CISSP Exam Cram: Models, Processes, and Frameworks

  • Published 28 Jan 2025

COMMENTS • 96

  • @getdestroyed1958
    @getdestroyed1958 3 years ago +14

    This is exactly what I was talking about being a consolidated framework video! Very impressed with your material!

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 3 years ago +1

      Glad that one hit the spot! Did you see the video I released on "the cissp mindset"? Had a couple of testers this week tell me it was absolutely key to their clearing the exam.

  • @SingleSup540
    @SingleSup540 2 years ago +10

    Cleared CISSP last Friday. Your videos were instrumental in my success. I watched this specific video multiple times and it 100% paid dividends during the exam. Keep up the great content.

  • @vasudhakota972
    @vasudhakota972 2 years ago +8

    *Security & Risk Management - Domain 1*
    2:50 NIST 800-37
    4:35 Other RMF - OCTAVE, FAIR, TARA
    4:52 BCP
    5:20 Threat Modeling - 5:31 Approaches - Focused on Assets/Attackers/Software
    6:16 Threat Modeling Frameworks - STRIDE, PASTA, VAST, DREAD, TRIKE
    10:06 Security Control Framework - COBIT: Control OBjectives for Information & other related Tech
    *Asset Security - Domain 2*
    11:22 Data Classification for Govt Entities & Non-Govt Entities
    *Security Architecture & Engineering - Domain 3*
    13:20 Common Criteria (ISO-IEC 15048), TCSEC, ITSEC
    14:30 Common Criteria as a process - is of two kinds: Community Protection Profile (Black Box), Evaluation Assurance Level (White Box)
    16:09 Classes of TCSEC, ITSEC & Common Criteria
    17:20 Security Models
    18:22 Security Model Properties - Simple Security Property(read), * Security Property(write), Invocation
    18:50 Security Models - Integrity (Biba, Clark-Wilson, Goguen-Meseguer, Sutherland Model), Confidentiality (Bell-LaPadula, Brewer & Nash, Take-Grant)
    26:43 State Machine Model
    27:35 Information Flow Model
    28:28 *Communication & Network Security Model - Domain 4*
    28:30 OSI Model
    *Identity & Access Management - Domain 5*
    30:19 Access Provisioning Life Cycle
    *Security Assessment & Testing - Domain 6*
    31:06 NIST SP 800-53A Rev. 5 (superseding existing SP in Jan, 2023)
    Assessing Security and Privacy Controls in Information Systems and Organizations
    calls out best practices for conducting security & privacy assessments
    31:35 NIST SP 800-53A Rev. 5 - components/specifications/documents
    *Security Operations - Domain 7*
    32:40 Change Management
    33:23 Information Lifecycle
    35:02 NIST SP 800-61 Rev. 2 : Computer Security Incident Handling Guide that enumerates 7 step process - primary incident response framework is referenced here
    37:34 BCP
    39:16 BCP vs DRP
    40:02 Patch Management Lifecycle
    41:23 *Software Development Security - Domain 8*
    42:11 SW-CMM
    43:25 CMMI
    45:44 IDEAL model
    46:43 SDLC
    48:25 AGILE model
    49:43 Waterfall model
    53:19 Spiral Model

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 2 years ago

      Just posted a new CISSP video you may appreciate. ua-cam.com/video/qMScJnHaC9s/v-deo.html. Working on a very granular table-of-contents menu of topics I should have ready tomorrow.

  • @gebreabzgiaregawi291
    @gebreabzgiaregawi291 3 years ago +7

    I have provisionally passed the CISSP exam just on 100 questions yesterday. Thank you so much for your inspiring videos, slides and the 50 questions. It helped me a lot in summarizing the vast domains of the exam. So keep up the good work.

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 3 years ago

      Wonderful! Glad I could help! Congratulations! 🎉👍

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 3 years ago +1

      And BTW, only 100 questions?!? That means you CRUSHED IT! 👍🎉🏆🎖️

    • @gebreabzgiaregawi291
      @gebreabzgiaregawi291 3 years ago +1

      @@InsideCloudAndSecurity Yes just 100 questions, and still feel ecstasy and victorious about that. Thank you so much Sir.

    • @gebreabzgiaregawi291
      @gebreabzgiaregawi291 3 years ago

      @@InsideCloudAndSecurity Thank you so much. The steady and assuring flow of information you present through the videos and slides about the vast domains in short still resonates in mind even after passing the exam. It helped me a lot to build my confidence after exhaustive reading of the CBK and Study guide cover to cover. Your slides and videos are to the point and that helped a lot to solidify and focus.

    • @gebreabzgiaregawi291
      @gebreabzgiaregawi291 3 years ago

      @@InsideCloudAndSecurity Now I am left with the endorsement process and I am looking for someone to do that.

  • @andrewarmanious2078
    @andrewarmanious2078 3 years ago +2

    I used your videos on the CISSP exam and the study guide and managed to pass the first try. Thank you for putting these videos out. Wouldn't have been able to do it without you.

  • @karolchoi007
    @karolchoi007 3 years ago +7

    Glad that I was able to see this series of CISSP CRAM videos the week before my exam, which clarified some points I was not sure about before. And I have passed :) Thanks

  • @gnollins
    @gnollins 2 years ago +3

    Thank you for these videos - I passed the CISSP exam today at the first attempt. Spent 2 months learning the study guide inside out.
    I watched all of the Exam Cram videos in the days leading up to the exam and they really helped!

  • @bobby7739
    @bobby7739 2 years ago +6

    This is a fantastic presentation. Been preparing for the CISSP for over two months and really needed this to help consolidate it all.

  • @kwakufordjour9568
    @kwakufordjour9568 11 months ago +1

    After 175 questions, I am pleased to announce that I provisionally passed the CISSP today. May God continue to bless you and everything you do and if I can donate, help, or support your vision and generosity in any way, please let me know. I will be more than happy to help. Take care!

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 11 months ago

      Well done! CONGRATULATIONS! 🏆🎉🌟Glad the series was helpful!

    • @justinlloyd-jones1658
      @justinlloyd-jones1658 9 months ago

      That must have been nail-biting. My exam is very soon. At least it shows not to lose hope if you keep getting thrown more questions. Well done

  • @tristanziemann1825
    @tristanziemann1825 1 year ago +2

    Still super useful. You are a pillar of the CISSP community.

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 1 year ago +2

      Thanks Tristan! If you're prepping for CISSP, make sure to take a look at the full exam cram video! ua-cam.com/video/_nyZhYnCNLA/v-deo.html

    • @tristanziemann1825
      @tristanziemann1825 1 year ago +1

      @InsideCloudAndSecurity Have watched it and been watching all morning. I'm testing in 1 hour

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 1 year ago +1

      @@tristanziemann1825 Wow! Good luck! 🤞🍀👍

    • @tristanziemann1825
      @tristanziemann1825 1 year ago

      @@InsideCloudAndSecurity I passed! Thank you!

  • @midem.1155
    @midem.1155 2 years ago +2

    Thank you so much for this video. I took my exam this week (2nd attempt) and this time I had less time to prepare.
    This video helped me organize my preparation with limited time.

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 2 years ago

      Glad it helped! CONGRATULATIONS! What a great way to finish 2022! 🏆🎉

  • @piramnayag9340
    @piramnayag9340 3 years ago +4

    Thanks for these summary videos. Very helpful for my prep. I provisionally cleared the CISSP exam a couple of hours ago. Gratitude!!

  • @nathanbarber1499
    @nathanbarber1499 3 years ago +4

    Can’t thank you enough for putting out these videos. They were very helpful in helping me prepare for the test. Passed it yesterday first try!!! Thanks again

  • @rockmdii
    @rockmdii 3 years ago +2

    Pete Zerger... Thank you so much for these videos. They helped me pass the CISSP on the first attempt! I am so grateful for the content you put out!

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 3 years ago +1

      That's great news! CONGRATULATIONS! 🏆🎉👍

    • @rockmdii
      @rockmdii 3 years ago

      @@InsideCloudAndSecurity Thanks so much!

  • @justinlloyd-jones1658
    @justinlloyd-jones1658 9 months ago +1

    Top-notch content. Delivered in a no-nonsense and to-the-point manner. Plus, a great voice which makes it so much easier to take in. Thank you

  • @twinters8
    @twinters8 2 years ago +1

    This is definitely the hardest part of the CISSP so far, remembering all these different multi-step processes and keeping them separate in your mind.

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 1 year ago +1

      Definitely a challenge, because questions may drop you into the middle of a process and ask you what comes next.

  • @arashvermahmood7961
    @arashvermahmood7961 3 years ago +2

    Many thanks for this concise and informative video. It helps to remove a lot of confusion about frameworks and focus on what is important.

  • @jubairaladin5965
    @jubairaladin5965 3 years ago +2

    Thanks a lot for these wonderful videos just before my exam in a few weeks.

  • @aumit7
    @aumit7 3 years ago +4

    Thank you for doing this, very much appreciated!

  • @TempleOfDoom930
    @TempleOfDoom930 3 years ago +1

    No reference book says that Clark-Wilson is a Biba model, which you showed here. The distinctive feature of CW is that it enforces SoD (a definitive clearance) and also auditing. Integrity is ensured in CW in all sorts of ways and is done by Integrity Verification Procedures (IVP). These are missing in Biba.

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 3 years ago

      Just to be sure, I'll go back and have a look after my team meeting, reconcile all the sources we've mentioned here and ping you back. 👍

  • @Speedster9550
    @Speedster9550 3 years ago +2

    Another awesome study guide... Thank You!!

  • @themiseducationoftheameric7407

    You said earlier that Biba (at 19:37) was a "state machine model", then at 27:48 you say Biba and Bell-LaPadula are both "information flow models". Which is it??

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 1 year ago +1

      Both. The Information Flow model is an extension of the state machine concept and serves as the basis of design for both the Biba and Bell-LaPadula models. www.pearsonitcertification.com/articles/article.aspx?p=1998558&seqNum=4

    • @themiseducationoftheameric7407
      @themiseducationoftheameric7407 1 year ago +1

      @@InsideCloudAndSecurity Understood thank you.

  • @silkeholtmanns6514
    @silkeholtmanns6514 3 years ago

    Very useful summary. I still try to wrap my mind around Graham-Denning, whether it is orthogonal to the confidentiality and integrity properties or whether it is an integrity model. Similar for the Harrison-Ruzzo-Ullman model.

    • @silkeholtmanns6514
      @silkeholtmanns6514 3 years ago

      Could you check with the latest CISSP guide (9th) on patch management steps and SDLC steps, I think they somehow changed them (or maybe I look at the wrong place)....

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 3 years ago +3

      You may also see the high-level patch mgmt process, which would be "Evaluate > Test > Approve > Deploy > Verify".

  • @Curious_Bob
    @Curious_Bob 1 year ago +1

    Small confusion.
    CBK states the following classification on the basis of severity:
    1. Confidential
    2. Sensitive
    3. Private
    4. Proprietary
    5. Public
    While other sources illustrate it as follows:
    1. Confidential/Proprietary
    2. Private
    3. Sensitive
    4. Public
    Which one is the correct classification?

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 1 year ago

      The first is mixing government and commercial. Use what I show at - ua-cam.com/video/_nyZhYnCNLA/v-deo.html

  • @TheTychus
    @TheTychus 2 months ago

    Looks like there is a mistake in the Clark-Wilson slide: it is not a lattice model, and the properties are taken from the Biba model. I was confused to see that the two models are almost identical, while I still recall that the C-W model should be using a process that controls data flow between subject and object.
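    The distinction raised in this comment (and the simple/* properties listed in the domain 3 timestamps above), worked through as an added example that is not from the video or any commenter: Bell-LaPadula and Biba are lattice checks on a label ordering, while Clark-Wilson routes every access through a certified transformation procedure, an integrity verification procedure and an audit record. The label ordering, the access triples and the ledger data are constructed sample values.

    ```python
    from typing import Callable

    # Hypothetical label lattice, lowest to highest. The same ordering is read as
    # sensitivity for Bell-LaPadula and as trustworthiness for Biba.
    LEVELS = {"public": 0, "sensitive": 1, "confidential": 2, "secret": 3}


    def bell_lapadula(subject: str, obj: str, op: str) -> bool:
        """Confidentiality: simple property = no read up, * property = no write down."""
        s, o = LEVELS[subject], LEVELS[obj]
        if op == "read":
            return s >= o
        if op == "write":
            return s <= o
        raise ValueError(f"unknown operation {op!r}")


    def biba(subject: str, obj: str, op: str) -> bool:
        """Integrity: simple integrity = no read down, * integrity = no write up."""
        s, o = LEVELS[subject], LEVELS[obj]
        if op == "read":
            return s <= o
        if op == "write":
            return s >= o
        raise ValueError(f"unknown operation {op!r}")


    def biba_invoke(subject: str, target: str) -> bool:
        """Invocation property: a subject may only invoke subjects at or below its level."""
        return LEVELS[subject] >= LEVELS[target]


    # Clark-Wilson has no lattice. Users reach constrained data items (CDIs) only
    # through certified transformation procedures (TPs) named in access triples,
    # an integrity verification procedure (IVP) checks the CDI, and each access is
    # logged. Triples, CDIs and the IVP rule below are constructed sample data.
    TRIPLES = {
        ("clerk", "post_invoice"): {"ledger"},
        ("auditor", "reconcile"): {"ledger", "audit_log"},
    }
    CDIS = {
        "ledger": {"debits": 100, "credits": 100},
        "audit_log": {"debits": 0, "credits": 0},
    }
    AUDIT: list[tuple[str, str, str, bool]] = []


    def ivp_balanced(cdi: str) -> bool:
        """IVP: the CDI is in a valid state only when debits equal credits."""
        return CDIS[cdi]["debits"] == CDIS[cdi]["credits"]


    def clark_wilson(user: str, tp: str, cdi: str,
                     ivp: Callable[[str], bool] = ivp_balanced) -> bool:
        """Allow a TP run only via a certified triple and only on a CDI the IVP validates."""
        allowed = cdi in TRIPLES.get((user, tp), set()) and ivp(cdi)
        AUDIT.append((user, tp, cdi, allowed))  # every attempt is recorded
        return allowed
    ```

    Running the same read of a lower-labelled object through both lattice functions shows the duality: Bell-LaPadula permits it, Biba rejects it, and no label at all is consulted by Clark-Wilson.
    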

  • @joannapabelonia403
    @joannapabelonia403 2 years ago +1

    Pete, the free CISSP 50 practice questions seem to have been removed from the site. Can they still be accessed somewhere? Thanks.

  • @azeemrios4836
    @azeemrios4836 3 years ago +1

    Sorry for the question, but what does "cram" stand for?

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 3 years ago

      cram = To study for a test in the last remaining hours. www.addthis.com/bookmark.php?lng=en-US&pub=ra-50dc926d011f6845&source=tbx-300&title=Urban+Dictionary%3A+cram&url=http%3A%2F%2Fcram.urbanup.com%2F145384&v=300&winname=addthis. And my videos are intended to provide a lot of information, in an easy-to-understand format, in a short amount of time.

    • @azeemrios4836
      @azeemrios4836 3 years ago

      @@InsideCloudAndSecurity Thanks for the information. I have scheduled my CISSP exam for the 28th of April. I'm a little bit worried about the kind of questions that will appear, since all the practice tests are more technically oriented and everyone says "think like a manager", but none of the practice tests have manager-related questions. I have an overall basic knowledge of all the topics; will that be good for the test, adding the manager mindset? Honestly I don't have a clue what type of questions to expect on the test!

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 3 years ago

      Here is a video to explain exactly what they mean by "think like a manager" ua-cam.com/video/vfC9OLsCqgk/v-deo.html

  • @erico963
    @erico963 3 years ago +1

    Great video! Many thanks!
    Just in time for my exam. For domain 3, should it be ISO 15048 or 15408?

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 3 years ago +1

      Ah, it's actually ISO/IEC 15408, aka "Common Criteria" en.wikipedia.org/wiki/Common_Criteria. Good catch! Common Criteria is what you want to remember for the exam, and focus on Evaluation Assurance Levels (EAL).

  • @ilirrama6122
    @ilirrama6122 3 years ago +1

    Thank you sir, great stuff!

  • @bipedalhominid6815
    @bipedalhominid6815 2 years ago +1

    "G 14 classified" hahah, that's great. 19 years in the USMC and that definitely made me laugh lol :)

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 2 years ago +2

      Borrowed a line from Chris Tucker from one of the Rush Hour movies. 😂

  • @Akashsingh-rq1vg
    @Akashsingh-rq1vg 10 months ago

    I thought Clark-Wilson was a rule-based model and not a lattice model? 25:01

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 10 months ago

      I corrected this bit of errata in the exam cram full course. Watch my full description of Clark-Wilson at this time-stamped link - ua-cam.com/video/_nyZhYnCNLA/v-deo.htmlsi=r9cV9OaUZFqIDCOd&t=10483

    • @Akashsingh-rq1vg
      @Akashsingh-rq1vg 10 months ago +1

      @InsideCloudAndSecurity thank you so much for the quick response!! You da best sir!! :)

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 10 months ago

      👍

  • @Nunya24
    @Nunya24 3 years ago +1

    Question: isn't the patch management lifecycle 1.) evaluate patches, 2.) test patches, 3.) approve patches, 4.) deploy patches, 5.) verify patches are deployed...?? Please let me know

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 3 years ago +2

      Thanks for the question, Lee. While there's not one definitive patch management life cycle model, virtually any you will find will include a scanning element as detailed in this video. You need to scan systems to know where patches need to be deployed based on vulnerabilities (remember to look at this process through the lens of security). What you see in domain 6 in this video is pretty consistent with what you will find in the public space. Certainly one could assume that testing has to happen somewhere in the 'download and deploy' phase. You'll even see variations titled the 'vulnerability management life cycle' or 'patch and vulnerability management life cycle'. I've not seen a patch management life cycle that includes an 'approve patches' phase, but one could assume that only patches that deployed in your test ring without negative impact are then deployed to production. Bottom line: be familiar with the conceptual process and don't get bogged down in terminology for this one.

    • @Nunya24
      @Nunya24 3 years ago

      @@InsideCloudAndSecurity Thank you for that! The patch management system I described was in the CISSP Sybex book.

  • @shermanhoman6666
    @shermanhoman6666 3 years ago

    I know that the OSI model is filled with complexity and sometimes confusion, but wouldn't SSL/TLS be part of Layer 6? I think that they have to at least be above Layer 4 because they run on TCP, Layer 5 is a total mystery to me, but Layer 6 deals with encryption which seems like the right layer for SSL/TLS.

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 3 years ago

      Not exactly. Per Wikipedia, "Transport Layer Security (TLS) does not strictly fit inside the model either. It contains characteristics of the transport (layer 4) and presentation (layer 6) layers." (source: en.wikipedia.org/wiki/OSI_model). And since SSL has been replaced by TLS, I think you are safe in that a question on TLS in the OSI model is not going to be a question you see that determines your pass or fail.

  • @piotrstasinskij2929
    @piotrstasinskij2929 2 years ago

    Thanks for your job

  • @RamtinErKul
    @RamtinErKul 2 years ago

    Hi man, thanks for the video. One thing got me confused. First you say that the "Biba" security model is a state machine model (in the overview), and then when you describe it in detail you say that it is lattice-based. This got me a bit confused. Could you explain please? Thanks in advance.

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 2 years ago +2

      You will find an updated explanation of that (and all models) in the full course I released earlier this year - CISSP Exam Cram Full Course (All 8 Domains) UPDATED - 2022 EDITION!
      ua-cam.com/video/_nyZhYnCNLA/v-deo.html

  • @basantkumarsharma3824
    @basantkumarsharma3824 3 years ago +1

    Is this for the current syllabus or 2021? Please confirm....

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 3 years ago +2

      Current syllabus AND still applicable for 2021. I'll be releasing updates to address what's been added for 2021, which are incremental changes in the big picture.

    • @kevinbarrett1545
      @kevinbarrett1545 3 years ago

      @@InsideCloudAndSecurity Has that new update been released yet?

  • @12yanschump
    @12yanschump 2 years ago

    @13:44 Common Criteria is 15408, not 15048

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 2 years ago +1

      That typo / errata was corrected for the full course - CISSP Exam Cram Full Course (All 8 Domains) UPDATED - 2022 EDITION!
      ua-cam.com/video/_nyZhYnCNLA/v-deo.html

  • @d3adv3nom
    @d3adv3nom 2 years ago

    30:08

  • @TempleOfDoom930
    @TempleOfDoom930 3 years ago +1

    CC is ISO 15408, not ISO 15048

    • @InsideCloudAndSecurity
      @InsideCloudAndSecurity 3 years ago

      Indeed, a typo captured in the errata in one of my comments. Will definitely address in the March update to the series. 🙏 Good luck on the exam! 🍀🤞