Certified Information Systems Security Professional (CISSP)
Welcome to the Certified Information Systems Security Professional (CISSP) certification course! To obtain the CISSP certification, candidates need to pass an exam that consists of mostly multiple choice questions. The purpose of this course is to prepare you for the certification exam by introducing you to the concepts and terminology you need to know to pass. This course is designed to provide you with extensive knowledge, learning strategies, and instructor support along the way. In addition to the exam, you must meet a few other requirements in order to become a Certified Information Systems Security Professional. You must demonstrate that you follow the CISSP Code of Ethics, have a minimum of five years’ full-time paid work experience in the systems security field, and hold an IS or IT degree. With that in mind, before enrolling in this course, be sure that this is the right course for you. This course is designed for people who want to become certified security professionals and are looking for jobs that require the CISSP certification. Sometimes companies also require their systems security employees to obtain this certification. The prerequisites for this course are basic knowledge in networking and some knowledge of systems operations. Throughout this course, you will learn about the basics of asset security, cryptography, security and risk management, and various threats and attacks. This is a theoretical course — not a practical one — and we will cover many regulations, laws, policies, standards, and encryption protocols. With the flash cards, interactive diagrams, video lessons, and instructor support included with this course, you should be equipped with everything you need to successfully pass the exam and earn your CISSP certification.
In this video we will learn about what this course will cover and what it will not. We'll see how it's structured overall, and take a look at the tools and learning methods that will be used throughout the course.
About the Training Architect
In this video you will get to meet your instructor for this course. The instructor will talk a bit about himself, his skills and experience, and his passion about learning new things and helping others do the same.
To follow the course, and prepare for the exam, you should be familiar with operating systems and networking. Having experience in system security is a plus, but not a requirement. Throughout this course, you will use charts, labs, flashcards, and quizzes to learn and improve your knowledge.
How to Get Help
Here I will briefly explain the best way to ask for help.
Security and Risk Management
CIA Triad: Confidentiality
In this video, we'll learn what the CIA Triad represents and will introduce confidentiality. Confidentiality ensures that sensitive information is only available to people who are authorized to access it. We'll cover security controls for confidentiality protection, causes of unintentional data disclosure, attacks that violate confidentiality, and countermeasures that ensure confidentiality. We'll also look at some related concepts: sensitivity, discretion, criticality, concealment, secrecy, privacy, seclusion, and isolation.
CIA Triad: Integrity
Integrity refers to the prevention of unauthorized alterations to data. This video will explain why the integrity of data is important. You will get acquainted with integrity violation attacks, and learn countermeasures to deal with them.
CIA Triad: Availability
Availability ensures that resources are available whenever authorized users need them. In this video, we will go over availability concepts, attacks and threats, and countermeasures.
Identification, Authentication, Authorization, Auditing, and Accounting
This lesson thoroughly explains concepts like identification, authentication, authorization, auditing, and accounting. We need a firm grasp of these core terms for the rest of this course.
Threat modeling is the process of identifying all possible threats to a system, so that they can be categorized and analyzed. We will go over the seven stages of attack simulation and threat analysis, as well as the STRIDE scheme used for application threats.
Security policies define the rules and requirements that protect an organization’s information system. It is yet another crucial part of systems security. Here we will see what concepts security policies address.
Risk Management: Part 1
This video gets us acquainted with risk management, which is the process of identifying and addressing security risks that could damage or disclose data. We'll cover essential terminology related to risk management such as risk analysis, exposure, safeguards, and more.
Risk Management: Part 2
Picking up from where we left off in the previous video, in this one we'll see what quantitative risk analysis is. We'll learn to recognize the many elements that are tied to it, like annualized rate of occurrence, exposure factor, annualized loss expectancy, and more.
Risk Management: Part 3
The previous video covered the topic of quantitative risk analysis. Here, we will talk about qualitative risk analysis in the same way. We will see what it is, and what it consists of.
Laws, Regulations, and Ethics
Laws, Standards and Regulations
This lesson’s aim is to introduce you to some important laws, standards, and regulations that various organizations have to comply with. The type of organization determines which laws apply. Here is a list of the standards and regulations that we will talk about in more detail: PCI DSS, ISO/IEC 27001:2013, HIPAA, SOX, DMCA, and FISMA.
Following a Code of Ethics is mandatory when it comes to information systems security, in order to ensure safety and protection for all individuals involved. There are many activities that are considered unethical, according to the RFC 1087 document that we will examine.
Data and Asset Security
Classifying Data and Assets
Here we will look at the existing data classification levels, and how they are used to classify data depending on how sensitive it is. These classifications are based on how harmful to an organization it would be if the information leaked. We'll also learn some other common terms and categorizations of data that you will often come across.
Let's get familiarized with some more useful terminology that is related to data and asset ownership. We will go over the seven Privacy Shield principles: Notice; Choice; Accountability; Security; Data Integrity and Purpose Limitation; Recourse, Enforcement and Liability; and Access.
Storing and Disposing of Data
This video covers the topics of storing and disposing of data. We'll see the different states data can be in, as well as some important things to keep in mind when storing sensitive data. Destroying sensitive data, as simple as it may seem, is also a very significant and law-defined process that, if not done properly, can have negative outcomes.
Security Architecture and Engineering
This is an introductory video on the subject of cryptography. Learn what cryptography is, what it is used for, and why it is important. This video also discusses the objectives of cryptography, which are strongly tied to the following four terms: Confidentiality, Integrity, Authentication, and Non-Repudiation.
Asymmetric and Symmetric Encryption
This lecture’s aim is to get you familiar with symmetric and asymmetric encryption. Learn the main difference between these encryption types, and find out when one is preferred over the other.
This lecture explains one of the most basic terms in cryptography: ciphers. We'll see the various types of ciphers that have been used both in the past and in modern times.
Public Key Infrastructure (PKI)
PKI, Public Key Infrastructure, is something we all use on a daily basis, even if we haven’t thought about it or known of it before. In this video, we will see what Public Key Infrastructure is, and go over the multiple elements and processes out of which PKIs are composed.
Here we'll see several cryptographic and hashing algorithms, like DSA, Diffie-Hellman, SHA, Blowfish, and others.
In this lecture, we'll see what cryptanalysis is and look at some of the existing cryptanalysis methods. We're going to stick mostly to the different code-breaking techniques used for breaking ciphers, such as brute force, trickery and deceit, and frequency analysis.
Security Models and Design
Security Design Principles
Here we will look into a few things regarding system types and security design principles, such as confinement, bounds, isolation, controls, trusted systems, and assurance. We'll also cover composition theories, which define how one system interacts with another system.
A security model is an abstract concept that is used to translate and formalize a security policy. It is required for building software and hardware. This lesson displays the many types of security models, like the Bell-LaPadula model, Clark-Wilson model, and the Sutherland model.
System Security Requirements
In order to ensure the safety and security of a system, there need to be some established security requirements. Also, it must be possible to check to see if those requirements are satisfied or not. This determines the overall security of a system. The video will teach about the Trusted Computer System Evaluation Criteria (TCSEC) and the Information Technology Security Evaluation Criteria (ITSEC). Those are both standards that define sets of basic requirements for system security. Other things the video delves into are proactive countermeasures like virtualization, memory protection, and fault tolerance.
Physical Security: Part 1
When providing security for a system, software security isn't the only consideration. Physical security is also a concern. This lesson illustrates several physical security concepts like site selection, equipment failure anticipation, and technical physical security controls. These and more need to be evaluated in order to achieve successful system security.
Physical Security: Part 2
Continuing on the subject of physical security, in this video we will talk about how to maintain security despite the occurrence of natural disasters (fires, floods), external incoming signals (control zone), and intruders (fences, locks, alarms).
Threats and Attacks
Threats vs. Attacks
The goal of this chapter is to explain the main difference between a threat and an attack, in order to better secure a system. We'll see that a threat is the potential to do harm to a system, while an attack is the realization of that potential.
In this lecture, you will learn about the motives behind security attacks and why it is important to find a motive, because it can help in the investigation of attacks. We'll learn about the most common motives behind attacks: revenge, data manipulation, stealing valuable information, interrupting the flow of business activities and processes, ransom, and stealing money.
Attack vectors are the means by which hackers deliver a payload to systems and networks. In this video, we'll see the most common attack vectors: cloud computing threats, phishing, botnets, ransomware, insider threats, mobile threats, advanced persistent threats, Internet of Things threats, viruses and worms, and web application threats.
