Passed my CISSP!
Woo. Mostly studied the Shon Harris book. Wrote my own study guide and practiced off the included CD. I had "CISSP for dummies" but it was a terrible read and not nearly as helpful as the Shon Harris book.
On a less fun note, one of my new co-workers just failed hers a few days ago. I guess that is good, relatively speaking?
On a less fun note, one of my new co-workers just failed hers a few days ago. I guess that is good, relatively speaking?
Comments
Congrats on your passing. Great achievement. Did the Sec+ help in prepping for CISSP? Are you able to share the study guide you put together? Is it in soft form?
Unfortunately, the way I ended up going was writing most of the things I wanted to learn into a kind of ghetto Python 3 flash card system that allowed you to do flash cards on chapter, question type, etc. Mostly, studying on how to script more efficiently and effectively in Python coincided with my study time so I tried to mix the two.
Snippet of an older version...
#program written to help study for CISSP import os class TestBank: def __init__(self, index, question, answer, chapter, type): self.i = index self.q = question self.a = answer self.c = chapter self.t = type a = [] a.append(TestBank(len(a)+1,'What is the definition of Information Warfare?','can be defined \ as any action to deny, exploit, corrupt, or destroy the enemy’s information and its \ function, while at the same time protecting oneself against those same actions.', 2, 'defn')) a.append(TestBank(len(a)+1,'What is the objective of security and a security program?','To protect\ the company and its assets.', 3, '')) a.append(TestBank(len(a)+1,'What approach should Information Security be applied in? ', ' Top-down ', 3 ,' ')) a.append(TestBank(len(a)+1,'What are three types of controls that can be used to achieve management security directives? ', ' Administrative, Technical (logical), and Physical ', 3 ,' list ')) a.append(TestBank(len(a)+1,'What are examples of administrative controls? ', ' Policies, standards, procedures, and guidelines; risk management; screening of personnel; conducting training; and implementing change control procedures. ', 3 ,' defn ')) a.append(TestBank(len(a)+1,'What are examples of a Technical Control? ', ' Implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices, and configuration of the infrastructure. ', 3 ,' defn ')) a.append(TestBank(len(a)+1,'What are examples of Physical Controls? ', ' These entail controlling individual access into the facility and different departments, locking systems and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls. ', 3 ,' defn ')) a.append(TestBank(len(a)+1,'Who is held liable for any negligence when it comes to protecting the companys information assets? ', ' Information Owner ', 3 ,' defn ')) a.append(TestBank(len(a)+1,'What is due care? ', ' a legal term and concept used to help determine liability in a court of law. If someone is practicing due care, they are acting responsibly and will have a lower probability of being found negligent and liable if something bad takes place. ', 3 ,' defn ')) a.append(TestBank(len(a)+1,'What are the three MAIN PRINCIPLES of all security programs?', 'availability, integrity, and confidentiality.',3,'list')) a.append(TestBank(len(a)+1,'What are the three main principles of security programs known as?', 'The CIA triad',3,'defn')) a.append(TestBank(len(a)+1,'What part of the CIA triad ensures reliability and timely access to data and resources to authorized individuals?', 'Availability',3,'defn')) a.append(TestBank(len(a)+1,'What part of the CIA traid is upheld when the assurance of the accuracy and reliability of the information and systems is provided, and any unauthorized modification is prevented?', 'Integrity',3,'defn')) a.append(TestBank(len(a)+1,'Which part of the CIA triad ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure?', 'Confidentiality',3,'defn')) a.append(TestBank(len(a)+1,'What is shoulder surfing?', 'when a person looks over another person’s shoulder and watches their keystrokes or views data as it appears on a computer screen. ',3,'defn')) a.append(TestBank(len(a)+1,'What is social engineering?', 'when one person tricks another person into shar- ing confidential information, for example, by posing as someone authorized to have access to that information.',3,'defn')) a.append(TestBank(len(a)+1,'Define vulnerability.', 'a software, hardware, procedural, or human weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment.',3,'defn')) a.append(TestBank(len(a)+1,'Define threat.', 'any potential danger to information or systems.',3,'defn')) a.append(TestBank(len(a)+1,'Define risk.', 'the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.',3,'defn')) a.append(TestBank(len(a)+1,'Define exposure.', 'an instance of being exposed to losses from a threat agent.',3,'defn')) a.append(TestBank(len(a)+1,'Define