
Expert Reference Series of White Papers

1-800-COURSES www.globalknowledge.com
Five Tips To Help You Prepare for the Updated 2012 CISSP Exam
Copyright 2011 Global Knowledge Training LLC. All rights reserved. 2
Five Tips to Help You Prepare for the Updated 2012 CISSP Exam
Michael Gregg, CISSP, SSCP, CISA, CISM, GSEC
Introduction
The CISSP exam is scheduled for an update in January 2012. This is the first major update in several years, and it will offer new challenges for those preparing for the exam. This white paper will discuss five tips that can help you pass the updated exam, including:
2012 CISSP domain name changes and an in-depth look at each domain
CISSP exam question structure and types
Tips for excelling on the day of the CISSP exam.
Let's get started by looking at what domains have been updated.
Tip 1: Know the New 2012 CISSP Domain Names
One of the things many exam candidates are curious about is how the 2012 version of the CISSP exam will be different from the previous version. While changes can sometimes cause some anxiety, they are needed as technology continues to advance. As an example, consider all the changes in technology over the last several years, from advances in cloud computing to the growth of convergence.
The 2012 domains include:
Access Control
Telecommunications and Network Security
Information Security and Governance and Risk Management
Software Development Security
Cryptography
Security Architecture and Design
Security Operations
Business Continuity and Disaster Recovery Planning
Legal, Regulations, Investigations and Compliance
Physical (environmental) Security
Three of these domains have updated names that better reflect their current focus. These include: Information Security and Governance and Risk Management, Software Development Security, and Security Operations. Now that you know what the new domain names are, let's examine each domain in greater detail.
Tip 2: Understand Required Knowledge of Each Domain
I will go through each domain and discuss changes to the Common Body of Knowledge (CBK) and important
knowledge areas.
Access Control
This domain will continue to focus on authentication, authorization, and accountability; however, there are also
some topics that will most likely see additional coverage.
One expanded area is the effectiveness of access control. Access controls are not all created equal. Access control mechanisms, such as passwords, swipe cards, smart cards, USB devices, and biometrics, differ greatly in their ability to provide strong authentication, and you should understand the differences. As for threats to access control, candidates should understand how to address them.
Access aggregation is another topic you may be tested on. In some organizations, it's possible that employees keep accumulating access rights as they move from department to department, because the rights granted in earlier roles are never revoked. This can cause real security problems over time.
Another item to understand is threat modeling, which can be described as a method of identifying and assessing the set of possible attack vectors against a system when evaluating its security.
Telecommunications and Network Security
Even before any update, this is already a huge domain. This is the domain that addresses networking protocols,
equipment, LAN, WAN, and routing.
It's very possible that new questions will focus on items such as Multiprotocol Label Switching (MPLS). MPLS can encapsulate packets of various WAN protocols and directs data from one network node to the next based on short path labels rather than long network addresses.
Do you allow your users to connect personal devices to the corporate network? As networks continue to change, there is an increasing consumerization of IT. This requires an increased focus on endpoint security. Whois.com defines endpoint security as an approach to network protection that requires each computing device on a corporate network to comply with certain standards before network access is granted.
One final item to watch for in this domain is secure communications. Today's computing environment is filled with threats, from screen scrapers and keyloggers to spyware. A CISSP candidate must understand the ways to provide secure end-to-end communication.
Information Security and Governance and Risk Management
This domain was formerly titled Information Security and Risk Management. The three core elements of security are discussed in this domain. These three elements are summarized by the acronym CIA, which, simply put, refers to confidentiality, integrity, and availability. These three elements are something that a security professional will seek to protect by administrative, technical, and physical controls.
This domain will also continue to focus on qualitative and quantitative risk. Knowing the steps to both, the appropriate formulas, and hybrid risk techniques will continue to be important.
You can also look for increased coverage of third-party governance. Just take a moment to consider how cloud computing adds concerns for compliance. As an example, CISSP candidates should understand which compliance issues they are responsible for versus those that belong to the cloud service provider. Such issues are of vital importance as hackers will continue to try to clobber the cloud with attacks.
Software Development Security
This domain has not only had a name change from Application Security, but also has updated topics. The CISSP
candidate should understand the environment in which the software will be developed, the security controls
built into the software, and that good coding practices are used.
Depending on the programming language used, these concerns can vary. As an example, in C, some C standard library functions can be used inappropriately or in ways that may cause security problems. Some C functions, including strcat(), sprintf(), vsprintf(), bcopy(), scanf(), and gets(), can be exploited because they do not check the size of the destination buffer.
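As an added example (not from the white paper), the following C code shows bounded replacements for three of the functions listed above: strcat(), sprintf(), and gets(). The buffer size and the greeting format are constructed for illustration; each function reports whether input was truncated rather than silently writing past the buffer.

```c
/* Added example (not from the white paper): bounded replacements for the
 * unchecked C functions named above. Every write is limited by the size of
 * the destination buffer, and the caller learns whether input was truncated. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define USERNAME_MAX 16   /* constructed buffer size for the example */

/* Replacement for strcat(): append src to dst without exceeding dst_size.
 * Returns false (leaving dst NUL-terminated) when src did not fully fit. */
static bool append_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst);
    if (used >= dst_size)
        return false;                       /* dst already overfull */
    size_t room = dst_size - used - 1;      /* space left, excluding the NUL */
    size_t need = strlen(src);
    size_t copy = need < room ? need : room;
    memcpy(dst + used, src, copy);
    dst[used + copy] = '\0';
    return need <= room;
}

/* Replacement for sprintf(): snprintf() returns how many characters the full
 * output would need, so truncation is detectable instead of silent. */
static bool format_greeting(char *dst, size_t dst_size, const char *user)
{
    int n = snprintf(dst, dst_size, "Welcome, %s!", user);
    return n >= 0 && (size_t)n < dst_size;
}

/* Replacement for gets(): read one line with fgets(), strip the newline, and
 * drain any overlong remainder so it is not misread as the next input.
 * Returns false when no data could be read (EOF). */
static bool read_line(FILE *in, char *dst, size_t dst_size)
{
    if (!fgets(dst, (int)dst_size, in))
        return false;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') { /* discard overflow */ }
    }
    return true;
}
```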
Cryptography
This domain is considered difficult by some exam candidates. The 2012 exam stays close to the previous areas of knowledge. The cryptography domain includes topics such as symmetric encryption, asymmetric encryption, hashing, and digital signatures, each with specific attributes and solutions.
You may be tested on a wide area of concepts, terms, and cryptographic technologies. As an example, you may be asked about perfect forward secrecy (PFS). PFS is based on the concept that the exposure of a single key gives an attacker access only to the data protected by that one key.
Security Architecture and Design
This domain also remains close to the previous version. One item that has been added is the Open Web Application Security Project (OWASP), which is an open-source application security project that includes best-practice guides, code review documentation, and practice tools such as WebGoat and WebScarab.
Security Operations
This domain was previously known as Operations Security. This domain has undergone some other changes as well. You should understand the need to implement preventive measures against attacks such as zero day exploits. A zero day exploit is one in which the attack takes place before or immediately after a security vulnerability is announced. Such attacks are of great concern since a patch has not yet been released to address the vulnerability.
Business Continuity and Disaster Recovery Planning
This domain is important for the CISSP to understand. Consider all the disasters that have occurred in the last few years: oil spills, hurricanes, earthquakes, and tsunamis. Good governance requires the creation of a disaster recovery plan. While this is important, it is only a start. Please keep in mind that there is no demonstrated recovery until the disaster recovery plan has been tested. There are many ways to test a plan, such as checklist, structured walk-through, simulation, parallel, and full-interruption tests. You need to understand each of these.
Legal, Regulations, Investigations and Compliance
Have you read the ISC2 code of ethics? It's one of the testable topics in this domain. Along with ethical standards, you will also need to understand how to ensure security in contractual agreements. Incident response and forensics are two more potential topics. Make sure you know the importance of forensics and the different types of analysis, such as media, network, and software.
Physical (environmental) Security
This domain remains the same, but do not underestimate the importance of physical security. You may have great logical controls, yet if someone can walk in and access equipment, you are still vulnerable. You will need to know about everything from the height of fences needed to deter determined intruders to various fire suppression systems. You should also understand the importance of supporting the implementation and operation of facility security, which includes locks, controls, data center security, and work area security.
Please note that these are only examples of the types of topics that might be seen on the exam. Now, let's discuss how exam questions are structured.
Tip 3: Understand How the CISSP Exam Is Structured
The CISSP exam is considered a somewhat difficult test. It was created for security professionals with at least five years of security experience. Part of what makes this exam difficult is that it expects you to know more than just basic security facts. It requires you to have a practical understanding of the application of IT security concepts.
The exam is also very broad in nature. It's made up of the ten domains previously introduced and covers a wide range of security concepts. The paper-based test is six hours in length and comprises 250 questions. Twenty-five of these questions are used for statistical purposes; however, these are scattered throughout the exam, and you'll have no way of knowing which questions they are. This means you must answer all 250 questions as if each one counts.
One of the best ways to prepare for this exam is to make sure you spend plenty of time going through practice questions so that you are comfortable sitting through 250 questions in one sitting. I often describe this to individuals as similar to planning for a race. While it's nice to think I would do well in the New York City marathon, the truth is that it would require some preparation for me to expect to excel. The same can be said for the CISSP exam.
While it is important that you understand the structure of CISSP questions, you also need to understand the
types of questions you might see on the 2012 CISSP exam.
Tip 4: Know the Types of CISSP Exam Questions
CISSP exam questions follow a standard format: four possible answers, only one of which is correct. While the format has remained standard, CISSP test questions have been evolving, so you can expect to see different types of test questions on the exam.
One question type is the knowledge-based question, which asks you to recall a fact. As an example of this type of question: how high a fence do you need to deter a determined intruder? These questions expect you to know facts and are some of the easiest to answer, as memorization of the material will help you answer them successfully. While you may have a few of these questions, expect to see a certain number of hard questions.
A more difficult question type is the complex scenario, which places you in a specific situation and then questions what should be done or accomplished. These questions can be difficult as they require you to apply your experience.
Another question type is the subset question; these questions will show two answers that appear to be correct, yet one is more correct than the other. You will need to select the most correct answer.
Some questions may have you solve a mathematical equation. These questions will present you with some
values and expect you to calculate a value. These questions might involve risk calculation or the computation of
single loss expectancy. As an example, you may be given an asset value and an exposure factor then be asked to
calculate the single loss expectancy.
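As an added example (not from the white paper), the C code below carries the quantitative risk formulas these calculation questions draw on: single loss expectancy from asset value and exposure factor, annualized loss expectancy from SLE and annualized rate of occurrence, and the resulting cost/benefit of a safeguard. The dollar figures in main() are constructed for illustration.

```c
/* Added example (not from the white paper): quantitative risk formulas used
 * in CISSP calculation questions. All values in main() are constructed. */
#include <stdio.h>

/* Single loss expectancy (SLE): the value lost in one occurrence of a threat.
 * asset_value is in currency units; exposure_factor is a fraction 0.0 to 1.0
 * giving the share of the asset's value lost in a single event. */
static double sle(double asset_value, double exposure_factor)
{
    return asset_value * exposure_factor;
}

/* Annualized loss expectancy (ALE): SLE scaled by the annualized rate of
 * occurrence (ARO), the number of times the loss is expected per year. */
static double ale(double single_loss, double aro)
{
    return single_loss * aro;
}

/* Cost/benefit of a safeguard: the ALE it removes minus its annual cost.
 * A negative result means the control costs more than the risk it reduces. */
static double safeguard_value(double ale_before, double ale_after, double annual_cost)
{
    return ale_before - ale_after - annual_cost;
}

int main(void)
{
    /* Constructed scenario: a $100,000 asset, 25% exposure per event,
     * one event every two years; a $4,000/year control cuts exposure to 5%. */
    double av = 100000.0;
    double single = sle(av, 0.25);                 /* 25,000 */
    double before = ale(single, 0.5);              /* 12,500 */
    double after = ale(sle(av, 0.05), 0.5);        /*  2,500 */
    double net = safeguard_value(before, after, 4000.0); /* 6,000 */
    printf("SLE %.2f  ALE %.2f  ALE with safeguard %.2f  net value %.2f\n",
           single, before, after, net);
    return 0;
}
```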
Another possible question type is the "too much information" question. These questions may run a half page in length and expect you to extract the correct information to arrive at the correct answer. While this type of question can be challenging, it does mimic real life in a way. Just think about all the times you are flooded with information and must extract what's needed to arrive at a suitable solution. These questions can require some time to work through. The best approach is to determine what is unneeded and get to the heart of the problem.
Finally, some questions may simply appear to be poorly worded. As the CISSP exam is a global certification, there is always the possibility that some questions may have been written in other languages or in different regions of the world, or it could be that the question creator believes this type of question separates those who know the material from those who don't.
Tip 5: Be Prepared on the Day of the Exam
Now that we have covered some of the information about the test, let's discuss the actual test date.
After you have registered for the exam, you will receive an email detailing the location and time of the exam. You will want to pay special attention to the start time, as individuals who arrive late to the exam may be barred from entry and not allowed to take the exam. Best practice would be to try to arrive early. If nothing else, it relieves stress and gives you a few minutes to gather your thoughts before the test is scheduled to start. It also provides some extra time should there be traffic or other events that delay your arrival at the testing location.
While you will not be allowed to bring any study guides or materials into the test area, you can bring pencils, an
eraser, and a highlighter.
The test will be delivered by means of a Scantron and test booklet. The score is additive, so you are better off filling in all answers rather than leaving any blank. As you start to record your answers onto the Scantron, verify that you have entered them correctly and that you are not off track with your alignment.
One approach is to make several passes on the exam.
1. On the first pass, answer all the questions you know. This will help build your confidence and should help you fill in 30% or more of the questions. There is also the possibility that you will read something in one question that will help you answer another one.
2. On the second pass, spend some time on the longer questions, and look for key words such as least, most, best, worst, and double negatives.
3. On the final pass, try to eliminate answers you know are incorrect.
Conclusion
While changes to the CISSP exam may cause concern for some test candidates, this change will not prevent you from passing the exam. Start by spending plenty of time studying. Consider attending a CISSP training course and reading a study guide like the CISSP Exam Cram. There are over 60,000 CISSP-certified professionals worldwide and you, too, can be successful. The key to passing the 2012 CISSP exam is knowing the material, understanding the test format, being prepared on the exam date, arriving early, and going through plenty of practice questions. The more practice questions you go through, the better!
Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge through training.
CISSP Prep Course
Certified Ethical Hacker
CISM Prep Course
Cyber Security Foundations
Visit www.globalknowledge.com or call 1-800-COURSES (1-800-268-7737) to speak with a Global
Knowledge training advisor.
About the Author
Mr. Michael Gregg is the president of Superior Solutions, Inc. (www.thesolutionfirm.com), a Houston-based IT security consulting firm. His organization performs security assessments and penetration testing for Fortune 1000 firms. Michael has authored, co-authored, or contributed to more than 15 books. Michael is frequently cited by major and trade print publications as a cyber security expert and has appeared as an expert commentator for network broadcast outlets and print publications such as FOX, CBS, NBC, ABC, CNBC, and local broadcast television. Michael has spoken at major security, technology, and educational conferences, including ISC2's Security Leadership Conference, ChicagoCon, Hacker Halted, Fusion, and others.
Michael enjoys giving back to the community through teaching and other public service activities. He focuses
on presenting topics in ways that help people understand the complex issues surrounding IT security. Michael
serves as a board member for Habitat for Humanity of Brazoria County.
