Updated 8 CISSP Domains are not more Difficult to Pass, and here is a detailed list of Topics and how to Easily Cover them…
Domain 1 of CISSP syllabus is this Security and Risk management and in itself is a very vast concept and can be divided into many subtopics
the first topic which I want to discuss is the CIA Triad
The CIA triad consists of three basic elements that are the confidentiality integrity and availability. Now in some old books it was the CIA Triad and it is basically called CIA from a very beginning but a proper term which I want to say is AIC instead of CIA because that also stands for the Central Intelligence Agency and that’s why is always confusing for students.
Now confidentiality is all about preventing the unauthorized disclosure of anything it can be any information or any data. The integrity all about the alteration of data and to make sure that there is no unauthorized modification in data and also it provides the way to verify that the data has not been altered. The availability component provides the timely access which means that anything should be available to you when you needed, for example, this website is available to you when you need it right?
After CIA there comes that the IAAA which has four components that are the identification authentication authorization and accountability. Now the identification is just like you login to a website you have your username and your password. So the website is identifying you using your username and the website is authenticating you use the using your password it means your identity is your username and your password is the way through which the website will know that you are the real owner of the account. Authentication has a lot of types which you will have to learn in this concept and I strongly suggested to remember them very deeply because you can expect a lot of questions from them. After authentication, that website will give you some right for example if I am authenticated as an Admin of this website I will have all the rights of this website. Not just a website but it can be anything you may want to consider. If authorization give you write access to some data and you write something then finally it will make you accountable so if you have followed all the three steps you are accountable for anything that happens from that authorisation the simply means Non Repudiation which is established when you are authorised then you cannot deny that you were not the one who made any changes.
The third concept in this domain will be the Security Governance Principle and Frameworks and it is again a very vast topic, however, there are three basic elements in this as well which I want to highlight. The first one is the Due Care, The second one is the Due Diligence and the third one is the Negligence. Now the due diligence is all about the research, So as a security professional you should do proper research, you should be updated with the latest trends, you should know what is going on in your system, that is due diligence you are performing your work properly as you are up to date. Next concept was the due care which means that you should do everything that a wise person will do. The Third element was the negligence which means that you are neglecting the situation and not performing due care. There are a lot of topics as well as you might have to learn for example some frameworks but they are not that much important in case we compare between the concept and terms.
This Domain also revolves around the Evidence and Crime, so you should consider topics that are the related to types of evidence, How to handle the evidence, chain of custody etc. and you can expect one or two questions easily from this topic and you should give 2 or 3 hours reading about it
After type of evidence there are so few laws which you will need to understand but before that, you need to understand the types of laws, criminal law, civil law, administrative law, standard, and regulation, etc. You need to understand Entrapment versus Enticement and how Entrapment is totally Illegal and enticement is legal. so you will need to understand what these are a how they work. There are some few laws which are Important like CFAA, ECPA, Fourth Amendment of US Constitution, The Security Breach Notification law, Sarbanes Oxley Act, GBLA, HIPPA, the PCI DSS, Intellectual Property, Professional Ethics, etc.
Now Intellectual Property is in itself a big concept but I just think that you can add in the laws only and the professional ethics they are two major ones which I want you to remember the Official ISC2 Code of Ethics and the internet accountability board that is IAB Ethics.
Once you understand all of these laws and regulations, You need to start with the Risk Management when I was doing my certified financial planning, Risk was a domain in itself and risk is a very big topic. There are automated software that can do your risk analysis and there is the physical assessment. The Question is which is the most effective one, The most Effective Risk Assessment would be the one that is done by a software not by a human only due to one fact that is that you can add as many as situations you may want to on the same data again and again in a software however if you want to do this manually you will need is doing the same thing again and again.
You need to understand three Basic concepts in Risk Management, The first one would be what exactly is Risk and How do you Calculate Risk then you will need to understand what are the different Ways to counter risk and always remember one thing that risk can never be zero. however it can be minimized to the minimum possible and after all of this, the third concept is to understand the Risk Analysis Process. You need to understand All the steps of that process and most important what are the ways to assess the risk, a major component in this process comes out to be asset evaluation because if you don’t know the value of your assets you can never calculator risk on them so make sure you also understand the Asset evaluation, its criteria and its method for the exam
The most important part in the whole CISSP syllabus, as well as this domain, is the Business Continuity Planning and Disaster Recovery Planning. Now, this is majorly a part of Domain 7 which is the security operations however they have tried to give a brief in this Domain.
I recommend you to understand all the essential Terms related to BCP and DRP and then you should understand what these concepts are and how do you perform a Business Impact Analysis, Make sure you understand the concept not the terms because you will do the terms in the Domain 7.
