CC Exam Format
A multiple choice, computer-based test taken at a Pearson VUE Testing Center. The exam lasts two hours and contains between 100 and 125 questions. You need a score of at least 700 out of 1,000 possible points to pass.
CC Exam Domain 1 - Security Principles
Makes up 26% of the exam questions. Covers basic concepts of information assurance, the risk management process, different types of security controls, security governance, and the ISC2 Code of Ethics.
CC Exam Domain 2 - Business Continuity, Disaster Recovery, and Incident Response
The smallest domain, making up 10% of the test questions. Covers the purpose, importance, and components of business continuity, disaster recovery, and incident response.
CC Exam Domain 3 - Access Control Concepts
Makes up 22% of the CC exam. Tests knowledge of physical and logical access controls.
CC Exam Domain 4 - Network Security
Accounts for 24% of the test. Requires basic knowledge of computer networking, network threats and attacks, and network security infrastructure.
CC Exam Domain 5 - Security Operations
Makes up 18% of the exam questions. Tests knowledge of the ways IT professionals protect data security, harden systems, apply best practice security policies, and use security awareness training.
Computerized Adaptive Testing
The CC exam uses adaptive testing technology, meaning the test adapts or adjusts to your skill and knowledge level as you answer questions correctly or incorrectly. If you answer correctly, questions get harder
Information Security Analyst Job Growth
The U.S. Bureau of Labor Statistics projects job growth of 33% through 2030 for the information security field — more than double the growth rate of computing jobs in general and more than quadruple the growth rate across all fields.
Information Security Analyst Median Salary
The median salary for an information security analyst in 2020 was more than $100,000. The top 10% earn more than $140,000 a year.
CC Certification
An entry-level certification for information security professionals. There is no experience requirement for the CC certification. It provides broad exposure to the entire information security field.
SSCP Certification
The Systems Security Certified Practitioner certification. A mid-career certification covering a wide range of security topics. Requires at least one year of full-time work experience in security.
CISSP Certification
The ISC2 Certified Information Systems Security Professional certification. Considered the gold standard of security certifications. Often a requirement for senior-level security positions, including becoming a firm's chief information security officer.
Value of Certification - Three Benefits
(1) Demonstrates your commitment to information security as a profession. (2) Can help you get a job — many employers consider a security certification a minimum requirement and use keyword screening. (3) Can increase your earning potential. In the 2021 Global Information Security Workforce Study, members without certification earned about $58,000/year while those with certifications earned about $91,000/year on average.
ISC2 Code of Ethics - Canon 1
Protect society, its infrastructure, and the common good. The actions you take should give the public confidence in our profession and support the betterment of society. Example violation: using your skills to engage in unethical hacking activities.
ISC2 Code of Ethics - Canon 2
Your actions must be ethical. You must act with honor, justice, and responsibility and work within the bounds of the law. You may not break the law, lie, or commit any other dishonorable, unjust, or irresponsible action. Example violation: covering up and lying about a mistake that led to a compromise.
ISC2 Code of Ethics - Canon 3
The professional services you provide to principals must be both diligent and competent. Whoever you are working for (employer or client) has the right to expect your diligent and competent service. Example violation: failing to carry out your assigned and agreed-upon duties.
ISC2 Code of Ethics - Canon 4
Your actions as a security professional should advance and protect the information security profession. Example violations: providing unauthorized assistance on exams, violating the ISC2 non-disclosure agreement, or providing false information on an endorsement application.
ISC2 Code of Ethics - Reporting Violations
You must report violations of the code. Failure to report a violation is itself a violation of the code of ethics. To report, you must submit a written, notarized affidavit using the form on the ISC2 website, including the name of the accused, the nature of the violation, the specific canon(s) breached, the reason you have standing, and any corroborating evidence.
ISC2 Code of Ethics - Standing
Standing means the alleged behavior must harm you or your profession in some way. Canon 1 and 2: any member of the public has standing. Canon 3: only employers or clients of the individual have standing. Canon 4: other professionals (anyone certified or licensed in any field who subscribes to a code of ethics) have standing.
ISC2 Code of Ethics - Enforcement
Once a complaint is filed, the ISC2 Ethics Committee allows the accused individual to respond, gathers additional evidence, and reaches a determination. If found in violation, they may revoke that individual's certification.
CIA Triangle
The three main goals of cybersecurity: Confidentiality, Integrity, and Availability. Each side of the triangle covers one of these three main goals.
Confidentiality
Ensures that only authorized individuals have access to information and resources. It is how security professionals spend the majority of their time.
