CISSP Exam Traps Master Guide

The English-language CISSP uses CAT , which adapts in real time to your demonstrated ability level. Unlike a fixed exam, CAT presents harder questions when you answer correctly and easier ones when you don't — always seeking to confirm whether you are above or below the passing threshold.

These foundational terms appear throughout all 8 domains. Learn them precisely — the exam exploits imprecise understanding.

The CISSP exam is heavily focused on who owns what in a security governance structure. These roles must be understood precisely.

Within any legal system, laws fall into categories that determine who can bring a case, what remedies are available, and what the burden of proof is.

Key points: Novel: Not previously known or used before the filing date; Non-obvious: Not an obvious next step to a person having ordinary skill in the field; Useful: Has some practical utility (very low bar); Patent-eligible subject matter: Laws of nature, abstract ideas, and natural phenomena cannot be patented (highly contested in software — Alice Corp v. CLS Bank , 2014)

The secret must have commercial value AND the owner must take reasonable steps to maintain secrecy. Courts examine: Key points: Cryptographic keys and algorithms; Customer/prospect lists and pricing data; Manufacturing processes and formulas (Coca-Cola recipe is the most famous example); No disclosure required: Patents require full public disclosure; trade secrets remain completely hidden; No expiration: Trade secrets last indefinitely if maintained; patents expire after 20 years

The Health Insurance Portability and Accountability Act (1996) governs the protection of health information in the United States. While covered in more detail on Day 3 (Compliance), the privacy aspects warrant deeper treatment here. Protected Health Information (PHI) = any information that relates to: ... AND can be used to identify the individual. The 18 HIPAA identifiers include: name, geographic data, dates, phone/fax numbers, email, SSN, medical record numbers, health plan numbers, account numbers, certificate/licence numbers, device IDs, URLs, IP addresses, biometric identifiers, photographs, and any unique identifying number or code. Key points: The individual's past, present, or futur

Moving personal data across borders (e.g., from EU to US) requires legal mechanisms because different countries have different protections. GDPR Chapter V governs transfers of personal data to third countries.

ISO/IEC 27001 defines requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It is structured around Plan-Do-Check-Act (PDCA) continual improvement. ISO/IEC 27002 is the supporting code of practice — it provides detailed guidance on implementing the 93 controls referenced in ISO 27001 Annex A. It is guidance , not a certifiable standard. Think of it as the "how-to" companion to ISO 27001's "what". Key points: Organisations can be certified to ISO 27001 (third-party audit); Certification demonstrates to customers, partners, and regulators that a formal ISMS is in place; Covers 11 clauses — Clauses 4-10 are mandator

A vendor offers a backup and ransomware protection solution for $150,000 per year. The vendor claims it will reduce the ransomware exposure factor from 50% to 10% (the remaining 10% represents cases where the backup fails or recovery takes time).

Risk Transfer shifts the financial consequences of a risk to another party, typically through insurance or contractual arrangements. Key points: Cyber Insurance: Covers costs of breach (incident response, legal fees, notification costs, ransom payments, business interruption). Policy limits, exclusions, and sub-limits are critical to understand — policies often exclude acts of war, unpatched vulnerabilities, or nation-state attacks.; Contractual Transfer: Indemnity clauses, hold harmless agreements, and SLAs that assign liability to vendors. Common when outsourcing security functions.; Cloud Service Agreements: CSP agreements define what the cloud provider is responsible for (shared responsi

Risk Acceptance is the deliberate, documented decision to live with a risk because the cost of mitigation exceeds the benefit, or because the risk is within acceptable tolerance levels.