After all of this there are few more concept which you should give some time studying because they are can give you marks in exam, The major concept I want to talk about is the European Laws because we only studied the US laws in that law section but I am seeing a lot of questions from European laws and make sure to study the new laws like GDPR. You should understand that what are Policies, Procedures Rules, Regulations and things which are basically called the Security Documents. You should also understand how Security Approach Works, So there is the top-down approach in which we start with the top management and you go down to the lower level and the bottom-up approach in which start from the bottom which is the employees and then you go to the managers, then head of department, and finally The Senior Management. Always remember that a top-down approach will more likely succeed as you always need Management Support to do anything in your Organization.
Domain 2 of the CISSP syllabus is Asset Security and you have to read about the Sensitive Information and the Media Security, Data Classification, Data Responsibility and Roles, Memory, Data Destruction and Data Security Control Frameworks now you may think that this is a very small Domain and to be honest Yes! it is.
About Data Destructions you will have to at least give it two hours reading about the destruction techniques, About the memory, it will be a major part of Domain 3 but you should read it here only. Data classification and the Responsibility and Roles is something I would say is very important from the practical life point of view as well as for the next domains so it is going to help you a lot in the domain 5 and I would say that give it a special attention rather there are a limited topics in this domain give it the same time which you are giving to others.
Domain 3 revolves around the Security Architecture and Engineering. This was actually three different domains in the old syllabus but now all of these three domains have been combined and this is a giant Domain 3 has been formed. I think that Domain 4 is much more in-depth than the main 3 when it comes to exam questions but if you see the syllabus then Domain 3 is the biggest one. So give special attention to Domain 3 and 4
So what exactly is security architecture and what are the threats to security architecture make sure you give special attention to the threats in any domain. Some concepts which you will need to understand there will be the Trusted Computer Base, Rings of protection, Open and Closed System, Operating States, Recovery Procedures and Process Isolation.
In threat, I would say that you should know the Buffer Overflow, Backdoors, Trojans, Covert Channels and they are quite few but these are the most important ones in Domain 3
after you study what is security architecture, It involves you to know the Security Models and they have to be read in a very detailed manner. There are the basic models which involve the State Machine Model, Non-Interference Model, and Information Flow Model. There is the confidentiality model which contains the Bell-LaPadula. There are the integrity models which contains the BIBA, Clark Wilson Model and Take-Grant Protection Model. Finally, there are other models as well for example The HRU Model. Graham Denning Model at the Lattice Model so make sure you remember all of these.
there are the Security Evaluations which tell us how to evaluate the security of any system. For this, you should remember three basic things that are TCSEC, ITSEC and Common Criteria.
We don’t use TCSEC and ITSEC now but we use common criteria.
Make sure to give special attention to ITSEC also called as Orange book, The Red book, The Green book, The Brown book, and the Purple book from the Rainbow Series of DoD. You don’t need to go in depth but you should know the Core Purpose of each Book.
Last Part of This Section of Domain 3 is to study the New Technologies that are IOT and then Virtualization, Fault Tolerance and some part of the Cloud Security, however, I would recommend to study Cloud Security in the Domain 5, not in Domain 3.
Second Part of Domain 3 is Cryptography and you need to understand 4 basic things. You should know what is cryptography and how it works so Basic Concept behind it and don’t go in modular maths and in the detailed analysis of algorithms. The second thing to understand is, What is symmetric Cryptography and then third concept is Asymmetric Cryptography. Last thing you should know is HASH.
There are a few small concepts which you will need will cover in these 4 basic concepts itself, for example, the PKI, Digital Certificate, etc. You can also Expect Questions on How do you Provide Integrity, Confidentiality, and Non-Repudiation using Cryptography.
Yeah, I saw some people saying that you have to learn things like encryption that how many rounds are there in that encryption. The number of bits and things like that. There is nothing to explain here as you cannot change that you just need to memorize this kind of stuff and Refer to SunFlower Document for this.
Third Part of Domain 3 is the Physical Security, You need to give special attention to four basic things, First is Electrical Power, Second is the Fire, Third is Humidity and Tempest and Fourth are 4 D’s of Physical Security.
I recommend using images.google.com to see how things look. There are a lot of stuff with which if you wo n’t be able to remember if you don’t see them yourself.
After Covering Domain 3 you will reach the Domain 4 that is Networking which is the biggest giant according to me like if you just see the syllabus, it is domain 3 but to be practically honest the exam questions and level of Detail makes Domain 4 Biggest.
You will have to memorize a lot in this Domain but the Major Topics to understand here are, Networking so what exactly is networking, how do we connect systems networking topologies like how do we connect them you in some specific patterns, for example, the star topology, Bus, Mesh, Partial Mesh etc.
There is the difference between the switch, hub, router, and modem so it basically means all the hardware that is used in the networking. You have to understand different routing ways. You have to understand wireless and the wireless security that involves reading about the WPA, WEP, WPA2, and WPA3. After this, there are Firewalls, RAID, Backups, etc which are again a part of Fault Tolerance but just give that a special attention in this Domain and for the backup, a lot of students can get confused in the incremental backup and the partial backup.
