PolitiHack, Or How I Learned to Stop Worrying About Russians Influencing the US Election and Learned to Love Cybersecurity

December 23, 2016 at 4:12 pm | Posted in cybersecurity, Knowledge | 2 Comments

Hacktivism and cyberespionage are certainly nothing new, especially emanating from Russia. But the 2016 US presidential election was a swift education for Americans and the watching world regarding the widespread consequences of a successful APT (advanced persistent threat). A joint statement issued by the Department of Homeland Security and the Office of the Director of National Intelligence on Election Security stated that the “U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations” (emphasis ours).

Thanks to the detailed reporting from the New York Times, the fog of war is beginning to lift and the full extent of the cyberattack is coming into view. What is increasingly apparent is that at every stage, cybersecurity training could have significantly mitigated, or perhaps even prevented, portions of the attack altogether.

Real-time cyberthreat map from Kaspersky Lab

Enter the low-rung MIS contractor hired by the DNC — Yared Tamene. He claims no cybersecurity expertise, much less any cybersecurity-related certification like GSEC, CASP, CISSP, CEH or CFR. So it’s hardly appropriate to assign him the brunt of the blame. Instead, we should use his example to learn how cybersecurity knowledge and skills could have better informed the fateful decisions that he, and many others, made along the way.

In the fall of 2015, the FBI noticed some unusual outgoing network traffic from the DNC network, suggesting that at least one computer was compromised. The early forensics linked the compromise to a known Russian cyberespionage group going by the moniker “the Dukes” (AKA “Cozy Bear” and “APT29”), who had, in just the last few years, penetrated the White House, State Department and Joint Chiefs of Staff email systems. A special agent picked up the phone, called Tamene, and told him what they knew.

Before we even get to Tamene’s response, any trained cybersecurity first responder knows why the FBI called via phone rather than emailing their dire message. Communication during a security incident should be out-of-band, meaning outside of the primary communication channels (primarily the compromised network, where the attacker could be listening). Ironically, Tamene was convinced that the FBI call was a hoax, and after repeated calls over the next few months, he ignored the urgency. In November, the FBI even confirmed with Tamene that known malware was routing data to servers located in Moscow.


CISSP 2015: What’s New (Part 5 of 5)

December 10, 2015 at 9:47 am | Posted in CISSP, Study hints, study tips | Leave a comment

In my first post, I gave you a quick overview of the changes to the new CISSP exam. In my second post, I covered Domains 1 and 2 of the new CISSP exam. In my third post, I covered Domains 3 and 4 of the new CISSP exam. In my fourth post, I covered Domains 5 and 6 of the new CISSP exam. In this, my FINAL post, I will conclude with Domains 7 and 8, Security Operations and Software Development Security.

Broadly speaking, Domain 7 reflects how security should be included as part of day-to-day organizational operations. Domain 8 covers aspects of designing, implementing, and analyzing security for applications.

For my assessment, I’ll start by giving you the entire overview of each domain with its Key Areas of Knowledge. I’ll tell you where each topic fell in the old Candidate Information Bulletin (CIB), and put new topics in red italics. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails. (If you’d like, you can skip straight to the new stuff by clicking here.)

Domain 7: Security Operations – Framework and Key Areas of Knowledge

CISSP 2012 also covered security operations as its own domain. The majority of the old Domain 7 (Security Operations) has been retained, with the addition of new topics that cover investigations, monitoring, resource protection, incident response, recovery strategies, and physical security. Because day-to-day security operations are fundamental to security, this domain contains the most topics of any area in the exam.

This domain also includes a few topics that were moved from the old Domain 8 (Business Continuity and Disaster Recovery Planning), Domain 9 (Legal, Regulations, Investigations, and Compliance), and Domain 10 (Physical (Environmental) Security).

Domain 7 Key Areas of Knowledge:

    1. Understand and support investigations – From Domain 9, subheading c in the old version.
      1. Evidence collection and handling (e.g., chain of custody, interviewing) – From Domain 9, subheading c in the old version.
      2. Reporting and documenting – From Domain 9, subheading c in the old version.
      3. Investigation techniques (e.g., root-cause analysis, incident handling) – From Domain 9, subheading c in the old version.
      4. Digital forensics (e.g., media, network, software, and embedded devices) – From Domain 9, subheading d in the old version.
    2. Understand requirements for investigation types – New
      1. Operational – New
      2. Criminal – New
      3. Civil – New
      4. Regulatory – New
      5. Electronic discovery (eDiscovery) – New
    3. Conduct logging and monitoring activities – From Domain 1, subheading a in the old version.
      1. Intrusion detection and prevention – New
      2. Security information and event management – New
      3. Continuous monitoring – New
      4. Egress monitoring (e.g., data loss prevention, steganography, watermarking) – Mostly New. Steganography and watermarking are from Domain 5, subheading 1 in the old version.
    4. Secure the provisioning of resources – From Domain 9, subheading f in the old version.
      1. Asset inventory (e.g., hardware, software) – New
      2. Configuration management – New
      3. Physical assets – New
      4. Virtual assets (e.g., software-defined network, virtual SAN, guest operating systems) – New
      5. Cloud assets (e.g., services, VMs, storage, networks) – From Domain 9, subheading f in the old version.
      6. Applications (e.g., workloads or private clouds, web services, software as a service) – From Domain 9, subheading f in the old version.
    5. Understand and apply foundational security operations concepts – From Domain 7, subheading a in the old version.
      1. Need to know/least privilege (e.g., entitlement, aggregation, transitive trust) – From Domain 1, subheading c and Domain 7, subheading a in the old version.
      2. Separation of duties and responsibilities – From Domain 7, subheading a in the old version.
      3. Monitor special privileges (e.g., operators, administrators) – From Domain 7, subheading a in the old version.
      4. Job rotation – From Domain 7, subheading a in the old version.
      5. Information lifecycle – From Domain 3, subheading e in the old version.
      6. Service-level agreements – New
    6. Employ resource protection techniques – From Domain 7, subheading b in old version.
      1. Media management – From Domain 7, subheading b in old version.
      2. Hardware and software asset management – From Domain 7, subheading b in old version.
    7. Conduct incident management – From Domain 7, subheading c in the old version.
      1. Detection – From Domain 7, subheading c in the old version.
      2. Response – From Domain 7, subheading c in the old version.
      3. Mitigation – New
      4. Reporting – From Domain 7, subheading c in the old version.
      5. Recovery – From Domain 7, subheading c in the old version.
      6. Remediation – From Domain 7, subheading c in the old version.
      7. Lessons learned – New
    8. Operate and maintain preventative measures – From Domain 7, subheading d in the old version.
      1. Firewalls – New
      2. Intrusion detection and prevention systems – New
      3. Whitelisting/Blacklisting – New
      4. Third-party security services – New
      5. Sandboxing – New
      6. Honeypots/Honeynets – New
      7. Anti-malware – New
    9. Implement and support patch and vulnerability management – From Domain 7, subheading e in the old version.
    10. Participate in and understand change management processes (e.g., versioning baselining, security impact analysis) – From Domain 7, subheading f in the old version.
    11. Implement recovery strategies – From Domain 8, subheading c in the old version.
      1. Backup storage strategies (e.g., offsite storage, electronic vaulting, tape rotation) – From Domain 8, subheading c in the old version.
      2. Recovery site strategies – From Domain 8, subheading c in the old version.
      3. Multiple processing sites (e.g., operationally redundant systems) – New
      4. System resilience, high availability, quality of service, and fault tolerance – From Domain 7, subheading g in the old version.
    12. Implement disaster recovery processes – From Domain 8, subheading d in the old version.
      1. Response – From Domain 8, subheading d in the old version.
      2. Personnel – From Domain 8, subheading d in the old version.
      3. Communications – From Domain 8, subheading d in the old version.
      4. Assessment – From Domain 8, subheading d in the old version.
      5. Restoration – From Domain 8, subheading d in the old version.
      6. Training and awareness – From Domain 8, subheading d in the old version.
    13. Test disaster recovery plans – From Domain 8, subheading e in the old version.
      1. Read-through – From Domain 8, subheading e in the old version.
      2. Walkthrough – From Domain 8, subheading e in the old version.
      3. Simulation – From Domain 8, subheading e in the old version.
      4. Parallel – From Domain 8, subheading e in the old version.
      5. Full interruption – From Domain 8, subheading e in the old version.
    14. Participate in business continuity planning and exercises – New
    15. Implement and manage physical security – From Domain 10, subheading b and c in the old version.
      1. Perimeter (e.g., access control and monitoring) – From Domain 10, subheading b in the old version.
      2. Internal security (e.g., escort requirements/visitor control, keys, and locks) – From Domain 10, subheading c in the old version.
    16. Participate in addressing personnel safety concerns (e.g., duress, travel, monitoring) – From Domain 10, subheading f in the old version.
Domain 7 – Just the New Topics, Ma’am

Here’s a shortlist of the entirely new topics in Domain 7.

Knowledge Area B, Understand requirements for investigation types, contains both new and old topics. The definition of “investigation types” is now a little more granular. The candidate will have to understand correct procedures and what constitutes evidence for each type of investigation:

  • Operational – This is a new topic. This topic will focus on the requirements for operational investigations.
  • Criminal – This is a new topic. This topic will focus on the requirements for criminal investigation.
  • Civil – This is a new topic. This topic will focus on the requirements for civil investigations.
  • Regulatory – This is a new topic. This topic will focus on the requirements for regulatory investigations.
  • Electronic Discovery (eDiscovery) – This is a new topic. This topic will focus on the requirements for eDiscovery investigations.

Knowledge Area C, Conduct logging and monitoring activities, contains both new and old topics. As with Knowledge Area B, the topics have become more granular and specific than in the previous exam. These topics within this Domain are new:

  • Intrusion detection and prevention – This is a new topic. This topic will focus on intrusion detection and prevention as part of operational logging and monitoring.
  • Security information and event management – This is a new topic. This topic will focus on security information and event management (SIEM) as part of operational logging and monitoring.
  • Continuous monitoring – This is a new topic. This topic will focus on continuous monitoring as part of operational logging and monitoring.

Knowledge Area D, Secure the provisioning of resources, contains both new and old topics. The following topics within this Domain are new, and deal with provisioning practices for physical, virtual, and logical assets. Other types of security for these assets are amply covered in Domains 3 and 4. Here the focus is more on sanitation, license management, versioning and baselining, patch management, and inventory control.

  • Asset inventory (e.g., hardware, software) – This is a new topic. This topic will focus on hardware, software, and other asset inventory as a part of resource provisioning.
  • Configuration management – This is a new topic. This topic will focus on configuration management as part of resource provisioning.
  • Physical assets – This is a new topic. This topic will focus on the resource provisioning of physical assets.
  • Virtual assets (e.g., software-defined network, virtual SAN, guest operating systems) – This is a new topic. This topic will focus on the resource provisioning of virtual assets.

Knowledge Area E, Understand and apply foundational security operations concepts, contains mostly old topics, but does contain one new topic. The following topic within this Domain is new:

  • Service-level agreements – This is a new topic, and like most new topics for 2015, is driven by the move toward cloud provisioning. This topic will cover service-level agreements and their effect on security operations.

Knowledge Area G, Conduct incident management, contains both new and old topics. The following topics within this Domain are new:

  • Mitigation – This is a new topic. This topic will test on best practice concepts for incident mitigation.
  • Lessons learned – This is a new topic. This topic will focus on documenting and integrating lessons learned from incidents.

Knowledge Area H, Operate and maintain preventative measures, contains mostly new topics, although the Knowledge Area itself is not new. Most of the topics were implied by the old Domain 7 Knowledge Area D, “Prevent or respond to attacks (e.g., malicious code, zero-day exploit, denial of service),” but again, CISSP 2015 is far more granular. These specific topics within this Domain are new:

  • Firewalls – This is a new topic. This topic will focus on using firewalls for intrusion prevention. The previous exam mentioned firewalls in the context of securing the firewall itself; here, the focus is deployment.
  • Intrusion detection and prevention systems – This is a new topic. This topic will focus on deploying types of intrusion detection and prevention systems (HIDS, NIDS, IPS, and so on).
  • Whitelisting/Blacklisting – This is a new topic. This topic will focus on using whitelisting/blacklisting as a prevention strategy, including its advantages and disadvantages.
  • Third-party security services – This is a new topic. This topic will focus on using third-party security services as part of prevention.
  • Sandboxing – This is a new topic. This topic will focus on using sandboxing as part of prevention.
  • Honeypots/Honeynets – This is a new topic. This topic will focus on using honeypots/honeynets as part of prevention.
  • Anti-malware – This is a new topic. This topic will focus on using anti-malware as part of prevention.

Knowledge Area K, Implement recovery strategies, contains mostly old topics and one new topic. The following topic within this Domain is new:

  • Multiple processing sites (e.g., operationally redundant systems) – This is a new topic. This topic will focus on using hot sites, cold sites, service bureaus, and other alternate processing sites for disaster recovery. While the topic may be new, the concept is classic CISSP.

Knowledge Area N, Participate in business continuity planning and exercises, is a new Knowledge Area. It covers designing, maintaining, and implementing business continuity plans and exercises. Again, this is a classic component of risk management and disaster recovery planning; what’s new is the granularity of assigning a complete knowledge area to the concept.

Domain 8: Software Development Security – Framework and Key Areas of Knowledge

Domain 8 consists of content formerly included in the old Domain 4 (Software Development Security). The majority of this Domain was included in CISSP 2012; only a few new topics were introduced for this round. It is primarily concerned with understanding security as part of the software development lifecycle.