Counterfeit hardware — from networking chips to servers — can be manufactured with altered functionality, reduced reliability, or embedded malicious capabilities. This is particularly concerning for military, critical infrastructure, and high-security environments. Hardware can be modified at the manufacturing or transit stage to include malicious capabilities (eavesdropping, remote access). The 2018 Bloomberg "Big Hack" article (Supermicro servers with implanted chips) — while disputed — prompted significant industry scrutiny and hardware integrity programmes. Key points: Source hardware from authorised distributors and manufacturers; Use hardware with tamper-evident seals and chain-of-cust

A sophisticated BIA maps not just individual function criticality but interdependencies — how the failure of one function triggers failures in others. This is the "upstream" problem: if your authentication service goes down, everything that requires authentication fails with it, regardless of their individual MTD. Key points: Technical dependencies — Application A requires Database B to function. B must recover before A.; Process dependencies — The invoicing process requires completed orders from the Order Management system. Orders must resume before invoicing can.; Third-party dependencies — Payment processing requires the acquirer network. Failure there prevents recovery regardless of inte

Key points: Security awareness orientation and training; Signing of NDA, AUP, code of conduct; Access provisioning based on role and least privilege; Assignment of security classification clearance appropriate to role; Physical access provisioning (badge, building access)

SoD prevents both fraud and unintentional errors. Classic implementations: Key points: No one can both initiate AND approve financial transactions above a threshold; No one can both write code AND approve it for production deployment (Dev ≠ Change Approver); No one can both create user accounts AND assign them permissions; No one can both process payroll AND create/modify payroll records

Phishing simulations send fake phishing emails to employees to test and train real-world recognition skills. They are the most widely used security awareness tool and provide measurable behavioural data. Key points: Real-world measurement of click rate, credential submission rate, and reporting rate; Immediate, contextual training at the moment of failure (teachable moment); Tracks improvement over time — demonstrates programme ROI; Identifies high-risk individuals and departments requiring targeted training; Do not use simulations purely as a punishment exercise — the goal is learning, not blame

Common situations triggering reclassification: Key points: A merger plan is announced publicly → classified financial projections may be declassified; A new privacy regulation expands the definition of PII → some previously unclassified data now requires classification; A product design patent expires → formerly trade secret data may be declassified; A security incident exposes data → reclassification and damage assessment required

When organisations operate in both sectors, they must map classification levels to ensure consistent protection:

GDPR (General Data Protection Regulation) introduced two key roles that apply to organisations handling personal data of EU/EEA residents:

Data has met its retention period or is no longer needed. It must be destroyed in a manner commensurate with its classification. Key points: Secure sanitisation: Use NIST SP 800-88 methods: Clear, Purge, or Destroy based on media type and data sensitivity (covered in depth on Day 30).; All copies: Destruction must include all copies — backups, archives, shadow copies, cloud replicas.; Certificate of destruction: Documented evidence that destruction occurred, including method used, media description, date, and authorised witness.; Remove from inventory: Update data inventory/asset registry to reflect destruction.; Vendor verification: If a third-party custodian handles destruction, require ce

Key points: Generalisation: Replace specific values with ranges (age 34 → age range 30-40; postal code 12345 → region: North-East); Suppression: Remove data fields entirely (delete the Name column from a dataset); Noise addition: Add random variation to numerical values to prevent identification while preserving statistical properties; Data aggregation: Report only group-level statistics (average salary by department, not individual salaries); k-Anonymity: A formal model ensuring that each record in the dataset is indistinguishable from at least k-1 other records on quasi-identifier fields — limits re-identification risk

Key points: The obligation arises when litigation is reasonably anticipated — not when it formally begins. A threatening letter from a lawyer can trigger a hold.; Once a hold is in place, any data within the hold's scope must be preserved — even if the normal retention schedule says destroy it; Hold must cover all relevant data locations: email servers, backup tapes, cloud storage, mobile devices, employee personal devices used for work; HR, Legal, IT, and Records Management must all coordinate on hold execution

Key points: Overwriting (DoD 5220.22-M / Gutmann method): Writing known patterns (e.g., all zeros, all ones, random data) over existing data multiple times. Suitable for magnetic HDDs and SSDs (though overwriting SSDs is less reliable due to wear leveling — see Day 30). The DoD 5220.22-M 3-pass method and the Gutmann 35-pass method are well-known standards.; Cryptographic erasure: Destroying the encryption keys that protect encrypted data. If the data is encrypted with AES-256 and the key is securely destroyed, the encrypted data is permanently unreadable — effectively destroyed without physically destroying the media. Ideal for cloud storage and SSDs where physical overwriting is impractic