Five Major Confidentiality Threats
(1) Snooping, (2) Dumpster Diving, (3) Eavesdropping, (4) Wiretapping, (5) Social Engineering.
Snooping (Confidentiality Threat)
An individual wanders around your office or facility and simply looks to see what information they can gather. Protection: enforce a clean desk policy — employees should maintain a clean workspace and put away any sensitive materials whenever they step away.
Dumpster Diving (Confidentiality Threat)
The attacker looks through the trash trying to find sensitive documents that an employee threw in the garbage or recycling bin. Protection: use a paper shredder to destroy documents before discarding them.
Eavesdropping (Confidentiality Threat)
In physical eavesdropping, the attacker positions themselves where they can overhear conversations and listens for sensitive information. Protection: put rules in place limiting where sensitive conversations can take place — sensitive conversations should take place in a closed office or conference room, not in the cafeteria.
Wiretapping (Confidentiality Threat)
Also known as electronic eavesdropping. Occurs when an attacker gains access to a network and monitors the data being sent electronically within an office. Protection: use encryption to protect information being sent over the network.
Social Engineering (Confidentiality Threat)
The attacker uses psychological tricks to persuade an employee to give them sensitive information or access to internal systems. They might pretend to be on an urgent assignment from a senior leader, impersonate an IT professional, or send a phishing email. Protection: educating users to recognize the dangers of social engineering and empowering them to intervene whenever they suspect an attack.
Integrity
Means that we do not allow any unauthorized changes to information. Unauthorized changes may come from an attacker intentionally altering information or from a service or technology disruption that accidentally affects stored data.
Four Types of Integrity Attacks
(1) Unauthorized modification of information, (2) Impersonation attacks, (3) Man-in-the-middle (MITM) attacks, (4) Replay attacks.
Unauthorized Modification of Information (Integrity Attack)
Occurs when an attacker gains access to a system and makes changes that violate a security policy. Could be external (e.g., intruder issuing themselves checks) or internal (e.g., employee increasing their own salary). Protection: follow the principle of least privilege.
Impersonation Attack (Integrity Attack)
The attacker pretends to be someone other than who they actually are — a manager, executive, or IT technician — to convince someone to change data in a system. Protection: strong user education.
Man-in-the-Middle (MITM) Attack
The attacker intercepts network traffic as a user is logging into a system and then pretends to be that user. They sit in the middle of the communication, relaying information between the user and the system while monitoring everything. The attacker may steal a user's password and use it later to log in themselves. Protection: use encryption such as TLS.
Replay Attack
The attacker does not need to get in the middle of the conversation but only observes a legitimate user logging in, captures the information used to log in, and later replays it on the network to gain access themselves. Protection: use encryption such as TLS.
Availability
Controls ensure that information and systems remain available to authorized users when needed. They protect against disruptions to normal system operation or data availability.
Five Availability Threats
(1) Denial-of-Service (DoS) attacks, (2) Power outages, (3) Hardware failures, (4) Destruction of equipment, (5) Service outages.
Denial-of-Service (DoS) Attack
Occurs when a malicious individual bombards a system with an overwhelming amount of traffic, making it unable to answer any requests from legitimate users. Protection: use firewalls that block illegitimate requests and partner with internet service providers to block attacks before they reach the network.
Power Outage (Availability Threat)
Can occur on a local or regional level due to increased demand, natural disasters, or other factors. Protection: have redundant power sources and backup generators that supply power to systems when commercial power is not available.
Hardware Failure (Availability Threat)
Servers, hard drives, network gear, and other equipment all fail occasionally, disrupting access to information. Protection: build systems with built-in redundancy so that if one component fails, another is ready to pick up the slack.
Destruction of Equipment (Availability Threat)
May result from intentional or accidental physical damage, or from a larger disaster such as a fire or hurricane. Protection: use redundant systems for small-scale destruction
Service Outage (Availability Threat)
May be due to programming errors, the failure of underlying equipment, or many other reasons. Protection: build systems that are resilient in the face of errors and hardware failures.
Access Control Process - Three Steps
(1) Identification: the individual makes a claim about their identity without presenting proof. (2) Authentication: the individual proves their identity to the satisfaction of the access control system. (3) Authorization: the access control system determines the privileges that individual has to access resources and information.
Identification (Access Control)
The first step of the access control process. An individual makes a claim about their identity. The person does not present any proof at this point — they simply make an assertion. The identification step is only a claim and the user could be making a false claim.
Authentication (Access Control)
The second step of the access control process. An individual proves their identity to the satisfaction of the access control system. In the electronic world, commonly done using a password.
Authorization (Access Control)
The third step of the access control process. The access control system determines whether the authenticated user is allowed to access the system. In the electronic world, often takes the form of access control lists that itemize specific permissions granted to an individual user or group of users.
AAA - Triple A
Authentication, Authorization, and Accounting. Accounting functionality allows administrators to track user activity and reconstruct that activity from logs. This may include tracking user activity on systems and even logging user web browsing history. Any tracking should fit within the boundaries set by law and the organization's privacy policy.
Password Length
The minimum number of characters that must be included in a password. Best practice is to require at least eight characters. The longer a password, the harder it is to guess.
Password Complexity Requirements
Force users to include different types of characters in their passwords — such as uppercase and lowercase letters, digits, and special characters. The more character types included, the harder the password is to guess.
Password Expiration Requirements
Force users to change their passwords periodically (e.g., every 180 days). Many organizations no longer have expiration requirements and instead only require a change if there is reason to believe the password has been compromised.
Password History Requirements
Designed to prevent users from reusing old passwords. Systems remember previous passwords used by each user and prevent reuse of those old passwords.
Password Managers
Secure password vaults, often protected by biometric security mechanisms. Allow users to create and store unique passwords for each site and automatically fill those passwords into sites when visited, enabling unique strong passwords for every site without having to remember them all.
Three Authentication Factors
(1) Something you know (e.g., passwords, PINs, security question answers). (2) Something you are (e.g., biometric authentication — fingerprint, iris, face, voice). (3) Something you have (e.g., smartphone running a software token app, or a hardware authentication token key fob).
Something You Know (Authentication Factor)
The most common authentication factor. Includes passwords, PINs, and answers to security questions. Weakness: an attacker can steal that knowledge, such as through a phishing attack.
Something You Are (Authentication Factor)
Biometric authentication techniques that measure a physical characteristic such as a fingerprint, iris, face, or voice.
Something You Have (Authentication Factor)
Requires the user to have physical possession of a device such as a smartphone running a software token application or a hardware authentication token key fob. These devices generate one-time passwords. Weakness: the user might lose the device.
Multifactor Authentication (MFA)
Combines authentication techniques from multiple different factors (e.g., something you know + something you have). Combining factors makes it much more difficult for an attacker to gain access because stealing one factor is not sufficient. Important: combining two techniques from the same factor (e.g., password + security question = both something you know) is NOT multifactor authentication.
Single Sign-On (SSO)
Technology that shares authenticated sessions across systems. Users log on to the first SSO-enabled system they encounter and that login session persists across other systems until it expires. If the expiration period is set to the length of a business day, users only need to log in once per day.
Non-Repudiation
A security goal that prevents someone from falsely denying that something is true. Physical signatures provide non-repudiation on paper documents. Digital signatures use encryption technology to provide non-repudiation for electronic documents. Biometric controls and video surveillance can also provide non-repudiation.
Digital Signatures
Use encryption technology to provide non-repudiation for electronic documents.
Personally Identifiable Information (PII)
All information that can be tied back to a specific individual.
Protected Health Information (PHI)
Healthcare records that are regulated under the Health Insurance Portability and Accountability Act (HIPAA).
Reasonable Expectation of Privacy
A legal principle on which privacy programs are based. Many laws governing whether information must be protected are based upon whether the person disclosing the information had a reasonable expectation of privacy when they made that disclosure and whether the disclosure would violate that expectation.
Employee Privacy on Employer Systems
When using a computer or network that belongs to your employer, you generally do not have a reasonable expectation of privacy. Your employer owns that equipment and is normally legally entitled to monitor your use of their systems.
Internal Risks
Risks that arise from within the organization. Example: processing checks in a way that creates an opportunity for employees in accounting to commit fraud. Can often be addressed by adding internal controls (e.g., two-person control on the issuance of checks).
External Risks
Risks where the threat originates outside of the organization. Example: the risk of an attacker targeting the organization with a ransomware attack. Controls can reduce the likelihood of success (e.g., multifactor authentication, social engineering awareness campaigns).
Multi-Party Risks
Risks that are shared among many different organizations. Example: if a Software as a Service provider is compromised, that poses a risk to all of the provider's customers.
Legacy System Risk
Older systems, especially those no longer supported by the manufacturer, are often difficult to secure. Organizations using legacy systems should consider replacing them with a modern solution or carefully designing security controls to mitigate the risk.
Intellectual Property Theft Risk
If attackers are able to alter, destroy, or steal intellectual property, it would cause significant damage to information-based businesses.
Software License Compliance Risk
Software vendors often perform audits and assess significant fines on organizations violating their license agreements. Use license monitoring software to manage software license compliance.
