My CISSP 2024 Study Approach Notes

cissp

My 2024 ISC2 Certified Information Systems Security Professional (CISSP) certificate
My CISSP certification Credly badge


CISSP Study Approach

  1. Watch YouTube videos and make notes (see the playlist in the section below).
  2. Do the questions from the official study questions, 4th edition, and the official study guide, 10th edition.
  3. Use the latest paid version of ChatGPT as a study buddy: upload documents and images, and ask it for detailed explanations of both the wrong and the correct answers.
  4. Make mnemonic stories and whiteboard drawings for each CISSP security domain (see mine below).
  5. Keep updating the notes while redoing questions and answers repeatedly.
  6. Repeat all the steps above, rewatch the YouTube videos, and, yes, update the study notes again.

Note:

My employment roles and experience as a security engineer, security analyst and penetration tester in cybersecurity helped,
and my years before security provided my foundation skills,
but studying for the 2024 CISSP I learned a tremendous volume of data that filled in knowledge gaps.


CISSP Domain Whiteboards

YouTube Training Playlist

I watched the following videos several times, making my own notes directly from their content, questions and explanations for the ISC2 CISSP 2024 exam.

2024 CISSP List of Videos


CISSP Questions Key Phrases

CISSP questions often involve distractors and complexity to challenge the understanding of the nuances in security principles.
The key is to read questions carefully, focus on what is being asked, and consider all answer choices critically, looking for the one that aligns most closely with the best practices or principles within the domain of the question.

When analyzing CISSP questions, several key phrases and techniques are used to create ambiguity and challenge the test-taker.
These elements are designed to test your critical thinking and ability to apply concepts rather than just recall information.
Here’s a list of key phrases and techniques:

1. "Best," "Most Correct," or "Most Comprehensive"

  • Purpose: Forces you to prioritize or evaluate multiple correct answers.
  • Examples:
    • “Select the best answer.”
    • “Indicate the most correct answer.”
    • “Which of the following best describes...”
  • Challenge: Requires you to assess which option most fully or accurately represents the concept being tested.

2. "Likely" or "Typically"

  • Purpose: Introduces an element of probability, making you consider what generally applies rather than what is always true.
  • Examples:
    • “Which of the following is most likely to...”
    • “Typically used in...”
  • Challenge: These terms can make answers seem less definitive and require deeper understanding of typical use cases or behaviors.

3. "Not," "Except," or "But"

  • Purpose: Tests your attention to detail by asking for exceptions.
  • Examples:
    • “Which of the following is NOT likely to...”
    • “All of the following are true EXCEPT...”
    • “Which technology uses this standard BUT is not maintained by...”
  • Challenge: These questions often trip up those who skim and assume they’re looking for something that matches rather than something that doesn’t.

4. "Primarily," "Mainly," or "Primary"

  • Purpose: Narrows focus to the most important aspect or main responsibility.
  • Examples:
    • “What is the primary goal of...”
    • “Mainly responsible for...”
  • Challenge: These terms require you to identify the most central role or function, which may be nuanced.

5. "Ensure," "Guarantee," or "Prevent"

  • Purpose: Tests your understanding of absolute outcomes in security controls.
  • Examples:
    • “What can be implemented to ensure...”
    • “Which control prevents...”
  • Challenge: You need to choose the option that provides the most definitive or strongest solution, often ruling out softer or less absolute answers.

6. "Which," "What," or "Where"

  • Purpose: These basic interrogatives introduce a scenario that requires specific knowledge.
  • Examples:
    • “Which of the following...”
    • “What is most appropriate...”
  • Challenge: They often lead into complex scenarios where multiple factors must be considered, forcing you to synthesize knowledge.

7. "Simultaneously" or "At the Same Time"

  • Purpose: Tests understanding of systems or processes that operate under concurrent conditions.
  • Examples:
    • “Simultaneously handles information...”
  • Challenge: Requires recognition of environments or technologies that support or enforce concurrent conditions.

8. "Evaluates," "Assesses," or "Monitors"

  • Purpose: Focuses on processes rather than results, testing your knowledge of methodologies.
  • Examples:
    • “Which process evaluates the effectiveness...”
    • “What assesses the risk...”
  • Challenge: You must distinguish between different methods or processes that have similar goals but are applied differently.

9. "Match" or "Align"

  • Purpose: Tests your understanding of aligning strategies with specific systems or business needs.
  • Examples:
    • “Which activity best matches this task?”
    • “What best aligns with the business goals?”
  • Challenge: Requires synthesis of information about both strategic goals and specific systems or controls.

10. Scenarios Describing Ambiguous Situations

  • Purpose: Presents a scenario where several answers may seem plausible, requiring deep analysis to identify the most correct answer.
  • Examples:
    • “James is working with a system...”
    • “Ron is investigating a security incident...”
  • Challenge: The scenario is often complex, with subtle clues leading to the best answer. This tests both knowledge and application.

11. "Is Responsible for," "Should Ensure," or "Is Required To"

  • Purpose: Focuses on roles and responsibilities within security frameworks.
  • Examples:
    • “Which role is primarily responsible for...”
    • “Who should ensure that...”
  • Challenge: Requires knowledge of specific roles (e.g., security administrator vs. system administrator) and their distinct responsibilities.

12. Words Suggesting Partial Truths (e.g., "May," "Can," "Might")

  • Purpose: Introduces answers that are technically correct but not comprehensive.
  • Examples:
    • “This process may result in...”
  • Challenge: These options might be tempting because they’re correct, but they’re not the best or most complete answers.

13. "Provides Insight Into"

  • Purpose: Tests your ability to differentiate between direct control effects and broader monitoring or insight functions.
  • Examples:
    • “Which provides insight into risk tolerance?”
  • Challenge: Forces you to think about indirect vs. direct impacts of controls or assessments.

AI / LLM / ChatGPT

During my CISSP studies I used a paid subscription to ChatGPT to play the role of my study partner. ChatGPT was my sounding board and audio playback assistant for enhancing my retention of knowledge. I gave the model the following types of prompts to aid my studies and test my knowledge and skills:

Assume the role of a CISSP study partner that asks me questions, based on the attached updated study notes.
Ask me questions in the form of multiple choice, with all the answer options very similar, almost all correct.
Make the questions in the form that a manager in the security department would select the one answer from the multiple choices
that is more correct than the other choices.
Ask me one question and give the multiple-choice answers, but do not move to the next question until I provide an answer.
If I answer incorrectly, give me an explanation of the valid answer.
Then only pose a new question after my answer is provided, from the same CISSP domain until I get 3 correct,
from one of the 8 domains based on the CISSP domain sections.
Use the following list of words in building the questions,
to make it more difficult to determine the most correct answers from the choices:

Goal
Primary goal
endpoint
Most
Mostly
Most important
Most appropriate
Most critical
Most effective
Unlikely
Incorrect
Not typically
not commonly
not normally
Not one
not true
not an essential process
not an effective
not a consideration
not a common step
Least
LEAST likely
is least likely
avoid
advantage
shouldn’t

In the sample ChatGPT prompt screenshot below, I uploaded an image of a CISSP lifecycle drawing and asked for a scenario question:

chatgpt-sample-question.PNG


CISSP Sample Question and Answer

These are not questions from the CISSP exam, but merely examples that ChatGPT generated to aid me in preparing for the exam.

CISSP Question: Intangible Assets and Risks

A company is performing an enterprise-wide risk assessment and must consider the impact of both tangible and intangible assets. Which of the following best describes the primary risks associated with intangible assets?

A. Theft of physical property
B. Unauthorized access to proprietary software
C. Damage to brand reputation and loss of intellectual property
D. Natural disasters impacting physical infrastructure


Correct Answer: C. Damage to brand reputation and loss of intellectual property

Explanation:

Intangible assets refer to non-physical assets that are valuable to an organization, such as intellectual property (IP), brand reputation, customer trust, and proprietary data. These assets, while not physical, are often some of the most critical to an organization's success and long-term sustainability.

  • Brand Reputation: Damage to a company's reputation can have significant long-term impacts, potentially reducing customer loyalty, market share, and revenue.
  • Loss of Intellectual Property (IP): Theft or unauthorized use of IP (e.g., patents, trade secrets) can severely damage a company's competitive advantage.

Key Risk Areas for Intangible Assets:

  • Cyberattacks: Data breaches can lead to IP theft, and public exposure of such incidents can harm reputation.
  • Regulatory Non-compliance: Failing to comply with regulations (e.g., GDPR) can result in legal penalties and reputational damage.
  • Supply Chain Attacks: Third-party vendors that mishandle data could compromise the integrity of an organization’s proprietary information.

The most comprehensive approach to protecting intangible assets involves strategies such as IP protection, encryption, incident response planning, and maintaining strong regulatory compliance. Option C captures both major risk factors—brand reputation and intellectual property—making it the most correct and comprehensive answer.


Why Other Options Are Incorrect:

  • A. Theft of physical property: This relates to tangible assets like hardware and facilities, which are outside the scope of intangible assets.
  • B. Unauthorized access to proprietary software: While important, this only covers a specific area of intellectual property and does not address broader intangible assets like brand reputation.
  • D. Natural disasters impacting physical infrastructure: This focuses on risks to physical assets, which do not apply to intangible asset risk management.

CISSP Question: Immutable Infrastructure, Microservices, and Log Integrity

Your organization is implementing a microservices-based architecture and wants to ensure the infrastructure is immutable while maintaining the integrity of system and application logs. Which of the following best aligns with the principles of immutable infrastructure and supports the integrity of logs in this environment?

A. Regularly update and patch the operating system of microservices to ensure security.
B. Use containers to host microservices and rotate new images instead of modifying existing ones.
C. Allow administrators to modify log files to correct erroneous data and maintain accuracy.
D. Keep all logs locally on the microservices host to avoid latency in log aggregation.


Correct Answer: B. Use containers to host microservices and rotate new images instead of modifying existing ones.

Explanation:

In a microservices architecture, immutable infrastructure refers to the practice of never modifying a running system. Instead of updating or patching existing servers or services, a new version of the service or server is built, deployed, and the old version is destroyed. This ensures consistency and predictability, making it easier to manage and scale infrastructure.

Additionally, log integrity is critical to ensure security, auditability, and accountability. Immutable systems ensure that logs remain unchanged once recorded, preventing malicious actors or administrators from altering the log data.

Key Principles in the Correct Answer:

  • Containerization: Using containers to host microservices aligns with the idea of immutability. Containers are deployed as new images whenever updates are needed. Once deployed, these containers are not modified; instead, they are replaced with new versions.
  • Log Integrity: In an immutable infrastructure, logs must remain unchanged to maintain integrity. This often involves ensuring logs are written to a centralized logging system, ensuring they cannot be tampered with or deleted after being recorded.

Option B is the best choice because it reflects immutable infrastructure practices by using containers that are replaced with new images rather than being updated or modified. This also indirectly supports log integrity by ensuring that logs from old container instances are not tampered with after they are written.


Why Other Options Are Incorrect:

  • A. Regularly update and patch the operating system of microservices to ensure security.
    While patching is important, this approach does not align with the principle of immutability. The idea behind immutable infrastructure is that once a system is deployed, it should not be changed—any updates should result in the deployment of a new instance rather than modification of an existing one.

  • C. Allow administrators to modify log files to correct erroneous data and maintain accuracy.
    This directly violates the principle of log immutability. Logs should never be modified after they are written, as this could introduce vulnerabilities and compromise auditability and integrity.

  • D. Keep all logs locally on the microservices host to avoid latency in log aggregation.
    This increases the risk of log tampering and reduces visibility into logs, as they are not centralized. For proper log integrity, logs should be forwarded to a centralized log management system to ensure they are protected, aggregated, and cannot be altered locally.

Conclusion:

Immutable infrastructure, combined with centralized and immutable log management, is the most comprehensive solution for ensuring the reliability and integrity of microservices-based architectures. Option B correctly reflects these best security practices.
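The log-integrity point in the explanation above (options C and D) can be made concrete with a hash-chained, append-only log whose newest hash is anchored at a central collector. This is an added example, not code from the original notes or from ChatGPT; the records, service name and the `ChainedLog`/`audit` helpers are constructed for illustration, and the scheme is a generic hash chain rather than any particular product's mechanism.

```python
import hashlib
import json

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one

def entry_hash(prev_hash, record):
    """Hash a record together with its predecessor's hash (the chain link)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class ChainedLog:
    """Append-only log: each entry commits to the hash of the entry before it."""
    def __init__(self, records=()):
        self.entries = []  # (record, hash) pairs, oldest first
        for rec in records:
            self.append(rec)

    def append(self, record):
        digest = entry_hash(self.head(), record)
        self.entries.append((dict(record), digest))
        return digest

    def head(self):
        """Hash of the newest entry; the central collector keeps this as its anchor."""
        return self.entries[-1][1] if self.entries else GENESIS

    def first_bad_index(self):
        """Index of the first entry that no longer fits the chain, or -1 if all fit."""
        prev = GENESIS
        for i, (record, digest) in enumerate(self.entries):
            if entry_hash(prev, record) != digest:
                return i
            prev = digest
        return -1

def audit(local, anchored_head):
    """Check a host's local log against the head hash held by the collector."""
    bad = local.first_bad_index()
    if bad != -1:
        return f"modified at index {bad}"
    if local.head() != anchored_head:
        return "truncated or diverged from collector"
    return "intact"

def demo():
    # Constructed records from one short-lived container instance.
    records = [{"ts": 1, "svc": "payments", "msg": "container started"},
               {"ts": 2, "svc": "payments", "msg": "auth failure for user alice"},
               {"ts": 3, "svc": "payments", "msg": "container stopping"}]
    local = ChainedLog(records)
    anchored_head = local.head()  # forwarded to the central collector at write time
    before = audit(local, anchored_head)
    # Option C from the question: an admin "corrects" a record in place.
    local.entries[1][0]["msg"] = "login ok for user alice"
    modified = audit(local, anchored_head)
    # Option D: logs kept only on the host, where the newest line can simply vanish.
    truncated = audit(ChainedLog(records[:2]), anchored_head)
    return before, modified, truncated
```

The chain alone catches in-place edits; catching deletion of the newest entries needs the head hash held somewhere the host cannot rewrite, which is the role the centralized logging system plays.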

CISSP Question: Service Accounts

CISSP question, indicate the best or most correct answer:
Juan wants to prevent privilege escalation attacks via his company’s service accounts.
Which of the following security practices is best suited to this?

A. Remove unnecessary rights.
B. Disable interactive login for service accounts.
C. Limit when accounts can log in.
D. Use meaningless or randomized names for service accounts.

Question detailed explanation:

Correct Answer: B) Disable interactive login for service accounts

Detailed Explanation:
Privilege escalation attacks occur when an attacker gains elevated access to resources that are normally protected from an application or user. Service accounts are special types of accounts used to run services, processes, or tasks. These accounts often have higher privileges and can be a target for attackers seeking to escalate their privileges.

Why Option B is Correct:
B) Disable interactive login for service accounts:
Disabling interactive login for service accounts is a security best practice specifically aimed at preventing privilege escalation attacks. Service accounts typically do not need to log in interactively (i.e., they do not need to be used to log in via a user interface). By disabling interactive logins, you reduce the risk that an attacker could use a service account to gain interactive access to the system, which could then be used to escalate privileges or perform unauthorized actions.

Explanation of Other Options:

A) Remove unnecessary rights:
While removing unnecessary rights is important for minimizing the attack surface, it does not directly address the specific issue of preventing privilege escalation via service accounts. However, it is still a good security practice to ensure that accounts only have the minimum privileges necessary.

C) Limit when accounts can log in:
Limiting when accounts can log in can be useful for certain scenarios, such as preventing unauthorized access during off-hours, but it does not directly prevent privilege escalation via service accounts, particularly since service accounts often need to run services continuously.

D) Use meaningless or randomized names for service accounts:
Using meaningless or randomized names for service accounts can help obscure their purpose and make it harder for attackers to identify them, but it does not prevent privilege escalation. It is more of a security through obscurity tactic rather than a direct preventive measure.

Conclusion:
The best practice to specifically prevent privilege escalation attacks via service accounts is to disable interactive login for those accounts. This ensures that service accounts cannot be used to log in interactively, reducing the risk of them being exploited by attackers to gain elevated access.
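On a Linux host, "disable interactive login" for a service account means giving it a shell that refuses a session (such as `/usr/sbin/nologin`). The following audit, an added example that is not part of the original notes or of ChatGPT's answer, parses a constructed `/etc/passwd` sample, flags system-range accounts that still carry an interactive shell, and shows the hardened end state; the sample accounts, the `UID_MIN` cut-off of 1000 and the helper names are assumptions made for the illustration.

```python
# Shells that refuse an interactive session; anything else is treated as interactive.
NON_INTERACTIVE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample in /etc/passwd format (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup-svc:x:998:998:Backup service:/var/lib/backup:/bin/bash
ci-runner:x:999:999:CI runner:/home/ci-runner:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

def parse_passwd(text):
    """Parse passwd-format lines into dicts; reject lines that do not have 7 fields."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _, uid, _, _, _, shell = fields
        users.append({"name": name, "uid": int(uid), "shell": shell})
    return users

def is_service_account(user, uid_min=1000):
    """System-range UIDs (below UID_MIN, root excluded) are treated as service accounts."""
    return 0 < user["uid"] < uid_min

def interactive_service_accounts(text, uid_min=1000):
    """Names of service accounts whose login shell still allows an interactive session."""
    return [u["name"] for u in parse_passwd(text)
            if is_service_account(u, uid_min) and u["shell"] not in NON_INTERACTIVE_SHELLS]

def hardened_passwd(text, shell="/usr/sbin/nologin", uid_min=1000):
    """Return the passwd text with every flagged service account given a non-interactive shell.

    On a real host the same change is made with `usermod -s /usr/sbin/nologin NAME`
    (and the password locked with `passwd -l NAME`); rewriting the text here only
    shows the intended end state.
    """
    flagged = set(interactive_service_accounts(text, uid_min))
    out = []
    for line in text.splitlines():
        if line.split(":")[0] in flagged:
            line = line.rsplit(":", 1)[0] + ":" + shell
        out.append(line)
    return "\n".join(out) + "\n"
```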

CISSP Question: OAuth 2

What technology uses Request for Comments RFC 6749 as a framework but is not maintained by the Internet Engineering Task Force (IETF)?

CISSP question; the attached image is another CISSP question. OpenID Connect is given as the correct answer. Indicate the most correct answer that addresses the most comprehensive solution and provide a detailed explanation:

The question asks which technology uses RFC 6749 as a framework but is not maintained by the Internet Engineering Task Force (IETF).

Breakdown of the Options:
OpenID (A):
Framework: OpenID is a decentralized authentication protocol but does not use RFC 6749 as its basis.
Maintenance: Not directly related to RFC 6749.

OAuth 2.0 (B):
Framework: OAuth 2.0 is indeed specified by RFC 6749.
Maintenance: OAuth 2.0 is maintained by the IETF.

OpenID Connect (C):
Framework: OpenID Connect is an identity layer built on top of OAuth 2.0, which uses RFC 6749 as its foundation.
Maintenance: OpenID Connect is not maintained by the IETF but by the OpenID Foundation. This aligns with the requirement in the question.

OAuth 1.0 (D):
Framework: OAuth 1.0 is an earlier version of OAuth, not directly linked to RFC 6749.
Maintenance: It is also maintained by the IETF but is an older and less commonly used standard compared to OAuth 2.0.

Conclusion:
The correct and most comprehensive answer is C. OpenID Connect.

Reasoning:
OpenID Connect builds on OAuth 2.0, which is defined by RFC 6749, but it is maintained by the OpenID Foundation, not the IETF. This makes OpenID Connect the correct choice, as it fulfills both conditions outlined in the question.


cissp-badge.png


My other Credly badges include OSCP, CPTS and TOGAF.