Key points: Overt (visible) watermarks: Visible to the user — "CONFIDENTIAL" overlay text on a document; a company logo stamped on an image. Deters casual copying but can be cropped or removed.; Covert (invisible/steganographic) watermarks: Hidden within the digital content without visible distortion; detectable only by the watermarking software or algorithm; survives format conversion and printing-and-scanning. Used for forensic investigation — if a document leaks, extracting the watermark reveals the specific copy that was distributed and who received it.

Data in transit (also called data in motion ) is data that is actively being transmitted from one location to another — across a LAN, WAN, the internet, or a cloud provider's internal network. The dominant protocol for encrypting application-layer traffic. TLS wraps application protocols to create encrypted equivalents: TLS 1.3 (current standard): Removed weak cipher suites (RC4, DES, 3DES, MD5-based MACs); mandatory Perfect Forward Secrecy (PFS); 1-RTT handshake (faster than TLS 1.2). TLS 1.0 and 1.1 are deprecated and should not be used. IPSec (IP Security) operates at Layer 3 (Network layer) and provides authentication, integrity, and encryption for IP traffic. Two critical modes for the

Data in use is data that is currently being processed by a CPU — loaded into RAM, CPU registers, cache memory, or GPU memory. To be processed, most encryption must first be decrypted, creating a temporary window of exposure. A hardware-isolated, secure processing area within the main processor where sensitive code and data can execute with confidentiality and integrity guarantees — even if the host OS, hypervisor, or firmware is compromised. ARM's equivalent of SGX — divides the CPU into a Secure World and a Normal World . The Secure World runs a trusted OS (e.g., OP-TEE) that handles sensitive operations (fingerprint processing, mobile payments). The Normal World runs the standard OS (Andro

Purge applies techniques that render data unrecoverable even with state-of-the-art laboratory forensic techniques — including signal processing equipment and magnetic force microscopy. Required when media leaves the original security domain. A degausser generates a powerful alternating magnetic field that randomises the magnetic orientation of all domains on the medium, destroying all recorded data including servo tracks. Effective only on: Key points: ✅ Magnetic tape (LTO, DAT, DLT); ❌ SSDs — NO EFFECT (SSD stores data as electrical charge in NAND cells, not as magnetic domains); ❌ USB flash drives — NO EFFECT (identical technology to SSDs); ❌ Optical media (CDs, DVDs, Blu-ray) — NO EFFECT

A DLP rule that triggers on every document containing a 16-digit number will block legitimate purchase order numbers, employee IDs, and product codes in addition to credit card numbers. Managing false positives is the central operational challenge of DLP implementation. Key points: Increase specificity: Add additional conditions (e.g., 16-digit number + Luhn validation + expiration date pattern nearby); Whitelist trusted pathways: Finance team emailing to payment processors may be an approved exception; Use fingerprinting over regex: Fingerprinting known sensitive documents has near-zero false positives; Scope by classification label: Only trigger DLP rules on documents labeled Confidential

Key points: Processing carried out by a public authority or body (except courts acting in judicial capacity); Core activities require regular and systematic monitoring of data subjects on a large scale; Core activities involve large-scale processing of special categories (health, biometric, genetic, racial/ethnic, political, religious, trade union, sexual orientation, criminal convictions)

A DPA is a legally binding contract between controller and processor that must include: GDPR prohibits transferring personal data outside the EU/EEA unless an adequate level of protection is ensured. Current mechanisms: Key points: Subject matter, duration, nature, and purpose of processing; Type of personal data and categories of data subjects; Controller's obligations and rights; Processor must: process only on documented instructions; ensure confidentiality; implement appropriate security measures; assist with data subject requests and DPIAs; delete or return data at end of service; make available all information to demonstrate compliance and allow audits