countermeature, or safeguard', 'put into place to mitigate the potential risk. ',3,'defn')) a.append(TestBank(len(a)+1,'Is security through obscurity recommended?', 'No',3,'tf')) a.append(TestBank(len(a)+1,'What is Kerchoffs principle?', 'No algorithm should be kept secret; only the key should be the secret component.',3,'defn')) a.append(TestBank(len(a)+1,'What are the different types of goals and what are their associated timeframes?', 'Operational goals are daily; Tactical goals are midterm; Strategic goals are long-term.',3,'list')) a.append(TestBank(len(a)+1,'What is the term for planning via strategic, operational, and tactical goals?', 'Planning Horizon',3,'defn')) a.append(TestBank(len(a)+1,'What are the four domains of the CobiT (Control Objectives for Information and related Technology) framework?', 'Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.',3,'list')) a.append(TestBank(len(a)+1,'When companies turn to standards and industry best practices for how to set up a security program, what was the most common standard, and from what was it designed?', 'ISO 17799 which was derived from the de facto standard: British Standard 7799 (BS7799). BS7799 has two parts: BS7799 Part 1 outlines control objectives and controls to meet those, BS7799 Part 2 outlines how a security program can be set up and maintained as well as serving as a baseline against which organizations may be certified.',3,'defn')) a.append(TestBank(len(a)+1,'How does one become certified against ISO 17799?', 'An authorized third party would evaluate the organization against the requirements of ISO17799 Part 2. They can be certified against all or part of ISO 17799 Part 2.',3,'defn')) a.append(TestBank(len(a)+1,'What are the components of the CobiT framework?', 'Control environment; Risk assessment; Control activities; Information and communication; Monitoring',3,'list')) a.append(TestBank(len(a)+1,'ISO/IEC 27000 series are used for what?', 'Blueprints for organizations to follow when developing their security program.',3,'defn')) a.append(TestBank(len(a)+1,'Explain ISO/IEC 27001.', 'Based on British Standard BS7799 Part 2, which is establishment, implementation, control, and improvement of the Information Security Management System',3,'defn')) a.append(TestBank(len(a)+1,'Explain ISO/IEC 27002.', 'Code of practice providing good practice advice on ISMS (previously known as ISO 17799), itself based on British Standard BS 7799 Part 1',3,'defn')) a.append(TestBank(len(a)+1,'Explain ISO/IEC 27004.', 'A standard for information security management measurements',3,'defn')) a.append(TestBank(len(a)+1,'Explain ISO/IEC 27005.', 'Designed to assist the satisfactory implementation of information security based on a risk management approach',3,'defn')) a.append(TestBank(len(a)+1,'Explain ISO/IEC 27006.', 'A guide to the certification/registration process.',3,'defn')) a.append(TestBank(len(a)+1,'Explain ISO/IEC 27799.', 'A guide to illustrate how to protect personal health information',3,'defn')) a.append(TestBank(len(a)+1,'Enumerate the ISO/IEC 27002 (formerly ISO 17799) domains.', 'Information security policy for the organization, creation of information security infrastructure, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, system development and maintenance, business continuity management, compliance.',3,'list')) a.append(TestBank(len(a)+1,'What does ITIL stand for? What is it?', 'The Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management.',3,'defn')) a.append(TestBank(len(a)+1,'What is Security Governance?', 'all of the tools, personnel, and business processes necessary to ensure that the security implemented meets the organization’s specific needs.',3,'defn')) a.append(TestBank(len(a)+1,'What are the steps of the life cycle approach of security program development?', '1. Plan and organize. 2. Implement. 3. Operate and maintain. 4. Monitor and evaluate.',3,'list')) a.append(TestBank(len(a)+1,'Define Risk Analysis.', ' is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security safeguards.',3,'defn')) a.append(TestBank(len(a)+1,'What does a cost/benefit comparison do?', 'compares the annualized cost of safeguards to the potential cost of loss.',3,'defn')) a.append(TestBank(len(a)+1,'Define project sizing.', 'understand what assets and threats should be evaluated. ',3,'defn')) a.append(TestBank(len(a)+1,'Who should make up the Risk Analysis team?', 'The team members may be part of management, application programmers, IT staff, systems integrators, and opera- tional managers—indeed, any key personnel from key areas of the organization.',3,'defn')) a.append(TestBank(len(a)+1,'What is illogical processing / cascading errors?', 'invalid results are passed on to another process.',3,'defn')) a.append(TestBank(len(a)+1,'Define loss potential.', 'What the company would lose if a threat agent were actually to exploit a vulnerability.',3,'defn')) a.append(TestBank(len(a)+1,'The