Threat
Some external force that jeopardizes the security of your information and systems. Threats may be naturally occurring (e.g., hurricanes, wildfires) or manmade (e.g., hacking, terrorism). You cannot normally control what threats exist — they exist independently of your organization.
Threat Vector
The method that an attacker uses to get to their target. This might be a hacker toolkit, social engineering, or even physical intrusion.
Vulnerability
A weakness in your security controls that a threat might exploit to undermine the confidentiality, integrity, or availability of your information or systems. Examples: missing patches, promiscuous firewall rules, or other security misconfigurations. You do have control over vulnerabilities in your environment.
Risk
Occurs when your environment contains both a vulnerability and a corresponding threat that might exploit that vulnerability. There is no risk if either the threat or the vulnerability factor is missing.
Risk Assessment
The process of identifying and triaging the risks facing an organization based upon the likelihood of their occurrence and their expected impact on the organization.
Likelihood (Risk Assessment)
The probability that a risk will actually occur.
Impact (Risk Assessment)
The amount of damage that will occur if the risk materializes.
Qualitative Risk Assessment
Uses subjective judgment to assess risks, typically categorizing risks as low, medium, or high on both the likelihood and impact scales.
Quantitative Risk Assessment
Uses objective numeric ratings to assess likelihood and impact. Involves math to figure out the exact amount of financial damage expected from a given risk in any typical year.
Risk Treatment - Four Options
(1) Risk Avoidance, (2) Risk Transference, (3) Risk Mitigation, (4) Risk Acceptance.
Risk Avoidance
Changing your organization's business practices so that you are no longer in a position where a risk can affect your business. Example: relocating a data center to a facility with no risk of flood damage.
Risk Transference
Attempting to shift the impact of a risk from your organization to another organization. The most common example is an insurance policy. Note: you cannot always transfer a risk completely — for example, insurance can cover financial damage from a breach but cannot repair your business's reputation.
Risk Mitigation
Taking actions designed to reduce the likelihood and/or the impact of a risk. Example: engaging a flood control specialist to install systems that divert water away from a facility.
Risk Acceptance
Deciding to continue operations and deal with the consequences if the risk materializes. Should only occur as part of a thoughtful analysis determining that the cost of another risk management action outweighs the benefit of controlling the risk.
Inherent Risk
The initial level of risk that exists in an organization before any controls are put in place.
Residual Risk
The risk that remains after the inherent risk is reduced by controls.
Control Risk
New risks introduced by the controls themselves. Example: installing a firewall reduces risk but adds the new risk that the firewall itself may fail.
Risk Tolerance
The process of business leaders determining how much risk they choose to accept. The goal of risk management is to ensure that the combination of residual risk and control risk is below the organization's risk tolerance.
Security Controls
Procedures and mechanisms that an organization puts in place to address security risks. May try to reduce the likelihood of a risk materializing, minimize the impact if it does occur, or detect security issues that take place.
Defense in Depth
Applying multiple overlapping controls to achieve the same objective, so that the system remains secure even if one control fails. Example: using both a burglar alarm and security cameras to detect intruders.
Preventive Controls
Designed to stop a security issue from occurring in the first place. Example: a firewall that blocks unwanted network traffic.
Detective Controls
Identify potential security breaches that require further investigation. Example: an intrusion detection system that searches for signs of network breaches.
Recovery Controls
Remediate security issues that have already occurred. Example: restoring data from backup after a ransomware infection.
Technical Controls (Logical Controls)
Use technology to achieve security objectives. Examples: firewalls, intrusion prevention systems, encryption, data loss prevention, and antivirus software. Note: logical controls and technical controls are the same thing.
Administrative Controls
Processes put in place to manage technology in a secure manner. Examples: user access reviews, log monitoring, performing background checks, conducting security awareness training.
Physical Controls
Controls that impact the physical world. Examples: locks, cameras, security guards.
Configuration Management
Tracks the way specific devices are set up, including operating system settings and the inventory of software installed on a device.
Baseline (Configuration Management)
A snapshot of a system or application at a given point in time. Used to assess whether a system has changed outside of an approved change management process. Administrators compare a running system to the baseline to identify all changes.
Versioning
Assigns each release of a piece of software an incrementing version number. Frequently written as three-part decimals: the first number represents the major version, the second represents a major update, and the third represents minor updates.
Standard Naming Conventions
Help technologists quickly understand the nature and purpose of a device. Maintaining a standard IP address schema helps identify a system's location on the network by its IP address.
GDPR
The European Union's General Data Protection Regulation. Applies to the personal information of all EU residents wherever they may be located.