How To Think Like A Manager For The CISSP Exam
"How do you think like a manager?" It is one of the most common questions
asked when preparing for the CISSP exam. Using 25 CISSP practice questions
with detailed explanations, this book will attempt to answer how to think like a
member of a senior management team who has the goal of balancing risk, cost,
and most of all, human life. The questions will take you through how to resist
thinking from a technical perspective to one that is more holistic of the entire
organization. Like all of Study Notes and Theory's CISSP practice questions,
these questions correlate multiple high-level security concepts and require
thinking like a manager. Extracting the most value comes from understanding
not only which choice is correct, but more importantly, why the other choices are
wrong.
The Study Notes and Theory platform is here to fine-tune and provide
clairvoyance into CISSP concepts from a different perspective than traditional
study material. Insight is provided into how to think like a manager, strategy and
mentality during the exam, core CISSP concepts, and some essential exam
knowledge. The idea is that sometimes a simple word, phrase, or statement by
someone else can change our own point of view. The unique thing about the
CISSP exam is that no number of books, bootcamps, practice question engines,
or anything else available are even close to the questions found on the real exam.
It is not about memorizing topics but understanding and being able to apply the
concepts. Years of direct security experience is the recommended best resource
for the CISSP exam. However, some experience can be supplemented by reading
multiple information security books, watching videos, and taking thousands of
practice questions.
Thank you for your time in reading this book and for your support of Study
Notes and Theory.
Thank you to the following for advancing and contributing their precious time
and effort to the Study Notes and Theory platform: Ahmed Khatib, Ahmed
Khan, Dawood Kevar, Wala Suliman, Fadi Sodah, Prashant Mohan, Mohamed
Atef, Prabh Nair, Thor Pedersen, and Zakaria Hadj.
The information contained in this book is for informational purposes only. This book is not meant to reflect
the real exam and there is no affiliation with the (ISC)2 . Any advice is based on my own experience. You
should always seek your own truth, because in the end it's going to be just you in that exam testing center.
This publication does not guarantee an exam pass, this can only be achieved through hard work and
dedication. The use of other CISSP recommended material must be used for success. The practice
questions, exam strategies, and explanations are of my own opinion. No part of this publication shall be
reproduced, transmitted, or sold in whole or in part in any form, without the prior written consent of the
author. All trademarks and registered trademarks appearing in this guide are the property of their respective
owners. Readers of this book are advised to perform their own due diligence of the material in this book and
should be independently verified by your own qualified professionals. By reading this guide, you agree it is
not responsible for the failure of your exam relating to any information presented in this guide.
A. Human error
B. Adherence to security policy
C. Confidentiality
D. Shredder calibration
Get your exam mentality in gear to face four choices that seemingly are correct,
but only one will be the ultimate high-level answer. Focus on the words “most
important reason”.
The new CISSP computer adaptive testing (CAT) style exam was implemented
on December 18, 2017 1 . Now you have a maximum of three hours to complete
the exam instead of the previous six hours. Whether you have just started
studying for the exam, or are a few days away from it, take your time with
practice questions. You will not be able to go back and review questions on the
real exam anymore.
With this and all other questions, argue with yourself over why choice A, B, C,
or D is the most important reason. Alternatively, you can also take this practice
question and look for the least important reason first. This technique increases
your chances of getting the question correct by eliminating a choice that may
seem less important than the others, while getting you closer to the most
important reason. If shredder calibration is less important than accounting for
human error, choice D can be eliminated.
At a high-level, the least important reason would have a lower impact on the
three core foundations of security: confidentiality, integrity or availability. The
most important reason would have a wider impact.
Think Like a Manager
A manager would go with the choice which, if not considered,
would have the most negative impact to not only the media
sanitization process, but also every other type of process.
Exam Essentials
Look for the choice that plays an all-encompassing and
authoritative role in all of the other remaining choices.
“Why does the CISSP exam want me to know the most important reason to
verify that there is no data leftover after sanitization?”
Study Notes and Theory's CISSP practice questions are complex for a reason: to
prepare you for the real exam. It works in your favor to really break down the
question and the given choices. It's important to get the question correct, but it's
more important to understand why the other choices are wrong. The real exam
does not care whether you can memorize encryption ciphers, OSI model protocol
numbers, or the steps of the software development life cycle. The exam tests
whether you can apply those concepts.
QUESTION 1 - EXPLANATION
A. Human error
Humans will always make mistakes. This is not the most important reason, but it
is one reason we should verify that data has been totally sanitized without a
shred of data remanence. Data custodians can make mistakes when sanitizing
data or any other process that requires human involvement. In addition to the
verification process post-sanitization, proper personnel training should be
conducted pre-sanitization to ensure adequate skill and competency 5 .
B. Adherence to security policy
Adhering to the security policy is the most important reason to verify the
sanitization process as it will answer the who, what, when, and why. B is the
only choice that ideally would include accounting for human error, upholding
confidentiality, and the maintenance of physical destruction devices in a policy
and any other supporting document such as a standard, baseline, or procedure.
D. Shredder calibration
A hard drive shredder does one thing: it shreds. It does not shred some or a
portion of the data, it shreds everything. There is less worry about the result of a
hard drive shredder containing data remanence than the other three choices. The
sanitization method of physical destruction provides visual and absolute
verification, there is nothing to check afterwards except pieces of metal. For
added security, material unrelated to the original data can be mixed in to add
another level of confusion in case of reconstruction efforts 10 . Choice D is the
least important reason to verify the sanitization process.
Understanding the definition of the word "primary" will provide the necessary
clairvoyance for choosing the correct answer to this and any other CISSP
practice question:
primary (adjective) 1
1. Of chief importance
2. Earlier in time or order
Policies or initiatives are not created for the sake of security, a primary business
justification always comes first. The correct choice will serve as the overall
reason for the new initiative, whereas the other choices can be ordered
chronologically to support the primary reason. Initiatives are created to
ultimately maintain the momentum and progress of the organization 2 .
A specific and important process is occurring at Rymar Tech that has many
revisions, methods, and steps outlined in CISSP study guides as well as NIST
documents. But in essence, it is the same general process. Looking at each line
of the question, the following words hint at the process: "prepare", "identify",
"likelihood", "impact", "report", "monitor", and "maintained".
Hint : This particular process can be adjusted to suit each organization, but the
primary concept is the same. What process is occurring in the question? Is it
(a)n:
Evaluation
Analysis
Assessment
Mitigation
Monitoring
Documenting
Exam Essentials
If you are still unsure of the answer, take this time to research each
choice individually. The habit of researching each choice goes a
long way in preparing for the real exam. It is like performing your
own due care and due diligence. Taking practice questions is due
care for the exam, and studying topics that still are unclear is performing due
diligence.
The word "baseline" identifies a purpose, not a primary reason. Risk assessments
can establish a baseline, perform an ongoing reassessment, or re-evaluate
controls as a response to new risks. Whether a baseline is established to define a
required level of security or an enhancement of the current one 3 , the correct
choice will remain the same.
QUESTION 2 - EXPLANATION
A. Providing risk oversight
Risk oversight is a proactive process that starts with the board of directors. The
board has the ultimate task of overseeing the risk management operations and
processes that will be managed by the senior executives 4 . The new initiative is
at the directive of Rymar Tech's management who are going to make risk-based
decisions from the results of a risk assessment. The board will hold management
accountable for a proper enterprise risk management system to determine the
organization's risk appetite.
C. Selecting controls
A baseline risk assessment identifies the controls currently in place. Changes to
an organization require another risk assessment, after which new controls will be
selected to either adjust the existing baseline controls or implement new ones.
This is not the correct answer because the primary initiative is to first have a
baseline risk assessment to account for existing controls, whereas the need for
selecting additional controls comes afterwards 8 .
What would be Gerard’s role after the policy has been issued?
A. Data User
B. Data Owner
C. Data Custodian
D. Data Processor
Out of the four choices, which are the terms you are most familiar with from
your CISSP study guides? More than likely, it is the terms “data owner” and
“data custodian”. Focus on these two terms and look back at Gerard and Troy’s
roles at DS Technology before they had to implement a data classification policy.
Does it make a difference that Gerard is classifying data while Troy is archiving
and backing up the data? Also note that "more funding" means the company is
doing well and their data is becoming more valuable. With value, comes the
need for data privacy and the roles that are responsible for its protection. Think
of which role has the ultimate responsibility of protecting privacy after the new
data classification policy.
Exam Essentials
Master the critical skill of eliminating two choices to increase your
chances of getting the question correct.
Answer the question in your mind first and then look to see if it matches any of
the given choices. It's tiring, but taking CISSP practice questions shouldn’t feel
like a chore that you just want to finish and move on. Treat each practice
question as if it is the real exam. Any sentence, phrase, term, or concept you do
not recognize, proceed to study and nail those unknowns until you are confident
in the subject matter. Take the time now to fully research and learn any
unfamiliar topics to be better prepared for the real exam later on; it's worth it.
Three out of the four choices are closely tied together whereas one is the outlier.
Which three terms are used internally to an organization and which leftover term
is commonly associated with an external entity? Also understand that a data
owner is not the same thing as data ownership 1 .
QUESTION 3 - EXPLANATION
A. Data User
A data user is just someone who uses the data within an organization for their job
function 2 . It takes the data owner, custodian, systems administrator, information
security officer, and senior management to make sure information for the data
user is 3 :
B. Data Owner
One of the primary responsibilities of the data owner is to classify a specific set
of data 4 . Classifying the data means to decide which information is or is not
valuable. Gerard was the first to “classify” the data when there was no formal
data classification policy at DS Technology. He is doing so using an informal
classification scheme of "important, useful, or negligible." When Gerard takes
on a more formal role as the data owner, he will use the more traditional
classification labels associated with organizations.
Assigning classifications and labels is the job of a data owner. The words
"organized" and "valued" hinted at the fact that a data owner is required.
Classification organizes data into different subsets that are dependent on their
value. The higher the value, the higher the classification. The words "available at
all times" hint at the primary responsibility of a data custodian: upholding
availability. This is done through marking, labeling, or backing up data.
A data owner organizes and assigns values to data, and a data custodian sets up
security controls to ensure data remains available to each business function. As
DS Technology grows into a bigger company, and given their current
responsibilities, Gerard would be the data owner and Troy would be the data
custodian. In exam language, the data owner is ultimately responsible for the
data and for classifying the data. While initially Troy volunteered to help Gerard,
the data owner also would assign the responsibilities of the data custodian. With
proper governance, Gerard would assign Troy to be a data custodian 6 .
C. Data Custodian
Troy is the data custodian because he initially helped to archive the data (think
availability and a proper archiving process). More importantly, he put the useful
data to an external server which provides a method to ensure there is no single
point of failure in case of a disaster - this upholds availability 7 . Troy deals with
maintaining the data for availability, and not classifying the data. Troy’s
responsibility is closest to the role of someone in security operations and furthest
away from senior management 8 .
D. Data Processor
In terms of the General Data Protection Regulation (GDPR), if a company
collects personal information, they are a data controller 9 . Think of a data
processor as a third-party legal entity or agency that handles the data given to
them by a data controller. These terms are synonymous with the topic of
personal data privacy within the GDPR. The GDPR states third-party data
processors must ensure the privacy of the data they are handling and implement
security controls such as encryption, tokenization or pseudonymization 10 . Both
Gerard and Troy work within DS Technology and are handling their own data,
nobody is processing it for them. Additionally, DS Technology is not handling
private user data, only data from space. Data processor is a term external to an
organization while the other choices are internal.
A. Vulnerability scanning
B. Penetration testing
C. Hacking
D. Ethical hacking
Choices A, B, and D sound similar, right? All three of these choices appear to be
something a security consultant would be hired to do for an organization. But
because they are three different choices, they must have properties that set them
apart.
For choice C, the security consultant does not seem like she is hacking the
organization, or is she? If the answer is choice C, is there anything in the context
of the question to make it sound like she has ulterior motives? Or could she just
be a victim of circumstance?
It seems like she is going through the steps of someone with the role of a
penetration tester or ethical hacker 1 :
These also seem like the systematic and chronological steps a security
professional or a hacker would take to compromise security controls. Yet, a
major task draws the line between a hacker and an ethical hacker.
Hint : Have the first and last steps of the penetration testing process been
followed by the consultant? Aside from finding and exploiting weaknesses, these
two steps serve to formally validate the overall process. Which choice would
provide a true test of a company's protection mechanisms?
B. Penetration testing
Penetration testing goes beyond a vulnerability scan. One of the key differences
between choice A and choice B is that vulnerabilities can actively be exploited in
a penetration test, whereas vulnerabilities are just meant to be discovered in a
vulnerability scan. Penetration testing takes a high degree of skill and can cause
real-world damage to real-world systems. Given this, they also are one of the
best ways to determine an organization's ability to react to real-world threats 4 .
Following are the general steps of a penetration test 5 :
Plan the process - Establish goals, scope, and rules. Make sure to first get
management approval in writing.
Gather target intelligence - Identify IP addresses, port numbers, network
drives, host names, applications, or employee information.
Exploit vulnerabilities - Successful exploitation is the core of a penetration test.
Provide report - Documentation is maintained throughout all the previous steps.
A final report is then securely sent to stakeholders with accompanying mitigation
techniques.
The final report will serve to determine the ability for the organization to tolerate
real-world attacks, gauge the level of skill required, understand defensive
capabilities, and add any additional security controls that can be used to thwart
future attacks 6 . The security consultant followed the proper steps, except for the
most important first step: obtaining written permission from the bank’s senior
management team to touch their systems.
C. Hacking
The correct answer is C, the security consultant was hacking the bank. If the
bank hired the security consultant to exploit their weaknesses, how come she
still is considered to be hacking? In order to “hack” an organization within legal
bounds, one must first get permission from senior management. In this case,
even though the security consultant was being proactive about her urgent job,
she did not wait for formal written permission from the senior management of
the bank who were on holiday.
D. Ethical hacking
The terms ethical hacking and penetration testing can be related, but are not
mutually exclusive. They are both an attempt to actively exploit the weaknesses
within an organization’s system 8 . Just because someone is an ethical hacker
doesn’t also mean they are a penetration tester, and vice versa. An ethical hacker
is one who understands the path a real hacker may take to attack a system, but
does not do so illegally or for personal gain - they follow a code.
QUESTION 5
You are presented with a pop-up screen after logging into a
Windows 10 operating system at your new job as a network
security engineer. It states the following:
A. Policy
B. Standard
C. Guideline
D. Procedure
Know the differences in the four documents as they lay the written
instructions for how the company operates. The documents go from
high-level administrative directives to low-level technical instructions. They
work together in a top-down style starting from policy, standard, baseline,
guideline, and procedure 3 .
Hint : One of the choices is a document that does not have to be followed, it is a
strongly advised suggestion.
QUESTION 5 - EXPLANATION
A. Policy
Policies are high-level documents written by senior management. They can
begin with a general announcement by the leadership of the organization on the
importance and commitment to security. A security policy does not go into
specifics by naming individuals or their specific roles, but more about their
responsibilities, why it's required, and what will happen if it is not followed 4 .
You will not see the steps to create a public/private key pair written in a policy.
Policies are the master security framework upon which standards, baselines,
procedures, and guidelines are based 5 . Policies are official, there is no choice
but to follow them. The other documents are to be crafted to only support and
follow the policy. There can be three types of policies: regulatory, advisory, or
informative 6 .
• Policy
  • Example : Information traveling over Rymar Tech's computer network should
    be available to support business functions.
• Standard
  • Example : Firewalls must be clustered with high-availability capabilities
    in an active/standby pair.
• Procedure
  • Example :
    1. Open PuTTY sessions to both firewalls
    2. Configure VRRP on primary firewall
    3. Configure VRRP on secondary firewall
    4. Set priority on primary firewall to 100
    5. Set priority on secondary firewall to 90
    6. Save configuration on primary
    7. Save configuration on secondary
    8. Log out of PuTTY sessions to both firewalls
• Guideline
  • Example : If failover does not occur, manually increase priority on
    the secondary firewall to initiate a failover.
• Baseline
  • Example : Firewalls should be hardened per NIST 800-41 7
    specifics before being put into production.
B. Standard
Standards produce a uniform and efficiently managed enterprise that benefits
from better consistency, integration, and a higher quality of data and systems
management 8 . In other words, it is easier for a company to maintain users who
are all on the same operating system (Windows) instead of having a
heterogeneous environment (Linux, macOS, Ubuntu). It saves time and money, and
it is logistically easier to apply updates, buy software, or plan for end-of-life
devices.
C. Guideline
The definition of guidelines is easy to remember because it’s the only statement
that is recommended 9 - guidelines are not enforced. Consider guidelines as a
helpful suggestion. You can either follow guidelines or not, but remember they
are based on some of the best practices and methods in the security industry.
D. Procedure
Procedures contrast with other high-level documents by providing specific and
detailed step-by-step instructions 10 to accomplish a task, such as setting up a
public/private key pair using PuTTYgen. Procedures are enforced and must be
followed. Procedures are repeatable, detailed, and created for all users, not just
for IT security.
Which of the following should take place first with the third-party
company?
Choice A
Compliance and privacy probably are the most important as they deal with
abiding by the law of the land. The second canon of the (ISC)2 Code of Ethics
states, "Act honorably, honestly, justly, responsibly, and legally" 1 . A security
professional must act legally and within the bounds of the land upon which they
are rendering services. The law always will supersede any of an organization's
internal policies. These two terms also are important because violations of
compliance and privacy can result in a monetary fine.
Hint : If security considerations are not made at the beginning of a venture, those
risks can remain throughout the span of the project.
Choice B
The Capability Maturity Model Integration (CMMI) provides a framework for
vendors to continuously increase the maturity of their software development
methods, procedures, processes, and overall principles. It is not enough to want
to have better security, but to know how to plan for it 3 . An organization that
tries to be better than it was the day before is one that takes their security
development seriously. But should the verification of a CMMI take place first?
Choice C
There is an urgency for the startup company to find a vendor who can quickly
start to meet customer deadlines. Choice C is exactly what the startup is looking
for a software vendor to do for them. But is this consideration the first thing that
should take place? In terms of the exam and information security in general,
should this chronologically occur before any of the other choices? Should the
startup be talking business before doing their due diligence?
Choice D
Understanding the risks before going into any venture is a prime example of a
company performing proper due diligence. It is especially important when it
comes to third-party organizations who are outside the bounds of your own
organization’s policies and best practices. A business exposes themselves to
financial, reputational, operational, legal, and regulatory risk when engaging
with a third party 4 . Would this be a good reason for a risk assessment first?
QUESTION 6 - EXPLANATION
A. Confirm compliance, privacy policy, governance, and SDLC
It’s a must to confirm third-party vendor frameworks for compliance, privacy
guidelines, governance structure, and their software development life cycle. It is
the confirmation of these factors that enables a customer to verify whether the
company they are doing business with is reputable with a strong security
foundation. It also can expose whether the vendor shows a professional front-end
to customers, but in reality, has chaotic and unmanaged backend business
structures without a proper maturity level 5 .
A. Clark-Wilson (CW)
B. Bell-LaPadula (BLP)
C. Brewer and Nash (B&N)
D. Biba
The security professional and future CISSP should have a deep understanding of
how these models are engineered. If you did not know the term "security model",
then the choices have shown you. Sometimes an exam not only tests us, but also
teaches us a great deal. Perhaps you studied all the choices but did not know they
were referred to as security models. Or maybe you studied BLP and Biba but just
couldn't fully understand CW and B&N. At their core, these models teach two
basic fundamentals of security enforcement: prevent data disclosure
(confidentiality) 1 , deny unauthorized subjects from changing objects, keep the
accuracy of data, and maintain the consistency of the data on our computers with
that of our own reality (integrity) 2 .
Each of the security models holds their own special property: confidentiality,
integrity, separation of duties, or resolving conflict of interest 3 . What would be
the most important property for this financial acquisition? Do the security policy
requirements state it is important to make sure nobody sees the purchase price
and other financial numbers? Is it important to make sure financial statements on
a balance sheet are accurate? Is it important that both parties do not get too much
power in what duties they can perform? Would a conflict of interest totally cause
the acquisition to flop?
Whichever the case, please note whereas the core principles do not change,
security models are not rigid in their approach. Each can be adopted differently
depending on the company security policy.
Hint : Look at the words "alteration" and "directly modify". The security model
that provides a combination of both these terms will be the correct answer.
Is one choice clearly the incorrect answer? Do two choices work to uphold the
same principle, but only one goes further to enforce an additional principle? Can
you determine whether one of the choices could work in this type of financial
acquisition, but does not quite meet the interpretation of the security
requirements? You may never encounter these models in your career, or may be
using them without knowing it. Either way, understanding their primary purpose
will provide more insight into the security field in general and the exam. Which
choice would work the best to make sure financial numbers are kept consistent?
QUESTION 7 - EXPLANATION
A. Clark-Wilson
The Clark-Wilson model has some complex terminology, but it is a special
security model to understand. Following are the components:
When it comes to CW, think of the access triple. An authenticated subject (user)
can only access or change an important object (CDI) by going through a middle
interface (TP); this enforces separation of duties. An IVP then audits the work of
the TP and checks the consistency of the internal change on the CDI with what is
expected externally. Clark-Wilson works to uphold the three requirements for
integrity, which are integrity itself, access control, and auditing 5 .
This model should be used for the new system because the CFO (user) will
create and send (TP) financial statements (CDI) to different entities. The CEOs
(users) will then approve (TP) the documents (CDI). If there were documents
considered UDIs, the CEOs and CFO would be able to modify them directly
without going through a TP. Whether large-scale corporate acquisitions or a
simple billing invoice, inconsistent numbers will ruin the entire transaction.
B. Bell-LaPadula
This choice could have been eliminated right away as the Bell-LaPadula model
is only meant to uphold confidentiality. It is primarily used in military or
government sectors where maintaining a secret can be of national importance.
For BLP, preventing the disclosure of information is more important than the
alteration of it. Here is how it is done:
Simple Security Rule - A lower level subject cannot read confidential objects
from a higher level, they cannot read up.
Star Property Rule - A higher level subject cannot write to data at a lower level,
they cannot write down.
Strong Star Property - A subject can only read and write to data objects in their
own security level, not higher or lower 7 .
D. Biba
While the Biba model does address integrity, it does not practice separation of
duties. Even so, integrity is maintained for subject-to-object access with data
flowing directly between higher and lower integrity level subjects. Rymar Tech
could have used the Biba model, but the requirements were that nobody except a
middle interface was to conduct actions. Following are the Biba Model's
properties:
Star Integrity Axiom - Subjects cannot write data up to a higher level, they
cannot write up.
Simple Integrity Axiom - Subjects cannot read data from a lower level, they
cannot read down.
Invocation Property - Subjects cannot invoke the services of subjects or objects at a
higher integrity level. Think of it as a simple way to keep data clean 9 .
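The Bell-LaPadula rules, the Biba axioms, and the Clark-Wilson access triple from the Question 7 explanation, written out as executable access checks. This is an added example, not code from the book or from Study Notes and Theory; the level names, the users (CFO, CEO), the TP names and the financial statement are constructed for illustration, and CDI, UDI, TP and IVP are expanded here using the standard Clark-Wilson terms (constrained data item, unconstrained data item, transformation procedure, integrity verification procedure).

```python
"""Added example, not from the book: Bell-LaPadula, Biba and Clark-Wilson
rules as executable checks. Levels, users, TP names and data are constructed."""
from dataclasses import dataclass, field

# One ordered lattice serves as the confidentiality levels (Bell-LaPadula)
# and as the integrity levels (Biba). Labels are constructed.
LEVELS = {"low": 0, "medium": 1, "high": 2}


def blp_allows(subject_level, object_level, action):
    """Bell-LaPadula (confidentiality): read -> simple security rule (no read
    up); write -> star property (no write down)."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    raise ValueError(f"unknown action {action!r}")


def blp_strong_star_allows(subject_level, object_level, action):
    """Strong star property: read and write only at the subject's own level."""
    if action not in ("read", "write"):
        raise ValueError(f"unknown action {action!r}")
    return LEVELS[subject_level] == LEVELS[object_level]


def biba_allows(subject_level, object_level, action):
    """Biba (integrity): read -> simple integrity axiom (no read down);
    write -> star integrity axiom (no write up); invoke -> invocation
    property (no invoking anything at a higher integrity level)."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if action == "read":
        return s <= o
    if action in ("write", "invoke"):
        return s >= o
    raise ValueError(f"unknown action {action!r}")


@dataclass
class ClarkWilsonSystem:
    """A user reaches a constrained data item (CDI) only through a
    transformation procedure (TP) named in an access triple; an integrity
    verification procedure (IVP) audits the TP's result before it is
    committed. Unconstrained data items (UDIs) may be changed directly."""
    cdis: dict = field(default_factory=dict)   # name -> CDI (dict of fields)
    udis: dict = field(default_factory=dict)   # name -> free-form value
    tps: dict = field(default_factory=dict)    # tp name -> callable(cdi) -> cdi
    ivps: list = field(default_factory=list)   # callables(cdi) -> bool
    triples: set = field(default_factory=set)  # (user, tp name, cdi name)

    def modify_cdi_directly(self, user, cdi_name, value):
        # CDIs are never writable without a TP, whoever the user is.
        raise PermissionError(f"{user} may not modify CDI {cdi_name!r} directly")

    def modify_udi(self, user, udi_name, value):
        self.udis[udi_name] = value            # unconstrained: no mediation
        return value

    def run_tp(self, user, tp_name, cdi_name):
        if (user, tp_name, cdi_name) not in self.triples:
            raise PermissionError(f"no access triple for {(user, tp_name, cdi_name)}")
        candidate = self.tps[tp_name](dict(self.cdis[cdi_name]))  # work on a copy
        for ivp in self.ivps:
            if not ivp(candidate):
                raise ValueError(f"IVP rejected the result of {tp_name} on {cdi_name}")
        self.cdis[cdi_name] = candidate        # commit only after the IVP passes
        return candidate


# Constructed acquisition scenario: the CFO sends statements, CEOs approve.
def balance_sheet_consistent(stmt):
    """IVP: net must equal revenue minus expenses."""
    return stmt["net"] == stmt["revenue"] - stmt["expenses"]


def send_statement(stmt):
    stmt["status"] = "sent"
    return stmt


def approve_statement(stmt):
    stmt["status"] = "approved"
    return stmt


def bump_net(stmt):
    """A faulty TP that changes net without touching revenue or expenses."""
    stmt["net"] += 1
    return stmt


def build_acquisition_system():
    system = ClarkWilsonSystem()
    system.cdis["q1_statement"] = {"revenue": 1000, "expenses": 400,
                                   "net": 600, "status": "draft"}
    system.tps = {"send": send_statement, "approve": approve_statement,
                  "bump_net": bump_net}
    system.ivps = [balance_sheet_consistent]
    system.triples = {("cfo", "send", "q1_statement"),
                      ("ceo", "approve", "q1_statement"),
                      ("cfo", "bump_net", "q1_statement")}
    return system


def attempt(fn, *args):
    """Run fn and report (allowed, result or exception name)."""
    try:
        return True, fn(*args)
    except (PermissionError, ValueError) as exc:
        return False, type(exc).__name__
```

The point the explanation makes shows up in the last scenario: a CEO can approve the statement through the `approve` TP, but neither CEO nor CFO can write the CDI directly, and a TP that leaves the numbers inconsistent is rejected by the IVP before anything is committed, which is exactly the separation-of-duties-plus-auditing combination that Biba alone does not provide.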
QUESTION 8
A company has made significant configuration changes that would
protect them from most Open Systems Interconnection (OSI)
Layer 4 attacks. From which attacks are they still vulnerable?
I. SYN flood
II. Smurf Attack
III. Fraggle Attack
IV. Ping flood
A. III, IV
B. I, II
C. II, III
D. II, IV
This may seem like a short and simple question, but it tests your knowledge of
the OSI model. Not only do you have to know each layer and function, but also
at which OSI layer each type of attack would occur.
Exam Essentials
Each communication device, protocol, technology, or network can
be allocated in a layer of the OSI model.
It can be understood that knowing the OSI model builds a solid foundation to
understand all other networking topics in Domain 4. If you know how each
attack functions, then you know whether it uses ICMP, TCP, or UDP. This leads
to being able to focus on the attacks that are not associated with Layer 4. The
exam is not just about memorizing the definition of an attack, but understanding
the concept. Do yourself a favor and get to know the OSI Model.
"SYN" and "Ping" flood are the only choices that directly provide
some insight into which layer of the OSI model the attacks occur.
To figure that out, you’d have to know the protocols synonymous
with using a “SYN” and the protocol used for “Ping”. Knowing
this can help you confirm which of the choices can be eliminated
right away.
Hint : The question is looking for attacks that occur at OSI Layer 3. SYN floods
use TCP 1 , so now you know it operates at Layer 4. Knowing this eliminates
choice B. If you know a Ping flood uses ICMP, which is in Layer 3 2 , then you
know either choice A or D is correct. This process of elimination has now left
only two choices.
SYN, SYN-ACK, ACK are the three parts necessary to establish a full TCP
connection. One of the benefits of having a full TCP three-way handshake is that
it allows data packets to be retransmitted if lost during transmission 4 .
Because there isn't a confirmed connection between a client and server when
using UDP, data packets do not have an established path to be retransmitted.
SMTP, HTTPS, SSH, or FTP are protocols that must have a confirmed
connection between a client and server and will use TCP. DHCP, SIP, DNS or
TFTP are protocols that do not always require confirmation and use UDP 5 .
QUESTION 8 - EXPLANATION
A. III, IV
B. I, II
C. II, III
D. II, IV
Choice D is the correct answer. Because protections have been put in place for
"most" Layer 4 attacks, there is a higher risk of vulnerabilities for Layer 3
attacks. A SYN flood uses Transmission Control Protocol (TCP) and a Fraggle
attack uses User Datagram Protocol (UDP) 6 , both of which fall under OSI
Model Layer 4. A Smurf attack and a Ping flood are under Layer 3, as they both
utilize the Internet Control Message Protocol (ICMP) 7 .
When the victim server accumulates a large number of half-open connections
(SYN/ACKs it has sent that never receive the client's final ACK), memory and
CPU utilization climb toward exhaustion. At this point, legitimate connections
start to get dropped.
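The half-open connection build-up just described is something a defender can measure directly from the server's socket table. The Go program below is an added example (not from the book): it counts SYN-RECV entries per peer address in a constructed sample of `ss -tan` style output and flags any peer over an assumed threshold.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strings"
)

// sampleSocketTable is a constructed sample in the column layout printed by
// `ss -tan` (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port).
// It is not output captured from a real host.
const sampleSocketTable = `State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV  0      0      10.0.0.5:443        198.51.100.7:51234
SYN-RECV  0      0      10.0.0.5:443        198.51.100.7:51235
SYN-RECV  0      0      10.0.0.5:443        198.51.100.7:51236
SYN-RECV  0      0      10.0.0.5:443        198.51.100.7:51237
ESTAB     0      0      10.0.0.5:443        203.0.113.9:40001
SYN-RECV  0      0      10.0.0.5:443        203.0.113.9:40002
ESTAB     0      0      10.0.0.5:22         192.0.2.44:55100
SYN-RECV  0      0      10.0.0.5:443        198.51.100.7:51238
`

// HalfOpenCounts returns the number of half-open (SYN-RECV) connections per
// peer IP address. Each SYN-RECV entry is a SYN/ACK the server sent that has
// not yet received the client's final ACK.
func HalfOpenCounts(table string) map[string]int {
	counts := make(map[string]int)
	sc := bufio.NewScanner(strings.NewReader(table))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 5 || fields[0] != "SYN-RECV" {
			continue // header line, or a fully established connection
		}
		host, _, err := net.SplitHostPort(fields[4])
		if err != nil {
			continue
		}
		counts[host]++
	}
	return counts
}

// SuspectSources lists peers whose half-open count meets the threshold, sorted
// so the output is stable. The threshold is an assumed tuning value.
func SuspectSources(table string, threshold int) []string {
	var out []string
	for host, n := range HalfOpenCounts(table) {
		if n >= threshold {
			out = append(out, host)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	counts := HalfOpenCounts(sampleSocketTable)
	for _, src := range SuspectSources(sampleSocketTable, 3) {
		fmt.Printf("possible SYN flood source: %s (%d half-open connections)\n", src, counts[src])
	}
}
```

A per-source count is only a first-pass check: a real SYN flood usually spoofs its source addresses, so the total number of SYN-RECV entries (the sum of the map's values) matters as much as any single peer's share. The point the question makes still holds: this is a Layer 4 (TCP) condition, which is why a server hardened against it can remain exposed to ICMP-based Smurf and Ping floods at Layer 3.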
A. Implement tokenization
B. Request data encryption
C. Conduct a risk assessment
D. Data obfuscation
Let's just start by stating the correct answer is C. Sometimes it helps to glance at
the correct answer to a practice question before really thinking about it. It
provides a reverse perspective and method of reasoning. Here is the concept of
why choice C is correct:
Exam Essentials
Get to know these fairly new security terms: tokenization,
pseudonymization, and anonymization.
The SaaS cloud vendor can implement encryption for their supply chain (data in
motion) and for their data custodians (data at rest) to uphold confidentiality. Like
choices A and D, the request for encryption stems from an assessment to see
which cryptographic controls are lacking and which ones are already in
place.
Following are some questions Rymar Tech could ask their SaaS vendor to
address their privacy issues 10 :
D. Data obfuscation
Unlike encryption and tokenization, obfuscation is not as complex and merely
uses obscurity to mask the data 11 . Obfuscating data can be as simple as
rearranging the letters of a word or converting from ASCII to ANSI format.
Obfuscation may not always provide the guaranteed confidentiality of
encryption, nor does it use a token to represent the original data 12 . The vendor
could obfuscate Rymar Tech's data, but it would be less effective than encryption
or tokenization. Still, it would only be a request after a risk assessment.
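The contrast between the three techniques above is easier to see side by side. This Go program is an added example (not from the book or any vendor's product): tokenization keeps the real value in a vault and hands out a random surrogate, encryption (AES-256-GCM, an assumed choice) requires a key to reverse, and obfuscation (here a simple character reversal) requires no secret at all. The customer record value is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Vault maps surrogate tokens back to the original values. In a real
// deployment it lives in a separately secured store; here it is in memory.
type Vault struct {
	byToken map[string]string
}

func NewVault() *Vault { return &Vault{byToken: make(map[string]string)} }

// Tokenize replaces a value with a random surrogate that carries no
// information about the original. Only a party with vault access can recover it.
func (v *Vault) Tokenize(value string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(b)
	v.byToken[token] = value
	return token, nil
}

// Detokenize looks the token up; without the vault the token is useless.
func (v *Vault) Detokenize(token string) (string, error) {
	value, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return value, nil
}

// Encrypt seals the value with AES-GCM under key (16, 24 or 32 bytes). The
// nonce is prepended to the ciphertext; tampering is detected on Open.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and fails if the key is wrong or the data changed.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Obfuscate rearranges the characters (reversal). No secret is involved, so
// anyone who knows the transformation can undo it by calling it again.
func Obfuscate(value string) string {
	r := []rune(value)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

func main() {
	const customerRecord = "account-4111-0001" // constructed sample value
	vault := NewVault()
	token, _ := vault.Tokenize(customerRecord)
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, _ := Encrypt(key, []byte(customerRecord))
	fmt.Println("token:     ", token)
	fmt.Println("ciphertext:", hex.EncodeToString(sealed))
	fmt.Println("obfuscated:", Obfuscate(customerRecord))
	fmt.Println("undone:    ", Obfuscate(Obfuscate(customerRecord)))
}
```

Note what each one protects against: a stolen token reveals nothing unless the vault is also compromised, a stolen ciphertext reveals nothing unless the key is, but a stolen obfuscated record is recovered by anyone who guesses the transformation. That is why the text ranks obfuscation below the other two, and why all three are only requested after the risk assessment has shown which gap they close.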
QUESTION 10
What is the greatest advantage of an IaaS in a private cloud over a
public cloud?
A. System granularity
B. Dedicated resources
C. Cost-effective solution
D. Multi-tenant architecture
The cloud is the next frontier for the security professional. For the
CISSP exam and the real world, be prepared to know the following
cloud types: public, private, community, and hybrid. Also know the following
cloud services: Infrastructure as a Service (IaaS), Platform as a Service (PaaS),
and Software as a Service (SaaS). Most importantly, as entire businesses or some
of their processes start moving to the cloud, it is the CISSP's job to ensure the
security of their data is treated the same as it was within the organization.
Hint : The answer can be found even if you do not know anything about an IaaS.
All you have to know is the main difference between a private cloud and a public
cloud. Only one choice represents why an organization will specifically go for a
private cloud over a public, community, or hybrid cloud.
Knowing about cloud types and cloud service models allows you to ask the
following questions, which would help in eliminating some of the choices:
With knowledge of cloud computing terms, the question can then be reworded to
adjust for more clarity:
This may seem like a simple question, but in actuality requires basic knowledge
of the common cloud computing terms to answer correctly. It is advised to know
your cloud.
These security concerns are for when using the cloud in general, but strongly
suggested when using a public cloud because resources and data may flow
through shared systems.
QUESTION 10 - EXPLANATION
A. System granularity
B. Dedicated resources
C. Cost-effective solution
D. Multi-tenant architecture
The greatest advantage of a private cloud for any of its services, not just IaaS,
is dedicated resources for a single cloud tenant. A public cloud offers its
services to multiple tenants who share resources 3 .
Cloud Types 4
Public cloud
A public cloud deployment model has a multi-tenant
architecture , meaning it provides services to more than one
customer and can be used by the general public.
Example : AWS, Google Cloud, or Microsoft Azure.
Private cloud
A private cloud provides dedicated resources to a single
tenant. It can exist either on- or off-premise. Management of a
private cloud can fall on the customer or a third party.
Example : A government agency uses an on-premise private
cloud behind a firewall to safeguard their critical operations.
Community cloud
A community cloud is also a multi-tenant environment like a
public cloud, but does not function for everyone. It is for a
similar community of organizations.
Example : Financial organizations sharing a common cloud
accounts payable software. Data processing companies
accessing a community cloud for data parsing software.
Hybrid cloud
A hybrid cloud is a combination of public, private, and
community clouds with the workload traversing each cloud
type. Interoperability of a technology between multiple
infrastructures is a key attribute of hybrid clouds.
Example : Organizations with an on-site private cloud, off-site
public cloud, and an outsourced community cloud.
Core Concept
Just because something is cheaper does not automatically make it a
cost-effective solution. A risk analysis will determine if a control,
software, system, countermeasure, or vendor is too costly or within
budget for the organization.
QUESTION 11
The IT Department Head (DH) is looking into purchasing a
security control for a system that hosts processes owned by the
Sales program manager. The system is valued at $5,000,000. The
options for the cost of the control are either $2,000,000 from one
vendor or $4,000,000 from a different vendor. The IT department
initially chooses the $4,000,000 purchase option, but the head of
Sales interjects and requests an analysis comparing the two
different solutions. After some discussion, both departments decide
to go with the $2,000,000 solution.
A. Data owner
B. System owner
C. Business owner
D. Data processor
A lot of numbers are thrown around in this question. Does that mean you should
immediately start remembering the formulas for single loss expectancy (SLE) or
the annual loss expectancy (ALE)? Not always. Remember, the CISSP exam is
not a math test; it is a test of concepts and managerial thought process. However,
it's still important to know the formula for calculating both the SLE and ALE 1 :
We are given the asset value of $5,000,000, but not the exposure factor, so we will
not be able to determine the SLE. Because we cannot determine the SLE, we are
unable to determine the ARO. When values are missing, the correct choice will
be determined by knowing the concepts.
• A. Data owner
• Who is the data owner? Is anyone in the Sales or IT department a data
owner? If so, what “data” do they own?
• B. System owner
• What exactly is a system owner?
• What is the difference between a data and system owner? Or are they the
same entity?
• C. Business owner
• How does the role of business owner differ from a data or system owner?
• D. Data processor
• How come choices A, B, and C end in “owner” and choice D ends in
“processor”?
Even without being given the details of the "discussion", which entity would
have the ultimate decision about spending money?
Hint : Out of the four choices, the role with "owner" at the end of it is the correct
answer. When it comes to financial decisions, the buck stops with someone who
has final ownership.
IT wanted to go with the most expensive control, but the head of Sales had a
problem with that decision. What could have been the intention to request an
analysis of the two prices in order to use the cheaper option? Whatever the
reason, think about whether the request of a system owner would supersede a
business owner. Does a data owner have any say on purchasing new systems?
Data must align with the mission and business of the organization
Set a proper policy for the security, control, and sharing of data
Determine if the data is exclusive or if it can be replaced
Verify accuracy of the data as well as the retention period
Confirm if the data can be shared or if it will remain internal
Data is compliant and has proper intellectual and copyrights
Conditions surrounding the use of the data are set with all parties
B. System owner
Let’s say a network security engineer manages the firewall for Rymar Tech, a
company in the middle of a huge project to migrate their database and file
servers to a new location. Under the direction of the IT DH, multiple change
requests are being issued for both the servers and the firewalls protecting those
servers. A security engineer will configure ACLs, VPNs, and NAT among other
necessary changes on the firewall. Then a server administrator will make
changes on each server such as creating new passwords, updating the operating
system, setting RDP access levels, disabling NetBIOS over TCP/IP, or
configuring allowable Kerberos encryption types. The changes to the firewall
and servers will support the business processes. In this case, the IT DH is the
system owner 4 . This person knows how the system works, supports making
required security changes on the system, and understands the value the system
will provide to support the business.
Exam Essentials
Different books and study guides, as well as NIST 800-18 5 , have various
definitions of system owners. As with everything CISSP, knowing the exact
definition is not necessary; know the general concept.
C. Business owner
Ideally, there should be a compromise between security and cost. IT chose a
control that did not cost more than the system itself, but it still was the more
expensive control. Perhaps IT saw new and advanced technologies that would
better protect their systems. But the business owner may have thought the
control picked by IT went overboard or maybe the $4,000,000 control provided
more security than necessary. After further analysis, the cheaper option was
chosen. Either way, IT still has a control that provides adequate security, and the
business owner just saved the company $2,000,000. Bottom line: the role of the
business owner grants them the authority to put cost over security if necessary.
The business owner cares about maximizing value and profit 6 . IT does not
generate profit for the company; information technology actually is an
expenditure. The Sales team makes money. Human life is always the #1 priority
in an organization, but making money is a close second. Security professionals
want the very best technology when protecting business processes. This does not
always align with the mindset of a business owner, or the CISSP exam. The best
is not always the most cost-effective. The cheaper option was chosen to control
cost.
D. Data processor
The data processor is a system, agency, or entity that handles the processing of
personal data 8 . If the company you work for outsources their payroll service to a
third-party, then that third-party is now the data processor. There was no
indication of a data processor in this question and this choice could have been
immediately eliminated. For the exam, equate the term "data processor" with the
GDPR.
QUESTION 12
The CISO of a global bank is traveling to a country where the
Internet is monitored. She needs to send a secret message to the
bank's CEO, but her remote VPN client is being blocked by the
host nation's Internet service provider. She calls her bank's security
officer who suggests to first write up her secret message, hash it
with SHA256, encrypt the hash digest with her private key, then
email the encrypted hash along with the secret message to the
CEO. The CEO will hash the message, decrypt the encrypted hash
with the CISO’s public key, and compare it to the appended
message.
A. Nonrepudiation
B. Confidentiality
C. Integrity
D. Authentication
Cryptography provides a high degree of trust that the data we are storing and
sending back and forth retains its confidentiality, privacy and integrity.
If you have no idea how to even begin answering the question, then
try to eliminate which basic cryptographic service has been
provided. For example, we know the secret message will be hashed with the
SHA256 algorithm. This means at some point the service of integrity has been
provided 2 , eliminating choice C as the correct answer. Cryptography also
provides confidentiality, authentication, and nonrepudiation 3 , so what still has
not been achieved by the CISO? To fully understand the choices, start by
learning about asymmetric encryption, public key infrastructure (PKI), hashing
algorithms, and how a VPN works.
The CISO's objective is to get a secret message to her CEO. If it were not
blocked, a remote VPN would have provided confidentiality, integrity, and
authentication 4 . Does that make nonrepudiation the correct answer? No, because
nonrepudiation was achieved when the CISO signed the hash with her private
key. Digitally signing a message means a sender can never deny sending the
message (assuming the sender is always in possession of their private key). This
leaves us with either choice B or D. How has confidentiality or authentication
not been achieved by the CISO's actions? The security officer's suggestion is not
wrong; however, it doesn't go far enough to achieve the full measure of the
security considerations that should be taken by the CISO.
Hint : A sender signing a message with their private key provides a different
cryptographic service than encrypting the message with a receiver's public key.
QUESTION 12 - EXPLANATION
A. Nonrepudiation
B. Confidentiality
C. Integrity
D. Authentication
Through the procedures provided by the security officer, the CISO is creating a
digital signature. Digital signatures do not provide confidentiality. They provide
nonrepudiation, integrity, and authentication 5 . This question tests whether you
knew that choices A and D are provided when a message is signed with a private
key, and choice B is provided when a message is encrypted with the recipient's
public key. Both operations (signing and encrypting) use asymmetric
cryptography. Choice C is achieved through hashing.
Asymmetric encryption involves a private and public key 6 . The public key can
be shared with anyone, but the private key must never be shared and must be kept
secret at all costs. For asymmetric encryption or PKI to work, both the sender and
recipient of a message must have 100% confidence that each one has properly
secured and has complete ownership over their private key. Since only the sender
signs the hash with their private key in a digital signature, it shows the
recipient that the hash digest can only have come from the sender, and the sender
cannot deny sending it (as they should be the only one holding their private key).
The inability to deny sending a message is known as nonrepudiation 7 . Additionally,
signing a message with a private key also shows possession of the private key,
proving authentication . Hashing the plaintext message with SHA256 will
confirm to the recipient that the message did not change in transit, upholding
integrity 8 .
SENDER'S RESPONSIBILITY 9
• Step 1 - Create plaintext message
• No cryptographic service
• Step 2 - Hash plaintext message with SHA256
• The resulting hash digest provides maintenance of integrity
• Step 3 - Sign the resulting hash with private key
• This provides nonrepudiation and authentication
• Step 4 - Send plaintext message and digitally signed hash
• Appending the plaintext to the signed hash lets the receiver, or anyone
else, read and confirm the message has not been changed in transit. There
is no confidentiality provided
RECEIVER'S RESPONSIBILITY 11
• Step 1 - Receive digital signature and plaintext message
• Receives signed hash and plaintext message
• Step 2 - Decrypt the signed hash with sender public key
• Decryption with public key reveals original SHA256 hash
• Step 3 - Hash plaintext message with SHA256
• Hash plaintext to compare to the decrypted SHA256 hash
• Step 4 - Compare decrypted hash with computed hash
• Message integrity is intact if both hash digests match
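The sender and receiver steps above, carried out end to end in Go with the standard library. This is an added example, not code from the book; it assumes RSA with PKCS#1 v1.5 padding as the signature scheme (the book names only SHA256 and "private key"), and the message text is constructed. The Tamper helper stands in for anyone on the monitored network altering the plaintext in transit.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what the sender transmits: the readable plaintext plus the
// signature over its SHA256 digest. Nothing in it is encrypted.
type SignedMessage struct {
	Plaintext []byte
	Signature []byte
}

// Sign performs sender steps 2 and 3: hash the plaintext with SHA256, then
// sign the digest with the sender's private key.
func Sign(priv *rsa.PrivateKey, plaintext []byte) (SignedMessage, error) {
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Plaintext: plaintext, Signature: sig}, nil
}

// Verify performs receiver steps 2 to 4: recompute the SHA256 digest of the
// received plaintext and check it against the signature with the sender's
// public key. A nil error means the message is unchanged (integrity) and was
// signed by the holder of the matching private key (authentication and
// nonrepudiation).
func Verify(pub *rsa.PublicKey, m SignedMessage) error {
	digest := sha256.Sum256(m.Plaintext)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Signature)
}

// Tamper flips one bit of the plaintext in transit and keeps the original
// signature, modelling an in-path modification.
func Tamper(m SignedMessage) SignedMessage {
	altered := append([]byte(nil), m.Plaintext...)
	altered[0] ^= 0x01
	return SignedMessage{Plaintext: altered, Signature: m.Signature}
}

func main() {
	// The CISO's key pair; 2048 bits is a common minimum for RSA today.
	cisoKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample message.
	msg, err := Sign(cisoKey, []byte("Board meeting moved to Thursday"))
	if err != nil {
		panic(err)
	}
	// The plaintext travels in the clear: the ISP can read it (no confidentiality).
	fmt.Printf("on the wire: %q\n", msg.Plaintext)
	fmt.Println("verify original:", Verify(&cisoKey.PublicKey, msg))           // <nil>
	fmt.Println("verify tampered:", Verify(&cisoKey.PublicKey, Tamper(msg)))   // verification error
}
```

The `on the wire` line is the whole point of the question: everything the security officer suggested is visible to the monitoring ISP, because signing does not hide the message. Achieving confidentiality would require a separate encryption step under the CEO's public key (or a shared symmetric key), which the suggested procedure never performs.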
Exam Essentials
The word “least” means that all the choices are close to being
correct, but one choice did not play as important of a role as the
other choices. It takes a complete analysis of the question context
and the choices to figure out which one is the “least” important.
Hint : The primary site was unavailable but then rapidly made available by a hot
site. Which of the choices is most likely not required for this type of site? Did all
the choices contribute equally to the BCP/DRP?
Recovery means to restore critical business functions at the hot site and
restoration means to build and repair the damage caused by the earthquake at the
primary site 1 .
Cold Site 2
A cold site does not contain any of the infrastructure, systems, or
software required to bring up the organization right after a disaster. At the least,
it will contain the HVAC, plumbing, electrical wiring, and some furniture.
Everything else required to bring up the site will have to be delivered at the time
of the disaster. Cold sites provide a low-cost solution with the longest recovery
time.
Warm Site 3
Associate the word “partial” when thinking of a warm site;
everything is partially ready. Routers, switches, firewalls, or servers may be
ready, they just need to be physically connected. The initial network connectivity
may need to be set up. Server images, ISOs, or data may still need to be
delivered to the site. Warm sites provide a medium-cost solution with a
medium-length recovery time.
Hot Site 4
For a company that requires a fully operational site with critical
networking hardware, server software, and capacity considerations ready to go
immediately or within a few short hours, regardless of the cost, hot sites are the
solution. Depending on their BCP/DRP planning, data may already be at the hot
site via backups, remote journaling, or electronic vaulting. This type of
assurance comes with a heavy cost as hot sites are the most expensive solution
with the shortest recovery time.
A. Two-tier I
B. Two-tier II
C. Three-tier I
D. Three-tier II
This is a straight technical question. There is no high-level aspect to it; you
just have to know the technical aspects of firewall deployment architectures.
Let’s take a look at the requirements again to see if we can narrow the best
possible choice by process of elimination.
DMZ is Required
Since a DMZ is "required", it means at least three choices contain a DMZ
network. If all choices contain a DMZ, then it’s a matter of looking at which of
the other requirements are missing. DMZs are traditionally separated from the
internal network, so even a single firewall architecture will be able to have
multiple networks. Firewalls traditionally contain multiple interfaces for
segmenting multiple networks.
Exam Essentials
Different terminology exists for firewalls and networking. For the
exam, stick with the terms in the official guides.
With the pen and paper provided at the testing center, quickly sketch out what an
architecture with two firewalls protecting a DMZ and a private network would
look like. Chances are you will draw the one with the least administrative
overhead first.
While this architecture has a DMZ and is easier to manage than the other
choices, it consists of only one deployed firewall.
B. Two-tier II
Two-tier II deployments practice defense-in-depth, as they require two firewalls
to inspect traffic inbound to the private network 4 . A DMZ exists inline and is
protected by the first firewall. This deployment requires increased routing and
access-control rules.
Choice B meets the requirements of at least two firewalls, a DMZ, and of all the
other choices, has the least administrative complexity.
C. Three-tier I
Three-tier systems can be the most secure as traffic is filtered from
subnet-to-subnet until reaching the private network. Three-tier I deployments
consist of three firewalls 5 . A single routing change on the network may require
updated routes and ACLs on all three firewalls, making them the most complex
architecture to manage.
D. Three-tier II
This matches the two-tier II deployment in terms of the DMZ and number of
firewalls used, but this design also creates a transaction subnet between the two
firewalls that must be managed 6 .
The transaction subnet creates an added layer of administrative complexity just
like with three-tier I deployments.
Which of the following is the best reason the fine was reduced?
A. Compliance
B. Due diligence
C. Due care
D. Risk assessments
If not, what would lessen the risk of this type of incident from happening again?
Would any other types of laws have been broken if Rymar Tech's security guards
tried to physically stop and search the employee?
Exam Essentials
The "best” choice requires applying deep-level CISSP concepts.
The answer cannot be looked up in a book.
Security breaches have become serious business as they can lead to fines, firings,
class-action lawsuits 2 , and business closures.
Hint : Here is the secret to getting this question correct: know the difference
between due care and due diligence. Think of which one will be scrutinized in an
investigation from a legal standpoint.
QUESTION 15 - EXPLANATION
A. Compliance
Privacy and the right to privacy have led to the creation of multiple laws and
regulations intended to better protect private information. The GDPR, PCI DSS,
and PIPEDA are forms of privacy protection laws aimed at making sure
organizations are exercising due care to keep user information safe 3 . Failure to
comply can result in legal action that could incur multiple fines and
penalties 4 . Understanding compliance requirements is part of the
due diligence process, while implementing the controls to uphold compliance
would be due care. Rymar Tech was not following any particular compliance
regime, and compliance by itself is not a reason to reduce fines.
B. Due diligence
Conducting due diligence is the responsibility of senior management. It is the
act of due diligence that results in the actions of due care; for without due
diligence there is no due care 5 . Disabling personal USB drives on corporate
computers (technical), conducting background checks (administrative), and
having security guards, CCTVs, and badge readers (physical) are examples of
due care security controls. These controls only exist as a result of policies
created by a wider risk-focused research program initiated by management.
The due diligence done before the breach is proactive, while due
diligence after the breach is reactive. Reactive due diligence is about
understanding the reason behind an incident, event, or breach and making sure
the steps to rectify the situation are done within measured risk parameters.
Whether it is mandated from within the company or under legal action, due
diligence has the primary responsibility of making sure the same incident does
not occur twice.
Core CISSP Concept
Due diligence and due care are simply ways to show that the
company cares about their risks. There is never a way to eliminate
all risk, which means there is always some level of risk. Due
diligence shows prudent executive leadership and due care shows
judicious security operations.
C. Due care
A lack of assigned due care controls by executives can lead to legal action 6 . For
Rymar Tech, the fines were reduced because they had in place adequate
technical, administrative, and physical due care security controls. Despite the
insider attack being able to circumvent the controls, the company was proactive
in their approach to risk management. It takes due diligence to make sure all
these due care measures are in place and continuously maintained. Essentially,
Rymar Tech did everything they could to mitigate their risk of a data breach, just
short of a full body search. They were not able to completely eliminate this risk.
Moving forward, a policy limiting employee privacy in the workplace could
provide a pathway to search personal employee property, including emptying out
pockets.
Due diligence is performed by senior management and comes before due care.
Diligence is about knowing and due care is about doing.
D. Risk assessments
Conducting proper risk assessments throughout the organization at least once a
year is a part of performing due diligence. The results of a risk assessment are
the formal way to determine due care controls.
Exam Essentials
Sometimes due care is an action that should most likely be taken,
and due diligence is an action that may not be necessary, but is best
for the long-term.
QUESTION 16
Rymar Tech is conducting a quantitative analysis of their financial
file server. The SLE for the server is $50,000. The organization
wants to account for the file server to fail once every two years.
Three different managers have provided their suggestions for the
necessary security controls required to protect the file server from
a potential breach, denial of service, or other types of compromise.
A. Manager 1
B. Manager 2
C. Manager 3
D. Manager 1 & 3
At its core, this question is the embodiment of thinking like a manager. Three
managers have provided three different suggestions and it is your job to take all
that you have learned in your CISSP journey and choose the “most effective”
choice. All of the choices may seem correct, but one choice does not have any
unnecessary controls that affect cost, security, or network design.
Hint : It is best to calculate the value of the asset first and then compare it to the
cost of the suggested controls.
Exam Essentials
Study the technical terms and concepts in order to understand the
question, not to answer it.
If the value of the file server is $50,000, and it fails once every two years, then
the annual loss will be $25,000.
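The formulas referenced in Question 11 are not reproduced on this page; the standard forms, with the Question 16 figures worked through them and the Question 11 gap shown, as an added derivation (AV and EF are the usual abbreviations for asset value and exposure factor, assumed here):

```latex
\text{SLE} = \text{AV} \times \text{EF}
\qquad\qquad
\text{ALE} = \text{SLE} \times \text{ARO}

\text{Question 16:}\quad
\text{SLE} = \$50{,}000,\qquad
\text{ARO} = \frac{1\ \text{failure}}{2\ \text{years}} = 0.5\ \text{per year}
\;\Rightarrow\;
\text{ALE} = \$50{,}000 \times 0.5 = \$25{,}000\ \text{per year}

\text{Question 11:}\quad
\text{AV} = \$5{,}000{,}000,\quad \text{EF unknown}
\;\Rightarrow\;
\text{SLE} = \$5{,}000{,}000 \times \text{EF} \text{ cannot be evaluated}
```

The $25,000 annual figure is the yardstick for the control suggestions in Question 16: a control whose annualized cost exceeds it costs more than the loss it prevents.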
B. Manager 2
When a badge and PIN are used for gaining access to an asset, two-factor
authentication is taking place 6 . By removing the use of a badge and a PIN,
Manager 2 has actually made access to the file server less secure, as two-factor
authentication is more secure than single-factor authentication any day of the
week. If a biometric system replaced both of these forms of authentication, it
would be using single-factor authentication. As technologically accurate as it
may be, a biometric system by itself is just proving something you are. Entering
biometric information coupled with something you have (badge) or something
you know (PIN) would work better to uphold confidentiality and integrity. From
a manager’s perspective, biometric devices are expensive. It costs money
not just to buy the system, but to hire the professionals who administer it,
enroll users, generate templates, balance the crossover error rate, and
provide continuous administrative support 7 . Ultimately, Manager 2’s suggestion
is not the most effective choice because it increases cost and lessens the security
posture of the organization.
C. Manager 3
Manager 3’s suggestion is not correct due to the addition of a load balancer. A
load balancer is meant to mathematically distribute network traffic
proportionally across multiple servers or network devices 8 . The question
focuses only on one financial file server. There is not another server to distribute
the traffic load coming into the network; a load balancer is not necessary. The
cost of an additional IPS, IDS, load balancer, and hot site were not mentioned
and they all combined could have been more or less than the cost of the file
server itself, but that was not the determining factor. However, all the additional
devices sans the load balancer could provide adequate security for the file server
depending on cost.
D. Manager 1 & 3
Only Manager 1’s suggestion is correct.
QUESTION 17
A security operations center (SOC) has lost three firewall
engineers and does not have the budget to hire replacements.
Management has given Casey, the service desk technician, the
additional responsibility of only viewing firewall configurations
for customer tickets. She is to make sure the right firewall policies,
VPN usernames, and network address translation rules exist on the
firewall, as well as verifying if site-to-site IPSec tunnels are active.
The security administrator has created an account for Casey that
enables her to view the firewall configuration and deploy any
necessary changes as long as it is approved by a senior engineer.
A. Need to know
B. Least privilege
C. Job rotation
D. Separation of duties
In addition to service desk tasks, Casey is now being asked to take on more
technical responsibilities. When this happens in a company, it is up to the
security professional to make sure access is properly provisioned. While Casey
may currently be in a role that limits her network device access, the addition of
her new firewall responsibilities now increases those rights and privileges. This
in turn can be a direct correlation to the SOC's overall risk exposure 1 . If Casey
was leaving her old role for a new one, it would be best practice to remove her
previous access.
Authorization creep will occur if a worker's rights and permissions have not been
removed when rotating to new job positions 2 . In the question though, she is
receiving more rights in addition to her existing ones.
Casey's current role deals with service desk tasks and not firewall issues. She
would not have as much experience in her new technical role as the previous
SOC engineers. This can lead to mistakes and has to be accounted for when
considering what level of access to provide Casey. In this regard, the systems
administrator has given her read access as well as write access, but only with
prior approval. This follows a proper change management process in security
operations.
Casey's new role will require an additional level of need to know access. Least
privilege will then further restrict that access to just the tasks related to her job.
Presently, Casey has not only need to know access to perform her job as a
service desk technician, but will also require read-only access to the firewalls.
In due time, when more engineers have been hired, Casey's firewall rights and
privileges will have to be revoked. The glaring security flaw that has not been
followed will stand out to two types of people: security professionals with years
of experience and those who have thoroughly understood their CISSP concepts.
There is no experience requirement to take the CISSP exam, but it is highly
recommended. Spending time understanding concepts, whether at work or at
home, is the only way to gain security knowledge and to accumulate the wisdom
to fix broken processes.
QUESTION 17 - EXPLANATION
A. Need to know
Giving only the access required to do the job is practicing proper need to know 4 .
The goal of implementing need to know is to prevent unapproved access. This
was followed when management gave Casey need to know access to customer
firewalls in order to accommodate her new job role. However, she is supposed to
be only "viewing" and "verifying" the configurations, as management did not
state she is to make any kind of changes to the firewall. The security
administrator fulfilled Casey's need to know by creating a firewall account to
view the configuration, but violated the directive by also allowing Casey to
deploy changes. This is not the correct choice because Casey was given need to
know access to the firewall, but her least privilege was not restricted to just read
operations.
B. Least privilege
By allowing Casey to have write access to the firewall as well as read-only
access, the security administrator failed to follow the principle of least privilege.
Least privilege will fine-tune a subject's access to an object by assigning just the
very minimum rights and permissions to it 5 . Casey required need to know
access to the firewall with management's permission to read configurations only,
not the additional privilege to make actual changes.
D. Separation of duties
Separation of duties prevents a single person from performing a high-impact task
8 . A single firewall engineer who can request, design, and implement changes to
a firewall by themselves and without permission, has a significant degree of
power. They can collude with outside entities to give them unfettered access to
the protected network behind the firewall, or the firewall itself. Even if a security
professional remains virtuous, a compromise of their own account would lead to
the attacker now having the same access. Even though it was a mistake for the
security administrator to give Casey write access to the firewall, separation of
duties still was followed as all changes had to be first approved by a senior
engineer.
Exam Essentials
Need to know, least privilege, and separation of duties are
preventative controls 9 . Job rotation is a detective control 10 (meant
to uncover, not prevent). All four choices fall under administrative controls.
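An entitlement review that checks Casey's actual grants against the three principles above (need to know, least privilege, and the revocation the text says must eventually happen), as an added example that is not part of the book. The role, object and permission names, the grant records and the expiry date are all constructed for illustration.

```python
"""Entitlement review for the Casey scenario: does each access grant match what the
account's job roles actually need (need to know), at the lowest level of access
(least privilege), and does stop-gap access carry an expiry so it gets revoked?

Added example, not from the book. Role, object and permission names, the sample
grants and the expiry date are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Authorized access per job role: need to know decides WHICH objects a role may
# touch, least privilege decides HOW MUCH access on each object.
ROLE_ENTITLEMENTS = {
    "service_desk": {"ticketing": {"read", "write"}},
    "soc_engineer": {"ticketing": {"read"}, "customer_firewall": {"read", "write"}},
    # Casey's stop-gap duty is only to view and verify configurations.
    "firewall_verifier": {"customer_firewall": {"read"}},
}
# Roles that exist only until the SOC is re-staffed; grants derived from them must expire.
TEMPORARY_ROLES = {"firewall_verifier"}


@dataclass(frozen=True)
class Grant:
    account: str
    obj: str
    permission: str
    expires: Optional[str] = None  # ISO date, or None for standing access


@dataclass(frozen=True)
class Finding:
    account: str
    obj: str
    permission: str
    issue: str


def authorized_access(roles):
    """Merge a set of roles into {object: (permissions, contributing roles)}."""
    merged = {}
    for role in roles:
        for obj, perms in ROLE_ENTITLEMENTS.get(role, {}).items():
            allowed, via = merged.setdefault(obj, (set(), set()))
            allowed.update(perms)
            via.add(role)
    return merged


def review_entitlements(assignments, grants):
    """Compare provisioned grants against role entitlements and return the findings."""
    findings = []
    for g in grants:
        allowed = authorized_access(assignments.get(g.account, set()))
        if g.obj not in allowed:
            findings.append(Finding(g.account, g.obj, g.permission,
                                    "need-to-know violation: no assigned role requires this object"))
            continue
        perms, via = allowed[g.obj]
        if g.permission not in perms:
            findings.append(Finding(g.account, g.obj, g.permission,
                                    "least-privilege violation: permission exceeds what the role needs"))
        if via <= TEMPORARY_ROLES and g.expires is None:
            findings.append(Finding(g.account, g.obj, g.permission,
                                    "temporary-access violation: no expiry, so it will never be revoked"))
    return findings


def minimum_grants(account, roles, expires_temporary="2024-12-31"):
    """Derive the least-privilege grant set for an account from its roles.
    Grants that exist only because of a temporary role get an expiry date
    (the date here is a constructed placeholder)."""
    grants = []
    for obj, (perms, via) in sorted(authorized_access(roles).items()):
        exp = expires_temporary if via <= TEMPORARY_ROLES else None
        for perm in sorted(perms):
            grants.append(Grant(account, obj, perm, exp))
    return grants


# Constructed sample: what the security administrator actually provisioned for Casey.
ASSIGNMENTS = {"casey": {"service_desk", "firewall_verifier"}}
PROVISIONED = [
    Grant("casey", "ticketing", "read"),
    Grant("casey", "ticketing", "write"),
    Grant("casey", "customer_firewall", "read"),   # needed, but never expires
    Grant("casey", "customer_firewall", "write"),  # more than "view and verify"
]

if __name__ == "__main__":
    for f in review_entitlements(ASSIGNMENTS, PROVISIONED):
        print(f"{f.account}: {f.permission} on {f.obj} -> {f.issue}")
    print("least-privilege set:", minimum_grants("casey", ASSIGNMENTS["casey"]))
```

Running the review against the provisioned grants flags the firewall write permission and the missing expiry; the set produced by minimum_grants passes the same review cleanly.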
QUESTION 18
Expenses, extra responsibilities, and reduced profits are a result of
what?
A. Security
B. Efficiency
C. Convenience
D. Operability
Only one of the choices will result in all three of the outcomes presented in this
question. Ideally, a business would like to attain all four of the choices:
maximum security, high efficiency, ultra-convenience, and smooth operability.
Each of the choices has its own strengths and weaknesses.
Security
Think of how security is perceived during our CISSP exam studies. Is security a
negative or positive addition to an organization? Does a business actively seek
out security? Does it look to security to lower expenses, reduce responsibilities,
or increase profits? Would security be an obstacle, necessity, or a cost which
contributes to or reduces these effects? Emotionally, think of how you and your
fellow security professionals feel about security as compared to your senior
management team.
Efficiency
High efficiency: that is a manager’s dream. Efficiency for a
business means to squeeze every bit of work out of daily tasks in order to further
focus on more complex problems. Developers want to focus on building new
software, not to keep patching and updating old software. Network engineers
want to fine-tune the organization’s bandwidth usage, not continuously
troubleshoot connectivity issues. By increasing efficiency, we also are increasing
the effectiveness of measured security controls. Would this result in any of the
outcomes in the question?
Convenience
Security professionals and business executives may not consider convenience to
be one of their top priorities, yet it absolutely must be. Not everyone in a
company may be highly technical or aware of security in their role, so some
require a modest level of convenience to perform their job. When employees can
perform their job, productivity goes up. We can say that convenience can
increase productivity, which will increase profits. As a CISSP, we must provide a
balance between security and user convenience. For example, two-factor
authentication is useless if a user does not know how to correctly use it.
Operability
Operability can be likened to reliability in that there is a high degree of
confidence that something will work from start to finish. A security professional
may practice a “security” mindset at their organization, but if that same security
professional were to go skydiving, they would want the parachute to have
greater operability instead of a high level of security. In an enterprise, operability
and security must be balanced to provide something that works as it is supposed
to and with the least amount of risk while doing so. When it comes down to it, is
operability expected to increase expenses or revenue for the company? Will it
add more work to maintain a certain level of operability? Will it cut into the
bottom line?
B. Efficiency
Peak efficiency and effectiveness of programs and systems occur if they are
operating as intended, have correctly implemented security controls, and are
meeting desired outcomes 3 . If an intrusion prevention system (IPS) is blocking
network traffic containing malicious signatures, it is operating as intended.
Security controls such as frequent IPS signature updates, restrictive access
control, and high-availability add to its desired effectiveness in reducing the total
amount of security incidents. Expenses are lowered, additional responsibilities
are not necessary, and profits are increased when a company does not have to
deal with frequent security events.
C. Convenience
Security is not here to be convenient, but security and convenience have to play
nice with each other. If users find memorizing long and complex passwords too
inconvenient, they will write them down on a piece of paper. To provide both
convenience and security, the security advisor can suggest using passphrases, as
they are easier to remember while satisfying password complexity requirements.
D. Operability
The CISSP is an exam for security professionals, but it also takes a business
executive's frame of mind to succeed. Both want a secure and operational
system, but given a choice, operability drives the business. At the same time,
operability needs the functions of security to prevent or lessen its own
downtime. Operability is not an added expense with extra responsibilities that
cuts into the profit margin; operability is mandatory. The result of operability is a
functioning business continuing to be fully engaged in cutting cost, reducing
overhead, and focusing on profits.
QUESTION 19
Fred has been contracted as a penetration tester. He will have
access to the internal lines of code and general design of an
application that needs to be tested. Fred always has had malicious
intent. Howard is testing the same software without any prior
knowledge. He will approach his duty as if thinking like a
malicious attacker. Howard is a security professional.
A. Fred
B. Howard
C. Robin
D. Gary
Think of which individual would cause the least damage to eliminate a choice
right away. Look for the type of testing that would be the most isolated away
from a production environment. Then look for which individual would have the
least motivation or tendency to cause intentional damage. This can be
determined by their skill level and knowledge of the weaknesses in the system.
Just because someone has been hired by a company does not always mean they
will be ethical during or after they have completed their assignment.
Hint: The context of the question gives insight into the background and the
extent of each individual's knowledge.
Factors such as scope, level of access, and total knowledge of the system
determine the type of testing required. One type of test does not work for every
company and it is advised to use multiple types to get a holistic view. Likewise,
not all systems are alike and each one requires a different testing tool.
To maximize the coverage of unseen areas of a system, use both automated and
manual testing tools 4 . Penetration testing is not only about attacking a target
system, but also a test of the company's own ability to respond and defend
against attack. Although damage can disrupt business operations, the
information gained from the incident can be more beneficial in the company's
long-term security 5 . An organization's security program can only evolve if it can
prevent the same incident from frequent occurrence.
QUESTION 19 - EXPLANATION
A. Fred
Fred is performing white box testing. This kind of test provides him detailed
information on the internal workings of software and the lines of code before
any kind of test is even conducted 6 . White box testing helps target a specific
area of software vulnerabilities for a more comprehensive result. The fact that
Fred knows all about the software before testing it provides him the knowledge
to perform penetration tests from multiple known vectors. In other words, Fred
does not have to do any kind of reconnaissance on the target to find
vulnerabilities. Out of all the types of testing, white box testing provides the
most cost-effective technique 7 ; however, someone having full knowledge before
conducting an external attack is not realistic of actual real-world threats. It takes
black box testing to understand all the possible and unseen ways an adversary
will try to compromise a system.
Fred can leverage his position as a contractor with authorized access to do the
most damage as an insider threat. He also could cause the most damage if he left
the company, as he would be taking the knowledge with him. Apart from just
damage, Fred could also steal, sabotage, or sell the information to a competitor.
C. Robin
Robin is performing gray box testing, which can be used to patch the spots
missed by both black and white box testing 13 . Gray box testing makes up for the
internal controls missed by black box testing and provides an added element of
realism missing in white box testing. Any damage caused by Robin is either
unintentional or done so in a controlled manner. As an ethical hacker, Robin has
already obtained management's acceptance to expect this kind of damage.
D. Gary
Gary would cause the least amount of damage because SQL injections
performed on his database will never leave the confines of his lab.
A. Initiation
B. Development/Acquisition
C. Implementation/Assessment
D. Operations and Maintenance
Security can be implemented during the initiation phase of the SDLC just by the
mention of its existence. While everyone else is talking about business
functionality and goals, the security professional has to carefully place emphasis
on the right type of security to uphold those same business objectives 1 . As
discussions about money and operability take the lead, someone has to interject
with addressing security. The security and business objective discussion can then
be further formalized into a baseline during the development or acquisition
phase 2 . Security is important in this phase as it is focused not only on the system
itself, but also the effect it will have on other systems once system integration
has been completed. This also is the time to look into supply chain risks if
acquiring a system instead of developing it 3 .
Once the system has been implemented into a production environment, more
security testing and assessments are required to complete the certification and
accreditation of the system 4 . Once fully operational, it is important to
maintain a rigid change management process 5 . This ensures that any system
changes will be reviewed before implementation as to avoid unforeseen security
implications.
Think about where planting the idea of security would have the
highest impact on the current and future value of the system. Is it
better to start security from the very beginning or is it unnecessary to use up
resources at this early phase when it could be focused on the product
functionality instead? Should security be implemented when the actual
development is occurring, when the actual architecture and coding is being done,
or should security start when the system is being implemented into a live
operational network? After all, if at this point the new system manages to
inadvertently stop other critical business functions, the whole project may have
to be scrapped anyway. The decision of when to initiate security will have a
cascading effect in all the other phases of the SDLC. The true measure of the
security considerations during the software development life cycle will be revealed
if the software ever falls under the publicly known Common Vulnerabilities and
Exposure (CVE) list 6 .
QUESTION 20 - EXPLANATION
A. Initiation
The first place to start security planning is the initial phase of the SDLC 7 . At a
high-level, this phase has the most management-facing exposure, thereby having
the most influence on their decisions. The initial phase includes assessing the
software's impact on the current business functions along with an ideal measure
of the recovery point and time objectives 8 . This phase enforces security beyond
just system information, but also the risks to private user data when at rest,
stored, or in use. This is the phase when an SDLC model is chosen for the
developers to follow. Software development models are not followed as
accurately as depicted in our CISSP study guides. It depends on the company
environment and whether they want to choose a standard model or one which is
security-centric 9 .
Exam Essentials
Besides the SDLC, the initiation phase of any other process should have security
from the beginning. These include BCP/DRP, PKI, IoT, mobile
security, chain of custody, or governance and compliance.
B. Development/Acquisition
Users and system experts work together in this stage to turn the initial
requirements into a maturely designed reality. If the project requirements have
changed, then security risks to the system should continue to be assessed looking
for unexpected weaknesses and threats. Security controls are to be selected and
documented as to where, when, and how they will be applied to the architectural
design of the system. It is at this point when security has formally been applied
to the system, that complete consideration has been given to how it affects other
business and IT interdependencies 12 . This is the very definition of implementing
security early, not waiting until completion, but during development. Software
and hardware acceptance testing should then be conducted to validate that the
new system matches both functional and security requirements. Complete
documentation should accompany all activities in this phase as well as all the
other phases.
C. Implementation/Assessment
Utmost care must be practiced once the delivery, installation, or deployment of
the new system is established in a critical production environment. The system
must undergo a complete certification process and the results sent to the system
owner, developer, and other stakeholders. Management will then provide
accreditation, marking the final risk decision on the new system as well as how it
interacts with other systems in operation 13 .
A. Data Classification
B. Access Control
C. Cryptography
D. Network Security
The protection controls surrounding information are reflective of its salience for
providing value. Not all information is the same; some requires more or less
security than others 1 . The importance of data can also change over time. Which
choice will be able to protect information given its current sensitivity, usage, and
criticality levels? Protecting information is not just about confidentiality; it also
means the data is unchanged and available throughout its life cycle all the way
until the disposal stage 2 . Which choice would have a plan to dispose of data
when it has reached its usefulness?
Choice A, data classification, could effectively adjust for all these types of
documents. The new propulsion system could give the company a competitive
edge; this kind of information must be kept confidential. Disclosure of pilot
health data may not damage the entire company, but still is something that
should be kept private. Information about profit forecasts or workforce totals is
not vital to the organization, but sensitive nonetheless.
Hint: The correct choice is part of an overall life cycle that includes an
acquisition, usage, archival, and disposal stage 3 .
Cryptographic controls could secure data at rest and in motion with a near-
absolute degree of confidentiality. Wouldn't crypto controls be the most effective
way to protect the documents from untrusted eyes? If so, how would we know
when and why to use which cryptographic cipher? What would determine
whether we use DES with Cipher Block Chaining mode or a stronger algorithm
such as AES256?
C. Cryptography (Domain 3)
A multitude of cryptographic controls exist from which to choose, each one with
its own price and complexity. Classification labels help to narrow down the
decision within budget and resources. For example, classifications help to decide
whether to use Perfect Forward Secrecy for an IPSec VPN tunnel, or use the
Diffie-Hellman key exchange in Phase 1. It provides the criticality level of data
at rest and in motion to determine whether the company should buy Trusted
Platform Modules or install software-based encryption.
Because the CISSP exam involves high-level subject matter, the concepts
learned in each domain can be applied to a wide span of heterogeneous
industries and environments for their information security management.
Concepts do not change; they are high-level principles and can address multiple
types of enterprise requirements. The context of the question does not matter,
only that subjects need access to objects with a few restrictions. It may take a
single or hybrid combination of controls for just the right type of access.
The humans would like the aliens to feel free to look around the information
system, which would serve as a gateway to learning about mankind's entire
existence. They want to be careful what they show because this kind of
knowledge will reveal human strengths and weaknesses. Decisions must be made,
such as whether it would be better to blatantly restrict and confine the aliens'
access like in a MAC system. If so, it may insult the aliens or show a lack of
trust. How about customizing access rights for each and every file in the
database like in DAC? It would certainly allow the beings to only view the files
chosen by the human data owners.
Would it help to use conditional attributes like in ABAC? And if using RBAC, it
would provide a centrally managed access model with a single set of rights and
permissions that can be applied to all those in the group of extraterrestrials.
Information has value. This value determines who can have access to it. Security
professionals are not here to help users get access to valuable information; they
are here to protect information from unauthorized access. Access control models
are most effective when built into the system so it serves as a technical
preventative control as part of a layered defense approach.
The most optimal access control model is one that does not expose any
information to extraneous entities 1 . The security professional must consider
capability, performance, cost, metrics, and the upkeep of an access model 2 .
Once implemented, it brings with it the complexities of any new system. The
impact of which can affect user productivity throughout the enterprise or be
isolated to a single operational function 3 . Use policies, models, and security
mechanisms when designing the access control system.
QUESTION 22 - EXPLANATION
A. Mandatory Access Control
The MAC model is all about keeping secrets, but the humans want to seem open
in showing their history without looking too secretive. MAC is the most
restrictive form of access control as it significantly scales down the amount of
choices a user has when accessing information on an operating system. A user
may even know there are many other objects in existence on the system, but they
do not have access to anything outside their boundaries. The MAC model is
commonly used in government or military environments where confidentiality is
of the highest regard. Mandatory access control is a nondiscretionary control as
it has a predetermined set of security labels that can only be accessed by those
who have the security clearance matching those labels 4 . The humans would not
use MAC at all because it is for highly secretive data, which is not the type of
information they are trying to present to the aliens in the first place.
A. Defense-in-depth
B. Crime Prevention Through Environmental Design (CPTED)
C. Natural Access Control
D. Target Hardening
Hint: Look for the answer that may seem like an assortment of separate
controls, but at a high-level are meant to all work in concert with each other.
Defense-in-depth aims to layer defensive controls one after another making it
progressively difficult for a variety of attack methods to reach the target 1 . It is
meant to deter social engineers from gaining physical access, prevent hackers
from making it past the firewall, and account for insider threats who are
attempting to access or destroy valued information. Does this sound like what
the corporation wants to do for the new data center hosting classified
information?
CPTED makes it difficult for an attacker to get away with their actions without
being seen by creating an area of high public visibility. Natural surveillance,
territorial reinforcement, designated spaces, and scheduled maintenance ensure
a place where people practice awareness to prevent crime and maintain security 2 .
Is this what the corporation is trying to do? Is CPTED an incomplete approach
for the facility?
Natural access control is meant to provide physical security without being too
obvious. It is meant to guide people on a general path toward a specific location
while discouraging any deviations. An IPS, firewall, encryption cipher, or
malware scanners do not achieve this. Fences and bollards could control natural
access 3 , but they do not protect the actual digital data located in a server, nor
can natural access prevent attacks from inside the building. Target hardening is
about denying access and not caring whether it is done politely or in a friendly
manner 4 . Does this sound like the only type of control being designed for the
data center?
In order to protect all human life, critical assets, and remain profitable, a
business has to look at itself from a holistic perspective, from a high-level
view. This means to have a strong physical perimeter (fences, biometrics, motion
detector, dogs), a network architecture based on a sound security foundation
(VPN, web application firewall, WPA2, fiber optics) and a strong set of controls
preventing direct access to the asset (access control, encryption, antivirus). The
idea being if one control fails to protect the asset, there are multiple other
controls that still need to be overcome by an attacker 6 .
Stair towers with clear glass walls in parking garages. Individuals may
be deterred from criminal acts in visible areas.
D. Target Hardening
Target hardening is another component of CPTED that involves the blatant use
of physical or manmade boundaries. It is not about making the data center look
friendly or welcoming, but a show of force to discourage any trespassers,
malicious or otherwise 12 . Although this is being practiced in the question, it still
is just a physical control. Choices C and D are components of choice B.
QUESTION 24
Without prior notification or coordination, Rymar Tech's network
engineers changed their firewall's public IP address over the
weekend and unexpectedly broke a VPN tunnel to an e-commerce
service provider. This meant customers could no longer conduct
online shopping purchases, process credit card payments, or access
their account. The business managers were made aware of the
situation after hearing it directly from escalated customer
complaints. They immediately instructed security operations to
restore all business processes even if it meant putting functionality
over security. Ignoring their directive, the system architects
worked with the network team to revert back to the old IP address
and restore full connectivity. Moving forward, what kind of
changes to the organization can you advise C-level executives to
better align IT security with business objectives?
Communication and procedures do not seem like they are in order at Rymar
Tech. Network engineers are doing rogue maintenance work, architects are not
listening to their bosses, and managers are making decisions that may impact
integrity, confidentiality, availability, or user privacy.
The correct choice will not only fix broken communication channels, but also
bring strategic and operational processes together. The solution will make sure
that if the exact same problem occurs again, it will be handled more cohesively.
Although it may take some time, money, and considerable initial effort, the
ultimate solution will actually create a more organized business that can handle
sudden changes with ease and a proper governance structure.
Hint: Which choice will be able to align, enable, enhance, and increase security
effectiveness?
All the choices seem like they would work to help align IT with the business. If
this is true, then the "best" answer is the one that will have the biggest and most
long-term positive impact. Which one will not be practiced in just a single silo,
but every part of the enterprise? Which choice would work to account for each
issue in the question?
It was recommended that for an immediate fix, it would be okay to bypass VPN
security, which could compromise confidentiality and integrity. It is important to
remember that the business comes first and whatever senior management says to
do has to be done; however, security architecture can allow business decision
makers to understand and make choices based on security concerns 3 . While
security operations resolved the issue, a security architecture would also avoid
situations where architects ignore executive instructions and put security over
functionality at their own discretion.
If one part of the company does not understand how another part works, it is a
risk. Suppose management wants to add an expedited shipping process for online
purchases, but may not fully understand that their operations department does
not have the resources to support such a service. Security architecture reduces
disconnect and works to lay out the capabilities and components of each layer of
the company beforehand along with the security objectives. When IT has to
perform changes or maintenance on their side, it should be in concert with
making sure it does not affect the security of other business processes. When the
business makes strategic decisions, it should attempt to align with operational
and security capability.
A. Change management
B. Regression testing
C. Threat modeling
D. Extreme Programming (XP)
It may first help to see which choice is about performing due care. Due care
means to direct prompt focus on the best thing to do for a certain situation at that
given moment. Which choice would have helped the most to perform just before
the new software was deployed? Which choice may have detected the reason
behind the server locking up?
Was it the absence of change management that failed the company's process?
Given the deployment and release schedule already in place, development
projects seem to have some measure of existing management and repeatable
control - similar to Level 2 of the Capability Maturity Model Integration 1 .
Remember that change management and regression testing occur after initial
software deployment, while threat modeling and XP occur beforehand.
Threat modeling can take two forms: one done during risk management and one
during software development. Both work to look for the number of probable
threats in correlation with existing vulnerabilities, instead of the ones which are
just possible 3 . Is this choice a due care measure and could it have detected the
software malfunction before it locked up the server?
Hint: Are the choices in chronological order? Does one choice come first then
the other when it comes to making a software change?
QUESTION 25 - EXPLANATION
A. Change management
More changes are occurring within the enterprise now than at any other time in
telecommunications 5 . Software updates, hotfixes, vulnerability patches,
upgrading old devices, failover testing, and firewall rules all require a change
management process. It is important to make sure rapid technology changes do
not wind up creating unexpected issues once implemented. There must be a
formal method to request, design, approve, test, deploy, rollback, and document
all changes. Integrity is the primary goal of change management and it is
achieved by having multiple eyes verifying that information remains consistent
before, during, and after a new change 6 . This is not the correct answer because
deploying compression software that is "pending approval" insinuates the
developers have an existing change management process in place already. There
is a software release schedule to be followed, minimizing ad hoc changes.
Change management is a form of due diligence as it is a long-term objective.
B. Regression testing
Regression testing is making sure new code does not alter software that is
already in place. Changes to software, however big or small, must be tested
before being put into a live enterprise. The idea is not only that regression tests
should be performed before making a change that may or may not affect a
system, but to just test the overall system once again since initial deployment 7 .
A single interactive acceptance test by humans may not always root out flaws
hidden deep within the lines of software code 8 . Think of regression testing as
not only to check the validation of new code, but also a way to make sure
previously corrected development issues are not recurring. This is the correct
choice because testing something before deploying it is just a prudent thing to
do, which is the definition of due care. For software engineers, regression testing
is to make sure the software update is working properly. For managers, it's a way
to prevent a disruption to the performance of the business, which could lead to
increased cost and lowered productivity. For security professionals, it is to make
sure a new change does not inadvertently open up new vulnerabilities or widen
existing ones.
The other two types of testing are unit and integration. In unit testing a single
part of the overall software is tested, while integration testing determines
whether all the parts are able to work together per the design. A combination of
both these tests will provide an optimal degree of confidence in the application's
ability to reduce risk 9 . Please note: software should never be tested in a
production environment.
C. Threat modeling
The importance of this model is to take into consideration the reasonable types
of insider or outsider threats to the application whether in a malicious capacity or
in the form of a mistake. Then proceed to map how these probable attacks can be
realized with the existing or new vulnerabilities in the software. Threat modeling
is a type of due diligence because of the amount of research put in beforehand
and is most effective during the design phase of software development 11 .
Regression testing is the more accurate answer.
D. Extreme Programming
There is a cute reason for the name of this programming model: it consists of an
extreme amount of teamwork. The engineers, senior developers, team leads,
managers, and the customers are considered equals in a bid to turn out software
as quickly as possible 12 . Part of the Agile methodology, XP brings people together
without overburdening its developers with a lot of processes to follow 13 . Unit
testing may be used in XP at a minimal level as only the minimal amount of code
will be used to pass the test. This process could have tested for server lock-ups
before deployment. XP provides software releases as fast as possible without a
set schedule, making this an incorrect choice. XP is also a software development
model that is not a form of due care.
WHY THE CISSP IS WORTH IT
If you want job security, the CISSP is worth it. If you want to spend more time with your family, the CISSP is worth it. If you lose your job and need to get another job fast before your mortgage is due, then the CISSP is worth it. If you are 100% qualified for a high-paying job, but one of the requirements is that you have a CISSP, you don't have to worry about a missed opportunity because you lacked a credential. If you want to be part of a global community of security professionals (okay, maybe you don't need the CISSP for that, but it helps!), the CISSP is worth it. There was so much I didn't know about security before studying for the CISSP. While studying I learned about polyinstantiation, referential integrity, known-plaintext attacks, procedures, policies, ISO 27001, bollards, and one-time pads. I learned the power of mathematics while studying Diffie-Hellman, the importance of encryption throughout history, the meaning of data remanence, and the different types of fires and how to best extinguish them. Studying for the CISSP, even if you don't pass, helps you correlate the many facets of security and how they all eventually relate to each other. If you want to stop yourself from constantly needing motivation, and instead cultivate a sense of discipline that will follow you for the rest of your life, the CISSP is worth it.
The journey to the CISSP is an epic adventure. The harder you study, the more you lessen the fear of failing. In the testing center, when the timer begins to count down, there is nothing to focus on except the computer terminal in front of you presenting deep-level security questions. You take everything you learned in all those thousands of pages of your study guides, all those hours of watching videos, all those days of going over nothing but practice questions, and focus it all into the glow of the monitor. The exam is so intense it is as if you took a breath, and when you exhaled the exam was over; your fate is either a pass or a fail. You have to push yourself to pass this thing; you have to want it more than anything at this point in your life.
Imagine the exam ends and you walk toward the testing center proctor, the longest walk you'll ever take, and wait to hear the laboring engine of the printer writing up the destiny of your information security career. You're either going to feel a crushing sense of disappointment or a warm moment of the impossible realization that you have passed. Whatever the outcome, you're still not the same person that you were just a few hours, days, or months ago. You've improved. You have gained a greater perception of information security concepts than ever before. You can navigate your way around conversations with both technical engineers and C-level executives. You see the reality that nothing is perfect and you can't eliminate every risk. Ultimately, it doesn't really matter if you pass or fail; the journey to the CISSP is the real prize.
By now I've spent over 2,000 nights grinding as a CISSP instructor. Like your journey to the CISSP, mine has been filled with sleepless nights creating CISSP videos, practice questions, and flashcards, and managing multiple social media platforms. This whole security thing is not a job, it's a commitment. I am truly grateful to all those who have allowed me to be a part of their CISSP journey. Your stories inspire me every day.
Question 2
1 “Primary: Definition of Primary by Lexico.” Lexico Dictionaries, Oxford, 2020, www.lexico.com/en/definition/primary.
2, 3 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
4 “ICGN Guidance on Corporate Risk Oversight.” International Corporate Governance Network, 2015, www.icgn.org/sites/default/files/ICGN%20Corp%20Risk%20Oversightweb_0.pdf.
5, 6, 7, 8 “Guide for Conducting Risk Assessments.” NIST Special Publication 800-30 Revision 1, National Institute of Standards and Technology, Sept. 2012, nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.
Question 3
1, 5, 6, 7 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
2, 4, 8, 9, 10 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
3 McCormack, George. “Data Users.” Outcome 1: Describe the Legislation That Applies to the IT Profession, Higher National Computing: E-Learning Materials, Mar. 2008, www.sqa.org.uk/e-learning/ITLaw01CD/page_19.htm.
11 Sagan, Carl. Carl Sagan's Cosmic Connection: An Extraterrestrial Perspective. Cambridge: Cambridge University Press, 2000.
Question 4
1 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
2, 3, 4, 5, 6 Scarfone, Karen, et al. “Technical Guide to Information Security Testing and Assessment.” NIST Special Publication 800-115, National Institute of Standards and Technology, Sept. 2008, nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf.
7 Eltringham, Scott. “Prosecuting Computer Crimes.” Office of Legal Education, Executive Office for United States Attorneys, United States Department of Justice, 14 Jan. 2015, www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf.
8 Regalado, Daniel, Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness, Branko Spasojevic, Ryan Linn, and Stephen Sims. Gray Hat Hacking: The Ethical Hacker's Handbook. 4th ed., McGraw-Hill/Osborne, 2015.
Question 5
1 Puttygen.com.
2, 3, 4, 10 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
5, 6, 8, 9 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
7 “Guidelines on Firewalls and Firewall Policy.” Computer Security Resource Center, National Institute of Standards and Technology, Sept. 2009, csrc.nist.gov/publications/detail/sp/800-41/rev-1/final.
Question 6
1 “Code of Ethics: Complaint Procedures: Committee Members.” (ISC)2, 2020, www.isc2.org/Ethics.
2, 3 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
4, 8, 10 “Why Is Third Party Risk Management Important?” Third Party Risk Management: Managing Risks in Your Extended Enterprise, Deloitte, 2017, www2.deloitte.com/content/dam/Deloitte/sg/Documents/risk/sg-risk-third-party-risk-management-brochure.pdf.
5, 7, 9 Gordon, Adam. Official (ISC)2 Guide to the CISSP CBK ((ISC)2 Press). 4th ed., Taylor and Francis Group, LLC, 2015.
6 “CMMI Levels of Capability and Performance.” CMMI Institute, ISACA, 2020, cmmiinstitute.com/learning/appraisals/levels.
11 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
Question 7
1, 3, 4, 6, 7, 8, 9 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
2, 5 Blake, Sonya. “The Clark-Wilson Security Model.” Global Information Assurance Certification Paper, 17 May 2000, www.giac.org/paper/gsec/835/clark-wilson-security-model/101747.
Question 8
1, 2, 15 “DDoS Quick Guide.” National Cybersecurity and Communications Integration Center, 29 Jan. 2014, www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf.
3, 4, 6, 7, 8, 10, 11, 12, 14 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
5, 16, 17 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
9 Specht, Stephen, and Ruby Lee. “Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures.” Princeton Architecture Laboratory for Multimedia and Security, 16 May 2003, www.princeton.edu/~rblee/ELE572Papers/Fall04Readings/DDoSSurveyPaper_20030516_Final.pdf.
13 Real-world experience.
Question 9
1, 8, 12 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
2 “Art. 50 GDPR - International Cooperation for the Protection of Personal Data.” GDPR.eu, 14 Nov. 2018, gdpr.eu/article-50-countries-outside-of-europe-cooperation/.
3 “Art. 17 GDPR - Right to Erasure ('Right to Be Forgotten').” GDPR.eu, 14 Nov. 2018, gdpr.eu/article-17-right-to-be-forgotten/.
4 “Art. 34 GDPR - Communication of a Personal Data Breach to the Data Subject.” GDPR.eu, 14 Nov. 2018, gdpr.eu/article-34-communication-of-a-personal-data-breach/.
5, 9 “Tokenization Product Security Guidelines – Irreversible and Reversible Tokens.” PCI Security Standards Council, Apr. 2015, www.pcisecuritystandards.org/documents/Tokenization_Product_Security_Guidelines.pdf.
6 “All You Need to Know about Tokenization.” Visa Inc., usa.visa.com/dam/VCOM/download/security/documents/visa-security-tokenization-infographic.pdf.
7, 10 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
11 McCallister, Erika, et al. “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).” Recommendations of the National Institute of Standards and Technology, Apr. 2010, nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf.
Question 10
1 Mell, Peter, and Timothy Grance. “The NIST Definition of Cloud Computing.” Recommendations of the National Institute of Standards and Technology, Sept. 2011, nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.
2, 3, 4, 5 Jansen, Wayne, and Timothy Grance. “Guidelines on Security and Privacy in Public Cloud Computing.” National Institute of Standards and Technology, Dec. 2011, nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf.
Question 11
1, 2 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
3 Gordon, Adam. Official (ISC)2 Guide to the CISSP CBK ((ISC)2 Press). 4th ed., Taylor and Francis Group, LLC, 2015.
4, 6, 7, 8 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
5 Swanson, Marianne, et al. “Guide for Developing Security Plans for Federal Information Systems.” NIST Special Publication 800-18 Revision 1, National Institute of Standards and Technology, Feb. 2006, csrc.nist.gov/publications/detail/sp/800-18/rev-1/final.
Question 12
1 Hoffman, P., and B. Schneier. “RFC 4270: Attacks on Cryptographic Hashes in Internet Protocols.” Network Working Group, Nov. 2005, www.hjp.at/doc/rfc/rfc4270.html.
2, 3, 4, 5, 6, 8, 9, 10, 11 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
7 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
Question 13
1, 8 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
2, 3, 4, 6, 7 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
5 Swanson, Marianne, et al. “Contingency Planning Guide for Federal Information Systems.” NIST Special Publication 800-34 Revision 1, National Institute of Standards and Technology, May 2010, nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf.
Question 14
1, 2, 4, 5, 6 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
3 “Firewall Interfaces Overview.” Palo Alto Networks, 30 Apr. 2020, docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-interfaces/firewall-interfaces-overview.
Question 15
1 “NIST Risk Management Framework Overview.” National Institute of Standards and Technology, 28 Mar. 2018, www.nist.gov/system/files/documents/2018/03/28/vickie_nist_risk_management_framework_overview-hpc.pdf.
2 Xu, William, Gerald Grant, Hai Nguyen, and Xianyi Dai. “Security Breach: The Case of TJX Companies, Inc.” Communications of the Association for Information Systems, vol. 23, article 31, 2008.
3 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
4, 5, 6 Gordon, Adam. Official (ISC)2 Guide to the CISSP CBK ((ISC)2 Press). 4th ed., Taylor and Francis Group, LLC, 2015.
Question 16
1, 2, 3, 4, 5, 6 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
7 Gordon, Adam. Official (ISC)2 Guide to the CISSP CBK ((ISC)2 Press). 4th ed., Taylor and Francis Group, LLC, 2015.
8 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
Question 17
1, 2, 3, 5, 6, 9, 10 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
4 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
7, 8 Gordon, Adam. Official (ISC)2 Guide to the CISSP CBK ((ISC)2 Press). 4th ed., Taylor and Francis Group, LLC, 2015.
Question 18
1, 2 Chew, Elizabeth, et al. “Performance Measurement Guide for Information Security.” NIST Special Publication 800-55 Revision 1, National Institute of Standards and Technology, July 2008, nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-55r1.pdf.
3 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
Question 19
1, 2, 7, 8 Scarfone, Karen, et al. “Technical Guide to Information Security Testing and Assessment.” NIST Special Publication 800-115, National Institute of Standards and Technology, Sept. 2008, nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf.
3, 9 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
4, 5, 6, 11, 12, 13 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
10 “Combating the Insider Threat.” National Cybersecurity and Communications Integration Center, US Department of Homeland Security, 2 May 2014, www.us-cert.gov/sites/default/files/publications/Combating%20the%20Insider%20Threat_0.pdf.
Question 20
1, 2, 3, 4, 5, 7, 8, 10, 11, 12, 14, 15 Kissel, Richard, et al. “Security Considerations in the System Development Life Cycle.” NIST Special Publication 800-64 Revision 2, National Institute of Standards and Technology, Oct. 2008, nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64r2.pdf.
6 https://cve.mitre.org/cve/
9, 13 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
Question 21
1, 2, 3, 4, 5, 6, 8 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
7 “Security and Privacy Controls for Federal Information Systems and Organizations.” NIST Special Publication 800-53 Revision 4, National Institute of Standards and Technology, Apr. 2013, nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.
Question 22
1, 2, 3, 7 Hu, Vincent, et al. “Assessment of Access Control Systems.” NIST Interagency Report 7316, National Institute of Standards and Technology, Sept. 2006, nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7316.pdf.
4, 11, 12 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
5, 6 “Security and Privacy Controls for Federal Information Systems and Organizations.” NIST Special Publication 800-53 Revision 4, National Institute of Standards and Technology, Apr. 2013, nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.
8, 9, 10 Hu, Vincent C., et al. “Guide to Attribute Based Access Control (ABAC) Definition and Considerations.” NIST Special Publication 800-162, National Institute of Standards and Technology, Jan. 2014, nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-162.pdf.
Question 23
1, 5, 8 Chapple, Mike, and James M. Stewart. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. 8th ed., Wiley, 2018.
2, 10, 11, 12 Hoon, Tan. “Crime Prevention Through Environmental Design.” National Crime Prevention Council, Oct. 2003, rems.ed.gov/docs/Mobile_docs/CPTED-Guidebook.pdf.
3, 4, 9 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
6 Barnum, Sean, et al. “Defense in Depth.” United States Computer Emergency Readiness Team, Cybersecurity and Infrastructure Security Agency (CISA), 2005, www.us-cert.gov/bsi/articles/knowledge/principles/defense-in-depth.
7 McGuiness, Todd. “Defense In Depth.” Information Security Reading Room, SANS Institute, 7 May 2020, www.sans.org/reading-room/whitepapers/basics/defense-in-depth-525.
Question 24
1, 2, 3, 4, 5, 6, 7 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
Question 25
1 https://cmmiinstitute.com/learning/appraisals/levels
2, 3, 9, 10, 13 Harris, Shon, and Fernando Maymi. CISSP All-in-One Exam Guide. 7th ed., New York: McGraw-Hill, 2016.
4, 12 extremeprogramming.org
5, 6, 11 Gordon, Adam. Official (ISC)2 Guide to the CISSP CBK ((ISC)2 Press). 4th ed., Taylor and Francis Group, LLC, 2015.
7, 8 Libes, Don. “Regression Testing and Conformance Testing Interactive Programs.” National Institute of Standards and Technology, 12 June 1992, tsapps.nist.gov/publication/get_pdf.cfm?pub_id=821305.
About the Author
Luke Ahmed is a CISSP instructor and the founder of Study Notes and Theory. He provides a different way to study for the CISSP exam by striving to create a casual and conducive learning environment using a mix of high-level concepts and technical terminology. Luke is a perpetual optimist dedicated to helping those on their journey to the CISSP and to becoming better security professionals.