (e.g., host-based)
- 4.3 Implement secure communication channels
- 4.3.1 Voice, video, collaboration (e.g., conferencing, Zoom rooms)
- 4.3.2 Remote access (e.g., network administrative functions)
- 4.3.3 Data communications (e.g., backhaul networks, satellite)
- Virtual Circuits, PVCs, SVCs, and Related Concepts
- 4.3.4 Third-party connectivity (e.g., telecom providers, hardware support)
- Chapter 5: Domain 5 - Identity and Access Management (IAM)
- 5.1 Control physical and logical access to assets
- 5.1.1 Information
- 5.1.2 Systems
- 5.1.3 Devices
- 5.1.4 Facilities
- 5.1.5 Applications
- 5.1.6 Services
- 5.2 Design identification and authentication strategy (e.g., people, devices, and services)
- 5.2.1 Groups and Roles
- 5.2.2 Authentication, Authorization and Accounting (e.g., multi-factor authentication (MFA), password-less authentication)
- 5.2.3 Session management
- 5.2.4 Identity registration, proofing
- 5.2.5 Federated Identity Management
- 5.2.6 Credential management systems
- 5.2.7 Single sign-on
- Kerberos Components
- Common Kerberos Attacks
- 5.2.8 Just-In-Time
- 5.3 Federated identity with third-party service
- 5.3.1 On-premises
- 5.3.2 Cloud
- 5.3.3 Hybrid
- 5.4 Implement and manage authorization mechanisms
- 5.4.1 Role-based access control (RBAC)
- 5.4.2 Rule based access control
- 5.4.3 Mandatory access control (MAC)
- 5.4.4 Discretionary access control (DAC)
- 5.4.5 Attribute-based access control (ABAC)
- 5.4.6 Risk based access control
- 5.4.7 Access policy enforcement (e.g., policy decision point, policy enforcement point)
- 5.5 Manage identity and access provisioning lifecycle
- 5.5.1 Account access review
- 5.5.2 Provisioning and deprovisioning
- 5.5.3 Role definition and transition
- 5.5.4 Privilege escalation
- 5.5.5 Service accounts management
- 5.6 Implement authentication systems
- Biometric Authentication
- Chapter 6: Domain 6 - Security Assessment and Testing
- 6.1 Design and validate assessment, test, and audit strategies
- Assessment vs Audit: What’s the Difference?
- 6.1.1 Internal (e.g., within organization control)
- 6.1.2 External (e.g., outside organization control)
- 6.1.3 Third-party Audits (e.g., outside of enterprise control)
- 6.1.4 Location (e.g., on-premise, cloud, hybrid)
- Right-to-Audit in the Cloud
- 6.2 Conduct Security Controls Testing
- 6.2.1 Vulnerability assessment
- 6.2.2 Penetration testing (e.g., red, blue, and/or purple team exercises)
- 6.2.3 Log reviews
- 6.2.4 Synthetic transactions/benchmarks
- 6.2.5 Code review and testing
- 6.2.6 Misuse case testing
- 6.2.7 Coverage analysis
- 6.2.8 Interface testing (e.g., user interface, network interface, application programming interface (API))
- 6.2.9 Breach attack simulations
- 6.3 Collect security process data (e.g., technical, and administrative)
- 6.3.1 Account management
- 6.3.2 Management review and approval
- 6.3.3 Key performance and risk indicators
- 6.3.4 Backup verification data
- 6.3.5 Training and awareness
- 6.3.6 Disaster recovery (DR) and Business Continuity (BC)
- 6.4 Analyze test output and generate report
- 6.4.1 Remediation
- 6.4.2 Exception handling
- 6.4.3 Ethical disclosure
- 6.5 Conduct or facilitate security audits
- 6.5.1 Internal (e.g., within organization control)
- 6.5.2 External (e.g., outside organization control)
- 6.5.3 Third-party (e.g., outside of enterprise control)
- 6.5.4 Location (e.g., on-premise, cloud, hybrid)
- Chapter 7: Domain 7 - Security Operations
- 7.1 Understand and comply with investigations
- Six Categories of Computer Crime
- Electronic Discovery (eDiscovery)
- 7.1.1 Evidence collection and handling
- 7.1.2 Reporting and documentation
- 7.1.3 Investigative techniques
- 7.1.4 Digital forensics
- 7.1.5 Artifacts
- 7.2 Conduct logging and monitoring activities