NIST SP 800-66 was initally created for risk assessment of what field?', 'Healthcare and other regulated industries (HIPAA).',3,'defn')) a.append(TestBank(len(a)+1,'The NIST SP 800-30 risk management methodology is commonly used by who and focuses on what?', 'It is commonly used by security consultants, security officers and internal IT departments, and focuses mainly on computer systems.',3,'defn')) a.append(TestBank(len(a)+1,'What is FRAP? Is it qualitative or quantitative?', 'acilitated Risk Analysis Process. It is designed to explore a qualitative risk as- sessment process',3,'defn')) a.append(TestBank(len(a)+1,'What is OCTAVE? Who created it?', '(Operationally Critical Threat, Asset, and Vulnerability Evaluation) was created by Carnegie Mellon University’s Soft- ware Engineering Institute.',3,'defn')) a.append(TestBank(len(a)+1,'What type of threats do NIST, OCTAVE, and AS/NZS 4360 respectively focus on?', 'NIST = IT threats, OCTAVE = IT threats, AS/NZS 4360 = broad, to understand financial, capital, human safety, and business decisions.',3,'defn')) a.append(TestBank(len(a)+1,'What is FMEA and what does it do?', 'Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure ef- fects through a structured process. ',3,'defn')) a.append(TestBank(len(a)+1,'What is a useful method of identifying failures in a complex environment?', 'Fault tree analysis',3,'defn')) a.append(TestBank(len(a)+1,'Is purely quantitative risk analysis possible?', 'No. There are always uncertainties.',3,'tf')) a.append(TestBank(len(a)+1,'What are the steps of a risk analysis? (5 steps)', '1. Assign value to assets, 2. estimate potential loss per threat, 3. perform a threat analysis, 4. derive the overall annual loss potential per threat, 5. reduce, transfer, avoid, or accept the risk.',3,'list')) a.append(TestBank(len(a)+1,'Explain EF, SLE, ARO, and ALE with regards to risk analysis.', 'SLE = Single loss expectancy, the dollar amount for a single loss event. It is calculated by asset value x exposure factor (EF) = SLE. ARO = Annualized rate of occurence, the estimation of the frequency a threat occurs in a year. ALE = Annualized loss expectancy, SLE x ARO',3,'eq')) a.append(TestBank(len(a)+1,'What are examples of qualitative risk assessment techniques?', 'Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, and interviews.',3,'list')) a.append(TestBank(len(a)+1,'What is the equation for calculating a cost/benefit analysis?', '(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company',3,'eq')) a.append(TestBank(len(a)+1,'What is the formula for total risk?', 'threats × vulnerability × asset value = total risk',3,'eq')) a.append(TestBank(len(a)+1,'What is the formula for residual risk?', '(threats × vulnerability × asset value) × controls gap = residual risk',3,'eq')) a.append(TestBank(len(a)+1,'What are the four ways risk can be dealt with?', 'Transfer, Avoidance, Mitigation, Acceptance',3,'list')) a.append(TestBank(len(a)+1,'What is the definition of the security policy?', 's an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.',3,'defn')) a.append(TestBank(len(a)+1,'What are the different types of security policies?', 'Organizational security policy, management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. Issue-specific policy, also called a functional implementing policy, addresses spe- cific security issues that management feels need more detailed explanation and atten- tion to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues. System-specific policy, presents the management’s decisions that are specific to the actual computers, networks, applications, and data.',3,'defn')) a.append(TestBank(len(a)+1,'Define standards.', 'Standards refer to mandatory activities, actions, or rules. Standards can give a policy its support and reinforcement in direction.',3,'defn')) a.append(TestBank(len(a)+1,'List and define the categories of policies (3).', '• Regulatory This type of policy ensures that the organization is following standards set by specific industry regulations. It is very detailed and specific to a type of industry. It is used in financial institutions, healthcare facilities, public utilities, and other government-regulated industries. Advisory This type of policy strongly advises employees as to which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical information or financial transactions, or how to process confidential information. Informative This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company’s goals and mission, and a general reporting structure in different situations.',3,'defn')) a.append(TestBank(len(a)+1,'Define access controls.', 'security features that control how users and systems communicate and interact with other systems and resources.',4,'defn')) a.append(TestBank(len(a)+1,'Define access.', 'the flow of information between a subject and an object.',4,'defn')) a.append(TestBank(len(a)+1,'Define