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown (which you can skip to by clicking here).

  1. Understand and apply security in the software development lifecycle – From Domain 4, subheading a in the old version.
    1. Development methodologies (e.g., Agile, Waterfall) – From Domain 4, subheading a in the old version.
    2. Maturity models – From Domain 4, subheading a in the old version.
    3. Operation and maintenance – From Domain 4, subheading a in the old version.
    4. Change management – From Domain 4, subheading a in the old version.
    5. Integrated product team (e.g., DevOps) – New
  2. Enforce security controls in development environments – From Domain 4, subheading b in the old version.
    1. Security of the software environments – From Domain 4, subheading b in the old version.
    2. Security weaknesses and vulnerabilities at the source-code level (e.g., buffer overflow, escalation of privilege, input/output validation) – From Domain 4, subheading b in the old version.
    3. Configuration management as an aspect of secure coding – From Domain 4, subheading b in the old version.
    4. Security of code repositories – New
    5. Security of application programming interfaces – From Domain 4, subheading b in the old version.
  3. Assess the effectiveness of software security – From Domain 4, subheading c in the old version.
    1. Auditing and logging of changes – From Domain 4, subheading c in the old version.
    2. Risk analysis and mitigation – From Domain 4, subheading c in the old version.
    3. Acceptance testing – New
  4. Assess security impact of acquired software – New
Domain 8 – Just the New Topics already

Here’s a closer look at the new topics in Domain 8.

Knowledge Area A, Understand and apply security in the software development lifecycle, contains mostly old topics and one new topic. The following topic within this Domain is new:

  • Integrated product team (e.g., DevOps) – This is a new topic. It covers integrated software development concepts, such as Agile, DevOps, and software assurance.

Knowledge Area B, Enforce security controls in development environments, contains mostly old topics and one new topic. The following topic within this Domain is new:

  • Security of code repositories – This is a new topic. It discusses securing code repositories in collaborative development environments.

Knowledge Area C, Assess the effectiveness of software security, contains mostly old topics and one new topic. The following topic within this Domain is new:

  • Acceptance testing – This is a new topic. It covers using acceptance testing as part of assessing software security effectiveness.

Knowledge Area D, Assess security impact of acquired software, is a new topic. It covers the procedures for assessing the security impact of acquired software, including commercial software.

Recap

I cannot believe I have finally reached the end of my latest magnum opus. Here’s the complete listing of all parts:

      • Part 1 covered general information about the new CISSP.
      • Part 2 covered new domains 1 and 2.
      • Part 3 covered new domains 3 and 4.
      • Part 4 covered new domains 5 and 6.
      • Part 5 (this post) covers new domains 7 and 8.

It is our sincere hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin A.

CISSP 2015: What’s New (Part 4 of 5)

November 5, 2015 at 1:19 pm | Posted in CISSP, study tips | 2 Comments

In my first post, I gave you a quick overview of the changes to the new CISSP exam. In my second post, I covered Domains 1 and 2 of the new CISSP exam. In my third post, I covered Domains 3 and 4 of the new CISSP exam.

Today I will cover the next two domains, Identity and Access Management and Security Assessment and Testing. In a nutshell, Domain 5 reflects the need to integrate cloud-based access control to workflows like Office 365 and Google Drive with on-premise access control, and Domain 6 adds coverage of designing, implementing, and analyzing security testing practices.

First I’ll give you the entire overview of each domain with its Key Areas of Knowledge, tell you where each topic fell in the old Candidate Information Bulletin (CIB), and put new topics in red italics. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails. (If you’d like, you can skip straight to the new stuff by clicking here.)

Domain 5: Identity and Access Management – Framework and Key Areas of Knowledge

CISSP 2012 covered identity management as a knowledge area in the access control domain. In CISSP 2015, identity management is elevated to the domain level and combined with access control. The majority of the old Domain 1 (Access control) has been moved to the new Domain 5 (Identity and Access Management), with the addition of new topics that cover identity, session, and credential management.

This domain also includes a few topics from the old Domain 10 (Physical (Environmental) Security).

Domain 5 Key Areas of Knowledge:

    1. Control physical and logical access to assets – From Domain 10, subheading e in the old version.
      1. Information – New
      2. Systems – From Domain 10, subheading e in the old version.
      3. Devices – From Domain 10, subheading e in the old version.
      4. Facilities – New
    2. Manage identification and authentication of people and devices – From Domain 1, subheading a in the old version.
      1. Identity management implementation (e.g., SSO, LDAP) – From Domain 1 in the old version.
      2. Single/multi-factor authentication (e.g., factors, strength, errors, biometrics) – From Domain 1 in the old version.
      3. Accountability – From Domain 1 in the old version.
      4. Session management (e.g., timeouts, screen savers) – New
      5. Registration and proofing of identity – New
      6. Federated identity management (e.g., SAML) – New
      7. Credential management systems – New
    3. Integrate identity as a service – New
    4. Integrate third-party identity services (e.g., on-premise) – New
    5. Implement and manage authorization mechanisms – From Domain 1, subheading a in the old version.
      1. Role-based access control (RBAC) methods – From Domain 1, subheading a in the old version.
      2. Rule-based access control methods – From Domain 1, subheading a in the old version.
      3. Mandatory access control (MAC) – From Domain 1, subheading a in the old version.
      4. Discretionary access control (DAC) – From Domain 1, subheading a in the old version.
    6. Prevent or mitigate access control attacks – From Domain 1, subheading b in old version.
    7. Manage the identity and access provisioning lifecycle (e.g., provisioning, review) – From Domain 1, subheading c and d in the old version.
Domain 5 – Just the New Topics, Ma’am

Next, here’s a shortlist of the entirely new topics in Domain 5.

Knowledge Area A, Control physical and logical access to assets, contains both new and old topics. The definition of “assets” is now a little more granular, replacing “systems and devices” with “information, systems, devices, and facilities.” The following topics within this Domain are new:

  • Information – This is a new topic. This topic will focus on controlling physical and logical access to information.
  • Facilities – This is a new topic. This topic will focus on controlling physical and logical access to buildings and equipment.

Knowledge Area B, Manage identification and authentication of people and devices, contains both new and old topics. The following topics within this Domain are new:

  • Session management (e.g., timeouts, screen savers) – This is a new topic. This topic will focus on mechanisms that provide session management, both online and at the physical client level.
  • Registration and proofing of identity – This is a new topic. This topic will focus on providing registration and using proof of identity mechanisms before issuing authentication credentials to personnel and devices.
  • Federated identity management (e.g., SAML) – This is a new topic. This topic will focus on enterprise-level federated identity management used for single sign-on, including Active Directory Directory Services, SAML 2.0, and third-party identity providers.
  • Credential management systems – This is a new topic. This topic will focus on using a credential management system for large enterprises.

