ISC² Official · April 2024 · Sybex Aligned

Your complete guide to CISSP certification

All 8 domains covered in depth. Practice questions, cheat sheets, and flashcards — aligned to the official ISC² exam outline and Sybex Study Guide. Free, forever.

Exam Facts
  • Format: CAT. Computerized Adaptive Testing, so difficulty adjusts to your answers in real time.
  • Questions: 100–150. Multiple choice plus advanced innovative items. Some questions are unscored pre-test items.
  • Time Limit: 3 hours. Reduced from 4h as of April 2024. Plan on roughly 72 seconds per question.
  • Passing Score: 700 / 1000. Weighted scaled score. You must demonstrate competency across all domains.
  • Exam Fee: $749 USD. Administered at Pearson VUE testing centers worldwide.
  • Experience: 5 years in 2+ of the 8 domains. 1 year waivable with a degree or an ISC²-approved credential.
  • Renewal: every 3 years. 120 CPE credits plus the Annual Maintenance Fee are required to keep the certification active.
  • Languages: English, Chinese, German, Japanese, Spanish. All are now delivered in CAT format.
💡 CAT Tip: Higher-difficulty questions carry more weight. Focus on deep understanding — the exam tests how you think like a senior security manager, not just recall of facts.
Domain Weight Distribution
  • D1 Security & Risk Management: 16%
  • D2 Asset Security: 10%
  • D3 Security Architecture & Engineering: 13%
  • D4 Communication & Network Security: 13%
  • D5 Identity & Access Management (IAM): 13%
  • D6 Security Assessment & Testing: 12%
  • D7 Security Operations: 13%
  • D8 Software Development Security: 10%
D1: Security & Risk Management

The largest domain. Covers foundational security concepts, risk frameworks, legal/regulatory compliance, personnel security, and business continuity. Think like a CISO.

▲ 16% of exam · Updated 2024

🔒 CIA Triad & Security Concepts

The three foundational pillars of information security. [foundational · always-tested]
Key Points
  • Confidentiality — prevent unauthorized disclosure. Controls: encryption, access control, classification.
  • Integrity — prevent unauthorized modification. Controls: hashing, digital signatures, version control.
  • Availability — ensure authorized access when needed. Controls: redundancy, backups, DDoS protection.
  • Non-repudiation — cannot deny performing an action. Achieved via digital signatures.
CISSP questions often ask which CIA component is violated. Disclosure = Confidentiality. Modification = Integrity. Denial of access = Availability.

📊 Risk Management

Identifying, assessing and responding to risks using qualitative or quantitative methods. [quantitative · core]
Risk Formula
  • Risk = Threat × Vulnerability × Asset Value
  • SLE = Asset Value × Exposure Factor (EF)
  • ALE = SLE × ARO (Annual Rate of Occurrence)
  • Countermeasure Value = ALE(before) – ALE(after) – Annual Cost
Risk Responses
  • Accept — acknowledge and live with the risk.
  • Transfer — shift to third party (insurance, contracts).
  • Avoid — eliminate the activity causing the risk.
  • Mitigate — reduce likelihood or impact with controls.
Qualitative = subjective (High/Med/Low). Quantitative = dollar values (ALE, SLE). Know when to use each.

⚖️ Security Governance

Aligning security with business strategy through policies, standards, and oversight. [management · high-priority]
Policy Hierarchy
  • Policy — high-level mandatory management statements.
  • Standards — specific mandatory requirements supporting policies.
  • Guidelines — recommended but optional best practices.
  • Procedures — step-by-step instructions to implement policies.
Key Concepts
  • Due Care — doing what a reasonable person would do (minimum standard).
  • Due Diligence — ongoing research to maintain due care.
Security function exists to SUPPORT the business. Always choose answers that align security with business objectives.

🏢 Business Continuity (BCP)

Planning to maintain business operations during and after a significant disruption. [BCP/DR · high-priority]
BCP vs DRP
  • BCP — maintains business operations. Long-term, business-wide scope.
  • DRP — restores IT systems. Tactical, IT-focused. Subset of BCP.
Key Terms
  • MTD — Maximum Tolerable Downtime. Business limit before unacceptable damage.
  • RTO — Recovery Time Objective. Must be less than MTD.
  • RPO — Recovery Point Objective. How much data loss is acceptable.
  • Hot/Warm/Cold Site — immediate / hours / days to activate.
RTO must always be less than MTD. BIA is always performed FIRST before writing BCP.

📜 Legal, Regulations & Ethics

Laws, regulations, IP frameworks, and the ISC² Code of Ethics. [regulatory · always-tested]
Key Regulations
  • GDPR — EU privacy. 72-hr breach notification. Up to 4% global revenue fine.
  • HIPAA — US healthcare data (PHI).
  • SOX — Public companies, financial reporting integrity.
  • PCI-DSS — Payment card data. 12 requirements.
ISC² Code of Ethics (priority order)
  • 1. Protect society and the common good.
  • 2. Act honorably, honestly, justly.
  • 3. Provide competent service.
  • 4. Advance the profession.
Society ALWAYS wins over employer interest. If employer asks you to cover up a breach — Ethics Canon 1 overrides Canon 3.

👥 Personnel Security

People-focused controls from hiring through termination to reduce insider threats. [HR · operational]
Key Controls
  • Separation of Duties — no single person controls entire critical process.
  • Least Privilege — minimum access needed for job function.
  • Mandatory Vacation — detects fraud (someone must cover your role).
  • Job Rotation — cross-training and fraud detection.
Termination
  • Hostile — disable access FIRST, then inform the employee.
  • Friendly — exit interview, return assets, disable accounts.
For hostile terminations: disable access FIRST. Sequence matters in exam questions.
D2: Asset Security

Classifying information, determining ownership, handling data throughout its lifecycle, and applying appropriate protection measures.

10% of exam

🏷️ Data Classification

Labeling data based on sensitivity to determine protection levels. [classification · core]
Government Levels
  • Top Secret — grave damage to national security.
  • Secret — serious damage.
  • Confidential — damage.
  • Unclassified — no damage expected.
Commercial Levels
  • Confidential/Proprietary → Private → Sensitive → Public
Data Owner sets the classification. Data Custodian implements controls. Never confuse these roles.

👤 Data Ownership Roles

Roles and responsibilities for managing data throughout its lifecycle. [roles · always-tested]
Key Roles
  • Data Owner — senior business manager. Accountable. Sets classification.
  • Data Custodian — IT department. Implements technical controls. Not accountable.
  • Data Processor (GDPR) — processes data on behalf of the controller.
  • Data Controller (GDPR) — determines purpose and means of processing.
Owner = accountability. Custodian = responsibility for implementation.

🔒 Data States

The three states data exists in and appropriate protection for each. [data-states · core]
Three States
  • Data at Rest — stored on disk/DB. Controls: AES encryption, access controls.
  • Data in Transit — moving across network. Controls: TLS 1.3, VPN, HTTPS.
  • Data in Use — in RAM/CPU. Controls: DRM, trusted execution environments.
Data in Use is the hardest to protect. Cold boot attacks target data in use by dumping RAM.

🗑️ Data Destruction

Methods for permanently and verifiably destroying data. [destruction]
NIST SP 800-88 Methods
  • Clear — overwrite. Protects against simple recovery.
  • Purge — degaussing or secure erase. Protects against lab attacks.
  • Destroy — shred/incinerate. Highest assurance.
  • Crypto-shredding — delete encryption keys. Best for cloud/SSD.
Degaussing only works on magnetic media — NOT SSDs. Use crypto-shredding for cloud data.

🔐 Privacy Protection

Protecting personal information in compliance with global privacy regulations. [privacy · GDPR]
Key Definitions
  • PII — Personally Identifiable Information (name, SSN, email).
  • PHI — Protected Health Information (medical records).
GDPR Principles
  • Data minimization — collect only what's necessary.
  • Purpose limitation — use only for stated purpose.
  • Right to erasure — "right to be forgotten".
  • Privacy by design — build privacy in from the start.
GDPR applies to ANY org processing EU residents' data regardless of location. Fines: up to €20M or 4% of global revenue.
D3: Security Architecture & Engineering

Secure design principles, security models, cryptography, physical security, and vulnerability assessment. The most technically deep domain.

13% of exam

🏛️ Secure Design Principles

Core principles every security architect must apply. [principles · core]
Key Principles
  • Least Privilege — minimum access needed.
  • Defense in Depth — multiple independent layers of controls.
  • Fail Secure — default to denied state on failure.
  • Separation of Privilege — require multiple conditions to grant access.
  • Economy of Mechanism — keep security simple; complexity = risk.
  • Zero Trust — never trust, always verify. Assume breach.
Defense in Depth = multiple independent layers. If one fails, others remain. Like an onion.

🔐 Security Models

Formal frameworks defining rules for access control and data protection. [models · always-tested]
Confidentiality Models
  • Bell-LaPadula — No Read Up, No Write Down. Military confidentiality.
Integrity Models
  • Biba — No Read Down, No Write Up. Opposite of BLP.
  • Clark-Wilson — Integrity via well-formed transactions (CDI, TP, IVP).
Other Models
  • Brewer-Nash (Chinese Wall) — prevents conflict of interest.
  • State Machine — must be secure in all possible states.
BLP = Confidentiality. Biba = Integrity. They have opposite rules. BLP prevents leaks DOWN; Biba prevents corruption from BELOW.

🔑 Cryptography Fundamentals

Symmetric, asymmetric, and hashing algorithms — the backbone of security. [crypto · core]
Symmetric (same key)
  • AES — 128/192/256-bit. Current gold standard. FIPS 197.
  • 3DES — Being phased out. Slow.
  • RC4 — BROKEN. Used in WEP (why WEP is broken).
Asymmetric (key pairs)
  • RSA — prime factorization. 2048+ bits recommended.
  • ECC — smaller keys, same security. 256-bit ECC ≈ 3072-bit RSA.
  • Diffie-Hellman — key EXCHANGE only, not encryption.
Hash Functions
  • MD5/SHA-1 — BROKEN/WEAK. Never use for security.
  • SHA-256/512 — Current standard. Use these.
  • HMAC — Hash + secret key = integrity AND authentication.
Hybrid = asymmetric for key exchange, symmetric for bulk data. This is how TLS works.

📜 PKI & Digital Certificates

Infrastructure for managing digital certificates and public/private key pairs. [PKI · high-priority]
PKI Components
  • CA — Certificate Authority. Issues and signs certificates.
  • X.509 — certificate format used in TLS/HTTPS.
  • CRL — Certificate Revocation List. Batch, periodic.
  • OCSP — Online Certificate Status Protocol. Real-time revocation.
Digital Signatures
  • Signing — encrypt hash with YOUR PRIVATE key.
  • Verification — decrypt with sender's PUBLIC key.
  • Encryption — encrypt with recipient's PUBLIC key.
Signatures use PRIVATE key (only you can sign). Encryption uses recipient's PUBLIC key. Memorize this — always tested.

🛡️ Physical Security

Protecting physical assets, facilities, and personnel. [physical]
Defense Layers (outside in)
  • Perimeter — fences, walls, lighting, CCTV, guards.
  • Outer — building exterior, badge readers.
  • Inner — mantraps, biometrics.
  • Target — server room, vault, data center.
Key Controls
  • Mantrap — two-door entry, prevents tailgating.
  • CPTED — Crime Prevention Through Environmental Design.
  • FM-200/Halon — clean agent fire suppression for data centers.
No technical control matters if an attacker has physical access to your servers.
D4: Communication & Network Security

Network architecture, protocols, secure communications, and protection against network attacks. Know the OSI model cold.

13% of exam

🌐 OSI & TCP/IP Models

Layered networking models that define how data moves across networks. [models · always-tested]
OSI 7 Layers (top → bottom)
  • 7 Application — HTTP, DNS, SMTP, FTP.
  • 6 Presentation — Encryption, compression.
  • 5 Session — Sessions, NetBIOS.
  • 4 Transport — TCP (reliable), UDP (fast). Ports here.
  • 3 Network — IP, ICMP, routing.
  • 2 Data Link — MAC, ARP, switches.
  • 1 Physical — Cables, hubs, bits.
Mnemonic: All People Seem To Need Data Processing. Firewalls = L3/L4. WAFs = L7.

🔒 Wireless Security

Wireless protocols from WEP (broken) to WPA3 (current standard). [wireless · core]
Protocol Evolution
  • WEP — BROKEN. RC4 misuse. Crack in minutes. Never use.
  • WPA — TKIP. Weak. Deprecated.
  • WPA2 — AES/CCMP. Strong. Use Enterprise (802.1X) mode for corporate.
  • WPA3 — SAE handshake. Forward secrecy. Current gold standard.
Only WPA2 and WPA3 are acceptable. 802.1X + RADIUS = enterprise wireless auth.

🛡️ IDS/IPS

Systems that monitor network traffic to detect and optionally block attacks. [IDS/IPS]
IDS vs IPS
  • IDS — detects and alerts only. Passive. Out-of-band.
  • IPS — detects and blocks. Active. Inline deployment.
Detection Methods
  • Signature-based — matches known patterns. Fast, can't detect zero-days.
  • Anomaly-based — detects deviations from baseline. Finds new attacks, high false positives.
False positive = legitimate traffic flagged. False negative = real attack missed (dangerous).

⚡ Network Attacks

Common attacks targeting network infrastructure and communications. [attacks]
Attacks & Mitigations
  • DoS/DDoS — overwhelm resources. Mitigate: rate limiting, CDN.
  • ARP Poisoning — associate attacker MAC with legitimate IP. Mitigate: dynamic ARP inspection.
  • MITM — intercept communications. Mitigate: TLS, mutual authentication.
  • Replay Attack — resend captured auth data. Mitigate: timestamps, nonces.
For every attack, know the countermeasure. CISSP tests "what would you do," not just "what is this."

🔑 Critical Port Numbers

Essential ports every CISSP candidate must know. [ports · memorize]
Must-Know Ports
  • 22 — SSH/SFTP/SCP (secure)
  • 23 — Telnet (INSECURE — replace with SSH)
  • 53 — DNS (UDP queries, TCP zone transfers)
  • 80/443 — HTTP / HTTPS
  • 389/636 — LDAP / LDAPS (secure)
  • 1812/1813 — RADIUS
  • 3389 — RDP (high risk — always restrict)
  • 88 — Kerberos
Always choose the encrypted alternative. TLS 1.2 acceptable, TLS 1.3 preferred. SSL and TLS 1.0/1.1 are broken.
D5: Identity & Access Management (IAM)

How users, devices, and services are identified, authenticated, and granted access. The first line of defense.

13% of exam

🪪 Identification, Authentication, Authorization

The three fundamental steps of access control. [core · always-tested]
Four Steps
  • Identification — claiming an identity (username).
  • Authentication — proving identity (password, MFA).
  • Authorization — what actions are permitted (ACLs, roles).
  • Accountability — logging all actions (audit trail, non-repudiation).
All four must be present for complete access control. Missing accountability = no audit trail.

🔐 Authentication Factors

The categories of evidence used to prove identity. [authentication · core]
Three Primary Factors
  • Something you Know — password, PIN, passphrase.
  • Something you Have — token, smart card, OTP app.
  • Something you Are — biometrics: fingerprint, iris, facial.
MFA Rule
  • MFA requires 2+ DIFFERENT factor TYPES.
  • Password + PIN = NOT MFA (both are "know").
  • Password + OTP app = MFA (know + have). ✅
Two passwords = Single Factor. MFA requires factors from DIFFERENT categories. Common trick question.

📏 Access Control Models

Frameworks governing how access decisions are made. [access-control · high-priority]
Model Comparison
  • DAC — Discretionary. Owner controls. Most flexible. Least secure.
  • MAC — Mandatory. System enforces via labels. Most secure. Government.
  • RBAC — Role-Based. Access by job role. Most common in enterprise.
  • ABAC — Attribute-Based. Dynamic policies. Most flexible/complex.
DAC = owner decides. MAC = system decides via labels. RBAC = most common in business.

🧬 Biometrics

Using physical or behavioral characteristics for authentication. [biometrics · memorize]
Error Rates
  • FAR (Type II) — False Acceptance Rate. Unauthorized ACCEPTED. Security risk!
  • FRR (Type I) — False Rejection Rate. Authorized REJECTED. Usability issue.
  • CER/EER — Crossover Error Rate. Where FAR = FRR. Lower = better.
FAR = security concern. FRR = usability concern. CER compares biometric systems — choose lowest CER.

🌐 Federation & SSO

Technologies enabling single sign-on and cross-org identity trust. [federation · core]
Key Protocols
  • SAML 2.0 — XML-based. Enterprise SSO between IdP and SP.
  • OAuth 2.0 — Authorization delegation. NOT authentication.
  • OpenID Connect — Authentication layer on top of OAuth 2.0.
  • Kerberos — Ticket-based SSO. KDC issues TGT. Port 88.
  • RADIUS — UDP 1812/1813. AAA for network access.
  • TACACS+ — TCP 49. Encrypts entire payload. Cisco networks.
OAuth = Authorization. OpenID Connect = Authentication. They're often confused. SAML = enterprise SSO standard.
D6: Security Assessment & Testing

Validating security controls through assessments, audits, vulnerability scanning, penetration testing, and logging.

12% of exam

🔍 Vulnerability Assessment vs Pen Testing

Two complementary approaches to finding security weaknesses. [testing · always-tested]
Key Differences
  • Vulnerability Assessment — identifies weaknesses. Non-destructive. No exploitation.
  • Penetration Test — actively exploits. Simulates real attacker. Demonstrates impact.
  • Both require — written authorization and Rules of Engagement.
Testing Knowledge Levels
  • Black Box — no prior knowledge. Most realistic.
  • White Box — full knowledge. Most thorough.
  • Gray Box — partial knowledge. Most common in real engagements.
VA = what vulnerabilities exist. PT = which are exploitable. Both are needed.

📊 Security Metrics

Quantitative measures to track security program effectiveness. [metrics · memorize]
Key Metrics
  • MTTD — Mean Time To Detect.
  • MTTR — Mean Time To Repair/Restore.
  • MTBF — Mean Time Between Failures (reliability).
  • MTTF — Mean Time To Failure (non-repairable).
  • Availability = MTBF ÷ (MTBF + MTTR)
Five 9s = 99.999% = ~5.26 minutes downtime/year. Improve availability: increase MTBF or decrease MTTR.

📋 Security Audits & SOC Reports

Formal evaluations of security controls, policies, and compliance. [auditing · high-priority]
SOC Report Types
  • SOC 1 — financial reporting controls.
  • SOC 2 Type I — control design at a point in time. Weaker assurance.
  • SOC 2 Type II — operating effectiveness over 6-12 months. Strongest.
  • SOC 3 — public version of SOC 2. Marketing use.
SOC 2 Type II is what customers ask cloud providers for. Type II = sustained period = strong assurance.

🎯 Red / Blue / Purple Teams

Structured adversarial exercises to test and improve security. [teams]
Team Roles
  • Red Team — offensive. Simulates real attackers.
  • Blue Team — defensive. Detects, responds, recovers.
  • Purple Team — both working together. Maximizes learning.
Exercise Types
  • Tabletop Exercise (TTX) — discussion-based. No live systems. Tests plans.
  • Live Fire — real systems, real attacks. Tests actual capabilities.
Tabletop exercises are the cheapest and safest way to test IR. Live exercises are realistic but carry a risk of unintended damage.
D7: Security Operations

Day-to-day management: incident response, disaster recovery, change management, and investigations. The most procedural domain.

13% of exam

🚨 Incident Response (PICERL)

The structured 6-phase NIST SP 800-61 incident response process. [IR · always-tested]
NIST SP 800-61 Phases
  • 1. Preparation — IR plan, team, tools, training.
  • 2. Identification — confirm incident, scope, severity.
  • 3. Containment — FIRST PRIORITY. Stop the spread.
  • 4. Eradication — remove malware, close vulnerabilities.
  • 5. Recovery — restore systems, verify operation.
  • 6. Lessons Learned — post-incident review.
Containment is ALWAYS the first active step. "People In California Eat Real Lemons" = PICERL mnemonic.

🔬 Digital Forensics

Scientifically collecting digital evidence for legal proceedings. [forensics · high-priority]
Order of Volatility (collect first)
  • 1. CPU registers and cache (most volatile).
  • 2. RAM — processes, connections, encryption keys.
  • 3. Swap/page file.
  • 4. Disk storage.
  • 5. Remote/cloud logs (least volatile).
Key Principles
  • Chain of custody — document all evidence handling.
  • Write blocker — prevents modification of evidence.
  • Forensic copy — bit-for-bit. Never work on originals.
NEVER work on original evidence. Breaking chain of custody = inadmissible in court.

💾 Disaster Recovery

Technical plans to restore IT systems after a disaster. [DR · core]
Recovery Sites
  • Hot Site — fully operational. Minutes. Most expensive.
  • Warm Site — partially configured. Hours. Medium cost.
  • Cold Site — empty space + power. Days/weeks. Cheapest.
Backup Types
  • Full — all data. Slowest backup, fastest restore.
  • Incremental — since last backup. Fastest backup, slowest restore.
  • Differential — since last FULL. Medium backup, medium restore.
  • 3-2-1 Rule — 3 copies, 2 media types, 1 offsite.
RTO must be less than MTD. RPO determines backup frequency.

🛡️ Security Operations Center (SOC)

Centralized team monitoring and responding to security events 24/7. [SOC · 2024]
SOC Tiers
  • Tier 1 — alert triage, initial investigation, escalation.
  • Tier 2 — deeper investigation, incident handling.
  • Tier 3 — threat hunting, malware analysis. Highest skill.
Key Tools
  • SIEM — centralized logging and correlation.
  • SOAR — Security Orchestration Automation and Response.
  • Playbook — step-by-step response procedure.
SOAR automates repetitive SOC tasks (block IP, create ticket, notify team). Reduces analyst fatigue.
D8: Software Development Security

Integrating security throughout the SDLC. Secure coding, software vulnerabilities, and third-party software security.

▼ 10% of exam · Updated 2024

🔄 Secure SDLC

Embedding security at every phase of the development lifecycle. [SDLC · core]
SDLC Phases + Security
  • Requirements — define security requirements early.
  • Design — threat modeling (STRIDE), secure architecture review.
  • Coding — secure coding practices, code review.
  • Testing — SAST, DAST, pen testing.
  • Deployment — hardened configs, secrets management.
  • Maintenance — patch management, vulnerability monitoring.
Shift-left = fix security earlier = cheaper. A bug found in requirements costs 1x to fix; in production costs 100x.

🐛 OWASP Top 10

The most prevalent and dangerous software security weaknesses. [OWASP · always-tested]
Key Vulnerabilities
  • Injection (A03) — SQL, XSS, command. Fix: parameterized queries.
  • Broken Access Control (A01) — users exceed permissions. Fix: deny by default.
  • Cryptographic Failures (A02) — weak/no encryption. Fix: TLS, strong algorithms.
  • Security Misconfiguration (A05) — default credentials. Fix: hardening.
  • SSRF (A10) — server makes attacker-controlled requests.
Injection is the classic OWASP vulnerability. Parameterized queries are the primary defense. Never concatenate user input into SQL.
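Added illustration for the injection item above (this is editor-added code, not from the page, ISC² or Sybex): the string-concatenation anti-pattern beside its parameterized fix, both run against a constructed in-memory SQLite table. The table contents and the usernames are made up for the demo.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample accounts (demo data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """The anti-pattern: user input is concatenated into the SQL text.

    Whatever the caller supplies becomes part of the statement, so a quote
    in the input changes the query's structure instead of being data.
    Returns the rows, or an error string when the input breaks the syntax.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"


def lookup_parameterized(conn: sqlite3.Connection, username: str):
    """The fix: a placeholder in the SQL, the value bound separately.

    The driver never parses the bound value as SQL, so quotes, OR clauses
    and comment markers in the input are compared literally against the column.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    for name in ("alice", "o'brien", "' OR '1'='1"):
        print(repr(name))
        print("  concatenated :", lookup_vulnerable(db, name))
        print("  parameterized:", lookup_parameterized(db, name))
```

Run it and the contrast is visible on two kinds of input: a perfectly legitimate name containing an apostrophe crashes the concatenated query (a reliability bug that is also the tell-tale of the injection flaw), while the classic tautology input returns every row from the concatenated query and nothing from the parameterized one.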

🧪 SAST vs DAST vs IAST

Application security testing methodologies. [testing]
Testing Types
  • SAST — static analysis. No execution. Find early. False positive prone.
  • DAST — dynamic analysis. Running app. Finds runtime issues.
  • IAST — agent inside running app. Best coverage.
  • Fuzzing — random input to find crashes.
SAST = finds issues in code before running. DAST = finds issues in running app. Both needed.

🚀 DevSecOps

Integrating security into DevOps CI/CD pipelines. [DevSecOps · 2024]
Pipeline Security
  • Secrets management — never hardcode credentials. Use vaults.
  • SAST in pipeline — automated code scanning on every commit.
  • Container scanning — check images for vulnerabilities before deploy.
  • SBOM — Software Bill of Materials. Inventory all dependencies.
Hardcoded secrets in repos = #1 DevSecOps mistake. Use HashiCorp Vault, AWS Secrets Manager, etc.

Risk Quantification

SLE = Asset Value × Exposure Factor (EF)
ALE = SLE × ARO
Countermeasure = ALE(before) − ALE(after) − Annual Cost
Risk = Threat × Vulnerability × Asset Value
EF: % of asset destroyed per incident (0–1)
ARO: Times per year (0.5 = once every 2 years)
Example: $500K server × 40% EF × 0.5 ARO = $100K ALE/year
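Worked example, added here as editor code (not from the page, ISC² or Sybex): the SLE/ALE/countermeasure formulas as a small calculator that reproduces the $500K × 40% × 0.5 = $100K figure and then ranks two constructed control options by countermeasure value. The control names, their annual costs and the reduced EF/ARO figures are made-up inputs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """Inputs to the quantitative risk formulas (money in dollars)."""
    asset_value: float       # AV
    exposure_factor: float   # EF: fraction of the asset lost per incident, 0.0 to 1.0
    aro: float               # ARO: expected incidents per year (0.5 = once every 2 years)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")


def sle(s: RiskScenario) -> float:
    """Single Loss Expectancy = AV x EF."""
    return s.asset_value * s.exposure_factor


def ale(s: RiskScenario) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle(s) * s.aro


def countermeasure_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """ALE(before) - ALE(after) - annual cost. Positive means the control pays for itself."""
    return ale(before) - ale(after) - annual_cost


def rank_countermeasures(before: RiskScenario,
                         options: dict[str, tuple[RiskScenario, float]]) -> list[tuple[str, float]]:
    """Rank named controls by countermeasure value, best first.

    options maps a control name to (scenario after the control is applied, annual cost).
    """
    ranked = [(name, countermeasure_value(before, after, cost))
              for name, (after, cost) in options.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed baseline matching the page's numbers: $500K server, 40% EF, ARO 0.5.
BASELINE = RiskScenario(asset_value=500_000, exposure_factor=0.40, aro=0.5)

# Two hypothetical controls (constructed figures). One lowers how often the loss
# happens (ARO), the other lowers how much is lost each time (EF).
OPTIONS = {
    "offsite backups": (RiskScenario(500_000, 0.40, 0.10), 30_000),  # ARO 0.5 -> 0.1
    "hot spare":       (RiskScenario(500_000, 0.20, 0.50), 60_000),  # EF 40% -> 20%
}

if __name__ == "__main__":
    print(f"SLE = ${sle(BASELINE):,.0f}  ALE = ${ale(BASELINE):,.0f}/year")
    for name, value in rank_countermeasures(BASELINE, OPTIONS):
        verdict = "worth it" if value > 0 else "not justified"
        print(f"{name:16s} ${value:>10,.0f}/year  ({verdict})")
```

With these inputs the backups option nets $50K a year, while the hot spare costs $10K more than the loss it removes, which is the exam's point: a control is justified by ALE reduction minus its cost, not by how much risk it removes in isolation.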

Recovery & Availability

Availability = MTBF / (MTBF + MTTR)
WRT = MTD − RTO
MTBF: Mean Time Between Failures
MTTR: Mean Time To Repair/Restore
MTD: Maximum Tolerable Downtime — RTO must be LESS than this
RPO: How much data loss is acceptable — determines backup frequency
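Added example (editor code, not from the page): the availability formula and the MTD/RTO/RPO rules above turned into a few checks a BCP reviewer can run. It computes availability from MTBF and MTTR, converts "N nines" into minutes of downtime per year (the page's five-nines figure), and applies the two rules RTO < MTD and backup interval ≤ RPO. The MTD/RTO/RPO hour values in the usage section are constructed.

```python
MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600 (non-leap year, as in the page's five-nines figure)


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Availability = MTBF / (MTBF + MTTR)."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def downtime_minutes_per_year(avail: float) -> float:
    """Expected downtime implied by an availability fraction."""
    return (1.0 - avail) * MINUTES_PER_YEAR


def downtime_for_nines(n: int) -> float:
    """Minutes of downtime per year for 'n nines' (5 -> 99.999%)."""
    return downtime_minutes_per_year(1.0 - 10.0 ** -n)


def nines_label(avail: float) -> str:
    """Render availability as a percentage with enough digits to show the nines."""
    return f"{avail * 100:.3f}%"


def check_recovery_objectives(mtd_hours: float, rto_hours: float,
                              rpo_hours: float, backup_interval_hours: float) -> dict:
    """Apply the page's rules to a set of BIA targets.

    - RTO must be less than MTD (WRT = MTD - RTO is what is left for users to
      catch up on work once systems are back).
    - Backups must run at least as often as the RPO, or the data-loss target
      cannot be met.
    """
    return {
        "wrt_hours": mtd_hours - rto_hours,
        "rto_within_mtd": rto_hours < mtd_hours,
        "backups_meet_rpo": backup_interval_hours <= rpo_hours,
    }


if __name__ == "__main__":
    # Constructed component: fails every 1000 hours, takes 1 hour to repair.
    a = availability(mtbf_hours=1000, mttr_hours=1)
    print(nines_label(a), f"{downtime_minutes_per_year(a):.1f} min/year")
    for n in range(2, 6):
        print(f"{n} nines -> {downtime_for_nines(n):.2f} min/year")
    # Constructed BIA targets: 24h MTD, 8h RTO, 4h RPO, hourly backups.
    print(check_recovery_objectives(24, 8, 4, 1))
```

The MTBF 1000 / MTTR 1 component comes out at 99.900%, roughly 8.7 hours of downtime a year; the loop shows why each extra nine costs so much more to engineer (five nines is about 5.26 minutes). The objectives check flags the common exam traps: an RTO longer than the MTD, or a backup schedule coarser than the RPO.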

Biometric Error Rates

FAR = False Acceptance Rate (Type II)
FRR = False Rejection Rate (Type I)
CER/EER = where FAR equals FRR (lower = better)
FAR: Unauthorized user accepted — SECURITY RISK
FRR: Authorized user rejected — usability issue

Backup Recovery

Full: Restore needs → 1 tape (fastest)
Differential: Restore needs → Full + latest diff
Incremental: Restore needs → Full + ALL incrementals (slowest)
Incremental: fastest to backup, slowest to restore
Differential: slower backup, faster restore than incremental
3-2-1 Rule: 3 copies, 2 media types, 1 offsite
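Added example (editor code, not from the page): the backup trade-off above made concrete. For a one-week cycle with a full backup on day 0, it lists which backups a restore must read under each strategy, and models how much data each daily backup copies under the constructed assumption that a fixed amount of data changes every day. The 100 GB base size and 5 GB/day change rate are made up.

```python
STRATEGY_KIND = {"full": "full", "differential": "diff", "incremental": "inc"}


def weekly_schedule(strategy: str, days: int = 7) -> list[tuple[int, str]]:
    """Day 0 is the weekly full; days 1..days-1 use the strategy's backup type."""
    kind = STRATEGY_KIND[strategy]
    return [(0, "full")] + [(d, kind) for d in range(1, days)]


def restore_set(backups: list[tuple[int, str]], target_day: int) -> list[tuple[int, str]]:
    """Which backups must be read, in order, to restore the state as of target_day.

    full:         the most recent full only
    differential: the last full plus the newest differential after it
    incremental:  the last full plus every incremental after it
    """
    fulls = [b for b in backups if b[1] == "full" and b[0] <= target_day]
    if not fulls:
        raise ValueError("no full backup on or before the target day")
    last_full = max(fulls)  # tuples compare by day first
    later = [b for b in backups if last_full[0] < b[0] <= target_day]
    needed = [last_full]
    if any(kind == "inc" for _, kind in later):
        needed += [b for b in later if b[1] == "inc"]          # chain of every incremental
    elif later:
        needed.append(max(b for b in later if b[1] == "diff"))  # only the latest differential
    return needed


def backup_size_gb(strategy: str, day: int, base_gb: float, daily_change_gb: float) -> float:
    """Data copied by the backup taken on 'day' (constructed constant-change model).

    full:         everything (base plus all changes so far)
    differential: everything changed since the last full (grows through the week)
    incremental:  only what changed since yesterday (constant)
    """
    if day == 0 or strategy == "full":
        return base_gb + day * daily_change_gb
    if strategy == "differential":
        return day * daily_change_gb
    return daily_change_gb


if __name__ == "__main__":
    for strategy in STRATEGY_KIND:
        plan = weekly_schedule(strategy)
        copied = sum(backup_size_gb(strategy, d, 100, 5) for d, _ in plan)
        print(f"{strategy:12s} restore on day 3 reads {restore_set(plan, 3)}; "
              f"week copies {copied:.0f} GB")
```

Restoring day 3 needs one tape under daily fulls, two under differentials and four under incrementals, while the weekly volume written runs the other way, which is exactly the "fastest backup, slowest restore" line in the table.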

Bell-LaPadula — Confidentiality

No Read Up (Simple Security Property)
No Write Down (Star Property *)
Goal: Prevent classified info flowing to lower levels. Military.
Mnemonic: "BLP = Be Leaking Prevention"

Biba — Integrity

No Read Down (Simple Integrity Axiom)
No Write Up (Star Integrity Property *)
Goal: Prevent data corruption from low-integrity sources.
Note: Opposite of Bell-LaPadula. BLP = Confidentiality. Biba = Integrity.

Clark-Wilson — Integrity

CDI: Constrained Data Item — must maintain integrity
TP: Transformation Procedure — only authorized way to change CDI
IVP: Integrity Verification Procedure — checks CDI validity
Use: Commercial environments. Separation of duties built in.

Access Control Quick Reference

DAC: Owner controls (Windows ACLs) — most flexible
MAC: Labels enforced by system — most secure (government)
RBAC: Access by job role — most common in enterprise
ABAC: Dynamic attribute-based policies — most flexible/complex
Brewer-Nash: Chinese Wall — prevents conflict of interest

Symmetric Algorithms

AES: 128/192/256-bit. Block cipher. Current standard. FIPS 197. ✅
3DES: 112-168-bit. Being phased out. Slow.
RC4: Stream cipher. BROKEN. Used in WEP. ❌
DES: 56-bit. BROKEN. Do not use. ❌

Asymmetric Algorithms

RSA: 2048+ bits. Prime factorization. Key exchange + signatures.
ECC: Smaller key = same security. 256-bit ECC ≈ 3072-bit RSA. Mobile/IoT.
DH: Key EXCHANGE ONLY. Not encryption.
DSA: Signatures ONLY. NOT encryption.

Hash Functions

MD5: 128-bit. BROKEN (collision attacks). ❌
SHA-1: 160-bit. WEAK. Deprecated. ❌
SHA-256/512: Current standard. Use these. ✅
HMAC: Hash + secret key = integrity AND authentication.
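Added example (editor code, not from the page) for the HMAC line here and in D3 Cryptography Fundamentals: why "hash + secret key" gives authentication where a bare hash gives only integrity. A message is protected with a plain SHA-256 digest and with an HMAC tag; a tamperer without the key can refresh the digest to match an altered message but cannot produce a valid tag. The key and messages are constructed demo values.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Plain digest: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed digest: only a holder of the key can produce or check it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash_only(message: bytes, digest: str) -> bool:
    """Integrity only. compare_digest is constant-time, so the comparison itself leaks nothing."""
    return hmac.compare_digest(sha256_hex(message), digest)


def verify_hmac(key: bytes, message: bytes, tag: str) -> bool:
    """Integrity and authentication: a matching tag proves the sender knew the key."""
    return hmac.compare_digest(hmac_sha256_hex(key, message), tag)


def tamper_demo() -> dict:
    # Constructed demo key. Real keys come from a CSPRNG or a key management service.
    key = b"constructed-demo-key-do-not-reuse"
    original = b"amount=100;payee=alice"
    altered = b"amount=900;payee=alice"

    # Sender protects the message both ways.
    digest = sha256_hex(original)
    tag = hmac_sha256_hex(key, original)

    # Someone modifying the message in transit can recompute the bare hash
    # for the altered text, but has no key to recompute the HMAC tag.
    refreshed_digest = sha256_hex(altered)

    return {
        "hash_only_accepts_altered": verify_hash_only(altered, refreshed_digest),  # True
        "hmac_accepts_original": verify_hmac(key, original, tag),                  # True
        "hmac_accepts_altered": verify_hmac(key, altered, tag),                    # False
        "hmac_accepts_wrong_key": verify_hmac(b"some-other-key", original, tag),   # False
        "hash_only_original_digest": digest,
    }


if __name__ == "__main__":
    for name, value in tamper_demo().items():
        print(f"{name:28s} {value}")
```

The first line of output is the lesson: a receiver checking only a hash accepts the altered message, because the hash travelled with it and was simply replaced. The HMAC receiver rejects both the altered message and a tag made with any other key. Use `hmac.compare_digest` rather than `==` for tag checks so that a mismatch takes the same time regardless of where the bytes differ.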

Digital Signatures & PKI

Sign: encrypt hash with YOUR PRIVATE key
Verify: decrypt with sender's PUBLIC key
Encrypt: use recipient's PUBLIC key
CRL: Certificate Revocation List — periodic batch check
OCSP: Online Certificate Status — real-time check
Key Escrow: Copy of private key held by third party for recovery

Critical Port Numbers

22 SSH/SFTP/SCP (secure ✅)
23 Telnet (INSECURE ❌)
53 DNS (UDP/TCP)
80 HTTP (INSECURE ❌)
88 Kerberos
389 LDAP (INSECURE ❌)
443 HTTPS (secure ✅)
636 LDAPS (secure ✅)
1812 RADIUS
3389 RDP (high risk ⚠️)

Authentication Protocols

Kerberos: Ticket-based SSO. KDC → TGT → service ticket. Port 88.
RADIUS: UDP 1812/1813. Encrypts only password. Network access AAA.
TACACS+: TCP 49. Encrypts entire payload. Separates A-A-A. Cisco.
SAML: XML-based. Enterprise SSO/Federation. IdP issues assertions.
OAuth: Authorization delegation. NOT authentication.

Wireless Security

WEP → BROKEN (RC4 + weak IV) ❌
WPA → TKIP — deprecated ❌
WPA2 → AES/CCMP — strong ✅
WPA3 → SAE + forward secrecy ✅
802.1X: Port-based NAC. Supplicant → Authenticator → RADIUS.

IPSec Components

AH: Authentication Header — auth + integrity ONLY. No encryption.
ESP: Encapsulating Security Payload — auth + integrity + encryption. ✅
Tunnel mode: gateway-to-gateway (encrypts entire IP packet)
Transport mode: host-to-host (encrypts payload only)

OSI Layers

Top-down (Application → Physical): All People Seem To Need Data Processing
Bottom-up (Physical → Application): Please Do Not Throw Sausage Pizza Away

Incident Response — PICERL

P — Preparation
I — Identification / Detection
C — Containment ← FIRST ACTIVE STEP
E — Eradication
R — Recovery
L — Lessons Learned
Mnemonic: "People In California Eat Real Lemons"

Recovery Sites

Hot → Ready NOW 💰💰💰 (expensive)
Warm → Hours to days 💰💰 (medium)
Cold → Days to weeks 💰 (cheapest)
"Hot price = Hot response"

Ethics Priority Order

1. Protect SOCIETY ← always wins
2. Act HONORABLY
3. Provide COMPETENT service
4. Advance the PROFESSION
Society before employer, ALWAYS.

Bell-LaPadula vs Biba

Bell-LaPadula = CONFIDENTIALITY: No Read UP, No Write DOWN
Biba = INTEGRITY: No Read DOWN, No Write UP
They are exact opposites.
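Added example (editor code, not from the page) covering this comparison and the D3 Security Models section: a tiny reference monitor that evaluates read and write requests under Bell-LaPadula and under Biba, returning the property that decided each request, plus a check that the two models disagree on every request where subject and object are at different levels. The level labels are constructed; any total order works.

```python
from enum import Enum


class Op(Enum):
    READ = "read"
    WRITE = "write"


# Constructed lattices; list index is the level, low to high.
CLEARANCE = ["Unclassified", "Confidential", "Secret", "Top Secret"]  # Bell-LaPadula labels
INTEGRITY = ["Low", "Medium", "High"]                                  # Biba labels


def blp_allows(s: int, o: int, op: Op) -> tuple[bool, str]:
    """Bell-LaPadula on numeric levels: subject s, object o."""
    if op is Op.READ:
        return (s >= o, "Simple Security Property: no read up")
    return (s <= o, "Star Property: no write down")


def biba_allows(s: int, o: int, op: Op) -> tuple[bool, str]:
    """Biba on numeric levels: the mirror image of Bell-LaPadula."""
    if op is Op.READ:
        return (s <= o, "Simple Integrity Axiom: no read down")
    return (s >= o, "Star Integrity Property: no write up")


def decide(model: str, subject: str, obj: str, op: Op) -> dict:
    """Reference-monitor style decision that also names the rule applied."""
    if model == "blp":
        levels, rule = CLEARANCE, blp_allows
    elif model == "biba":
        levels, rule = INTEGRITY, biba_allows
    else:
        raise ValueError(f"unknown model {model!r}")
    allowed, reason = rule(levels.index(subject), levels.index(obj), op)
    return {"model": model, "subject": subject, "object": obj, "op": op.value,
            "allowed": allowed, "rule": reason}


def models_are_opposites(depth: int = 4) -> bool:
    """At equal levels both models allow; at different levels they always disagree."""
    for s in range(depth):
        for o in range(depth):
            for op in Op:
                blp, biba = blp_allows(s, o, op)[0], biba_allows(s, o, op)[0]
                if s == o and not (blp and biba):
                    return False
                if s != o and blp == biba:
                    return False
    return True


if __name__ == "__main__":
    for subject, obj in (("Secret", "Confidential"), ("Secret", "Top Secret")):
        for op in Op:
            d = decide("blp", subject, obj, op)
            print(f"BLP  {subject:12s} {op.value:5s} {obj:12s} -> {d['allowed']!s:5} ({d['rule']})")
    for subject, obj in (("Medium", "Low"), ("Medium", "High")):
        for op in Op:
            d = decide("biba", subject, obj, op)
            print(f"Biba {subject:12s} {op.value:5s} {obj:12s} -> {d['allowed']!s:5} ({d['rule']})")
    print("opposites:", models_are_opposites())
```

Reading the output side by side makes the exam rule stick: a Secret subject may read Confidential but not write to it (BLP stops leaks flowing down), while a Medium-integrity subject may write to Low but not read from it (Biba stops corruption flowing up).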

ISC² Code of Ethics

S — Society (protect the common good)
H — Honorably (act honestly and justly)
C — Competent (provide quality service)
A — Advance (the profession)
Mnemonic: "She Has Competent Abilities"

US Privacy Laws

HIPAA: Healthcare data (PHI). Privacy + Security Rules.
GLBA: Financial institutions. Non-Public Personal Info (NPI).
SOX: Public companies. Financial reporting integrity. CEO/CFO accountability.
COPPA: Children under 13. Parental consent required.
FERPA: Student education records.
FISMA: US federal agencies information security.

International Regulations

GDPR: EU. 72-hr breach notification. Right to erasure. Up to 4% global revenue or €20M fine.
PIPEDA: Canada. Commercial activities privacy law.
APEC CBPR: Asia-Pacific cross-border privacy rules.

Security Standards

PCI-DSS: Payment card data. 12 requirements. Any org processing cards.
ISO 27001: ISMS certification standard (requirements).
ISO 27002: Implementation guidance for 27001.
NIST CSF: Identify → Protect → Detect → Respond → Recover.
NIST SP 800-53: Security controls for federal systems.

Types of Laws

Criminal: Government prosecutes. Beyond reasonable doubt. Imprisonment.
Civil (Tort): Private disputes. Preponderance of evidence. Monetary damages.
Administrative: Government agencies. Compliance fines. Licenses.
Due Care: Doing what a reasonable person would do.
Due Diligence: Ongoing research to maintain due care.