Study Guide · CISSP

CISSP Cheat Sheet

1127 entries · 62 chapters · 8 domains

Security & Risk Management

Professional Ethics

Read full chapter
  • Adherence to the ISC2 Code of Ethics is a condition of certification
  • Memorize the four Canons in order: Society, Honor, Principals, Profession
  • When Canons conflict, the lower-numbered Canon wins
  • The published Code lists the Canons in order but does not print a 'precedence' sentence
  • A principal in Canon 3 means an employer or a client
  • Canon 2 forbids dishonesty and illegality regardless of who orders it
  • Accepting work beyond your competence breaches Canon 3
  • The Code expects the highest ethical standard, not merely the legal minimum
  • Even the appearance of impropriety violates the Code
  • An ethics complaint is accepted only from someone claiming injury
  • Complaint standing follows the Canon order: public for 1-2, principals for 3, peers for 4
  • The Ethics Committee reviews; the ISC2 Board holds final disciplinary authority
  • A CISSP is bound by both the ISC2 Code and any organizational code of ethics
  • Company policy can never authorize an act that breaches a Canon
  • On 'what do you do first' ethics items, escalate and document through proper channels
  • CISSP maintenance: Group A vs B CPEs, AMF, and the grace period

Unlock with Premium — includes all practice exams and the complete study guide.

Security Concepts (CIA)

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

The five pillars are CIA plus authenticity and nonrepudiation

Information security preserves five properties: confidentiality, integrity, and availability (the CIA triad) plus authenticity and nonrepudiation. CIA is the historic core codified in U.S. law and FIPS 200; (ISC)2 adds authenticity (data is genuine and its origin verifiable) and nonrepudiation (an actor cannot deny an action) as the fourth and fifth pillars. Each is a property to preserve, so a control earns its place only by strengthening one or more of them for a defined asset.

Confidentiality preserves authorized restrictions on access and disclosure

Confidentiality is preserving authorized restrictions on information access and disclosure, explicitly including protecting personal privacy and proprietary information. It is preserved primarily by encryption (data at rest and in transit), access control, and data classification. The point is who is allowed to see the data, not whether the data is correct or reachable.

Trap Equating confidentiality with privacy, when privacy is the subset concerned specifically with personal data while confidentiality covers any restricted information.

Integrity guards against improper modification and, in the federal sense, includes authenticity and nonrepudiation

Integrity is guarding against improper information modification or destruction; the FIPS 200 wording adds that it includes ensuring information nonrepudiation and authenticity. It is preserved by hashing (detects change), digital signatures (binds change to a signer), and change/version control. That nesting is why a single digital signature can satisfy integrity, authenticity, and nonrepudiation at once.

Trap Treating integrity as only 'data isn't changed' and forgetting the FIPS 200 definition folds authenticity and nonrepudiation inside it.

2 questions test this
Availability ensures timely and reliable access to information

Availability is ensuring timely and reliable access to and use of information. It is preserved by redundancy, backups, capacity planning, and denial-of-service defense. Its distinguishing trait is that it fights loss of access, not loss of secrecy, so a perfectly encrypted backup you cannot restore in time has failed availability while still serving confidentiality.

Authenticity is the property of being genuine with verifiable origin

Authenticity is the property of being genuine and verifiable and trusted, confidence in the validity of a transmission, message, or originator. It answers 'did this truly come from the claimed source?' and is preserved by origin authentication: digital signatures, message authentication codes (MACs), certificates, and mutual authentication. Encryption alone does not provide it, because a confidential channel can still carry data from a forged sender.

Trap Assuming encryption establishes authenticity, when a confidential channel can still carry data injected by a forged or impersonated sender.

Nonrepudiation stops an actor from credibly denying an action

Nonrepudiation assures that the sender is given proof of delivery and the recipient proof of the sender's identity, so neither can later deny having processed the information. It is preserved by asymmetric digital signatures over content plus secure, tamper-evident logging and trusted timestamps. Its defining requirement is third-party verifiability: an outside arbiter can attribute the action to one party.

1 question tests this
DAD is the inverse of CIA: disclosure, alteration, destruction

The DAD triad names the failure of each CIA property: Disclosure breaks confidentiality, Alteration breaks integrity, and Destruction or denial breaks availability. It is not a separate theory but CIA read as outcomes, and it is the fastest way to classify what an incident actually broke. A leaked database is disclosure, a tampered transfer amount is alteration, and a ransomware-locked server is destruction.

Match the threatened pillar to the control whose primary effect IS that property

Control selection means naming the dominant or threatened pillar first, then choosing the control class whose primary effect is that property: confidentiality maps to encryption and access control, integrity to hashing and signatures, availability to redundancy and backups. The exam-correct answer is the control that fits the threatened pillar, not the strongest control overall. Reversing the order, picking an impressive control before identifying the pillar, is how candidates choose a mis-targeted answer.

Trap Choosing a strong control for the wrong pillar, e.g. a digital signature when the requirement is confidentiality (which needs encryption).

Encryption provides confidentiality, not authentication of the sender

Encryption protects confidentiality by making data unreadable to unauthorized parties, but on its own it proves nothing about who sent the data, which is authenticity. A TLS certificate authenticates the server, yet encrypting a payload does not authenticate the payload's origin. When a stem says data was encrypted and asks whether the recipient can trust its source, the missing piece is an origin-authentication mechanism.

Trap Assuming an encrypted message is therefore proven to come from the stated sender, conflating confidentiality with authenticity.

A MAC gives authenticity but not nonrepudiation; only a signature gives both

A message authentication code proves data came from someone holding the shared secret key, so it provides integrity and authenticity between two parties. It cannot provide nonrepudiation because both parties hold the same key and either could have produced the tag, so no third party can attribute the action to one of them. Asymmetric digital signatures, where the private key is held by exactly one party, are required for nonrepudiation.

Trap Selecting a MAC or shared-secret HMAC to satisfy a nonrepudiation requirement, when only an asymmetric signature can defeat a later denial.

Authenticity vs nonrepudiation: 'genuine source' vs 'cannot deny to a third party'

Authenticity answers whether a message genuinely came from its stated sender; nonrepudiation adds that the sender cannot later deny it to an auditor, arbiter, or court. The cue words 'deny', 'dispute', 'prove to a third party', and 'legally binding' signal nonrepudiation, whereas 'confirm the sender is genuine' signals authenticity alone. Both can be satisfied by a digital signature, so the answer hinges on which property the stem is actually demanding.

Trap Picking nonrepudiation when the stem only asks to confirm the sender is genuine, a requirement that authenticity alone satisfies.

FIPS 199 rates confidentiality, integrity, and availability independently

FIPS 199 categorizes a system by rating the potential impact of losing each objective, confidentiality, integrity, and availability, independently as LOW, MODERATE, or HIGH. Assets value the pillars unequally: a public price list needs integrity and availability but little confidentiality, while a draft merger needs confidentiality above all. Rating them separately stops you from over-protecting a pillar the asset does not need.

5 questions test this
Impact levels: LOW is limited, MODERATE is serious, HIGH is severe or catastrophic

FIPS 199 grades each objective's potential impact by the magnitude of adverse effect on operations, assets, or individuals: LOW is a limited adverse effect, MODERATE is a serious adverse effect, and HIGH is a severe or catastrophic adverse effect. These three levels, applied per pillar, are what later drive the strength of the control baseline.

1 question tests this
High-water-mark: a system's overall impact is the highest of its three ratings

Under the FIPS 199 high-water-mark rule, the overall impact level of a system equals the highest of its confidentiality, integrity, and availability impact ratings. A system rated (LOW, LOW, HIGH) is a HIGH-impact system overall and selects controls accordingly. This is why an asset whose availability alone is critical still inherits a strong baseline even if its confidentiality need is trivial.

Trap Averaging the three impact ratings instead of taking the maximum, which understates the required baseline.

3 questions test this
Pillars are weighed and traded off, not all maximized at once

Strengthening one pillar routinely costs another: mandatory signing and immutable logs (integrity) can slow availability, heavy encryption and tight access (confidentiality) can impede legitimate users' availability, and wide replication for availability enlarges the surface confidentiality must defend. A security leader sets each pillar's target to the asset's real impact rating and accepts the residual trade-off deliberately, rather than turning every dial to maximum.

Trap Assuming all three pillars should be maximized for every asset, ignoring that raising one pillar routinely degrades another.

First identify the asset's value and dominant pillar, then select a control

When a stem asks for the FIRST or BEST step to protect an asset, the manager-altitude answer is to determine the asset's value and which pillar it most needs, that is, categorize impact, before choosing any technology. Jumping to a specific mechanism before the impact is understood is the classic distractor. Identify the dominant pillar and its impact level first; the control follows from that.

Trap Picking a specific technology as the FIRST step before the asset's value and dominant pillar have been determined.

Security Governance

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Governance directs and oversees; management executes

Security governance is the leadership system that sets direction and accountability: it fixes the risk appetite, assigns authority, approves policy, and oversees results. Management is the separate function that plans, builds, and runs the controls within that direction. COBIT draws the line explicitly, placing governance in the Evaluate-Direct-Monitor (EDM) domain at the board level and management in the Plan-Build-Run-Monitor domains. Classify an act by the kind of decision (direct/oversee versus operate), not by the seniority of who performed it.

Trap Treating an operational act as governance because a senior executive performed it: governance is defined by directing and overseeing, not by rank.

1 question tests this
Security strategy must align to business strategy and mission

Governance's first job is alignment: the security function's goals, objectives, and mission must trace back to the organization's business strategy, mission, and risk appetite. A control or program with no line to a business objective is misallocated spend even if it is technically excellent, and a program that blocks legitimate business has failed at governance. This is also why winning management support starts with demonstrating business value, not technical sophistication.

Trap Basing security strategy on the latest threat or newest technology rather than on the business mission, objectives, and risk appetite.

1 question tests this
Senior management owns the program and is ultimately accountable

The board and senior management are ultimately accountable for the security program: they set risk appetite, approve strategy and policy, fund the program, and formally accept residual risk. They delegate the work but never the accountability. Senior-leadership ownership and sign-off are what make a security strategy authoritative and funded rather than a wish list from the security team.

Trap Assuming the CISO or security team, rather than senior/executive management, holds ultimate accountability for the program.

2 questions test this
Accountability cannot be delegated; responsibility can

The governing rule of the role chain is that you can hand down the responsibility to perform work but never the accountability for the outcome. A data owner stays accountable for data classification even when an IT custodian implements the controls, and senior management stays accountable for the program even when teams operate it. The same holds for outsourcing: you can transfer the work and the operational responsibility to a third party, but the accountability remains yours.

Trap Believing that outsourcing a function to a vendor transfers accountability: only the work and responsibility move; accountability stays with the organization.

Data owner classifies and sets requirements; custodian implements them

The data (information) owner is a senior business official who classifies data and defines its protection and access requirements, and is accountable for it. The data custodian, usually IT/operations, implements and maintains those protections (backups, access enforcement, patching) and is responsible for day-to-day care, not for the classification decision. The system owner operates a specific system within the owner's requirements. When a stem asks who is accountable, name the owner; who implements, name the custodian.

Trap Naming the custodian (IT) as accountable for the data: the custodian only implements; the business data owner is accountable and sets the requirements.

1 question tests this
Mergers, acquisitions, and divestitures are governance triggers

Acquisitions, mergers, and divestitures each force a governance review because each reshapes assets, obligations, and risk posture. Before an acquisition, perform security due diligence on the target so you inherit its risk knowingly; after, integrate its assets under your policy. On a divestiture, revoke access, separate or sanitize data, and unwind shared obligations cleanly. Governance committees are the venue where leadership reviews and approves these decisions.

Trap Skipping security due diligence on an acquisition target and treating the deal as purely a financial and legal matter, so its inherited risks surface only after close.

Governance committees are where oversight actually happens

Standing bodies (a security steering committee plus board-level oversight) are the organizational structures where leadership reviews risk, approves strategy and policy, allocates resources, and holds the program accountable. They turn governance from an abstract responsibility into a recurring, documented process, and they are the answer when a stem asks where strategy and policy get ratified or how the board exercises oversight.

Trap Expecting a steering committee to perform operational security work rather than to set direction, approve policy, and oversee the program.

NIST CSF 2.0 added Govern as a sixth, cross-cutting function

The NIST Cybersecurity Framework 2.0 (2024) is organized around six Functions: Govern, Identify, Protect, Detect, Respond, Recover, where Govern was newly added in version 2.0. Govern establishes and monitors the organization's risk-management strategy, expectations, and policy, and it informs how the other five functions are prioritized and carried out. CSF is a voluntary outcomes framework for communicating and organizing risk, not a control catalog and not certifiable.

Trap Listing only the original five functions (Identify, Protect, Detect, Respond, Recover) and omitting Govern, which CSF 2.0 added as the sixth.

2 questions test this
ISO/IEC 27001 is certifiable; ISO/IEC 27002 is control guidance

ISO/IEC 27001 specifies the requirements for an Information Security Management System (ISMS) and is the standard an organization actually certifies against. ISO/IEC 27002 is its companion code of practice that gives implementation guidance for selecting and applying the controls, and is not certifiable on its own. When a stem says "certify our ISMS," the answer is 27001; 27002 is the trap.

Trap Choosing ISO/IEC 27002 when the requirement is to certify a management system: 27002 is guidance only; you certify against 27001.

3 questions test this
NIST RMF and SP 800-53 underpin US federal authorization

The NIST Risk Management Framework (SP 800-37) provides the seven-step risk lifecycle: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor, and SP 800-53 supplies the control catalog and baselines it draws from. Together they are the mandatory basis for authorizing a U.S. federal information system to operate (the ATO). CSF organizes outcomes; SP 800-53 supplies the actual controls.

Trap Confusing NIST CSF (an outcomes/communication framework) with SP 800-53 (the control catalog): CSF does not enumerate the controls.

FedRAMP standardizes cloud authorization on SP 800-53

FedRAMP provides a standardized, government-wide approach to security assessment and authorization for cloud services used by U.S. federal agencies, built on NIST SP 800-53 baselines selected by impact level (low/moderate/high). Its value is reuse: one authorization package can be accepted by many agencies, instead of each agency reassessing the same cloud service. Reach for FedRAMP specifically when the obligation is a cloud service serving federal agencies.

Trap Reaching for FedRAMP to authorize a federal on-premises system, when FedRAMP applies specifically to cloud services and a non-cloud system runs on plain RMF and SP 800-53.

3 questions test this
COBIT governs all of enterprise IT and separates govern from manage

COBIT (ISACA) is a framework for the governance and management of enterprise information and technology, with 40 governance and management objectives across five domains. Its defining principle is separating governance (the EDM domain: Evaluate, Direct, Monitor) from management (APO, BAI, DSS, MEA). Choose COBIT when the obligation is to govern enterprise IT end to end, especially when a stem stresses distinguishing governance responsibilities from management responsibilities.

Trap Picking COBIT when the obligation is a certifiable ISMS or a concrete control catalog, when COBIT is a governance framework rather than ISO/IEC 27001 or SP 800-53.

1 question tests this
SABSA traces security architecture to business risk

SABSA is a business-driven, risk- and opportunity-led methodology for enterprise security architecture. Every architectural decision is traceable back to a business requirement, so the program is justified by business need rather than technology. Reach for SABSA when the stem asks for a framework that ties security architecture to business risk and drivers, as opposed to a control catalog or a certifiable management system.

Trap Picking TOGAF for security architecture traceable to business risk, when TOGAF is a general enterprise-architecture framework and SABSA is the security-specific, risk-driven one.

1 question tests this
Pick the control framework by obligation, not preference

Control frameworks are not interchangeable; match the framework to the named obligation. Cardholder data points to PCI DSS; a U.S. federal system ATO to NIST RMF/SP 800-53 and, for cloud, FedRAMP; a certifiable ISMS to ISO/IEC 27001; end-to-end IT governance to COBIT; business-traceable architecture to SABSA; and communicating risk outcomes across six functions to NIST CSF 2.0. The wrong answer is usually the most familiar framework rather than the one the obligation requires.

Due diligence is investigating risk; due care is acting on it

Due diligence is doing your homework: investigating and understanding the risk, such as assessing a vendor or researching legal obligations. Due care is acting on that knowledge to the prudent-person standard: implementing reasonable controls and maintaining them over time. Diligence is knowing; care is doing. Both are the governance evidence that an organization behaved reasonably, and failing either can amount to negligence.

Trap Swapping the two: calling ongoing operation of a control "due diligence" when continuing maintenance is due care, and the upfront investigation is due diligence.

1 question tests this
The prudent-person standard defines what "reasonable" means

Due care is measured against the prudent-person (reasonable-person) standard: would a careful, sensible person in a similar role have taken the same protective action. It sets the bar for what counts as reasonable security and is the yardstick courts and regulators apply when judging whether an organization was negligent. Governance demonstrates the standard by documenting that controls were both selected (care) and chosen after investigation (diligence).

Trap Reading the prudent-person standard as a demand for perfect or maximum security, when it asks only for what a reasonable person in a similar role would do.

Investigation Types

Read full chapter
  • Classify the investigation type before touching evidence
  • There are exactly five investigation types: administrative, criminal, civil, regulatory, industry-standards
  • Administrative investigations use the lowest bar: internal management judgment
  • Civil cases are decided on a preponderance of the evidence
  • Criminal cases require proof beyond a reasonable doubt, the highest standard
  • The standard of proof rises with what the subject stands to lose
  • Regulatory and industry-standards investigations sit at agency- or framework-defined levels, not a new higher bar
  • PCI DSS is the industry-standards example, not a government regulation
  • Chain of custody is the unbroken documented record proving evidence was not altered
  • Chain-of-custody rigor scales with the standard of proof; criminal is strictest
  • Preserve evidence to the highest standard that might plausibly apply
  • Employers gain search authority through acceptable-use policy and warning banners, not a warrant
  • When an incident may be a crime, preserve evidence and involve counsel before remediating
  • Forensic technique is shared across types; only the legal process differs
  • Civil parties exchange evidence through discovery, not seizure
  • The five types are not mutually exclusive and can run in parallel
  • Acquire forensic evidence with a write blocker and verify with a hash

Unlock with Premium — includes all practice exams and the complete study guide.

Security Documentation

Read full chapter
  • Standards, baselines, and procedures are mandatory; only guidelines are discretionary
  • Policy is high-level and technology-neutral: it states what and why, never how
  • A standard mandates uniform use of a specific technology or parameter
  • A baseline is the mandatory minimum configuration a system must meet
  • A procedure is the mandatory, ordered step-by-step that implements a standard
  • A guideline recommends with should, not must
  • The documents derive top-down: policy first, then standard/baseline, then procedure
  • Specificity is altitude; obligation is force, and they are independent
  • NIST sorts policy into program, issue-specific, and system-specific types
  • Issue-specific policy must be reviewed regularly because technology changes
  • Program policy covers purpose, scope, responsibilities, and compliance
  • High-level policy authorizes a compliance structure rather than listing every penalty
  • Organizational standard means internal, not a FIPS or ISO standard
  • A bundled security manual still classifies statement by statement
  • CIS Benchmarks and DISA STIGs are the standard hardening baselines
  • A baseline configuration changes only through change control and is held by continuous monitoring

Unlock with Premium — includes all practice exams and the complete study guide.

Business Continuity Requirements

Read full chapter
  • The BIA is the first step of continuity planning, before any recovery choice
  • The BIA has three ordered steps: criticality, resources, then priorities
  • MTD is a business tolerance set by leadership, not an IT number
  • RTO is the maximum time a resource may be unavailable, derived to stay under MTD
  • RPO is the maximum tolerable data loss, measured backward to the last good backup
  • RTO measures time-to-restore; RPO measures data loss. Never swap them
  • MTD = RTO + WRT, so RTO must be shorter than the MTD
  • Work Recovery Time is the catch-up phase after the system is back
  • The BIA must map external dependencies, not just internal components
  • An external continuity dependency becomes an SLA requirement
  • Shorter RTOs cost disproportionately more, so balance recovery cost against downtime cost
  • Conduct the BIA in the Initiation phase and revisit it as the system changes
  • FIPS 199 impact level feeds BIA recovery priority
  • COOP Mission Essential Functions carry a hard 12-hour MTD
  • BIA outputs are requirements; recovery strategy and DR testing are downstream

Unlock with Premium — includes all practice exams and the complete study guide.

Personnel Security

Read full chapter
  • Personnel security manages trust across the whole employment lifecycle
  • Screening depth follows the position's risk designation, not a flat standard
  • Screen the candidate before authorizing access, never after
  • Access agreements are signed before access is granted
  • The hiring order is fixed: designate risk, screen, sign agreements, then grant
  • On termination, run the PS-4 checklist immediately: disable, revoke, exit interview, retrieve
  • The exit interview reminds the departing employee of continuing NDA obligations
  • For a for-cause termination, disable access before notifying the person
  • Treat a transfer as re-onboarding to stop privilege creep
  • Separation of duties stops fraud that would otherwise need no collusion
  • Whoever administers access control must not also administer the audit logs
  • Mandatory vacation and job rotation detect fraud by trusted insiders
  • Contractors and consultants are bound to your personnel security through the contract
  • Personnel control of a contractor is distinct from supply-chain risk of the supplier
  • Personnel sanctions must run through a formal, documented process
  • Background-check scope is bounded by law and privacy, not just by role risk

Unlock with Premium — includes all practice exams and the complete study guide.

Risk Management

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Risk is likelihood times impact on a paired threat and vulnerability

Risk is the likelihood that a specific threat exploits a specific vulnerability, multiplied by the resulting impact. A vulnerability with no credible threat, or a threat with no exploitable weakness, carries no risk, which is why risk is always assessed on the threat-vulnerability pair rather than on a weakness alone. NIST frames it as a function of the likelihood of an event and the adverse impact if it occurs.

Trap Treating a discovered vulnerability as a risk on its own, without asking whether any threat can credibly exploit it.

Single Loss Expectancy is asset value times exposure factor

SLE is the money lost in one occurrence of a risk event, computed as SLE = AV x EF, where AV is the asset's value and EF is the fraction of that value destroyed in a single event (a percentage). For example a $200,000 asset with a 25% exposure factor has an SLE of $50,000. EF is expressed as a decimal in the formula, so 25% becomes 0.25.

Trap Reading the exposure factor as a flat dollar loss instead of a percentage of asset value, which inflates SLE.

1 question tests this
Annualized Loss Expectancy is SLE times the annual rate of occurrence

ALE is the expected yearly loss from a risk, computed as ALE = SLE x ARO, where ARO is the expected number of occurrences per year. It is the single number that justifies safeguard spend: a control is cost-effective only when its annual cost is below the ALE reduction it produces. ARO can be fractional (a once-in-ten-years event has an ARO of 0.1).

Trap Confusing SLE (loss from one event) with ALE (loss per year) when a stem asks for annual exposure.

1 question tests this
Fund a safeguard only when its cost is below the ALE it removes

A control is justified when its annual cost is less than the reduction in Annualized Loss Expectancy it delivers; you compare ALE-before minus ALE-after against the control's yearly cost. Spending more to mitigate than the risk is worth is itself a risk-management failure, even if the control is technically the most secure option. This cost-benefit test is what turns quantitative analysis into a budget decision.

Trap Selecting the most secure control regardless of cost, when a cheaper option already drives ALE below the control's price.

3 questions test this
Quantitative analysis yields dollars; qualitative yields ranked bands

Quantitative analysis assigns monetary values (SLE, ALE) and needs reliable asset values and event frequencies, producing figures you can compare directly against control costs. Qualitative analysis rates likelihood and impact on ordinal bands plotted on a risk matrix; it is fast and needs no hard loss data but its outputs cannot be summed or expressed in money. Choose quantitative when spend must be defended in dollars, qualitative when data is scarce.

Trap Claiming qualitative analysis produces a dollar figure, when it only produces relative low/medium/high ratings.

Hybrid analysis triages qualitatively, then quantifies the top risks

A hybrid (semi-quantitative) approach ranks the whole risk register with fast qualitative bands, then spends the effort of a full quantitative model only on the few risks that justify it. This balances the speed of qualitative against the precision of quantitative and is the common real-world choice for a large register. It avoids both the paralysis of quantifying everything and the imprecision of quantifying nothing.

Trap Assuming a hybrid approach must produce dollar figures for every risk, when it reserves the full quantitative model for only the top-ranked few.

Every risk gets one primary response: avoid, transfer, mitigate, or accept

After analysis, each risk is treated with one primary response. Avoid eliminates the risk by stopping the activity; transfer (share) shifts the financial impact to a third party; mitigate (reduce) applies controls to lower likelihood or impact; accept knowingly retains the residual risk because treatment costs more than the exposure. Mitigate is the most common and the only response that uses the safeguard-cost-versus-ALE math.

Trap Treating mitigate as if it eliminates the risk, when only avoid removes it and mitigation merely lowers likelihood or impact.

5 questions test this
Insurance transfers the cost of a loss, it does not avoid the risk

Buying cyber-insurance or signing a contractual indemnity is risk transfer (sharing): it shifts the financial consequence to a third party but the incident still happens to you, and you keep the reputational and legal fallout. Risk avoidance is different: it means not doing the risky activity at all, so the risk cannot occur. Transfer moves cost; avoidance removes the activity.

Trap Labeling cyber-insurance as risk avoidance; insurance only moves the financial impact, so it is transfer.

3 questions test this
Residual risk must be formally accepted by senior management

Residual risk is what remains after a control is applied, conceptually total risk minus the portion the control removes. The owning senior or executive management must formally accept it; the security team, analyst, or IT operations cannot accept risk on the business's behalf. This formal acceptance is the same act the NIST RMF calls Authorize.

Trap Having a security engineer or analyst accept residual risk, when acceptance is a business-owner authority.

5 questions test this
Doing nothing about a known risk is rejection, not acceptance

Risk acceptance is a deliberate, documented management decision to retain a risk after weighing the cost of treatment. Silently ignoring a known risk is risk rejection, which is explicitly not a legitimate response and is indefensible if the risk materializes. The difference is documentation and authority: acceptance is signed off, rejection is neglect.

Trap Treating an organization that ignores a documented risk as having accepted it, when unowned inaction is rejection.

Classify controls by category and by type at the same time

Controls have a category describing how they are implemented (administrative/managerial, technical/logical, physical) and a type describing what they do relative to an event (preventive, detective, corrective, deterrent, recovery, directive, compensating). A single control can hold one category and several types, so a question asking you to classify a control usually wants both axes named. For instance an audit log is a technical control that is primarily detective.

Trap Answering a control's category (technical, physical, administrative) when the stem is asking for its type (preventive, detective, corrective), or vice versa.

A compensating control substitutes when the primary control is infeasible

A compensating control is an alternative safeguard used when the intended primary control cannot be implemented, providing comparable protection by another means. It is the answer when a stem says a required control is impractical (cost, legacy system, business constraint) yet the risk must still be addressed. PCI DSS, for example, allows documented compensating controls in place of a specific requirement.

Trap Calling any backup or secondary control compensating; the term specifically means a substitute for an infeasible required control.

The NIST RMF runs seven steps and loops back to monitoring

The NIST Risk Management Framework (SP 800-37 Rev. 2) is a seven-step system lifecycle: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor. Categorize sizes the system's impact, Select chooses SP 800-53 controls, Authorize is senior-official sign-off to operate, and Monitor feeds findings back into the cycle for continuous improvement. The order is testable, so memorize the sequence.

Trap Placing Select or Implement before Categorize, when categorization of system impact must come first to drive control selection.

1 question tests this
SP 800-30 is the assessment guide; SP 800-37 is the management framework

NIST SP 800-30 Rev. 1 is the Guide for Conducting Risk Assessments and defines the assessment methodology (prepare, conduct, communicate, maintain) across three tiers: organization, mission/business process, and information system. NIST SP 800-37 is the broader Risk Management Framework that wraps assessment inside a full system lifecycle. A stem about how to assess risk points to 800-30; one about the end-to-end governance lifecycle points to 800-37.

Trap Citing SP 800-37 for the risk-assessment methodology, when 800-30 is the assessment guide and 800-37 is the broader lifecycle framework.

NIST CSF 2.0 added Govern to make six functions

The NIST Cybersecurity Framework is organized around functions; version 2.0 added Govern, giving six: Govern, Identify, Protect, Detect, Respond, Recover. Govern was elevated to make risk governance and organizational context a first-class function alongside the operational ones. CSF is a voluntary, outcome-based framework, distinct from the RMF's prescriptive control lifecycle.

Trap Listing only the original five CSF functions (Identify, Protect, Detect, Respond, Recover) and omitting Govern, which CSF 2.0 added.

ISO/IEC 27005 is the international information-security risk standard

ISO/IEC 27005 provides guidance on managing information-security risk and complements an ISO/IEC 27001 information security management system (ISMS). Where 27001 specifies the ISMS requirements and 27002 lists control guidance, 27005 governs the risk-management process within that system. It is the standards-based alternative to the NIST publications for organizations aligned to ISO.

Trap Picking ISO/IEC 27001 or 27002 as the risk-management standard, when 27001 specifies the ISMS and 27002 lists controls, leaving 27005 for the risk process.

A KRI signals rising exposure; a KPI measures performance

A Key Risk Indicator is a leading metric that warns of increasing risk exposure before a loss occurs, such as the percentage of systems past their patch deadline. A Key Performance Indicator is a lagging metric of how well a control or process is performing, such as mean time to detect. A stem describing an early-warning signal wants KRI; one describing how effective a control already is wants KPI.

Trap Calling a backward-looking performance measure a KRI; an early-warning exposure metric is the KRI, the performance measure is the KPI.

7 questions test this
Assess the risk before selecting any control

When a newly discovered risk asks what to do first, the answer is to assess and analyze it before buying or deploying any safeguard, because you cannot rationally treat a risk you have not sized. Jumping straight to a control skips the analysis that tells you whether the control is even cost-justified or correctly targeted. Identify and analyze, then respond.

Trap Choosing to deploy a specific control as the first action, before the risk has been assessed and prioritized.

Risk maturity models chart the climb from ad-hoc to optimized

A risk maturity model describes an organization's progression from ad-hoc, reactive risk handling through defined and managed stages to an optimized, metrics-driven program. It frames continuous improvement as moving up maturity levels rather than treating each risk in isolation. Higher maturity means risk decisions are consistent, measured, and integrated into governance rather than improvised per incident.

1 question tests this
The asset owner is accountable even when a custodian operates the control

Accountability for a risk and its asset rests with the owner, typically senior or business management, even when a custodian or third party operates the safeguard day to day. Operating a control or processing data does not transfer accountability; responsibility for daily handling can be delegated, but accountability cannot. This is why residual-risk acceptance is an owner decision.

Trap Assuming a managed-service provider or IT custodian becomes accountable for the risk because it runs the control.

Defense-in-depth layers diverse controls because no single control suffices

Defense-in-depth integrates people, technology, and operations into multiple overlapping layers so that if one control fails or is bypassed, others still protect the asset - the core rationale being that no single mechanism stops every threat. Strength comes from heterogeneity (e.g., firewalls from different vendors) and segmentation (network zones/conduits or micro-segmentation) that limit lateral movement and align with zero-trust principles.

Trap Stacking several copies of the same vendor's product is not true defense-in-depth; one shared flaw defeats every identical layer at once.

5 questions test this
Risk appetite is set by the board; risk tolerance is the operational threshold

Senior leadership/the board declares the enterprise risk appetite - the broad amount of risk it is willing to pursue - and management translates it into risk tolerance: specific, often quantitative thresholds for business processes. A residual risk (computed as probability times impact after controls) is acceptable when it falls within the established appetite/tolerance; otherwise further treatment is required.

Trap Risk appetite is the high-level, strategic statement; risk tolerance is the measurable operational limit derived from it - they are not interchangeable.

3 questions test this

Threat Modeling

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Threat modeling is risk assessment done during design, not after deployment

Threat modeling is a form of risk assessment that models the attack and defense sides of an entity (data, application, host, system, or environment) to spend limited security resources where they reduce the most risk (NIST SP 800-154). It pays off because a design flaw found on a diagram is far cheaper to fix than the same flaw found in production. It is proactive and iterative, revisited whenever the architecture, data, or threat landscape changes.

Trap Treating threat modeling as a post-deployment or one-time activity done during penetration testing. Its value is during design, and the model must be kept current.

Every threat-modeling method answers the same four questions

Regardless of methodology, threat modeling answers four questions: what are we working on, what can go wrong, what are we going to do about it, and did we do a good enough job. The acronyms (STRIDE, PASTA, DREAD) are just disciplined ways to answer 'what can go wrong' and rank the answers. Keeping the four questions in mind prevents mistaking a tool for the whole process.

Trap Treating an acronym like STRIDE or DREAD as the entire threat-modeling process rather than as one disciplined way to answer the 'what can go wrong' question.

Threats concentrate at trust boundaries on a data-flow diagram

A data-flow diagram (DFD) models external entities, processes, data stores, and the data flows between them; a trust boundary is the line where the level of trust changes, such as between the internet and an internal service. Threats cluster at trust boundaries because that is where an attacker crosses from a less-trusted to a more-trusted context, so data crossing a boundary is scrutinized first. Decomposing the system this way (not any acronym) is what turns vague worry into an enumerable list of threats.

Trap Assuming an acronym like STRIDE is what decomposes the system, when it is the DFD and its trust boundaries that produce the enumerable list of threats the acronym then categorizes.

