CISSP for Dummies

Lawrence Miller, Peter Gregory

Publisher: Wiley, 2002, 408 pages

ISBN: 0-7645-1670-1

Keywords: IT Security

Last modified: April 13, 2021, 1:08 a.m.

The fun and easy way to study for the exam — all the rewards in half the time!

Here's the CISSP test-prep you've been waiting for: a For Dummies book-and-software package that actually makes studying fun. Prepared by two CISSP-certified experts and packed with proven tips and practice exams, it's all you need to get up to speed on all ten domains of the (ISC)2 Common Body of Knowledge — and pass the test!

  • Part I: Exam Basics

    1. (ISC)2 and the CISSP Certification
      • About (ISC)2 and the CISSP Certification
      • You Must Be This Tall to Ride (And Other Measurements)
      • Registering for the Exam
      • Developing a Study Plan
        • Self-study
        • Getting hands-on experience
        • Attending an (ISC)2 CISSP review seminar
        • Are You Ready for the Exam?
      • About the CISSP Examination
      • Waiting for Your Results
    2. The Common Body of Knowledge (CBK)
      • Access Control Systems and Methodology
      • Telecommunications and Network Security
      • Security Management Practices
      • Applications and Systems Development Security
      • Cryptography
      • Security Architecture and Models
      • Operations Security
      • Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
      • Laws, Investigations, and Ethics
      • Physical Security
  • Part II: Domains
    1. Access Control Systems and Methodology
      • Uncovering Concepts of Access Control
        • Control types
        • Access control services
      • Categories of Access Control
        • System access controls
        • Data access controls
      • Additional Reference
    2. Telecommunications and Network Security
      • Data Network Types
        • Local area network (LAN)
        • Wide area network (WAN)
      • The OSI Reference Model
        • Physical Layer (Layer 1)
        • Data Link Layer (Layer 2)
        • Network Layer (Layer 3)
        • Transport Layer (Layer 4)
        • Session Layer (Layer 5)
        • Presentation Layer (Layer 6)
        • Application Layer (Layer 7)
      • The TCP/IP Model
      • Network Security
        • Firewalls
        • Virtual private networks (VPNs)
        • Intrusion detection systems (IDSes)
        • Remote access
      • E-Mail, Facsimile and Telephone Security
        • E-mail security
        • Facsimile security
        • PBX fraud and abuse
      • Network Attacks and Countermeasures
        • SYN flood
        • ICMP flood
        • UDP flood
        • Smurf
        • Fraggle
        • Teardrop
        • Session hijacking (Spoofing)
      • Additional References
    3. Security Management Practices
      • Security Management Concepts and Principles
        • Confidentiality
        • Integrity
        • Availability
      • Data Classification
        • Commercial data classification
        • Government data classification
      • Employment Policies and Practices
        • Background checks/security clearances
        • Employment agreements
        • Hiring and termination practices
        • Job descriptions
        • Roles and responsibilities
        • Separation of duties and responsibilities
        • Job rotations
      • Policies, Standards, Guidelines, and Procedures
        • Policies
        • Standards
        • Guidelines
        • Procedures
      • Principles of Risk Management
        • Risk identification
        • Risk analysis
        • Risk control
      • Security Awareness
        • Awareness
        • Training
        • Education
      • Additional References
    4. Applications and Systems Development Security
      • Distributed Applications
        • Security in distributed systems
        • Agents
        • Applets
      • Object-Oriented Environments
      • Data and Information Storage
        • Primary storage
        • Secondary storage
        • Real and Virtual
      • Databases
        • Database security
        • Data dictionaries
        • Data warehouses
      • Knowledge-Based Systems
        • Expert systems
        • Neural networks
      • System Development Lifecycle
        • Conceptual definition
        • Functional requirements
        • Functional specifications
        • Design
        • Coding
        • Code review
        • System test
        • Certification
        • Accreditation
        • Maintenance
        • Notes about the lifecycle
        • Change Management
        • Configuration Management
      • Application Security Controls
        • Process isolation
        • Hardware segmentation
        • Separation of privilege
        • Accountability
        • Defense in depth
        • Abstraction
        • Data hiding
        • System high mode
        • Security kernel
        • Reference monitor
        • Supervisor and user modes
        • Service Level Agreements
      • Malicious Code
        • Virus
        • Worm
        • Trojan horse
        • Hoaxes
        • Logic bomb
        • Malicious updates
        • Trap doors
        • Anti-virus software
      • System Attack Methods
        • Denial of service
        • Dictionary attack
        • Spoofing
        • Hidden code
        • Social engineering
        • Pseudo flaw
        • Remote maintenance
        • Sniffing and eavesdropping
        • Traffic analysis and inference
        • Brute force
      • Perpetrators
        • Hackers
        • Script kiddies
        • Virus writers
        • Phreakers
      • Additional References
    5. Cryptography
      • The Role of Cryptography in Information Security
      • Cryptography Basics
        • Classes of ciphers
        • Types of ciphers
        • Key clustering
        • The science of crypto: Cryptanalysis, cryptography, and cryptology
        • Putting it all together: The cryptosystem
        • Encryption and decryption
        • He said, she said: The concept of non-repudiation
        • A disposable cipher: The one-time pad
        • Plaintext and ciphertext
        • Steganography: A picture is worth a thousand (hidden) words
        • Work factor: Force x effort = work!
      • Not Quite the Metric System: Symmetric and Asymmetric Key Systems
        • Symmetric key cryptography
        • Asymmetric key cryptography
      • Message Authentication
        • Digital signatures
        • Message digests
      • Public Key Infrastructure (PKI)
        • Certification Authority (CA)
        • Registration Authority (RA)
        • Repository
        • Archive
      • Key Management Functions
        • Key generation
        • Key distribution
        • Key installation
        • Key storage
        • Key change
        • Key control
        • Key disposal
      • Key Escrow and Key Recovery
      • E-Mail Security Applications
        • Secure Multipurpose Internet Mail Extensions (S/MIME)
        • MIME Object Security Services (MOSS)
        • Privacy Enhanced Mail (PEM)
        • Pretty Good Privacy (PGP)
      • Internet Security Applications
        • Secure Electronic Transaction (SET)
        • Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
        • Secure Hypertext Transfer Protocol (HTTPS)
        • IPSec
        • Multi-Protocol Label Switching (MPLS)
        • Secure Shell (SSH-2)
        • Wireless Transport Layer Security (WTLS)
      • Methods of Attack
        • Analytic attacks
        • Brute force attacks
        • Implementation attacks
        • Statistical attacks
        • Specific methods of attack
      • Additional References
    6. Security Architecture and Models
      • Computer Architecture
        • Hardware
        • Firmware
        • Software
      • Security Architecture
        • Trusted Computing Base (TCB)
        • Open and closed systems
        • Protection rings
        • Security modes
        • Recovery procedures
      • Access Control Models
        • Bell-LaPadula
        • Access Matrix
        • Take-Grant
        • Biba
        • Clark-Wilson
        • Information Flow
        • Non-interference
      • Evaluation Criteria
        • Trusted Computer System Evaluation Criteria (TCSEC)
        • Trusted Network Interpretation (TNI)
        • European Information Technology Security Evaluation Criteria (ITSEC)
        • Common Criteria
      • Certification and Accreditation
        • DITSCAP
        • NIACAP
      • Additional References
    7. Operations Security
      • Security Operations Concepts
        • Anti-virus management
        • Backups of critical information
        • Need-to-know
        • Least privilege
        • Privileged functions
        • Privacy
        • Legal requirements
        • Illegal activities
        • Record retention
        • Handling sensitive information
      • Threats and Countermeasures
        • Errors and Omissions
        • Fraud
        • Theft
        • Employee sabotage
        • Industrial espionage
        • Loss of physical and infrastructure support
        • Hackers and crackers
        • Malicious code
        • Inappropriate worker activities
      • Security Operations Management
        • Job requirements and specifications
        • Background checking
        • Separation of duties
        • Job rotation
        • Mandatory vacations
        • Security violations
        • Termination
      • Security Controls
        • Resource protection
        • Privileged entity controls
        • Change controls
        • Media controls
        • Administrative controls
        • Trusted recovery
      • Security Auditing
      • Audit Trails
        • Anatomy of an audit record
        • Types of audit trails
        • Finding trouble in them thar logs
        • Problem management and audit trails
        • Retaining audit logs
        • Protection of audit logs
      • Monitoring
        • Penetration testing
        • Intrusion detection
        • Violation analysis
        • Keystroke monitoring
        • Traffic and trend analysis
