The Certified Information Systems Security Professional (CISSP) is the gold standard certification for professionals wanting to challenge their knowledge on cybersecurity topics and concepts. The CISSP does an excellent job at breaking down important topics and areas needed as a cybersecurity professional helping to stop malicious attackers in their tracks. Recently, the CISSP exam has been updated and improved. Let’s break down some of the important changes to the new exam.
Here is a list of domains included in the CISSP course. The percentages notate how much of the new exam will deal with each knowledge area:
- Domain 1: Security and Risk Management – 15%
- Domain 2: Asset Security – 10%
- Domain 3: Security Architecture and Engineering – 13%
- Domain 4: Communication and Network Security – 13% (1% change from previous exam objectives)
- Domain 5: Identity and Access Management – 13%
- Domain 6: Security Assessment and Testing – 12%
- Domain 7: Security Operations – 13%
- Domain 8: Software Development Security – 11% (1% change from previous exam objectives)
Click here to view the CISSP Exam Outline
The updated 2021 version of the CISSP introduces many new topics and content while refreshing the previous topics. The first new topic is related to privacy. For the longest time, in the cybersecurity profession, we have been using the National Institute of Science and Technology (NIST) and their special publications to build cyber resiliency into systems and networks. With the recent update to NIST SP 800-53 Rev. 5 (source), we see the importance of privacy controls. Influenced by this update, Domain 1 (Security and Risk Management) of the CISSP now involves assessing not only security controls in the business but also privacy controls. Companies are looking for experts that can understand privacy risks to the business and help shape privacy protections based on company objectives. Due to the ever-changing nature of cybersecurity risks, privacy experts must be able to demonstrate an awareness of changes to privacy threats and the requirements needed to address these risks.
Another revision in the CISSP involves data protection methods discusses in Domain 2 (Asset Security). With a steady increase in businesses operating in or moving to the cloud, a Cloud Access Security Broker (CASB) has become an important entity to manage cloud resources. A CASB ensures that data is stored securely and gives great visibility into cloud usage. It also guarantees governance and compliance of company assets are been managed appropriately.
Zero Trust Networking
One of the biggest updates to the new CISSP is the addition of zero trust networking in Domain 3 (Security Architecture and Engineering). Zero trust networking assumes all data is de-parameterized (open to the internet) rather than safe if it is behind the corporate parameter. As we discussed, most corporate environments are living in a cloud world with numerous devices connecting from the public side of the internet. A zero trust networking model assumes breaches are occurring and verifies requests explicitly. It creates a means to microsegment interactions with corporate resources and always takes an approach towards least privilege when accessing resources. This model requires strong identity and access management (IAM) and log management capabilities.
The updated CISSP has a series of new attacks worth highlighting. These attacks include pass the hash, Kerberos exploitation and ransomware. Pass the hash is an exploitation technique. Windows 10 added a Remote Credential Guard to their platform. When enabled, this feature reduces capabilities like pass the hash from occurring on your networks. Active Directory attacks like Kerberoasting and golden ticket attacks have historically been implemented against active directory. CISSP highlighting these attack types and ways to defend against them is very useful for companies and cybersecurity professionals. Ransomware is not a new topic for cybersecurity. However, it continues to be an important area to defend against. Businesses need strategies and professionals with the knowledge to lessen the attackers’ impact when ransomware is utilized. Creating or improving the organization’ disaster recovery plan fights back and protects against potential attacks like ransomware.
The updates CISSP is a great next step in your cybersecurity career and can increase your earning potential. Possessing the CISSP certification demonstrates industry expertise in cybersecurity leadership and strategy.