
CISSP Last Minute Review

Domain 1:
Security and Risk Management

Organizations are subject to a wide variety of legal and regulatory compliance obligations from:
• Criminal laws that may involve prison or fines.
• Civil laws that regulate non-criminal disputes.
• Administrative laws set by government agencies.
• Regulations from industry bodies.

The major categories of intellectual property protection include:
• Trademarks protect words and symbols.
• Copyrights protect creative works.
• Patents protect inventions.
• Trade secrets require maintaining secrecy but don’t expire.

[Figure: the CIA triad, with Confidentiality, Integrity, and Availability as the three sides of a triangle.]

The three main goals of information security are:
• Confidentiality prevents unauthorized disclosure.
• Integrity prevents unauthorized alteration.
• Availability ensures authorized access.

Security activities must be aligned with business strategy, mission, goals, and objectives. This requires strategic, tactical, and operational planning.

Security frameworks provide templates for security activities. These include COBIT, NIST CSF, and ISO 27001/2.

Due care is taking reasonable steps to protect the interest of the organization. Due diligence ensures those steps are carried out.

Security governance is carried out through:
• Policies which state high-level objectives (mandatory compliance).
• Standards which state detailed technical requirements (mandatory compliance).
• Procedures which provide step-by-step processes (mandatory compliance).
• Guidelines which offer advice and best practices (optional compliance).

Personnel security principles include:
• Need to know requires a legitimate business need to access information.
• Least privilege grants individuals the minimum necessary permissions to perform their jobs.
• Separation of duties blocks someone from having two sensitive privileges in combination.
• Two-person control requires two people to perform a sensitive activity.
• Mandatory vacations and job rotation seek to prevent fraudulent activity by uncovering malfeasance.

Risks are the combination of a threat and a corresponding vulnerability.

Quantitative risk assessment uses the following formulas:
• Single Loss Expectancy (SLE) = Asset Value * Exposure Factor
• Annualized Loss Expectancy (ALE) = Annualized Rate of Occurrence (ARO) * SLE

Responses to a risk include:
• Avoid risk by changing business practices.
• Mitigate risk by implementing controls.
• Accept risk and continue operations.
• Transfer risk through insurance or contract.
© 2024, CertMike.com 1
Prepared exclusively for louisejohncacot@gmail.com Transaction: 0141072519

Security controls may be preventive, detective, or corrective.

Business continuity planning conducts a business impact assessment and then implements controls designed to keep the business running during adverse circumstances.

Privacy Law                                          Region
General Data Protection Regulation (GDPR)            European Union
California Consumer Privacy Act (CCPA)               California
Personal Information Protection Law (PIPL)           China
Protection of Personal Information Act (POPIA)       South Africa

Supply chain risks result from issues that might arise in the hardware, software, and services that organizations obtain from vendors. Options for mitigating supply chain risks include third-party assessment and monitoring and service level requirements (SLRs).

The hardware root of trust establishes a foundational security benchmark by using cryptographic methods to ensure the integrity of a system from the boot process, protecting against unauthorized changes.

Physically unclonable functions (PUFs) secure devices by using the unique physical variations of hardware as cryptographic keys, making the hardware’s identity nearly impossible to replicate or forge.

Organizations employ software bills of materials (SBOMs) to document software components and dependencies, aiding in vulnerability management, license compliance, and swift response to security threats in the software supply chain.

Domain 2:
Asset Security

Information should be classified based upon its sensitivity to the organization. Assets should be classified based upon the classification of information that they store, process, and transmit.

Common classes of sensitive information include:
• Personally identifiable information (PII) which uniquely identifies individuals.
• Protected health information (PHI) which includes individual health records.
• Proprietary information which contains trade secrets.

Data State        Description
Data at Rest      Data stored on a system or media device
Data in Motion    Data in transit over a network
Data in Use       Data being actively processed in memory

[Figure: Information classification levels, listed from most to least sensitive, with the government scheme beside its private-sector equivalent.]
Government        Private Sector
TOP SECRET        HIGHLY SENSITIVE
SECRET            SENSITIVE
CONFIDENTIAL      INTERNAL
UNCLASSIFIED      PUBLIC

Information should be labeled with its classification, and security controls should be defined and appropriate for each classification level.

Collect only data that is necessary for legitimate business purposes. This is known as data minimization. Data should be retained no longer than necessary. Use sanitization technology to ensure that no traces of data remain on media (data remanence) before discarding it.
• Erasing performs a delete operation on a file but the data remains on disk.
• Clearing overwrites the data with random values to ensure that it is sanitized.

Data Role         Responsibilities
Data Owner        Senior-level executive who establishes rules and determines appropriate controls for information.
Data Controller   Organization or person within an organization who determines the purpose and means of data processing. Special significance under GDPR.
Data Custodian    Individuals who are responsible for managing data and data security controls for an organization. This role is commonly found within IT teams.
Data Processor    An organization that handles information on behalf of another organization, typically a business-to-business relationship.
Data User         Individuals who interact with information during the normal course of business.
Data Subject      Individuals who may be individually identified by name or another identifier within the records maintained by an organization.

Digital rights management (DRM) systems are technical controls that allow an organization to assert data ownership rights while sharing information with individuals and other organizations.

Security baselines, such as NIST SP 800-53, provide a standardized set of controls that an organization may use as a benchmark.

Typically, organizations don’t adopt a baseline standard wholesale, but instead tailor a baseline to meet their specific security requirements.


A product’s End of Life (EOL) is the point at which a product is no longer manufactured or sold. End of Support (EOS) refers to the time when the manufacturer stops providing support services, such as updates and repairs, for the product.

Data Protection Technology             Description
Data Loss Prevention (DLP)             Detects and prevents unauthorized access or transmission of sensitive information
Cloud Access Security Broker (CASB)    Serves as a security policy enforcement point between cloud service consumers and providers
Digital Rights Management (DRM)        Controls the use and distribution of digital content, protecting intellectual property

Domain 3:
Security Architecture and Engineering

Least privilege is a security principle that says that users should have the minimum set of permissions necessary to carry out their job functions.

Separation of duties requires that no single individual have the ability to perform two separate functions that, when combined, may undermine security.

Two-person control requires the concurrence of two individuals to perform a single sensitive function.

The defense-in-depth principle requires the use of overlapping controls to meet the same control objective, protecting against the failure of an individual control.

Fail securely is a design principle that requires that systems default to a secure state when security mechanisms fail, preventing anyone from obtaining unauthorized access.

The zero trust model of network architecture says that security decisions should not be made based upon a user’s network location but should instead be based upon that user’s identity and other contextual information.

The seven pillars of the zero-trust model are:
1. User
2. Device
3. Network & Environment
4. Application & Workload
5. Data
6. Automation & Orchestration
7. Visibility & Analytics

The two basic cryptographic operations are substitution, which modifies characters, and transposition, which moves them around.

Symmetric encryption uses the same shared secret key for encryption and decryption.

In asymmetric encryption, users each have their own public/private keypair. Keys are used as follows:

                           Confidentiality            Digital Signature
Sender encrypts with…      Recipient’s public key     Sender’s private key
Recipient decrypts with…   Recipient’s private key    Sender’s public key

Cryptographic Attack   Description
Brute Force            Attempts to guess the decryption key by using random attempts (brute force) to guess all possible key values until the correct one is found.
Ciphertext Only        Attacks that work when the attacker only has access to the ciphertext.
Known Plaintext        Attacks that require the attacker to have access to both the ciphertext and the plaintext used to create that ciphertext in an attempt to determine the decryption key.
Chosen Ciphertext      Attacks that require the attacker to have the ability to generate ciphertext of their own choosing.
Chosen Plaintext       Attacks that require the attacker to have the ability to generate ciphertext from plaintext of their own choosing.
Frequency Analysis     Attacks that analyze the number of times different characters appear in the ciphertext in an attempt to determine the decryption key.

Anything encrypted with one key from a pair may only be decrypted with the other key from that same pair.

Symmetric cryptography requires n(n-1)/2 keys for n users; asymmetric cryptography requires 2n keys.

Secure symmetric algorithms include 3DES, AES, IDEA, and Blowfish. DES is not secure.

Secure asymmetric algorithms include RSA, El Gamal, and elliptic curve (ECC).


Quantum computing uses the principles of quantum mechanics to perform computing tasks. Quantum cryptography applies quantum computing to encryption and decryption and may have the ability to defeat modern encryption algorithms when fully implemented.

The Diffie-Hellman algorithm may be used for secure exchange of symmetric keys.

Hashes are one-way functions that produce a unique value for every input and cannot be reversed.

Digital certificates use the X.509 standard and contain a copy of an entity’s public key. They are digitally signed by a certificate authority (CA).

Transport Layer Security (TLS) is the replacement for Secure Sockets Layer (SSL) and uses public key cryptography to exchange a shared secret key used to secure web traffic and other network communications.

The Trusted Computing Base (TCB) is the secure core of a system that has a secure perimeter with access enforced by a reference monitor.

CPUs support two modes of operation: user mode for standard applications and privileged mode for processes that require direct access to core resources.

Security mode                                               Dedicated   System High   Compartmented   Multilevel
Users must be cleared for highest level of info             Yes         Yes           Yes             No
processed by system.
Users must have access approval for all info processed.     Yes         Yes           No              No
Users must have need to know all info processed by system.  Yes         No            No              No

Two serious issues can occur when users are granted limited access to information in databases or other repositories. Aggregation attacks occur when a user is able to summarize individual records to detect trends that are confidential. Inference attacks occur when a user is able to use several innocuous facts in combination to determine, or infer, more sensitive information.

Mantraps use a set of double doors to restrict physical access to a facility.

TCP is a connection-oriented protocol, while UDP is a connectionless protocol that does not guarantee delivery.

TCP Three-Way Handshake: SYN, SYN/ACK, ACK

Model             Bell-LaPadula     Biba
Goal              Confidentiality   Integrity
Simple Property   No read up        No read down
*-Property        No write down     No write up
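The Bell-LaPadula and Biba rules in the table above, as an added example that is not part of the review sheet: a small reference-monitor check in which the level lattice, the subject and object names, and the request list are all constructed sample data.

```python
"""Added example (not from the CertMike review sheet): a minimal reference
monitor enforcing the Bell-LaPadula and Biba rules. LEVELS, the subjects,
objects and SAMPLE_REQUESTS are constructed for illustration."""

# Constructed lattice of levels, lowest to highest. The same ordering serves as
# a sensitivity scale (Bell-LaPadula) and as an integrity scale (Biba).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


def rank(level: str) -> int:
    """Position of a level in the lattice; higher means more sensitive/trusted."""
    return LEVELS.index(level)


def bell_lapadula(subject_level: str, object_level: str, op: str) -> bool:
    """Confidentiality model.
    Simple security property: no read up   (subject level >= object level).
    *-property:               no write down (object level >= subject level)."""
    s, o = rank(subject_level), rank(object_level)
    if op == "read":
        return s >= o
    if op == "write":
        return o >= s
    raise ValueError(f"unknown operation: {op!r}")


def biba(subject_level: str, object_level: str, op: str) -> bool:
    """Integrity model, the mirror image of Bell-LaPadula.
    Simple integrity property: no read down (object level >= subject level).
    *-integrity property:      no write up  (subject level >= object level)."""
    s, o = rank(subject_level), rank(object_level)
    if op == "read":
        return o >= s
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation: {op!r}")


MODELS = {"bell_lapadula": bell_lapadula, "biba": biba}


def reference_monitor(model: str, requests) -> list:
    """Mediate a batch of (subject, subject_level, object, object_level, op)
    requests under one model and return the denied ones, each tagged with
    the rule that blocked it, so the decisions can be audited."""
    check = MODELS[model]
    denied = []
    for subject, s_level, obj, o_level, op in requests:
        if check(s_level, o_level, op):
            continue
        if model == "bell_lapadula":
            rule = "no read up" if op == "read" else "no write down"
        else:
            rule = "no read down" if op == "read" else "no write up"
        denied.append((subject, op, obj, rule))
    return denied


# Constructed requests: (subject, subject level, object, object level, op)
SAMPLE_REQUESTS = [
    ("alice", "SECRET", "ops-plan", "TOP SECRET", "read"),       # read up
    ("alice", "SECRET", "lunch-menu", "UNCLASSIFIED", "read"),   # read down
    ("alice", "SECRET", "lunch-menu", "UNCLASSIFIED", "write"),  # write down
    ("bob", "CONFIDENTIAL", "ops-plan", "TOP SECRET", "write"),  # write up
]

if __name__ == "__main__":
    for name in MODELS:
        print(name, "denies:", reference_monitor(name, SAMPLE_REQUESTS))
```

The same four requests produce opposite verdicts under the two models, which is the point of the table: Bell-LaPadula blocks the read-up and write-down, Biba blocks the read-down and write-up.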

Domain 4:
Communication and Network Security

OSI Model

Layer          Description
Application    Serves as the point of integration for user applications with the network
Presentation   Transforms user-friendly data into machine-friendly data; encryption
Session        Establishes, maintains, and terminates sessions
Transport      Manages connection integrity; TCP, UDP, SSL, TLS
Network        Routing packets over the network; IP, ICMP, BGP, IPsec, NAT
Data Link      Formats packets for transmission; Ethernet, ARP, MAC addresses
Physical       Encodes data into bits for transmission over wire, fiber, or radio

DNS converts between IP addresses and domain names. ARP converts between MAC addresses and IP addresses. NAT converts between public and private IP addresses.

Wi-Fi networks should be secured with WPA2 or WPA3 encryption rather than WEP or WPA. WPA2 uses the CCMP protocol, while WPA3 uses the simultaneous authentication of equals (SAE) in conjunction with AES cryptography.

Network switches generally work at layer 2 and connect directly to endpoints or other switches. Switches may also create virtual LANs (VLANs) to further segment internal networks at layer 2.

Routers generally work at layer 3 and connect networks to each other. Firewalls are the primary network security control used to separate networks of differing security levels.

Network engineers make use of a variety of communications technologies when wired networks are not available. These include:
• Wi-Fi networks provide wireless access using radio waves over short distances, such as within a building.
• Zigbee networks support the Internet of Things (IoT) and home automation deployments within a facility.
• Cellular networks provide longer-range communications within the line-of-sight of cellular towers. These include 4G networks, which are widely available, and 5G networks that provide extremely high data transfer rates but currently have limited coverage.
• Satellite communications provide data service wherever satellites are visible in the sky but are extremely expensive to use.

Content distribution networks (CDNs) are global networks of servers that provide local caches of web and other content to relieve the burden on remote web servers and increase the speed of content delivery to users.

When deploying services in the cloud, organizations may choose from three major cloud strategies:
• Software-as-a-Service (SaaS) deploys entire applications to the cloud. The customer is only responsible for supplying data and manipulating the application.
• Infrastructure-as-a-Service (IaaS) sells basic building blocks, such as servers and storage. The customer manages the operating system and configures and installs software.
• Platform-as-a-Service (PaaS) provides the customer with a managed environment to run their own software without concern for the underlying hardware.


Port(s)               Service
20, 21                FTP
22                    SSH
23                    Telnet
25                    SMTP
53                    DNS
80                    HTTP
110                   POP3
123                   NTP
135, 137-139, 445     Windows File Sharing
143                   IMAP
161/162               SNMP
443                   HTTPS
1433/1434             SQL Server
1521                  Oracle
1720                  H.323
1723                  PPTP
3389                  RDP
9100                  HP JetDirect Printing

Most Virtual Private Networks (VPN) use either TLS or IPsec. IPsec uses Authentication Headers (AH) to provide authentication, integrity and nonrepudiation and Encapsulating Security Payload (ESP) to provide confidentiality.

Cloud services may be built and/or purchased in several forms:
• Public cloud providers sell services to many different customers and many customers may share the same physical hardware.
• Private cloud environments dedicate hardware to a single user.
• Hybrid cloud environments combine elements of public and private cloud in a single organization.
• Community cloud environments use a model similar to the public cloud but with access restricted to a specific set of customers.

Software Defined Networks (SDN) move away from hardware-centric models to software-based control. This approach uses Application Programming Interfaces (APIs) to programmatically control network behavior, Software-Defined Wide-Area Networks (SD-WAN) to connect and manage enterprise networks over large geographical distances, and Network Function Virtualization (NFV) to virtualize network services traditionally run on hardware.

Domain 5:
Identity and Access Management

The core activities of identity and access management are:
• Identification where a user makes a claim of identity.
• Authentication where the user proves the claim of identity.
• Authorization where the system confirms that the user is permitted to perform the requested action.
• Accounting where the system tracks user activity.

In access control systems, we seek to limit the access that subjects (e.g. users, applications, processes) have to objects (e.g. information resources, systems).

Access controls work in three different fashions:
• Technical (or logical) controls use hardware and software mechanisms, such as firewalls and intrusion prevention systems, to limit access.
• Physical controls, such as locks and keys, limit physical access to controlled spaces.
• Administrative controls, such as account reviews, provide management of personnel and business practices.

Multifactor authentication systems combine authentication technologies from two or more of the following categories:
• Something you know (Type 1 factors) rely upon secret information, such as a password.
• Something you have (Type 2 factors) rely upon physical possession of an object, such as a smartphone.
• Something you are (Type 3 factors) rely upon biometric characteristics of a person, such as a face scan or fingerprint.

Authentication technologies may experience two types of errors. False positive errors occur when a system accepts an invalid user as correct. It is measured using the false acceptance rate (FAR). False negative errors occur when a system rejects a valid user, measured using the false rejection rate (FRR). We evaluate the effectiveness of an authentication technology using the crossover error rate (CER), as shown in the diagram:

[Figure: Error rate plotted against sensitivity, showing the FAR and FRR curves and the CER at the point where they cross.]

Organizations often use centralized access control systems to streamline authentication and authorization and to provide users with a single sign on (SSO) experience. These solutions often leverage Kerberos, which uses a multi-step logon process:
1. User authenticates to a client on his or her device.
2. Client sends the authentication credentials to the Key Distribution Center (KDC).
3. KDC verifies the credentials and creates a ticket granting ticket (TGT) and sends it to the user.
4. Client makes a service access request to the KDC using the TGT.
5. KDC verifies the TGT, creates a service ticket (ST) for the user to use with the service, and sends the ST to the user.
6. User sends the ST to the service.
7. Service verifies the ST with the KDC and grants access.

RADIUS is an authentication protocol commonly used for backend services. TACACS+ serves a similar purpose and is the only protocol from the TACACS family that is still commonly used.
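The seven Kerberos logon steps above, walked through as an added example that is not part of the review sheet. The principals, keys and ticket layout are constructed, and one simplification is assumed: real Kerberos encrypts each ticket with the verifier's long-term key, whereas this model only integrity-protects tickets with an HMAC under that key, so step 7 is the service checking the ST with the key it shares with the KDC.

```python
"""Added example (not from the CertMike review sheet): a toy model of the
Kerberos TGT / service-ticket flow using only the standard library.
Assumed simplification: tickets are HMAC-protected, not encrypted."""
import hashlib
import hmac
import json
import os
import time


def derive_key(password: str) -> bytes:
    """Toy string-to-key function (real Kerberos uses a salted KDF)."""
    return hashlib.sha256(password.encode()).digest()


def _mac(key: bytes, body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _valid(key: bytes, ticket: dict, now: float) -> bool:
    """A ticket is valid if its MAC verifies under `key` and it has not expired."""
    body = ticket["body"]
    return (hmac.compare_digest(_mac(key, body), ticket["mac"])
            and now <= body["issued"] + body["lifetime"])


class KDC:
    """Key Distribution Center: holds every principal's long-term key."""

    def __init__(self, principal_keys: dict):
        self.keys = principal_keys        # principal name -> long-term key
        self.tgs_key = os.urandom(32)     # known only to the KDC; protects TGTs

    def authenticate(self, user: str, credential: bytes, now: float):
        # Steps 2-3: verify the user's credential, then issue a TGT.
        expected = self.keys.get(user)
        if expected is None or not hmac.compare_digest(expected, credential):
            return None
        body = {"user": user, "issued": now, "lifetime": 8 * 3600}
        return {"body": body, "mac": _mac(self.tgs_key, body)}

    def request_service(self, tgt: dict, service: str, now: float):
        # Steps 4-5: verify the TGT, then issue a service ticket for `service`,
        # protected with the long-term key the KDC shares with that service.
        if not _valid(self.tgs_key, tgt, now) or service not in self.keys:
            return None
        body = {"user": tgt["body"]["user"], "service": service,
                "issued": now, "lifetime": 600}
        return {"body": body, "mac": _mac(self.keys[service], body)}


class Service:
    """A Kerberized service; shares its long-term key with the KDC."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def access(self, st: dict, now: float) -> bool:
        # Step 7: check the ST with the key shared with the KDC, and that the
        # ticket was actually issued for this service, before granting access.
        return _valid(self.key, st, now) and st["body"]["service"] == self.name


def logon_and_access(kdc: KDC, service: Service, user: str, password: str,
                     now: float = None) -> bool:
    """Runs steps 1-7 end to end; True only if the service grants access."""
    now = time.time() if now is None else now
    credential = derive_key(password)                   # step 1 (on the client)
    tgt = kdc.authenticate(user, credential, now)       # steps 2-3
    if tgt is None:
        return False
    st = kdc.request_service(tgt, service.name, now)    # steps 4-5
    if st is None:
        return False
    return service.access(st, now)                      # steps 6-7


# Constructed principals: one user and one file service registered with the KDC.
SERVICE_KEY = os.urandom(32)
KDC_INSTANCE = KDC({"alice": derive_key("correct horse"), "fileserver": SERVICE_KEY})
FILESERVER = Service("fileserver", SERVICE_KEY)

if __name__ == "__main__":
    print(logon_and_access(KDC_INSTANCE, FILESERVER, "alice", "correct horse"))
    print(logon_and_access(KDC_INSTANCE, FILESERVER, "alice", "wrong password"))
```

The checks in Service.access show why a stolen or replayed ticket is limited in value: it expires, it is bound to one service, and any edit to its body invalidates the MAC.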


The Security Assertion Markup Language (SAML) provides an open standard for different entities to exchange authentication and authorization information when performing federation.

OAuth is an authorization standard that allows users to log into applications using credentials provided by other identity providers without providing the application with those credentials. OpenID Connect is a consumer-focused implementation of OAuth used by Google and other cloud service providers.

The implicit deny principle says that any action that is not explicitly authorized for a subject should be denied.

Brute force attacks against password systems try to guess all possible passwords. Dictionary attacks refine this approach by testing combinations and permutations of dictionary words. Rainbow table attacks precompute hash values for use in comparison. Salting passwords with a random value prior to hashing them reduces the effectiveness of rainbow table attacks.

Man-in-the-middle attacks intercept a client’s initial request for a connection to a server and proxy that connection to the real service. The client is unaware that they are communicating through a proxy and the attacker can eavesdrop on the communication and inject commands.
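Why salting blunts a precomputed table, as an added example that is not part of the review sheet. The wordlist, the user records and the choice of SHA-256 / PBKDF2 are constructed for illustration, and the precomputed table is a plain dictionary standing in for a rainbow table (same precomputation, just without the space-saving chains).

```python
"""Added example (not from the CertMike review sheet): precomputed-table
lookup against unsalted hashes versus salted, stretched hashes.
WORDLIST and PASSWORDS are constructed sample data."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for a dictionary of common passwords.
WORDLIST = ["password", "letmein", "qwerty", "Summer2024", "hunter2"]
ROUNDS = 50_000   # PBKDF2 iterations; constructed, low enough to run quickly


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def precompute_table(words) -> dict:
    """Built once, offline: hash -> password for every word in the list."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(table: dict, store: dict) -> dict:
    """Unsalted store {user: hash}: each lookup is O(1), and users who share a
    password share a hash, so one precomputation breaks them all at once."""
    return {user: table[h] for user, h in store.items() if h in table}


def salted_hash(password: str, salt: bytes = None) -> str:
    """Random 16-byte salt + PBKDF2-HMAC-SHA256, stored as 'salt$digest' (hex)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_salted(table: dict, store: dict) -> dict:
    """The same table against a salted store: the salt changes every digest,
    so a table keyed on unsalted hashes never matches. An attacker is pushed
    back to recomputing the whole wordlist per user, per salt."""
    return {user: table[s.split("$")[1]] for user, s in store.items()
            if s.split("$")[1] in table}


# Constructed user database; alice and bob happen to share a password.
PASSWORDS = {"alice": "qwerty", "bob": "qwerty", "carol": "Tr0ub4dor&3"}


def demo() -> dict:
    table = precompute_table(WORDLIST)
    unsalted_store = {u: unsalted_hash(p) for u, p in PASSWORDS.items()}
    salted_store = {u: salted_hash(p) for u, p in PASSWORDS.items()}
    return {
        "unsalted_cracked": crack_unsalted(table, unsalted_store),
        "salted_cracked": crack_salted(table, salted_store),
        "shared_password_visible_unsalted": unsalted_store["alice"] == unsalted_store["bob"],
        "shared_password_visible_salted": salted_store["alice"] == salted_store["bob"],
        "verify_ok": verify_salted("qwerty", salted_store["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stretching (ROUNDS) is the other half of the defense: the salt defeats precomputation, the iteration count raises the cost of the per-user dictionary attack that remains.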

Access control lists (ACLs) form the basis of many access management systems and provide a listing of subjects and their permissions on objects and groups of objects.

Discretionary access control (DAC) systems allow the owners of objects to modify the permissions that other users have on those objects. Mandatory access control (MAC) systems enforce predefined policies that users may not modify.

Role-based access control assigns permissions to individual users based upon their assigned role(s) in the organization. For example, backup administrators might have one set of permissions while sales representatives have an entirely different set.

Attribute-based access control (ABAC) systems make access control decisions based upon characteristics of the user, system, information, or other attributes.

Risk-based access control systems vary their access control decisions based upon the current threat environment.

Rule-based access control systems make access control decisions based upon a set of predefined rules. Firewalls are a common example.

Domain 6:
Security Assessment and Testing

Security tests verify that a control is functioning properly. Security assessments are comprehensive reviews of the security of a system, application, or other tested environment.

Security audits use testing and assessment techniques but are performed by independent auditors. There are three types of security audits:
• Internal audits are performed by an organization’s internal audit staff, normally led by a Chief Audit Executive who reports directly to the CEO.
• External audits are performed by an outside auditing firm.
• Third-party audits are conducted by, or on behalf of, another organization, such as a regulator.

Organizations that provide services to other organizations may conduct service organization control (SOC) audits under SSAE 18. These engagements produce two different types of reports:
• Type I reports provide a description of the controls in place, as described by the audited organization, and the auditor’s opinion whether the controls described are sufficient. The auditor does not test the controls.
• Type II reports result when the auditor actually tests the controls and provides an opinion on their effectiveness.

COBIT, ISO 27001, and ISO 27002 are commonly used standards for cybersecurity audits.

Vulnerability assessments seek to identify known deficiencies in systems and applications.

The Security Content Automation Protocol (SCAP) provides a standard framework for vulnerability assessment. It includes the following components:
• Common Vulnerabilities and Exposures (CVE)
• Common Vulnerability Scoring System (CVSS)
• Common Configuration Enumeration (CCE)
• Common Platform Enumeration (CPE)
• Extensible Configuration Checklist Description Format (XCCDF)
• Open Vulnerability and Assessment Language (OVAL)

Network discovery scanning uses tools like nmap to check for active systems and open ports. Common scanning techniques include:
• TCP SYN scans send a single packet with the SYN flag set.
• TCP Connect scans attempt to complete the three-way handshake.
• TCP ACK scans seek to impersonate an established connection.
• Xmas scans set the FIN, PSH, and URG flags.

Network vulnerability scanning first discovers active services on the network and then probes those services for known vulnerabilities. Web application vulnerability scans use tools that specialize in probing for web application weaknesses.

The vulnerability management workflow includes three basic steps: detection, remediation, and validation.

Penetration testing goes beyond vulnerability scanning and attempts to exploit vulnerabilities. It includes five steps:

[Figure: the penetration testing cycle: Planning, Information Gathering & Discovery, Vulnerability Scanning, Exploitation, Reporting.]


There are three different types of penetration tests:
• During white box penetration tests, testers have full access to information about the target systems.
• During black box penetration tests, testers conduct their work without any knowledge of the target environment.
• Gray box tests reside in the middle, providing testers with partial knowledge about the environment.

Cybersecurity exercises use several different types of teams:
• Red teams simulate attackers, exploiting vulnerabilities and penetrating the defenses of their own organization’s networks and systems.
• Blue teams defend against red team attacks by detecting, responding to, and mitigating threats.
• Purple teams bring together the red and blue teams to facilitate information sharing and learning from the exercise.

Code review provides an important software assurance tool that allows peer review by fellow developers for security, performance, and reliability issues.

Fagan inspections are a formal code review process that follows a rigorous six-step process with formalized entry and exit parameters for each step:
1. Planning
2. Overview
3. Preparation
4. Inspection
5. Rework
6. Follow Up

Static testing evaluates software code without executing it, while dynamic testing executes the code during the test. Fuzz testing supplies invalid input to applications in an attempt to trigger an error state.

Interface testing evaluates the connections between different system components.

Misuse case testing evaluates known avenues of attack in an application.

Test coverage analysis metrics evaluate the completeness of testing efforts using the formula:

test coverage = (use cases tested) / (all use cases)

Common criteria for test coverage analysis include:
• Branch coverage (if statements tested under all conditions)
• Condition coverage (logical tests evaluated under all inputs)
• Function coverage (each function tested)
• Loop coverage (every loop executed multiple times, once, and not at all)
• Statement coverage (every line of code executed)

Domain 7:
Security Operations

Security professionals are often called upon to participate in a variety of investigations:
• Criminal investigations look into the violation of a criminal law and use the beyond a reasonable doubt standard of proof.
• Civil investigations examine potential violations of civil law and use the preponderance of the evidence standard.
• Regulatory investigations examine the violation of a private or public regulatory standard.
• Administrative investigations are internal to an organization, supporting administrative activities.

Investigations may use several different types of evidence:
• Real evidence consists of tangible objects that may be brought into court.
• Documentary evidence consists of records and other written items and must be authenticated by testimony.
• Testimonial evidence is evidence given by a witness, either verbally or in writing.

The best evidence rule states that, when using a document as evidence, the original document must be used unless there are exceptional circumstances. The parol evidence rule states that a written agreement is assumed to be the complete agreement.

Forensic investigators must take steps to ensure that they do not accidentally tamper with evidence and that they preserve the chain of custody documenting evidence handling from collection until use in court.

The disaster recovery process begins when operations are disrupted at the primary site and shifted to an alternate capability. The process only concludes when normal operations are restored.

Cybersecurity incident response efforts follow this process:

[Figure: the incident response cycle: Detection, Response, Mitigation, Reporting, Recovery, Remediation, Lessons Learned, returning to Detection.]

Tool                                              Description
Intrusion Detection System                        Monitor a host or network for signs of intrusion and report to administrators.
Intrusion Prevention System                       Monitor a host or network for signs of intrusion and attempt to block malicious traffic automatically.
Security Information & Event Management System    Aggregate and correlate security information received from other systems.
Firewall                                          Restricts network traffic to authorized connections.
Application Whitelisting                          Limits applications to those on an approved list.
Application Blacklisting                          Blocks applications on an unapproved list.
Sandbox                                           Provides a safe space to run potentially malicious code.
Honeypot                                          System that serves as a decoy to attract attackers.
Honeynet                                          Unused network designed to capture probing traffic.
User and Entity Behavior Analytics (UEBA)         Uses advanced analytics to identify and assess abnormal user or device behavior.


Backups provide an important disaster recovery control. Remember that there are three major categories of backup:

Backup Type            Description
Full Backup            Copies all files on a system.
Differential Backup    Copies all files on a system that have changed since the most recent full backup.
Incremental Backup     Copies all files on a system that have changed since the most recent full or incremental backup.

When managing the physical environment, you should be familiar with common power issues:

Power Issue      Brief Duration    Prolonged Duration
Loss of power    Fault             Blackout
Low voltage      Sag               Brownout
High voltage     Spike             Surge
Disturbance      Transient         Noise
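The three backup types from the table above, as an added example that is not part of the review sheet: which files each type copies, and which backups a restore must apply. The file names, modification times and backup history are constructed integers (seconds from an arbitrary epoch).

```python
"""Added example (not from the CertMike review sheet): file selection for
full, differential and incremental backups, plus the restore chain each
scheme produces. All file tables and timestamps are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    kind: str      # "full", "differential" or "incremental"
    time: int      # when the backup ran
    files: tuple   # names of the files it copied


def select_files(kind: str, files: dict, history: list) -> list:
    """files: {name: mtime}. Returns the sorted names this backup copies."""
    if kind == "full":
        return sorted(files)
    fulls = [b for b in history if b.kind == "full"]
    if not fulls:
        raise ValueError(f"{kind} backup needs a prior full backup")
    if kind == "differential":
        # everything changed since the most recent full backup
        since = max(b.time for b in fulls)
    elif kind == "incremental":
        # everything changed since the most recent full OR incremental backup
        since = max(b.time for b in history
                    if b.kind in ("full", "incremental"))
    else:
        raise ValueError(f"unknown backup type {kind!r}")
    return sorted(name for name, mtime in files.items() if mtime > since)


def run_backup(kind: str, files: dict, history: list, now: int) -> Backup:
    backup = Backup(kind, now, tuple(select_files(kind, files, history)))
    history.append(backup)
    return backup


def restore_set(history: list) -> list:
    """Backups needed to restore the latest state, in the order to apply them:
    the last full backup, then every incremental taken after it; or, if the
    scheme is differential, only the latest differential after that full."""
    last_full = max((b for b in history if b.kind == "full"), key=lambda b: b.time)
    later = [b for b in history if b.time > last_full.time]
    incrementals = sorted((b for b in later if b.kind == "incremental"),
                          key=lambda b: b.time)
    if incrementals:
        return [last_full] + incrementals
    differentials = [b for b in later if b.kind == "differential"]
    if differentials:
        return [last_full, max(differentials, key=lambda b: b.time)]
    return [last_full]


def incremental_scenario() -> list:
    """Constructed timeline: full at t=100, then b edited, then c edited."""
    files = {"a": 50, "b": 60, "c": 70}
    history = []
    run_backup("full", files, history, now=100)          # copies a, b, c
    files["b"] = 150                                     # b edited
    run_backup("incremental", files, history, now=200)   # copies b only
    files["c"] = 250                                     # c edited
    run_backup("incremental", files, history, now=300)   # copies c only
    return history


def differential_scenario() -> list:
    """Same edits, but differential backups: each one re-copies b."""
    files = {"a": 50, "b": 60, "c": 70}
    history = []
    run_backup("full", files, history, now=100)          # copies a, b, c
    files["b"] = 150
    run_backup("differential", files, history, now=200)  # copies b
    files["c"] = 250
    run_backup("differential", files, history, now=300)  # copies b and c
    return history


if __name__ == "__main__":
    for scenario in (incremental_scenario, differential_scenario):
        history = scenario()
        print(scenario.__name__, [b.files for b in history],
              "restore:", [(b.kind, b.time) for b in restore_set(history)])
```

The trade-off the exam cares about falls out of the two scenarios: incrementals copy less each night but the restore chain grows with every backup, while differentials grow nightly but restore from just two sets.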

Fires require the combination of heat, oxygen, and fuel. They may be fought with fire extinguishers:
• Class A: common combustible fires
• Class B: liquid fires
• Class C: electrical fires
• Class D: metal fires

Organizations may use wet pipe fire suppression systems that always contain water, dry pipe systems that only fill with water when activated, or preaction systems that fill the pipes at the first sign of fire detection.

Disaster recovery sites fit into three major categories:

Site Type    Support Systems    Configured Servers    Real-time Data
Cold Site    Yes                No                    No
Warm Site    Yes                Yes                   No
Hot Site     Yes                Yes                   Yes

Disaster recovery plans require testing. There are five major test types:

DR Test Type             Description
Read-through/tabletop    Plan participants review the plan and their specific role, either as a group or individually.
Walkthrough              The DR team gathers to walk through the steps in the DR plan and verify that it is current and matches expectations.
Simulation               DR team participates in a scenario-based exercise that uses the DR plan without implementing technical recovery controls.
Parallel                 DR team activates alternate processing capabilities without taking down the primary site.
Full interruption        DR team takes down the primary site to simulate a disaster.

Domain 8:
Software Development Security

The waterfall model of software development is fairly rigid, allowing the process to return only to the previous step:

[Figure: waterfall model stages] System Requirements → Software Requirements → Preliminary Design → Detailed Design → Code and Debug → Testing → Operations and Maintenance

The spiral model uses a more iterative approach:

[Figure: spiral model] The spiral passes repeatedly through four quadrants, with cumulative cost growing outward and progress advancing around the spiral:
1. Determine objectives
2. Identify and resolve risks
3. Development and Test
4. Plan the next iteration
Activities labelled along the spiral include the requirements plan, concept of operation, concept of requirements, Prototype 1, Prototype 2, operational prototype, requirements, draft design, detailed design, development plan, code, integration, test plan, test, implementation, release, and verification and validation between phases.

The agile approach, by contrast, eschews this rigidity for a series of incremental deliverables created using a process that values:
• Individuals and interactions instead of processes and tools
• Working software instead of comprehensive documentation
• Customer collaboration instead of contract negotiation
• Responding to change instead of following a plan

The Scaled Agile Framework (SAFe) guides enterprises in scaling lean and agile practices beyond single teams. It provides a structured approach for large-scale projects to deliver high-quality products and services faster and more efficiently.

DevOps is a collaborative approach that combines software development and IT operations to shorten the development lifecycle and continuously deliver high-quality software. DevSecOps integrates security practices within the DevOps process, aiming to embed security checks and balances seamlessly into the software development and deployment lifecycle.

Software testing uses several techniques. In static testing, testers analyze the source code without executing it. Dynamic testing executes the source code against test datasets. Interactive testing executes the source code while testers interact with the application in real time. Software Composition Analysis (SCA) examines open-source components and libraries within a codebase to identify security vulnerabilities, license compliance issues, and other risks.

Software testers can have varying degrees of knowledge about the software they are testing. In a white box test, they have full knowledge of the software. In a black box test, they have no knowledge, while grey box tests reside in the middle, providing testers with partial knowledge.

The top ten security vulnerabilities in web applications, according to OWASP, are:
1. Broken access control
2. Cryptographic failures
3. Injection
4. Insecure design
5. Security misconfiguration
6. Vulnerable and outdated components
7. Identification and authentication failures
8. Software and data integrity failures
9. Security logging and monitoring failures
10. Server-side request forgery (SSRF)

In addition to maintaining current and patched platforms, one of the most effective application security techniques is input validation, which ensures that user input matches the expected pattern before it is used in code.
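Input validation works best as an allowlist: each field has one expected shape, the whole value must match it, and a field with no rule is rejected rather than assumed safe. The following is an added example, not code from the original review guide; the field names, patterns and sample inputs are constructed for illustration and are not a published standard.

```python
import re

# Constructed allowlist: the exact shape each field is expected to have.
# These patterns are illustrative for this example, not a published standard.
PATTERNS = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "account_id": re.compile(r"[0-9]{6,10}"),
    "report_name": re.compile(r"[A-Za-z0-9_-]{1,64}"),
}

class ValidationError(ValueError):
    """Raised when input does not match the expected pattern for its field."""

def validate(field: str, value: object) -> str:
    """Return `value` only if it is a string matching the field's pattern in full.
    fullmatch() is deliberate: re.match() with a trailing '$' still accepts a
    value ending in a newline, so the newline would be carried into later code."""
    pattern = PATTERNS.get(field)
    if pattern is None:
        raise ValidationError(f"no validation rule for field {field!r}")  # fail closed
    if not isinstance(value, str) or pattern.fullmatch(value) is None:
        raise ValidationError(f"{field} does not match the expected pattern")
    return value

def accepted(field: str, value: object) -> bool:
    try:
        validate(field, value)
        return True
    except ValidationError:
        return False

def denylist_accepts(value: str) -> bool:
    """The weaker approach contrasted here: refuse a handful of known-bad
    characters only. Anything not on the list slips through unchanged."""
    return not any(ch in value for ch in ";|&'\"<>")

# Constructed inputs: (field, value, expected allowlist verdict).
SAMPLES = [
    ("username", "alice_01", True),
    ("username", "alice\n", False),        # trailing newline fails fullmatch
    ("account_id", "12345", False),        # too short for the expected shape
    ("account_id", "1234567", True),
    ("report_name", "q1-summary", True),
    ("report_name", "../q1-summary", False),   # '.' and '/' are outside the allowlist
    ("email", "a@example.com", False),     # no rule defined: rejected, not assumed safe
]

def check_samples() -> bool:
    """True when every sample gets the expected verdict."""
    return all(accepted(f, v) == want for f, v, want in SAMPLES)
```

Note that denylist_accepts("../q1-summary") returns True while the allowlist rejects it, which is why matching the expected pattern, rather than searching for known-bad characters, is the recommended approach.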

An Integrated Product Team (IPT) is a multidisciplinary group of individuals who collaborate throughout all stages of the product development process to incorporate diverse perspectives into the design, development, and implementation of a product.

Software Configuration Management (SCM) tracks and controls changes in software to maintain consistency, traceability, and control throughout the software development lifecycle.

Application Programming Interfaces (APIs) are interfaces that allow different software applications to interact and share data with each other. API security issues stem from vulnerabilities that can lead to unauthorized access and/or data leakage.