3 questions test this
An attack vector is the path or means used to reach and exploit a target

On the attack side, a vulnerability is a weakness, an exploit is the technique that takes advantage of it, and an attack vector is the path or means an attacker uses to reach the target and deliver the exploit. NIST SP 800-154's data-centric method works by selecting which attack vectors to include, then characterizing controls that mitigate those vectors. Distinguishing the vector (the route) from the vulnerability (the weakness) and the threat (the potential) is core threat-modeling vocabulary.

Trap Confusing the attack vector (the route used to reach a target) with the vulnerability (the weakness itself) or the exploit (the technique that takes advantage of the weakness).

Pick a threat-modeling methodology by its center of gravity

Methodologies differ by what they put at the center of the analysis: STRIDE is threat-centric (per DFD element), PASTA is risk- and attacker-centric (business-aligned), attack trees are goal-centric (one objective), and DREAD is a rating model rather than an enumeration. The data-centric method of NIST SP 800-154 puts high-value data at the center and works outward to its attack vectors. There is no single right choice: pick by whether you need coverage, business alignment, or protection of a specific crown-jewel asset.

Trap Matching the methodology to the wrong center of gravity, such as treating STRIDE as business-risk-centric or PASTA as a per-element checklist, when STRIDE is threat-centric and PASTA is risk- and attacker-centric.

Each STRIDE category is the violation of one security property

STRIDE (Microsoft) names six threat categories, each defeating exactly one property: Spoofing defeats authentication, Tampering defeats integrity, Repudiation defeats non-repudiation, Information disclosure defeats confidentiality, Denial of service defeats availability, and Elevation of privilege defeats authorization. The mapping is bidirectional: if a design must guarantee integrity, STRIDE says Tampering is the threat and a hash or signature is the countermeasure. STRIDE gives systematic coverage but says what can go wrong, not how likely or how severe.

Trap Calling unauthorized modification of data 'information disclosure'. Modification is Tampering (integrity); information disclosure is reading data you should not (confidentiality).

Tampering is unauthorized change; information disclosure is unauthorized read

Within STRIDE the two most-confused categories are Tampering and Information disclosure. Tampering is the malicious modification of data and violates integrity; Information disclosure is exposing data to someone not authorized to see it and violates confidentiality. Anchor on the verb in the stem: change/modify points to Tampering, read/expose points to Information disclosure.

Trap Labeling the unauthorized reading or exposure of data as Tampering, when reading points to Information disclosure (confidentiality) and only modification is Tampering (integrity).

2 questions test this
Repudiation is countered by logging and signatures, not by encryption

Repudiation is a user denying an action with no way to prove otherwise; it violates non-repudiation (accountability). The countermeasures are secure audit logging and digital signatures that bind an action to an identity, because they create the evidence that defeats a later denial. Encryption protects confidentiality, not accountability, so it does not address repudiation.

Trap Picking encryption as the countermeasure to repudiation, when encryption protects confidentiality and it is audit logging plus digital signatures that provide the accountability evidence.

1 question tests this
PASTA is a seven-stage, risk-centric methodology tied to business impact

PASTA (Process for Attack Simulation and Threat Analysis) is a heavier, seven-stage methodology that starts from business objectives and carries each technical threat through to its business impact, and it is attacker-centric in that it simulates a realistic adversary. Reach for PASTA when leadership needs threats expressed as business risk rather than a list of technical issues. The cost is that it needs business context and far more effort than a single STRIDE pass.

Trap Choosing PASTA when you only need quick per-component coverage during design. That is STRIDE's job; PASTA's weight is justified only when business-risk alignment matters.

An attack tree decomposes one attacker goal into the paths to reach it

An attack tree is goal-centric: the attacker's objective is the root and branches decompose it into the alternative sub-goals and steps needed to achieve it, often with AND/OR logic showing which steps must combine. Use it when you must understand every path to one specific objective in depth. Its scope is that single goal, not the whole system, so it complements rather than replaces a system-wide method like STRIDE.

Trap Expecting an attack tree to give system-wide threat coverage, when its scope is one specific attacker goal and a method like STRIDE is what covers the whole system.

4 questions test this
DREAD ranks threats you already found; it does not discover them

DREAD is a rating model, not an enumeration method: its five factors are Damage, Reproducibility, Exploitability, Affected users, and Discoverability, scored and combined into a relative priority so the costliest threats are mitigated first. It needs another method (STRIDE, PASTA) to find the threats first. Its known weakness is that scores are subjective and inconsistent between raters, which is why many teams replaced it with a simpler high/medium/low scheme.

Trap Picking DREAD when a stem asks how to enumerate or discover threats. DREAD only rates, so a discovery question wants STRIDE or PASTA.

1 question tests this
DREAD produces a relative priority, not an objective risk measurement

DREAD's output is a relative ranking derived from subjective scores, not a precise or objective measure of risk. Different raters score the same threat differently, so its reliability is limited. The defensible claim is that DREAD prioritizes threats; calling it an objective or precise risk metric is wrong.

Trap Treating a DREAD score as an objective or precise risk measurement, when its rater-dependent scores yield only a relative ranking for prioritization.

TTPs describe how an adversary operates; IOCs are the artifacts left behind

Tactics, techniques, and procedures (TTPs) describe how an adversary operates: tactics are the goals (why), techniques are the methods (how), procedures are the specific implementations. Indicators of compromise (IOCs) are observable artifacts an attack leaves, such as malicious IPs, file hashes, and domains. Hunting on TTPs is more durable than hunting on IOCs because an attacker can swap a hash or IP far more easily than change how they operate.

Trap Treating IOCs as the more durable detection signal. IOCs are trivially changed by the attacker, so behavior-based TTPs are the more resilient basis for detection.

1 question tests this
The Cyber Kill Chain models an intrusion as seven sequential phases

The Lockheed Martin Cyber Kill Chain breaks an intrusion into seven sequential phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. Its value is that placing a control to break the chain at the earliest phase is cheaper than responding at Actions on Objectives. Its limitation is that it is linear and perimeter-oriented, fitting classic malware intrusions better than insider abuse or fast lateral movement.

Trap Assuming the linear, perimeter-oriented Cyber Kill Chain models insider abuse or fast lateral movement well, when those scenarios fit it poorly and are better reasoned about with a matrix like ATT&CK.

MITRE ATT&CK is a matrix knowledge base of real-world adversary behavior

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, organized as a matrix where tactics are columns (adversary goals like Initial Access, Persistence, Privilege Escalation) and many techniques and sub-techniques sit under each. It supplies realistic TTPs to test a threat model against and serves as a common language for mapping detections and gaps. Use the kill chain to reason about where in the lifecycle to place a control, and ATT&CK to reason about which concrete techniques the control must counter.

Trap Calling MITRE ATT&CK a linear chain or the Cyber Kill Chain a technique catalog. ATT&CK is a matrix of techniques, the kill chain is a linear lifecycle.

Threat-model during design, before code is written

Threat modeling delivers the most value during the design phase, before code exists, because flaws are cheapest to fix on a diagram. Testing (penetration testing, code review, scanning) validates the model against the real system but does not replace it. Because the attack and defense sides change, the model is a living artifact that is revisited as the system and threat landscape evolve.

Trap Assuming penetration testing or code review can replace threat modeling, when those activities validate the model against the running system but do not substitute for design-phase modeling.

Threat modeling identifies and prioritizes; it does not compute dollar loss

Threat modeling enumerates and ranks what can go wrong; it does not produce SLE/ALE dollar figures. Quantitative loss math belongs to the risk-management process, which consumes the threat model as an input. A threat model is also one activity within a secure development lifecycle, not a substitute for secure coding, testing, or the full SDLC.

Trap Expecting a threat model to output SLE/ALE dollar figures, when quantitative loss math belongs to the risk-management process that consumes the threat model as an input.

NIST data-centric threat modeling runs four steps from data to controls

NIST SP 800-154's data-centric method has four steps: identify and characterize the system and data of interest, identify and select the attack vectors to include, characterize the security controls that mitigate those vectors, and analyze the threat model. It puts high-value data at the center, so it is the method to reach for when protecting a specific crown-jewel asset rather than a whole system. It is meant to supplement, not replace, existing methodologies.

Trap Reaching for the NIST SP 800-154 data-centric method to model a whole system broadly, when it is purpose-built to center on a specific high-value data asset and is meant to supplement existing methodologies.

DREAD rates five factors to prioritize a threat

DREAD scores a threat on five factors - Damage, Reproducibility, Exploitability, Affected users, and Discoverability - and combines them into an overall priority. Microsoft's original model rated each factor on a small scale and summed them; a widely used later variant rates each 1-10 and averages them (sum of the five divided by five) for a 1-10 score, so the exact combining method varies by source. Damage = severity of harm, Reproducibility = how reliably the attack works, Exploitability = effort/skill to pull it off, Affected users = scope of impact, and Discoverability = how easily the flaw is found, which is often rated high since any flaw is assumed to be discoverable eventually.

7 questions test this

Supply Chain Risk

Read full chapter
  • You inherit your suppliers' risk the moment you deploy what you bought
  • Cite NIST SP 800-161 as the authoritative C-SCRM reference
  • Counterfeit, tampering, and malicious implants are the core acquisition risks
  • Perimeter controls miss supply-chain threats because they ship inside trusted components
  • Assess a supplier before you commit, but never treat it as a one-time gate
  • Continuous monitoring catches a supplier whose risk rises after you bought
  • The contract is your only enforceable leverage over a third party
  • Minimum security requirements set the baseline controls a supplier must meet
  • For SCRM, SLAs are security obligations with deadlines, not just uptime
  • Flow-down clauses push your requirements onto the supplier's sub-suppliers
  • A right-to-audit clause lets you verify compliance instead of trusting it
  • An SBOM is a machine-readable list of the components inside software
  • Know the seven NTIA SBOM data fields and the three standard formats
  • An SBOM gives transparency, not protection
  • A hardware root of trust anchors integrity that misbehaves silently if it fails
  • A silicon root of trust is the technical answer to firmware tampering and implants
  • A PUF gives each chip an unclonable fingerprint to fight counterfeiting
  • SCRM owns the supplier relationship; neighbors own staff and code testing
  • Prefer a SOC 2 Type 2 report and read its system-description scope
  • Know counterfeit component types and non-destructive detection methods

Unlock with Premium — includes all practice exams and the complete study guide.

Security Awareness

Read full chapter
  • Awareness, training, and education are three rungs of one ladder: what, how, why
  • Awareness is recognition for everyone; training is competency for a role
  • Education is the professional, multidisciplinary rung the CISSP itself represents
  • SP 800-50 Rev 1 (2024) folds the three terms into one learning continuum
  • An awareness program is a managed, repeating life cycle, not a one-time deck
  • Review content periodically and refresh it for emerging tech and threats
  • Measure behavior change and outcomes, never attendance alone
  • Phishing report rate and click-rate trend are the canonical effectiveness signals
  • Click-through and report rates need context, not a bare percentage
  • Quantitative measurements give numbers; qualitative explain why
  • Test knowledge before, immediately after, and ~3 months later to gauge retention
  • Role-based training tailors content to a role's specific duties and threats
  • Phishing simulations are experiential learning, not the live-incident response
  • Gamification is an engagement technique, never the objective
  • Security champions embed advocacy to scale culture into business units
  • "Champion" means two different things: executive sponsor vs embedded peer
  • Deliver baseline awareness at onboarding before users touch sensitive systems
  • The program should drive behavior change toward a security culture, not mere compliance
  • Social-engineering placement depends on context: training topic vs active attack

Unlock with Premium — includes all practice exams and the complete study guide.

Asset Security

Data Classification

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Classify data so protection is proportional to the harm its compromise would cause

Data classification ranks each information type by the impact of losing its confidentiality, integrity, or availability, then lets that label drive every downstream control: access, storage, transmission, marking, retention, and destruction. The purpose is proportionality: you cannot protect everything to the maximum, so grading once turns an open-ended "how hard should we protect this?" into a policy lookup. A classification with no defined handling rules per level protects nothing: the label must map to required controls to be useful.

Sensitivity and criticality are separate axes: judge the one the loss event threatens

Sensitivity measures the harm from unauthorized disclosure or modification (a confidentiality/integrity concern); criticality measures the harm from the data or system being unavailable when needed (an availability concern). They do not move together: a public price list is low-sensitivity but can be high-criticality if it drives live transactions, while archived personal notes can be high-sensitivity but low-criticality. Decide which objective the scenario's loss threatens before assigning a level.

Trap Treating low-sensitivity data as unimportant. A low-sensitivity but high-criticality asset still needs strong availability controls.

You can delegate the work of protecting data, but never accountability for it

Responsibility to perform a task can be delegated or outsourced; accountability cannot. The data owner stays accountable for the classification and for whether the data is adequately protected even after handling is handed to a custodian or a cloud provider. This is why outsourcing storage does not transfer the owner's duty for the label.

Trap Assuming that outsourcing storage to a custodian or cloud provider transfers accountability along with the work, when only the responsibility to perform moves.

1 question tests this
Classifying a new dataset is the first step before selecting any control

When new data or a new system is onboarded, have its owner classify it before granting access or choosing safeguards, because the label is the input every protection decision depends on. Selecting a control before you know the classification is choosing a solution before you know the requirement.

Trap Reaching for encryption or access controls as the FIRST step on new data. Categorization must precede control selection, since the label sizes the control.

2 questions test this
U.S. government classified tiers are defined by expected damage to national security

The national-security scheme grades the three classified levels by the damage unauthorized disclosure could reasonably be expected to cause: Top Secret = exceptionally grave damage, Secret = serious damage, Confidential = damage (per Executive Order 13526). Unclassified is not a classified level and carries no damage standard. Learn each tier by its damage definition rather than the word alone.

Trap Counting Unclassified as a fourth classified tier, when it carries no damage standard and is not a classified level at all.

In the government scheme, Confidential is the LOWEST classified tier

Among the three classified government levels, Confidential ranks below Secret and Top Secret. Its disclosure standard is plain "damage," the least severe of the three. This collides with everyday commercial usage, where "Confidential" often labels the most sensitive data, so the same word means opposite ends of the scale depending on the scheme.

Trap Ranking government Confidential as the most sensitive classified level. It is the least sensitive of the three classified tiers, below Secret and Top Secret.

A common commercial scheme runs Confidential, Private, Sensitive, Public

Commercial organizations grade by business impact rather than national-security damage. A widely taught four-tier model is Confidential (most sensitive; serious harm if disclosed), Private (internal personnel/financial data), Sensitive (harm if disclosed or altered; above public, below private), and Public (no harm on disclosure). The number of levels is a policy choice (others use Restricted/Internal/Public) but each level must be a defined band of expected harm.

Trap Treating one commercial label set as the single mandated standard, when the number and names of levels are a policy choice as long as each is a defined harm band.

FIPS 199 rates confidentiality, integrity, and availability impact independently

NIST FIPS 199 assigns an information type three separate impact ratings, one each for confidentiality, integrity, and availability, every one valued LOW, MODERATE, or HIGH. The ratings are independent, so a record can be HIGH for confidentiality yet LOW for availability; there is no single combined score for an information type.

Trap Collapsing C, I, and A into one overall impact score. FIPS 199 keeps the three objectives separate, each with its own level.

FIPS 199 impact levels map to limited, serious, and severe-or-catastrophic harm

FIPS 199 defines LOW as a loss expected to have a limited adverse effect, MODERATE as a serious adverse effect, and HIGH as a severe or catastrophic adverse effect on organizational operations, assets, or individuals. HIGH includes loss of a primary mission function, major financial loss, or loss of life. The verbal anchors (limited / serious / severe-or-catastrophic) are the testable distinction.

FIPS 199 records a category as SC = {(C, impact), (I, impact), (A, impact)}

The FIPS 199 security category (SC) notation lists the impact for each objective in a fixed triple, e.g. investigative information categorizes as {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}. For an information type, an objective may be NOT APPLICABLE, but NOT APPLICABLE is allowed only for confidentiality, never for integrity or availability.

Trap Assuming NOT APPLICABLE may be assigned to integrity or availability, when FIPS 199 permits it only for the confidentiality objective.

A system's category is the high-water mark across all its information types

When a system holds several information types, FIPS 199 sets its category by taking the highest impact in each objective independently across all resident types: the high-water mark. You do not average the levels and you do not apply a single type's whole triple to the system; each objective is maxed separately. This system category becomes the input that drives the control baseline selected next.

Trap Averaging the information types' impact levels, or copying one type's SC to the system. The system takes the maximum per objective, not a mean or a single type.

3 questions test this
A system's minimum category is LOW. NOT APPLICABLE cannot apply at the system level

Unlike an individual information type, an information system can never carry NOT APPLICABLE for any objective; its floor is LOW (the low-water mark). FIPS 199 reasons that the system must always protect its own processing functions and system information regardless of the data it happens to hold, so confidentiality, integrity, and availability each have at least a LOW minimum impact.

Trap Carrying NOT APPLICABLE up to the system level the way it is allowed for an information type, when a system's floor is always at least LOW for every objective.

SP 800-60 maps information types to their provisional impact levels

NIST SP 800-60 Volume 1 is the Guide for Mapping Types of Information and Information Systems to Security Categories; it catalogs information types (privacy, financial, investigative, and so on) and recommends a provisional confidentiality, integrity, and availability impact for each, which the owner then adjusts to context. It is the lookup that feeds the categorization, distinct from FIPS 199 which defines what the levels mean.

Trap Crediting SP 800-60 with defining what LOW, MODERATE, and HIGH mean, when it only maps types to provisional levels and FIPS 199 defines the levels themselves.

Attribute the standards: FIPS 199 defines levels, SP 800-60 maps types, SP 800-53 supplies controls

Keep the three roles separate: FIPS 199 defines the impact levels and the categorization rules, SP 800-60 maps an information type to its provisional impact, and SP 800-53 is the control catalog selected after categorization to build the baseline. Categorization (FIPS 199 / SP 800-60) precedes control selection (SP 800-53). Naming the source document correctly is a recurring exam discriminator.

Trap Citing SP 800-53 as the categorization method. It is the control catalog applied after the category is set, not the tool that determines impact levels.

Asset classification inherits the sensitivity of the data the asset holds or the function it supports

Classification extends from information to the things that hold it: hardware, systems, software, and media are graded by the sensitivity of the data they process or store, or the criticality of the function they support. A laptop handling HIGH-confidentiality data inherits that grade and earns the matching controls. The asset usually takes its level from the data on it, so reclassifying or wiping the data can change the asset's required handling.

Trap Grading hardware on its own cost or specs rather than inheriting the sensitivity of the data it holds or the criticality of the function it supports.

Higher classification justifies stronger and costlier controls, not blanket maximum protection

The label sets the bar: more sensitive or more critical classifications warrant stronger access, encryption, monitoring, and destruction controls, while lower tiers get lighter handling so resources are not wasted. The economic argument for classifying at all is that uniform maximum protection is unaffordable and uniform minimum protection is unsafe: graded labels let spend track risk.

Trap Applying the strongest controls uniformly across every tier to be safe, when the economic point of classifying is to let lower tiers receive lighter, cheaper handling.

A workable classification scheme has a few self-descriptive levels and is reviewed periodically

Most schemes run three to five levels: enough to differentiate sensitivity yet few enough that users apply them consistently. Use self-descriptive, ordered names (e.g. Confidential, Highly Confidential) so the relative sensitivity is obvious, and revisit classifications periodically or when significant business/system change occurs.

3 questions test this

Asset Handling

Read full chapter
  • Handling rules are derived from the classification level, never set per-asset
  • Handling standards must get stricter as classification rises
  • A security marking is human-readable; a person reads it and applies the rule
  • A security label is part of the object's data structure; a system enforces it
  • Pick marking when a person enforces, labeling when a system enforces
  • The sanitization category is chosen by data confidentiality first, media type second
  • Clear resists simple recovery; the media stays reusable
  • Purge resists laboratory recovery, yet keeps the media usable
  • Destroy resists lab recovery AND renders the media itself unusable
  • Media leaving organizational control is the moment that escalates everything
  • Media moving outside a controlled area needs a controlled transport path
  • Storage protection rises by classification tier
  • Sanitization is incomplete until you validate and document it
  • Map the MP control family to the handling actions it governs
  • Cryptographic erase sanitizes the key, not the ciphertext-bearing media
  • Mixed-classification media and documents take the HIGHEST level present

Unlock with Premium — includes all practice exams and the complete study guide.

Secure Provisioning

Read full chapter
  • Provision to a hardened baseline before deploy, not after
  • A baseline configuration changes only through change control
  • Least functionality means provision only essential capabilities
  • The information owner is accountable for setting an asset's controls
  • The system owner is responsible for the system across its whole life
  • The custodian implements the controls the owner specifies
  • Accountability cannot be delegated, only the responsibility to perform
  • An asset is anything of value, tangible or intangible
  • Inventory intangible assets too. Licenses and IP carry compliance risk
  • CM-8 requires a complete, accurate, non-duplicating component inventory
  • Update the inventory on every install, removal, and system update
  • The inventory carries the owner field that makes accountability queryable
  • A CMDB is the system of record tying identity, owner, and baseline together
  • You cannot protect what you cannot see. Inventory is the foundation
  • Ownership is the gate that makes a secure build possible
  • Provision from a standardized hardened image (golden / CIS Hardened Image)

Unlock with Premium — includes all practice exams and the complete study guide.

Data Lifecycle

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

The data owner sets classification; the custodian implements the controls

The data owner (information owner) is a senior business role that assigns the data's classification and defines its protection requirements, while the data custodian (typically IT) implements and maintains those controls: backups, access enforcement, patching, and the actual destruction. The split matters because a scenario asking who decides sensitivity is always the owner, and one asking who configures the safeguard is always the custodian. The owner directs; the custodian executes.

Trap Assigning the classification decision to the custodian or IT. They implement protections but never set the classification.

8 questions test this
Under GDPR the controller sets purposes and means; the processor only follows instructions

The data controller determines the purposes and means of processing personal data and bears primary accountability to the supervisory authority, whereas the data processor processes that data only on the controller's documented instructions. A cloud, payroll, or email provider is the classic processor. The exam parallels this with the internal owner/custodian split, but they are different lenses: owner/custodian is internal governance, controller/processor is the GDPR legal split for personal data. Accountability to the regulator rests with the controller, not the processor.

Trap Treating a cloud or SaaS vendor (a processor) as accountable to the regulator. Accountability stays with the controller.

2 questions test this
The data subject is the person the data describes and holds the privacy rights

A user is anyone who accesses data to do their job, but when the data is about a person, that person is the data subject: the holder of rights such as access, rectification, erasure (right to be forgotten), and portability under the GDPR. Distinguishing the two matters because privacy rights attach to the subject, not to every user who happens to read the record. The subject is who the controller must serve when a rights request arrives.

Trap Assigning the privacy rights to the user who accesses the record rather than to the data subject the record describes.

Manage data across its whole lifecycle, and match the control to the stage

Data passes through stages (commonly collect, store, use, share, archive, then destroy) with maintenance spanning the active stages, and each stage raises a different control question. Minimize what you collect, protect data at rest while stored, enforce least privilege while in use, secure the channel and bind agreements while sharing, preserve integrity and apply retention while archived, and sanitize verifiably at destroy. Identifying which stage a scenario is in tells you which control family it is really testing.

Collect only what the purpose needs. Data minimization

At the collection stage the governing principle is minimization: gather only the data the stated purpose actually requires, because data you never collect cannot be breached, mis-shared, or subpoenaed. Over-collection raises retention cost, expands the attack surface, and creates compliance exposure with no offsetting benefit. The cheapest data to protect is the data you chose not to hold.

Trap Reaching for retention limitation when the issue is at collection. Minimization governs what you gather, retention governs how long you keep it.

Data location decides which laws apply, so residency is a control decision

Where data physically lives governs the jurisdiction over it, and personal data carries the location of the data subject rather than the company. The GDPR reaches organizations outside the EU that offer goods or services to, or monitor, people in the EU. Moving regulated data across a border therefore needs a lawful transfer mechanism: an adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs) for intra-group transfers. The owner or controller chooses acceptable storage and processing locations as part of defining protection requirements.

Trap Assuming the applicable privacy law follows the company's home country rather than the data subject's location.

Encryption is a protective control, not a lawful transfer mechanism

When a cross-border transfer of personal data is proposed, the legal question is whether a transfer mechanism (adequacy, SCCs, or BCRs) is in place: encrypting the data does not by itself make the transfer lawful. Encryption protects confidentiality in transit and at rest, but it does not satisfy the legal basis a regulator requires for the data to leave the jurisdiction. The two questions are separate: encryption answers how the data is protected, the transfer mechanism answers whether it may move.

Trap Citing strong encryption as the reason a cross-border transfer is compliant. Encryption is a control, the legal basis still needs adequacy, SCCs, or BCRs.

Deleting or formatting leaves data remanence. The data is still recoverable

A logical delete only unlinks the file and a quick format only rewrites the file-allocation metadata, so the underlying bits remain on the media and are recoverable with ordinary tools. That residual data persisting after a nominal erasure is data remanence, and eliminating it (not just hiding the pointers) is the entire point of media sanitization. Treat any drive that was merely deleted or reformatted as still holding its data until it is actually sanitized.

Trap Treating a deleted file or a quick-formatted disk as sanitized. Both leave recoverable data remanence.

1 question tests this
NIST SP 800-88 defines three sanitization levels by the recovery effort each resists

NIST SP 800-88 Rev. 1 grades sanitization by the effort it defeats: Clear applies logical techniques (typically an overwrite via standard read/write commands) that resist simple non-invasive recovery and leaves the media reusable internally; Purge applies physical or logical techniques that render recovery infeasible even with state-of-the-art laboratory techniques; Destroy makes recovery infeasible and leaves the media unusable for storage. The categories escalate along one axis (how hard recovery is to defeat) rather than being unrelated methods.

Trap Assuming Purge leaves the media unusable like Destroy. Purge defeats laboratory recovery yet can still leave the media reusable.

Choose the sanitization method by confidentiality first, then media type

NIST SP 800-88's selection rule is to think first in terms of the data's confidentiality (its classification), then apply considerations based on the media type. Lower-confidentiality media reused inside the organization warrants Clear; higher-confidentiality data, or any media leaving your control, warrants Purge or Destroy. Confidentiality sets how thoroughly you must sanitize; media type then decides which technique actually achieves that level.

Trap Selecting the sanitization level from the media type first when the data's confidentiality is what sets how thoroughly you must sanitize.

Overwriting is unreliable on flash/SSD because wear-leveling hides cells

Software overwriting works on rewritable magnetic media but fails on flash and SSDs: wear-leveling and spare cells mean the device may not let standard write commands reach every area where data was stored, so old data can survive an overwrite. For that reason Purge-level SSD sanitization uses the drive's built-in sanitize command or cryptographic erase, not a software overwrite pass. The physics of flash, not the software, is what breaks the overwrite.

Trap Overwriting an SSD as if it were a magnetic disk. Wear-leveling can leave data in cells the overwrite never reaches.

5 questions test this
Degaussing only works on magnetic media and usually destroys the drive

Degaussing exposes magnetic media (hard disk drives, tapes) to a strong magnetic field and renders the data unrecoverable when the degausser strength is matched to the media's coercivity, typically leaving the drive inoperable afterward. Because flash and SSDs store data electrically, not magnetically, degaussing does nothing to them, and NIST warns it should never be relied on for flash-based devices. Match the method to the media's physics: degauss is a magnetic-only technique.

Trap Degaussing an SSD or flash drive expecting it to wipe the data. Flash is not magnetic, so degaussing has no effect.

Cryptographic erase sanitizes by destroying the key, leaving only ciphertext

Cryptographic erase (CE) sanitizes self-encrypting media by destroying the encryption key so that only unreadable ciphertext remains; without the key the data is unrecoverable. CE executes in a fraction of a second, which makes it ideal for large SSDs and for leased or cloud storage you cannot physically destroy. Its assurance is bounded by the strength of the encryption and the certainty that every copy of the key is gone.

Trap Picturing cryptographic erase as overwriting the stored data when it only destroys the key and leaves the ciphertext in place.

9 questions test this
Cryptographic erase is only valid if the data was encrypted from the start and all key copies are gone

CE is trustworthy only when the media was encrypted before any sensitive data was written and you can confirm every copy of the key (including escrowed or backed-up copies) has been destroyed. If encryption was enabled after plaintext was already stored, that earlier data was never encrypted and CE leaves it recoverable; if a key copy survives in escrow, the ciphertext can later be decrypted. In those cases CE must be combined with another sanitization method rather than relied on alone.

Trap Using cryptographic erase on a drive that stored plaintext before encryption was turned on. That earlier data was never encrypted, so CE does not sanitize it.

3 questions test this
Destroy when the media cannot be Purged or holds the highest-confidentiality data

Physical destruction (shredding, disintegrating, pulverizing, incinerating, or melting) is the answer when the data confidentiality is highest, when the media cannot be reliably Purged, or when no reuse is needed. It guarantees recovery is infeasible at the cost of the media itself, which can never store data again. Destroy is chosen over Purge precisely when reuse is not required and the assurance of total loss is worth the hardware.

Trap Choosing Destroy when the media must be reused. Purge already renders recovery infeasible while keeping the media usable.

5 questions test this
Sanitization is not done until it is verified and recorded on a certificate

After sanitizing, verify the result (a full read-back of accessible locations or representative sampling) and complete a certificate of sanitization (certificate of media disposition) for each piece of media. The certificate records the manufacturer, model, serial number, media type, the sanitization category used (Clear, Purge, or Destroy), the specific method (degauss, overwrite, block erase, crypto erase), the verification method, and the person who performed it. That document is the auditable evidence that data leaving the organization was actually destroyed.

A key's cryptoperiod ends its active use; a deactivated key still decrypts archived data

The cryptoperiod is the span a key is authorized for active (e.g. encrypting) use. When it expires the key moves to the deactivated state: no longer used to protect new data but retained to process (decrypt) data already protected with it. Keys needed for the full retention period must therefore be preserved in a key archive that remains recoverable across technology changes.

Trap Cryptoperiod expiry does not mean destroy the key. Deactivate and archive it so archived ciphertext stays decryptable

4 questions test this

Asset Retention

Read full chapter
  • Retention periods are set by external obligation, not storage convenience
  • Over-retention is a liability, so dispose on schedule once the period ends
  • Retention follows the data even after it leaves the system
  • Retention is set with legal and records management, not by IT alone
  • A legal hold suspends the retention schedule and overrides routine destruction
  • Held data returns to the normal schedule only after the hold is released
  • Defensible disposal requires a scheduled, consistent, hold-aware, evidenced process
  • A certificate of destruction closes the audit loop on disposal
  • Retention decides when to dispose; data-lifecycle decides how to destroy
  • End-of-support, not end-of-life, is the security event
  • "It still runs" is not a security position for an EOS asset
  • For an unsupported component, SA-22 allows only replace or provide alternative support
  • When replacement is infeasible, isolate the EOS asset and apply compensating controls
  • Running an unsupported asset means formally accepting documented residual risk
  • Vendors publish lifecycle dates so you manage against them, not get surprised
  • The BEST answer for an EOS asset is the risk-managed middle, not either extreme
  • Record-retention is a legal clock; MTD/RTO/RPO are continuity tolerances
  • A mandatory legal-retention obligation can override an erasure request, and conflicts default to the longest period
  • Place an eDiscovery/legal hold before terminating access, and confirm the hold's scope

Unlock with Premium — includes all practice exams and the complete study guide.

Data Security Controls

Read full chapter
  • Choose the control by the data's state, not once for the whole asset
  • Data at rest is protected by storage encryption layered over access control
  • At-rest encryption only protects data while the volume is locked
  • Data in transit is protected by transport encryption: TLS or IPsec
  • Data in use is the hard state because the CPU needs cleartext
  • Start control selection from a baseline keyed to the impact level
  • The FIPS 199 high-water-mark picks which baseline applies
  • Scoping removes controls that don't apply to your system
  • Tailoring is the whole process of adjusting a baseline to fit
  • Organization-defined parameters are the values a control leaves to you
  • Document every deviation from the baseline with its rationale
  • Standards selection picks the catalog the data's obligations demand
  • Map one control catalog to overlapping standards instead of rebuilding each
  • DRM binds usage policy to the object so control survives the perimeter
  • DLP stops sensitive data leaving by inspecting content against policy
  • DLP can only act on content it can read
  • A CASB is the policy control point between users and cloud services
  • Know the CASB four pillars: visibility, compliance, data security, threat protection
  • CASB inline mode blocks in real time; API mode acts out-of-band
  • Envelope encryption wraps a data key (DEK) with a key-encryption key (KEK)
  • TLS 1.3 makes forward secrecy mandatory via ephemeral key exchange
  • IPsec tunnel mode protects the entire original packet, including its IP header
  • Exact Data Match and document fingerprinting beat pattern matching on precision
  • Roll DLP out in simulation mode first, then tune enforcement with policy tips and overrides

Unlock with Premium — includes all practice exams and the complete study guide.

Security Architecture & Engineering

Secure Design Principles

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Secure design principles are chosen before any product is

Secure design principles are durable, vendor-neutral rules an engineer applies while designing a system, before a specific control is selected, so security becomes a built-in property rather than a later patch. On the exam they decide the "what should you do FIRST / what design is BEST" questions: the right answer reflects a principle, not the most impressive product. Treating security as a bolt-on added after a breach is the failure these principles exist to prevent.