After this learn Denial of Service Attacks and that contains a lot of things like the Ping of Death there are the broadcasting attacks, etc. There are DNS poisoning, DNS Spoofing, ARP Poisoning and ARP Spoofing and at last there are OSI model and TCP IP model of networking. Now always remember that OSI is just a conceptual model and it is not used in the real life but you have to give attention to that and TCP and IP model is the one which we use in the real life. Make sure you even remember all the layers of these models.
Now to be honest there are things like the different cables which can be used to connect computers like Coaxial Cables, Shielded Cables, Optic Fibre etc. but I don’t think there is anything to understand here and go to images.google.com to search for the image of the wire how it looks just remember that. This domain is not about testing your concepts however it is all about the characteristics and memorization. In exam, they will ask you what is the advantage of using cat 5 instead of cat 2 So it’s all about characteristics and memorization. Again Give a Glance to SunFlower Document to Cover up such things.
After all of this we have Domain 5 which is Identity Access Management (IAM) which is also a very small domain and consist of some things which you have to understand and I would say that it is one of my favourite domains because it’s not a lot of theory and not a lot of memorization is needed as it is just the concept that you need to understand.
Here main things to study are Security Model Access Control. You need to know that what are the different access controls and what are the characteristics and how the concept is implemented. You should know that Security Architecture Threats now this was also a topic of the Domain 3 if you remember. After this lecture Categories of Access Control so there are a lot of things for example Fences which is a Deterrent Control, not a Preventative Control. People think these are same but this is wrong, no fences will prevent any Intruder to come in your building but it will just deter them. Anti-virus will just fit in four or five categories so need to understand the concept and then try to fit the given thing in the exam.
Access Control is very important because there is one of the major Essentials which you are going to be tested in the exam after that there are some things like single sign-on and the single sign-on methods which almost every big companies using for example if user login to your Google account you are logged into YouTube, Gmail, Drive, Docs, Sheets and other things which Google offers. That is a single sign-on, You are signing in using at One Place and it is allowing you to all different services and all the method methods involved in that you have to remember that there is this Central authentication this is little different with single sign-on and just pay attention to that as well because it is important. Then there are some things like multi Factor authentication which involves at least two factors of authentication should be used to be secure and after that there is the Biometric Errors and you will surely get a question from biometric errors, there is a one diagram which is very important and you need to understand the Type 1 error and Type 2 errors.
There is the Intrusion Detection System, There is the Cloud Security which I was talking in the Domain 3 but I again recommend to study it right now in Domain 5. In Cloud Security, you have to consider 4 main concepts that are different cloud models, data lifecycle security, storage architecture and Securing the Hypervisor. I recommend you to take the concept from the CCSP book, not the CISSP book that would be much more better if you can.
After all of this there comes the domain 6 which is again very easy and it’s very very easy to remember but there is a lot of practical knowledge needed here. If you are not from a Penetration Testing or Ethical Hacking Background I recommend you to go ahead and search and actually see people doing hacking. You need to understand the types of penetration testing, the classification of hackers, penetration testing process, vulnerability assessment, social engineering elements, and some terms. I would say if you can see a real Penetration test in front of your eyes that’s going to be very very easy for you and there are things you need to understand like this Security Auditing and the Security Logs that are a very important element in this domain.
Now this is all about Security Operations this is the domain 7 and I always fear from this. This Domain Requires a hardcore industry experience and if you are not in this industry it will be very difficult for you and it’s a very challenging one.
You need to understand something like things like the least privileges given to the Employees there should be the need to know etc. and some other concept there is the physical security, personal security, logging and monitoring, preventive measures for all of these things which is just like the access controls.
There is the resource provisioning and protection, The patch and Vulnerability Management and there is the Change management which is a challenging part
There is the business continuity planning and the disaster recovery planning, The Incident response, Investigations, Disaster Recovery strategies and implementation.
You might say that Hey! I know a lot of things… Yes you already covered a lot of the syllabus in previous domains this is just like overlapping and duplicate in all the concepts again here but this time with a practical approach.
So finally did you reach the Domain 8 that is Software Development. Well, Congratulations!
This is the last domain but this is going to be very tough if you are not from a programming background personally I have been working on C + +, Java and things like that for 3 years and I think any beginners who don’t have any experience with programming, it won’t kill him
It’s very hard and you have to memorize all lot of terminology. You will have to understand the system life cycle, software development methods, change control process so it’s all about Change management again which you already covered in the domain 7.
There is security consideration in software development, Some Approaches which you have to give emphasize on, there is the database security that is one of the major Essentials in this domain but it’s all real life theory I cannot say it is purely practical as you don’t have to code and you don’t have to know the syntax of languages but you have to know how do we properly use some predefined models when we are developing a software.
If you like it feel free to leave a comment below and I really like to answer your questions if you have any just feel free to ask them and he is my www.sagarbansal.com/cissp which is going to reduce around 50% of your Efforts.