
Everything You Need to Know About the New CISSP Exam
Doug Landoll
CEO
Lantego
April 25, 2015

www.lantego.com
(512) 633-8405
dlandoll@lantego.com
@NTXISSA

Session Agenda

CBK & Question Depth
2015 CBK
New Test Question Formats
Study Strategies
Test Taking Strategies


Common Body of Knowledge


Mile wide and an inch deep
  Lots of vocabulary
Minimal numbers and form
  No port #s, no RFC #s
Know your history
  Classic definitions
  Old criteria (e.g. Orange Book)
NTX ISSA Cyber Security Conference April 24-25, 2015


Preparation Process
Learn in groups and relationships
  Look for relationships between terms and principles, across domains, and in practice.
Learn and build mnemonics
  Use memory devices such as anagrams, drawings, and phrases.
  Many of these will be presented in class.
  Compiling these together is referred to as creating your data dump sheet.

Data Dump Sheet Example


2015 Common Body of Knowledge

2015 CBK (8 domains) | Prior CBK (10 domains) it draws from
Security and Risk Management | Legal, Risk Management
Asset Security | (carved out of governance and risk management)
Security Engineering | Security Architecture, Cryptography, Physical Security
Communication and Network Security | Telecommunications
Identity and Access Management | Access Control
Security Assessment and Testing | (new domain)
Security Operations | Operations, BCP
Software Development Security | Software Development Security

8 Domains vs. 10 Domains: Who Cares!



2015 CBK: What's New: Topics

3rd Party Risk Management
BYOD Risks
IoT
Software Defined Networks
Cloud Identity Services (OAuth 2.0)

Maybe +4%

Access Control
Mostly vocabulary
Passwords: static, dynamic, cognitive, vs. passphrases, hashes, thresholds
Biometrics: Effective: RIP; Accepted: VSHK
Strong authentication
IdM: identification, authentication, authorization (X.500, LDAP, XML, SPML, SAML, SOAP)
Policies: DAC, MAC, RBAC
SSO: Kerberos, KryptoKnight, SESAME

Architecture
Computer Architecture
  CPU
  Operating System
System Architecture
  System boundaries
  Security policy models
  Modes of operation
System Evaluation & Accreditation
  System Evaluation
  Certification & Accreditation
Enterprise Architecture
Architecture Threats

Architecture: Models

Model | Attributes | Policy | Comments
Access Matrix | S, O, accesses | C: DAC | Rows: capability lists (CLs); Columns: ACLs
BLP | S, O, a; no read up, no write down | C: DAC, MAC | Simple security property (read), *-property (write)
Biba | S, O, a; no read down, no write up | I: Auth changes | Flips BLP (integrity levels, not confidentiality)
Clark-Wilson | S, TP, O (access triples; no direct subject-to-object access) | I: Auth changes, well-formed transactions, no mistakes, data consistency, separation of duty | Commercial integrity model
Non-Interference | Inputs (cmds), Outputs (views) | I: Auth changes; C: MAC | Useful in CCA (covert channel analysis); not a lattice
Information Flow | Objects, info flow | I: Auth changes; C: MAC | Useful in CCA; not a lattice
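The first three rows of the table, as an added worked example that is not part of the slides: an access matrix exposed through both of its views (capability list per row, ACL per column), a discretionary check against the matrix, and the mandatory read/write rules of Bell-LaPadula and Biba, which mirror each other. The subjects (alice, bob), objects (payroll.db, memo.txt) and the four-level label set are constructed sample data; reusing one Level enum for both confidentiality (BLP) and integrity (Biba) labels is an illustration convenience, since in practice they are separate lattices.

```python
"""Added example: access matrix views plus BLP and Biba rule checks.
All subjects, objects and labels below are constructed sample data."""
from enum import IntEnum


class Level(IntEnum):
    """Ordered labels; higher means more sensitive (BLP) or more trusted (Biba)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Access matrix (DAC): rows are subjects, columns are objects, each cell is
# the set of accesses the subject holds on that object. Constructed sample.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "memo.txt": {"read", "write"}},
    "bob":   {"payroll.db": {"read"}, "memo.txt": {"read", "write"}},
}

# Mandatory labels layered on top of the matrix (constructed sample data).
CLEARANCE = {"alice": Level.SECRET, "bob": Level.CONFIDENTIAL}
CLASSIFICATION = {"payroll.db": Level.SECRET, "memo.txt": Level.CONFIDENTIAL}


def capability_list(subject):
    """Row view of the matrix: everything one subject may do, per object."""
    return {obj: set(acc) for obj, acc in MATRIX.get(subject, {}).items()}


def acl(obj):
    """Column view of the matrix: which subjects may do what to one object."""
    return {subj: set(row[obj]) for subj, row in MATRIX.items() if obj in row}


def dac_permits(subject, obj, access):
    """Discretionary check: is the requested access in the matrix cell?"""
    return access in MATRIX.get(subject, {}).get(obj, set())


def blp_permits(subject_level, object_level, access):
    """Bell-LaPadula confidentiality rules: simple security property
    (no read up) and *-property (no write down)."""
    if access == "read":
        return subject_level >= object_level
    if access == "write":
        return subject_level <= object_level
    raise ValueError(f"unknown access {access!r}")


def biba_permits(subject_level, object_level, access):
    """Biba integrity rules: simple integrity (no read down) and the
    integrity *-property (no write up). Exactly BLP with the comparisons
    flipped, which is why the table says 'Flips BLP'."""
    if access == "read":
        return subject_level <= object_level
    if access == "write":
        return subject_level >= object_level
    raise ValueError(f"unknown access {access!r}")


def blp_authorize(subject, obj, access):
    """BLP as the table lists it, 'C: DAC, MAC': the discretionary matrix
    must grant the access AND the mandatory rule must permit it."""
    return dac_permits(subject, obj, access) and blp_permits(
        CLEARANCE[subject], CLASSIFICATION[obj], access)


if __name__ == "__main__":
    print("capabilities of alice:", capability_list("alice"))
    print("ACL of payroll.db:", acl("payroll.db"))
    # bob holds a DAC 'read' on payroll.db but is cleared only CONFIDENTIAL,
    # so the mandatory no-read-up rule overrides the discretionary grant.
    print("bob read payroll.db:", blp_authorize("bob", "payroll.db", "read"))
    # alice (SECRET) holds DAC 'write' on the CONFIDENTIAL memo, but the
    # *-property forbids writing down, so the request is denied.
    print("alice write memo.txt:", blp_authorize("alice", "memo.txt", "write"))
```

The two denials in the usage block are the exam-relevant point: a DAC grant never overrides a mandatory rule, and BLP's *-property blocks a high-clearance subject from writing to a lower object even though the subject is allowed to read it.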


Cryptography
SYMMETRIC: DES, TDES, AES, IDEA, Blowfish, RCx, CAST, SAFER, Serpent
ASYMMETRIC: D-H, RSA, El Gamal, ECC, LUC, Knapsack
HYBRID: symmetric and asymmetric combined (asymmetric to exchange the key, symmetric for the bulk data)
HASH: MD5, RIPEMD, SHA-x
KEYED HASH: MAC, HMAC
DIGITAL SIGNATURE: DSS, RSA-DS, DSA

Telecommunications


Legal

Type | IP Protected | Term | Issues
Patent | Invention | 20 years; Patent & Trademark Office | 1st to file vs. invent; < 1 year of 1st public use
Copyright | Works of authorship | Life + 70; 95 yrs (works for hire) | Fair Use; Library of Congress; International; DMCA
Trademark | Right to distinguish goods and services | 10 years (+); PTO; Option file | Distinctiveness; (TM) (R); Dilution
Trade Secret | Proprietary information | None | Requirements: commercially viable; not in public domain; reasonable protection

Operations
Penetration test phases (mnemonic: LEVER or DEnVER)
  (Learning) Discovery: newsgroups, domain name registries, ping sweep, trash INT
  Enumeration: port scanning, OS fingerprinting
  Vulnerability Mapping: vulnerability scanning, casing
  Exploitation: exploit vulnerabilities, social engineer, escalate privileges
  Report to Management

New Test Question Formats

Majority: multiple choice, 4 candidate answers, pick one
New question types:
  Scenario
  Drag and Drop
  Hot Spot (hot box)


Scenario Questions
Description:
  Situational: 1-2 paragraphs describing an environment, results of an audit, etc.
  3-5 questions on the scenario
Tactics:
  Read the question first
  Consider operational issues (tradeoffs)


Drag and Drop

Which algorithms below are examples of symmetric cryptography?
  Advanced Encryption Standard
  Rivest Shamir Adleman
  Diffie Hellman
  El Gamal
  Data Encryption Standard

Hot Spot
The diagram below is a design of a Public Key Infrastructure to secure internet transactions. Within the design is a Certificate Authority, a Registration Authority, and a Validation Authority.
Click on the location of the Registration Authority.


Study Strategies
Register NOW
  Allows for study planning
  Commits you to the process of successfully studying
Develop a study plan
  Available days: number of days from now until the exam date, minus work and family commitments
Rule of 12 (now Rule of 10, with 8 domains?)
  Divide your available days by 12 to get study units
  Use 1 unit for each domain
  Use 2 units for full length exams and data dump

Study Strategies (2)

Utilize ALL sources
  CISSP study book(s)
  Question resources: book CD, www.cccure.org, StudISCope
  Course slides and notes
Take unit and mixed-unit exams often
  Mix it up, not the same questions over and over
  Aim for 80% - 85% in all units

Study Strategies (3)

Use memory devices
  Acronyms
    Word-based: DEER MRS CARBIDS
    Use ANAGRAM solvers to create your own
    Sentence-based: Please Do Not Take Sales People's Advice; Plain Brown Potatoes Raise Plain Thin Men
  Other mnemonics
    Phrases: Reading is simple; Link(in) Tunnel
    Diagrams: concentric squares, ACM


Test Taking Strategies

The Day Before
  Get a good rest
  Check out the testing center location
The Day Of
  What to bring: registration paperwork, snack & drink, jacket or sweater
  What NOT to bring: cell phone, digital watch


Test Taking Strategies (2)

Other possible issues
  Noise from nearby construction or weekend event
  Temperature: dress in layers (bring a jacket)
White board and marker
  Ensure you have a good one


Test Taking Strategies (3)

Data Dump Strategy
  Prior to answering any questions, recall and document diagrams, lists, charts, and other mnemonics
Three Pass Method (consider this)
  1. Answer obvious questions, update diagrams
  2. Answer all but the most difficult questions
  3. Complete all questions

Test Taking Strategies (4)

Individual Question Strategy
  Read the question carefully
  Find keywords and qualifiers (e.g., not, best, first)
  Read ALL candidate answers; do not jump to the first good one
Use candidate answers as a clue
  Look for slight differences between candidate answers
  Eliminate clearly wrong answers first
  Phases/steps: key on obviously wrong orderings (e.g., report before analysis)

Test Taking Strategies (5)

Individual Question Strategy (cont.)
  Use information contained in questions and answers
  Update diagrams and lists
Don't argue with the test
  Decide what answer ISC2 is looking for
  Dumb it down

Test Taking Strategies (6)

Drag and Drop Questions
  Essentially a matching exercise
  Easier than normal questions
  Make the simplest / most obvious match first
Scenario Questions
  Find the question first.
  Then go back and get the relevant data
  Usually operational questions: security/usability tradeoffs, risk-based decisions, application of principles


Pearson VUE Screen (screenshots)
  Time Remaining
  Flag for Review
  Review Selection


The Collin College Engineering Department



Collin College Student Chapter of the North Texas ISSA

North Texas ISSA (Information Systems Security Association)

Thank you