Trap Picking the most feature-rich or expensive product as the BEST answer instead of the design principle it should follow - on principle questions the right choice reflects the principle, not the strongest tool.

Least privilege grants only the minimum access a function needs

Least privilege gives each subject the minimum system resources and authorizations required to perform its function and nothing more, so a misused or compromised account can damage only a narrow slice of the system. It is a design-time decision about scope, not a runtime monitoring control. Per NIST it is a property the architecture is designed to enforce, not something added once over-broad access already exists.

Trap Treating least privilege as identical to need-to-know - least privilege limits all access an identity holds, while need-to-know specifically limits which information within a clearance level a person may see.

1 question tests this
Separation of duties forces collusion before fraud is possible

Separation of duties (SoD) splits a sensitive task so no single person can complete it alone, reducing the risk of malevolent activity without collusion - the person who authorizes a payment must not also be able to issue it. It can be static (conflicting roles are never assigned to the same user) or dynamic (the conflict is enforced at execution, as in a two-person rule). A specific SoD example NIST calls out: those who administer access-control functions must not also administer the audit functions that would catch them.

Trap Giving the same person a second account to "separate" the duties - if one individual still controls both halves of the task, no duties are actually separated.

4 questions test this
Job rotation and mandatory vacations expose single-seat fraud

Job rotation and mandatory vacations are companion controls to separation of duties: they surface fraud schemes that depend on one person continuously occupying one role, because a substitute taking over the seat would notice irregularities. Mandatory vacation forces a break long enough for a concealed scheme to come to light. They are detective and deterrent controls, distinct from SoD which is preventive.

Trap Classifying job rotation and mandatory vacation as preventive controls like separation of duties - they uncover a scheme already running, so they are detective and deterrent, not preventive.

Defense in depth requires independent layers, not just many

Defense in depth places multiple layers of control across people, technology, and operations so defeating one layer still leaves the attacker facing the next. The load-bearing requirement is independence: two layers sharing a single chokepoint or one credential store fail together and count as one layer, not two. Stacking redundant copies of the same control is not defense in depth.

Trap Counting two controls that fail the same way (same credential store, same single gateway) as two layers - shared failure modes collapse them into one effective layer.

1 question tests this
Keep it simple and small to shrink the attack surface

Economy of mechanism (keep it simple and small) holds that the smaller and simpler a mechanism, the fewer flaws it can hide and the easier it is to verify, because complexity is where vulnerabilities live. A minimal, auditable control is preferable to a feature-rich one you cannot fully reason about. It is the principle behind preferring a small trusted computing base.

Trap Reading economy of mechanism as security through obscurity - it calls for a simple, openly verifiable design, not a hidden one whose safety depends on secrecy.

Fail securely means deny the protected action on failure

Fail securely (fail-closed / fail-safe) means that when a component crashes or a check errors out, it denies the protected action rather than allowing it through. It is the default for access control and data protection because it preserves confidentiality and integrity when the system can no longer make a sound decision. NIST defines fail-safe as a termination mode that prevents damage to system resources when a failure occurs.

Trap Choosing fail-open to preserve availability on a normal access-control component - fail-open is correct only when loss of availability is itself the greater harm, such as a safety-of-life system.

4 questions test this
Fail-open is correct only when availability is the greater harm

Fail-open keeps a function available through failure and is the right choice only where loss of availability would cause more harm than loss of control - a fire-exit door must unlock when its controller dies. The decision between fail-open and fail-closed is therefore a CIA trade-off resolved by which property dominates: confidentiality/integrity favors fail-closed, safety/availability of life favors fail-open. For ordinary access control, fail-closed wins.

Trap Defaulting an ordinary access-control or data-protection component to fail-open to maximize uptime - fail-open is reserved for cases where lost availability is the greater harm, such as a physical safety system.

2 questions test this
Secure defaults ship denying access until it is explicitly granted

Secure defaults mean a system ships in its most-protected state, denying access until access is explicitly granted, so a forgotten configuration leaves you safe rather than exposed. It is the same instinct as fail securely applied at a different moment: secure defaults govern the initial out-of-the-box state, fail-closed governs the failure state. Both default toward denial.

Trap Equating secure defaults with fail-closed - both default to denial, but secure defaults govern the out-of-the-box initial state while fail-closed governs behavior during a failure.

Zero trust assumes the network is already compromised

Zero trust (NIST SP 800-207) grants no implicit trust based on physical or network location, because it assumes an attacker is already present inside the environment - being on the corporate LAN earns nothing. It is the "never trust, always verify" posture, defined as minimizing uncertainty in per-request, least-privilege access decisions in the face of a network viewed as compromised. The focus shifts from defending a perimeter to protecting individual resources.

Trap Answering a perimeter-less or breached-network scenario with a bigger perimeter firewall - zero trust's premise is that the perimeter is already breached, so reinforcing it misses the point.

Zero trust evaluates every request per-session on dynamic policy

In zero trust, access is authenticated, authorized, and granted per-session with least privilege, and the decision is driven by dynamic policy weighing identity, device security posture, and context such as time and behavior. Authenticating to one resource does not automatically grant access to a different resource. A policy decision point (PDP) judges each request and a policy enforcement point (PEP) allows or blocks it.

Trap Assuming a single successful authentication grants ongoing access to other resources - zero trust re-evaluates each request per-session, so one login never carries trust to a different resource.

1 question tests this
Trust but verify is the legacy stance zero trust replaces

Trust but verify extends trust up front - often from network location or a single login - and checks behavior afterward, leaving an implicit trust zone in which a subject is trusted until the next check. That window is exactly what an attacker who has breached the perimeter exploits for lateral movement, which is why zero trust shrinks it toward zero by re-evaluating each request. NIST notes most enterprises run a hybrid of zero-trust and perimeter modes during migration rather than switching all at once.

Trap Treating trust but verify as a synonym for zero trust because both mention verification - trust but verify grants trust up front and checks later, the implicit-trust window zero trust eliminates.

SASE delivers zero-trust access from the cloud edge, but is not zero trust itself

Secure access service edge (SASE) is a cloud-delivered model that converges networking (SD-WAN) with security functions such as secure web gateway, cloud access security broker, and firewall-as-a-service, and enforces zero-trust network access at the edge close to the user. Zero trust is the principle (verify every session); SASE is one architecture that operationalizes it for a distributed, perimeter-less workforce. They are related but not synonyms.

Trap Treating SASE as a replacement for zero trust rather than a delivery vehicle for it - SASE enforces zero-trust access, it does not substitute for the principle.

Privacy by design builds data protection into defaults, not into a late add-on

Privacy by design embeds data protection into a system's defaults and full lifecycle from the outset - data minimization, purpose limitation, and retention limits baked into the data model - rather than adding a consent banner or anonymization step at the end. The exam contrast is disclosure versus design: a privacy notice tells users what happens to their data, whereas privacy by design changes what the system collects and keeps in the first place.

Trap Answering a new-personal-data design question with "add a privacy notice before launch" - a notice is disclosure, not the up-front data-minimizing design the principle requires.

Shared responsibility splits security OF the cloud from security IN the cloud

Under the cloud shared-responsibility model the provider secures OF the cloud (physical facilities, hardware, the hypervisor) while the customer secures IN the cloud (their data, identity, and configuration). The boundary shifts toward the provider as you move from IaaS to managed and abstracted services, but data classification and access control almost always stay the customer's job. Knowing which side owns a given control is the recurring exam decision.

Trap Assuming the provider secures your data because it secures the infrastructure - data protection, identity, and configuration remain the customer's responsibility in nearly every cloud service model.

Security Models

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A security model formalizes one policy goal so it can be proven, not just tested

A security model is a precise, often mathematical, statement of the rules a system must follow to uphold a policy goal, almost always one CIA pillar. It sits between the abstract policy and the implementation, so you can reason that the policy holds across every reachable state rather than checking access decisions case by case. On the exam the recurring task is to name which pillar a model protects and recite its rules in the correct direction.

Trap Equating the security model with the security policy itself. The policy states the goal in the abstract, while the model is the formal rule set that makes that goal provable.

Bell-LaPadula protects confidentiality with no read up and no write down

Bell-LaPadula's Simple Security Property forbids reading above your clearance (no read up) and its Star (*) Property forbids writing below your level (no write down), so classified data cannot flow downward to a lower level. It is a lattice-based multilevel model used to specify Mandatory Access Control. The "no write down" rule protects the data, not the writer: it stops a high-clearance subject from copying secrets into a low container that uncleared users could read.

Trap Reading "no write down" as protecting the author's work from being overwritten: it actually prevents secrets leaking to a lower classification.

4 questions test this
Biba protects integrity and is the exact inverse of Bell-LaPadula

Biba's Simple Integrity Axiom forbids reading below your level (no read down) and its Star Integrity Axiom forbids writing above your level (no write up), so low-integrity data cannot corrupt high-integrity data. Because its write rule points opposite to Bell-LaPadula's, the mnemonic is "BLP keeps secrets from leaking down; Biba keeps garbage from flowing up." A system cannot enforce both on the same labels at once since their write rules conflict.

Trap Pairing "no read up" with "no write up": that mixes one BLP rule with one Biba rule and is internally inconsistent for either model.

6 questions test this
Clark-Wilson enforces integrity through well-formed transactions, not clearance levels

Clark-Wilson keeps commercial data consistent by forbidding direct access: subjects change constrained data items (CDIs) only through certified transformation procedures (TPs), and integrity verification procedures (IVPs) confirm the data is in a valid state. Its central construct is the access triple (subject to program to object) so a user never operates on data except through an authorized program. This suits fraud and error prevention in financial systems, where clearance levels (BLP/Biba) are the wrong tool.

Trap Assuming Clark-Wilson assigns integrity levels and read/write rules like Biba. It governs integrity through certified programs and the access triple, not a lattice of labels.

3 questions test this
Clark-Wilson bakes in separation of duties so no one both creates and approves a change

Clark-Wilson requires separation of duties: the subject who initiates a transaction cannot be the one who approves it, so fraud needs collusion rather than a single actor. NIST defines separation of duty as the principle that no user is given enough privilege to misuse the system alone, enforced statically or dynamically (the two-person rule is the dynamic case). This is why exam stems about "a user may not both create and approve" point to Clark-Wilson.

Trap Attributing a separation-of-duties requirement to Biba or Bell-LaPadula. Those control read/write by level and say nothing about splitting a transaction across two people.

1 question tests this
Brewer-Nash (Chinese Wall) blocks conflict of interest using access history

Brewer-Nash, the Chinese Wall policy, walls off data sets that present a commercial conflict of interest: once a subject reads data for one company in a conflict class, they are barred from competitors in that same class. It is dynamic and history-based: past access decides future access, so the accessible set narrows with each read. Despite often being grouped with integrity models, its goal is confidentiality: preventing illicit information flow across the wall.

Trap Classifying Brewer-Nash as an integrity model because it is taught alongside Biba and Clark-Wilson. Its actual goal is confidentiality, stopping information flow between conflicting clients.

Graham-Denning and HRU govern the protection state, and HRU proves safety is undecidable

Graham-Denning defines primitive rights and rules for securely creating and deleting subjects and objects and transferring rights: it administers the protection matrix itself rather than reads and writes of data. Harrison-Ruzzo-Ullman (HRU) extends this and famously proves the safety problem (can a given right ever leak to a subject) is undecidable in the general case. The takeaway is that these answer how rights are administered and whether leakage is provable, which the data-flow models do not.

Trap Crediting the undecidable safety-problem proof to Graham-Denning. The proof that the general safety problem is undecidable belongs to Harrison-Ruzzo-Ullman.

The reference monitor must be tamperproof, always-invoked, and verifiable

A reference monitor is the abstract control that mediates every access attempt against the policy; NIST requires three properties simultaneously: always invoked (complete mediation, nothing bypasses it), tamperproof (protected from modification), and verifiable (small enough to be analyzed for correctness). It is the enforcement concept every model assumes: a model is inert without something that actually checks each access.

Trap Naming the security model itself as what enforces access: the model is the rulebook; the reference monitor is what mediates against it.

The security kernel implements the reference monitor; the TCB is the full trusted boundary

The security kernel is the concrete hardware, firmware, and software that implements the reference monitor concept, and it must mediate all access, resist modification, and be verifiable. The Trusted Computing Base (TCB) is the totality of protection mechanisms (hardware, firmware, and software) responsible for enforcing the security policy, so it is the boundary you evaluate for assurance. Keep the three straight: reference monitor (concept), security kernel (implementation), TCB (whole trusted boundary).

Trap Treating the security kernel and the TCB as the same thing. The kernel is the component that implements the reference monitor, while the TCB is the entire trusted boundary that contains it.

State-machine, information-flow, and noninterference describe HOW a model reasons

These three are reasoning frameworks, not pillar choices, so one named model can be several at once. A state-machine model proves the system is secure in every reachable state and transition; an information-flow model tracks data movement between levels and blocks disallowed flows; a noninterference model requires that a higher-level subject's actions have no observable effect on a lower-level subject. Bell-LaPadula is simultaneously a state-machine and an information-flow model.

Trap Treating state-machine, information-flow, and noninterference as mutually exclusive labels. They describe how a model reasons, so a single model like Bell-LaPadula can be more than one at once.

Noninterference defeats covert channels and inference that level-based MAC leaves open

A noninterference model goes beyond blocking direct flows: it requires a high-level subject's behavior to be unobservable to a low-level subject, closing covert channels and inference. This matters because even strict MAC leaks: NIST warns information of a higher class can be deduced by assembling and combining lower-class information. A stem describing a low user indirectly deducing high data is testing this gap, and the answer is a noninterference model, not BLP or Biba.

Trap Assuming Bell-LaPadula's no-read-up / no-write-down already closes covert channels and inference. Those block direct flows but leave the indirect leakage that noninterference is meant to address.

3 questions test this
Bell-LaPadula and Biba are lattice models specifying Mandatory Access Control

Both Bell-LaPadula and Biba are multilevel security models that label every subject and object with a level drawn from an ordered lattice, used to express Mandatory Access Control. Under MAC the system enforces protection decisions over the object owner's wishes (the owner cannot override the policy) which is what distinguishes it from owner-controlled discretionary access control. The lattice ordering is what gives "up" and "down" their meaning in the read/write rules.

Trap Thinking the object owner can grant or override access under these lattice models. That is discretionary access control; MAC enforces the policy regardless of the owner's wishes.

5 questions test this
Match the model to the scenario's pillar, not to a keyword

Choose the model from the goal in the stem: confidentiality with clearance levels selects Bell-LaPadula; integrity with levels selects Biba; integrity via controlled transactions and separation of duties selects Clark-Wilson; conflict of interest among competing parties selects Brewer-Nash. The common distractor is the other CIA pillar's model: offering Biba when the scenario is about secrecy, or BLP when it is about preventing corruption.

1 question tests this
The classic models address confidentiality and integrity, never availability

None of Bell-LaPadula, Biba, Clark-Wilson, or Brewer-Nash addresses the availability pillar: they govern who may read or write what, not whether the system stays reachable. Availability is handled through resilience, redundancy, and continuity design instead. A stem that frames any of these models as protecting uptime or availability is using a framing trap.

Trap Selecting a confidentiality or integrity model as the answer to an availability requirement: these models say nothing about uptime.

Bell-LaPadula's tranquility property governs whether labels can change during operation

Bell-LaPadula adds a tranquility property about label stability: strong tranquility means security labels never change while the system runs, whereas weak tranquility allows labels to change only in ways that do not violate the security policy. This matters because allowing a subject or object to be relabeled mid-operation could otherwise sidestep the no-read-up / no-write-down rules.

Trap Swapping the definitions so that weak tranquility forbids all label changes. It is strong tranquility that bars any change during operation, while weak tranquility permits policy-safe relabeling.

1 question tests this

Controls Selection

Read full chapter
  • Control selection is requirements-driven: categorize impact, then choose a baseline
  • Pick the SP 800-53B baseline that matches the system's impact level
  • FIPS 199 impact is the high-water mark across C, I, and A
  • A baseline is a starting point; tailoring produces the system's real control set
  • An overlay is reusable tailoring shared across a community of interest
  • The privacy baseline applies regardless of impact level
  • Common Criteria (ISO/IEC 15408) evaluates a product, the TOE
  • Protection Profile states class requirements; Security Target states the product's claim
  • An EAL rates evaluation rigor, not how secure the product is
  • Know the EAL scale: EAL4 is the common commercial and mutual-recognition cap
  • Certification is the assessment; accreditation is the decision to accept the risk
  • The authorizing official owns risk acceptance, not the assessor
  • Modern RMF renames C&A to Assessment and Authorization, output is an ATO
  • RMF has seven steps; Select and Authorize are where control selection lives
  • Tie a product's EAL to its requirements, not to an absolute security score

Unlock with Premium — includes all practice exams and the complete study guide.

System Security Capabilities

Read full chapter
  • The TCB is everything the system trusts unconditionally, so keep it small
  • The reference monitor must be always-invoked, tamperproof, and verifiable: all three
  • The security kernel is the implementation; the reference monitor is the concept
  • Process isolation gives each process its own virtual address space
  • Protection rings put the kernel in Ring 0 and user code in Ring 3
  • DEP/NX stops code from executing in data regions
  • ASLR randomizes load addresses so attackers cannot predict where to jump
  • DEP and ASLR are complementary, not substitutes
  • Memory protection assumes a trustworthy kernel and falls once Ring 0 is compromised
  • A secure cryptoprocessor keeps keys inside a tamper-resistant boundary
  • A TPM binds trust to one platform: keys, boot measurements, and attestation
  • TPM sealing requires a specific platform state; binding only requires the TPM
  • An HSM is the high-volume, shared, high-assurance key store
  • FIPS 140-3 defines four increasing security levels for crypto modules
  • Secure boot enforces by refusing unsigned code; measured boot records what ran
  • A hardware root of trust is trusted unconditionally because its misbehavior cannot be detected
  • A TEE isolates code from a compromised OS by shrinking the TCB
  • Code placed in a TEE becomes part of the TCB and must stay small and verified
  • Capabilities enforce a policy; a security model decides it
  • Encryption is the capability for confidentiality on media or infrastructure you don't control

Unlock with Premium — includes all practice exams and the complete study guide.

Architecture Vulnerabilities

Read full chapter
  • Recognize the architecture first, then map it to its signature vulnerability and the matching mitigation
  • A shared component is a shared blast radius
  • Never treat logical separation as equal to physical or hardware separation
  • VM escape lets a guest break out to the hypervisor and reach every other VM
  • A bare-metal (Type 1) hypervisor has a smaller attack surface than a hosted (Type 2) one
  • VM sprawl leaves dormant, unpatched VMs as live attack surface
  • Containers share the host kernel, so they isolate more weakly than VMs
  • Pull container images only from trusted registries and scan them before deployment
  • Run a minimal, container-specific host OS to shrink the shared attack surface
  • Cloud shared responsibility splits the stack: provider secures OF the cloud, customer secures IN the cloud
  • The cloud responsibility line slides with the service model: IaaS > PaaS > SaaS for customer-owned layers
  • Misconfiguration of the customer-owned cloud layer is the dominant breach cause, not provider failure
  • Inference deduces protected facts from data you are allowed to see
  • Aggregation assembles a sensitive whole from individually harmless pieces
  • Polyinstantiation defeats inference by storing same-key records at different classification levels
  • A cryptographic system's architectural weakness is key management, not the math
  • OT/ICS prioritizes availability and safety over confidentiality, inverting the IT order
  • Do not actively scan or reflexively patch fragile OT: use passive monitoring and compensating controls
  • Segment OT from IT with security zones and conduits, isolated behind a DMZ
  • IoT and embedded devices fail on default credentials, no patch path, and lifespans that outlast support
  • In microservices the API is the exposed attack surface: authenticate every call, never trust the internal network
  • Scope serverless functions to least-privilege execution roles and validate event inputs
  • Edge and HPC lose the single perimeter: treat each node as untrusted and protect physically exposed ones
  • STRIDE categorizes threats into six types, mapped per DFD element
  • DREAD rates and prioritizes a threat by five factors
  • ABAC is the answer to RBAC role explosion
  • DAC lets owners delegate access, which exposes it to Trojan horses

Unlock with Premium — includes all practice exams and the complete study guide.

Cryptographic Solutions

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Pick the cryptographic class by the property the asset needs, not by strength

Cryptography splits into three classes that preserve different properties: symmetric and asymmetric ciphers give confidentiality, hash functions give integrity, and a digital signature gives integrity plus authenticity plus non-repudiation together. Reason from the required property first, then choose the class whose primary effect is that property. The recurring exam trap is offering a strong control for the wrong property, so fit beats strength.

Trap Choosing the strongest-sounding algorithm rather than the one whose property matches the requirement, e.g. answering with encryption when the question asks for integrity.

AES is a symmetric block cipher specified in FIPS 197

The Advanced Encryption Standard (AES) is a symmetric block cipher (one shared secret key both encrypts and decrypts) specified in NIST FIPS 197 and used for bulk confidentiality such as full-disk, database, and transport encryption. Symmetric is fast, which is why it carries the data payload rather than asymmetric crypto. Its weakness is not the math but distributing the shared key safely.

Trap Classifying AES as an asymmetric algorithm because it is the headline standard, when the same secret key both encrypts and decrypts.

1 question tests this
Symmetric key distribution does not scale, which is the problem asymmetric solves

A symmetric cipher needs both endpoints to hold the same secret, and there is no safe way to hand that secret across an open channel; n parties talking pairwise need about n(n-1)/2 keys, which explodes. Asymmetric cryptography exists precisely to break this: a published public key lets anyone encrypt while only the private key decrypts, so no secret crosses the wire. That is the single reason real protocols pair the two.

Trap Picking weak algorithm strength as symmetric crypto's main weakness when the actual scaling problem is safely distributing the shared secret.

2 questions test this
Never use ECB mode; it leaks plaintext structure

A block cipher needs a mode of operation, and Electronic Codebook (ECB) is the wrong choice because it encrypts identical plaintext blocks to identical ciphertext, leaking patterns in the data. Prefer an authenticated mode such as GCM, which provides confidentiality and integrity at once. The fact that two ciphertext blocks match should never reveal that the underlying plaintext matched.

Trap Treating ECB as acceptable because the cipher (e.g. AES) is strong: the mode, not the cipher, leaks repeating-block structure.

1 question tests this
ECC gives RSA-equivalent security at a far smaller key size

Elliptic-curve cryptography (ECC) reaches the same security level as RSA with much shorter keys (roughly a 256-bit ECC key matches a 3072-bit RSA key) so it costs less compute and bandwidth and is preferred on mobile and constrained devices. Both are asymmetric and far slower than symmetric ciphers, so both are used on small data like keys and hashes, not bulk payloads.

Trap Reading ECC's shorter key as weaker than RSA, when a 256-bit ECC key matches a 3072-bit RSA key at the same security level.

Diffie-Hellman exchanges a shared secret without sending it

Diffie-Hellman is an asymmetric primitive that neither encrypts nor signs; it lets two parties derive a shared symmetric secret over a public channel. Using ephemeral Diffie-Hellman keys per session provides perfect forward secrecy, meaning a later compromise of a long-term private key cannot decrypt previously recorded sessions. That property is why modern TLS favors ephemeral key exchange.

Trap Treating Diffie-Hellman as an encryption or signing algorithm, when it only establishes a shared secret and neither encrypts nor signs data.

4 questions test this
Real systems are hybrid: asymmetric ships the key, symmetric carries the data

A hybrid cryptosystem like TLS generates a random one-time symmetric session key, encrypts the bulk data with that fast key, and encrypts only the small session key with the recipient's public key. The recipient uses its private key to recover the session key, then decrypts the data symmetrically. Asymmetric crypto touches just the tiny key, never the payload: that is how systems get both safe key distribution and speed.

Trap Believing asymmetric encryption protects the whole file: it encrypts only the session key; the symmetric cipher encrypts the data.

1 question tests this
A hash gives integrity, not confidentiality

A cryptographic hash (SHA-2 or SHA-3) is a one-way function producing a fixed-length digest, so any change to the input changes the digest: that is integrity. It uses no key, so on its own it proves nothing about who produced the data, and being one-way it does not hide data from someone who already has it. Use encryption when secrecy is the goal and a hash when tamper detection is.

Trap Selecting hashing to keep data secret, when a keyless one-way digest provides integrity and does nothing for confidentiality.

A MAC proves authenticity but cannot provide non-repudiation

A Message Authentication Code (MAC), including its hash-based form HMAC, uses a secret key shared by both parties to prove integrity and authenticity between them. But because both hold the same key, either could have produced the tag, so a MAC cannot give non-repudiation: an outside party can't attribute the act to one signer. Reach for a MAC when two known parties just need to trust each other's messages.

Trap Crediting a MAC or HMAC with non-repudiation, when the shared key means either party could have produced the tag and a third party cannot attribute it.

Only an asymmetric digital signature provides non-repudiation

A digital signature hashes the message and encrypts the hash with the signer's private key; a verifier checks it with the signer's public key. Per FIPS 186-5 it delivers data integrity, origin authenticity, and signatory non-repudiation at once, and non-repudiation holds only because the private key is held by exactly one party, letting a third party attribute the act. When a question wants the signer unable to deny it to an auditor or court, the answer is a digital signature.

Trap Answering MAC or HMAC for non-repudiation: the shared key means either party could have produced the tag, so it fails third-party attribution.

1 question tests this
FIPS 186-5 approves RSA, ECDSA, and EdDSA for signatures

The Digital Signature Standard, FIPS 186-5 (2023), specifies the approved signature algorithms RSA, ECDSA, and EdDSA, and supersedes FIPS 186-4. It exists to detect unauthorized modification, authenticate the signatory, and provide non-repudiation. Knowing the standard's name and that signatures are asymmetric is the testable core, not the algorithm internals.

Encryption, hashing, and encoding are three different things

Encoding such as Base64 is reversible and keyless and is not a security control; encryption is reversible with a key and gives confidentiality; hashing is one-way and gives integrity. Conflating them is a classic distractor, especially treating Base64 or a hash as if it were encryption. Name the operation by whether it is reversible and whether it uses a key.

Trap Calling Base64 encoding or a hash digest 'encryption': neither hides data with a key.

Most cryptographic failures are key-management failures, so govern the lifecycle

Algorithms rarely break in practice; keys do, through poor handling. Treat every key as moving through generation, distribution/exchange, storage, use, rotation, and destruction, and put a control on each phase. Generate from a vetted random source, distribute without exposing the secret, store private keys in hardware separated from the data, rotate on schedule, and destroy retired keys so they cannot be recovered.

Trap Hardening the algorithm or key length when the BEST control is governing the key's whole lifecycle, where real-world failures happen.

A key is authorized only for its cryptoperiod, then it must be rotated

A cryptoperiod is the time span during which a specific key is authorized for use (NIST SP 800-57); at its end the key is retired and replaced. Bounding the cryptoperiod limits the damage of a compromise to a single window of data rather than everything the key ever protected. This is why key rotation is a policy requirement, not an optional hygiene step.

1 question tests this
Store private keys in an HSM, separated from the data they protect

A Hardware Security Module (HSM) generates and holds keys inside tamper-resistant hardware so the private key never leaves it in the clear, and keys are kept separate from the data they encrypt so one compromise does not yield both. When a question asks the BEST way to protect keys, the lifecycle answer (HSM storage, rotation, destruction) beats simply picking a longer key.

Trap Fixating on a larger key size while leaving the private key poorly stored. Key handling, not key length, is usually the weak point.

1 question tests this
Key escrow and split knowledge govern recovery and custody

Key escrow stores a copy of a key with a trusted third party so the organization, or law enforcement under proper authority, can recover encrypted data if the key is lost. Split knowledge with M-of-N control requires several custodians to act together to use a critical key, so no single person can wield or expose it alone. The two address different risks: escrow is about recoverability, split knowledge about insider control.

Trap Reaching for key escrow to stop a single insider from misusing a key, when recoverability is escrow's purpose and split knowledge is what enforces dual control.

2 questions test this
A public key becomes trustworthy only through a PKI-issued certificate

A public key is just a number; trust comes from an X.509 certificate that binds the key to an identity and is signed by a Certificate Authority the relying party already trusts. Public Key Infrastructure (PKI) is the framework that issues, maintains, and revokes those certificates, with a Registration Authority vetting identity before the CA signs. Without a trusted issuer in the chain, the binding means nothing.

Trap Trusting a public key on its own because it works mathematically, when trust requires a CA-signed certificate binding that key to a verified identity.

Trust flows down a chain from a protected root through intermediate CAs

PKI layers its authorities: a tightly guarded, usually offline root CA signs intermediate (subordinate) CAs, which in turn sign end-entity certificates. A relying party trusts a certificate by validating the chain up to a root already in its trust store. The layering means a root compromise stays rare and an intermediate can be revoked without reissuing every certificate beneath it.

Trap Assuming the root CA directly signs end-entity certificates, when it signs intermediate CAs and stays offline so a compromise can be contained at the intermediate level.

A valid certificate must chain to a trusted root, be unexpired, and not be revoked

A verifying signature alone is not enough; a certificate is trustworthy only if all three hold: it chains to a trusted root, has not expired, and has not been revoked. Because a private key can be lost or stolen before expiry, revocation checking is mandatory, not optional. A self-signed certificate fails the first condition and should not be accepted as proof of identity.

Trap Accepting a certificate because its signature verifies, while ignoring that it is expired, self-signed, or revoked.

Use OCSP for real-time revocation; a CRL is the periodic-download fallback

A Certificate Revocation List (CRL) is a CA-signed list of revoked serial numbers that clients download, but it goes stale between publications and grows large at scale. The Online Certificate Status Protocol (OCSP) answers the status of a single certificate in real time, and OCSP stapling has the server attach a recent signed status so the client need not contact the CA. Choose OCSP when freshness matters.

Trap Picking a CRL when the requirement is real-time revocation status, since a downloaded list goes stale between publications and OCSP answers per certificate.

1 question tests this
Quantum breaks asymmetric crypto but only weakens symmetric and hashing

Shor's algorithm on a large quantum computer efficiently factors integers and solves discrete logs, defeating RSA, ECC, and Diffie-Hellman. Grover's algorithm only roughly halves the effective strength of symmetric ciphers and hashes, which is countered by doubling key or output size, so AES-256 and SHA-384 stay strong. The asymmetric algorithms are the ones that need replacing.

Trap Assuming a quantum computer breaks AES and SHA outright, when Grover only halves their strength (fixed by larger sizes) while Shor defeats RSA, ECC, and DH.

2 questions test this
Migrate to NIST post-quantum standards now against harvest-now-decrypt-later

NIST finalized its first post-quantum standards in August 2024: ML-KEM (FIPS 203) for key encapsulation and ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for signatures. Because adversaries can record encrypted traffic today and decrypt it once quantum computers arrive (the harvest-now-decrypt-later threat), data with a long confidentiality lifetime should adopt these algorithms now rather than waiting for a quantum computer to exist.

Trap Deferring post-quantum migration until quantum computers exist, when harvest-now-decrypt-later means long-lived secrets are already at risk from recorded traffic.

4 questions test this
QKD detects eavesdropping but does not replace authentication

Quantum key distribution (QKD) uses quantum physics rather than math to detect any eavesdropper on a key exchange, but it requires special hardware and provides no source authentication on its own. NIST and NSA guidance therefore favor post-quantum algorithms over QKD for general use. Treating QKD as a drop-in replacement for the whole cryptographic stack is the misconception to avoid.

Trap Assuming QKD by itself replaces authentication or post-quantum algorithms. It only secures key exchange and needs dedicated hardware.

Store passwords with a slow, memory-hard, per-user-salted hash

Fast general-purpose hashes (MD5, SHA-1, SHA-256) are unfit for passwords because GPUs compute billions per second and unsalted ones fall to precomputed rainbow tables. Use a deliberately slow, memory-hard algorithm (Argon2id, bcrypt, scrypt, PBKDF2) with a unique random salt per password. A salt defeats rainbow tables and forces one-at-a-time cracking; a pepper (a secret added via a keyed derivation step and held separately, e.g. in an HSM) adds protection if only the database is stolen.

Trap Salt defeats precomputation (rainbow tables) but does NOT slow brute force. Only a slow/memory-hard function does; both are needed.

8 questions test this

Cryptanalytic Attacks

Read full chapter
  • Classify a cryptanalytic attack by attacker access, not by the algorithm
  • The analytic attacks form a ladder of increasing attacker access
  • Known-plaintext means captured pairs; chosen-plaintext means the attacker controls the input
  • Brute force sets the floor, defeated by adequate key length
  • Frequency analysis breaks classical substitution ciphers
  • A birthday attack finds a hash collision in about 2^(n/2) work
  • Meet-in-the-middle is why double encryption barely helps
  • Side-channel attacks read physical leakage, not the ciphertext
  • Fault-injection attacks force errors so the faulty output reveals the key
  • Put keys an attacker can physically reach in a FIPS 140-validated module
  • A man-in-the-middle attacker relays and alters traffic between two parties
  • Replay attacks resend captured messages; freshness defeats them
  • Pass-the-hash authenticates with a stolen hash, never cracking the password
  • A golden ticket forges TGTs from the KRBTGT secret
  • Kerberoasting cracks service-account passwords offline from service tickets
  • Ransomware uses strong cryptography against you, so recoverability is the defense
  • A system's strength is the cheapest known attack, not its key length
  • SPA reads one trace by eye; DPA correlates many traces statistically

Unlock with Premium — includes all practice exams and the complete study guide.

