The Pursuit of Integrity, Honor and Trust in Information Security.
I have been spending all my free time lately preparing for the CISSP examination, and I am determined to pass the exam and get the certification, though I cannot get the certificate without having a “sponsor” to vouch for me that I work with security in an isolated or dedicated fashion, meaning having a security working title, which I do not have at present. But of course it is a huge aspect of my job in the Danish Police and I use the knowledge every day in my solutions, decisions and interactions with my colleagues. Nor can I show on my CV that I have 5 years of experience working directly with security, though it has always been within the scope of my work as an Infrastructure developer, and within the scope of my interests.
Nonetheless, I am driven to get this certificate and become a Certified Information Systems Security Professional. Why? Because it makes sense. The more I read into it and study it, the more it makes sense to me. Of course that may seem logical, but there is a huge difference between defining, let’s say, collusion and understanding how to detect and prevent collusion from taking place. In contrast to the many MCSE certifications I have taken, where all the exams only required me to be able to define the terms and how to initiate them, never have I been asked to put it into a deeper perspective or to explain why it makes sense to be capable of using that particular technology advancement. Of course you should know why it makes sense to use an Active Directory architectural and security model, and to use best practice in doing so. However, you cannot study best practices as a static goal of accomplishment. Best practice is the sum of many factors in your environment. Pretty much like the CISSP, an eight-legged monster where you have to master eight different disciplines to be able to tie up each leg in different manners in order to tame it.
The eight domains are:
- Security and Risk Management
- Asset Security
- Security Engineering
- Communication and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
Another hard fact about the examination itself is sitting for 6 hours answering 250 questions, going through the 8 domains that make up the CISSP.
Below are random questions from each domain to give you an idea of what it is about. Of course I cannot reveal the answers, as I would then violate the rules, but maybe you have gained some interest in finding out yourself.
Which is the most valuable technique when determining if a specific security control should be implemented?
- Risk analysis
- Cost/benefit analysis
- ALE results
- Identifying the vulnerabilities and threats causing the risk
Which of the following is the most important criterion in determining the classification of data?
- The level of damage that could be caused if the data were disclosed
- The likelihood that the data will be accidentally or maliciously disclosed
- Regulatory requirements in jurisdictions within which the organization is not operating
- The cost of implementing controls for the data
In secure computing systems, why is there a logical form of separation used between processes?
- Processes are contained within their own security domains so each does not make unauthorized accesses to other processes or their resources
- Processes are contained within their own security perimeter so they can only access protection levels above them
- Processes are contained within their own security perimeter so they can only access protection levels equal to them
- The separation is hardware and not logical in nature
Which of the following technologies integrates previously independent security solutions with the goal of providing simplicity, centralized control, and streamlined processes?
- Network convergence
- Security as a service
- Unified threat management
- Integrated convergence management
How is a challenge/response protocol utilized with token device implementations?
- This protocol is not used. Cryptography is used
- An authentication service generates a challenge, and the smart token generates a response based on the challenge
- The token challenges the user for a username and password
- The token challenges the user’s password against a database of stored credentials
An assessment whose goal is to assess the susceptibilities of an organization to social engineering attacks is best classified as
- Physical testing
- Personal testing
- Vulnerability testing
- Network testing
What is a common problem with vibration-detection devices used for perimeter security?
- They can be defeated by emitting the right electrical signals in the protected area
- The power source is easily disabled
- They cause false alarms
- They interfere with computing devices
Which of the following techniques or set of techniques is used to deter database inference attacks?
- Partitioning, cell suppression, and noise perturbation
- Controlling access to the database dictionary
- Partitioning, cell suppression and small query sets
- Partitioning, noise and perturbation, and small query sets
Once the certification is obtained you commit yourself to the (ISC)² Code of Ethics, and a holder of the certificate who violates any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification.