This course provides a primary resource for anybody preparing for the brand-new CISSP (2024) exam from ISC2.
Overview
Syllabus
Introduction
- Earning your CISSP
- What you should know
- Study resources
- The CISSP exam
- Is the CISSP right for you?
- Careers in information security
- Value of certification
- Registering for the exam
- Exam environment
- Question types
- Computerized adaptive testing
- Passing the exam
- Exam tips
- Practice tests
- Meeting the experience requirement
- Continuing education requirements
- Overview of the Security and Risk Management domain
- The five pillars of information security
- Confidentiality
- Integrity
- Availability
- Authenticity and nonrepudiation
- Aligning security with the business
- Organizational processes
- Security roles and responsibilities
- Control and risk frameworks
- Legal and compliance risks
- Data privacy
- General Data Protection Regulation (GDPR)
- California privacy law
- National data privacy laws
- Computer crimes
- Software licensing
- Intellectual property
- Import and export controls
- Data breaches
- Ethics
- Security policy framework
- Security policies
- Business continuity planning
- Business continuity controls
- High availability and fault tolerance
- Personnel security
- Security in the hiring process
- Employee termination process
- Employee privacy
- Social networking
- Risk analysis, assessment, and scope
- Quantitative risk assessment
- Risk treatment
- Security control selection and implementation
- Continuous monitoring, measurement, and tuning
- Risk management frameworks
- Risk visibility and reporting
- Threat intelligence
- Managing threat indicators
- Intelligence sharing
- Threat research
- Identifying threats
- Automating threat intelligence
- Threat hunting
- Managing vendor relationships
- Vendor agreements
- Vendor information management
- Cloud audits
- Security awareness training
- Compliance training
- User habits
- Measuring compliance and security posture
- Overview of the Asset Security domain
- Understanding data security
- Data security policies
- Data security roles
- Limiting data collection
- The data lifecycle
- Developing security baselines
- Leveraging industry standards
- Customizing security standards
- Cloud storage security
- Information classification
- Digital rights management
- Data loss prevention
- Change management
- Configuration and asset management
- Physical asset management
- Supply chain risks and mitigations
- Overview of the Security Architecture and Engineering domain
- Secure design principles
- Security models
- Security evaluation models
- Segregation of duties
- Privacy by design
- Secure defaults
- Information system lifecycle
- What is the cloud?
- Cloud computing roles
- Drivers for cloud computing
- Security service providers
- Multitenant computing
- Virtualization
- Desktop and application virtualization
- Cloud compute resources
- Containerization
- Cloud activities and the cloud reference architecture
- Cloud deployment models
- Cloud service categories
- Edge and fog computing
- Memory protection
- Hardware encryption
- Hardware and firmware security
- Server and database security
- NoSQL databases
- Distributed and high-performance computing
- Industrial control systems and operational technology
- Internet of things
- Securing smart devices
- Secure networking for smart devices
- Embedded systems
- Communications for embedded devices
- Understanding encryption
- Symmetric and asymmetric cryptography
- Goals of cryptography
- Codes and ciphers
- Cryptographic math
- Choosing encryption algorithms
- The perfect encryption algorithm
- The cryptographic lifecycle
- Data encryption standard
- 3DES
- AES, Blowfish, and Twofish
- RC4
- Cipher modes
- Steganography
- Rivest-Shamir-Adleman (RSA)
- PGP and GnuPG
- Elliptic curve and quantum cryptography
- Key management practices
- Key exchange
- Diffie-Hellman
- Key escrow
- Key stretching
- Hardware security modules
- Trust models
- PKI and digital certificates
- Hash functions
- Digital signatures
- Digital signature standard
- Create a digital certificate
- Revoke a digital certificate
- Certificate stapling
- Certificate authorities
- Certificate subjects
- Certificate types
- Certificate formats
- Brute-force attacks
- Knowledge-based attacks
- Eavesdropping attacks
- Implementation attacks
- Limitations of encryption algorithms
- Ransomware
- Site and facility design
- Data center environmental controls
- Data center environmental protection
- Power control
- Physical access control
- Visitor management
- Physical security personnel
- SOAP and REST
- SOA and microservices
- Introducing the Communication and Network Security domain
- Introducing TCP/IP
- IP addresses and DHCP
- Network traffic
- Domain name system (DNS)
- Network ports
- ICMP
- Multilayer protocols
- Public and private addressing