Site & Facility Design

Read full chapter
  • Physical security is layered defense-in-depth, with the site as the outermost ring
  • Design the environment first so purchased controls reinforce a plan, not patch a bad site
  • CPTED designs the built environment to reduce both crime and the fear of crime
  • Natural surveillance makes legitimate occupants able to observe a space without effort
  • Natural access control channels movement through deliberate, limited entry points
  • Natural territorial reinforcement signals ownership so a space reads as watched
  • Maintenance sustains CPTED because visible neglect invites intrusion
  • In CPTED, "natural" means surveillance and access control as a by-product of layout
  • Site selection weighs hazards, surroundings, and visibility
  • A high-value facility is usually safest when it does not advertise its function
  • NIST PE-23 requires planning the facility location considering physical and environmental hazards
  • NIST PE-18 places system components to minimize damage and unauthorized access
  • Defensible space arranges the facility as concentric zones of decreasing public access
  • Put the secure core at the interior, never against an exterior wall or public corridor
  • For a new facility, assess site and hazards FIRST, before specifying controls
  • Site and facility design stays at the layout altitude; specific controls are a separate subtopic

Unlock with Premium — includes all practice exams and the complete study guide.

Facility Security Controls

Read full chapter
  • Facility environmental controls protect availability first
  • Lock and log wiring closets (IDF/MDF) even though they're unstaffed
  • Evidence storage adds chain of custody on top of media storage's environmental controls
  • Combustion needs four things. The fire tetrahedron
  • The class of fire dictates the only safe agent
  • De-energize or use a non-conductive agent before fighting an electrical fire
  • Prefer a clean agent over water around live electronics
  • Halon was banned for ozone depletion; FM-200 and inert gas replaced it
  • Pre-action sprinklers are the data-center default because they guard against accidental discharge
  • Know the four sprinkler pipe configurations by their pipe state
  • Match the fire detector to the fire signature you need caught earliest
  • Hot-aisle/cold-aisle keeps supply and exhaust air from mixing
  • Keep server-room humidity in band. Both extremes damage hardware
  • Low humidity means static; high humidity means condensation
  • Maintain positive air pressure to keep contaminants out
  • Raised floors route power and chilled air but hide water
  • Build power in three layers: condition it, ride the gap with a UPS, then run the generator
  • A UPS is bridge power, not long-run power. It buys time for the generator
  • Express power redundancy as N+1 up to 2N
  • Use the exact power-anomaly term. Under-voltage, over-voltage, or loss, momentary or prolonged
  • Plan facility controls against natural, man-made, and political threats
  • Tune biometrics by FAR vs FRR; compare systems by CER
  • Dual-technology motion sensors cut false alarms with AND logic
  • Counter vehicle-borne attacks with crash-rated standoff barriers

Unlock with Premium — includes all practice exams and the complete study guide.

System Lifecycle

Read full chapter
  • The system life cycle is an ordered set of stages, and security is engineered into each one
  • Security requirements are fixed before architecture because late defects cost far more to fix
  • Verification asks whether you built the system right; validation asks whether you built the right system
  • NIST defines verification as meeting specified requirements and validation as meeting the intended use
  • Retirement/disposal is a security stage, not a logistics task
  • Operation and maintenance (sustainment) is where security is kept, not established
  • ISO/IEC/IEEE 15288 defines the process framework; SP 800-160 Vol. 1 adds the security-engineering view
  • Architecture design is where security mechanisms and trust boundaries are selected and the design is threat-modeled
  • Trace every control back to a requirement during implementation
  • Integration must confirm that composing components introduces no new weaknesses
  • Transition/deployment establishes a secure baseline and obtains authorization to operate before go-live
  • The systems-engineering life cycle is not the software development life cycle
  • Life-cycle stages are concurrent and iterative, not a strict one-pass waterfall
  • Place a security activity in the stage that owns it, and prefer the earliest correct stage
  • The system disposal stage triggers media sanitization; the data lifecycle owns the sanitization mechanics

Unlock with Premium — includes all practice exams and the complete study guide.

Communication & Network Security

Secure Network Architecture

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Map any protocol, threat, or control to its OSI layer first

The OSI model's seven layers - Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7) - exist so you can place any protocol, attack, or control at the layer it operates on. CISSP questions pair a threat to its layer and ask for the countermeasure that belongs there, so naming the layer is the move that selects the answer. Lower-numbered layers are closer to the physical medium; higher-numbered are closer to the application.

The four-layer TCP/IP model is what the wire actually uses

TCP/IP collapses OSI's seven layers into four: Link (OSI 1-2), Internet (OSI 3), Transport (OSI 4), and Application (OSI 5-7). The protocols you run follow TCP/IP, but the exam phrases threats and controls in OSI's seven-layer vocabulary, so you must hold both models and the mapping between them. The Internet layer is where IP and IPsec live; the Application layer absorbs OSI's session, presentation, and application functions.

Trap Mapping the TCP/IP Application layer to OSI Layer 7 alone - it actually absorbs OSI's Session, Presentation, and Application layers (5-7).

A control at a lower layer protects everything carried above it

Encapsulation means each layer wraps the data of the layer above, so security added at a lower layer covers all the protocols riding on top of it without per-application changes. That is exactly why network-layer IPsec protects every application's packets while transport-layer TLS protects only one application's session. The corollary for attackers: a filter that inspects only an outer wrapper cannot see traffic hidden in an inner layer.

Trap Assuming a higher-layer control protects the layers beneath it - protection flows upward from a lower layer, so a higher-layer control covers only its own session, not the traffic carrying it.

Defense-in-depth layers only count if they fail independently

Defense in depth places controls across multiple layers so defeating one does not defeat the rest, but the CISSP qualifier is that the layers must be independent. Two controls that share one chokepoint or one credential store fail together and count as a single layer, not two, so adding a second firewall that trusts the same management plane buys little real depth. Genuine depth puts controls that fail for different reasons in the attacker's path.

Trap Counting two controls behind one shared credential store or management plane as two layers - one compromise drops both, so they are really one layer.

1 question tests this
IPsec secures at Layer 3, so it covers all IP traffic between endpoints

IPsec operates at the Network layer, so it protects every IP packet between two endpoints or gateways regardless of the application that produced it - that breadth is why it underpins site-to-site VPNs. When a requirement is to protect all traffic between two locations transparently to applications, IPsec is the layer-correct answer. Per-application encryption cannot deliver that transparent, all-traffic coverage.

Trap Reaching for per-application TLS to cover all traffic between two sites - only network-layer IPsec protects every IP packet transparently regardless of the application.

Use ESP when you need confidentiality; AH gives integrity only

IPsec has two protocols: AH (Authentication Header) provides integrity and data-origin authentication but no encryption, while ESP (Encapsulating Security Payload) provides confidentiality plus optional integrity. So a requirement for confidentiality forces ESP, never AH. RFC 4301 even downgraded AH to optional because ESP alone meets most needs.

Trap Choosing AH to encrypt traffic - AH never provides confidentiality, only integrity and authentication; ESP is the encrypting protocol.

IPsec tunnel mode hides the original IP header; transport mode keeps it

Tunnel mode adds a new outer IP header and encapsulates the entire original packet, hiding the inner addresses - this is the gateway-to-gateway VPN case. Transport mode adds no new IP header and protects only the payload, leaving the original IP header exposed, which fits host-to-host protection where the endpoints route the packets themselves. The deciding question is whether the original addressing must be concealed across an intermediate link.

Trap Assuming transport mode hides the original IP header - it does not add an outer header, so the original source and destination remain visible; tunnel mode is what conceals them.

TLS protects one application's session above the Transport layer

TLS sits just above the Transport layer and secures a single application session - HTTPS is TLS protecting HTTP - giving per-application confidentiality and integrity with no change to the underlying network. It is the right tool when one service needs protection and re-architecting the network is unwarranted. Because it is per-session, it does not transparently protect every protocol the way network-layer IPsec does.

Trap Picking TLS to secure all traffic between two sites - TLS only protects per-application sessions, so blanket site-to-site protection is IPsec's job at the network layer.

Segmentation contains a breach by limiting lateral movement

Segmentation divides a network into zones and controls traffic at the boundaries, so an attacker who compromises one zone cannot freely reach the next. It is the architectural answer to limiting lateral movement after an initial foothold. The design heuristic is that the higher a zone's value or the lower its trust, the finer the segmentation it warrants.

Trap Expecting segmentation to prevent the initial breach - it contains and limits lateral movement after a foothold, it does not stop the first compromise.

1 question tests this
Logical segmentation shares hardware; physical segmentation shares nothing

Physical segmentation uses separate hardware or an air gap and shares no common component, giving the strongest isolation at the highest cost. Logical segmentation - a VLAN splitting one switch into separate broadcast domains - is cheaper and far more common but rides shared hardware, so a compromise or misconfiguration of that device (for example VLAN hopping) can defeat it. When a stem demands true isolation of a high-value system, physical separation is the stronger answer because there is no shared component to subvert.

Trap Treating a VLAN as equivalent to physical isolation for a high-value system - the VLAN shares switch hardware an attacker could subvert via VLAN hopping or a device compromise.

2 questions test this
Micro-segmentation pushes the boundary down to a single workload

Micro-segmentation enforces policy at the granularity of an individual host or workload rather than a whole subnet, so even server-to-server traffic inside one zone must pass a policy check. This is the mechanism that makes zero trust enforceable inside a data center, because there is no implicitly trusted inside if every workload-to-workload flow is mediated. The cost is the larger number of policies to define and maintain compared with subnet-level rules.

Trap Equating micro-segmentation with ordinary subnet or VLAN segmentation - micro-segmentation mediates every workload-to-workload flow, not just traffic crossing a zone boundary.

4 questions test this
Zero trust grants no access based on network location

Zero trust assumes the network is already compromised and grants nothing based on where a request originates, so being inside the perimeter earns no access. NIST SP 800-207 frames it as least-privilege, per-request access decisions made in the face of a network viewed as compromised; every session is authenticated, authorized, and granted least privilege against a dynamic policy weighing identity, device posture, and context. Authenticating to one resource never automatically grants access to another.

Trap Assuming a request from inside the firewall is trustworthy - zero trust explicitly removes location-based trust and verifies every session regardless of origin.

Zero trust enforces with a Policy Decision Point and a Policy Enforcement Point

NIST SP 800-207 structures zero-trust enforcement as a Policy Decision Point (PDP) that evaluates each access request against policy and a Policy Enforcement Point (PEP) that actually allows or blocks the connection. Separating the decision from the enforcement lets one policy engine govern many enforcement points consistently. The standing design goal is to keep any implicit-trust zone as small as possible.

Trap Swapping the roles of the PDP and PEP - the Policy Decision Point evaluates the request against policy, while the Policy Enforcement Point is what actually permits or blocks the connection.

2 questions test this
SDP and ZTNA hide a resource until the requester is verified

A software-defined perimeter (SDP), the mechanism behind zero-trust network access (ZTNA), hides resources from the network and brokers a connection only after the requester is authenticated, so an attacker cannot even see a resource they have not authenticated to, let alone attack it. This shrinks the attack surface to nearly nothing for unauthenticated parties. It contrasts with a traditional VPN that places a verified user broadly onto a network segment.

Trap Treating a traditional VPN as equivalent to ZTNA - the VPN drops a verified user broadly onto a network segment, whereas SDP keeps each resource hidden and brokers access per request.

2 questions test this
SASE is a delivery architecture for zero trust, not the principle itself

SASE (Secure Access Service Edge) is a cloud-delivered model that converges SD-WAN networking with security functions such as secure web gateway, CASB, and firewall-as-a-service to enforce zero-trust access at the edge near the user. It is a way to deliver zero-trust controls, so adopting the zero-trust principle does not require buying a SASE product, and buying SASE is not the same as having implemented zero trust. Treat SASE as the convergence of networking and security at the edge, not as a synonym for zero trust.

Trap Equating buying a SASE product with having achieved zero trust - SASE is a delivery architecture; the zero-trust principle still has to be designed and enforced.

SDN splits the control plane from the data plane, centralizing risk

Software-defined networking decouples the control plane (the logic deciding where traffic goes) from the data plane (the devices that forward it), centralizing policy in a controller so the network is programmable from one place. This enables consistent, automated segmentation but concentrates risk: compromising the SDN controller compromises the whole network's forwarding decisions, making the controller a crown-jewel asset to protect. SD-WAN applies the same control-plane abstraction across wide-area links and is the networking half of SASE.

A VPC is a logically isolated software-defined network in the cloud

A virtual private cloud (VPC) is the cloud expression of a logically isolated network carved from a provider's shared infrastructure, which you then segment with subnets and security groups. It is software-defined and logical, so the same logical-vs-physical caution applies: isolation is enforced by the provider's software, not by separate hardware you own. You design VPC segmentation the way you would design VLAN and zone boundaries on premises.

Trap Treating VPC isolation as physical, dedicated-hardware separation - it is logical isolation enforced by the provider's software over shared infrastructure, carrying the same caveats as a VLAN.

Multilayer protocols enable tunneling but also let traffic be smuggled

Multilayer protocols such as TCP/IP permit encapsulation, carrying one protocol inside another, which is what makes tunneling and VPNs possible. The same property lets an attacker smuggle disallowed traffic inside an allowed protocol or evade a filter that inspects only the outer layer. Each layer of encapsulation is therefore a layer your controls must be able to inspect through, not assume is benign.

Trap Trusting a filter that inspects only the outer protocol - encapsulation lets disallowed traffic ride inside an allowed protocol, so controls must inspect through each layer.

Converged protocols inherit the data network's threats and must be segmented

Converged protocols carry traditionally separate traffic over the data network: VoIP puts voice on IP, while FCoE and iSCSI put storage traffic onto Ethernet/IP. Once voice or storage rides the data network it inherits every threat of that network, so it must be segmented from general data traffic rather than trusted as a separate medium. Convergence is a reason to add segmentation and inspection, not a reason to assume the carried traffic is safe.

Trap Treating VoIP or iSCSI storage traffic as a trusted, separate medium once it shares the IP network - it now carries the same exposure as any other data traffic and needs segmenting.

Private VLAN isolated ports reach only the promiscuous port, never each other

A private VLAN gives Layer 2 isolation inside one IP subnet. Isolated ports can talk only to promiscuous ports (where the gateway, DHCP, or shared services sit) and never to other isolated or community ports, ideal for multi-tenant or web-server hosting where peers must not see each other but all need the gateway.

Trap VLAN-to-VLAN separation alone does not stop same-subnet peer traffic; that is what isolated private-VLAN ports add.

8 questions test this
VLANs are Layer 2 only; restrict inter-VLAN traffic with a routed firewall, ACLs, or VACLs

VLANs segment broadcast domains at Layer 2 but do nothing to filter traffic routed between them. Unauthorized cross-VLAN reachability means a Layer 3 device is routing without controls; the fix is to route inter-VLAN traffic through a firewall or apply ACLs / VLAN ACLs (VACLs) that default-deny and log, so traffic between segments is explicitly authorized.

Trap Traffic crossing VLANs without passing a router points to a Layer 2 leak (e.g. trunk misconfiguration), but the standard control to enforce policy is still a VACL or routed ACL.

4 questions test this
Pick uRPF mode by routing symmetry: strict for symmetric, loose/feasible for asymmetric

Unicast Reverse Path Forwarding drops spoofed packets by checking the source address against the FIB. Strict mode requires the source route to point back out the arrival interface (best anti-spoofing, symmetric routing only). Loose mode accepts the packet if any route to the source exists, and feasible-path mode accepts it via any valid alternate path, both tolerate the asymmetric routing of multihomed networks.

Trap Strict uRPF will drop legitimate traffic on asymmetric/multihomed links; that is when loose or feasible-path mode is required.

7 questions test this
SDP has three components: Controller, Initiating Hosts, and Accepting Hosts

Per the CSA Software-Defined Perimeter spec, the Controller makes the policy/authentication decisions, Initiating Hosts (clients) request access, and Accepting Hosts (protected resources/gateways) reject all connections until the Controller authorizes them. This delivers zero-trust 'authenticate first, connect second' access.

Trap Resources stay invisible to scanning via Single Packet Authorization (SPA). The Accepting Host stays dark until it receives a valid SPA packet.

4 questions test this
A DMZ sits between two firewalls; DMZ hosts may reach out but never initiate into the internal network

Place public-facing servers (web, mail) in a DMZ between an external and an internal firewall. Permitted flows are external-to-DMZ and internal-to-DMZ; DMZ hosts may only initiate connections outward to the external network, never inward to the internal network, so a compromised DMZ host cannot pivot to internal systems.

5 questions test this

Network Components

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Securing a network component means hardening the hardware layer, not the topology

Network Components owns the physical and near-physical pieces inside a network (power and support, transmission media, the NAC gate, and the endpoint) while segments, zones, and protocol layers belong to Secure Network Architecture. Treat each component as both a defense-in-depth layer and a potential single point of failure, so the goal for each is to make it resilient (keeps working through faults) and trustworthy (only authorized, healthy devices and signals pass). The exam tests these as engineering and operational decisions, not device configuration.

Redundancy runs from N+1 to 2N, and the level is a cost-versus-downtime call

Component redundancy is expressed from N+1 (one spare beyond what the load actually needs) up to 2N, a fully duplicated and independent path with no shared single point of failure. The level you pick is a cost-versus-availability decision driven by the cost of downtime, not a fixed standard, with intermediate options like N+2 or 2N+1. At the device level the same idea appears as high-availability clustering with failover (a partner takes over when the active unit dies) and load balancing (traffic spread so no one device is a bottleneck or sole failure point).

Trap Picking N+1 redundancy believing it removes the single point of failure, when only 2N gives a fully independent path with no shared component to fail.

A UPS bridges seconds to minutes; only a generator survives a prolonged outage

Redundant power is built in order: dual feeds and redundant supplies remove single-feed failure, power conditioning smooths noise and clamps spikes, a UPS (uninterruptible power supply) carries the load on battery through the seconds-to-minutes gap until the generator spins up, and the generator supplies sustained power for a prolonged outage from stored fuel. The UPS is bridge power, not long-run power, so its job is only to keep things alive until the generator takes over.

Trap Installing a larger UPS to ride out a prolonged blackout. More battery still cannot replace a generator, because a UPS only bridges the brief gap until sustained power arrives.

An out-of-support device is an unpatchable vulnerability. Plan its replacement

Once a vendor reaches end-of-life / end-of-support for a device, it stops receiving security patches and firmware, so it becomes an unfixable vulnerability no matter how high its uptime. The security-driven action is to plan the replacement before that date rather than wait for it to fail, which makes support contracts and lifecycle planning security controls, not just procurement hygiene. A maintained warranty matters because it guarantees an SLA-bound response window and a supply of spare parts.

Trap Keeping a high-uptime appliance in service past end-of-support because it still works. Uptime says nothing about whether it can still be patched against new vulnerabilities.

Copper carries electricity, so it radiates, suffers EMI and crosstalk, and attenuates

Twisted-pair copper carries an electrical signal, which has three security consequences: it radiates electromagnetic emanations a nearby attacker can read without touching the wire (the concern behind the U.S. TEMPEST emanation-security program), it is susceptible to electromagnetic interference (EMI) and to crosstalk where one pair's signal bleeds into an adjacent pair, and it attenuates so an unrepeated run is limited to roughly 100 meters. It can also be tapped by splicing the conductor.

Fiber carries light, so it emits nothing, ignores EMI, and is hardest to tap

Fiber-optic cable transmits pulses of light, inverting copper's weaknesses: it emits no electromagnetic signal (nothing to read at a distance), is immune to EMI and crosstalk, carries far greater bandwidth over far greater distance (kilometers for single-mode versus copper's ~100 m), and is the hardest medium to tap because intercepting the light means bending or breaking the fiber, which degrades the signal and is detectable. That makes fiber the strongest confidentiality and availability choice for backbone runs and links crossing space you do not physically control.

Trap Choosing shielded copper (STP) for an eavesdropping-sensitive run because shielding cuts emanation. It still carries an electrical signal and can be spliced, whereas a fiber tap degrades the light and is detectable.

STP and coax reduce EMI but stay electrical and tappable; only the shield differs from UTP

Unshielded twisted pair (UTP) has no electromagnetic shield, while shielded twisted pair (STP) and coaxial cable add a conductive shield that reduces EMI, crosstalk, and emanation at higher cost and stiffness. The shield is the only real difference: all of them still carry an electrical signal that can be tapped by splicing the conductor, so shielding hardens copper against interference and eavesdropping but never makes it tap-proof the way fiber is.

Trap Assuming shielded copper (STP or coax) is tap-proof because the shield blocks emanation, when the conductor still carries an electrical signal that can be spliced.

Cabling is a confidentiality control, so its physical plant is locked and logged

Because the medium itself carries data, its physical security is a control: cabling terminates in the central MDF (main distribution facility) and floor-level IDF (intermediate distribution facility) closets, and an open patch panel is an unmonitored tap onto the network, so those closets are locked, access-logged restricted areas. Runs through uncontrolled space go in locked conduits; NIST calls a hardened wireline/fiber cabling run with electromagnetic, acoustical, and physical safeguards a protected distribution system (PDS). Signal propagation quality (keeping runs within distance limits, away from EMI sources, and properly terminated) is both an availability and an integrity control.

1 question tests this
NAC admits a device only after it answers two questions: who are you and are you healthy

Network Access Control (NAC) is the gate that decides whether a device may join the network at all, and it enforces two independent checks at connection time: authentication (who/what is this device?) and posture assessment (is it healthy?). A device must satisfy both to reach production resources; passing one is not enough. NAC admits devices, which is distinct from Identity & Access Management proving a human user's identity.

Trap Admitting a device the moment it authenticates, when NAC also requires a passing posture check and authentication alone is not enough to reach production.

1 question tests this
802.1X holds the port closed until the supplicant authenticates through the RADIUS server

IEEE 802.1X port-based network access control authenticates a device before its switch port or wireless association opens. Three roles cooperate: the supplicant (software on the connecting device), the authenticator (the switch or access point controlling the port), and the authentication server (typically RADIUS, holding policy and credentials). Until the supplicant authenticates (carried over EAP (Extensible Authentication Protocol)) the authenticator keeps the port closed to everything except the authentication exchange, moving the trust decision to the network edge.

4 questions test this
A device that authenticates but fails its health check goes to a quarantine VLAN, not denied

Authentication proves identity but says nothing about hygiene, so posture assessment separately evaluates patch level, antivirus/EDR state, firewall status, and configuration against policy. A device that authenticates yet fails the health check is steered into a quarantine / remediation VLAN with access limited to what it needs to fix itself (patch and AV servers), then re-checked and admitted once compliant, neither locked out entirely nor let onto production dirty.

Trap Outright blocking a known corporate device that fails its health check. It is owned and authenticated, so the correct move is remediation in a quarantine VLAN, not denial.

4 questions test this
Use agent-based NAC for managed fleets and agentless NAC for devices that can't run an agent

NAC reads posture two ways. Agent-based NAC installs a client (persistent or dissolvable) on the endpoint, giving deep, continuous posture data, the right call for managed corporate devices. Agentless NAC reads the device from the network (scanning, fingerprinting, DHCP/RADIUS attributes) with no software on it, which is the only option for unmanaged, BYOD, or IoT devices that cannot run an agent, at the cost of shallower, point-in-time inspection. Match the method to what you control, not to which inspects more.

Trap Mandating an agent for IoT or BYOD devices to get deeper posture. Those devices often cannot run one, so agentless inspection is the only way to admit them under policy.

2 questions test this
Posture is checked at the door, so strong NAC re-assesses continuously

Posture is assessed at connection time, which means a device healthy when admitted can drift out of compliance afterward, a time-of-check versus time-of-use gap. Strong NAC deployments therefore re-assess continuously rather than only at admission, which is where NAC overlaps with the continuous-verification spirit of zero trust, though the zero-trust model itself belongs to Secure Network Architecture.

Trap Treating the admission-time posture check as sufficient, when a device can drift out of compliance after it is admitted and only continuous reassessment closes the time-of-check to time-of-use gap.

2 questions test this
Hardening reduces attack surface up front via the least-functionality principle

Hardening is the provisioning-time work of removing what an attacker could use: uninstall unnecessary software, disable unused ports and services, close default accounts, and apply a secure configuration baseline such as a CIS Benchmark or DISA STIG. This is the least-functionality principle (configure a system to provide only mission-essential capabilities) and it pays off before any monitoring is installed because fewer enabled features means fewer flaws to exploit.

Trap Reaching for monitoring or detective controls to lower risk when the scenario calls for reducing attack surface up front, since hardening removes the vulnerable feature rather than just watching it.

1 question tests this
A host-based firewall enforces rules at the device, even when network segmentation is bypassed

Where network firewalls and segmentation police traffic between zones, a host-based (personal) firewall enforces traffic rules at the individual device. That keeps a host protected when it is moved to an untrusted network or when internal segmentation is bypassed by a threat already inside. It is a per-device layer that complements the network firewall rather than replacing it.

Trap Treating a host-based firewall as redundant once network segmentation is in place, when it still protects the device on an untrusted network or after internal segmentation is bypassed.

EDR records and analyzes endpoint activity to catch what signature antivirus misses

Traditional antivirus matches files against signatures of known malware and misses novel or fileless attacks. Endpoint Detection and Response (EDR) instead continuously records endpoint activity (process, file, network, and registry events) and applies behavioural analytics to detect, investigate, and respond, giving responders the telemetry to isolate a compromised host and reconstruct what happened. The escalation questions reward: signature antivirus → EDR (behavioural, single endpoint) → XDR / managed detection (correlated across endpoints, network, and cloud).

Trap Reaching for signature antivirus when the scenario describes a novel, fileless, or behaviour-only threat. Signatures only catch known malware, so EDR is the tool that detects and contains the unknown.

The endpoint is the last independent layer, so it must defend itself after the network is crossed

Defense in depth only counts layers that fail independently. NAC controls whether a device joins, segmentation controls where its traffic goes, and endpoint controls protect the device after both have been crossed, which is exactly why endpoint security is not redundant with them. The endpoint terminates the connection and is where most compromise lands, so hardening, a host firewall, and EDR together make it a self-defending last hop rather than a soft target behind the perimeter.

Trap Treating endpoint controls as redundant with NAC and segmentation, when they fail independently and defend the device after both of those layers have already been crossed.

A stateful firewall lets return traffic in via its state table, not an inbound rule

Stateful inspection records each permitted outbound connection (source/destination IP, ports, connection state) in a state table. Reply packets are allowed because they match an existing session entry, and packets that falsely claim to belong to an established connection are dropped because no entry exists. State entries also let the firewall enforce HA failover via session-state replication and expire on idle timeout.

Trap If permitted return traffic is suddenly blocked, the state-table entry likely timed out (idle timeout). For UDP there is no handshake, so the firewall tracks only addresses/ports as a pseudo-session.

10 questions test this
A correct firewall ends in implicit deny. Anything not explicitly permitted is blocked

Best practice is deny-by-default: the firewall blocks all inbound and outbound traffic not expressly permitted by an allow rule, implementing least privilege. This implicit deny sits at the end of the ruleset, so only traffic matching a specific permit statement passes.

Trap Default-deny is the policy; rule ordering is separate. A too-broad permit placed before a specific deny can still let unwanted traffic through despite the final implicit deny.

8 questions test this
Firewall and ACL rules are terminating and evaluated top-down. Order specific before general

Rules are processed sequentially (or by priority, lowest number first) and the first match wins, stopping further evaluation. Place specific rules (e.g. deny a malicious IP) before broader permits, and put high-hit rules early for performance. Layered firewalls also process by rule type (NAT first, then network, then application) so an early network-rule match can prevent Layer 7 application rules from ever running.

Trap A general permit placed above a specific deny silently overrides it; and a network-rule match terminates processing before application-layer filtering applies.

7 questions test this
Signature detection catches known attacks; anomaly detection catches the unknown

Signature-based IDS/IPS matches traffic against a database of known attack patterns, so it has low false positives but cannot see zero-day or novel attacks with no signature. Anomaly-based detection flags deviations from a learned baseline, catching unknown attacks at the cost of more false positives. Combine both for the best coverage; counter known signature evasions with protocol normalization (decode encodings) and packet reassembly (defragment) before matching.

11 questions test this
Anomaly detection only works after a representative training baseline

Anomaly-based detection compares activity to a profile of normal behavior built during a training period. Excessive false positives usually mean the baseline was too short or unrepresentative. Extending the training period to capture more legitimate variation is the fix before disabling alerts.

Trap A dynamic/auto-adjusting profile is exploitable: an attacker can ramp malicious activity slowly so the baseline drifts and accepts it as normal (baseline poisoning).

4 questions test this
Stateful protocol analysis detects protocol misuse using vendor profiles

Stateful protocol analysis tracks the state of network, transport, and application protocols against vendor-developed profiles of how each protocol should behave, flagging deviations such as malformed requests or over-long arguments that span multiple events. It is the most resource-intensive detection method because of the per-session state tracking and deep inspection.

Trap It is not the same as a stateful firewall's connection table. Protocol analysis understands Layer 7 protocol semantics, not just connection state.

4 questions test this
WPA3-Personal uses SAE (dragonfly) to stop offline dictionary attacks and give forward secrecy

Simultaneous Authentication of Equals (SAE), the dragonfly handshake, replaces WPA2's PSK four-way handshake. Because authentication is interactive rather than derived from a captured handshake, attackers cannot run offline password guessing, and SAE provides forward secrecy so a later password compromise cannot decrypt previously captured traffic.

Trap SAE protects the password exchange and gives forward secrecy; protecting management frames against deauth is a separate WPA3 feature (PMF).

5 questions test this
WPA3 makes Protected Management Frames mandatory, blocking deauth/disassociation attacks

Protected Management Frames (PMF, IEEE 802.11w) are mandatory in WPA3 (optional in WPA2). PMF adds integrity protection to management frames so attackers cannot forge deauthentication or disassociation frames to knock clients off the network or force a WPA2 downgrade.

Trap PMF defends management frames; offline-dictionary and forward-secrecy protection come from SAE, not PMF.

4 questions test this
Harden SSH: disable v1, set PermitRootLogin no, use 3072-bit+ RSA keys

SSH v1 has known cryptographic weaknesses, so disable it and use only SSH v2 (modern OpenSSH supports protocol 2 only). Set PermitRootLogin no to force admins to log in as named users and escalate with sudo (accountability + least privilege), and use minimally 3072-bit RSA host keys (CISA/NSA guidance; FIPS requires at least 2048-bit) with SHA-2 signatures.

11 questions test this
Prefer SSH key authentication: PubkeyAuthentication yes, PasswordAuthentication no

Replace passwords with key-based auth by setting PubkeyAuthentication yes and PasswordAuthentication no, which eliminates brute-force password attacks since the private key never crosses the network. Store public keys in the user's ~/.ssh/authorized_keys (recommended 0600), and protect private keys with a passphrase so a stolen key is still useless without it.

Trap If the authorized_keys file, the ~/.ssh directory, or the home directory is group- or world-writable, sshd's StrictModes refuses key auth as a precaution against key injection.

7 questions test this
802.1X dynamic authorization places the same port into a VLAN by identity and posture

After 802.1X authentication, the RADIUS server returns Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID (the VLAN ID) so the switch dynamically assigns the port to a VLAN based on user identity and device compliance. The same physical port can land staff, students/guests, or non-compliant devices in different access levels; a failed or non-compliant device is steered to a guest/auth-fail/remediation VLAN rather than simply denied.

Trap Per-device certificates (not a shared network password) are what bind admission to enrolled, approved devices and stop credential sharing.

6 questions test this

Secure Communication Channels

Read full chapter
  • Pick the channel control whose layer matches the traffic you must cover
  • Encrypt the channel AND mutually authenticate both endpoints, not just one
  • A tunnel VPN leaves data on the client device; it only protects data in transit
  • For untrusted BYOD, present the session with VDI instead of copying data to the device
  • VDI still exposes the rendered screen to screen-scraping and shoulder-surfing
  • A confidentiality requirement forces ESP, never AH
  • IPsec tunnel mode adds an outer IP header and hides the inner addresses; transport mode does not
  • IKE negotiates and maintains the IPsec security associations
  • Map the scenario to gateway-to-gateway, remote-access, or host-to-host VPN
  • The four remote-access methods differ in where the data and app client live
  • An 'SSL VPN' really uses TLS and comes in portal and tunnel forms
  • SSH can tunnel but is less common and harder to operate than IPsec or TLS VPNs
  • Secure VoIP by encrypting signaling with SIP over TLS and media with SRTP
  • Vishing is voice-channel social engineering, defended by process not encryption
  • A legacy PBX/POTS is a physical-access and toll-fraud problem, not a network one
  • Encrypt end-to-end across a carrier's link; do not trust link encryption alone
  • Evaluate a third-party-managed VPN gateway against your own security policy
  • The VPN tunnel protects client-to-gateway, not gateway-to-internal-resources
  • IKE Phase 1 builds the protected channel; Phase 2 negotiates the IPsec SA for data
  • Perfect Forward Secrecy runs a fresh Diffie-Hellman exchange for every SA
  • IKEv2 establishes a tunnel in four messages with built-in NAT traversal

Unlock with Premium — includes all practice exams and the complete study guide.