subject and object in relation to access.', 'A subject is an active entity that requests access to an object or the data within an object. A subject can be a user, program, or process that accesses an object to accomplish a task. When a program accesses a file, the program is the subject and the file is the object. An object is a passive entity that contains information. An object can be a computer, database, file, computer program, directory, or field contained in a table within a database.',4,'defn')) a.append(TestBank(len(a)+1,'Define Identification and Authentication with respect to access control.', 'Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. Identifica- tion can be provided with the use of a username or account number. To be properly authenticated, the subject is usually required to provide a second piece to the credential set. This piece could be a password, passphrase, cryptographic key, personal identifica- tion number (PIN), anatomical attribute, or token.',4,'defn')) a.append(TestBank(len(a)+1,'What is a race condition?', 'when processes carry out their tasks on a shared resource in an incorrect order',4,'defn')) a.append(TestBank(len(a)+1,'What is the order of the four steps of access?', 'Identification, Authentication, Authorization, Accountability',4,'list')) a.append(TestBank(len(a)+1,'What is the purpose of directory service?', 'The directory service allows an administrator to configure and manage how identification, authenti- cation, authorization, and access control take place within the network. The objects within the directory are labeled and identified with namespaces. Ex: AD',4,'defn')) a.append(TestBank(len(a)+1,'Most directories follow a hierarchical database format based on what standard?', 'X.500 standard',4,'defn')) a.append(TestBank(len(a)+1,'What allows a directory service to keep entities organized by identifying and naming the objects?', 'namespaces',4,'defn')) a.append(TestBank(len(a)+1,'What type of directory gathers the nec- essary information from multiple sources and stores them in one central directory?', 'meta-directory',4,'defn')) a.append(TestBank(len(a)+1,'Define virtual directory.', 'A virtual directory plays the same role and can be used instead of a meta-directory. The difference between the two is that the meta-directory physically has the identity data in its directory, whereas a virtual directory does not and points to where the actual data resides. ',4,'defn')) a.append(TestBank(len(a)+1,'What does Web Access Management (WAM) software do?', 'Web access management (WAM) software controls what users can access when using a web browser to interact with web-based enterprise assets.',4,'defn')) a.append(TestBank(len(a)+1,'What are the most common password management techniques?', 'Password synchronization, self-service password reset, assisted password reset.',4,'list')) a.append(TestBank(len(a)+1,'What is typically the authoritative source?', 'HR Database',4,'defn')) a.append(TestBank(len(a)+1,'What is the identity repository?', 'Centralized directory',4,'defn')) a.append(TestBank(len(a)+1,'What is user provisioning?', 'refers to the creation, maintenance, and deactivation of user ob- jects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. ',4,'defn')) a.append(TestBank(len(a)+1,'What is a federated identity?', 'a portable identity, and its associated entitlements, that can be used across business boundaries. It allows a user to be authenticated across multiple IT systems and enterprises.',4,'defn')) a.append(TestBank(len(a)+1,'What is the genealogy of markup languages?', 'HTML came from Standard Generalized Markup Language (SGML), which came from the Generalized Markup Lan- guage (GML). A more powerful markup language, Extensible Markup Language (XML), was devel- oped as a specification to create various markup languages.',4,'list')) a.append(TestBank(len(a)+1,'What is SPML?', 'Service Provisioning Markup Language (SPML). This language allows company interfaces to pass service requests, and the receiving company provisions (allows) access to these services.',4,'defn')) a.append(TestBank(len(a)+1,'Explain XACML.', 'eXtensible Access Control Markup Language (XACML). Application security policies can be shared with other ap- plications to ensure that both are following the same security rules.',4,'defn')) a.append(TestBank(len(a)+1,'What is the purpose of biometrics for access control?', 'Biometrics verifies an individual’s identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of verifying iden- tification.',4,'defn')) a.append(TestBank(len(a)+1,'What are the two categories of biometrics?', 'Physiological - physical attributes unique to a specific individual. Fingerprints are a common example of a physiological trait used in biometric systems; Behavioral - This is based on a char- acteristic of an individual to confirm his identity. An