- 7.2.1 Intrusion detection and prevention system (IDPS)
- 7.2.2 Security information and event management (SIEM)
- 7.2.3 Security orchestration, automation and response (SOAR)
- 7.2.4 Continuous monitoring and tuning
- 7.2.5 Egress monitoring
- 7.2.6 Log management
- 7.2.7 Threat intelligence (e.g., threat feeds, threat hunting)
- 7.2.8 User and Entity Behavior Analytics (UEBA)
- 7.3 Perform configuration management (e.g., provisioning, baselining, automation)
- 7.4 Apply foundational security operations concepts
- 7.4.1 Need-to-know/least privilege
- 7.4.2 Segregation of Duties (SoD) and responsibilities
- 7.4.3 Privileged account management
- 7.4.4 Job rotation
- 7.4.5 Service-level agreements (SLA)
- 7.5 Applying resource protection
- 7.5.1 Media management
- 7.5.2 Media protection techniques
- 7.5.3 Data at rest/data in transit
- Protecting Data at Rest
- Protecting Data in Transit
- Protecting Data in Use
- 7.6 Conduct incident management
- 7.6.1 Detection
- 7.6.2 Response
- 7.6.3 Mitigation
- 7.6.4 Reporting
- 7.6.5 Recovery
- 7.6.6 Remediation
- 7.6.7 Lessons learned
- 7.7 Operate and maintain detection and preventative measures
- 7.7.1 Firewalls (e.g., next generation, web application, network)
- 7.7.2 Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
- 7.7.3 Whitelisting/blacklisting
- 7.7.4 Third-party security services
- 7.7.5 Sandboxing
- 7.7.6 Honeypots/honeynets
- 7.7.7 Anti-malware
- Malware Types and Propagation Techniques
- 7.7.8 Machine learning and AI tools
- 7.8 Implement and support patch and vulnerability management
- 7.9 Understand and participate in change management processes
- 7.10 Implement recovery strategies
- 7.10.1 Backup storage strategies
- 7.10.2 Recovery site strategies
- 7.10.3 Multiple processing sites
- 7.10.4 System resilience, high availability, QoS, fault tolerance
- 7.11 Implement disaster recovery processes
- 7.11.1 Response
- 7.11.2 Personnel
- 7.11.3 Communications
- 7.11.4 Assessment
- 7.11.5 Restoration
- 7.11.6 Training and awareness
- 7.11.7 Lessons learned
- 7.12 Test disaster recovery plan (DRP)
- 7.12.1 Read-through/tabletop
- 7.12.2 Walkthrough
- 7.12.3 Simulation
- 7.12.4 Parallel
- 7.12.5 Full interruption
- 7.12.6 Communications
- 7.13 Participate in Business Continuity (BC) planning and exercises
- Phases of BCP
- 7.14 Implement and manage physical security
- 7.14.1 Perimeter Security Controls
- 7.14.2 Internal Security Controls
- 7.14 Addendum - Examples of Control Types
- 7.15 Addressing personnel safety and security concerns
- 7.15.1 Travel
- 7.15.2 Security Training and Awareness
- 7.15.3 Emergency Management
- 7.15.4 Duress
- Chapter 8: Domain 8 - Software Development Security
- 8.1 Understand and integrate security in the SDLC
- 8.1.1 Development methodologies
- 8.1.2 Maturity models
- 8.1.3 Operation and maintenance
- 8.1.4 Change management
- 8.1.5 Integrated Product Team
- 8.2 Identify and apply security controls in software ecosystems
- 8.2.1 Programming languages
- 8.2.2 Libraries
- 8.2.3 Tool sets
- 8.2.4 Integrated Development Environment (IDE)
- 8.2.5 Runtime
- 8.2.6 Continuous Integration/Continuous Delivery (CI/CD)
- 8.2.7 Software Configuration Management (SCM)
- 8.2.8 Code repositories
- 8.2.9 Application security testing
- 8.3 Assess effectiveness of software security
- 8.3.1 Auditing and logging
- 8.3.2 Risk analysis and mitigation
- 8.4 Assess security impact of acquired software
- 8.4.1 Commercial off-the-shelf (COTS)
- 8.4.2 Open source
- 8.4.3 Third-party
- 8.4.4 Managed services
- 8.4.5 Cloud services
- 8.5 Define and apply secure coding guidelines/standards
- 8.5.1 Security weaknesses at source level
- Application Attacks
- 8.5.2 API security
- 8.5.3 Secure coding practices
- Secure Coding Practices by Language
- 8.5.4 Software-defined security
- What’s Next?