Identity & Access Management

Access Control

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Access control is one process governing both information and physical facilities

Access control is the process of granting or denying specific requests to obtain and use information and processing services, and to enter specific physical facilities. The reason it spans both is that a request to read a file and a request to badge into a data center are the same kind of event: each is evaluated against an authorization decision before the resource is reached. So a security leader runs one access program with one control vocabulary, not separate logical and physical regimes that can leave one surface open.

Trap Treating logical access control and physical access control as two unrelated programs governed by separate teams and policies, when CISSP frames them as one access-control process applied to different surfaces.

A subject is the requester; an object is the thing being protected

The subject is the active entity requesting an operation (usually a user, but possibly a process or device acting for one); the object is the passive entity being protected from unauthorized use: a file, record, device, process, facility, or service. The distinction is load-bearing because the authorization models are defined by who controls the subject-to-object permission, so mislabeling the data as the subject inverts the whole picture.

Trap Treating the data or resource as the subject. The data is the object; the subject is whoever or whatever is requesting access to it.

Every access reduces to subject, object, and an access-control system between them

Between the subject and object sits the access-control system: a policy stating allowable operations, a decision point that evaluates each request against that policy, and an enforcement point that admits or blocks it. This model is universal: identification, authentication, authorization, and accountability are stages within that decision, and DAC/MAC/RBAC/ABAC are simply different policies the decision point applies. Anchoring every mechanism to a place in this picture is what keeps the IAM domain coherent.

Trap Confusing the policy decision point that evaluates a request with the policy enforcement point that admits or blocks it. The PDP decides, the PEP enforces, and conflating them obscures where a control actually lives.

AAA runs in fixed order: identify, authenticate, authorize, then account

An access decision proceeds as identification (the subject claims an identity), authentication (it proves the claim with one or more factors), authorization (the now-proven subject is granted specific operations on the object), and accountability (the action is logged and attributed). The first three are the classic AAA triad; accountability is the fourth pillar that makes them auditable. The order is not arbitrary: it is strictly forward-dependent.

Trap Reading the AAA triad as authentication, authorization, accounting and dropping identification, or reordering the stages. Identification must precede authentication, which must precede authorization, which must precede accountability.

You cannot authorize an identity you have not authenticated

Authorization decides what a subject may do, but only after authentication has proven the subject is who it claims to be. Granting permissions to an unproven claim is precisely the gap that impersonation exploits, which is why authentication always precedes authorization in the sequence. Identification merely asserts an identity; it carries no trust until authentication validates it.

Trap Treating a presented identifier (a username or claimed identity) as sufficient to grant access. Identification asserts who you are but proves nothing, so authorization must wait until authentication validates the claim.

Accountability requires unique identification, so shared accounts defeat it

Accountability is the ability to tie an action back to one individual through logging, and it depends on each subject having a unique, authenticated identity. When several people share one credential, the logs attribute every action to the account rather than to a person, so attribution (and therefore accountability) is lost. A scenario demanding traceability to an individual must use unique identities, not a strong password on a shared account.

Trap Hardening a shared account with a stronger password or MFA to satisfy an accountability requirement. Strength does not restore attribution; only unique per-person identities do.

Default-deny means a policy gap is safe, not permissive

A sound access posture starts closed: absent an explicit grant, the request is denied (default-deny, also called fail-closed). The benefit is that a missing or incomplete policy results in no access rather than open access, so gaps fail safe instead of exposing the asset. New systems and new rules should therefore inherit a deny baseline before any allow is added.

Trap Assuming an unconfigured or undefined access rule defaults to allow. A secure access-control system denies by default, so the absence of a grant is a denial.

1 question tests this
Privilege creep is a least-privilege failure fixed by access reviews, not stronger auth

When subjects change roles and keep their old access, permissions accumulate beyond what any current task needs: privilege creep, a direct violation of least privilege. The remedy is periodic access reviews and recertification that strip access no longer justified, plus removing access at role change. Stronger authentication does not help, because the problem is excess authorization, not a weak login.

Trap Reaching for stronger authentication or more frequent password changes to fix privilege creep. The defect is accumulated authorization, remedied by access reviews and recertification, not by a tougher login.

1 question tests this
Controls are classified on two independent axes: function and type

Any access control carries one label for what it does (function) and one for how it is implemented (type), and the two are independent. Function is preventive, detective, or corrective; type is administrative, technical (logical), or physical. A question asking to categorize a control is testing whether you can place it on the correct axis, so read whether the stem wants function or type before answering.

Trap Answering with a function label (e.g. preventive) when the stem asks for the implementation type (e.g. physical), or vice versa. The answer set deliberately mixes the two axes.

Preventive stops before, detective reveals after, corrective restores after

On the function axis, a preventive control stops an unwanted action before it happens (a lock, a deny rule, separation of duties); a detective control reveals an action after it happens (an access log, IDS alert, CCTV recording); and a corrective control restores the expected state after an incident (revoking a credential, restoring from backup). The defining question is timing relative to the event: before, after-to-reveal, or after-to-restore.

Trap Picking a stronger preventive control (a better lock) when the stem asks what would best detect access after the fact. Detection calls for a log, review, or alert, not prevention.

Administrative, technical, and physical name how a control is implemented

On the implementation-type axis, administrative (managerial) controls are policies, procedures, standards, training, and screening; technical (logical) controls are software and hardware mechanisms such as authentication, access-control lists, and encryption; physical controls are tangible barriers such as locks, fences, mantraps, guards, and badge readers. NIST SP 800-53 organizes safeguards into families and tags each as managerial, operational, or technical: the same dimension.

Trap Classifying a security-awareness training program or background screening as a technical control because it concerns computer use. Staffing, training, and policy are administrative controls regardless of what they govern.

One mechanism carries one label per axis, so the same control is named twice

Because the two axes are independent, a single mechanism is described by both at once. A badge reader at a door is a preventive, physical control; the recording it feeds is a detective, physical control; the policy requiring badges is a preventive, administrative control. So the correct answer often depends entirely on which axis the question is probing, not on the mechanism alone.

Trap Assuming a mechanism has only one fixed category, so that a CCTV camera is always just detective. The same device can be deterrent, preventive, or detective depending on which axis and role the stem is asking about.

Defense in depth layers controls across functions and types

Defense in depth deliberately spreads controls across different functions and implementation types so no single failure exposes the asset: for example a preventive technical control (authentication) backed by a detective technical control (logging) and a preventive physical control (a locked room). The two-axis classification is useful precisely because it shows which cells of the grid are not yet covered. Layering, not any one perfect control, is the goal.

Trap Treating several instances of the same control (more firewalls, more passwords) as defense in depth. Layering means diverse controls across different functions and types, not redundant copies of one mechanism.

Logical and physical objects need the same access process on different surfaces

A logical object (record, application, service, API) is reached through software, so its enforcement is a technical control; a physical object (building, cage, equipment) is reached through space, so its enforcement is a physical control. An asset with both attack paths (a server holding regulated data in a colocation cage) must be protected on both surfaces at once. Securing only one surface leaves the other fully open.

Trap Assuming strong logical controls (encryption, authentication) on a server make its physical placement irrelevant. An attacker with physical access to the cage bypasses or undermines the logical surface, so both must be enforced.

RFID asset tracking: metal causes interference, passive tags can't protect data, segment the readers

In metal-dense data centers, detuning and multipath interference cause RFID false positives and negatives, addressed with anti-metal tags plus power-mapping to find dead zones. Passive tags have too little compute/storage to support authentication or encryption, leaving them open to eavesdropping and cloning (replica tags that fool the reader); active tags can carry mutual authentication. NIST advises firewalling RFID databases off from other IT systems so IP-enabled readers can't become a network entry point.

Trap assuming passive RFID tags can be secured with encryption/authentication, or ignoring metal-environment interference

8 questions test this

Identification & Authentication

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Identification is a claim; authentication is the proof. They are separate, ordered steps

Identification is presenting an identifier the system already knows (a username, account number, employee ID), and it carries no trust on its own because an identifier is usually public and guessable. Authentication is then proving that the claimed identity belongs to you by presenting evidence the system can verify. The exam tests these as distinct, ordered steps: you identify first, then authenticate, and only a proven identity feeds authorization.

Trap Treating a presented username, email, or account number as having authenticated the subject. An identifier is a public claim, never proof.

Keep the chain straight: identify, authenticate, authorize, account

The full access sequence is identification (claim who you are) then authentication (prove it) then authorization (decide what the proven subject may do) then accounting/auditing (the logged record tying actions back to the identity). Accounting is what makes accountability and ultimately non-repudiation possible. The chain only holds if the first links are sound, because a weak authentication step makes every downstream authorization decision and audit record attribute actions to the wrong person.

Trap Placing authorization before authentication, or treating accounting as an optional add-on rather than the link that delivers accountability and non-repudiation.

Authentication evidence comes in three classic factor types: know, have, are

The three classic factors are something you know (a password, PIN, or passphrase; NIST's neutral term is a memorized secret), something you have (a token, smart card, registered phone, or FIDO2 key; a possession factor), and something you are (a biometric such as fingerprint, iris, face, or voice; an inherence factor). Two weaker modern categories are sometimes added: somewhere you are (geolocation/network context, useful as a risk signal in adaptive authentication) and something you do (behavioral biometrics like keystroke dynamics).

Trap Classifying 'somewhere you are' (location) as one of the three classic factors, when the canonical three are only know, have, and are.

2 questions test this
Multi-factor authentication is defined by combining different factor CATEGORIES, not by counting secrets

MFA requires evidence from two or more different factor categories, so a password plus a one-time code from a possession device (know + have) is genuine two-factor. Stacking two secrets of the same category is still single-factor no matter how many you add. This is the single most-tested distinction in the subtopic because candidates instinctively count secrets instead of categories.

Trap Calling a password plus a security question (or password plus PIN) multi-factor. Both are 'something you know,' so it is still single-factor.

4 questions test this
A leaked biometric cannot be revoked the way a password or token can

Each factor type fails differently, which is why a leader combines categories so one breach does not defeat the whole login. Knowledge factors are phished, guessed, reused, and shared; possession factors are lost, stolen, or cloned; inherence factors carry a unique liability: a compromised biometric template cannot be revoked or reissued because you cannot change your fingerprint. That irrevocability is why biometrics are usually paired with a possession factor (a fingerprint unlocking a key on a device) rather than used as the sole credential.

Trap Assuming a compromised biometric can simply be reset or reissued like a leaked password or replaced token, when the trait itself cannot be changed.

A false ACCEPT is the security-critical biometric error, not a false reject

A biometric matcher can fail two opposite ways. A false accept admits an impostor and is the Type II error, measured as the False Acceptance Rate (FAR); a false reject wrongly denies a legitimate user and is the Type I error, measured as the False Rejection Rate (FRR). The false accept is the security breach because an impostor has been authenticated as someone else, while a false reject is merely an inconvenience the user retries, so a security-conscious deployment accepts a higher FRR to keep FAR low.

Trap Swapping the Type numbers. False accept is Type II / FAR, false reject is Type I / FRR; the exam reverses them to catch you.

4 questions test this
Compare biometric systems by the lower Crossover Error Rate (CER / EER)

Because FAR and FRR both depend on the matching threshold and trade off against each other, you cannot compare two systems by quoting one rate. The single comparison metric is the Crossover Error Rate (CER), also called the Equal Error Rate (EER): the threshold setting where FAR equals FRR. A lower CER means a more accurate system overall, independent of how any one deployment is tuned, so the more-accurate system is the one with the lower CER.

Trap Claiming a low FRR alone proves a system is more accurate. Only the CER compares systems independent of how the threshold is tuned.

4 questions test this
Tightening the matcher lowers FAR but raises FRR. You cannot minimize both at once

FAR and FRR are linked by one tunable threshold and move in opposite directions: tighten the matcher and false accepts fall while false rejects rise; loosen it and the reverse happens. On a fixed system you choose where on the curve to sit, not how to zero out both. A separate enrollment metric, the failure-to-enroll rate (FER), counts users whose trait cannot be captured well enough to enroll at all: a usability and inclusivity concern distinct from the two matching errors.

Trap Loosening the threshold to drive false rejects to zero so users stop being annoyed. That raises FAR, the security-critical error, and is the wrong call for a high-security gate.

7 questions test this
Identity proofing runs resolution, validation, then verification, before any credential is issued

Identity proofing (also called registration or enrollment), governed by NIST SP 800-63A, establishes the real-world identity before an authenticator is bound to it. It has three ordered steps: resolution uniquely distinguishes the person within a population, validation confirms the presented evidence is genuine and current against its issuing source, and verification binds the live person to that validated evidence (e.g. by biometric or physical comparison). Strong authentication on a weakly-proofed account is worthless because you are confidently authenticating the wrong person.

Trap Reordering the steps so verification (binding the live person) comes before validation (confirming the evidence is genuine), when validation must establish the evidence is real first.

Identity Assurance Level (IAL) grades how rigorously the identity was proofed

IAL measures proofing rigor under NIST SP 800-63A: IAL1 attributes are self-asserted with no evidence, IAL2 requires validated evidence collected remotely or in person, and IAL3 requires in-person or supervised-remote proofing by an authorized representative. The higher the IAL, the more confident you are that the account maps to a real, distinct person. IAL governs enrollment, not the strength of any individual login.

Trap Treating IAL as a measure of how strongly the user logs in, when IAL grades proofing rigor at enrollment and AAL grades login strength.

Authenticator Assurance Level (AAL) grades login strength and is set independently of IAL

AAL, defined in NIST SP 800-63B, grades how strongly the login proves possession of the authenticator: AAL1 permits single-factor, AAL2 requires two distinct factors and approved cryptography, and AAL3 requires a hardware-based authenticator plus verifier-impersonation (phishing) resistance proven by possession of a cryptographic key. The exam-critical point is that IAL and AAL are independent: a self-asserted IAL1 account can still demand AAL2 login, and an IAL3-proofed identity can carry an AAL1 credential.

Trap Assuming a strong login (AAL3) implies a well-proofed identity (IAL3) or vice versa. They are set separately from the transaction's risk.

AAL3 requires a hardware authenticator AND verifier-impersonation resistance

AAL3 is the phishing-resistant tier: it demands a hardware-based authenticator and proof against verifier impersonation, demonstrated by proving possession of a cryptographic key through a protocol bound to the verifier. A software-only or push-approval second factor does not reach AAL3 because it can be relayed by an attacker-in-the-middle. When a stem requires resistance to credential phishing or verifier impersonation, the answer points to a hardware FIDO2/WebAuthn authenticator.

Trap Picking a push-approval or app-generated TOTP second factor as AAL3-compliant, when those can be relayed by an attacker-in-the-middle and only a hardware key bound to the verifier qualifies.

4 questions test this
Passwordless FIDO2/WebAuthn binds the credential to the origin, so a phished credential cannot be replayed

Passwordless authentication replaces the memorized secret with a possession factor: a cryptographic key held in a hardware authenticator or device secure element, typically unlocked locally by a biometric or PIN so the biometric authorizes local use and never travels. FIDO2/WebAuthn is the canonical model: the private key never leaves the authenticator and each credential is bound to a specific relying-party origin, so a signature captured on a look-alike phishing site will not validate against the real origin. This origin-binding is exactly the verifier-impersonation resistance NIST requires at AAL3.

Trap Assuming the local biometric or PIN that unlocks a FIDO2 authenticator is transmitted to the server, when it only authorizes local key use and never travels off the device.

8 questions test this
NIST now discourages forced periodic password expiry and composition rules

Modern NIST SP 800-63B guidance overturns two legacy password habits: verifiers should not force memorized secrets to be changed arbitrarily (e.g. periodically) but must force a change on evidence of compromise, and they should not impose composition rules requiring mixed character classes. Instead, screen candidate passwords against lists of known-compromised secrets and allow long passphrases. When a stem asks the BEST modern password practice, the breach-list-screening answer beats the old rotation/composition habits.

Trap Choosing '90-day rotation' or 'mandate mixed character classes' as best practice. NIST now advises against both absent evidence of compromise.

3 questions test this
NIST classifies SMS/PSTN one-time codes as a RESTRICTED authenticator

One-time codes delivered over SMS or the public telephone network are usable but RESTRICTED under NIST SP 800-63B because of SIM-swap and number-porting risk; a verifier using them must warn subscribers and offer a non-restricted alternative. SMS codes also provide no phishing resistance, so they are the wrong answer when a question asks for verifier-impersonation-resistant or AAL3 authentication. Treat SMS OTP as a weak possession factor, not a phishing-resistant one.

Trap Offering an SMS one-time code as a phishing-resistant or AAL3 answer, when it is a RESTRICTED authenticator exposed to SIM-swap and provides no verifier-impersonation resistance.

Session management bounds how long a single authentication stays valid

A successful authentication produces a session that must not live forever, because a long-lived session is an authentication that can be hijacked long after the user left. NIST SP 800-63B sets concrete bounds tied to AAL: at AAL2, reauthenticate at least every 12 hours regardless of activity and after 30 minutes of inactivity (a single factor may resume); at AAL3 the inactivity limit tightens to 15 minutes and resuming the session requires both factors. Sound session management also means binding the session to the subject, regenerating the session identifier on privilege change, and invalidating it server-side on logout.

Trap Allowing a single factor to resume an AAL3 session after inactivity, when AAL3 tightens the inactivity limit to 15 minutes and requires both factors to resume.

1 question tests this
Single sign-on trades reduced password fatigue for concentrated blast radius

SSO lets a user authenticate once to a central identity provider and reach many connected applications without re-entering credentials, which reduces password fatigue, centralizes MFA enforcement, and gives one switch to disable an account everywhere on termination. Its risk is concentration: a stolen SSO session is access to every connected system at once, which is why SSO is always paired with strong authentication at the identity provider and disciplined session controls. The wire protocols that carry SSO assertions belong to authentication-systems; this subtopic owns the strategy and the risk trade-off.

Trap Selecting SSO as a control that reduces the blast radius of a credential compromise, when it concentrates risk so one stolen session reaches every connected system.

3 questions test this
Just-in-time provisioning issues short-lived credentials so there is no standing target

A credential management system governs the full authenticator lifecycle: issuance, binding to a proofed identity, renewal, rotation, suspension, and revocation. The lifecycle principle a leader applies is to minimize standing credentials: just-in-time (JIT) provisioning grants access only at the moment of need and for a bounded time, so no long-lived privileged credential sits idle to be stolen. JIT is most valuable for privileged or rarely-used access, where a standing administrator credential is a high-value, always-available target.

Trap Issuing a permanent standing administrator credential and relying on rotation alone, when JIT provisioning removes the always-available target entirely.

Regenerate the session ID at login to defeat session fixation

Session fixation occurs when an application keeps the same session identifier before and after authentication, letting an attacker who planted or knows the pre-login session ID ride the authenticated session. The mandatory remediation is to generate a fresh session ID immediately upon successful authentication, invalidating any pre-set value.

Trap confusing session fixation (reuse of a pre-set ID) with session hijacking of a token already in use

4 questions test this
Use a slow memory-hard KDF, and store any pepper in an HSM/vault separate from the database

Salting (a unique per-password random value stored with the hash) defeats precomputed rainbow tables but not targeted cracking. For offline-cracking resistance use a deliberately slow function: Argon2id (memory-hard, resists GPU/ASIC) when there is no FIPS constraint, or PBKDF2 with HMAC-SHA-256 at a high iteration count when FIPS-140 validation is required. A pepper is a single secret shared across all hashes, so it must live in an HSM or secrets vault, never alongside the password database.

Trap storing the pepper with the hashes like a salt, or picking a fast general-purpose hash (MD5/SHA-256) instead of a tuned KDF

6 questions test this
Sessions end at whichever timeout hits first; zero trust adds continuous evaluation

Configure both an inactivity timeout and an overall (absolute) reauthentication timeout; the session terminates when either limit is reached first. NIST SP 800-63B sets AAL2 limits of reauthentication at least once every 12 hours regardless of activity, and reauthentication after any inactivity period of 30 minutes or longer. Beyond static timers, zero trust uses continuous access evaluation, reassessing session validity at each access point on live risk signals.

Trap treating the two timeouts as alternatives (only one applies) or relying on static timeouts alone under a zero-trust mandate

3 questions test this

Federated Identity

Read full chapter
  • Federation lets an RP accept the authentication a separate organization's IdP performs
  • Identity provider asserts, relying party consumes: the two federation roles
  • Federation is SSO across an organizational boundary; plain SSO stays in one domain
  • The RP must validate the assertion signature against the IdP's pre-registered key
  • Audience restriction stops an assertion for one RP being replayed at another
  • Release only the attributes each RP needs: minimize what the IdP shares
  • On-premises, cloud IDaaS, and hybrid are deployment choices, not different trust models
  • On-premises federation keeps the IdP and directory inside the perimeter
  • Cloud IDaaS outsources the IdP but adds a third party to the trust chain
  • Hybrid keeps the on-prem directory authoritative while a cloud IdP brokers federation
  • Federating concentrates risk in the IdP: its compromise impersonates everyone everywhere
  • The IdP's concentration is also the benefit: one place to deprovision everywhere
  • Protect the IdP signing key in hardware and rotate it
  • A federation contract does not substitute for technically verifying and monitoring the IdP
  • A federated assertion proves earlier authentication, not present authentication
  • NIST SP 800-63C grades assertion protection as a Federation Assurance Level (FAL)
  • Don't federate when there is no boundary or no trustworthy IdP
  • OIDC ID-token validation: verify signature, audience, issuer, and nonce
  • Federated ABAC requires mapping partner attribute schemas to a common meaning

Unlock with Premium — includes all practice exams and the complete study guide.

Authorization Mechanisms

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Authorization decides what an already-authenticated subject may do

Authorization is the access decision a system makes after authentication has proven the subject's identity, determining whether that subject may take a requested action on an object. Authentication answers who you are; authorization answers what you may do. A scenario where a logged-in user still cannot open a resource is an authorization problem, not an authentication one.

Trap Treating a denied-access-after-login symptom as a failed login. The identity was already proven, so the fix is the authorization policy, not the credential.

The reference monitor enforces the policy; the model only defines the rules

A security model such as RBAC, MAC, or ABAC is a set of access rules and does not enforce anything by itself: enforcement is the job of the reference monitor, the conceptual mediator that must be always invoked (non-bypassable, giving complete mediation), tamperproof, and verifiable. Every authorization model assumes some reference-monitor implementation underneath it. Distinguishing the rule set from its enforcer is a recurring exam framing.

Trap Picking the access model itself as what enforces the decision when a question asks for the always-invoked, tamperproof mediator; the model is only the rule set, and the reference monitor is the enforcer.

The authorization models differ on who holds the discretion to set the permission

The single discriminator that separates the models is who decides the permission and on what basis: the owner (DAC), the system via labels (MAC), an administrator via roles (RBAC), an administrator via global rules (rule-based), a policy over attributes (ABAC), a live risk score (RAdAC), or a time-boxed grant at moment of need (JIT). Identifying who owns the decision in a scenario resolves most model-selection questions. Reading each model as an answer to who-decides-and-how keeps similar choices distinct.

DAC lets the resource owner grant access at their discretion via ACLs

Discretionary access control puts the access decision in the hands of the object's owner, who grants or revokes permissions, typically through an access control list attached to the object enumerating which subjects get read, write, or execute. Standard commercial operating-system file permissions are DAC. Its weakness is structural: any owner can pass access to anyone, so a compromised owner or a Trojan running with the owner's rights can leak data, which is why DAC is unsuitable for data that must be protected regardless of an owner's choices.

Trap Choosing DAC when the requirement says data must be protected regardless of the owner's wishes. Owner discretion is exactly what that requirement forbids.

5 questions test this
MAC enforces access from system-set labels and clearances that no owner can override

Mandatory access control removes owner discretion: the system decides access by comparing a subject's clearance against an object's classification under a central policy that not even the data's creator can override. This is the model for classified, military, and multilevel-secure systems holding data at several sensitivities at once. The exam tell is system-enforced labels plus the explicit absence of owner control.

Trap Confusing MAC with DAC because both deal with file access. The discriminator is discretion: MAC is system-enforced and non-overridable, DAC is owner-controlled.

3 questions test this
A security label is machine-enforced; a security marking is human-applied metadata

MAC runs on labels, not markings: a security label is the machine-readable association between a sensitivity level and a subject or object that the system parses and enforces, whereas a security marking is human-applied metadata that informs people but is not self-enforcing. Marking is human-enforced; labeling is system-enforced. MAC's mechanism depends on labels because the reference monitor must read sensitivity programmatically to mediate every access.

Trap Assuming a human-applied marking is what the reference monitor mediates on; only a machine-readable label is system-enforced, whereas a marking merely informs people.

Bell-LaPadula is MAC's confidentiality model: no read up, no write down

The formal confidentiality model behind MAC is Bell-LaPadula, whose Simple Security Property forbids reading above one's clearance (no read up) and whose Star property forbids writing below one's level (no write down), so classified data cannot flow down to a lower classification. For the authorization decision, the practical takeaway is that MAC enforces these label comparisons; the lattice mathematics itself is studied under security models. The pairing of 'no read up' with 'no write down' is the most testable detail.

Trap Swapping the two rules: 'no write down' is the Star property (protects against leaking down), and 'no read up' is the Simple Security Property; reversing them is a classic distractor.

3 questions test this
Even MAC can leak through covert channels by inference

Mandatory access control constrains explicit information flows between labels but does not stop covert channels, where higher-classified information is deduced by combining lower-classified observations. Labels govern direct access, not every inference a subject can draw. This is why a multilevel system needs covert-channel analysis beyond its label policy, and why 'MAC fully prevents data leakage' is an overstatement.

Trap Assuming label enforcement alone makes a multilevel system leak-proof; MAC controls explicit flows but not covert channels or inference, which need separate analysis.

RBAC assigns permissions to roles that mirror job functions, and users inherit them

Role-based access control grants permissions to roles modeled on job functions, and a subject acquires exactly the permissions of the roles they are assigned, nothing more. The administrative payoff is scale: a hire, transfer, or departure is handled by changing role assignments rather than editing thousands of individual permissions, making RBAC the default for large enterprises with stable job functions. Managed by role, it is also the natural control against privilege creep when assignments are reviewed.

Trap Assigning permissions directly to individual users and calling it RBAC; in RBAC permissions attach to roles and users inherit them through role membership, never via one-off grants.

1 question tests this
RBAC role hierarchies and separation-of-duty constraints are part of the standard model

The authoritative RBAC standard (ANSI/INCITS 359) defines role hierarchies, where senior roles inherit the permissions of junior roles, and separation-of-duty constraints, which forbid one user from holding a conflicting pair of roles such as create-vendor and approve-payment. Separation of duty can be enforced statically at assignment time or dynamically at role-activation time. These constraints are how RBAC encodes least privilege and anti-fraud controls beyond simple role assignment.

Trap Treating separation of duty as only an assignment-time check; RBAC also supports dynamic SoD enforced at role-activation time, so a user may hold conflicting roles but not activate both at once.

10 questions test this
Rule-based access control applies the same global conditions to everyone, ignoring identity

Rule-based access control decides by whether a request matches a global rule, applied uniformly to all subjects regardless of who they are: a firewall ACL like 'deny inbound port 23 from any source' or a 'no logins outside business hours' policy gates everyone identically. Its defining trait is that the decision does not depend on the subject's identity, only on the request matching a rule. That identity-independence is the discriminator separating it from role-based control.

Trap Mistaking rule-based for role-based because the acronyms rhyme. Role-based decides by who you are (your role), rule-based decides by what the request is, ignoring identity entirely.

ABAC evaluates a policy over subject, object, action, and environment attributes

Attribute-based access control makes the decision by evaluating a policy over attributes of four categories: the subject (clearance, department), the object (classification, type), the action (read vs. delete), and the environment (time, location, device posture). Combining many attributes in one rule makes ABAC the most granular and dynamic model, able to express decisions like 'a nurse may read records of patients on her ward, on a managed device, during her shift' without RBAC's role explosion. NIST frames RBAC and ABAC as complementary, with a role usable as one attribute among many.

Trap Treating ABAC and RBAC as mutually exclusive; NIST frames them as complementary, with a role usable as just one subject attribute inside an ABAC policy.

5 questions test this
ABAC and zero trust enforce via a Policy Decision Point and Policy Enforcement Point

ABAC and zero-trust authorization are architected around two components: a Policy Decision Point (PDP) that evaluates the policy against the request's attributes and returns a verdict, and a Policy Enforcement Point (PEP) that actually allows or blocks the access. Separating the decision from the enforcement lets one policy engine govern many enforcement points. The PDP/PEP split is the same pattern NIST SP 800-207 uses for zero-trust access.

Trap Swapping the PDP and PEP roles; the PDP evaluates the policy and returns the verdict, while the PEP is the component that actually allows or blocks the access.

7 questions test this
Risk-based (RAdAC) access adapts the decision to a live risk score within a session

Risk-adaptive access control computes a real-time risk score from contextual signals (device health, anomalous location, behavior deviation, sensitivity of the request) and adapts the decision moment to moment: permit, deny, or step up to additional authentication. Its distinguishing property is adaptivity within a single session: the same user with the same role can be allowed one moment and challenged the next because the computed risk changed. RAdAC is typically realized as ABAC with risk treated as a first-class environmental attribute, underpinning adaptive authentication and zero-trust designs.

Trap Reading RAdAC as a one-time decision fixed at login; its defining trait is re-evaluating risk within a live session, so access can change moment to moment for the same user.

2 questions test this
Just-in-time access grants privilege only for the task and revokes it automatically

Just-in-time access control grants elevated or privileged rights only for the duration of a specific task and removes them automatically afterward, so accounts hold no standing privilege for an attacker to hijack. It is least privilege applied to time and the foundation of zero standing privilege, where a privileged role carries no rights at rest until a scoped, time-boxed, usually approved activation. JIT layers over whatever base model is in use, shrinking the exposure window rather than changing who may decide access.

Trap Believing permanent least-privilege admin roles solve the standing-privilege risk. A never-revoked role is still standing privilege; JIT's point is to remove the standing part, not just shrink the role.

3 questions test this
Least privilege caps the maximum; need-to-know decides which specific data within it

Least privilege restricts each entity to the minimum access required to accomplish its assigned tasks, and need-to-know is least privilege applied to information: a clearance sets the ceiling of what a subject could see, and need-to-know decides which specific data within that ceiling they actually require. The two work together: a Top Secret clearance does not grant access to every Top Secret document, only those the subject needs. Every authorization model is a mechanism for implementing least privilege.

Trap Assuming a clearance level alone grants access to all data at that level; clearance sets the ceiling, but need-to-know still gates which specific items the subject may see.

ABAC, RAdAC, and JIT extend an underlying model rather than replace RBAC

The modern models are additive, not rival: ABAC adds attribute-level granularity, RAdAC adds session-level adaptivity, and JIT adds a time limit, each layered on top of an underlying grant rather than substituting for RBAC or MAC. Treating them as mutually exclusive alternatives misreads how real systems combine them, e.g., roles expressed as ABAC attributes, with JIT controlling when privileged roles activate. The exam contrasts them on their distinct contribution, not as either/or.

Trap Reading ABAC, RAdAC, and JIT as either/or replacements for RBAC; they are additive layers that combine, such as roles expressed as ABAC attributes with JIT gating activation.

ABAC roles: PIP supplies attributes, the Context Handler orchestrates, obligations are mandatory

In an ABAC/XACML pipeline the Policy Information Point (PIP) acts as the source of attribute values the PDP lacks, drawn from directories and other sources, and the Context Handler coordinates the workflow, building the request context and requesting attributes from the PIP. The PDP returns Permit/Deny plus directives: an obligation MUST be carried out by the PEP (which denies access if it cannot discharge it), while advice MAY be safely ignored; if required attributes cannot be obtained the decision is Indeterminate.

Trap confusing the PIP (fetches attributes) with the PDP (decides) or treating advice as mandatory like an obligation

11 questions test this
ABAC cures RBAC role explosion by deciding on attributes at request time

Role explosion happens when an organization mints thousands of narrow roles to cover every combination of department, location, time, and project. ABAC eliminates this by evaluating subject, object, and environment attributes dynamically at access time, so no capability has to be pre-assigned to a subject or role before the request, collapsing many static roles into a few attribute policies.

Trap trying to fix role explosion by adding still more fine-grained RBAC roles instead of switching to attribute-based decisions

5 questions test this
Capability tables are matrix rows (subject-centric); ACLs are matrix columns (object-centric)

An access control matrix can be stored two ways: a capability table is a row attached to a subject listing every object it may access, so it answers 'what can this user reach?' efficiently. An ACL is a column attached to an object listing every subject that may access it, so it answers 'who can reach this file?' and makes object-centric revocation/decommissioning simple.

Trap swapping the two: ACLs are object-centric (columns), capability tables are subject-centric (rows)

9 questions test this
In DAC/ACL systems, explicit deny beats group allow, and the creator owns the object

ACL evaluation is order-sensitive: an explicit deny ACE for an individual overrides an allow granted via group membership (canonical order: explicit deny, explicit allow, inherited deny, inherited allow). Under DAC the creator of a new object becomes its owner regardless of the parent's owner. On Windows the DACL holds the access permissions while the SACL configures audit logging of access attempts.