In this introduction video, you will learn about the three main threat classifications: network threats, host threats, and application threats. We'll also go over some different types of attacks: denial of service, password-based, man in the middle, spoofing, malware, SQL injection, session hijacking, cryptography attacks, and phishing.
In this video, you will learn about attack classification and its four main categories: operating system attacks, application-level attacks, misconfiguration attacks, and shrink-wrap code attacks.
Communication and Network Security
OSI vs. TCP/IP
The topic of this video is the Open Systems Interconnection (OSI) model, which consists of seven distinct layers. We will talk about each layer individually and cover their most important characteristics and roles.
Here you will learn about the Transmission Control Protocol/Internet Protocol (TCP/IP) model, which is composed of four separate layers: application, transport, network access, and internet. Each layer corresponds to one or more layers from the OSI model that we talked about in the previous video. This video will explain more about these layers, and about the TCP and UDP protocols.
Wireless Access Point
Wireless access points have over a dozen features that we'll learn about in this video. Some of the WAP features that will be covered are beacon frames, wireless channels, SSIDs, WPA, LEAP, PEAP, and more.
Wireless Network Attacks
Wireless Access Points are susceptible to numerous types of wireless network attacks. In this lecture you will learn about these attacks, the dangers they pose, and why people perform them. Some of the attacks we'll discuss are War Driving, Evil Twin Attacks, Rogue Access Point attacks, and more.
In this video we are going to talk about firewalls. We'll learn what firewalls are and what they are used for. Many types of firewalls exist that are utilized in different situations for different purposes. During the course of this video we will go over and compare these types to see how they are similar, and where they vary.
In order for a network to function, several different hardware components are necessary. To assure communication, we need parts such as routers, modems, proxies, cables, etc. In this lecture we talk about these hardware network devices, see what they are, and what roles they play in networks.
Network hardware and connections can be configured in various ways, which is what we are going to talk about in this video. These physical layouts are called network topologies. The type of topologies we will address are the ring, bus, star, and mesh topologies.
Network Security Mechanisms
Continuing on the topic of network security, in this video we'll discuss some mechanisms and protocols that help in securing networks. We'll examine Tunneling, IPsec, Kerberos, Secure Shell (SSH), Signal Protocol, Secure Remote Procedure Call, Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Authentication Protocols.
In order to achieve email security, you need to learn about email security goals and solutions. We talk here about email security goals, like ensuring nonrepudiation, restricting access to messages, verifying sources of messages, and securing sensitive content. We'll also examine email security solutions, like MIME Object Security Services (MOSS), Secure/Multipurpose Internet Mail Extensions (S/MIME), Privacy-Enhanced Mail (PEM), and Sender Policy Framework (SPF).
VPN and Virtualization
Here we will talk about virtualization and Virtual Private Networks (VPNs), why they are needed, and how they work. OpenVPN, the Point-to-Point Tunneling Protocol, and the IP Security Protocol (Authentication Header and Encapsulating Security Payload) will also be topics of discussion. Virtual networking and virtual software are explained in the later part of the video, along with the terms Virtual Application and Virtual Desktop.
Network Address Translation (NAT)
Network Address Translation, or NAT, is a very important concept for network traffic that this video will explain. The aim of the lesson is to show what happens when traffic crosses between a public IP address and a private IP address. We will also take a look at static and dynamic NAT.
Wide-Area Networks (WANs)
Here we will talk about Wide Area Network (WAN) technologies. We'll look at Integrated Services Digital Networks (ISDN), Primary Rate Interface (PRI), and Basic Rate Interface (BRI). Some of the other technologies discussed in the video are X.25, Frame Relay, Asynchronous Transfer Mode (ATM), and Switched Multimegabit Data Service (SMDS).
Network Attack Mitigation
In this video we'll illustrate several attack vectors like DoS/DDoS (Denial of service) attacks, Eavesdropping, Impersonation, Address Resolution Protocol (ARP) Spoofing, and DNS Poisoning. The main goal of the lesson is to show how to defend against these attacks. We'll look at different defense tools that can be used for the various types of attacks, like firewalls, intrusion detection systems, updates, encryption, and tokens.