example is signature dynamics. Physiological is “what you are” and behavioral is “what you do.”',4,'list')) a.append(TestBank(len(a)+1,'What is Type 1 error in biometrics?', 'When a biometric system rejects an authorized individual, it is called a Type I error (false rejection rate).',4,'defn')) a.append(TestBank(len(a)+1,'What is Type II error in biometrics?', 'When the system accepts impostors who should be rejected, it is called a Type II error (false acceptance rate).',4,'defn')) a.append(TestBank(len(a)+1,'What is the crossover error rate (CER) in relation to biometrics?', 'This rating is stated as a percentage and represents the point at which the false rejection rate equals the false acceptance rate. This rating is the most important measurement when deter- mining the system’s accuracy. A biometric system that delivers a CER of 3 will be more accurate than a system that delivers a CER of 4.',4,'defn')) a.append(TestBank(len(a)+1,'What are the different types of biometric systems and the physiological or behavioral characteristics they examine?', 'Fingerprint, Palm Scan, Hand Geometry, Retina Scan, Iris Scan, Signature Dynamics, Keystroke dynamics, Voice Print, Facial Scan, Hand Topography',4,'list')) a.append(TestBank(len(a)+1,'What is compared during a biometrics fingerprint scan?', 'Minutiae (made up of ridge endings, bifucations)',4,'defn')) a.append(TestBank(len(a)+1,'What is scanned during a Retina Scan for biometrics?', 'Blood vessel pattern of the retina at the backside of the eyeball.',4,'defn')) a.append(TestBank(len(a)+1,'Which biometric system is the most accurate and has the most reference coordinates?', 'Iris Scan',4,'defn')) a.append(TestBank(len(a)+1,'What happens during a replay attack?', 'istening to network traffic to capture information, especially when a user is sending her password to an authentication server. The password can be copied and reused by the attacker at another time, which is called a replay attack.',4,'defn')) a.append(TestBank(len(a)+1,'What are techniques used to try to obtain a password?', 'Electronic monitoring, access the password file, brute force attacks, dictionary attacks, social engineering, rainbow table.',4,'list')) a.append(TestBank(len(a)+1,'What is a clipping level in terms of access control?', 'The threshold at which a user is locked out (for unsuccessful attempts).',4,'defn')) a.append(TestBank(len(a)+1,'What is the difference between a password checker and a password cracker?', 'Usually just who is using it. Checker = Security professional; Cracker = hacker.',4,'defn')) a.append(TestBank(len(a)+1,'What is a salt in relation to password hashing?', 'Salts are random values added to the encryption process to add more complexity.',4,'defn')) a.append(TestBank(len(a)+1,'What is a cognitive password?', 'Cognitive passwords are fact- or opinion-based information used to verify an individ- ual’s identity.',4,'defn')) a.append(TestBank(len(a)+1,'What is a one time password, or dynamic password?', 'It is used for authen- tication purposes and is only good once.',4,'defn')) a.append(TestBank(len(a)+1,'What is the difference between synchronous and asynchronous token authentication?', 'asynchronous is based on challenge/response mechanisms, while synchronous is based on time- or counter-driven mechanisms.',4,'defn')) a.append(TestBank(len(a)+1,'Explain the process of using a passphrase? What is it transformed into?', 'A passphrase is a sequence of characters that is longer than a password (thus a “phrase”) and, in some cases, takes the place of a password during an authentication process. The user enters this phrase into an application and the application transforms the value into a virtual password, making the passphrase the length and format that is required by the application.',4,'defn')) a.append(TestBank(len(a)+1,'What is the difference between a memory card and a smart card?', 'A memory card holds information but cannot process information. A smart card holds information and has the necessary hardware and software to actually process that information. ',4,'defn')) a.append(TestBank(len(a)+1,'What type of smart card attack introduces errors and then reviews both the incorrect and correct result to attempt to uncover the key?', 'Fault Generation',4,'defn')) a.append(TestBank(len(a)+1,'What are nonintrusive attacks such as differential power analysis, electromagnetic analysis, and timing?', 'Side-channel attacks',4,'defn')) a.append(TestBank(len(a)+1,'What is ISO/IEC 14443 and what are the three pieces?', 'An ISO/IEC standard, 14443, outlines the following items for smart card stan- dardization: ISO/IEC 14443-1 Physical characteristics ; ISO/IEC 14443-3 Initialization and anticollision ; ISO/IEC 14443-4 Transmission protocol.',4,'list')) a.append(TestBank(len(a)+1,'What is microprobing with respect to smart card attacks?', 'Microprobing uses needles and ultrasonic vibration to