Trap assuming a group allow grants access despite an individual explicit deny, or confusing the DACL (permissions) with the SACL (auditing)

4 questions test this

Identity Provisioning Lifecycle

Read full chapter
  • Match an account's privileges to its holder's current role across the whole joiner-mover-leaver lifecycle
  • Provision joiners at least privilege, not pre-loaded with access they might need later
  • On transfer, re-baseline access to the new role instead of adding to the old set
  • Deprovision on termination immediately: the leaver step is the most time-sensitive in the lifecycle
  • Disable access first, then delete the account on a later schedule
  • A periodic access review recertifies that every account still needs every privilege it holds
  • The resource or data owner recertifies access, not IT operations or security
  • Privilege creep is fixed by the mover control and access reviews, not by stronger authentication
  • Control privileged access with PAM: just-in-time elevation, vaulted credentials, recorded sessions
  • Auditing sudo turns shared root power into individual accountability
  • A break-glass account is for genuine emergencies only, and every use must alert and be reviewed
  • Service accounts need a named human owner, least privilege, and the same periodic review as users
  • Prefer eliminating a service account's static secret over storing one; if unavoidable, vault and rotate it
  • Personnel security decides whether to trust a person; the provisioning lifecycle is the machinery that grants the access
  • Role definition belongs to the business; review roles so the role itself doesn't become over-broad
  • SCIM provisions and deprovisions; SAML JIT can only create/update, never deactivate
  • Birthright access is auto-granted by role; HR-driven joiners are pre-staged disabled until start date
  • Scale JIT provisioning by mapping policies from CMDB asset metadata, not manual entry
  • Access reviews must be owner-driven, risk-prioritized, and guard against rubber-stamping

Unlock with Premium — includes all practice exams and the complete study guide.

Authentication Systems

Read full chapter
  • An authentication protocol transports a verifiable artifact so the resource trusts the authority instead of re-checking the credential
  • Kerberos issues tickets from a central KDC so the password never crosses the network on each access
  • The KDC has two parts: the AS authenticates the user, the TGS issues per-service tickets
  • A TGT proves identity to the KDC; a service ticket proves authorization to one service
  • Kerberos timestamps every ticket, so it depends on synchronized clocks to reject replays
  • Kerberos provides mutual authentication, so the client verifies the server too
  • The KDC is a single point of failure: compromise it and an attacker forges tickets for anyone
  • SAML carries a signed XML assertion from an IdP to an SP for browser-based web SSO
  • SAML fits browser web SSO but is heavyweight for mobile and API clients
  • OAuth 2.0 delegates authorization; it does not authenticate the user
  • OpenID Connect is an authentication layer on top of OAuth 2.0 that adds an ID token
  • RADIUS and TACACS+ both centralize AAA, but four properties separate them
  • RADIUS runs over UDP and encrypts only the user's password, leaving the rest of the packet in cleartext
  • RADIUS combines authentication and authorization; TACACS+ separates authentication, authorization, and accounting
  • TACACS+ runs over TCP, encrypts the whole packet body, and is the choice for device administration
  • RADIUS is the open IETF standard; TACACS+ originated at Cisco
  • Match the scenario's boundary and resource type to the protocol before reasoning further
  • Certificate path validation chains each signature up to a trust anchor
  • OCSP gives real-time revocation; stapling adds privacy by delivering it in the handshake
  • Mutual TLS with per-device X.509 certificates is the machine-to-machine identity control
  • Windows AD: cross-forest Kerberos trust, NTLM fallback on IP access, GC 3268, LDAPS 636

Unlock with Premium — includes all practice exams and the complete study guide.

Security Assessment & Testing

Assessment Strategies

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Assessment, test, and audit are three altitudes, not synonyms

A security assessment is the broad determination of how effectively an object meets its security objectives, drawing on testing, examination, and interviewing. A test is the narrow act of exercising an object under specified conditions to compare actual versus expected behavior. An audit is a formal, evidence-driven verification of conformance to a standard whose defining trait is independence and a reportable opinion, not technical depth. Designing a strategy means picking the right altitude per objective rather than treating the words as interchangeable.

Trap Calling a thorough internal self-review an audit. Without an independent party rendering a conformance opinion against a standard, it is an assessment, not an audit.

An assessment combines testing, examination, and interviewing because no one method is complete

NIST SP 800-115 names three assessment methods: testing (exercise an object and compare actual vs expected), examination (check, inspect, review, observe, or analyze objects for evidence), and interviewing (discussions with people to clarify or locate evidence). No single method gives a comprehensive picture, so a designed assessment deliberately combines them: examination catches policy and configuration gaps a test misses, and a test proves the exploitability examination only suspects. Knowing which exact word a stem uses is itself testable.

Trap Treating a vulnerability scan or penetration test as a complete assessment by itself, when examination and interviewing must also run to catch the policy and configuration gaps a test alone never surfaces.

Design the strategy before any tool runs: objectives, scope, methodology, frequency

A defensible assessment strategy is a plan authored before execution that fixes four things: the objectives each assessment must satisfy, the scope of objects in and out of bounds, a repeatable documented methodology, and a risk-based frequency. The plan, not the assessor's on-the-day improvisation, decides what gets measured and how often, which is exactly what makes it a strategy rather than a reflex. Objectives trace back to the organization's risks and obligations and drive technique selection downstream.

Trap Reaching for an execution-level fix (buy a scanner, hire a pen tester) when the stem's defect is that nobody decided up front what to measure and how often: that root cause is a missing strategy, not a missing tool.

Assessment is a management responsibility; the assessor executes within the plan

CISSP frames assessment design as a leadership decision: management authors the program (an assessment policy plus a repeatable methodology fixing objectives, scope, roles, frequency, and reporting) and the assessor works inside it. This is why an inconsistent, unrepeatable, or after-the-fact-disputed program signals an absent strategy rather than an unskilled tester. Deriving the methodology from an established source such as SP 800-115 or SP 800-53A keeps the approach recognized and the findings defensible.

Trap Blaming the assessor's skill for an inconsistent or disputable program, when the missing piece is management's repeatable methodology and policy that the assessor is supposed to execute within.

Set assessment frequency by risk and material change, with a regulatory floor

Frequency is risk-based first: higher-risk systems are assessed more often, and any material change triggers reassessment rather than waiting for the next calendar date. Many regimes impose a floor: under FISMA, U.S. federal systems require periodic testing and evaluation of controls no less than annually. The calendar is the backstop, not the driver; a system that changed materially last week needs reassessment now, not at its scheduled annual review.

Trap Treating a fixed annual cadence as sufficient on its own: frequency follows risk and material change first, the calendar only as a minimum.

Who assesses trades depth and context for independence

Internal assessors know the environment and cost the least but assess work they or their peers performed, so their objectivity is structurally limited: no one credibly grades their own homework. External (hired-in) assessors still act on behalf of the sponsor, while an independent third party is a separate firm whose value is precisely having no stake in the result. The single trade-off across all three is depth-and-context versus independence, and the strategy assigns each objective to the assessor whose independence matches the assurance the audience demands.

Trap Assuming the internal team's deeper knowledge of the environment also makes them the most objective choice, when their stake in the work they assess is exactly what limits that objectivity.

4 questions test this
Independent third parties are required when an outside audience must rely on the result

When a regulator, a customer's vendor-risk team, or a board needs credible assurance, the work goes to an independent third party because internal or hired assessors cannot produce a result an outsider can trust. Formal attestations like a SOC 2 report and certifications like ISO/IEC 27001 require an accredited outside party: a self-assessment structurally cannot produce them. Reserve internal self-assessment for continuous internal improvement, where the audience is the organization itself.

Trap Choosing the cheaper, deeper internal team when the stem demands a result credible to an external audience: they have the most context but the least independence, so the finding fails the credibility test.

4 questions test this
Location caps what you are even allowed to assess

Where a system runs legally and contractually limits what the customer may test. On premises the organization owns the whole stack and can assess any layer; in the cloud the shared-responsibility model splits ownership, with the provider securing the infrastructure of the cloud and the customer securing their data, identity, and configuration in the cloud. The boundary slides toward the provider from IaaS to PaaS to SaaS, but data classification and access control almost always remain the customer's responsibility, so the strategy must scope direct testing to the customer-controlled layers.

Trap Assuming a move to the cloud hands data classification and access control to the provider, when those remain the customer's responsibility to assess across IaaS, PaaS, and SaaS alike.

You cannot test the provider's layers: inherit assurance from their attestation

You cannot penetration-test or scan a cloud provider's hypervisor, hardware, or physical facility; that work is out of scope and usually contractually prohibited. For those provider-controlled layers you do not run your own test: you inherit assurance from the provider's own independent third-party attestation, such as their SOC 2 report or ISO 27001 certificate. Moving to the cloud does not remove the assessment obligation; it splits it, leaving the customer accountable for assessing everything on the customer side of the line.

Trap Scheduling your own penetration test or audit of the provider's data center or hypervisor. Review the provider's third-party attestation instead, because that layer is theirs and testing it is prohibited.

A hybrid strategy blends direct assessment with inherited attestation

A hybrid estate spans on-premises and customer-controlled cloud layers you assess directly and provider-controlled layers you cannot touch. The strategy is therefore a blend: direct testing, scanning, and examination for the on-prem and customer-side cloud layers, and inherited third-party attestation for the provider-controlled layers. The recurring point is that the customer-owned data and access configuration must be assessed in every service model, since misconfiguration of that customer layer is the dominant cloud-breach cause.

Trap Applying one uniform approach across a mixed estate, either trying to directly test everything or inheriting attestations for everything, when a hybrid demands direct assessment of customer-controlled layers and inherited assurance for provider-controlled ones.

Validate the strategy itself before trusting its results

Design is not finished until the strategy is stress-tested against reality: does the declared scope actually cover the systems that matter, do the objectives map to real risks and obligations, is the frequency defensible against risk and any regulatory floor, and does the combination of planned methods close the blind spots each single method leaves? A strategy no one has validated can pass every step and still fail to tell leadership whether security works: it is a checklist, not a control.

Trap Trusting a strategy because it passed every documented step, without validating that its declared scope, objectives, and method mix actually cover the systems and risks that matter.

The auditor's value is independence and an opinion, not technical depth

What distinguishes an audit from a deep technical assessment is not how intrusive or expert the work is but that an independent party renders a reportable conformance opinion against an external standard or framework. The same hands-on testing performed by the system owner is an assessment; performed and opined on by an accredited independent party against a defined benchmark, it becomes an audit. Stems that stress an outside party and a formal opinion are pointing at an audit even when the underlying activity looks technical.

Trap Calling the deepest, most intrusive technical test the audit, when what makes work an audit is an independent party's conformance opinion against a standard, not its technical depth.

Objectives and acceptable risk drive technique selection

SP 800-115 is explicit that the assessment objectives and the organization's acceptable level of risk determine which techniques to use, and that because no single technique gives a comprehensive picture, the strategy combines them. This is why the design starts from objectives rather than from a favorite tool: the goal a leader needs answered dictates whether examination, testing, or interviewing (or some mix) is commissioned. A strategy built tool-first instead of objective-first measures what is easy rather than what matters.

Trap Selecting techniques from the team's favorite or most capable tool, when the objectives and the organization's acceptable level of risk are what should dictate which methods are commissioned.

An attestation is the deliverable that proves independent assurance

When the strategy's audience is external, the output that satisfies them is a formal attestation or certificate produced by an accredited outside party: a SOC 2 report attesting to controls, or an ISO/IEC 27001 certificate of a conforming information security management system. These deliverables exist precisely because a self-assessment cannot carry weight with an outside relier. Choosing the assessor therefore also chooses what evidence the engagement can produce, so map the required deliverable back to the assessor's independence when designing the strategy.

Trap Offering an internal self-assessment report to satisfy an external relier, when only a formal attestation or certificate from an accredited outside party carries weight with that audience.

1 question tests this

Security Control Testing

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A vulnerability assessment identifies weaknesses; a penetration test exploits them

A vulnerability assessment enumerates and ranks weaknesses but stops at reporting that a flaw may exist; a penetration test goes further and exploits the flaw to confirm it is real and show how far an attacker reaches. NIST puts it directly: a vulnerability scanner checks only for the possible existence of a vulnerability, while the attack phase of a pen test exploits it to confirm its existence. Pick the assessment by the question asked: "what is exposed?" wants an assessment, "can it be breached?" wants a pen test.

Trap Choosing a penetration test for broad, repeatable enumeration across many hosts: that low-risk coverage is a vulnerability assessment, not an exploit-and-confirm pen test.

6 questions test this
A penetration test runs four phases: Planning, Discovery, Attack, Reporting

NIST SP 800-115 divides a pen test into Planning (set rules of engagement, scope, written authorization, no testing happens here), Discovery (information gathering and scanning to find targets), Attack (exploit the weaknesses), and Reporting (deliver findings and risk ratings). Reporting runs concurrently with the other phases rather than only at the end, and Attack loops back to Discovery whenever a new foothold reveals more targets.

Trap Assuming Reporting happens only at the very end after Attack finishes, when NIST has reporting run concurrently throughout the engagement.

Get written authorization before any penetration test begins

The first action in a penetration test is the Planning phase: obtain documented management authorization and rules of engagement defining scope, timing, and a point of contact before any tool runs. Without that written authorization the same activity is indistinguishable from a real attack and is potentially illegal. No actual testing occurs during Planning.

Trap Starting scanning or exploitation before authorization is signed: in CISSP framing an unauthorized test is an attack, regardless of intent.

4 questions test this
The attack phase loops back to discovery as new footholds appear

When an exploit succeeds, the tester often gains a foothold that exposes new internal targets, so the Attack phase feeds back into Discovery: escalating privileges, pivoting to other systems, and re-scanning from the new vantage point. This loopback is why a pen test measures how far an attacker could chain access, not just whether one isolated flaw is exploitable.

2 questions test this
Black-, white-, and gray-box define how much the tester knows up front

Black-box testing gives the tester zero prior knowledge, simulating an external attacker; white-box gives full knowledge such as architecture, source code, and credentials, for the most thorough coverage; gray-box gives partial knowledge, like a standard user account. More knowledge trades realism of an outsider's view for depth and efficiency of coverage.

Trap Confusing the knowledge levels by picking white-box to simulate an outside attacker, when zero-knowledge black-box is the one that models an external threat.

A red team emulates the adversary; the blue team defends; purple is collaboration

A red team is authorized to emulate a real adversary's attack capabilities against the organization's defenses, while the blue team is the defenders who monitor, detect, and respond. A purple team is not a separate group but a mode where red and blue work together so each attack technique immediately drives a detection or response improvement. The defining feature of a red-team engagement is that, unlike a scheduled scan, it also tests whether defenders can detect and respond.

Trap Calling every penetration test a "red team": the red-team label specifically means adversary emulation that also exercises the blue team's detection and response.

7 questions test this
SAST analyzes code without running it; DAST tests the running app from outside

Static application security testing (SAST) examines source, bytecode, or binaries without executing them, so it runs early and points to the exact vulnerable line, but it misses runtime and configuration flaws and produces false positives. Dynamic application security testing (DAST) tests the running application from the outside with no source access, so it catches runtime and deployment issues but cannot pinpoint the offending code. Interactive testing (IAST) instruments the running app to combine both views.

Trap Picking SAST to catch a runtime or misconfiguration flaw it structurally cannot see, or DAST when the stem wants the exact offending line that only source analysis reveals.

4 questions test this
Fuzzing feeds malformed input to a running target to expose input-handling defects

Fuzz testing submits invalid, unexpected, or random input to a running program to reveal how it responds, surfacing input-handling defects such as buffer overflows and crashes. It is a dynamic technique run by tools called fuzzers, and it is most valuable for code paths that parse external input where validation may be incomplete.

Trap Classifying fuzzing as a static, source-analysis technique, when it is a dynamic technique that requires actually executing the target against malformed input.

Misuse-case testing verifies behavior under abuse, not just intended use

Where a use case describes how a system should behave for a legitimate user, a misuse case models what an attacker would deliberately do to abuse it, and misuse-case testing verifies the system resists that abuse. It complements normal functional testing by asking how the system fails under hostile input rather than only confirming it works under expected input.

Trap Confusing a misuse case with a use case, treating it as just another positive functional scenario instead of the adversary's deliberate abuse of the system.

4 questions test this
Synthetic transactions script known interactions; RUM captures real user activity

Synthetic transactions run scripted, pre-defined interactions (a login, a search, a checkout) against a live system on a schedule to confirm it responds correctly and on time, independent of real traffic. Real user monitoring (RUM) instead passively captures actual user interactions as they happen. Use synthetic transactions to proactively verify availability and behavior even when no real users are active.

Trap Reaching for real user monitoring to proactively verify availability when no real users are active, a job only scheduled synthetic transactions can do.

Interface testing exercises the connection points between components

Interface testing targets the boundaries where components connect (APIs, web service endpoints, and inter-system handoffs) to confirm they accept, reject, and fail securely. These integration points are a common source of defects because each side may assume the other validated the data, so testing them directly catches gaps neither component's internal tests would find.

Trap Reading interface testing as exercising the graphical user interface, when it targets the API and inter-system connection points between components.

2 questions test this
Test coverage analysis measures how much of the target the tests exercised

Test coverage analysis quantifies how much of a target the tests actually exercised (statement, branch, or condition coverage for code, or requirements coverage for controls) so the gaps in what was not tested become visible. It answers "what did we miss?" rather than "did the tested parts pass?"

Trap Treating high test coverage as proof the system is secure: coverage measures only what was examined, not that the exercised code is free of flaws.

Breach-and-attack simulation continuously replays adversary techniques against live defenses

Breach-and-attack simulation (BAS) tools automatically and continuously replay known adversary techniques against production defenses to verify on an ongoing basis that controls detect and block them. BAS closes the gap left by point-in-time penetration tests, which capture only a single moment, by turning detection-and-response validation into a continuous, repeatable check.

Trap Equating breach-and-attack simulation with a point-in-time penetration test, when its defining value is continuous, repeatable validation rather than a single snapshot.

2 questions test this
Log review verifies controls record the right events, not that they block attacks

Log review is an examination technique that determines whether security controls are logging the proper information and whether the organization adheres to its logging policy, for example, confirming that all authentication attempts to critical servers are recorded at the required detail. It can also surface misconfigurations, unauthorized access, and intrusion attempts after the fact, but it evaluates evidence rather than actively exploiting a weakness.

Trap Classifying log review as a testing technique that actively exploits or blocks attacks, when it is an examination method that evaluates recorded evidence after the fact.

3 questions test this
Compliance checks verify the implemented state matches a required baseline

A compliance check compares a system's actual configuration against a mandated baseline or benchmark and reports where they diverge, confirming the implemented state matches the required one. It is a verification of conformance to a defined standard, distinct from a vulnerability assessment that hunts for unknown weaknesses regardless of any baseline.

Trap Treating a compliance check as a vulnerability assessment, when it measures conformance to a defined baseline rather than hunting for unknown weaknesses.

2 questions test this
Testing, examination, and interviewing are the three assessment methods

NIST SP 800-115 defines three assessment methods: testing exercises an object under specified conditions to compare actual against expected behavior; examination checks, inspects, reviews, or analyzes objects to obtain evidence; interviewing holds discussions with people to clarify or locate evidence. Because no single technique gives a complete picture, a sound assessment deliberately combines methods rather than relying on one.

Trap Confusing examination with testing, when only testing actively exercises an object under specified conditions while examination merely inspects and reviews it for evidence.

Credentialed scanning sees patch and configuration state; unauthenticated scanning only probes

A credentialed (authenticated) vulnerability scan logs into the target and reads installed patch levels and configuration, yielding far fewer false positives than an unauthenticated scan that only probes from the network. Either way scanner output flags possible flaws and always needs human triage to separate true findings from false positives before remediation.

Trap Assuming an unauthenticated network scan is more accurate than a credentialed one, when reading patch and configuration state from inside the host is what cuts false positives.

8 questions test this
Combine techniques because no single one gives a complete security picture

NIST is explicit that no individual testing technique provides a comprehensive view of a system's security, so assessments should layer them: review to understand a control, scanning to find candidate weaknesses, and validation to confirm the ones that matter. Relying on a single method (only a scan, or only a pen test) leaves predictable blind spots.

Trap Assuming a single thorough method such as a penetration test gives a comprehensive security picture, when NIST says no individual technique covers all blind spots.

SCAP standardizes machine-readable config and vulnerability checking

The Security Content Automation Protocol (SCAP) is a NIST suite of interoperable specifications that lets tools from different vendors express and check security configuration and vulnerability data in machine-readable form. XCCDF describes the checklist and benchmark of requirements, while OVAL defines the low-level technical checks that determine whether a system meets them.

Trap XCCDF is the human-level checklist language; OVAL is the low-level check logic the scanner executes.

8 questions test this
CIS Benchmark Level 1 is a usable baseline; Level 2 is defense-in-depth

CIS Benchmarks ship two profiles. Level 1 is the base recommendation that lowers attack surface with minimal performance or usability impact, suitable for general systems. Level 2 is intended for environments where security is paramount, adding more stringent settings that may require application changes and can affect functionality.

Trap Level 2 is not 'better and always preferred'; its stricter settings can break functionality, so general workstations use Level 1.

4 questions test this
SIEM correlation requires normalizing logs to a common schema first

Different log sources name and format the same data differently (for example a user as 'jsmith' versus 'john.smith@company.com', or varying timestamp and IP field names). A SIEM must normalize these into a standardized schema or common information model so events can be compared and correlated across sources; without normalization, cross-source correlation rules fail.

Trap Normalization fixes inconsistent field names/formats; out-of-order or skewed timestamps are a separate problem solved by time synchronization (NTP).

6 questions test this
SIEM event correlation turns isolated events into a single incident

Event correlation links related events from multiple sources by common attributes (user, host, IP, time window) so that activity that looks benign in isolation becomes a recognizable incident when combined. It is what enables detection of multi-stage attacks and timeline reconstruction across diverse logs.

Trap An alert that looks weak alone is not necessarily a false positive; the cure is correlation for context, not suppression.

7 questions test this
Tune correlation rules and add exceptions to cut SIEM false positives

When a rule floods analysts with alerts that investigation confirms are benign (for example a service account doing legitimate automated work), the right fix is to tune the rule and add a scoped exception or allow-list for the validated source, adjusting thresholds to the organization's use cases. This preserves detection while reducing alert fatigue.

Trap Tune or scope an exception for the validated source; do not disable the whole rule, which would blind the control.

3 questions test this
Pivoting routes through a compromised host to reach internal segments

After gaining a foothold, a tester uses pivoting to route traffic through the compromised system and reach internal networks that are not directly accessible from the attack platform (for example via a Meterpreter session). In PTES this enumeration of additional subnets and onward access happens in the post-exploitation phase.

Trap Pivoting reaches otherwise unreachable internal segments; it is a post-exploitation activity, not the initial exploitation step.

5 questions test this
Scope defines WHAT is tested; rules of engagement define HOW

In pre-engagement, two distinct documents govern a penetration test. The scope document explicitly identifies which systems, networks, and IP ranges are authorized targets, while the rules of engagement (RoE) set the constraints on how testing is conducted, including the degree of exploitation permitted and procedures after a system is compromised. NIST treats the RoE as the authority that lets the team act without seeking further permission mid-test.

Trap Scope = what; rules of engagement = how. The degree of exploitation allowed belongs in the RoE, not the scope.

7 questions test this
An out-of-scope discovery means stop, document, and notify, not exploit

If a tester encounters a system or vulnerability outside the authorized scope (for example a third-party-owned host), professional standards require ceasing activity against it, documenting only what was already observed without further probing, and notifying the engagement authority so additional authorization or a new statement of work can be obtained before any further testing.

Trap Exploiting an out-of-scope finding to prove impact; testing outside the agreed scope creates legal exposure regardless of intent.

4 questions test this

Security Process Data

Read full chapter
  • Security process data is evidence for oversight, not the act of running a control
  • A metric is a measure compared to a target; raw operational data alone decides nothing
  • Good indicators are SMART so the same data yields the same number
  • KPIs measure control performance and are usually lagging
  • KRIs forecast rising risk and are leading indicators tied to an escalation threshold
  • Leading vs lagging is the KPI/KRI discriminator the exam turns on
  • Activity measures count effort; effectiveness measures prove the outcome changed
  • Awareness effectiveness is measured by behavior change, not attendance
  • Account-management data demonstrates least privilege is maintained over time
  • Backup verification means a tested restore, not a successful backup job
  • DR/BC test fidelity rises from checklist to tabletop to parallel to full-interruption
  • DR/BC test data is measured against the BIA's RTO and RPO targets
  • Management review and approval records are themselves collected oversight data
  • Continuous monitoring (ISCM) shortens the gap between knowing and acting
  • Metrics roll up from operational to program to board level
  • Privilege creep is accumulated access from role changes left un-revoked

Unlock with Premium — includes all practice exams and the complete study guide.

Test Output & Reporting

Read full chapter
  • Every test alert is one of four outcomes; the false negative is the dangerous one
  • Validate an alert into a true positive before it becomes a reported finding
  • No single tool gives the complete picture, so correlate multiple techniques
  • Rank findings by business risk, not by the tool's raw severity score
  • Report at two altitudes: an executive risk summary and a technical detail section
  • The security assessment report (SAR) records each finding, its evidence, and a recommendation
  • Track every open finding to closure on a POA&M
  • Retest after remediation to confirm the fix actually closed the finding
  • The risk owner accepts residual risk, not the assessor or administrator
  • An exception must be documented, time-bounded, and revisited at expiry
  • Use a compensating control when the primary fix is not feasible
  • Coordinated disclosure: notify the vendor first, allow an embargo, then go public
  • Full disclosure is the risky extreme; the embargo is reasonable, not unlimited
  • A published vulnerability disclosure policy operationalizes the ethical duty
  • Reporting silence about a third-party flaw is as wrong as a reckless public dump
  • Use CVSS Environmental metrics to tailor severity to your environment

Unlock with Premium — includes all practice exams and the complete study guide.

Security Audits

Read full chapter
  • An audit is independent assurance against a standard, not a self-assessment
  • The security leader usually facilitates the audit; the independent auditor renders the opinion
  • Classify an audit as internal, external, or third-party by who relies on the result
  • SOC 1 covers financial-reporting controls; SOC 2 covers security; SOC 3 is the public summary
  • SOC 2 measures controls against the five Trust Services Criteria, with security mandatory
  • SOC 1 and SOC 2 are restricted reports; only SOC 3 is general-use
  • Type I opines on design at a point in time; Type II tests operating effectiveness over a period
  • ISO/IEC 27001 certification is a public conformance badge, not a SOC-style report
  • You cannot audit a hyperscale cloud provider directly, so you rely on its attestation
  • The right-to-audit clause must be negotiated into the contract before you sign
  • Match the audit approach to where the system runs: on-prem direct, cloud shared, hybrid combined
  • An external SOC examination is performed by an independent CPA firm

Unlock with Premium — includes all practice exams and the complete study guide.

Security Operations

Investigations

Read full chapter
  • Forensics is one four-phase process: collection, examination, analysis, reporting
  • Consult management and legal before you collect anything
  • Preserve before you analyze: work on a verified copy, never the original
  • Collect in order of volatility: most ephemeral evidence first
  • Image RAM live before shutdown when volatile state holds the evidence
  • Acquire stored media through a write blocker so the original is never modified
  • A forensic image is a bit-for-bit copy, not just the visible files
  • Hash the source and the copy, confirm they match, and preserve the hash
  • Prefer SHA-256 over MD5/SHA-1 for evidence integrity
  • Chain of custody is the unbroken documented history of every handler
  • Evidence storage carries a higher bar than ordinary media storage
  • Preserve to the strictest standard that might plausibly apply
  • Memorize the five rules of evidence: authentic, accurate, complete, convincing, admissible
  • Lawfully collected evidence still fails if it is not admissible
  • Isolate a seized mobile device from the network before extraction
  • Network evidence is mostly volatile, so capture it live or from central logs fast
  • Documentation is a continuous discipline, not a final formality
  • Forensics preserves truth; incident response restores service

Unlock with Premium — includes all practice exams and the complete study guide.

Logging & Monitoring

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Logging records events; monitoring is the review that turns them into detection

Logging writes an event down when it happens, while monitoring is the continuous review of those records and live telemetry to spot what matters: the two form a pipeline, not a synonym pair. Logs that accumulate without anyone analyzing them are the most common detective-control failure, because the control that was supposed to catch the attack (review) never actually runs. The whole subtopic exists to extract signal from logs, so every tool here is a way to analyze records rather than to generate more of them.

Trap Treating exhaustive logging as detection on its own. Collection without review detects nothing.

Centralize logs off the host so a compromise cannot erase the evidence

Logs left on the host that generated them are deleted or altered the moment that host is compromised, so forward them to a central, access-controlled store as close to real time as possible. Centralization also enables correlation: an event that looks innocuous in one server's log is obvious when many sources are read together. NIST SP 800-92 frames this as the core of security log management, and a write-once or append-only store further protects the record so even an intruder with admin rights cannot rewrite history.

Trap Leaving logs only on the originating host because they are also forwarded later in batch, giving an attacker a window to wipe them before they ship.

1 question tests this
Synchronize all clocks with NTP, or correlation and forensic ordering break

Every correlation depends on a shared, trustworthy clock, so synchronize all devices to a common time source using the Network Time Protocol (NTP). If two systems' timestamps disagree, no SIEM can correctly order their events and the true sequence of an attack is lost. Skewed clocks also weaken logs as forensic evidence because the ordering of records cannot be trusted.

Trap Blaming a SIEM's correlation rules for an incoherent timeline when the real cause is unsynchronized clocks.

1 question tests this
Signature detection catches known threats but is blind to anything novel

Signature-based detection matches activity against a database of known-bad patterns (hashes, exploit packet shapes, malicious URLs), making it precise and low-noise for known threats. Its structural weakness is that a zero-day or never-seen variant has no signature, so it passes straight through. Reach for anomaly/behavior-based detection instead when the threat may be previously unseen.

Trap Choosing signature-based detection to catch a zero-day. No signature exists yet for an attack nobody has seen.

1 question tests this
Anomaly detection catches the unknown by modeling normal, at the cost of false positives

Anomaly- (behavior-) based detection first learns a baseline of normal, then flags statistically significant deviations from it, which lets it catch novel attacks that no signature covers. The trade-off is false positives: legitimate activity that drifts outside the baseline triggers alerts that must be tuned out. This is the right side of the signature-vs-anomaly choice whenever a stem says 'detect a previously unseen attack.'

Trap Picking anomaly-based detection for its low false-positive rate, when its strength is catching the unknown and it actually generates more false positives than signature matching, not fewer.

2 questions test this
An IDS detects and alerts; an IPS sits inline and can block

An Intrusion Detection System (IDS) observes activity and raises an alert (a detective control that does not stop the attack) while an Intrusion Prevention System (IPS) sits inline in the traffic path and can drop or reset malicious connections, making it a preventive control. The placement is the whole difference: an IDS can tap a passive span/mirror port out of band, but an IPS must be inline, so a false positive or outage in an IPS can break legitimate traffic. NIST SP 800-94 treats them together as IDPS because most products now do both.

Trap Expecting an out-of-band IDS to stop an attack. It only alerts; only an inline IPS can block.

NIDS sees the wire, HIDS sees the host, so critical environments run both

A network IDS/IPS (NIDS/NIPS) inspects traffic on a segment and catches attacks crossing the wire, but is blind inside encrypted tunnels and to activity that never leaves the host. A host IDS/IPS (HIDS/HIPS) runs on the endpoint and sees local file changes, process behavior, and post-decryption activity, but only for that one machine. Because each covers the other's blind spot, defense in depth places network sensors at chokepoints and host sensors on critical systems rather than choosing one.

Trap Relying on a NIDS alone to detect an attack inside an encrypted session or one confined to the host, where only a HIDS can see it.

1 question tests this
A SIEM aggregates and correlates logs so scattered events become one alert

A Security Information and Event Management (SIEM) platform aggregates logs from many sources, normalizes them to a common format, and correlates them with rules so individually innocuous events combine into one high-fidelity alert. Its value is the centralized cross-source view that reconstructs an attack timeline no single host log reveals, which is exactly why it depends on NTP-synchronized clocks. SIEM correlation rules are usually signature-style, with anomaly analytics (UEBA) layered on for behavioral detection.

Trap Treating a SIEM as a detection engine that finds threats on its own, when its value is correlating the logs other tools generate and its rules are only as good as the sources and clocks feeding it.

9 questions test this
UEBA detects the compromised insider by baselining behavior, not matching signatures

User and Entity Behavior Analytics (UEBA) builds a behavioral baseline per user and per entity (servers, devices, service accounts) and flags significant deviations: a mass download, an off-hours login from a new location, lateral movement never seen before. It is the answer for a compromised credential or malicious insider whose individual actions are authorized but whose pattern is abnormal. Signature tools miss this because no malware is involved; the account is legitimate, only its behavior is wrong.

Trap Reaching for antivirus or signature tools against a compromised valid account. No malware is present, so they see nothing wrong.

2 questions test this
Egress monitoring and DLP watch what leaves, because exfiltration is the loss event

Most monitoring focuses inbound, but the damage in a breach happens when data flows out, so egress monitoring and Data Loss Prevention (DLP) inspect outbound traffic for sensitive content. DLP enforces across data in motion (network), data in use (endpoints), and data at rest (storage). Egress filtering, allowing only expected destinations and protocols outbound, complements DLP by limiting command-and-control channels and blocking traffic to unexpected destinations.

Trap Concentrating monitoring and firewall rules on inbound traffic, leaving outbound exfiltration and command-and-control channels unwatched.