Knowledge Area C, Integrate identity as a service, is a new knowledge area. It covers using cloud-based identity-as-a-service (IDaaS) to provide single sign-on services for both SaaS and internal applications.

Knowledge Area D, Integrate third-party identity services (e.g., on-premise), is also a new knowledge area. This covers using third-party identity services in an enterprise to access both cloud-based and on-premise applications.

Domain 6: Security Assessment and Testing – Framework and Key Areas of Knowledge

A portion of Domain 6 consists of content formerly included in the old Domain 1 (Access Control) and Domain 9 (Business Continuity and Disaster Recovery). However, the majority of this Domain contains content that was not specifically listed in the old CISSP version. To master this domain, you should know the various types of test strategies used by organizations, and understand the strengths and weaknesses of each approach. You should also understand how an organization’s information security policies should be implemented and continually validated. This domain combines policy with practice.

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown (which you can skip to by clicking here).

  1. Design and validate assessment and test strategies – New
  2. Conduct security control testing – New
    1. Vulnerability assessment – From Domain 1, subheading b in the old version.
    2. Penetration testing – From Domain 1, subheading b in the old version.
    3. Log reviews – New
    4. Synthetic transactions – New
    5. Misuse case testing – New
    6. Test coverage analysis – New
    7. Interface testing (e.g., API, UI, physical) – New
  3. Collect security process data – New
    1. Account management (e.g., escalation, revocation) – New
    2. Management review – New
    3. Key performance and risk indicators – New
    4. Backup verification data – New
    5. Training and awareness – New
    6. Disaster recovery and business continuity – New
  4. Analyze and report test outputs (e.g., automated, manual) – New
  5. Conduct or facilitate internal and third-party audits – From Domain 9, subheading e in the old version.
Domain 6 – Just the New Topics already

Here’s a closer look at the new topics in Domain 6.

Knowledge Area A, Design and validate assessment and test strategies, is a new knowledge area. It covers the different assessment and test strategies that are used to verify that a control is functioning properly, including automated and manual tests. The key word is “design” – the candidate should understand how to build an integrated strategy, from risk assessment and baselining to implementation and reporting.

From Knowledge Area B, Conduct security control testing:

  • Log reviews – This is a new topic. It discusses using log review as part of a thorough security control testing plan.
  • Synthetic transactions – This is a new topic. It discusses synthetic transactions as part of security control testing.
  • Misuse case testing – This is a new topic. It discusses misuse cases as part of security control testing.
  • Test coverage analysis – This is a new topic. It discusses analyzing test coverage to ensure that all security controls are tested.
  • Interface testing (e.g., API, UI, physical) – This is a new topic. It discusses testing interfaces as part of security control testing.

From Knowledge Area C, Collect security process data:

  • Account management (e.g., escalation, revocation) – This is a new topic. It covers account management as part of collecting security process data.
  • Management review – This is a new topic. It covers management review of the collected security process data.
  • Key performance and risk indicators – This is a new topic. It covers the key performance and risk indicators that should be collected as part of security process data.
  • Backup verification data – This is a new topic. It covers verifying backup as part of security and assessment testing.
  • Training and awareness – This is a new topic. It covers training and awareness for users to ensure that they understand security and assessment testing.

Knowledge Area D, Analyze and report test outputs (e.g., automated, manual), is a new topic. It covers interpreting and recording the results of your own testing, as well as the results from third-party audits, and developing new mitigations based on test results.

Recap

In the coming weeks, I will be posting the other 2 parts of this series. (Hyperlinks will be added as the posts are written.)

      • Part 1 covered general information about the new CISSP.
      • Part 2 covered new Domains 1 and 2.
      • Part 3 covered new Domains 3 and 4.
      • Part 4 (this post) covers new Domains 5 and 6.
      • Part 5 will cover new Domains 7 and 8.

The last post will come over the next few weeks.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin

CISSP 2015: What’s New (Part 3 of 5)

September 30, 2015 at 3:51 pm | Posted in CISSP, Study hints, study tips, Vendor news | Leave a comment

In my first post, I gave you a quick overview of the changes to the new CISSP exam. In my second post, I covered Domains 1 and 2 of the new CISSP exam.

Today I will cover the next two domains, Security Engineering and Communications and Network Security. First I’ll give you the entire overview of each domain with its Key Areas of Knowledge, tell you where each topic fell in the old Candidate Information Bulletin (CIB), and put new topics in red italics. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails. (If you’d like, you can skip straight to the new stuff by clicking here.)

Domain 3: Security Engineering – Framework and Key Areas of Knowledge

The majority of the new Domain 3 merges topics from the old Domain 5 (Cryptography), Domain 6 (Security Architecture and Design), and Domain 10 (Physical Security).

Domain 3 Key Areas of Knowledge:

    1. Implement and manage engineering processes using secure design principles – New
    2. Understand the fundamental concepts of security models (e.g., confidentiality, integrity, multi-level models) – From Domain 6, subheading a in the old version.
    3. Select controls and countermeasures based upon systems security evaluation models – From Domain 6, subheading b and f in the old version.
    4. Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module, interfaces, fault tolerance) – From Domain 6, subheading c in the old version.
    5. Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
      1. Client-based (e.g., applets, local caches) – From Domain 6, subheading e in the old version.
      2. Server-based (e.g., data flow control) – From Domain 6, subheading 3 in the old version.
      3. Database security (e.g., inference, aggregation, data mining, data analytics, warehousing) – From Domain 6, subheading e in the old version.
      4. Large-scale parallel data systems – New
      5. Distributed system (e.g., cloud computing, grid computing, peer to peer) – From Domain 6, subheading e in the old version.
      6. Cryptographic systems – New
      7. Industrial control system (e.g., SCADA) – New
    6. Assess and mitigate vulnerabilities in web-based systems (e.g., XML, OWASP) – From Domain 6, subheading 3 in the old version.
    7. Assess and mitigate vulnerabilities in mobile systems – New
    8. Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, Internet of things (IoT)) – New
    9. Apply cryptography
      1. Cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance) – From Domain 5, subheading b a in the old version.
      2. Cryptographic types (e.g., symmetric, asymmetric, elliptic curves) – From Domain 5, subheading c in the old version.
      3. Public Key Infrastructure (PKI) – From Domain 5, subheading j in the old version.
      4. Key management practices – From Domain 5, subheading d in the old version.
      5. Digital signatures – From Domain 5, subheading e in the old version.
      6. Digital rights management – New
      7. Non-repudiation – From Domain 5, subheading f in the old version.
      8. Integrity (hashing and salting) – From Domain 5, subheading c in the old version.
      9. Methods of cryptanalytic attacks (e.g., brute force, cipher-text only, known plaintext) – From Domain 5, subheading g in the old version.
    10. Apply secure principles to site and facility design – From Domain 10, subheading a in the old version.
    11. Design and implement physical security.
      1. Wiring closets – New
      2. Server rooms – From Domain 10, subheading d in the old version.
      3. Media storage facilities – New
      4. Evidence storage – New
      5. Restricted and work area security (e.g., operations centers) – From Domain 10, subheading d in old version.
      6. Data center security – From Domain 10, subheading d in old version.
      7. Utilities and HVAC considerations – From Domain 10, subheading d in old version.
      8. Water issues (e.g., leakage, flooding) – From Domain 10, subheading d in old version.
      9. Fire prevention, detection, and suppression – From Domain 10, subheading d in the old version.