- Subnetting
- Security zones
- Isolating sensitive systems
- VLANs and logical segmentation
- Security device placement
- Software defined networking (SDN)
- Transmission media
- Cloud networking
- Zero trust and SASE
- Routers, switches, and bridges
- Network topologies
- Transport architecture
- Firewalls
- Proxy servers
- Load balancers
- VPNs and VPN concentrators
- Network intrusion detection and prevention
- Protocol analyzers
- Unified threat management
- Content distribution networks
- Restricting network access
- Network access control
- Firewall rule management
- Router configuration security
- Switch configuration security
- Maintaining network availability
- Network monitoring
- Firewall and network logs
- Network performance metrics
- SNMP
- Isolating sensitive systems
- Deception technologies
- Network support
- Telephony
- Multimedia collaboration
- Storage networks
- TLS and SSL
- IPsec
- Remote network access
- Understanding wireless networking
- Wireless encryption
- Wireless authentication
- Wireless signal propagation
- Wireless networking equipment
- Mobile connection methods
- Mobile device security
- Mobile device management
- Mobile device tracking
- Mobile application security
- Mobile security enforcement
- Bring your own device (BYOD)
- Mobile deployment models
- Operating system security
- Malware prevention
- Application management
- Host-based network security controls
- File integrity monitoring
- Introducing the Identity and Access Management (IAM) domain
- Authentication, authorization, and accounting (AAA)
- Usernames and access cards
- Biometrics
- Registration and identity proofing
- Authentication factors
- Multifactor authentication
- Something you have
- Password authentication protocols
- Single sign-on and federation
- RADIUS
- Kerberos and LDAP
- SAML
- Identity as a service (IDaaS)
- OAuth and OpenID Connect
- Certificate-based authentication
- Passwordless authentication
- Accountability
- Session management
- Understand account and privilege management
- Account types
- Account policies
- Password policies
- Manage roles
- Account monitoring
- Provisioning and deprovisioning
- Understand authorization
- Mandatory access controls
- Discretionary access controls
- Access control lists
- Database access control
- Advanced authorization concepts
- Social engineering
- Impersonation attacks
- Identity fraud and pretexting
- Watering hole attacks
- Physical social engineering
- Introducing the Security Assessment and Testing domain
- What is vulnerability management?
- Identify scan targets
- Scan configuration
- Scan perspective
- Analyzing scan reports
- Correlating scan results
- Penetration testing
- Ethical disclosure
- Bug bounty
- Cybersecurity exercises
- Logging security information
- Security information and event management
- Continuous security monitoring
- Endpoint monitoring
- Code review
- Code tests
- Fuzz testing
- Interface testing
- Misuse case testing
- Test coverage analysis
- Code repositories
- Third-party code
- Software risk analysis and mitigation
- Disaster recovery
- Backups
- Restoring backups
- Disaster recovery sites
- Testing BC/DR plans
- After action reports
- Collect security process data
- Management review and approval
- Security metrics
- Audits and assessments
- Control management
- Introducing the Security Operations domain
- Conducting investigations
- Evidence types
- Introduction to forensics
- System and file forensics
- Network forensics
- Software forensics
- Mobile device forensics
- Embedded device forensics
- Chain of custody
- Reporting and documenting incidents
- Electronic discovery (eDiscovery)
- Need to know and least privilege
- Privileged account management
- Build an incident response program
- Creating an incident response team
- Incident communications plan
- Incident identification
- Escalation and notification
- Mitigation
- Containment techniques
- Incident eradication and recovery
- Validation
- Post-incident activities
- Personnel safety
- Emergency management
- Introducing the Software Development Security domain
- Software platforms
- Development methodologies
- Scaled agile framework
- Maturity models
- Automation and DevOps
- Programming languages
- Acquired software
- OWASP top ten
- Application security
- Preventing SQL injection
- Understanding cross-site scripting
- Request forgery
- Defending against directory traversal
- Overflow attacks
- Explaining cookies and attachments
- Session hijacking
- Code execution attacks
- Privilege escalation
- Driver manipulation
- Memory vulnerabilities
- Race condition vulnerabilities
- Input validation
- Parameterized queries
- Authentication/session management issues
- Output encoding
- Error and exception handling
- Code signing
- Database security
- Data de-identification
- Data obfuscation
- Preparing for the exam
Taught by
Mike Chapple