Source: https://www.fatskills.com/first-aid/chapter/information-security-cissp-domain-review-all-8-domains-summary

Principles of Information Security: CISSP Domain Review (All 8 Domains Summary)

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.



CISSP Domain Review: All 8 Domains Summary – Exam-Ready Study Guide

What This Is

The CISSP (Certified Information Systems Security Professional) covers 8 security domains that form the Common Body of Knowledge (CBK) for cybersecurity governance, risk management, and technical controls. These domains align with NIST SP 800-53, ISO 27001, and OWASP frameworks and are essential for securing organizations against threats like ransomware (e.g., WannaCry), supply chain attacks (e.g., SolarWinds), and insider threats (e.g., Edward Snowden). Mastering these domains ensures you can design, implement, and manage a risk-based security program—critical for passing the CISSP exam and succeeding in real-world security roles.


Key Terms & Concepts

Domain 1: Security and Risk Management

  • CIA Triad: Confidentiality, Integrity, Availability – The foundational goals of security. Example: Encryption (AES-256) ensures confidentiality, hashing (SHA-256) ensures integrity, and RAID ensures availability.
  • Risk Management Framework (RMF): NIST SP 800-37 6-step process (Identify, Assess, Respond, Monitor) for managing security risks.
  • Governance, Risk, and Compliance (GRC): Aligns security policies with business objectives, regulations (GDPR, HIPAA), and standards (ISO 27001, COBIT).
  • Business Impact Analysis (BIA): Identifies critical business functions, recovery time objectives (RTO), and recovery point objectives (RPO). Example: A hospital’s BIA may prioritize patient records (RTO = 1 hour) over cafeteria systems (RTO = 24 hours).
  • Due Care vs. Due Diligence:
    • Due Care: Implementing reasonable security controls (e.g., firewalls, patching).
    • Due Diligence: Continuously monitoring risks (e.g., vulnerability scans, audits).
  • Security Awareness Training: NIST SP 800-50 recommends phishing simulations, role-based training, and gamification to reduce human error.
  • Third-Party Risk Management (TPRM): Assessing vendors (e.g., SOC 2 Type II reports, ISO 27001 certifications) to prevent supply chain attacks.

Domain 2: Asset Security

  • Data Lifecycle: Creation → Storage → Use → Sharing → Archiving → Destruction (NIST SP 800-88 for media sanitization).
  • Data Classification: Public, Internal, Confidential, Restricted (e.g., HIPAA Protected Health Information (PHI), PCI DSS Cardholder Data).
  • Data Retention Policy: Defines how long data is kept (e.g., GDPR’s "right to erasure," IRS 7-year tax record rule).
  • Data Loss Prevention (DLP): Tools like Symantec DLP, Microsoft Purview prevent unauthorized exfiltration (e.g., blocking USB transfers, scanning emails for SSNs).
  • Media Sanitization:
    • Clearing: Overwriting data (e.g., DoD 5220.22-M 7-pass wipe).
    • Purging: Degaussing (magnetic media) or crypto-shredding (deleting encryption keys).
    • Destruction: Physical destruction (e.g., shredding, incineration).

Domain 3: Security Architecture and Engineering

  • Security Models:
    • Bell-LaPadula (BLP): "No read-up, no write-down" (confidentiality).
    • Biba: "No read-down, no write-up" (integrity).
    • Clark-Wilson: Separation of duties (SoD) for commercial systems.
  • Trusted Computing Base (TCB): Hardware, software, and controls that enforce security (e.g., TPM, Secure Boot, hypervisor).
  • Cryptography:
    • Symmetric: AES (128/256-bit); DES (broken); 3DES (deprecated).
    • Asymmetric: RSA (2048+ bits), ECC (smaller keys, same strength), Diffie-Hellman (key exchange).
    • Hashing: SHA-256 is current; SHA-1 is broken; MD5 is subject to collision attacks.
  • Public Key Infrastructure (PKI): X.509 certificates, Certificate Authorities (CAs), CRL/OCSP for revocation.
  • Virtualization & Cloud Security:
    • Hypervisor Types:
      • Type 1 (Bare Metal): VMware ESXi, Microsoft Hyper-V.
      • Type 2 (Hosted): VirtualBox, VMware Workstation.
    • Cloud Models: IaaS (AWS EC2), PaaS (Azure App Service), SaaS (Salesforce).
    • Shared Responsibility Model: Cloud provider secures infrastructure; customer secures data/apps.

Domain 4: Communication and Network Security

  • OSI Model (7 Layers):

    | Layer | Name         | Example Protocols/Devices  |
    |-------|--------------|----------------------------|
    | 7     | Application  | HTTP, FTP, SMTP            |
    | 6     | Presentation | SSL/TLS, JPEG, MPEG        |
    | 5     | Session      | NetBIOS, RPC               |
    | 4     | Transport    | TCP (reliable), UDP (fast) |
    | 3     | Network      | IP, ICMP, Routers          |
    | 2     | Data Link    | Ethernet, MAC, Switches    |
    | 1     | Physical     | Cables, Hubs, Repeaters    |

  • TCP/IP Model (4 Layers):
    • Application (OSI 5-7), Transport (OSI 4), Internet (OSI 3), Network Access (OSI 1-2).
  • Firewalls:
    • Packet Filtering: Stateless (e.g., iptables).
    • Stateful Inspection: Tracks connections (e.g., Cisco ASA).
    • Next-Gen (NGFW): Deep packet inspection (e.g., Palo Alto, Fortinet).
  • VPNs:
    • Site-to-Site: IPsec (IKEv2, ESP).
    • Remote Access: SSL/TLS (OpenVPN, AnyConnect).
  • Wireless Security:
    • WPA3: Latest standard (WEP is broken; WPA2 has KRACK vulnerabilities).
    • EAP Methods: PEAP (MS-CHAPv2), EAP-TLS (certificate-based).
  • Network Attacks:
    • MITM (Man-in-the-Middle): ARP spoofing, SSL stripping.
    • DDoS: SYN floods, DNS amplification.
    • DNS Attacks: Cache poisoning, DNS tunneling.

Domain 5: Identity and Access Management (IAM)

  • Authentication Factors:
    • Something you know (password, PIN).
    • Something you have (smart card, OTP token).
    • Something you are (fingerprint, retina scan).
    • Somewhere you are (GPS, IP geolocation).
    • Something you do (keystroke dynamics).
  • Multi-Factor Authentication (MFA): NIST SP 800-63B recommends 2+ factors (e.g., password + TOTP).
  • Single Sign-On (SSO): SAML, OAuth 2.0, OpenID Connect (e.g., "Sign in with Google").
  • Access Control Models:
    • DAC (Discretionary): Owner sets permissions (e.g., Windows NTFS).
    • MAC (Mandatory): System enforces labels (e.g., SELinux, military classifications).
    • RBAC (Role-Based): Permissions assigned to roles (e.g., AWS IAM roles).
    • ABAC (Attribute-Based): Dynamic rules (e.g., "Allow access if user is in HR AND device is corporate").
  • Privileged Access Management (PAM): Just-in-Time (JIT) access, session monitoring (e.g., CyberArk, BeyondTrust).
  • Identity Federation: SAML 2.0, SCIM for cross-domain authentication (e.g., Azure AD + AWS SSO).
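To make the access-control models concrete, here is an added example (written for this study guide, not code from the page or from any vendor named above) with three toy policy decision points side by side: MAC with Bell-LaPadula labels from Domain 3, RBAC, and the ABAC rule quoted above ("user is in HR AND device is corporate"). Every user, role, label, and device attribute is constructed, and scoping the ABAC rule to HR records is our own assumption.

```python
"""Toy policy decision points for three access-control models named above:
MAC with Bell-LaPadula labels, RBAC (role -> permission) and ABAC (attribute rule).
Added example for this study guide, not code from the page; every user, role,
label and device attribute below is constructed."""
from __future__ import annotations
from dataclasses import dataclass

# --- MAC / Bell-LaPadula: ordered sensitivity labels enforced by the system, not the owner.
LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}

def blp_allows(clearance: str, label: str, action: str) -> bool:
    """Simple security property: no read-up. *-property: no write-down."""
    s, o = LEVELS[clearance], LEVELS[label]
    if action == "read":
        return s >= o      # subject may read objects at or below its clearance
    if action == "write":
        return s <= o      # subject may write only at or above its clearance
    raise ValueError(f"unknown action {action!r}")

# --- RBAC: permissions attach to roles; users are assigned roles, never raw permissions.
ROLE_PERMISSIONS = {
    "hr_analyst": {"payroll:read"},
    "hr_manager": {"payroll:read", "payroll:write"},
    "engineer":   {"repo:read", "repo:write"},
}

def rbac_allows(roles: set[str], permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)

# --- ABAC: the decision is a rule over subject, resource and environment attributes.
@dataclass(frozen=True)
class Request:
    subject: dict      # e.g. {"department": "HR"}
    resource: dict     # e.g. {"type": "hr_record"}
    environment: dict  # e.g. {"device_managed": True}

def abac_allows(req: Request) -> bool:
    """The page's rule, 'allow if user is in HR AND device is corporate',
    scoped (our assumption) to HR records only."""
    in_hr = req.subject.get("department") == "HR"
    corporate_device = req.environment.get("device_managed") is True
    hr_record = req.resource.get("type") == "hr_record"
    return in_hr and corporate_device and hr_record

def demo() -> list[str]:
    """Run one decision per model and return human-readable results."""
    out = []
    out.append(f"BLP: Confidential reads Restricted -> {blp_allows('Confidential', 'Restricted', 'read')}")
    out.append(f"BLP: Confidential writes Internal -> {blp_allows('Confidential', 'Internal', 'write')}")
    out.append(f"RBAC: hr_analyst payroll:write -> {rbac_allows({'hr_analyst'}, 'payroll:write')}")
    req = Request({"department": "HR"}, {"type": "hr_record"}, {"device_managed": False})
    out.append(f"ABAC: HR user on unmanaged device -> {abac_allows(req)}")
    return out

if __name__ == "__main__":
    print("\n".join(demo()))
```

The three functions differ in where the policy lives: BLP compares two labels the system assigned, RBAC looks up a role table, and ABAC evaluates a rule over attributes that can change per request (here, whether the device is managed), which is why ABAC is described above as "dynamic".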

Domain 6: Security Assessment and Testing

  • Vulnerability Assessment vs. Penetration Test:
    • VA: Automated scans (e.g., Nessus, OpenVAS) to find CVEs (Common Vulnerabilities and Exposures).
    • Pen Test: Manual exploitation (e.g., Metasploit, Burp Suite) to validate risks.
  • Red Team vs. Blue Team:
    • Red Team: Offensive (simulates attackers).
    • Blue Team: Defensive (SOC, incident response).
    • Purple Team: Collaboration between red/blue.
  • OWASP Top 10 (2021):
    • Broken Access Control (e.g., IDOR).
    • Cryptographic Failures (e.g., weak TLS).
    • Injection (e.g., SQLi, XSS).
    • Insecure Design (e.g., lack of threat modeling).
    • Security Misconfiguration (e.g., default credentials).
  • MITRE ATT&CK Framework: Tactics (e.g., Persistence, Lateral Movement) and Techniques (e.g., Pass-the-Hash, Golden Ticket).
  • Security Testing Types:
    • Static Application Security Testing (SAST): Code analysis (e.g., SonarQube, Checkmarx).
    • Dynamic Application Security Testing (DAST): Runtime testing (e.g., OWASP ZAP, Burp Suite).
    • Interactive Application Security Testing (IAST): Combines SAST/DAST (e.g., Contrast Security).

Domain 7: Security Operations

  • Incident Response (NIST SP 800-61):
    • Preparation (policies, training).
    • Detection & Analysis (SIEM alerts, log correlation).
    • Containment (short-term: isolate; long-term: patch).
    • Eradication (remove malware, close vulnerabilities).
    • Recovery (restore systems, monitor for recurrence).
    • Lessons Learned (post-mortem, update playbooks).
  • Digital Forensics (NIST SP 800-86):
    • Order of Volatility: Registers → Cache → RAM → Disk → Remote Logs → Backups.
    • Chain of Custody: Legal documentation of evidence handling.
    • Tools: FTK, Autopsy, Volatility (RAM analysis).
  • Disaster Recovery (DR) vs. Business Continuity (BC):
    • DR: IT-focused (e.g., restoring servers from backups).
    • BC: Business-focused (e.g., alternate work sites, crisis communication).
  • Backup Strategies:
    • Full Backup: Complete copy (slow, storage-heavy).
    • Incremental Backup: Only changes since last backup (fast, but slow restore).
    • Differential Backup: Changes since last full backup (faster restore than incremental).
  • Security Operations Center (SOC):
    • Tier 1: Alert triage (e.g., Splunk, IBM QRadar).
    • Tier 2: Incident investigation (e.g., EDR tools like CrowdStrike, SentinelOne).
    • Tier 3: Threat hunting (e.g., MITRE ATT&CK, YARA rules).
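The backup trade-offs listed above (storage cost versus restore effort) are easy to see when you simulate them. The following is an added example written for this study guide, not code from the page: it runs full, incremental, and differential schedules over a constructed five-day change history, then reports how much data each schedule holds and how many backup sets a restore of the last day must apply. The file names, contents, and "weekly full on day 0" schedule are all assumptions.

```python
"""Simulates full, incremental and differential backup schedules over a
constructed week of file changes, then measures what each costs in storage and
how many backup sets a restore must apply. Added example for this study guide,
not code from the page; the change history is made up."""
from __future__ import annotations

# Constructed history: day -> {filename: content written that day}. Day 0 is the weekly full.
CHANGES = {
    0: {"a.txt": "a0", "b.txt": "b0", "c.txt": "c0"},
    1: {"a.txt": "a1"},
    2: {"b.txt": "b2"},
    3: {"a.txt": "a3", "d.txt": "d3"},
    4: {"c.txt": "c4"},
}

def live_state(day: int) -> dict[str, str]:
    """What the file system looks like at the end of `day`."""
    state: dict[str, str] = {}
    for d in range(day + 1):
        state.update(CHANGES.get(d, {}))
    return state

def changes_between(after_day: int, upto_day: int) -> dict[str, str]:
    """Files touched on days after_day+1 .. upto_day; newest content wins."""
    data: dict[str, str] = {}
    for d in range(after_day + 1, upto_day + 1):
        data.update(CHANGES.get(d, {}))
    return data

def make_backups(strategy: str) -> list[dict]:
    """Day 0 is always a full backup; later days follow `strategy`."""
    sets = [{"day": 0, "kind": "full", "data": live_state(0)}]
    last_backup_day = 0
    for day in sorted(CHANGES)[1:]:
        if strategy == "full":
            sets.append({"day": day, "kind": "full", "data": live_state(day)})
        elif strategy == "incremental":      # changes since the previous backup of any kind
            sets.append({"day": day, "kind": "incremental", "data": changes_between(last_backup_day, day)})
        elif strategy == "differential":     # changes since the last *full* backup
            sets.append({"day": day, "kind": "differential", "data": changes_between(0, day)})
        else:
            raise ValueError(strategy)
        last_backup_day = day
    return sets

def storage_cost(sets: list[dict]) -> int:
    """Total bytes held across all backup sets (content length as a proxy)."""
    return sum(len(v) for s in sets for v in s["data"].values())

def restore(sets: list[dict], target_day: int) -> tuple[dict[str, str], int]:
    """Rebuild the state as of target_day; return (state, number of sets applied)."""
    base = [s for s in sets if s["kind"] == "full" and s["day"] <= target_day][-1]
    state = dict(base["data"])
    later = [s for s in sets if base["day"] < s["day"] <= target_day]
    if not later:                                   # full strategy: one set and done
        return state, 1
    if later[-1]["kind"] == "differential":         # only the newest differential is needed
        state.update(later[-1]["data"])
        return state, 2
    for s in later:                                 # every incremental, oldest first
        state.update(s["data"])
    return state, 1 + len(later)

def compare(target_day: int = 4) -> dict[str, tuple[int, int]]:
    """strategy -> (storage_cost, sets_applied_on_restore); all three restores must match."""
    results = {}
    for strategy in ("full", "incremental", "differential"):
        sets = make_backups(strategy)
        state, applied = restore(sets, target_day)
        assert state == live_state(target_day), strategy   # every strategy must restore correctly
        results[strategy] = (storage_cost(sets), applied)
    return results

if __name__ == "__main__":
    for name, (cost, applied) in compare().items():
        print(f"{name:12s} storage={cost:3d}  sets applied on restore={applied}")
```

On this history the full schedule holds the most data but restores from one set, incremental holds the least but must replay every set since the full (and a single missing or corrupt incremental breaks the chain), and differential sits between them: more storage than incremental, but a restore needs only the full plus the newest differential.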

Domain 8: Software Development Security

  • Secure SDLC (NIST SP 800-64):
    • Planning (requirements, threat modeling).
    • Design (secure architecture, STRIDE).
    • Implementation (secure coding, SAST).
    • Testing (DAST, fuzzing).
    • Deployment (hardening, least privilege).
    • Maintenance (patching, monitoring).
  • OWASP Secure Coding Practices:
    • Input Validation: Prevent SQLi, XSS (e.g., parameterized queries).
    • Output Encoding: Mitigate XSS (e.g., HTML entity encoding).
    • Authentication: NIST SP 800-63B (e.g., no password complexity rules, use MFA).
    • Session Management: Secure, HttpOnly, SameSite cookies.
  • DevSecOps: Integrating security into CI/CD pipelines (e.g., GitHub Actions, Jenkins with SonarQube).
  • API Security: OWASP API Top 10 (e.g., broken object-level authorization, excessive data exposure).
  • Container Security:
    • Docker: Least privilege (non-root), image scanning (Trivy, Clair).
    • Kubernetes: Pod security policies, network policies (Calico).
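Three of the OWASP secure-coding practices above, each shown next to the unsafe pattern it replaces, as an added example written for this study guide (not code from the page or from OWASP): a parameterized query beside string-built SQL, HTML entity encoding beside raw interpolation, and a session cookie carrying the Secure, HttpOnly and SameSite flags. The in-memory users table, the user names, and the test inputs are constructed.

```python
"""Secure-coding practices side by side with the unsafe pattern each replaces:
parameterized queries (SQL injection), output encoding (XSS) and session-cookie
flags. Added example for this study guide, not code from the page; the users
table and inputs are constructed."""
from __future__ import annotations
import html
import sqlite3
from http.cookies import SimpleCookie

def build_db() -> sqlite3.Connection:
    """In-memory table with a constructed user list (one name contains a quote)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"),
         ("bob", "bob@example.invalid"),
         ("o'brien", "obrien@example.invalid")],
    )
    return conn

# --- Input validation / SQL injection --------------------------------------
def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable: the caller-supplied value is spliced into the SQL text, so a
    quote character changes the statement's structure (a legitimate name such as
    o'brien even makes it a syntax error)."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Hardened: a bound parameter is sent as data; it can never become SQL syntax."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# --- Output encoding / XSS -------------------------------------------------
def greeting_unsafe(name: str) -> str:
    """Vulnerable: raw user text lands inside the HTML document."""
    return f"<p>Hello, {name}</p>"

def greeting_safe(name: str) -> str:
    """Hardened: HTML entity encoding turns markup characters into inert text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

# --- Session management / cookie flags -------------------------------------
def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with Secure, HttpOnly and SameSite=Strict set."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["secure"] = True        # only sent over TLS
    jar["session"]["httponly"] = True      # not readable from document.cookie
    jar["session"]["samesite"] = "Strict"  # not sent on cross-site requests
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()

def demo() -> dict[str, object]:
    """Run each unsafe/safe pair on the same input and collect the results."""
    conn = build_db()
    tautology = "' OR '1'='1"   # classic SQLi test string, used only to show the difference
    return {
        "unsafe_rows": find_user_unsafe(conn, tautology),   # every user is returned
        "safe_rows": find_user_safe(conn, tautology),       # no user has that literal name
        "quote_name": find_user_safe(conn, "o'brien"),      # legitimate quote handled correctly
        "unsafe_html": greeting_unsafe("<b>Bob</b>"),
        "safe_html": greeting_safe("<b>Bob</b>"),
        "cookie": session_cookie_header("constructed-session-id"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the pairing is that the hardened versions are not "more careful string handling": they move the untrusted value out of the code path entirely, as a bound parameter, as encoded text, or as a cookie the browser will refuse to expose to scripts or send over plain HTTP.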

Step-by-Step / Process Flow

1. Conducting a Risk Assessment (Domain 1)

  1. Identify Assets: Inventory hardware, software, data, people (e.g., CMDB, asset management tools).
  2. Identify Threats: Use STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege) or MITRE ATT&CK.
  3. Identify Vulnerabilities: Vulnerability scans (Nessus), penetration tests, code reviews.
  4. Assess Impact & Likelihood: Qualitative (Low/Medium/High) or Quantitative (ALE = SLE × ARO).
  5. Risk Response: Mitigate (controls), Accept (risk appetite), Transfer (insurance), Avoid (discontinue activity).
  6. Document & Monitor: Risk register, GRC tools (e.g., RSA Archer, ServiceNow).

2. Implementing IAM (Domain 5)

  1. Define Access Policies: Least privilege, separation of duties (SoD).
  2. Choose Authentication Method: MFA (TOTP, FIDO2), SSO (SAML/OAuth).
  3. Enforce Access Controls: RBAC (roles), ABAC (attributes), MAC (labels).
  4. Monitor & Audit: SIEM logs (failed logins, privilege escalations), PAM tools (session recording).
  5. Review & Revoke: Periodic access reviews (e.g., quarterly), deprovisioning (HR offboarding).

3. Incident Response (Domain 7)

  1. Preparation: IRP (Incident Response Plan), playbooks, tabletop exercises.
  2. Detection: SIEM alerts (e.g., "Multiple failed logins from Russia"), EDR detections.
  3. Containment:
     • Short-term: Isolate affected systems (e.g., network segmentation, disabling RDP).
     • Long-term: Patch vulnerabilities, reset credentials.
  4. Eradication: Remove malware (e.g., Cuckoo Sandbox), close backdoors.
  5. Recovery: Restore from clean backups, monitor for recurrence.
  6. Lessons Learned: Post-mortem, update IRP, train staff.
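The detection step above gives "multiple failed logins" as its example alert. The following is an added example written for this study guide, not code from the page or from any SIEM product: a per-source sliding-window detector over a constructed authentication log that raises a brute-force alert once a threshold of failures falls inside the window, and a higher-priority alert when a success follows that burst. The log line format, user names, and addresses are all made up.

```python
"""Detection logic for the 'multiple failed logins' example: a per-source sliding
window over constructed authentication log lines. Added example for this study
guide, not code from the page; the log format, users and addresses are made up."""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth: "
    r"(?P<result>FAILED|ACCEPTED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source hammers 'alice' and then gets in; another fails twice, normally.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth: FAILED user=alice src=203.0.113.5
2024-03-01T10:00:04Z auth: FAILED user=bob src=198.51.100.7
2024-03-01T10:00:05Z auth: FAILED user=alice src=203.0.113.5
2024-03-01T10:00:09Z auth: FAILED user=alice src=203.0.113.5
2024-03-01T10:00:15Z auth: FAILED user=alice src=203.0.113.5
2024-03-01T10:00:18Z auth: FAILED user=bob src=198.51.100.7
2024-03-01T10:00:20Z auth: FAILED user=alice src=203.0.113.5
2024-03-01T10:00:25Z auth: ACCEPTED user=alice src=203.0.113.5
2024-03-01T10:00:40Z auth: ACCEPTED user=bob src=198.51.100.7
kernel: unrelated line that the parser must skip
"""

def parse(line: str) -> dict | None:
    """Turn one log line into an event, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}

def detect(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Return alerts in the order they fire: one brute_force alert per source per
    burst, plus success_after_burst if that source then authenticates while the
    burst is still inside the window."""
    failures: dict[str, deque] = defaultdict(deque)   # src -> timestamps of recent failures
    bursting: set[str] = set()                         # sources already alerted on
    alerts: list[dict] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:          # drop failures older than the window
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in bursting:
                bursting.add(ev["src"])
                alerts.append({"type": "brute_force", "src": ev["src"],
                               "count": len(q), "at": ev["ts"].isoformat()})
        else:  # ACCEPTED
            if ev["src"] in bursting and q:             # burst still within the window
                alerts.append({"type": "success_after_burst", "src": ev["src"],
                               "user": ev["user"], "at": ev["ts"].isoformat()})
            q.clear()                                   # a success resets the burst state
            bursting.discard(ev["src"])
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the fifth failure from 203.0.113.5 at 10:00:20 fires the brute-force alert and the accepted login five seconds later escalates it, while the two failures from 198.51.100.7 never reach the threshold. In a SIEM, the same logic is normally expressed as a count-over-time rule grouped by source; the second alert type is the one worth routing straight to Tier 2, since it indicates the attempts may have succeeded.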

Common Mistakes

| Mistake | Correction |
|---------|------------|
| Assuming encryption alone ensures security. | Encryption protects confidentiality, but integrity (hashing) and availability (redundancy) are also critical. |
| Confusing "due care" with "due diligence." | Due care = implementing controls; due diligence = continuously monitoring risks. |
| Thinking WPA2 is fully secure. | WPA2 has KRACK vulnerabilities; use WPA3 or EAP-TLS. |
| Believing backups are enough for DR. | Backups must be tested, air-gapped, and aligned with RTO/RPO. |
| Ignoring the "human factor" in security. | 80% of breaches involve human error (phishing, misconfigurations). Train employees! |

Certification Exam Tips

CISSP-Specific Tips

  1. Management vs. Technical: CISSP is 80% management, 20% technical. Focus on policies, frameworks (NIST, ISO), and risk management over deep technical details.
  2. Scenario-Based Questions: Expect "Which is the BEST approach?" questions. Eliminate extreme answers (e.g., "always," "never").
  3. Memorize Key Frameworks:
     • NIST SP 800-53 (security controls).
     • ISO 27001 (ISMS).
     • COBIT (IT governance).
  4. Understand "Defense in Depth": Layered security (e.g., firewall + IDS + endpoint protection + user training).

Security+ & CEH Tips

  1. Ports & Protocols: Know common ports (e.g., 22=SSH, 443=HTTPS, 3389=RDP) and TCP vs. UDP.
  2. Attack vs. Defense: CEH = offensive (how to hack); Security+ = defensive (how to stop hacks).
  3. Tools: Security+ = SIEM, firewalls, DLP; CEH = Metasploit, Wireshark, John the Ripper.
  4. Acronyms: Expand every acronym (e.g., "What does SAML stand for?").

Quick Check Questions

Question 1

A company’s Business Impact Analysis (BIA) identifies that its customer database must be restored within 4 hours to avoid significant financial loss. Which metric does this describe?

  A. Recovery Time Objective (RTO)
  B. Recovery Point Objective (RPO)
  C. Maximum Tolerable Downtime (MTD)
  D. Mean Time to Repair (MTTR)

Explanation: RTO is the maximum acceptable time to restore a system after a disruption.


Question 2

During a penetration test, an attacker exploits a misconfigured S3 bucket to exfiltrate PII (Personally Identifiable Information). Which OWASP Top 10 category does this fall under?

  A. Security Misconfiguration
  B. Broken Access Control
  C. Insecure Design
  D. Cryptographic Failures

Explanation: Security Misconfiguration includes default settings, unpatched systems, and exposed cloud storage.


Question 3

A CISSP candidate is asked to explain the difference between symmetric and asymmetric encryption. Which statement is correct?

  A. Symmetric encryption uses the same key for encryption and decryption, while asymmetric uses a public/private key pair.
  B. Symmetric encryption is slower but more secure than asymmetric.
  C. Asymmetric encryption is used for bulk data encryption, while symmetric is used for key exchange.
  D. Symmetric encryption is only used in PKI, while asymmetric is used in TLS.

Explanation: Symmetric = same key (fast, e.g., AES); Asymmetric = public/private keys (slow, e.g., RSA).


Last-Minute Cram Sheet

  1. CIA Triad: Confidentiality (encryption), Integrity (hashing), Availability (redundancy).
  2. Risk Formula: ALE = SLE × ARO (Annualized Loss Expectancy = Single Loss Expectancy × Annualized Rate of Occurrence).
  3. NIST RMF Steps: Identify → Assess → Respond → Monitor.
  4. OSI Model Layers: 7 (Application) to 1 (Physical). TCP/IP = 4 layers (Application, Transport, Internet, Network Access).
  5. Firewall Types: Packet Filtering (stateless) → Stateful → NGFW (DPI).
  6. IAM Factors: Something you know / have / are / do, plus somewhere you are (location).
  7. Incident Response (NIST): Prep → Detect → Contain → Eradicate → Recover → Lessons Learned.
  8. OWASP Top 3 (2021): Broken Access Control, Cryptographic Failures, Injection.
  9. Ports to Know: 22 (SSH), 23 (Telnet, insecure), 80 (HTTP), 443 (HTTPS), 3389 (RDP).
  10. Cryptography:
     • Symmetric: AES-256 (DES is broken).
     • Asymmetric: RSA (2048+ bits), ECC (smaller keys).
     • Hashing: SHA-256 (MD5/SHA-1 are broken).

Final Tip: CISSP is about "why" (strategy), not "how" (tactics). Focus on risk management, governance, and frameworks—not just technical details!