Domain 3 – Just the New Topics, Ma’am

Next, here’s a short list of the entirely new topics in Domain 3.

Knowledge Area A, Implement and manage engineering processes using secure design principles, is a new knowledge area. It covers the secure design principles that need to be understood to pass the exam, including ISO/IEC and NIST standards.

From Knowledge Area E. Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements:

  • Large-scale parallel data systems – This is a new topic. This topic will focus on the vulnerabilities of large-scale parallel data systems.
  • Cryptographic systems – This is a new topic. This topic will focus on the vulnerabilities of cryptographic systems.
  • Industrial control system (e.g., SCADA) – This is a new topic. This topic will focus on the vulnerabilities of industrial control systems.

Knowledge Area G, Assess and mitigate vulnerabilities in mobile systems, is also a new knowledge area. It covers the vulnerabilities of mobile systems. 

Knowledge Area H, Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, Internet of things (IoT)), is also a new knowledge area. This covers the vulnerabilities of embedded devices and cyber-physical systems.

From Knowledge Area I. Apply cryptography:

  • Digital rights management – This is a new topic. It focuses on using cryptography to provide digital rights management (DRM), including digital watermarking and other access control methods.

From Knowledge Area K. Design and implement physical security:

  • Wiring closets – This is a new topic. It discusses the physical security of wiring closets.
  • Media storage facilities – This is a new topic. It discusses the physical security of media storage facilities.
  • Evidence storage – This is a new topic. It discusses how to properly store evidence.

Domain 4: Communication and Network Security – Framework and Key Areas of Knowledge

The majority of Domain 4 consists of content formerly included in the old Domain 2 (Telecommunications and Network Security).

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown (which you can skip to by clicking here).

  1. Apply secure design principles to network architecture (e.g., IP & non-IP protocols, segmentation)
    1. OSI and TCP/IP models – From Domain 2, subheading a in the old version.
    2. IP networking – From Domain 2, subheading a in the old version.
    3. Implications of multilayer protocols (e.g., DNP3) – From Domain 2, subheading a in the old version.
    4. Converged protocols (e.g., FCoE, MPLS, VoIP, iSCSI) – New
    5. Software-defined networks – New
    6. Wireless networks – New
    7. Cryptography used to maintain communication security – From Domain 5, subheading h in the old version.
  2. Secure network components.
    1. Operation of hardware (e.g., modems, switches, routers, wireless access points, mobile devices) – From Domain 2, subheading b in the old version.
    2. Transmission media (e.g., wired, wireless, fiber) – From Domain 2, subheading b in the old version.
    3. Network access control devices (e.g., firewall, proxies) – From Domain 2, subheading b in the old version.
    4. Endpoint security – From Domain 2, subheading b in the old version.
    5. Content-distribution networks – New
    6. Physical devices – New
  3. Design and establish secure communication channels.
    1. Voice – From Domain 2, subheading c in the old version.
    2. Multimedia collaboration (e.g., remote meeting technology, instant messaging) – From Domain 2, subheading c in the old version.
    3. Remote access (e.g., VPN, screen scraper, virtual application/desktop, telecommuting) – From Domain 2, subheading c in the old version.
    4. Data communications (e.g., VLAN, TLS/SSL) – From Domain 2, subheading c in the old version.
    5. Virtualized networks (e.g., SDN, virtual SAN, guest operating systems, port isolation) – New
  4. Prevent or mitigate network attacks – From Domain 2, subheading d in the old version.

Domain 4 – Just the New Topics already

Here’s a closer look at the new topics in Domain 4.

From Knowledge Area A, Apply secure design principles to network architecture (e.g., IP & non-IP protocols, segmentation):

  • Converged protocols (e.g., FCoE, MPLS, VoIP, iSCSI) – This is a new topic. It discusses secure design principles for converged protocols.
  • Software-defined networks – This is a new topic. It covers secure design principles for software-defined networks at the infrastructure, control, and application layers.
  • Wireless networks – This is a new topic. It covers secure design principles for wireless networks.

From Knowledge Area B, Secure network components:

  • Content-distribution networks – This is a new topic. It discusses secure network components for content-distribution networks.
  • Physical devices – This is a new topic. It discusses issues of security for the physical devices used for content-distribution networks.

From Knowledge Area C, Design and establish secure communication channels:

  • Virtualized networks (e.g., SDN, virtual SAN, guest operating systems, port isolation) – This is a new topic. It covers the secure communication channels for virtualized networks.

Recap

In the coming weeks, I will be posting the other 2 parts of this series. (Hyperlinks will be added as the posts are written.)

      • Part 1 covered general information about the new CISSP.
      • Part 2 covered new Domains 1 and 2.
      • Part 3 (this post) covers new Domains 3 and 4.
      • Part 4 will cover new Domains 5 and 6.
      • Part 5 will cover new Domains 7 and 8.

The next two posts will come over the next few weeks.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin

CISSP 2015: What’s New (Part 2 of 5)

September 16, 2015 at 6:29 am | Posted in CISSP, Study hints, study tips, Vendor news | Leave a comment

In my first post, I gave you a quick overview of the changes to the new CISSP exam. The topics there should at least help you get started preparing for the exam. With this post, I’ll start discussing the domains covered by the new CISSP exam.

The former version of CISSP had 10 domains:

  1. Access Control
  2. Telecommunications and Network Security
  3. Information Security Governance and Risk Management
  4. Software Development Security
  5. Cryptography
  6. Security Architecture and Design
  7. Security Operations
  8. Business Continuity and Disaster Recovery Planning
  9. Legal, Regulations, Investigations, and Compliance
  10. Physical Security

With the 2015 update, the content was rearranged into 8 domains:

  1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  2. Asset Security (Protecting Security of Assets)
  3. Security Engineering (Engineering and Management of Security)
  4. Communications and Network Security (Designing and Protecting Network Security)
  5. Identity and Access Management (Controlling Access and Managing Identity)
  6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  7. Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

Today I will cover the first two domains, Security and Risk Management and Asset Security. First I’ll give you the entire overview of each domain with its Key Areas of Knowledge, tell you where each topic fell in the old Candidate Information Bulletin (CIB), and put new topics in red italics. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails. (If you’d like, you can skip straight to the new stuff by clicking here.)