DLP only acts on content it can read, so network DLP must decrypt TLS first

DLP can inspect only content it can actually read, so strong end-to-end encryption or an unrecognized format defeats inspection entirely. That is why network DLP typically performs TLS termination/decryption at the egress point before examining the payload. Without it, an encrypted exfiltration channel passes uninspected. This makes decryption infrastructure, not the DLP engine itself, the usual missing piece when sensitive data still leaks.

Trap Assuming DLP transparently inspects encrypted traffic. It cannot read the payload until TLS is terminated and decrypted.

Continuous monitoring (ISCM) replaces the annual snapshot with ongoing awareness

Information Security Continuous Monitoring (ISCM), defined in NIST SP 800-137, is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk-management decisions. It replaces the once-a-year audit snapshot so authorization decisions rest on current data and control drift is caught in days rather than at the next assessment. Logging and monitoring are the data sources; ISCM is the governance program that consumes them.

Trap Reading 'continuous' as fully automated and tool-only, when ISCM is a governance program that consumes monitoring data to drive risk decisions, not just a real-time scanner.

IOCs are easy to load but go stale; TTPs are durable, so hunt on behavior

Threat feeds deliver Indicators of Compromise (IOCs), malicious IPs, file hashes, domains, that are easy to load into a SIEM or IDS but trivially changed by the attacker, so they go stale fast. Tactics, Techniques, and Procedures (TTPs), catalogued in frameworks like MITRE ATT&CK, describe how an adversary operates and are far more durable because behavior cannot be rotated as cheaply as an IP. Detection built on TTP behavior is therefore more resilient than detection chasing individual IOCs.

Trap Relying solely on IOC feeds for detection. Attackers change indicators trivially, so IOC-only detection ages out quickly.

Threat hunting is the proactive, hypothesis-driven search for an attacker already inside

Threat hunting is the human-led search for adversaries who already slipped past automated detection, starting from a hypothesis ('if an attacker used this technique, here is the trace it would leave') and querying centralized logs to confirm or refute it. It assumes compromise has already happened rather than waiting for an alert to fire, which makes it the human counterpart to the automated pipeline. Hunting leans on TTP-level intelligence because behavior is what survives an attacker's evasion of indicator-based controls.

Trap Treating threat hunting as waiting for and triaging the alerts the SIEM fires, when it is a proactive hypothesis-driven search that assumes the alert never came.

1 question tests this
Threat intelligence is contextual adversary knowledge that tells detectors what to look for

Threat intelligence is curated, contextual knowledge about adversaries, delivered through threat feeds, that sharpens every detector by supplying what to watch for. It is the input layer to the SIEM and IDS, not a detection method itself: feeds carry both IOCs and TTPs. Good intelligence is timely and relevant to the organization's actual threat landscape, not just a raw firehose of indicators.

Trap Treating threat intelligence as a detection control in its own right, when it is the input that sharpens the SIEM and IDS rather than a tool that fires alerts itself.

Set log retention by the longest applicable requirement, since breaches surface late

Log retention is driven by the longest of the applicable requirements (regulation, contract, and the organization's own investigation needs) because many intrusions are discovered months after the initial breach. A log already rotated away cannot be investigated, so under-retaining destroys evidence you may not know you need yet. Retention is a policy decision that lands in monitoring as the parameter deciding whether the evidence still exists when an incident is found.

Trap Setting retention to the shortest period that satisfies any single regulation, when the controlling figure is the longest of all applicable legal, contractual, and investigative needs.

2 questions test this
Protect log integrity with write-once storage so the record itself is trustworthy

Logs are only useful as evidence if they have not been tampered with, so a central log store is commonly write-once or append-only to prevent alteration even by an administrator or an intruder with admin rights. Integrity protection is what lets a SIEM alert and a forensic timeline be trusted, since an attacker's first move is often to edit or clear logs. This complements centralization: moving logs off-box keeps them, and write-once storage keeps them honest.

Trap Assuming restrictive file permissions or admin-only access protect log integrity, when a privileged admin or an intruder with those rights can still alter them and only write-once/append-only storage prevents it.

2 questions test this
Match DLP inspection to the data: exact data match for known DB values, corroborating context to cut false positives

Exact data match (EDM) compares content against actual values in a sensitive-source table, so it reliably catches specific records (a known SSN, medical-record number, or patient name) that pattern matching would miss. To suppress false positives on generic patterns like an SSN regex, require supporting evidence in proximity (keywords, corroborating identifiers, or a higher confidence threshold) so a match only fires with real context.

Trap Plain regex/pattern matching (or 'keyword only') flags every nine-digit number; it neither pins to known records like EDM nor carries the context that kills false positives.

4 questions test this
Cut alert fatigue by continuously tuning detections to the environment's baseline, not by disabling them

A flood of benign alerts buries real intrusions, so the durable fix is continuous tuning of detection rules and thresholds against the organization's normal baseline. Specific levers: granular per-protocol allowlists/whitelists for known-benign activity, entity exclusions for a specific service account that generates legitimate noise (while still detecting the same behavior from other accounts), and risk-based prioritization so the highest-criticality alerts surface first. The goal is a better signal-to-noise ratio with detection capability intact.

Trap Turning off a noisy rule entirely. That restores quiet by creating a blind spot; tune or scope the exclusion instead.

4 questions test this

Configuration Management

Read full chapter
  • Security-focused configuration management runs in four phases
  • A baseline configuration is a formally approved state changeable only through change control
  • Configuration management is the technical state; change management is the approval process
  • A configuration baseline is not a control baseline
  • Provision new systems from the approved secure baseline, not from defaults
  • Least functionality (CM-7) shrinks attack surface at provisioning time
  • Adopt a recognized secure-configuration benchmark instead of inventing one
  • NIST SP 800-70 runs the National Checklist Program Repository
  • Configuration drift is divergence from the approved baseline
  • Monitoring proves a once-secure system is still secure
  • Automated baseline enforcement is the durable fix for recurring misconfiguration
  • Automation gives baseline uniformity across a fleet
  • You cannot manage the configuration of components you have not inventoried
  • A configuration item is the discrete target of configuration control
  • The Controlling Changes phase analyzes security impact before a change lands

Unlock with Premium — includes all practice exams and the complete study guide.

Security Operations Concepts

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Least privilege grants the minimum access a task needs, then revokes it

Least privilege restricts every subject (user, process, or service) to the minimum access required to accomplish an assigned task, and removes that access when the task ends (NIST SP 800-53 AC-6). It is a preventive administrative control: by keeping grants small and temporary, it limits the blast radius of a compromised account or a malicious insider. Think of it as the default posture for every access decision, not a one-time configuration.

Trap Picking 'need-to-know' when the stem only describes holding access down to what a task requires; that broad minimum-access posture is least privilege, while need-to-know is its narrower information-level application.

1 question tests this
Need-to-know is least privilege applied to specific information, not to roles

Need-to-know narrows least privilege to information: a clearance or role sets the ceiling of what a subject could access, and need-to-know decides which specific records within that ceiling they actually require for the job at hand. So a person with the correct clearance can still be denied a particular file because they have no job-related need for it. The exam phrasing 'has the clearance but not the need' is asking for need-to-know, not least privilege in general.

Trap Answering 'least privilege' when a stem says someone with the right clearance is denied a specific file. The precise control being tested is need-to-know, the information-level gate under the clearance ceiling.

2 questions test this
Separation of duties means no one person can complete and conceal a sensitive task

Separation of duties (SoD) splits a critical process across different people so that abusing it requires collusion. Its defining objective (NIST SP 800-53 AC-5) is reducing malevolent activity without collusion. The textbook case is that whoever requests or prepares a payment must not also approve it. SoD is preventive and administrative; it structurally removes any single person's ability to subvert the process alone, rather than detecting abuse afterward.

Trap Calling separation of duties a detective control. It is preventive: it stops a solo actor up front rather than discovering misuse after the fact.

1 question tests this
The access-control administrators must not also administer the audit logs

A specific SoD requirement is that the staff who administer access-control functions must not also administer the audit functions that would catch their misuse (NIST SP 800-53 AC-5). If the same person controls both, they can grant themselves access and then erase the evidence. CISSP stems that put log administration and access administration in one role are testing this exact conflict-of-duties split.

Trap Accepting one person holding both access administration and audit administration as long as their actions are logged; those very logs are what such a person can alter, so the duties themselves must be separated.

SoD can be static (roles never co-held) or dynamic (enforced at execution)

Static separation of duties bars conflicting roles from ever being assigned to the same person, while dynamic separation of duties allows the assignments but blocks the conflicting actions at execution time. For example a two-person rule that prevents one user from performing both halves of a transaction in the same session (NIST SP 800-192). Static is simpler to audit; dynamic is more flexible where one person may hold both roles but must never exercise them together.

Trap Labeling the variant that lets one person hold both conflicting roles but blocks using them together as 'static'; that runtime enforcement is dynamic SoD, whereas static forbids the conflicting assignments outright.

1 question tests this
Dual control requires two authorized people to approve one sensitive action

Dual control (also called two-person control or two-person integrity, and named dual authorization in NIST SP 800-53 AC-3(2)) requires the approval of two authorized individuals before a sensitive action executes, which reduces insider-threat risk. It governs an action: two people must agree for the event to happen. It is the most common concrete mechanism used to enforce a separation-of-duties requirement on an approval step.

Trap Reaching for 'split knowledge' when the stem requires two people to authorize an action; split knowledge fragments a secret, whereas dual control gates an action behind two approvals.

M-of-N control needs any M of N holders so the process survives an absent holder

M-of-N control generalizes dual control: instead of requiring all holders, it requires any M of N trusted parties to agree, for example 3 of 5. This trades a little exclusivity for resilience, because the action still proceeds if one or two holders are unavailable. Reach for M-of-N over plain two-person control when you need the protected action to keep working despite a missing custodian.

Trap Picking plain two-person dual control when the requirement is that the action still proceed despite an unavailable custodian; strict dual control stalls if either holder is absent, which is exactly what M-of-N is built to survive.

Split knowledge divides a secret so no one person holds the whole thing

Split knowledge divides a single secret (an encryption key, a master password, a safe combination) into parts so that no individual holds the complete value and reconstructing it requires the parties to combine their fragments. It protects a secret, which is what distinguishes it from dual control's protection of an action. The two are often combined: split a key into N parts and require M of them to reconstruct it.

Trap Confusing split knowledge with dual control. Split knowledge fragments a secret so no one holds it whole, while dual control requires two people to approve an action; the stem's noun (a key/combination vs. an approval) tells you which.

Job rotation is a detective personnel control that surfaces a predecessor's hidden abuse

Job rotation moves staff between roles so a successor eventually performs the predecessor's duties and would notice an irregularity, and it reduces any one person's long-term lock on a sensitive position. NIST SP 800-53 AC-3(2) explicitly suggests rotating dual-authorization duties to reduce collusion, which is the authoritative basis for rotation as an anti-collusion control. It is administrative and detective: it assumes access was legitimate and creates conditions that expose ongoing misuse.

Trap Classifying job rotation as a preventive control; it does not block the abuse up front, since a successor inheriting the role is what later surfaces it, making it detective.

1 question tests this
Mandatory vacation forces coverage that uncovers a scheme needing daily presence

Mandatory vacation requires an employee to be out of their function for a continuous period (commonly one to two weeks) so a substitute must perform the work. A fraud that depends on the perpetrator's daily presence to stay concealed tends to unravel while they are away and someone else handles the duties. Like job rotation it is an administrative detective control, aimed at exposing abuse of access rather than restricting the access itself.

Trap Treating mandatory vacation as merely an employee-wellbeing or HR perk. On the exam it is a fraud-detection control whose security value is forcing a substitute to cover the role.

Privileged accounts get extra controls because they can override the others

Privileged accounts (administrator, root, domain admin, service, and emergency break-glass accounts) can bypass or disable normal security controls, so they require management beyond ordinary users. The two operational goals are constraining when that privilege is active and watching every use of it. This is why privileged access management and privileged-session monitoring exist as a distinct discipline rather than being folded into routine account administration.

1 question tests this
PAM removes standing admin rights with just-in-time, time-bound, approved activation

Privileged access management (PAM) replaces always-on standing admin rights with access that is requested, time-bound (a defined start and end), approved, and often MFA-gated, so privilege exists only while a task is being performed. The control objective is to eliminate standing privilege: the window an attacker or insider can exploit. A reference implementation grants role activation just-in-time with approval, notifications, and downloadable audit history.

Trap Believing strong passwords and MFA on an always-on admin account remove standing privilege; they harden authentication but the rights stay permanently active, and only just-in-time, time-bound activation eliminates the standing window.

4 questions test this
Naming an admin account fixes attribution, not standing privilege

Assigning a named human owner to an administrator or service account improves accountability because you know who acted, but on its own it does nothing about the account being permanently privileged. A named-but-always-on admin still carries standing privilege and remains a prime attacker target. Removing standing privilege requires PAM's just-in-time activation, not just a better name on the account.

Trap Choosing 'give each admin account a named owner' as the fix for standing privilege. Naming solves attribution only; the account is still always-on until just-in-time PAM activation is applied.

Monitoring privileged use is the inseparable second half of managing it

Constraining privilege is only half the job; every privileged session and every break-glass activation must generate logs and alerts that are actually reviewed, because the whole reason to misuse such an account is to act unseen. Break-glass emergency accounts in particular should alert on every sign-in and get a post-use review to confirm the access was authorized. An unmonitored privileged or break-glass account is standing admin under another name.

Trap Assuming just-in-time PAM activation alone secures privileged accounts; constraining when privilege is active still leaves its use invisible unless every session and break-glass event is logged, alerted, and reviewed.

1 question tests this
An SLA is a measurable, enforceable commitment about how a service will perform

A service level agreement (SLA) documents measurable service commitments (uptime, response and resolution times, breach-notification windows, patch timelines) with remedies when targets are missed. Because you cannot directly configure a third party's systems, the SLA is how security and recovery obligations are enforced on services you do not control. For continuity, external dependencies must carry SLAs aligned to the dependent process's recovery time objective (RTO), so the vendor's promised response fits inside your recovery window.

Trap Accepting a vendor SLA whose response time merely exists, without checking it fits inside the dependent process's RTO; a promised response longer than your recovery window leaves the SLA unable to meet continuity needs.

SLA faces the customer, OLA faces internal teams, UC faces the supplier

Keep three agreements straight by who each one faces: an SLA is the externally-visible promise to the customer about service performance, an operational level agreement (OLA) commits internal supporting teams to the targets that let the SLA be met, and an underpinning contract (UC) holds an external supplier to commitments backing the SLA. The distinguishing axis the exam tests is internal versus external: an OLA is internal team-to-team, a UC is your organization to a third party.

Trap Swapping OLA and UC. An OLA is an internal commitment between teams in your own organization, while an underpinning contract (UC) is the external agreement with a third-party supplier.

Resource Protection

Read full chapter
  • Media that cannot be accounted for cannot be protected
  • The media custodian runs the library; the data owner is accountable for classification
  • Run inventory plus check-in/check-out so any item's whereabouts is always known
  • NIST SP 800-53 MP family is the operational handling chain: mark, store, transport, use, sanitize
  • Media kept inside a controlled area may be exempted from marking
  • For media leaving a controlled area, encryption on the copy is the protection that survives loss
  • MP-5 transport requires documented accountability, not just secure carriage
  • MP-7 Media Use prohibits portable storage with no identifiable owner
  • Treat a VM image or snapshot as sensitive media in its own right
  • Protect hardware through inventory, physical access control, and maintenance discipline
  • Protect software by controlled distribution and integrity verification of the trusted copy
  • Operations triggers sanitization; the destruction mechanics live in asset security
  • Storage and transport controls tighten in lockstep with classification
  • Resource protection guards integrity and custody, not patch level

Unlock with Premium — includes all practice exams and the complete study guide.

Incident Management

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Recite the (ISC)² incident lifecycle in order: Detect, Respond, Mitigate, Report, Recover, Remediate, Lessons Learned

The (ISC)² seven-step incident management lifecycle runs in a fixed order (Detection, Response, Mitigation, Reporting, Recovery, Remediation, Lessons Learned) and that order is the single most testable fact in this subtopic. Detection classifies an event as an incident; Mitigation is containment; Remediation is eradicating the root cause; Lessons Learned closes the loop back into preparation. Anchor the sequence cold, because the most common question simply scrambles it and asks you to restore order.

Trap Placing Recovery or Remediation before Mitigation. You contain (Mitigate) before you eradicate or restore.

3 questions test this
Map the (ISC)² seven steps onto NIST's four phases: they are the same lifecycle at two resolutions

NIST SP 800-61's four phases (Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity) are the same work the (ISC)² seven steps describe, just grouped coarser. Detection and Response sit inside NIST Detection and Analysis; Mitigation, Recovery, and Remediation all collapse into the single NIST Containment-Eradication-Recovery phase; Lessons Learned is Post-Incident Activity. Preparation wraps the whole cycle and is the implicit foundation rather than a numbered (ISC)² step.

Trap Treating NIST containment, eradication, and recovery as three separate phases. NIST bundles all three into one phase.

An event is any observable occurrence; an incident is the subset that breaches CIA or policy

NIST defines an event as any observable occurrence in a system or network (a login, a web request, a firewall block) and most events are harmless. An incident is the narrower set: a violation or imminent threat of violation of security policy, or an occurrence that actually or potentially jeopardizes confidentiality, integrity, or availability. Detection is the act that draws this line, which is why it is step one: you cannot respond to something not yet classified as an incident.

Trap Treating every alert, or every adverse event, as automatically an incident. An adverse event is only an incident once it crosses the CIA / policy-violation line.

1 question tests this
On an active compromise, contain first: never eradicate or rebuild while the attacker is still live

When a host is actively compromised, the correct first action is containment: isolate or disconnect the host and disable the abused function to stop the spread before building a considered fix. NIST states containment matters before an incident overwhelms resources or increases damage, and that it buys time to develop a tailored remediation strategy. Eradication and recovery come after the threat can no longer expand.

Trap Jumping straight to rebuilding the server or patching the vulnerability while the attacker still has live access and can spread to other systems.

1 question tests this
Base the containment strategy on predetermined, per-incident-type criteria, not improvisation

NIST says containment decisions are far easier when strategies are predetermined per incident type, because an email-malware containment differs sharply from a DDoS containment. The documented criteria for choosing a strategy are potential damage and theft of resources, need for evidence preservation, service availability, time and resources to implement, effectiveness, and duration of the solution. Defining these in advance turns a crisis decision into a checklist lookup.

Trap Selecting a containment strategy using the prioritization factors (functional impact, information impact, recoverability) instead of the containment criteria such as evidence-preservation need and solution duration.

1 question tests this
Delayed containment (letting a known compromise run to watch the attacker) is dangerous and needs legal sign-off

Some teams redirect an attacker into a sandbox to gather evidence, but NIST warns that any delayed containment is dangerous because the attacker could escalate access or compromise other systems, and that knowingly allowing a compromise to continue can make the organization liable if the attacker pivots to attack third parties. Such monitoring must be cleared with the legal department first; other ways of watching an attacker without containing should not be used.

Trap Leaving a compromised host online to observe the attacker without legal approval. It can create downstream liability if the attacker uses it to hit others.

Prioritize incidents by impact and recoverability, never first-come, first-served

NIST calls prioritization the most critical decision point in incident handling and explicitly rejects first-come, first-served when resources are limited. Rank by three factors: functional impact (effect on business operations), information impact (effect on the confidentiality, integrity, and availability of data), and recoverability (the time and effort recovery will take). A high-impact incident jumps ahead of a low-impact one reported earlier.

Trap Handling the incident reported first, or the technically most interesting one, instead of the one with the highest business impact.

A precursor warns an incident may come; an indicator signals one may be occurring or has occurred

NIST splits the signs Detection feeds on into two: a precursor is a sign an incident may occur in the future (e.g., a vulnerability scan probing your range), while an indicator is a sign an incident may be happening now or already has (e.g., antivirus alerting on malware). Most detection work is reacting to indicators, since precursors are rare. Both are noisy and not guaranteed accurate, which is why analysis and triage live in the Detection step.

Trap Labeling a live antivirus malware alert a precursor, or a vulnerability scan against your range an indicator, when a precursor warns of a future incident and an indicator signals one now.

Reporting runs throughout the lifecycle to a stakeholder list set in advance

Once an incident is analyzed and prioritized, the team notifies the predefined individuals so each plays their role; the IR policy fixes what is reported, to whom, and when. Typical recipients run from the CIO and head of information security internally out to senior management, legal, the privacy/DPO office, public relations, and any external regulators or partners that breach-notification law or contract requires. Although shown as one (ISC)² step, reporting is continuous from detection onward, not a single moment.

Trap Treating reporting as a single notification fired once at the end, when it runs continuously from detection onward to a predefined stakeholder list.

2 questions test this
Recovery restores systems to normal and verifies they work, then hardens against the repeat attack

In recovery, administrators restore affected systems to normal operation, confirm they are functioning normally, and remediate any exploited weaknesses by restoring from known-clean backups, rebuilding from scratch, replacing compromised files, patching, rotating credentials, and tightening the perimeter. NIST notes recovery often raises logging and monitoring on the restored systems, because once a resource is successfully attacked it is frequently attacked again.

Trap Calling the act of identifying and closing the exploited vulnerability part of Recovery, when eliminating the root-cause weakness is Remediation/eradication and Recovery restores and verifies normal operation.

2 questions test this
Remediation (eradication) eliminates incident components and closes the exploited vulnerability

Remediation maps to NIST eradication: deleting malware, disabling breached accounts, and identifying and mitigating every vulnerability the attacker exploited, after first finding all affected hosts. NIST advises a phased approach with prioritized steps; for large-scale incidents recovery can take months, with quick high-value changes first and longer-term infrastructure changes later. For some incidents eradication is unnecessary or folded into recovery.

Trap Assuming eradication is always a mandatory standalone step, when NIST notes it is sometimes unnecessary or folded into recovery.

Hold the lessons-learned meeting within several days of the incident's end and feed fixes back into preparation

Lessons Learned is the structured post-incident review NIST calls one of the most important and most often omitted steps; the meeting should be held within several days of the incident's end while memory is fresh. It reviews what happened, how well staff and procedures performed, what was needed sooner, and what corrective actions prevent recurrence, then those changes update the plan and controls. Multiple lesser incidents can be covered in a single meeting.

Trap Choosing 'add more monitoring' or 'apply another patch' as the recurrence fix when the question is really testing the review step that decides which control to change.

2 questions test this
Skipping lessons learned is the classic process failure that lets the same incident recur

The most common incident-management failure on the exam is omitting the post-incident review, because without it no control, procedure, or detection rule gets updated and the identical incident returns. NIST flags lessons learned as the step teams most often drop. When a question describes a recurring incident with no process change, the gap being tested is almost always the missing lessons-learned loop.

1 question tests this
Build the CSIRT, plan, and contact tree during Preparation, before any incident

The Computer Security Incident Response Team (CSIRT), also called CIRT or CERT, is the standing capability that runs the lifecycle, and the CISSP point is that it, the response plan, the escalation matrix, and the tooling are all established in NIST's Preparation phase. During a live incident the team executes a plan rather than improvising one. NIST notes containment is far easier with predetermined strategies, and the same holds for escalation and notification.

Trap Assembling the team or writing the notification list during the incident. The middle of a crisis is the worst time to decide who responds and who is told.

1 question tests this
Pick the CSIRT structure to fit the organization: central, distributed, or coordinating

NIST lists three team structures. A central incident response team handles all incidents and suits small or geographically concentrated organizations. Distributed incident response teams assign each team a logical or physical segment and suit large or spread-out organizations, but must roll up to one coordinated entity for consistency. A coordinating team advises other teams without authority over them, a CSIRT for CSIRTs. Staffing is separate: in-house, partially outsourced (often 24/7 monitoring to an MSSP), or fully outsourced.

Trap Assuming a coordinating team holds authority over the teams it advises, or that distributed teams need not roll up to one coordinated entity.

Escalation follows a predefined path that moves an incident up the severity and authority ladder

Escalation is the documented path that raises an incident to higher severity tiers and decision-makers when it exceeds the current handler's scope or crosses defined thresholds. Like the team itself, the escalation matrix is set in the IR plan in advance so that no one is deciding who has authority mid-crisis. Reporting then walks the predefined notification list rather than figuring out recipients on the fly.

Trap Conflating escalation with reporting, when escalation raises an incident up the severity and authority ladder while reporting walks the predefined notification list.

2 questions test this
NIST SP 800-61 Rev. 3 re-casts incident response onto the CSF 2.0 Functions, but the four-phase model still teaches the exam

The current revision, NIST SP 800-61 Rev. 3 (2025), drops the four named phases and aligns incident response to the Cybersecurity Framework 2.0 Functions (Govern, Identify, Protect, Detect, Respond, Recover) as a CSF Community Profile. For the exam, the four-phase Rev. 2 lifecycle remains the canonical teaching model and tracks the (ISC)² seven steps; the two revisions describe the same activities and do not conflict.

Trap Assuming Rev. 3's move to the CSF 2.0 Functions invalidates the four-phase lifecycle, when both revisions describe the same activities and do not conflict.

Detective & Preventive Controls

Read full chapter
  • A control's category is the job it does, not its label: preventive stops, detective notices
  • A firewall can only stop what its inspection layer lets it see
  • Packet-filtering firewalls are stateless and cannot tell a real reply from a forged one
  • Stateful inspection tracks connections so it admits only return traffic it saw begin
  • An application proxy terminates and re-originates the connection at Layer 7, hiding internal hosts
  • A WAF reads HTTP bodies to block app attacks a network firewall is blind to
  • A next-generation firewall consolidates app awareness, IPS, and identity into one device
  • IDS detects and alerts; IPS sits inline and blocks
  • Allowlisting is default-deny and blocks the unknown; denylisting is default-allow and fails open
  • Signature-based anti-malware is fast but blind to anything not yet in its database
  • Heuristic catches variants by structure; behavior-based catches the novel by watching it run
  • A sandbox contains and observes an unknown; a honeypot lures and studies an attacker
  • A honeypot may entice but never entrap
  • You can outsource the security operation to an MSSP, but never the accountability
  • ML/AI security tools detect by baseline deviation, and can themselves be attacked
  • Layer preventive and detective controls because no single control suffices

Unlock with Premium — includes all practice exams and the complete study guide.

Patch & Vulnerability Management

Read full chapter
  • Treat patching as preventive maintenance, not firefighting
  • A vulnerability is a risk with four responses: accept, mitigate, transfer, avoid
  • Only a patch or upgrade removes the flaw without removing function
  • When patching can't run now, choose another response on purpose
  • An accurate, continuously-updated asset inventory is the foundation
  • Prioritize patching per asset, using business context, not per software version
  • Know the CVSS severity bands
  • Active exploitation is the sharpest prioritization signal; use the CISA KEV catalog
  • Test before broad rollout via phased deployment to canary assets
  • Every deployment needs a back-out plan
  • Validate a patch's authenticity and integrity before installing it
  • Routine patches reach production through change management
  • Emergency patching is expedited but still validated and documented
  • Verify and monitor: deployed is not the same as fixed
  • Unpatchable assets get compensating controls, not a pass
  • Plan responses in advance so a new flaw triggers a pre-approved play
  • Reduce how much you have to patch by shrinking the attack surface
  • Patch metrics must be actionable, weighing vulnerability and asset importance
  • CVSS has Base, Temporal, and Environmental groups. Use Environmental to localize severity to your context
  • Deferring or accepting a vulnerability needs a formal, time-bound risk acceptance signed by the accountable owner

Unlock with Premium — includes all practice exams and the complete study guide.

Change Management

Read full chapter
  • Change management is the approval process; configuration management is the technical state
  • Run every change through request → impact analysis → approval → test → implement → document → review
  • Run a security-impact analysis before approving any change
  • Never approve a change without a documented back-out (rollback) plan
  • The Change/Configuration Control Board owns the approval decision
  • The approver must be independent of the requester (separation of duties)
  • The CCB is cross-functional, and some members advise without voting
  • Preapprove low-risk routine changes as standard changes against documented criteria
  • Emergency changes are expedited, then governed retroactively, never skipped
  • Test approved changes before they reach the operational environment
  • Do the post-implementation review to confirm the change landed as approved
  • Unmanaged, ad-hoc change is a leading cause of outages and breaches
  • Configuration change control maps to NIST controls CM-3, CM-4, and CM-5
  • An ECAB authorizes genuinely urgent changes fast; objective criteria keep the emergency path from becoming a convenience channel

Unlock with Premium — includes all practice exams and the complete study guide.

Recovery Strategies

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Pick the cheapest recovery option that still meets the RTO, not the fastest one available

A recovery strategy is funded against requirements set upstream by the BIA, so the correct choice is the least expensive solution that still satisfies the RTO. NIST SP 800-34 frames this as a cost-balance point: the cost of disruption rises the longer an outage runs, while the cost to recover rises as the RTO shortens, and the optimum sits where the two curves cross. A hot site for a process whose RTO is a week is wasteful over-provisioning, just as tape-only is negligent under-provisioning for a process needing minutes.

Trap Choosing the fastest-recovering site regardless of cost when the stem only asks for a strategy that meets the stated RTO.

3 questions test this
RTO drives site choice; RPO drives backup cadence: two dimensions, two controls

Time-to-recover is served by the recovery site (cold/warm/hot/mobile/cloud) and is the RTO dimension; data-loss tolerance is served by the backup or replication regime and is the RPO dimension. A durable design names both targets, then picks a site to meet the RTO and a backup frequency to meet the RPO. Over-investing in one while ignoring the other is a common design gap: a hot site with weekly backups still loses a week of data.

Trap Upgrading the recovery site to shrink the RPO when only the backup or replication cadence moves the RPO; a faster site cuts the RTO but recovers no fresher data.

4 questions test this
Cold, warm, and hot sites are one spectrum: cost and recovery speed rise together

The three classic alternate sites differ only in how much you pre-stage. A cold site has space, power, cooling, and connectivity but no installed hardware or current data, so it is cheapest to keep but takes weeks to activate. A hot site is fully equipped and continuously data-synchronized, so it activates in minutes to hours but costs the most. A warm site stages hardware and connectivity while data restores from backups, activating in hours to days at moderate cost. Faster recovery always costs more, moving cold to warm to hot.

Trap Conflating standing cost with activation speed: cold is cheapest to hold but slowest to activate, while hot is the opposite; they move in opposite directions.

8 questions test this
Use a mobile site when the building or location itself is the problem

A mobile site is a self-contained, transportable shell (often a trailer) fitted with the telecommunications and IT equipment a system needs, delivered to a chosen location. It is the right answer when the primary facility is destroyed or inaccessible, the operation must relocate, or the site is remote: situations a fixed cold/warm/hot site does not address. NIST notes a mobile site can often be delivered within about 24 hours, though installation and setup add to that response time.

Trap Reaching for a fixed hot site when the stem's problem is that the location itself is lost or inaccessible; a transportable mobile site is what addresses relocation, not a faster fixed facility.

A mirrored or multi-active-site setup gives near-100% availability at the highest cost

A mirrored site is a fully redundant facility with automated real-time data mirroring, identical to the primary in all technical respects, and is the most expensive option but ensures virtually 100% availability. Running across multiple active processing sites the organization already operates achieves the same near-instant failover and earns its keep daily rather than sitting idle. Reach for this only when the RTO is near zero and the process criticality justifies the standing cost.

Trap Selecting a mirrored site for a process whose RTO is hours or days; its near-100% availability is real but the standing cost is unjustified over-provisioning unless the RTO is near zero.

Cloud and DRaaS are the same site spectrum delivered as pay-per-use capacity

Cloud recovery, including Disaster-Recovery-as-a-Service (DRaaS), is not a separate philosophy but the cold-warm-hot spectrum sold on demand: replicate continuously for a hot-site-like near-zero RTO, or hold images and spin up on failover for a longer RTO, paying mostly for storage until the disaster. Cloud also delivers geographic separation by default through provider regions and zones. The catch is the same as any backup: restore time bounded by network egress must be tested against the RTO.

Trap Assuming cloud or DRaaS guarantees a near-zero RTO by default when a storage-only, spin-up-on-failover tier recovers no faster than the egress and rebuild time it actually takes.

A reciprocal agreement is cheap but unreliable, so it is rarely the BEST answer

A reciprocal agreement (mutual-aid pact) has two organizations agree to host each other's processing in an emergency; it costs little and needs no dedicated facility. But it is fragile at disaster scale: the partner may lack spare capacity, hardware and software may be incompatible, a regional event can hit both parties at once, and hosting a peer's data raises confidentiality concerns. It is widely treated as a last resort, not a primary strategy.

Trap Selecting a reciprocal agreement as the primary recovery strategy when a dedicated alternate site is among the options: its capacity and availability cannot be relied on in a real disaster.

1 question tests this
Store at least one backup copy offsite, because an onsite-only backup dies with the data it protects

It is standard practice, and NIST guidance, to store backed-up data offsite, because an onsite-only copy is destroyed by the same fire, flood, or site-wide ransomware that destroys production. When selecting an offsite facility the first criterion is geographic distance and the probability of the storage site being hit by the same disaster as the primary. Onsite copies still earn their place for fast everyday restores (a deleted file), but they cannot be the only copy.

Trap Adding more onsite backup copies or a bigger disk array as the fix for a site-wide disaster: neither survives an event that destroys the whole facility.