In practice: A database application user account should have SELECT permission only on the tables it needs, not DBA-level access. An employee in HR should not have access to engineering source code repositories. Key distinction: Least privilege applies to both users and processes . A web server process should run under a minimal service account, not root/SYSTEM. In practice: A firewall should deny all traffic by default and only allow explicitly permitted flows. If an authentication server is unreachable, users should be denied access — not granted it. In practice: A single, well-tested authentication library is preferable to five different authentication mechanisms scattered across an appli

BLP also incorporates a discretionary access control matrix (like an ACL) that operates within the mandatory rules. Even if BLP allows access based on clearance levels, the DAC matrix can further restrict it.

Biba uses integrity levels (not confidentiality levels) assigned to subjects and objects. Higher integrity levels indicate more trustworthy/reliable data. The model prevents corruption of high-integrity data by lower-integrity sources.

HRU addresses: "Can the system ever reach an unsafe state?" — known as the safety problem .

Each asymmetric algorithm's security relies on a specific mathematical problem that is computationally infeasible to reverse:

Key points: 127.0.0.0/8 — Loopback (127.0.0.1 = localhost). Not a Class A usable range.; 0.0.0.0 — "This host" / default route; 255.255.255.255 — Limited broadcast (local subnet only); 169.254.0.0/16 — APIPA (Automatic Private IP Addressing) — assigned when DHCP fails

Key points: Dual-stack risks: Running IPv4 and IPv6 simultaneously means two attack surfaces; if IPv6 isn't monitored, attackers can use it to bypass IPv4 security controls; IPv6 tunneling: Protocols like Teredo and 6to4 can tunnel IPv6 over IPv4, potentially bypassing firewalls; Router Advertisement (RA) spoofing: Attackers can send rogue RAs to redirect traffic (mitigated with RA Guard); Large address space: Traditional scanning is impractical, but this makes asset discovery harder for defenders too

When BGP has multiple paths to the same prefix, it selects using these attributes in order (the "Big Wins" order ):

Modern GPUs can test billions of MD5 hashes per second. Defense: account lockout policies, long/complex passwords, MFA, rate limiting, CAPTCHA. Uses a pre-compiled wordlist of common passwords, phrases, and variations (e.g., "password1", "Welcome123"). Far faster than pure brute force because it targets human password patterns. Tools: Hashcat, John the Ripper. Pre-computed tables mapping plaintext passwords to their hash values. Allows instant lookup of common passwords from a captured hash — trading storage for speed. Defense: cryptographic salting. A salt is a random value unique per credential, prepended to the password before hashing, making pre-computation impractical. Attackers use bre

Fraudulent email impersonating a trusted entity to steal credentials. Variants: spear phishing (targeted, personalized), whaling (targeting executives/C-suite), smishing (SMS), vishing (voice/phone). Defenses: SPF/DKIM/DMARC (email authentication), security awareness training, hardware MFA (phishing-resistant: FIDO2/passkeys), anti-phishing gateways, simulated phishing exercises. Attacker creates a fabricated scenario (pretext) to manipulate the victim — e.g., impersonating IT support ("We need your VPN credentials to fix your account"). Defense: callback verification procedures, strict identity verification protocols. Phone calls impersonating IT helpdesk, banks, or law enforcement. The 202

Applications must store only a one-way hash of the password, never the plaintext. If a database is compromised, hashed passwords cannot be directly used (unlike plaintext). Reversible encryption is inadequate because the decryption key may also be compromised.