Domain 1: Security and Risk Management – Framework and Key Areas of Knowledge

The majority of the new Domain 1 merges topics from the old Domain 3 (Information Security Governance & Risk Management) and Domain 9 (Legal, Regulations, Investigations, & Compliance).

Domain 1 Key Areas of Knowledge:

    1. Understand and apply concepts of confidentiality, integrity, and availability. – From Domain 3, subheading C in old version.
    2. Apply security governance principles through:
      1. Alignment of security function to strategy, goals, mission, and objectives (e.g., business case, budget, and resources) – From Domain 3, subheading a and j in old version.
      2. Organizational processes (e.g., acquisitions, divestitures, governance committees) – From Domain 3, subheading b in old version.
      3. Security roles and responsibilities – From Domain 3, subheading b and Domain 9, subheading c in old version.
      4. Control frameworks – From Domain 3, subheading b in old version.
      5. Due care – From Domain 3, subheading b in old version.
      6. Due diligence – From Domain 3, subheading b in old version.
    3. Compliance
      1. Legislative and regulatory compliance – From Domain 3, subheading b and Domain 9, subheading e in old version.
      2. Privacy requirements compliance – From Domain 3, subheading b in old version.
    4. Understand legal and regulatory issues that pertain to information security in a global context.
      1. Computer crimes – From Domain 9, subheading a in old version.
      2. Licensing and intellectual property (e.g., copyright, trademark, digital-rights management) – From Domain 9, subheading a in old version.
      3. Import/export controls – From Domain 9, subheading a in old version.
      4. Trans-border data flow – From Domain 9, subheading a in old version.
      5. Privacy – From Domain 9, subheading a in old version.
      6. Data breaches – New
    5. Understand professional ethics.
      1. Exercise (ISC)2 Code of Professional Ethics. – From Domain 9, subheading b in old version.
      2. Support organization’s code of ethics. – From Domain 9, subheading b in old version.
    6. Develop and implement documented security policy, standards, procedures, and guidelines. – From Domain 3, subheading d and j in old version.
    7. Understand business continuity requirements.
      1. Develop and document project scope and plan. – From Domain 8, subheading a in old version.
      2. Conduct business impact analysis. – From Domain 8, subheading b in old version.
    8. Contribute to personnel security policies.
      1. Employment candidate screening (e.g., reference checks, education verification) – From Domain 3, subheading h in old version.
      2. Employment agreement and policies – From Domain 3, subheading h in old version.
      3. Employment termination processes – From Domain 3, subheading h in old version.
      4. Vendor, consultant, and contractor controls – From Domain 3, subheading h in old version.
      5. Compliance – New
      6. Privacy – New
    9. Understand and apply risk management concepts.
      1. Identify threats and vulnerabilities. – From Domain 3, subheading g in old version.
      2. Risk assessment/analysis (qualitative, quantitative, hybrid) – From Domain 3, subheading g in old version.
      3. Risk assignment/acceptance (e.g., system authorization) – From Domain 3, subheading g in old version.
      4. Countermeasure selection – From Domain 3, subheading g in old version.
      5. Implementation – New
      6. Types of controls (preventive, directive, corrective, etc.) – From Domain 1, subheading a in old version.
      7. Control assessment – New
      8. Monitoring and measurement – New
      9. Asset valuation – From Domain 1, subheading b and Domain 3, subheading g in old version.
      10. Reporting – New
      11. Continuous improvement – New
      12. Risk frameworks – New
    10. Understand and apply threat modeling. – Although some of this topic was covered in Domain 1, subheading b, the majority of this topic is new.
      1. Identifying threats (e.g., adversaries, contractors, employees, trusted partners) – New
      2. Determining and diagramming potential attacks (e.g., social engineering, spoofing) – New
      3. Performing reduction analysis – New
      4. Technologies and processes to remediate threats (e.g., software architecture and operations) – New
    11. Integrate security risk considerations into acquisition strategy and practice
      1. Hardware, software, and services – New
      2. Third-party assessment and monitoring (e.g., on-site assessment, document exchange and review, process/policy review) – From Domain 3, subheading f in the old version.
      3. Minimum security requirements – New
      4. Service-level requirements – New
    12. Establish and manage information security education, training, and awareness – From Domain 3, subheading 1 in old version. Although this topic is covered there, the 2015 subheadings are all new.
      1. Appropriate levels of awareness, training, and education required within organization – New
      2. Periodic reviews for content relevancy – New

Domain 1 – Just the New Topics, Ma’am

Next, here’s a short list of the entirely new topics in Domain 1.

From Knowledge Area D. Understand legal and regulatory issues that pertain to information security in a global context:

  • Data breaches – While this is a “new” topic because it wasn’t originally in Domain 9, subheading a, most of the topics covered in this section should already be known to the security professional.

From Knowledge Area H. Contribute to personnel security policies:

  • Compliance – This is a new topic. While compliance is covered in other areas, the CISSP exam has never specifically covered compliance as related to personnel security policies. This topic will focus on the ways an organization can ensure that personnel complies with any security policies that are in place.
  • Privacy – This is a new topic. While privacy is covered in other areas, the CISSP exam has never specifically covered privacy as related to personnel. This topic will focus on the organization’s responsibility to ensure that personnel’s information remains private, and also on how to ensure that personnel understand the importance of privacy for any data the organization owns.

From Knowledge Area I. Understand and apply risk management concepts:

  • Implementation – This is a new topic. It focuses on following implementation guidelines when implementing a risk management process at an organization.
  • Control assessment – This is a new topic. It covers how to assess the controls that you have implemented.
  • Monitoring and measurement – This is a new topic. It covers monitoring and measuring risk and the controls that are implemented to protect against the risks.
  • Reporting – This is a new topic. It explains the process for reporting on risk management.
  • Continuous improvement – This is a new topic. It covers how to improve the risk management process over time.
  • Risk frameworks – While technically a new topic, risk frameworks were generally covered as part of the risk management process, just not as an individual topic. This topic is about any international and industry risk frameworks that may be available to help guide your organization.

From Knowledge Area J. Understand and apply threat modeling:

  • Identifying threats (e.g., adversaries, contractors, employees, trusted partners) – This is a new topic. It discusses the different threats to organizational security.
  • Determining and diagramming potential attacks (e.g., social engineering, spoofing) – This is a new topic. It focuses on the potential attacks that the threats can carry out.
  • Performing reduction analysis – This is a new topic. It discusses how to determine if threats and the attacks they carried out can be reduced.
  • Technologies and processes to remediate threats (e.g., software architecture and operations) – This is a new topic. It focuses on how to remediate the threats that you identified.