remove the outer protec- tive material on the card’s circuits. Once this is completed, data can be accessed and manipulated by directly tapping into the card’s ROM chips.',4,'defn')) a.append(TestBank(len(a)+1,'What are 5 access criteria in relation to access control?', '1. Roles, 2. Groups, 3. Physical/logical location, 4. Time of day, 5. Transaction type',4,'list')) a.append(TestBank(len(a)+1,'What should access control mechanisms default to?', 'No access.',4,'defn')) a.append(TestBank(len(a)+1,'Explain Authorization Creep.', 'Assigning privileges but never taking away unneccesary ones.',4,'defn')) a.append(TestBank(len(a)+1,'What is Kerberos?', 'Kerberos is an authentication protocol and was designed in the mid-1980s as part of MIT’s Project Athena. It works in a client/server model and is based on symmetric key cryptography.',4,'defn')) a.append(TestBank(len(a)+1,'What is a Key Distribution Center and what does it do?', 'The Key Distribution Center (KDC) is the most important component within a Kerberos environment. The KDC holds all users’ and services’ secret keys. It provides an authentication service, as well as key distribution functionality. The clients and services trust the integrity of the KDC, and this trust is the foundation of Kerberos security. The KDC provides security services to principals, which can be users, applications, or network services. A ticket is generated by the ticket granting service (TGS) on the KDC and given to a principal when that principal, let’s say a user, needs to authenticate to another princi- pal, let’s say a print server. A KDC provides security services for a set of principals. This set is called a realm in Kerberos.',4,'defn')) a.append(TestBank(len(a)+1,'What are the steps of the Kerberos Authentication Process when requesting a resource?', '1. User authenticates to AS (authentication service) , 2. AS sends initial ticket to user , 3. User requests to access the file server , 4. TGS (ticket granting service) creates new ticket with session keys , 5. User extracts one session key and sends ticket to file server.',4,'list')) a.append(TestBank(len(a)+1,'What is an authenticator in terms of Kerberos?', 'If a Kerberos implementation is configured to use an authenticator, the user sends to the printer server her identification information and a timestamp and sequence number encrypted with the session key they share.',4,'defn')) a.append(TestBank(len(a)+1,'What is SESAME, what does it do?', 'The Secure European System for Applications in a Multi-vendor Environment (SESA- ME) project is a single sign-on technology developed to extend Kerberos functionality and improve upon its weaknesses. SESAME uses symmetric and asymmetric crypto- graphic techniques to authenticate subjects to network resources.',4,'defn')) a.append(TestBank(len(a)+1,'What is the difference in the key cryptography between Kerberos and SESAME?', 'Kerberos is a strictly symmetric key–based technology, whereas SESAME is based on both asymmetric and symmetric key cryptography',4,'defn')) a.append(TestBank(len(a)+1,'KeWhat are the steps SESAME uses to grant PACs?', 'Kerberos uses tickets to authenticate subjects to objects, whereas SESAME uses Priv- ileged Attribute Certificates (PACs), which contain the subject’s identity, access capa- bilities for the object, access time period, and lifetime of the PAC. The PAC is digitally signed so the object can validate it came from the trusted authentication server, which is referred to as the Privileged Attribute Server (PAS). The PAS holds a similar role to that of the KDC within Kerberos.',4,'defn')) a.append(TestBank(len(a)+1,'What are four examples of SSO technologies (to include ticketing systems)', 'Kerberos, SESAME (secure european system for applications in a multi-vendor environment), security domains, and thin clients.',4,'list')) a.append(TestBank(len(a)+1,'What is an access control model?', 'a framework that dictates how subjects access objects. ',4,'defn')) a.append(TestBank(len(a)+1,'Explain Discretionary Access Control (DAC).', 'enables the owner of the resource to specify which subjects can access specific resources.',4,'defn')) a.append(TestBank(len(a)+1,'Explain how the MAC model works?', 'In a mandatory access control (MAC) model, users and data owners do not have as much freedom to determine who can access files. The operating system makes the final decision and can override the users’ wishes. This model is much more structured and strict and is based on a security label system.',4,'defn')) a.append(TestBank(len(a)+1,'What is RBAC and what is the other name for RBAC?', 'A role-based access control (RBAC) model, also called nondiscretionary access control, uses a centrally administrated set of controls to determine how subjects and ob- jects interact.',4,'defn')) a.append(TestBank(len(a)+1,'What are the main characteristics of the 3 access control models?', 'DAC