1 question tests this
Follow the 3-2-1 rule: three copies, two media types, one offsite

The widely taught backup rule is 3-2-1: keep at least three copies of the data, on two different media types, with at least one copy stored offsite. The offsite copy is the load-bearing element that survives a local disaster; the two-media requirement guards against a single media-type failure mode. Cloud storage is the modern way to satisfy the offsite leg while adding geographic separation by default.

Trap Counting three copies on a single disk array or media type as satisfying 3-2-1; the rule also requires two different media and one offsite copy, which a single array meets neither of.

2 questions test this
A backup is only a recovery capability if its restore is tested against the RTO

NIST is explicit that backup tapes should be tested regularly to confirm data is stored correctly and files can be retrieved without errors or loss. A copy that cannot be restored within the RTO, because the media is unreadable, the job was incomplete, or egress is too slow, is not a recovery capability, only a false sense of one. Restore testing belongs to every backup tier, including cloud.

Trap Treating a successful backup job or a green backup log as proof of recoverability when only a tested restore confirms the data is readable and recoverable within the RTO.

Incremental minimizes backup time but has the slowest restore; differential is the reverse

An incremental backup copies only data changed since the last backup of any kind, so it is the fastest to take but a restore needs the last full plus every incremental replayed in order. A differential copies all data changed since the last full backup, so each one grows over time but a restore needs only the last full plus a single differential. The trade is direct: shortest backup window (incremental) costs the longest restore, and vice versa.

Trap Choosing incremental backups to get a fast recovery: incremental has the slowest restore because you must apply the full plus every increment in sequence.

2 questions test this
Full and incremental backups clear the archive bit; differential does not

The archive bit is the mechanism behind 'since last backup' versus 'since last full.' Full and incremental backups clear the archive bit when they run, so the next incremental only captures what changed afterward. A differential leaves the archive bit set, which is why every differential keeps capturing everything changed since the last full until a new full resets the baseline. A full backup copies everything and gives the fastest, single-set restore.

Trap Assuming a differential backup clears the archive bit like an incremental does; a differential leaves it set, which is exactly why each differential keeps re-capturing everything since the last full.

1 question tests this
RAID protects against disk failure, but it is not a backup

RAID (Redundant Array of Independent Disks) keeps data available across a physical disk failure, but it faithfully replicates deletion, corruption, and ransomware to every mirror in real time, so it cannot stand in for backups. It defends only the disk-hardware layer; logical data loss still requires a restorable, ideally offsite, backup. Treat RAID as availability for disks and backup as the recovery-from-data-loss control: they are not interchangeable.

Trap Treating a RAID array as a substitute for offsite backups: RAID copies a malicious deletion or ransomware encryption to every disk instantly.

Know the common RAID levels, and that RAID 0 has no redundancy

RAID 0 stripes data for performance and provides no redundancy, so losing one disk destroys the array: a deliberate exam trap because the name implies protection. RAID 1 mirrors; RAID 5 stripes with single parity and survives one disk failure; RAID 6 uses double parity and survives two; RAID 10 mirrors then stripes for both speed and redundancy. Match the level to whether the requirement is performance, fault tolerance, or both.

Trap Assuming RAID 0 adds fault tolerance because it is a RAID level: RAID 0 is pure striping with zero redundancy and a single disk loss wipes the array.

Fault tolerance means zero interruption; high availability means minimal downtime

Fault tolerance lets a component fail with zero interruption because a redundant element carries the load transparently (mirrored disks, dual power supplies). High availability (HA) instead restores the service fast, typically through clustering and automatic failover, so downtime is minimal but not strictly zero, which NIST scopes as achieving roughly 99.999% uptime or better. The two are not synonyms: a requirement for no interruption at all calls for fault tolerance, while a requirement for fast recovery from failure calls for HA.

Trap Using fault tolerance and high availability interchangeably: the exam rewards distinguishing zero-interruption (fault tolerance) from minimized-but-nonzero downtime (HA).

Use QoS to keep critical traffic alive when the network is congested

Quality of Service (QoS) is the availability control for the network: it reserves bandwidth for and prioritizes critical traffic so that, under contention, a flood of low-priority traffic cannot starve the systems that must stay up. It protects availability at the transport layer the way RAID and clustering protect it at the storage and compute layers. QoS does not add capacity: it allocates scarce capacity to what matters most.

Trap Reaching for QoS to solve a network that is genuinely under-provisioned; QoS only prioritizes existing bandwidth under contention and adds no capacity, so a saturated link still needs more bandwidth.

Redundancy at one layer does not eliminate a single point of failure at another

True resilience removes the single point of failure (SPOF) at every layer the service depends on, not just the one that is easy to harden. A fault-tolerant RAID array on a server with one power feed and one network uplink is still a SPOF, because the power or the uplink can take the whole system down regardless of the disks. Audit each dependency (disk, power, network, site) and add redundancy wherever a single failure halts the service.

Trap Declaring a system resilient because one layer is redundant; a fault-tolerant disk array still fails entirely on a single power feed or network uplink that was never made redundant.

Write-ahead logging plus transaction logs deliver point-in-time recovery and roll back incomplete transactions

Write-ahead logging (WAL) records each change in the log on durable storage before the data file is modified, which is what guarantees committed transactions survive a crash (the durability in ACID). On restart, recovery analyzes the log from the last checkpoint to find transactions in flight, replays committed log records forward to reach a chosen timestamp (point-in-time recovery), and undoes the operations of incomplete transactions to restore a consistent state. A damaged or un-backed-up tail of the log means everything since the last log backup is unrecoverable.

Trap Assuming a full database backup alone enables point-in-time restore: without the transaction-log chain you can only recover to the backup instant, losing every change since.

6 questions test this

Disaster Recovery

Read full chapter
  • DR restores the technology; the BCP keeps the business mission running
  • Disaster recovery is invoked only when the disruption forces relocation
  • DRP moves the site; each system's own contingency plan then rebuilds it
  • DR plan execution runs in three ordered phases
  • Plan activation is gated by predefined activation criteria
  • A single designated authority declares the disaster, with a named successor
  • Personnel safety always outranks system recovery
  • Damage/outage assessment determines how the plan is implemented
  • A call tree is the canonical manual notification method
  • Recover in BIA-priority order, most-critical systems first
  • Within a system, restore the operating system before the application and data
  • Recovery includes escalation triggers for more staff and resources
  • Reconstitution validates the recovered system, then deactivates the plan
  • The disaster is over at formal deactivation, not when systems power back on
  • Close the loop with an after-action report and lessons learned
  • Only designated, authorized spokespeople talk to the public
  • DR is run by pre-staffed teams under one decision authority
  • DR plans are checklists built in advance, not improvised in the crisis
  • Pre-establish alternate, out-of-band communication channels for use when primary comms fail or are compromised

Unlock with Premium — includes all practice exams and the complete study guide.

DR Testing

Read full chapter
  • Order the DR test ladder cold: read-through, walk-through/tabletop, simulation, parallel, full-interruption
  • Rigor and operational risk rise together up the ladder because proving more means touching more real systems
  • Full-interruption is the most thorough test and the riskiest: it can cause a real outage
  • Full-interruption needs formal management risk acceptance before it is scheduled
  • A parallel test proves the recovery site without ever cutting production over
  • Use full-interruption for maximum assurance; parallel when production must stay safe
  • A read-through (checklist) test is paper review only: cheapest and run most often
  • A tabletop (structured walk-through) test is discussion only: no equipment is deployed
  • A simulation test acts out the scenario in a mock setting but performs no real recovery
  • The deploy-equipment line sits between simulation and the two bottom rungs
  • Every test exists to find weaknesses and feed plan updates: a test with no corrective action is wasted
  • After a test finishes, the next step is to update the plan, not to schedule the next-higher test
  • Match the test rung to the system's criticality: higher availability demands a higher rung
  • Test on a planned cadence and after any significant change: an untested change is an untested plan
  • Start a new or just-changed plan low on the ladder, not with a live test
  • DR testing validates the chosen recovery strategy; it does not select the site or set RTO/RPO
  • DR testing rehearses the recovery process; it is not the live disaster recovery itself
  • DR testing is narrower than business-continuity exercising

Unlock with Premium — includes all practice exams and the complete study guide.

Business Continuity Planning

Read full chapter
  • The BCP is the umbrella that keeps the business running; the DRP is its IT subset
  • Continuity planning protects the business; contingency planning protects the systems
  • BCP is a recurring program, and authoring the plan is its midpoint, not its end
  • A plan is a living document that must be reviewed on a cadence and on significant change
  • Testing, training, and exercises are three distinct activities, not synonyms
  • A tabletop exercise is discussion-based only; a functional exercise has staff perform their duties
  • An unexercised plan is an untested assumption, so exercising surfaces the gaps
  • Train recovery personnel at least annually, and new appointees shortly after appointment
  • Store a plan copy at the alternate site and with the backup media so it survives the disaster
  • Mark and control distribution because the plan holds sensitive information
  • Enforce strict version control by recalling old plan pages when new ones are issued
  • Run the BIA before choosing recovery solutions or sites
  • The ISCP recovers one system regardless of site; the DRP is site-specific relocation
  • Document every exercise in an after-action report and feed lessons learned back into the plan

Unlock with Premium — includes all practice exams and the complete study guide.

Physical Security

Read full chapter
  • Every physical control serves one of five functions: deter, deny, detect, delay, respond
  • CCTV detects and (if visible) deters, but never denies: it stops no one
  • A security guard is the only physical control that exercises judgment and responds
  • A fence only deters and delays: given time and tools, any fence is defeated
  • Bollards and vehicle barriers address the vehicle threat a fence alone does not
  • Lighting is a deterrent and a detection enabler, not a barrier
  • Lay out a facility as concentric zones of decreasing public access
  • No access-control device stops tailgating: it is an enforcement gap, not a device failure
  • An access-control vestibule (mantrap) enforces single-person passage
  • Full-height turnstiles enforce one-person passage; optical turnstiles only detect it
  • A lock is a deny-and-delay control, never absolute: its rating sets the delay
  • Re-key locks and change combinations when a key/combination holder leaves or it is compromised
  • Electronic locks let you grant, revoke, schedule, and log access centrally without re-keying
  • A proximity card is read wirelessly; a smart card carries a chip and resists cloning
  • A reader grants on the credential, not the person, so it logs one entry even when two enter
  • Motion, contact, and glass-break sensors detect intrusion: they never deny it
  • Intrusion alarms work in conjunction with barriers, access control, and guards
  • Escort visitors and keep visitor access records as procedural reinforcement
  • Fire, HVAC, power, and siting are facility-engineering, not perimeter/internal access controls
  • Human life outranks every asset: egress fails safe (unlocked) when people are inside

Unlock with Premium — includes all practice exams and the complete study guide.

Personnel Safety

Read full chapter
  • Human safety is the overriding priority and outranks every asset
  • No one re-enters a dangerous building to retrieve or protect data
  • A life-safety egress door must fail-open, not fail-secure
  • "Fail-safe" flips direction depending on whether the greater harm is to people or assets
  • OT and ICS treat safety as an overarching priority above the CIA ordering
  • An occupant emergency plan documents how people get out safely
  • Evacuate and account for people first; consider property only afterward
  • Safety wardens direct the evacuation and take the headcount at the muster point
  • Emergency power and emergency lighting keep egress usable when normal power fails
  • A duress code signals coercion silently while behaving like the normal code
  • A panic button raises a silent alarm for a coerced or threatened person
  • For risky travel, carry clean burner devices that hold no sensitive data
  • Encrypt, enforce strong MFA, and use privacy screens against shoulder-surfing while traveling
  • MFA-fatigue push-bombing wears a target into approving a malicious prompt
  • Social-media oversharing can expose a traveler's location and itinerary to a threat
  • An insider carrying data abroad is a personnel-safety-relevant insider-threat case
  • A duress control addresses coercion that a lock, camera, or extra factor cannot

Unlock with Premium — includes all practice exams and the complete study guide.

Software Development Security

Security in the SDLC

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Build security into every SDLC phase, never bolt it on at the end

Security is a property engineered into each phase of the Software Development Life Cycle, not a single test before release. Requirements owns security requirements and abuse cases, design owns threat modeling, coding owns secure standards and static analysis, testing owns security and penetration testing, and operation owns patching and monitoring. A program that only reviews security just before go-live has already lost, because gaps in earlier phases have hardened into vulnerabilities by then.

A flaw costs more to fix the later it is found, so shift security left

The cost to correct a defect rises sharply across the life cycle: a missing security requirement is cheapest to fix while it is still a sentence in a document and most expensive once it is live code, because a late fix forces reworking design, code, tests, and a re-release. This cost-of-correction curve is the economic case for shifting security left: moving requirements, threat modeling, and testing earlier so defects surface when they are cheap to fix.

Trap Answering that security is cheapest to address during testing or after deployment: that is the expensive end of the curve.

3 questions test this
Prefer building security in over penetrate-and-patch

Building security in means designing controls into the software proactively from requirements onward; penetrate-and-patch means shipping, waiting to be attacked or scanned, then fixing. Building in is cheaper and safer because it avoids the high end of the cost-of-correction curve and the window of exposure that penetrate-and-patch leaves open. Penetrate-and-patch is reactive and should never be the primary strategy.

Trap Accepting penetrate-and-patch as a legitimate primary strategy because patches still get released, when it is reactive and leaves a window of exposure.

The methodology sets the cadence; security must adapt to it

Development methodologies differ mainly in how they sequence and repeat the SDLC phases: Waterfall runs them once in strict order, Agile repeats them in short sprints, DevOps runs them continuously in a CI/CD pipeline. There is no single 'most secure' methodology; the secure choice depends on requirement stability and release cadence. Security practices are fitted into whichever model is used rather than the model being chosen for security.

Trap Claiming one methodology (e.g. Waterfall) is inherently the most secure: fit depends on the requirements and cadence.

Waterfall runs phases once in sequence; its risk is costly late fixes

Waterfall executes the SDLC phases one time in strict order, each phase completing before the next starts, which suits stable, well-understood, fixed-scope requirements such as regulated work. Its security weakness is that a flaw found in a late phase is very expensive to retrofit, because earlier phases are already closed. Security in Waterfall is a defined activity inside each sequential phase.

Trap Assuming Waterfall lets you freely loop back to revise an earlier phase mid-project, when that iterative reworking is the Agile model, not strict Waterfall.

Agile delivers in sprints, so security must be in each sprint's definition of done

Agile reworks the phases in short iterative sprints, reshaping requirements as feedback arrives, which fits evolving requirements that need frequent delivery. Security can slip between iterations unless it is part of every sprint's definition of done: security user stories, per-sprint review, and testing. The risk is deferring security to a 'later' sprint that never has room for it.

Trap Reading Agile's speed and light documentation as license to skip security activities until a dedicated 'security sprint' later.

1 question tests this
DevSecOps embeds automated security gates into the DevOps pipeline

DevOps fuses development and operations into a continuous integration and delivery (CI/CD) pipeline that releases frequently; DevSecOps is the variant that builds security in as automated, continuous gates inside that pipeline: dependency scanning, static and dynamic analysis, policy checks. The goal is for security to keep pace with a fast release cadence rather than become a manual bottleneck before each release.

Trap Treating DevSecOps as a separate manual security review bolted onto DevOps: its point is automated, in-pipeline, continuous security.

The SSDF (NIST SP 800-218) is methodology-agnostic and added to your existing model

NIST's Secure Software Development Framework, SP 800-218, is deliberately methodology-agnostic: it states that few SDLC models address software security in detail, so its practices are meant to be added to and integrated with whatever model a team already uses. Its four practice groups are Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), and Respond to Vulnerabilities (RV). It is guidance to integrate, not a methodology that replaces Waterfall, Agile, or DevOps.

Trap Picking the SSDF as a replacement SDLC methodology a team adopts instead of Waterfall or Agile, when it is guidance layered onto whatever model is already in use.

The original SW-CMM has five levels: Initial, Repeatable, Defined, Managed, Optimizing

The Software Engineering Institute's original Capability Maturity Model rates process discipline on five ascending levels: 1 Initial (ad-hoc, hero-driven), 2 Repeatable (basic project management), 3 Defined (standardized organization-wide), 4 Managed (measured quantitatively), and 5 Optimizing (continuous improvement). The ladder climbs from chaos to metrics-driven improvement, and an organization benchmarks itself against it to plan improvement.

Trap Mixing in the CMMI names: the original CMM level 2 is 'Repeatable', not 'Managed'.

1 question tests this
CMMI keeps five levels but renames level 2 to Managed and level 4 to Quantitatively Managed

CMMI, the successor to SW-CMM now maintained by ISACA (formerly the SEI), keeps the five-level ladder but changes two names: level 2 becomes Managed (was Repeatable) and level 4 becomes Quantitatively Managed (was Managed). The shape of the ladder is the same; only the labels at levels 2 and 4 moved. This name collision ('Managed' meaning level 2 in CMMI but level 4 in the old CMM) is a frequent exam trap.

Trap Reading 'Managed' as level 4 when the question is about CMMI, where 'Managed' is level 2 and level 4 is 'Quantitatively Managed'.

OWASP SAMM is prescriptive: it tells you which practices to adopt

OWASP SAMM (Software Assurance Maturity Model) is a prescriptive software-security maturity model: it defines 15 security practices grouped into 5 business functions (Governance, Design, Implementation, Verification, Operations) each with three maturity levels of activities, and tells an organization what to adopt next. It is technology- and process-agnostic, so it works across any methodology. Use it to set target activities and measure progress toward them.

Trap Labeling SAMM as descriptive like BSIMM, when SAMM prescribes target activities to adopt while BSIMM only reports observed practices.

1 question tests this
BSIMM is descriptive: it reports what real firms actually do

BSIMM (Building Security In Maturity Model) is descriptive rather than prescriptive: instead of an ideal to aim at, it observes and reports the activities a large pool of real organizations actually perform, across four domains (Governance, Intelligence, SSDL Touchpoints, and Deployment) so you benchmark your program against peers. SAMM tells you what you should do; BSIMM tells you what others are doing.

Trap Calling BSIMM prescriptive: it documents observed practices for benchmarking, not a target set of best practices.

1 question tests this
Choose a target maturity level by risk and resources, not 'always aim for level 5'

A maturity model lets an organization benchmark and plan improvement, but the right target level is a risk and resource decision, not an automatic climb to the top. Most organizations should not reflexively aim for the highest level; the cost of reaching and sustaining it must be justified by the risk it reduces. The model guides prioritization, not a mandate to maximize.

Trap Choosing the highest maturity level as the universally correct goal, when the right target is the one justified by the organization's risk and resources.

Operation and maintenance is the longest SDLC phase and an active security stage

Once software is released, operation and maintenance is the longest phase of its life, where patching, secure configuration, monitoring, and re-assessment after every significant change keep it secure against new threats. Security work does not stop at deployment; the running system needs continuous attention, including re-running risk assessments when the system or its environment changes materially.

Trap Assuming security work effectively ends once the system is deployed, treating operation and maintenance as passive upkeep rather than an active security stage.

Route every change to released software through change management

During operation, every modification (a patch, a feature, or a configuration tweak) flows through change management: review, test, approve, document, and keep a rollback path, so no change is made without oversight. This prevents a well-meant fix from silently introducing a new vulnerability or breaking an existing control. Skipping change control to ship a fix faster is the wrong move because it deploys unreviewed risk.

Trap Pushing a patch straight to production to fix something fast, bypassing review and testing: that ships unvetted risk.

The Integrated Product Team (IPT) makes security a shared, cross-functional responsibility

An Integrated Product Team is a multidisciplinary group (developers, security, operations, QA, and the business owner) that works a product across its whole life cycle together, so security is a shared responsibility rather than a hand-off to a separate team at the end. The IPT model embeds security expertise alongside development instead of gating it as a late, separate review. It is the staffing pattern behind 'build security in.'

Trap Picturing a standalone security team that receives a finished product to review: the IPT integrates security throughout, not at a hand-off.

2 questions test this
Capture security requirements and abuse cases in the requirements phase

The requirements phase owns security and privacy requirements plus abuse or misuse cases (explicit statements of how the system must resist attack and how an attacker might try to misuse it) alongside an initial risk and data-classification view. Getting these right early is the cheapest point on the cost-of-correction curve, and they drive the threat modeling and control choices made in design. Functional requirements alone, with security added later, is the failure pattern.

Trap Conflating abuse and misuse cases with ordinary functional use cases, when they specify how an attacker tries to break the system, not the intended user behavior.

2 questions test this
Threat modeling belongs to the design phase

Threat modeling (systematically enumerating how a design could be attacked and which controls counter each threat) is a design-phase activity, performed after requirements are set but before code is written, so the architecture can be shaped to resist the identified threats. Done here it is cheap; deferred until after implementation it forces redesign. It feeds the secure-design review and control selection that close out the design phase.

Trap Placing threat modeling in the testing phase alongside penetration testing, when it belongs in design, before code is written, so the architecture can be shaped.

1 question tests this
Disposal is a deliberate security stage, not an afterthought

Retirement and disposal is the final SDLC phase and a deliberate security activity, because a system at end of life still holds data, credentials, keys, and trust relationships. Secure decommissioning sanitizes or destroys media, revokes the system's identities and access, and updates the asset inventory and architecture records. Walking away from a retired system without sanitizing it leaves recoverable data and live trust paths.

Trap Treating disposal as a non-security cleanup step of deleting files and unplugging hardware, skipping media sanitization and revocation of the system's identities and trust paths.

Dev Environment Security

Read full chapter
  • Every tool in the development ecosystem is an attack surface, not just the source code
  • The SSDF (NIST SP 800-218) hardens the environment and artifacts, not just the code
  • Choosing a memory-safe, type-safe language is itself a security control
  • Third-party libraries are inherited risk because a flaw ships inside an already-trusted package
  • Software Composition Analysis inventories dependencies and flags known-vulnerable components
  • An SBOM is a component-transparency layer that speeds response but does not prevent vulnerabilities
  • SAST reads code without running it: earliest, pinpoints the line, but blind to runtime
  • DAST attacks the running app from outside with no source: confirms exploitability but not the line
  • IAST instruments the running app to combine code-level location with runtime confirmation
  • Match the AST method to the flaw class. They are complementary, not interchangeable
  • The SCM repository is the integrity boundary: govern it with least privilege, branch protection, and peer review
  • The CI/CD pipeline is both the enforcement gate and a high-value target
  • Build credentials and signing keys belong in a secrets vault, never hard-coded in pipeline files or source
  • Sign build artifacts so downstream stages and consumers can verify provenance and detect tampering
  • The IDE and developer tool sets are part of the supply chain. Manage and patch them
  • At CISSP altitude, name the control or method and the decision, not the operator keystrokes

Unlock with Premium — includes all practice exams and the complete study guide.

Software Security Effectiveness

Read full chapter
  • Assessing effectiveness means demanding objective evidence, not trusting "no incidents"
  • The authorizing official accepts residual risk, the assessor never does
  • C&A was modernized into A&A: certification became Assess, accreditation became Authorize
  • The Security Assessment Report (SAR) is the assessment deliverable that feeds the risk decision
  • Unresolved weaknesses are tracked on a POA&M, which is not itself a risk acceptance
  • A change must be approved by someone independent of the requestor
  • Emergency changes use an expedited path and are documented retroactively, never skipped
  • Effectiveness is only checkable if the change history is complete and tamper-evident
  • Security metrics must be risk-weighted, not raw counts
  • Defect density normalizes quality so you can compare components and releases
  • Vulnerability recurrence signals that a fix treated symptoms, not root cause
  • SSDF (SP 800-218) groups secure-development practices into PO, PS, PW, RV
  • A CVSS base score is severity, an input to prioritization, not the risk itself
  • Review and test coverage tells you how much your evidence actually speaks to
  • The assessor must be independent of the software's developers and operators
  • Mean time to remediate measures the fix pipeline's responsiveness, not just the find rate
  • A high SAST false-positive rate is a key weakness: it breeds alert fatigue and erodes developer trust
  • Use manual or peer secure code review for business-logic and authorization flaws that automated scanners miss
  • Verify configuration against a baseline with compliance checks; automate them with SCAP

Unlock with Premium — includes all practice exams and the complete study guide.

Acquired Software Security

Read full chapter
  • Acquiring software obtains a capability but never transfers the risk
  • The four acquired-software channels differ by visibility and leverage
  • Match the assessment technique to how much of the software you can see
  • For closed COTS, govern the vendor and still scan the binary yourself
  • A COTS support lifecycle is a security fact, not a procurement detail
  • Open source transfers no liability: there is no vendor and usually no warranty
  • Review the open-source licence before you distribute, not after
  • Transitive dependencies hide most open-source risk, so use SCA
  • An SBOM of what you consume makes "are we affected?" answerable fast
  • For custom-contract software, spend your leverage in the agreement
  • Source-code escrow protects you if a software supplier fails
  • The responsibility boundary slides from IaaS to PaaS to SaaS
  • Data classification, identity, and access stay the customer's in every cloud model
  • For a cloud provider you cannot configure, rely on attestation plus contract
  • Acquired-software assessment and supply-chain risk are different altitudes

Unlock with Premium — includes all practice exams and the complete study guide.

Secure Coding

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Most source-level vulnerabilities are one event: untrusted input reaching a trusting sink

Injection, cross-site scripting, command injection, and buffer overflows are different symptoms of the same root cause: attacker-controlled data is consumed by code that treats it as trusted. The durable fix breaks that chain at the point of consumption (parameterize the query, encode for the output context, bound the write), not by trying to enumerate every malicious payload. Recognizing the shared cause is what lets you pick the structural defense instead of a generic one.

Trap Reaching for a signature filter that enumerates and blocks known malicious payloads instead of breaking the input-to-sink chain at the point of consumption.

2 questions test this
Validate input against an allow-list of known-good, never a deny-list of known-bad

Input validation should accept only input matching the exact expected format, length, and character set (an allow-list / whitelist), because you cannot enumerate every malicious input an attacker might craft, so a deny-list of 'known bad' characters always leaves a gap. Allow-list validation is the cross-cutting first line of defense, but it is defense in depth: it does not replace the sink-specific control (parameterized query, output encoding).

Trap Choosing 'strip or block dangerous characters' (a deny-list) over 'accept only known-good input'. The deny-list is incomplete because not all bad input can be enumerated.

7 questions test this
Defeat SQL injection with parameterized queries, not by escaping characters

OWASP's primary defense against SQL injection is the prepared statement with parameterized queries: it forces the developer to define all SQL code first and bind each parameter later, so the database always distinguishes code from data and an attacker cannot change the query's intent. OWASP's priority order is prepared statements first, then safely-implemented stored procedures, then allow-list validation where a bind variable is impossible (e.g. a table name), and escaping user input is explicitly discouraged as fragile and database-specific.

Trap Selecting 'escape special characters in the input' as the SQL-injection fix. OWASP strongly discourages escaping; parameterized queries are the primary defense.

6 questions test this
Prevent XSS with output encoding matched to the destination context

Cross-site scripting is defeated by encoding untrusted data for exactly the context it lands in: HTML body, HTML attribute, JavaScript, CSS, and URL contexts each have different parsing rules, and using the wrong encoding can itself introduce a weakness. Input validation helps as defense in depth but cannot be the sole XSS control, because the output context is not known at the HTTP request layer where input validation runs; a Content Security Policy is an additional mitigating layer.

Trap Relying on input validation alone to stop XSS. Context awareness is unavailable at the request layer, so output must still be encoded for where it is rendered.

4 questions test this
Defeat command injection by avoiding the shell and using a safe command API

OS command injection occurs when untrusted input is passed to a shell or command interpreter. The root-cause fix is to avoid invoking a shell at all and instead call a parameterized command API with an explicit allow-list of permitted arguments, so attacker input can never be parsed as a new command. The same code-versus-data separation that defeats SQL injection applies here.

Trap Escaping or sanitizing shell metacharacters in the input rather than avoiding the shell entirely and calling a parameterized command API.

Broken access control is the #1 OWASP Top 10:2021 risk: enforce authorization server-side

Broken Access Control moved up to the #1 position in the OWASP Top 10:2021 (from 5th), with 94% of tested applications showing some form of it; access control means users cannot act outside their intended permissions. The coding defenses are structural: deny by default, enforce authorization on the server for every request, and check object ownership before acting, never trust a hidden field, a disabled button, or a client-side check.

Trap Enforcing access control only in the client (hiding a button, disabling a field). The authorization check must run server-side on every request.

Buffer overflows are fixed by bounds checking; canaries, ASLR, and DEP only raise the bar

A buffer overflow writes past a fixed-size buffer because no bounds check constrains the write, and overwriting a return address can let an attacker execute code. The root-cause defenses are bounds checking and memory-safe languages or functions. Compiler and OS mitigations (stack canaries, Address Space Layout Randomization (ASLR), and Data Execution Prevention (DEP / non-executable stack)) make exploitation harder but do not remove the underlying flaw.

Trap Treating ASLR/DEP/stack canaries as the fix. They are hardening layers that raise the cost of exploitation, not a substitute for bounds checking.

Integer overflow wraps silently and often enables a later buffer overflow

An integer overflow is arithmetic that exceeds the type's range and wraps around silently, frequently producing an undersized allocation or a bypassed length check that then enables a buffer overflow. The defense is to perform range and overflow checks before the value is used to size or index memory, not after.

Trap Validating the arithmetic result after the operation, when the value has already wrapped, instead of range-checking the operands before the computation.

Fix a race condition (TOCTOU) by making check-and-act atomic

A race condition, specifically a time-of-check-to-time-of-use (TOCTOU) flaw, occurs when state changes between a security check and the action that relied on it, so the action operates on conditions that no longer hold. The fix is to make the check and the use a single atomic operation, using locking or atomic APIs, rather than two separable steps an attacker can interleave.

Trap Re-checking the condition immediately before use to shrink the window instead of making check-and-act atomic, since a narrower window is still a window an attacker can interleave.

1 question tests this
Know what each weakness taxonomy is FOR: Top 10, CWE, CVE, ASVS, CERT

The OWASP Top 10 is a ranked awareness document of web-application risk categories, not a checklist. CWE (MITRE's Common Weakness Enumeration) is the dictionary of weakness types, e.g. CWE-89 SQL injection, CWE-79 XSS. CVE is a different thing: one specific vulnerability instance in one product (an instance of a CWE). ASVS is OWASP's tiered catalog of requirements you verify an application against, and CERT/SEI standards give language-specific coding rules.

Trap Answering 'CVE' when the question asks for the weakness type. A CVE is one instance in a product, whereas the weakness category is a CWE.

2 questions test this
NIST SP 800-218 (SSDF) organizes secure development into four practice groups

The NIST Secure Software Development Framework (SSDF), SP 800-218, is a set of high-level secure software development practices meant to be integrated into any SDLC rather than replacing it. Its four practice groups are Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), and Respond to Vulnerabilities (RV).

The top API risk is Broken Object Level Authorization: authorize the object, not just the caller

Broken Object Level Authorization (API1 in the OWASP API Security Top 10) is the dominant API failure: an authenticated user reaches another user's object simply by changing an ID in the request, because the server authenticated the caller but never verified that this caller may access that specific object. The fix is an ownership/authorization check on every object reference, performed server-side.

Trap Assuming an authenticated caller may act on any object whose ID they can supply. Authorization must be checked per object, not just at login.

Broken Object Property Level Authorization covers excessive data exposure and mass assignment

Broken Object Property Level Authorization (OWASP API Security Top 10) combines the older 'excessive data exposure' and 'mass assignment' problems: the API returns more object fields than the caller should see, or accepts more fields than the caller should set, then relies on the client to filter. The fix is to authorize access at the property level on the server and return or accept only the fields appropriate to the caller, never filtering in the UI.

Trap Returning a full object and hiding extra fields in the client. The sensitive properties still travel to the caller and can be read directly.

Rate-limit APIs to prevent unrestricted resource consumption and brute force

Rate limiting is a first-class API control because an API request consumes network bandwidth, CPU, memory, and storage; without limits an attacker can drive a denial of service or brute-force credentials and other guessable values. This corresponds to Unrestricted Resource Consumption in the OWASP API Security Top 10, and pairs with schema-based request validation that rejects any body or parameter not matching a declared schema.

1 question tests this
Software-defined security expresses controls as version-controlled code

Software-defined security defines security controls as code and configuration (policy-as-code and infrastructure-as-code for segmentation, identity, and security-group rules) rather than hand-applying settings. The payoff is consistency (the same control everywhere, no drift between a hand-configured box and its twin) and auditability (every change is a reviewable, attributable commit), inheriting code's review, testing, and rollback discipline.

1 question tests this
A WAF is a compensating layer, not the root-cause fix for a code-level flaw

A web application firewall can filter some malicious requests and buy time, but it is a compensating control layered on top of the application, not the root-cause defense. When a scenario describes a code-level vulnerability such as SQL injection or XSS, the correct answer is the secure-coding practice (parameterize the query, encode the output, validate input). The WAF is supplementary.

Trap Selecting 'deploy a WAF' as the fix for a described code-level injection flaw. It mitigates but does not remove the vulnerability; the code-level control does.

Server-side validation is the only authoritative control; client-side checks are trivially bypassable

All security-relevant input validation must be enforced on the server and treat every client input as untrusted, because an attacker can disable JavaScript, use a browser dev tool, or send crafted HTTP requests through a proxy that never run the client-side checks. Client-side validation is for user-experience feedback only, never for security.

Trap Thorough client-side JavaScript validation is NOT a substitute and does not make server-side validation redundant.

5 questions test this