From Knowledge Area K. Integrate security risk considerations into acquisition strategy and practice:

  • Hardware, software, and services – This is a new topic. It analyzes the security risks when integrating hardware, software, and services when acquisitions occur.
  • Minimum security requirements – This is a new topic. It focuses on determining the minimum security requirements when an acquisition occurs.
  • Service-level requirements – This is a new topic. It discusses all facets of service-level requirements when acquisitions occur.

From Knowledge Area L. Establish and manage information security education, training, and awareness:

  • Appropriate levels of awareness, training, and education required within organization – This is a new topic. It covers levels of security awareness, training, and education that should be provided to personnel.
  • Periodic reviews for content relevancy – This is a new topic. It focuses on reviewing the security education, training, and awareness program to ensure that new security topics are covered.

Domain 2: Asset Security – Framework and Key Areas of Knowledge

The majority of Domain 2 consists of new knowledge areas and topics, though it also pulls in a bit of content formerly included in the old Domain 5 (Cryptography) and Domain 7 (Operations Security). Why is there so much new content to cover here? Big data is a big asset, and as (ISC)2 points out, privacy considerations have increased due to “the rapid expansion in the collection and storage of digitized personal information.”

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown (which you can skip to by clicking here).

  1. Classify information and supporting assets (e.g., sensitivity, criticality) – New
  2. Determine and maintain ownership (e.g., data owners, system owners, business/mission owners) – New
  3. Protect privacy – New
    1. Data owners – New
    2. Data processors – New
    3. Data remanence – New
    4. Collection limitation – New
  4. Ensure appropriate retention (e.g., media, hardware, personnel) – From Domain 7, subheading a in the old version.
  5. Determine data security controls (e.g., data at rest, data in transit) – From Domain 5, subheading a in old version. Although this topic is covered there, the 2015 subheadings are all new.
    1. Baselines – New
    2. Scoping and tailoring – New
    3. Standards selection – New
    4. Cryptography – New
  6. Establish handling requirements (markings, labels, storage, destruction of sensitive information) – From Domain 7, subheading a in the old version.

Domain 2 – Just the New Topics already

Here’s a closer look at the new topics in Domain 2.

Knowledge Area A, Classify information and supporting assets (e.g., sensitivity, criticality) – Although this is a new knowledge area, it was covered (though briefly) as part of the former CISSP. It covers the procedures for classifying information and assets as part of securing them.

Knowledge Area B, Determine and maintain ownership (e.g., data owners, system owners, business/mission owners) – This is a new knowledge area. It focuses on determining which organizational entity or personnel owns the assets you have identified.

Knowledge Area C, Protect privacy – This is another new knowledge area. It discusses protecting the privacy of information and assets. All of the subheadings in this category are also new.

  • Data owners – This is a new topic. It covers the responsibilities of data owners to ensure the privacy of information and assets.
  • Data processors – This is a new topic. It focuses on ensuring that all data processors (including personnel and other assets) understand the importance of information and asset privacy.
  • Data remanence – This is a new topic. It discusses data remanence and its effects on information and asset privacy.
  • Collection limitation – This is a new topic. It focuses on the collection limitations regarding asset privacy.

From Knowledge Area E, Determine data security controls (e.g., data at rest, data in transit):

  • Baselines – This is a new topic. It covers how to obtain data security control baselines.
  • Scoping and tailoring – This is a new topic. It analyzes how to scope and tailor the data security controls to meet the organization’s needs.
  • Standards selection – This is a new topic. It focuses on how to select the security control standards that your organization will use.
  • Cryptography – While technically a new topic, knowledge of cryptography and its effect on data security were covered in Domain 5 in the old version.

Recap

In the coming weeks, I will be posting the other 3 parts of this series. (Hyperlinks will be added as the posts are written.)

      • Part 1 covered general information about the new CISSP.
      • Part 2 (this post) covers new Domains 1 and 2.
      • Part 3 will cover new Domains 3 and 4.
      • Part 4 will cover new Domains 5 and 6.
      • Part 5 will cover new Domains 7 and 8.

The next three posts will come over the next few weeks.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin

CISSP 2015: What’s New (Part 1 of 5)

August 26, 2015 at 8:43 am | Posted in CISSP, Study hints, study tips | Leave a comment

As many of you are probably aware, (ISC)2 updated the Certified Information Systems Security Professional (CISSP) exam in April 2015. You may be worried that the update meant all the existing CISSP products out there immediately became obsolete. Fortunately, that is just not true.

So what did change? Well, there are several points that you need to understand about this new version. (ISC)2 posted a wonderful FAQ regarding the new version: https://www.isc2.org/cissp-sscp-domains-faq/default.aspx.

Here’s what I found from my own investigation of the new CISSP exam.

No topics were REMOVED from the exam.

From the FAQ link above: “Some topics have been expanded (e.g., asset security, security assessment and testing), while other topics have been realigned under different domains.” There was also this answer to a question: “Content was not removed from the exam and/or training material, but rather refreshed and reorganized to include the most current information and best practices relevant to the global information security industry.”

New topics WERE added to the exam.

From the FAQ link above: “The CISSP exam is being updated to stay relevant amidst the changes occurring in the information security field. Refreshed technical content has been added to the Official (ISC)² CISSP CBK to reflect the most current topics in the information security industry today.”

New item types WERE added to the exam.

The exam includes both multiple choice and “advanced innovative” questions. The new innovative questions are hot spot and drag-and-drop questions. For more information on these question types, see https://www.isc2.org/innovative-cissp-questions/default.aspx.

The exam contains the same number of questions as before.

This exam still has 250 questions. You still have 6 hours to complete the exam.

The exam was condensed from 10 domains to 8 domains.

But let me repeat, content was not removed. It was simply restructured.

The new domains are:

  1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  2. Asset Security (Protecting Security of Assets)
  3. Security Engineering (Engineering and Management of Security)
  4. Communications and Network Security (Designing and Protecting Network Security)
  5. Identity and Access Management (Controlling Access and Managing Identity)
  6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  7. Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

The experience prerequisites have not changed.

Again, as per the FAQ: “For the CISSP, a candidate is required to have a minimum of 5 years of cumulative paid full-time work experience in 2 out of the 8 domains (experience in 2 out of the total number of domains) of the CISSP CBK.”

If you don’t meet the experience requirements, you can still take the exam.

Basically, if you take and pass the exam without having the experience requirements, you don’t get the CISSP certification, but you do become an Associate of (ISC)2. That means they give you six years to meet the experience and CISSP endorsement requirements. See https://www.isc2.org/how-to-become-an-associate.aspx for more information on this loophole.

More detailed analysis is in the works!

Now that you are caught up on the basics regarding this exam, you need to understand the difference between the old domains and new domains. In the coming weeks, I will be posting the other 4 parts of this series. (Hyperlinks will be added as the posts are written.)