Data owners decide who has access to resources, and ACLs are used to enforce the security policy. , MAC Operating systems enforce the system’s security policy through the use of security labels. , RBAC Access decisions are based on each subject’s role and/or functional position.',4,'list')) a.append(TestBank(len(a)+1,'What is rule based access control based on?', 'Rule-based access control uses specific rules that indicate what can and cannot hap- pen between a subject and an object. It is based on the simple concept of “if X then Y” programming rules',4,'defn')) a.append(TestBank(len(a)+1,'What are three types of Constrained User Interfaces?', 'Menus and shells ; database views ; physically constrained interfaces.',4,'list')) a.append(TestBank(len(a)+1,'What is the difference between a capability table and a ACL?', 'A capability table specifies the access rights a certain subject possesses pertaining to specific objects. A capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.',4,'defn')) a.append(TestBank(len(a)+1,'What is content-dependent access control?', 'Depends on content in the item.',4,'defn')) a.append(TestBank(len(a)+1,'What is context-dependent access control?', 'it makes access decisions based on the context of a collection of information rath- er than on the sensitivity of the data.',4,'defn')) a.append(TestBank(len(a)+1,'What does RADIUS use for transport protocol?', 'UDP',4,'defn')) a.append(TestBank(len(a)+1,'What does TACACS use for transport protocol?', 'TCP',4,'defn')) a.append(TestBank(len(a)+1,'What is encrypted in RADIUS? In TACACS?', 'RADIUS encrypts the password only. TACACS encrypts all data between server and client.',4,'defn')) a.append(TestBank(len(a)+1,'What are the different functionalities of access controls?', 'preventive, detec- tive, corrective, deterrent, recovery, compensating, and directive',4,'list')) a.append(TestBank(len(a)+1,'What are purposes of the different access control functionalities?', '\n Deterrent - Intended to discourage a potential attacker ;\n Preventive -Intended to avoid an incident from occurring ;\n Corrective - Fixes components or systems after an incident has occurred ;\n Recovery - Intended to bring controls back to regular operations ;\n Detective - Helps identify an incident’s activities ;\n Compensating - Controls that provide for an alternative measure of control ;\n Directive - Mandatory controls that have been put in place due to regulations or environmental requirements',4,'list')) a.append(TestBank(len(a)+1,'What is object re-use?', 'Object reuse issues pertain to reassigning to a subject media that previously con- tained one or more objects. ',4,'defn')) a.append(TestBank(len(a)+1,'What is TEMPEST and for what is it used?', 'TEMPEST started out as a study carried out by the DoD and then turned into a standard that outlines how to develop countermeasures that control spurious electrical signals emitted by electrical equipment.',4,'defn')) a.append(TestBank(len(a)+1,'What is a faraday cage?', 'Outer metal coating for emission control.',4,'defn')) def anotherSearch(firstRun): if (firstRun == True): return True else: pass print() print('Another search? (Yes/No)', end = " ") while True: again = input() if (again in ['y','ye','yes','YES','Yes','Ye','1']): return True elif (again in ['n','no','NO','No','0']): return False else: print('Input not valid. Would you like to use the program again?', end = " ") def getQ(x): i=0 yn = '' again = True while again == True: try: os.system('clear') print() print() print(a[i].q) b = input() print('Answer is: ', a[i].a) print() print() yn = input('Another? (Press enter for yes, enter input for no.)') if yn == '': pass else: #print('Invalid, exiting.') print() again = False i = i + 1 except IndexError: break return def oneCh(z): z = int(z) c = [] i=0 yn = '' again = True while again == True: try: if a[i].c == z: os.system('clear') print() print() print(a[i].q) b = input() print('Answer is: ', a[i].a) print() print() yn = input('Another? (Press enter for yes, enter input for no.)') else: i = i + 1 if yn == '': pass else: #print('Invalid, exiting.') print() again = False i = i + 1 except IndexError: break return def mainMenu(): import os os.system('clear') # This clear the screen and returns the cursor to the top. print('======================================') print('============= Main Menu =============') print('======================================') print() print('Please select from one of the following options. Type the number of the \ corresponding option desired.') print() print('[1]: Practice all questions.') print('[2]: Practice a particular chapter.') print('[3]: Add new questions to bank.') print('[4]: Check new questions for bank.') print('[5]: Practice a particular question type (not finished).') print('[6]: N/a.') print('[7]: N/a.') print('[0]: Exit the program.') print() valid = False while(valid == False): print('User input:', end = " ") option = input() if (option == '0'): valid = True elif (option == '1'): valid = True elif (option == '2'): valid = True elif (option == '3'): valid = True elif (option == '4'): valid = True elif (option == '5'): valid = True elif (option == '6'): valid = True elif (option == '7'): valid = True else: print() print('Input rejected. Please input a valid option. Ex: 1, 2, 3, 4, 0.') print() # Insert error handling here for options other than the provided. return option def addNew(): #Created to generate formatted test questions for cissp.py script again = True f = open('ncqs.txt', 'a') outf = '' while again == True: q = input('What is the question? ') a = input('What is the answer to the question? ') check = True while check == True: c = input('What chapter did the question come from? ') check = noInt(c) t = input('What is the type of the question? (Ex: defn, list, tf, eq) ') print() print() # print('@' * 20, ' Code for questions ', '@' * 20) print() print() # print('a.append(TestBank(len(a)+1,\'', q, '\', \'', a, '\',', c, ',\'', t, '\'))') print() print() out = 'a.append(TestBank(len(a)+1,\'' + q + '\', \''+ a+ '\','+ c+ ',\''+ t+ '\'))' outf = outf + '\n' + out yn = input('Another? (y or n)') if yn == 'y': pass elif yn == 'n': again = False else: print('Invalid, exiting.') print() again = False #print('again is ', again) f.write(outf) f.close() # Start program def noInt(x): try: x = int (x) return False except: print('Invalid') return True def menu2(): print('Questions per chapter:') print() for a in range (1,13): print('Chapter ', a, ': ', countQuestionsPerChapter(a)) print () check = True while check == True: z = input('What chapter would you like to review? ') check = noInt(z) z = str(z) oneCh(z) #trash = input() return def readBank(): f = open('ncqs.txt', 'r') inf = f.read() print('Code to add to beginning.') print() print() print(inf) return def countQuestionsPerChapter(z): b = len(a) count = 0 for item in range(0,b): if a[item].c == z: count = count + 1 else: pass return count firstRun = True x = firstRun while anotherSearch(x): userSelect = mainMenu() if (userSelect == '0'): exit() elif (userSelect == '1'): getQ(x) elif (userSelect == '2'): menu2() #oneCh(z) elif (userSelect == '3'): addNew() elif (userSelect == '4'): readBank() elif (userSelect == '5'): check = True while check == True: z = input('What chapter? ') check = noInt(z) countQuestionsPerChapter(z) elif (userSelect == '6'): blarg = input('Input: ') blarg = noInt(blarg) print('Returned: ', blarg) elif (userSelect == '7'): pass else: print ('Error handling is in mainMenu; user should never see this line.') x = False #os.system('clear') #print()Apologies if that doesn't help much. By far and away the best study resource I used was the Shon Harris book. I can't emphasize enough how helpful that was.
Also, I would say that Sec+, while nice, is even more rudimentary compared to CISSP; while not hurtful, it is like stepping on a step-stool to try to ascend to the roof of a two story building. Hopefully that makes sense.
Thanks for all the info.
Know everything network security related from switches, (layer 2 and 3) to routers (layer 3) to IDS/IPS to Web Application Firewalls (WAF layer 7).
Get to know SSL from front to back, as well as its former TLS. (We need competent security people at the helm to help us make the rest of the world understand why keeping legacy SSL and older Operating Systems on-line for too long does not equal an acceptable risk...Go look up POODLE malware and you'll get a better understanding of what I am talking about).
DEEP dive into white papers and articles (MANY are free when you join groups and forums on LinkedIn) about how we are tacking security issues, Risk Management, Risk Acceptance, Compliance and Governance.
KNOW the subtle differences between SDLC and ITILv3. Both are process driven, and have the same number of steps, but depending on the project, you'll need to know when and how to use one or the other.
THEN, and only then should you really decide to try and take on this beast of a test. There is nothing wrong with being an associate for ISC, but outside of cheating the exam--and yourself--, experience is key to passing this test for most people.
There are a lot more people taking and passing the CISSP, so you need to know your stuff if you plan on interviewing after getting the cert for mid-senior level positions. CISSP is not as coveted as it was. Where it was once the crown jewel of InfoSec, it's now more of the Industry standard, as I am seeing 50-60K per year jobs out there that require or 'prefer' a candidate to have it. And it goes without saying that the six-figure jobs out there definitely require the cert PLUS at least 5-7 years of verifiable InfoSec experience, so don't expect this job to make your wallet instantly thicker, unless you already have the requisite time in the field prior to.