Identity and Access Management
Identity and Authentication
Identification and Authentication: Part 1
Identity and authentication are very important concepts for any system. We will mention the three authentication types. We will go through Type 1 and Type 2 and learn about some techniques, policies, and devices. We'll look at things like: password policy, password history, passphrases, cognitive passwords, smart cards, tokens, token types, HMAC-Based One-Time Password (HOTP), and Time-Based One-Time Password (TOTP).
Identification and Authentication: Part 2
This video continues on from where the last lesson stopped. We will take a look at Authentication Type 3. In particular, we'll examine some authentication techniques like face, retina, iris and palm scans, hand geometry, pulse patterns, voice recognition, signature dynamics, and keystroke patterns. We'll also explore the False Rejection Rate and the False Acceptance Rate.
Identification and Authentication: Part 3
In this final section, we'll get into Multi-Factor Authentication (MFA). We will explore Kerberos, OAuth 2.0, OpenID Connect, Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access-Control System Plus (TACACS+), Provisioning, Account Revocation, and Scripted Access.
This video discusses different kinds of Access Controls. The types we'll look at are Preventive, Detective, Corrective, Deterrent, Directive, Compensating, Administrative Access Controls, Logical/Technical, and Physical Controls.
Security Assessments and Testing
Security Assessments and Audits
Security assessment and security audit are two terms that often appear together, but they mean very different things. This video explains what they are, and what the differences are. We'll look at the various tests that need to be performed with regard to Security Control Review, and cover a few types of audits. We will also talk about the Security Content Automation Protocol (SCAP) and its many components.
This video introduces penetration testing. We'll go over what penetration testing is, what it is used for, how it works, and its different stages. We'll see what makes a good penetration test, and get acquainted with the "Blue team vs. Red team" methodologies. Finally, we will go over the pre-attack and attack penetration testing phases.
Vulnerability scans help uncover weak points in a system. It is important to detect these vulnerabilities and assess them before they are exploited by an attacker. This video deals with a number of vulnerability scanning types, including web vulnerability scanning, network vulnerability scanning, TCP connect scanning, and Xmas scanning. We will also talk about Nmap and port status categories.
Software testing is one of the most crucial parts in the process of developing software, because it consists of many actions that ensure the quality and safety of the software. This video covers several of these actions, including code review, static software testing, dynamic software testing, fuzz testing, and interface testing.
Disaster Prevention, Response, and Recovery
When running a system there are numerous security operations that have to be taken into consideration. The aim of this lesson is for you to learn about some of these security operations like Entitlement, Privileged Account Management, Data Lifecycle Stages, Need to Know and more.
Responding to Incidents
The topic of this video is security incident response. These are the different ways of reacting to different system security bypasses, the steps that we can take to resolve these issues, as well as prevention measures.
Log - Monitor - Audit
In this lecture we will discuss disaster prevention, then look at response and recovery methods that include logging, monitoring and auditing. We will learn about these in detail, with examples.
Security in Software Development
Software Development Security Principles
The Software Development Lifecycle (SDLC)
The goal of this video is to teach software development security principles. Some of the most important concepts discussed here are the systems development lifecycle, lifecycle models, and DevOps. We will walk through each individual step, learning the difference between the spiral and waterfall models and learn about a few DevOps model components.
Data and Information Storage
No matter what kind of system we are developing, the data of that system needs to be stored somewhere in some manner. In general, data is easily corrupted and hard to organize in a useful way, which is why data backups and databases are extremely important. Speaking of databases, we'll also touch on both relational databases and NoSQL databases for a bit, then talk about database security, types of storage, and database transaction characteristics.
Malicious Code: Part 1
There are a lot of different kinds of malicious code that exploit systems in different kinds of ways. This video goes over some of these, like encrypted viruses, service injections, macro infections, and stealth viruses. It also talks about common antivirus packages and signature-based virus detection.
Malicious Code: Part 2
In this lesson we will resume our talk about malicious code. This time we will get familiar with some more malicious code types, such as logic bombs, worms, trojan horses, and buffer overflows.
How to Prepare for the Exam
This video will give some insight into the certification exam that this whole course has been preparing you for. We will go over some important things and tips you need to know before you set out to take the exam, such as the test duration, the exam concept, and the exam's structure.
What's Next After Certification?
This video concludes our course. Now that you have finished all the lectures, learn which other videos and courses might be good to look at, moving forward.
Security Processes, Systems and Architecture Practice Exam