Eight CISSP Domains in cyber security
Olayenikan Michael
Cybersecurity Analyst| Full Stack Web Developer| Virtual Assistant & Remote Administrative Services| Digital Marketing & Social Media Management
What are the 8 CISSP domains?
CISSP is broken into 8 domains that cover the main aspects of information security.
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communications and Network Security
Identity and Access Management
Security Assessment and Testing
Security Operations
Software Development Security
1) Security and Risk Management
Security and Risk Management comprises about 15% of the CISSP exam.
This is the largest domain in CISSP, providing a comprehensive overview of the things you need to know about information systems management. It covers:
The confidentiality, integrity and availability of information;
Security governance principles;
Compliance requirements;
Legal and regulatory issues relating to information security;
IT policies and procedures; and
Risk-based management concepts.
2) Asset Security
Asset Security comprises about 10% of the CISSP exam.
This domain addresses the physical requirements of information security. It covers:
The classification and ownership of information and assets;
Privacy;
Retention periods;
Data security controls; and
Handling requirements.
3) Security Architecture and Engineering
Security Architecture and Engineering comprises about 13% of the CISSP exam.
This domain covers several important information security concepts, including:
Engineering processes using secure design principles;
Fundamental concepts of security models;
Security capabilities of information systems;
Assessing and mitigating vulnerabilities in systems;
Cryptography; and
Designing and implementing physical security.
4) Communications and Network Security
Communications and Network Security comprises about 13% of the CISSP exam.
This domain covers the design and protection of an organisation’s networks. This includes:
Secure design principles for network architecture;
Secure network components; and
Secure communication channels.
5) Identity and Access Management
Identity and Access Management comprises about 14% of the CISSP exam.
This domain helps information security professionals understand how to control the way users can access data. It covers:
Physical and logical access to assets;
Identification and authentication;
Integrating identity as a service and third-party identity services;
Authorisation mechanisms; and
The identity and access provisioning lifecycle.
6) Security Assessment and Testing
Security Assessment and Testing comprises about 12% of the CISSP exam.
This domain focuses on the design, performance and analysis of security testing. It includes:
Designing and validating assessment and test strategies;
Security control testing;
Collecting security process data;
Test outputs; and
Internal and third-party security audits.
7) Security Operations
Security Operations comprises about 13% of the CISSP exam.
This domain addresses the way plans are put into action. It covers:
Understanding and supporting investigations;
Requirements for investigation types;
Logging and monitoring activities;
Securing the provision of resources;
Foundational security operations concepts;
Applying resource protection techniques;
Incident management;
Disaster recovery;
Managing physical security; and
Business continuity.
8) Software Development Security
Software Development Security comprises about 10% of the CISSP exam.
This domain helps professionals to understand, apply and enforce software security. It covers:
Security in the software development life cycle;
Security controls in development environments;
The effectiveness of software security; and
Secure coding guidelines and standards.
CISSP training and revision materials
Those who sit the CISSP CBK (Common Body of Knowledge) exam will be tested on each of the eight domains.
The exam consists of 100–150 multiple-choice questions and lasts three hours. The pass grade is 70%.
Anyone preparing for that exam should take the time to understand the challenges ahead. This might begin by reading the official CISSP study guide. You should also create a consistent study schedule to ensure that you set aside plenty of time to revise for the exam.
During this study period, you should also take practice exams to get used to the sorts of questions you will be asked and how to answer them. Mock exams also help you get to grips with the lengthy examination time.
Three hours is a long time to sit an exam, and some people will struggle to concentrate for the entire time. However, through practice, this will come to you naturally and you can find a system that suits you.
You can find all the guidance you need to pass the exam with IT Governance’s CISSP Blended Online Training Course.
This online course provides the practical and theoretical skills you need to pass the CISSP exam first time. It was developed by industry experts, who use their real-world experience to guide you through the content.
Unlike traditional training courses, blended learning combines instructor-led sessions, guided digital content and one-on-one mentoring, making it ideal for those who want to balance their learning with their work and home schedule.
Blended training is shown to increase engagement, facilitate collaboration and simplify assessment. Find out how IT Governance can help you take advantage of this approach to CISSP training.
Common attacks and their effectiveness
Previously, you learned about past and present attacks that helped shape the cybersecurity industry. These included the LoveLetter attack, also called the ILOVEYOU virus, and the Morris worm. One outcome was the establishment of response teams, which are now commonly referred to as computer security incident response teams (CSIRTs). In this reading, you will learn more about common methods of attack. Becoming familiar with different attack methods, and the evolving tactics and techniques threat actors use, will help you better protect organizations and people.
Phishing
Phishing is the use of digital communications to trick people into revealing sensitive data or deploying malicious software.
Some of the most common types of phishing attacks today include:
Business Email Compromise (BEC): A threat actor sends an email message that seems to be from a known source to make a seemingly legitimate request for information, in order to obtain a financial advantage.
Spear phishing: A malicious email attack that targets a specific user or group of users. The email seems to originate from a trusted source.
Whaling: A form of spear phishing. Threat actors target company executives to gain access to sensitive data.
Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source.
Smishing: The use of text messages to trick users, in order to obtain sensitive information or to impersonate a known source.
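The BEC and spear-phishing descriptions above all hinge on a message that "seems to be from a known source". As an added example (not code from this article or its author), the Python below shows the kind of defensive header checks a mail filter or analyst script can run to surface that deception: a display name that names a trusted domain the real sender address does not match, a sender domain that is a look-alike of a trusted one, a Reply-To that silently redirects replies elsewhere, and urgent payment wording in the body. The trusted-domain list, the two sample messages and the keyword list are all constructed for illustration.

```python
"""Phishing / BEC indicator checks over constructed email headers.

Added example for the phishing section; not code from the original article.
TRUSTED_DOMAINS, the sample messages and the keyword list are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed: domains this hypothetical organisation treats as known senders.
TRUSTED_DOMAINS = {"example.com", "partner-bank.example"}

# Digits commonly swapped for look-alike letters in spoofed domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted/unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    normalised = domain.translate(HOMOGLYPHS).replace("-", "")
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted.replace("-", "") or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def phishing_indicators(raw_message: str) -> List[str]:
    """Return human-readable warnings for one RFC 822 style message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []

    # 1. Display name claims a trusted domain that the real address does not match.
    for trusted in TRUSTED_DOMAINS:
        if trusted in display_name.lower() and from_domain != trusted:
            findings.append(f"display name mentions {trusted} but sender is {from_domain}")

    # 2. Sender domain is a near-miss of a trusted domain (e.g. digit for letter).
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted {imitated}")

    # 3. Replies are redirected to a different domain than the visible sender.
    if reply_to:
        reply_domain = reply_to.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from sender {from_domain}")

    # 4. Urgency / payment wording typical of BEC lures (single-part bodies only).
    body = "" if msg.is_multipart() else msg.get_payload()
    if re.search(r"\b(urgent|immediately|wire|gift cards?)\b", body, re.I):
        findings.append("body uses urgent payment wording")
    return findings


# Constructed sample: a BEC-style message imitating the organisation's CFO.
BEC_SAMPLE = """From: "Example.com CFO" <cfo.office@examp1e.com>
Reply-To: cfo.office@mail-drop.example.net
To: accounts@example.com
Subject: Urgent wire transfer

Please wire the attached invoice immediately and confirm.
"""

# Constructed sample: an ordinary internal message.
BENIGN_SAMPLE = """From: "Alice" <alice@example.com>
To: accounts@example.com
Subject: Lunch menu

The cafeteria menu for next week is attached.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, phishing_indicators(sample))
```

Each indicator on its own is weak evidence; a legitimate mailing service also sets a different Reply-To, for instance. Treating them as a score that triggers review (or a banner warning the recipient) rather than an automatic block is the usual trade-off between false positives and missed BEC attempts.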
Malware
Malware is software designed to harm devices or networks. There are many types of malware. The primary purpose of malware is to obtain money, or in some cases, an intelligence advantage that can be used against a person, an organization, or a territory.
Some of the most common types of malware attacks today include:
Viruses: Malicious code written to interfere with computer operations and cause damage to data and software. A virus needs to be initiated by a user (i.e., a threat actor), who transmits the virus via a malicious attachment or file download. When someone opens the malicious attachment or download, the virus hides itself in other files in the now infected system. When those infected files are opened, the virus inserts its own code to damage and/or destroy data in the system.
Worms: Malware that can duplicate and spread itself across systems on its own. In contrast to a virus, a worm does not need to be downloaded by a user. Instead, it self-replicates and spreads from an already infected computer to other devices on the same network.
Ransomware: A malicious attack where threat actors encrypt an organization's data and demand payment to restore access.
Spyware: Malware that’s used to gather and sell information without consent. Spyware can be used to access devices. This allows threat actors to collect personal data, such as private emails, texts, voice and image recordings, and locations.
Social Engineering
Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. Human error is usually a result of trusting someone without question. It’s the mission of a threat actor, acting as a social engineer, to create an environment of false trust and lies to exploit as many people as possible.
Some of the most common types of social engineering attacks today include:
Social media phishing: A threat actor collects detailed information about their target from social media sites. Then, they initiate an attack.
Watering hole attack: A threat actor attacks a website frequently visited by a specific group of users.
USB baiting: A threat actor strategically leaves a malware USB stick for an employee to find and install, to unknowingly infect a network.
Physical social engineering: A threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location.
Social engineering principles
Social engineering is incredibly effective. This is because people are generally trusting and conditioned to respect authority. The number of social engineering attacks is increasing with every new social media application that allows public access to people's data. Although sharing personal data—such as your location or photos—can be convenient, it’s also a risk.
Reasons why social engineering attacks are effective include:
Authority: Threat actors impersonate individuals with power. This is because people, in general, have been conditioned to respect and follow authority figures.
Intimidation: Threat actors use bullying tactics. This includes persuading and intimidating victims into doing what they’re told.
Consensus/Social proof: Because people sometimes do things that they believe many others are doing, threat actors use others’ trust to pretend they are legitimate. For example, a threat actor might try to gain access to private data by telling an employee that other people at the company have given them access to that data in the past.
Scarcity: A tactic used to imply that goods or services are in limited supply.
Familiarity: Threat actors establish a fake emotional connection with users that can be exploited.
Trust: Threat actors establish an emotional relationship with users that can be exploited over time. They use this relationship to develop trust and gain personal information.
Urgency: A threat actor persuades others to respond quickly and without questioning.