Key points: Header: Algorithm type (e.g., HS256, RS256) and token type; Payload (Claims): Asserted data — e.g., sub (subject/user ID), exp (expiration), iss (issuer), custom roles; Signature: HMAC-SHA256 of header+payload using a shared secret, or RSA/ECDSA signed; Access tokens in browser: Memory (JavaScript variable) preferred over localStorage (vulnerable to XSS) or cookies (if not HttpOnly); Refresh tokens: HttpOnly cookies (not accessible to JavaScript) or secure server-side storage

Key points: HR system triggers: New hire in Workday → SCIM creates accounts in Entra ID, Slack, Salesforce, GitHub automatically; Termination: HR terminates employee in Workday → SCIM disables/deletes all downstream accounts within seconds; Attribute sync: Department, title, manager changes propagate to all apps automatically; Just-in-time provisioning (JIT): SAML-based alternative — account created on first login from IdP assertion, using SAML attributes

Key points: ZTA does NOT eliminate the need for firewalls or network security — it supplements and refines them; ZTA is NOT a single product — it's an architectural philosophy requiring multiple coordinated technologies; ZTA does NOT mean zero security — it means zero implicit trust (explicit, verified trust on every request); ZTA does NOT prevent all breaches — it minimizes blast radius and increases attacker difficulty

Key points: Simulates: External attacker with no credentials; Finds: Network-exposed service vulnerabilities, open ports, SSL/TLS weaknesses, HTTP misconfigurations; Misses: Internal vulnerabilities (missing patches, application flaws, privilege configuration) that require login to detect; Advantage: Can be run without system access negotiation; simulates real attack surface; Simulates: Insider or attacker who has gained initial access

Penetration testing is a services-based engagement — organizations either employ internal red teams or hire external firms. A typical enterprise pen test costs $15,000–$100,000+ depending on scope and duration. PCI DSS Requirement 11.4 mandates annual penetration testing of the CDE. HIPAA requires periodic testing of "technical controls" (often interpreted as pen testing). The output is a findings report with exploitation evidence — screenshots, proof-of-concept (PoC) code, network captures showing successful attacks. This differentiates pen test output from vulnerability scan output (which only shows what was found, not what is actually exploitable).

Key points: HackerOne: Largest bug bounty platform; used by US DoD, major tech companies; Bugcrowd: Alternative platform; also offers "managed" programs with vetting; Synack: Vetted, trusted researcher pool (combines crowdsourced + curated)

Key points: No financial interest: Auditor must not hold stock in or have financial ties to the auditee; No management role: Auditor must not have made management decisions for the auditee (cannot audit what you built); Rotation: Lead audit partners must rotate off engagements periodically (SOX requires every 5 years for public company auditors); Reporting line: Internal audit must report to the audit committee or board — NOT to the CIO or CISO; Scope authority: Auditors must have unrestricted access to all systems, records, and personnel within scope

NIST SP 800-55 provides a framework for developing, selecting, and implementing security metrics. It defines three types of measures:

Key points: Process: Distribute plan to all responsible parties; each reviews independently; submit comments; Verifies: Contact lists are current; roles are assigned; procedures are documented; equipment lists are up to date; Limitation: Does not test whether procedures actually work — only that they exist on paper; Best for: Initial review; annual plan currency check; onboarding new team members; Process: Facilitator presents a disaster scenario; participants talk through their responses; identify gaps and dependencies

Two-person control (also called dual control or two-man rule) is a stricter form of SoD where two individuals must act together simultaneously to complete a critical action. Neither person alone can complete the task. Key points: Nuclear launch codes require two officers turning keys simultaneously; Bank vault access requires two key holders present; Encryption key ceremonies require multiple key custodians; M-of-N key splitting: M out of N custodians must combine their key fragments to reconstruct the master key

CyberArk, BeyondTrust, Thycotic (now Delinea), HashiCorp Vault, AWS IAM + STS for cloud.

