CISSP Certification: What It’s All About
(ISC)²®, the International Information System Security Certification Consortium, Inc., was founded in 1989. This not-for-profit organization manages the CISSP (Certified Information Systems Security Professional) certification. This advanced-level certification is meant for IT security professionals with the following level of experience: a minimum of four years of PROFESSIONAL experience in the field of information security. A bachelor’s degree can substitute for one of these required years. Additionally, a Master’s Degree in Information Security from a National Center of Excellence can substitute for one year towards the four-year requirement. This experience requirement essentially forms the prerequisite for this vendor-neutral certification, although (ISC)²®’s other, lower-level certification, the SSCP (Systems Security Certified Practitioner), is recommended. In June 2003, (ISC)²® introduced an Associate program that allows candidates to take the exam before they meet the experience requirement. Here’s more on that: After passing the selected exam and signing (ISC)²®’s Code of Ethics, the Associate must garner the requisite work experience and successfully complete a professional endorsement process before he/she becomes officially certified as CISSP or SSCP.
In terms of recertification, ‘CPE’ stands for Continuing Professional Education credits. After a candidate becomes certified, he/she is required to complete continuing education during each 3-year certification period in order to be recertified.
A CISSP must submit 120 CPEs during the 3-year recertification period. Of the 120 CPEs that are required, at least 80 must be ‘A’ credits and as many as 40 can be ‘B’ credits. The CISSP certification is well suited to IT professionals who aim to be IS (Information Security) professionals, network security professionals, or systems security professionals. The CISSP® designation is achieved by passing one exam.
The CISSP® is an extremely advanced certification meant for IT professionals who want to achieve "mastery of an international standard for information security and understanding of a Common Body of Knowledge (CBK®)." Earning the CISSP® certification requires a candidate to pass a single exam and meet the exam vendor’s prerequisites. The two prerequisites for this exam are for the candidate to: "execute the candidate agreement, attesting to the truth of the candidate’s experience assertions and legally commit to adhering to the Code of Ethics"; and successfully "answer four questions regarding criminal history and related background." Candidates who earn this certification commonly carry titles such as Security Auditor or Network Security Analyst. Find out all of the essentials you need for your CISSP with our free CISSP 15-Minute Guide.
CISSP Security Glossary
As you study for your CISSP exam, you’ll need to master the terms and tools of the trade. This useful glossary will help you find the definitions for important CISSP terms in a single, convenient location.
ACL An access control list is a list that specifies which subjects can access which objects.
Administrative Detective Control Policy or rule that detects when something has occurred by using auditing or performance reviews to see the actions that subjects have taken.
Asynchronized Device A token device which uses a challenge-response approach to generate a password.
Authentication A system for validating that the subject or object is really who or what they say or appear to be.
Authentication Service The part of the KDC that actually authenticates the subjects and objects.
Authorization Creep Accidentally giving a subject access to objects that are not intended for them to have access to.
Biometrics The most expensive and secure authentication type which uses physical characteristics to authenticate a person. Biometrics use characteristics such as retina and iris scans, fingerprint and handprint characteristics, voice patterns, keystroke patterns, and signatures to authenticate a subject.
Brute Force An attack that attempts to gain access many times using different input types. Examples of brute force attacks are password guessing and war dialing.
CER Crossover Error Rate is the value at which the FRR and the FAR are equal, i.e. the point where the two curves cross when graphed against the system’s threshold. The CER allows two different biometric methods to be compared.
Centralized Authentication Authentication type where a single identity controls all access to certain objects. It is a strict control with a single point of failure that allows for easy administration.
Control A safeguard that lessens risk once a high probability of a loss has been realized.
DAC Discretionary Access Control is an identity-based access control. This means that the user must be authenticated as a specific user, and, based on those privileges, can specify who else can access that object. DAC gives the owner the ability to specify access restrictions.
Decentralized Authentication An authentication type in which administrative access is handled closer to the objects that are being controlled, such as across multiple machines that share information like a security domain.
Dictionary Attack A selective attack in which a dictionary of common words, identification credentials, or frequently used user IDs is submitted to the authentication device.
DoS Attack A Denial of Service attack attempts to stop a network by flooding it with useless traffic. A DoS master system is used to communicate with, and host hacking tools on, machines across the Internet, allowing the hacker to send out attacks using a single command.
Domain A group of computers on a network that share a Security Accounts Manager database and security policies.
FAR False Acceptance Rate is the rate at which a biometrics system accepts an invalid subject.
FRR False Rejection Rate is the rate at which a biometrics system would reject a valid subject.
Hacker Also referred to as a cracker, a hacker is a person who is highly skilled in a programming language and often considered an expert on the subject. The term can be complimentary or derogatory.
Honeypot A monitoring process that segments an area or entire machine onto a portion of the network, opening ports to entice a hacker to find and attack the machine.
Hybrid Model A combination of centralized and decentralized authentication.
IDS An intrusion detection system inspects all network activity and identifies any suspicious patterns indicative of an attack.
Identification A claim to be a valid subject.
KDC Key Distribution Center is a component of the Kerberos system which holds all cryptographic keys. The KDC must be communicated with at every phase in order to initiate any type of authentication.
Kerberos A product developed by MIT that provides authentication and message protection using one key to encrypt a message on one side and the same key to decrypt the message on the other side.
Least Privilege A concept that grants subjects only the access to objects that they need to perform their required tasks. The goal is to limit authorization creep.
Object An entity that contains or controls data.
MAC Mandatory Access Control is a mandatory set of rules that everyone must abide by. It is a rule-based access control in which data owners are granted access based upon rules.
Man-in-the-Middle Attack A network attack where the hacker intercepts a public key exchange and substitutes his own public key for the requested one, thus enabling him to intercept messages from both sides of the communication.
Non-Discretionary Control A role-based access control in which access is granted based upon the subject’s role instead of identity. This type of control is common in an environment with frequent personnel changes.
Penetration Testing A legal hacking process in which the tester acts as a hacker, scanning and probing systems to see whether they can be accessed. It is a coordinated set of attacks used to judge the vulnerability of a system.
Physical Access Controls Controls which limit physical access to hardware.
Physical Preventative Control A control, such as a badge or access card, which stops something before it occurs.
RADIUS Remote Authentication Dial-In User Server is a centralized authentication protocol that authenticates and authorizes users, generally through dial-up access, and provides the authentication mechanism that allows dial-up subjects to access objects.
SESAME Secure European System for Applications in a Multivendor Environment is an authentication service for use in Europe. SESAME uses public key cryptography to distribute secret keys and a Privilege Attribute Certificate mechanism which contains key information and the necessary authentication packet to pass authentication.
SSO Single Sign-On is a method that gives users a single domain of control. SSO simplifies the authentication process by allowing users to authenticate once at an entry point of a domain, which signs them into every component of the domain.
Security Label A concept that assigns a classification level to objects.
Shoulder Surfing An observation technique in which information is obtained by looking over someone’s shoulder.
Spoofing A technique used by hackers to gain entry to a system by modifying packet headers so as to appear as a trusted host.
Synchronized Device A token device that generates time-based passwords to correspond with a central server.
TACACS Terminal Access Controller Access Control System is a centralized authentication type that provides single factor authentication and authorization for direct access. The TACACS+ version implements two-factor authentication.
Ticket A multiple component message that is sent back and forth in Kerberos. The message contains the ticket and an authentication message specifying that the subject is authenticated or that a subject has been authenticated and is valid to access a specific object.
Token Device A small device that generates passwords based on synchronous or asynchronous query to a centralized server. An example would be a smart card.
War Dialer A computer program built to seek out modems by dialing consecutive phone numbers. War Dialers are built to find vulnerable computer systems.
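The FAR, FRR and CER entries above describe how a biometric system’s two error rates trade off against its matching threshold. The following is an added worked example (not part of the original glossary) that computes both rates from constructed, hypothetical match scores and locates the crossover point by linear interpolation; the score values, thresholds and function names are all assumptions made for illustration.

```python
"""Biometric error rates: FAR, FRR and the crossover error rate (CER).

Added illustration; the scores below are constructed, not real data.
A match score >= threshold is treated as an ACCEPT decision.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class ThresholdPoint:
    threshold: float
    far: float  # False Acceptance Rate: fraction of impostor attempts accepted
    frr: float  # False Rejection Rate: fraction of genuine attempts rejected


# Constructed sample data (hypothetical): match scores produced by a
# matcher for genuine users and for impostors trying to pass as them.
GENUINE_SCORES = [0.95, 0.90, 0.85, 0.80, 0.70, 0.60, 0.55, 0.50, 0.40, 0.30]
IMPOSTOR_SCORES = [0.10, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50, 0.60, 0.70]
THRESHOLDS = [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1.0]


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                thresholds: Sequence[float]) -> List[ThresholdPoint]:
    """Compute FAR and FRR at every candidate threshold.

    Raising the threshold rejects more impostors (FAR falls) but also
    rejects more genuine users (FRR rises), which is the trade-off the
    CER summarises in a single number.
    """
    points = []
    for t in thresholds:
        far = sum(1 for s in impostor if s >= t) / len(impostor)
        frr = sum(1 for s in genuine if s < t) / len(genuine)
        points.append(ThresholdPoint(t, far, frr))
    return points


def crossover_error_rate(points: Sequence[ThresholdPoint]) -> Tuple[float, float]:
    """Return (threshold, cer) where FAR and FRR are equal.

    The curves are sampled at discrete thresholds, so the crossing is
    found by linear interpolation between the two neighbouring samples
    where FAR - FRR changes sign.
    """
    pts = sorted(points, key=lambda p: p.threshold)
    for a, b in zip(pts, pts[1:]):
        da = a.far - a.frr
        db = b.far - b.frr
        if da == 0:
            return a.threshold, a.far
        if da > 0 and db <= 0:
            frac = da / (da - db)
            t = a.threshold + frac * (b.threshold - a.threshold)
            cer = a.far + frac * (b.far - a.far)
            return t, cer
    raise ValueError("FAR and FRR never cross over the supplied thresholds")


def lowest_threshold_for_far(points: Sequence[ThresholdPoint],
                             max_far: float) -> ThresholdPoint:
    """Pick the least restrictive threshold that still keeps FAR <= max_far.

    Useful when a policy fixes the acceptable impostor acceptance rate
    and the FRR (user inconvenience) is the quantity to be minimised.
    """
    eligible = [p for p in points if p.far <= max_far]
    if not eligible:
        raise ValueError("no threshold meets the FAR target")
    return min(eligible, key=lambda p: p.threshold)


if __name__ == "__main__":
    table = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS)
    print("threshold   FAR    FRR")
    for p in table:
        print(f"   {p.threshold:.1f}     {p.far:.2f}   {p.frr:.2f}")
    t, cer = crossover_error_rate(table)
    print(f"CER ~ {cer:.3f} at threshold ~ {t:.3f}")
    strict = lowest_threshold_for_far(table, max_far=0.1)
    print(f"FAR <= 10% first reached at threshold {strict.threshold:.1f} "
          f"(FRR there is {strict.frr:.2f})")
```

A lower CER means a better matcher overall, which is why the glossary notes it is the figure used to compare two biometric methods; the chosen operating threshold in a real deployment is usually moved away from the crossover towards lower FAR, accepting a higher FRR in exchange.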
CISSP Certification Training:
Get Ultimate Access to Everything
LearnSmart’s Ultimate Access collection is our Netflix-style training program that gives you open reign to our entire selection of training. It’s a single, affordable package that provides all of our video training, practice exams, audio, Mega Guides and more for every skill, certification and career. To find out how you can get Ultimate Access to everything for your CISSP certification and more, call LearnSmart at 1-800-418-6789.
CISSP — Common Body
The topics covered by this exam come from the CISSP® Common Body of Knowledge (CBK®) and include:
- Access Control Systems & Methodology
- Applications & Systems Development
- Business Continuity Planning
- Law, Investigation & Ethics
- Operations Security
- Physical Security
- Security Architecture & Models
- Security Management Practices
- Telecommunications, Network & Internet Security
Within this Common Body of Knowledge (CBK®), the vendor will ask a series of very challenging questions involving particulars extracted from the published information. While the material itself is not considered to be overly complex, the sheer amount of information on the exam can be slightly intimidating to those new to the security field. The passing score for this form-based multiple choice exam is a scaled score of 700 points or greater. There are 250 questions and the exam lasts 6 hours.
CISSP Certification Training
The CISSP certification is very difficult to achieve, which is why the rewards are so great. In addition, the exam costs are high in relation to other IT certification exams, so you want to be as prepared as possible. As one blog poster wrote: "at $500 a pop, it’s worth it to overstudy!" LearnSmart can help you get ready for your CISSP exam with high-quality video training, practice exams, audio and more.
See all CISSP training.
Use CISSP® (2008 Edition) LearnSmart Video Training to learn everything that a CISSP® needs to know and pass your CISSP® (2008 Edition) certification exam. When you complete this CBT course, you’ll be an expert on the "must-know" skills for your CISSP® (2008 Edition) certification exam.
CISSP Certification Practice Exams
LearnSmart’s CISSP Practice Exam is the best way to master the skills you need to pass. Get complete, thorough and authentic coverage with a deep pool of questions for all domains of the CISSP exam, including:
- Access Control Systems & Methodology - 75 questions
- Applications & Systems Development - 75 questions
- Business Continuity Planning - 75 questions
- Cryptography - 75 questions
- Law, Investigation & Ethics - 75 questions
- Operations Security - 75 questions
- Physical Security - 75 questions
- Security Architecture & Models - 75 questions
- Security Management Practices - 75 questions
- Telecommunication, Network & Internet Security - 75 questions