        • Facilities monitoring
        • Responding to events
      • Additional References
    8. Business Continuity Planning and Disaster Recovery Planning
      • Defining Disastrous Events
        • Natural disasters
        • Man-made disasters
      • The Differences between BCP and DRP
      • Understanding BCP Project Elements
      • Determining the BCP Scope
      • Defining the Business Impact Assessment
        • Vulnerability Assessment
        • Criticality Assessment
        • Identifying key players
        • Setting Maximum Tolerable Downtime
        • Defining the Resource Requirements
      • BCP Recovery Plan Development
        • Emergency response
        • Personnel notification
        • Backups and off-site storage
        • Software escrow agreements
        • External communications
        • Utilities
        • Logistics and supplies
        • Fire protection
        • Documentation
        • Data processing continuity planning
      • Development of the BCP Plan
        • Identifying success factors
        • Simplifying large or complex critical functions
        • Documenting the strategy
      • Implementing the Business Continuity Plan
        • Securing senior management approval
        • Promoting organizational awareness
        • Maintaining the plan
      • Disaster Recovery Planning
      • Developing a Disaster Recovery Plan
        • Preparing for emergency response
        • Notifying personnel
        • Facilitating external communications
        • Maintaining physical security
      • Testing the Disaster Recovery Plan
      • Additional References
    9. Law, Investigations, and Ethics
      • Major Categories and Types of Laws
        • US common law
        • International law
      • Major Categories of Computer Crime
        • Terrorist attacks
        • Military and intelligence attacks
        • Financial attacks
        • Business attacks
        • Grudge attacks
        • "Fun" attacks
      • Types of Law Relevant to Computer Crime
        • Intellectual property
        • Privacy laws
        • Computer crime laws
      • Investigations
        • Evidence
        • Conducting investigations
        • Incident handling (Or response)
      • Ethics
        • (ISC)2 Code of Ethics
        • Internet Activities Board (IAB) — "Ethics and the Internet" (RFC 1087)
      • Additional References
    10. Physical Security
      • Physical Security Threats
      • Facility Requirements Planning
        • Choosing a secure location
        • Designing a secure facility
      • Physical Security Controls
        • Physical access controls
        • Technical controls
        • Environmental and life safety controls
        • Administrative controls
      • Additional References
  • Part III: The Part of Tens
    1. Ten Security Domains
      • Access Control Systems and Methodology
      • Telecommunications and Network Security
      • Security Management Practices
      • Applications and Systems Development Security
      • Cryptography
      • Security Architecture and Models
      • Operations Security
      • Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
      • Law, Investigations, and Ethics
      • Physical Security
    2. Ten More Security Certifications
      • Check Point
      • Cisco
      • CIW
      • CompTIA
      • DRII
      • ISACA
      • (ISC)2
      • Microsoft
      • SAIR Linux/GNU
      • SANS/GIAC
    3. Ten Security Web Sites
      • (ISC)2
      • CISSP Open Study Guide
      • Cissps.com
      • Network Security Library
      • The SANS Institute
      • The Shmoo Group
      • www.simovits.com
      • Carnegie Mellon SEI CERT Coordination Center
      • Common Vulnerabilities and Exposures
      • HierosGamos Guide to Computers and the Law
    4. Ten Test Preparation Tips
      • Get a Networking Certification First
      • Register NOW!
      • A 60-Day Study Plan
      • Get Organized and READ!
      • Join a Study Group
      • Take Practice Exams
      • Take a CISSP Review Seminar
      • Develop a Test-Taking Strategy
      • Practice Drawing Circles!
      • Plan Your Travel
    5. Ten Test Day Tips
      • Get a Good Night's Rest
      • Dress Comfortably (And Appropriately)
      • Eat a Good Breakfast
      • Arrive Early
      • Bring Your Registration Letter and ID
      • Bring Snacks and Drinks
      • Bring Prescription or Over-the-Counter Medications
      • Bring Extra Pencils and a BIG Eraser
      • Leave Your Cell Phone, Pager, PDA, and Digital Watch at Home
      • Take Frequent Breaks
    6. Ten Essential Reference Books
  • Part IV: Appendices
    1. Practice Exam
    2. Glossary
    3. About the CD-ROM
      • System Requirements
      • Contents
      • If You Have Problems (Of the CD Kind)
  • End-User License Agreement

Reviews

CISSP for Dummies

Reviewed by Roland Buresund

Disappointing *** (3 out of 10)

Last modified: Nov. 18, 2008, 2:36 p.m.

Extremely simplified overview of the CISSP domains.

I can't recommend it.