  • Part 2 covers new Domains 1 and 2
  • Part 3 covers new Domains 3 and 4
  • Part 4 covers new Domains 5 and 6
  • Part 5 covers new Domains 7 and 8

Each of these posts will show you where any topics that were in the old version came from and highlight any new topics.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin Abernathy

CISSP Exam Changing Scope, Topic Coverage on April 15, 2015

February 11, 2015 at 11:17 am | Posted in CISSP | Leave a comment
ETA 1/12/2016: Check out Robin’s five-part breakdown of the new CISSP exam topics, starting here: CISSP 2015: What’s New (Part 1 of 5)

(ISC)2 announced a new CISSP exam blueprint that will go into effect on April 15, 2015, so that the exam may “stay relevant amidst the changes occurring in the information security field.” As a result of this update, the 10 domains currently tested in the CISSP exam will be restructured as the following 8 domains:

  • Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  • Asset Security (Protecting Security of Assets)
  • Security Engineering (Engineering and Management of Security)
  • Communications and Network Security (Designing and Protecting Network Security)
  • Identity and Access Management (Controlling Access and Managing Identity)
  • Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  • Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  • Software Development Security (Understanding, Applying, and Enforcing Software Security)

However, this change does not necessarily mean fewer topics are covered. According to the FAQs, “Some topics have been expanded (e.g., asset security, security assessment and testing), while other topics have been realigned under different domains.” The number of questions and the amount of time allowed for the exam have not changed.

To download a free copy of the new Client Information Bulletin (CIB), which contains the exam blueprint, you can go to https://www.isc2.org/exam-outline/default.aspx. To find out more information, you should access the FAQ about this new version at https://www.isc2.org/cissp-sscp-domains-faq/default.aspx.

If you are currently preparing for this exam, I suggest you make plans to take the exam BEFORE April 15, 2015. If you plan to take the exam after that date, you will need to make sure that the study materials that you use cover all the new domains and topics. Also, keep in mind that this exam now includes performance-based questions. Because this exam is typically not denoted with a version number (e.g., there is no CISSP-002 exam, only the CISSP), you may not be able to tell which version of the exam you are signing up for unless you schedule it well before the cut-off of April 15.

We at Transcender will be updating our practice test later this year. Our current practice test already includes performance-based questions intended to help you prepare for this testing format, and we will definitely include updated performance-based questions in the new version.

Watch for more posts later on the CISSP changes!

-Robin

Transcender pros have published the perfect stocking stuffer

December 11, 2013 at 5:34 pm | Posted in CISSP, Study hints, Transcender news | Leave a comment

Transcender developers Robin Abernathy and Troy McMillan have written the latest CISSP Cert Guide published by Pearson IT Certification, a leading publisher in the IT textbook and study guide field. This book is now available in print and electronic format through Amazon, Safari Books Online, Barnes & Noble, and other retailers, as well as directly from Pearson IT.

CISSP guide

This book was released at the end of November. Purchasing the print copy also grants you a 45-day free trial of the e-edition through Safari Books Online. The print and electronic versions include two practice exams. The Premium Edition eBook includes additional practice exams and a more detailed answer key.

The authors were kind enough (a.k.a. they’re sitting right next to me, so they don’t really have a choice) to provide a brief Q&A regarding the content.

Q. Would you say this book is exam-focused, or more of a general learning tool?

A. Definitely exam-focused. It skips all of the intro fluff and goes right to the meat of the exam topics.

Q. Who is the intended audience for this book?

A. The (ISC)2 CISSP exam itself requires that you have four to five years of hands-on experience in information systems security before trying to pass the test. This book contains what any EXPERIENCED security professional needs to review to pass the exam. It’s not designed for beginners.

Q. Do you need to own any particular equipment to use this book effectively?

A. The more devices and hardware you can use to practice the various security techniques, the better. For the book itself you’ll need a Windows desktop or VM to run the practice test engine.

2012 CISSP Update Released by Transcender

March 14, 2012 at 8:27 am | Posted in CISSP, Transcender news, Vendor news | 7 Comments

Back in September and October, I wrote a few posts regarding the 2012 update to the CISSP exam. (If you missed them, see the post on part I of the changes here, and the post on part II of the changes here.) If you remember, there wasn’t a large amount of new content. Most of the changes are mainly the moving of a subdomain from one domain to another or the revision of the wording of a subdomain.

With that said, we have now released a new version of our CISSP practice test that covers the 2012 Exam Guide. For these latest updates, we have taken the time to write new questions to ensure that you understand these topics. We have also moved the content according to the new Exam Guide. Finally, we have revised some of our old questions to better reflect the live exam experience.

We hope that you’ll take the time to study the explanations when studying for this exam. The explanations often go beyond the scope of the question itself to ensure that you fully understand the topics that you may see on the exam.

Keep in mind that we reference Shon Harris’ CISSP All-in-One Exam Guide, 5th Edition. Word is that a 6th Edition will be released at some point. When that occurs, we’ll be sure to update the reference list on the product so you can have a direct link to the new book.

Be sure to drop a comment here if you have any questions regarding this latest update!

-Robin

Transcender’s Cert-CISSP Practice Test: Now and 2012

October 31, 2011 at 8:45 am | Posted in CISSP | Leave a comment

Many of you have probably read the two-part blog post regarding the CISSP updates that are coming in January. Immediately following the post of the 2nd part (here), I started receiving e-mails from customers asking me how they can get this recent update and the update in 2012. Most customers were concerned that they would not be able to get the 2012 updates if they purchased the product now. So I am going to explain what’s different about this version, and how to ensure that you can access these updates.

Current release

The current update for Transcender’s Cert-CISSP practice test (version 2.4.1) is complete, published, and available for purchase. If you previously purchased our Cert-CISSP practice test, and your product is still active, you are eligible to update to this new version at no extra cost. For the online practice test, the updates are performed automatically. If you have the download version or the CD-ROM edition, you will need to update using the update feature in our engine. (Please check our Customer FAQ for more details about the update feature.)

We added about 70 new questions. We also revised the references to point to the Fifth Edition of Shon Harris’ CISSP All-in-One Exam Guide.

Future releases

What about the coming updates in 2012? This update will be a revision of the current content. This will involve writing new questions to cover the new topics that I talked about in the two-part blog post. When complete, this will be version 2.5.1 (you can find your test version number in the “About” section of the test engine).

Please keep in mind that our online edition of the CISSP practice test, which is the least expensive option, only comes with a 30-day license. This means that if you purchase the online version NOW, your license will be expired by the time the next update is published (sometime in Q1 2012). However, if you purchase the download or CD-ROM versions, your license will enable you to update your product using the update feature once we release the 2012 updates. So purchasing the download or CD-ROM version is a better choice if you are not sure you can successfully pass the live exam before ISC2 releases its updates in 2012.

I hope this helps to clarify things a bit for you! Please keep the questions coming.

-Robin