Key points: Weingarten Rights (US): Unionized employees have the right to have a union representative present during investigative interviews that may lead to discipline; Miranda Rights: Only required when a suspect is in custody AND being questioned by law enforcement. Corporate investigators are NOT law enforcement — Miranda generally does not apply to internal investigations, but coerced confessions may be inadmissible; EU/GDPR: Employee monitoring and investigation data collection must comply with data protection regulations; employees may have rights to access data collected about them

Key points: When criminal activity is suspected (fraud, data theft, unauthorized access, ransomware); When regulatory requirements mandate reporting (HIPAA breach notification, certain financial crimes); When the organization cannot investigate effectively on its own (nation-state attacks, sophisticated intrusions); When preservation of evidence requires legal authority (warrants for third-party data)

RFC 3227 (Guidelines for Evidence Collection and Archiving) establishes the order in which evidence should be collected — from MOST volatile (lost soonest) to LEAST volatile:

During an active incident, assume the attacker may have access to internal email, messaging, and phone systems. Use out-of-band communication channels : personal phones, encrypted messaging apps, separate communication systems not connected to the compromised network.

Containment is the CRITICAL window for evidence preservation: Key points: Capture volatile evidence (RAM dump, process list, network connections) BEFORE isolation; Create forensic images of affected systems AFTER short-term containment; If the decision to involve law enforcement is likely, engage them BEFORE containment actions alter evidence

The power of CMDB is in relationships between CIs — for example, knowing that Server A hosts Application B, which depends on Database C, connected via Network D. During incident response, these relationships enable rapid impact analysis: "If Server A goes down, what is affected?"

Key points: Individual activity — no group meeting required; Verifies plan completeness: are all systems listed? contacts current? procedures documented?; Does NOT validate that the plan actually works; Good starting point for new or significantly updated plans; Group discussion — team gathers and talks through scenarios

Key points: DR test types — order from least to most disruptive; RTO vs RPO vs MTD — definitions and relationships; Hot/Warm/Cold sites — features, cost, activation time; Backup types — full/incremental/differential and archive bit behavior; RAID levels — 0, 1, 5, 10 particularly

Application builds query: SELECT * FROM users WHERE name = 'USER_INPUT' Resulting query: SELECT * FROM users WHERE name = '' OR '1'='1' — always true, returns all rows.

Key points: Multi-factor authentication (MFA) — ALWAYS the best answer for authentication security on CISSP; Bcrypt/Argon2/PBKDF2 for password hashing (NOT MD5 or SHA alone); Salting — unique random value per password prevents rainbow table attacks; Generic error messages — "Invalid username or password" (don't reveal which is wrong); Account lockout — lock after threshold; auto-unlock after delay (not permanent)

Covers data classification, ownership, handling, privacy, data lifecycle, and data security controls.

Provisioning → Review → Modification → Deprovisioning Key points: Provisioning: Create account, assign minimum permissions (least privilege); Review: Periodic access reviews/recertification (manager attestation); Modification: Role changes; REMOVE old access (prevent privilege creep/aggregation); Deprovisioning: Disable IMMEDIATELY on termination; delete after retention period

Key points: Relies on trusted third party: KDC (Key Distribution Center); TGT (Ticket Granting Ticket) has a finite lifetime (typically 8-10 hours); Requires synchronized clocks (±5 minutes tolerance); Vulnerable to pass-the-ticket, golden ticket, and silver ticket attacks

Q44 tested this directly: when multiple regulations conflict, implement the MORE restrictive requirement . This satisfies all applicable regulations. Never pick one regulation over another.

Q44 tested this directly: when multiple regulations conflict, implement the MORE restrictive requirement . This satisfies all applicable regulations. Never pick one regulation over another.

The CISSP exam uses Computerized Adaptive Testing. Here's how it works: Key points: If you get 125 questions and pass — you demonstrated competence quickly; If you get 175 questions — the algorithm needed more data; it does NOT mean you're failing; Questions getting harder means you're doing WELL; Treat every question the same — you don't know which are scored vs. pretest

Key points: Read carefully, answer deliberately: Spend 60-90 seconds per question on average; Don't overthink: If you've narrowed to two options and spent 2 minutes, go with your gut and move on; Check your pace: At question 50, you should have ~150 minutes remaining; Never rush the last questions: CAT weights later questions heavily since they're at your estimated ability level