ISC² Common Body of Knowledge
CISSP Reference Guide
A comprehensive, updated study reference covering all 8 CBK domains. Updated for 2024 exam objectives including cloud security, Zero Trust, and AI governance.
8 Domains
1,000+ Hours Study
Updated 2024
What is CISSP?
CISSP (Certified Information Systems Security Professional) is a globally recognized certification by ISC², validating expertise across all security domains in the Common Body of Knowledge (CBK). First issued in 1994, it remains the gold standard for senior security practitioners.
Exam Format
CAT · 125–175 questions · 4 hours
Passing Score
700 / 1000 scaled
Experience Required
5 years in ≥2 domains
Exam Strategy: Think like a manager, not a technician. Choose the answer that protects people and assets with the most comprehensive approach, not the most technically clever one.
DOMAIN 01
Security and Risk Management
The largest domain (~15% of exam weight). Covers governance, ethics, legal frameworks, risk methodology, and business continuity planning.
Security Triplet
Threat
Any event or circumstance that has the potential to harm assets. Could be natural, human, or environmental.
Vulnerability
A weakness in a system, process, or control that can be exploited by a threat. E.g., unpatched software, weak passwords.
Risk
The probability that a threat will exploit a vulnerability, resulting in harm. Risk = Threat × Vulnerability × Impact
Due Care
Doing what a reasonable person would do. The minimum level of protection an organization must maintain. Legal liability concept.
Due Diligence
Practicing and sustaining the activities that maintain Due Care. Defense against negligence claims.
Risk Management
Risk Avoidance
Changing plans to eliminate the risk entirely. E.g., not connecting a sensitive system to the internet.
Risk Mitigation
Installing safeguards to reduce likelihood or impact. Residual risk remains after controls are applied.
Risk Transference
Shifting financial responsibility to another party. Cyber insurance, outsourcing with SLA contracts.
Risk Acceptance
Formally acknowledging a risk when the cost to mitigate exceeds the potential loss. Must be documented and signed off.
Risk Deterrence
Warning potential attackers of consequences. Legal banners, prosecution notices, visible security cameras.
Risk Rejection
Ignoring or denying the existence of a risk. This is never an acceptable strategy — only acceptance after evaluation is valid.
Threat Modeling Frameworks
STRIDE
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Developed by Microsoft.
DREAD
Damage, Reproducibility, Exploitability, Affected users, Discoverability. Scoring model (0–10 per category, averaged). Used by OpenStack.
PASTA
Process for Attack Simulation and Threat Analysis. 7-stage risk-centric framework: Define Objectives → Scope → Decompose → Threat Analysis → Vulnerability Analysis → Attack Simulation → Risk Impact.
VAST
Visual, Agile and Simple Threat Modeling. Designed for Agile/DevOps environments at scale.
MITRE ATT&CK
Knowledge base of adversary tactics and techniques based on real-world observations. Essential for threat modeling in modern environments. Organized by Tactics → Techniques → Sub-techniques.
MITRE D3FEND
Complementary framework to ATT&CK focused on defensive countermeasures. Maps security controls to offensive techniques.
Quantitative Risk Assessment
AV (Asset Value)
Dollar value of the asset being protected.
EF (Exposure Factor)
Percentage of asset loss if the threat is realized. Expressed as 0.0–1.0 or 0–100%.
SLE (Single Loss Expectancy)
SLE = AV × EF. Dollar loss per single incident.
ARO (Annualized Rate of Occurrence)
Estimated frequency of a threat per year (0.1 = once per 10 years).
ALE (Annualized Loss Expectancy)
ALE = SLE × ARO. Expected yearly loss. Used to justify control spend.
ALE = AV × EF × ARO
Safeguard Cost Principle: A control is financially justified if its cost is less than the reduction in ALE it provides. Value of Control = ALE(before) − ALE(after) − Annual Cost of Control
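The quantitative formulas above are easiest to internalise by running them. The following is an added example (not part of the original guide): it models one scenario with the CBK's AV / EF / ARO terms, computes SLE and ALE, and then applies the safeguard cost principle to rank candidate controls. The asset value, exposure factors, rates and control costs are all constructed for illustration, and EF is validated as a 0.0–1.0 fraction.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RiskScenario:
    """One threat/asset pairing expressed with the CBK's quantitative terms."""
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of the asset lost per incident (0.0-1.0)
    aro: float               # ARO, expected incidents per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be expressed as a fraction between 0.0 and 1.0")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A control, described by its annual cost and the EF / ARO it leaves behind."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def value_of_control(before: RiskScenario, control: Safeguard) -> float:
    """ALE(before) - ALE(after) - annual cost of the control (positive = justified)."""
    after = RiskScenario(before.asset_value, control.residual_ef, control.residual_aro)
    return before.ale() - after.ale() - control.annual_cost


def best_justified_control(before: RiskScenario, options: List[Safeguard]) -> Optional[Safeguard]:
    """Pick the control with the highest positive value; None if nothing pays for itself."""
    ranked = sorted(options, key=lambda c: value_of_control(before, c), reverse=True)
    if not ranked or value_of_control(before, ranked[0]) <= 0:
        return None
    return ranked[0]


# Constructed scenario: a $500k database, an incident destroys half of it,
# and such an incident is expected once every four years.
RANSOMWARE = RiskScenario(asset_value=500_000, exposure_factor=0.5, aro=0.25)

# Constructed control options (costs and residual figures are illustrative).
OPTIONS = [
    Safeguard("Offline backups", annual_cost=10_000, residual_ef=0.1, residual_aro=0.25),
    Safeguard("EDR platform", annual_cost=25_000, residual_ef=0.5, residual_aro=0.05),
    Safeguard("Air-gap the system", annual_cost=70_000, residual_ef=0.0, residual_aro=0.0),
]

if __name__ == "__main__":
    print(f"SLE = ${RANSOMWARE.sle():,.0f}  ALE = ${RANSOMWARE.ale():,.0f}")
    for c in OPTIONS:
        print(f"{c.name:<20} value of control = ${value_of_control(RANSOMWARE, c):,.0f}")
    best = best_justified_control(RANSOMWARE, OPTIONS)
    print("Recommended:", best.name if best else "accept the risk (no control is justified)")
```

Note the third option: eliminating the risk entirely still has a negative value of control because its annual cost exceeds the whole ALE, which is exactly the situation where formal risk acceptance (or a cheaper mitigation) is the defensible choice.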
Qualitative Risk Assessment
Scenario-based; uses ratings like Low / Medium / High instead of dollar values. Methods include Delphi Method (expert panel, anonymous rounds), OCTAVE, and NIST SP 800-30. Often combined with quantitative analysis in practice.
Business Continuity Terms
| Metric | Definition | Example |
| MTD / MTO | Maximum Tolerable Downtime — longest time a business can survive without the function | 72 hours for payroll |
| RTO | Recovery Time Objective — target time to restore systems after an incident | 4 hours |
| RPO | Recovery Point Objective — maximum acceptable data loss measured in time | Last 1-hour backup |
| MTBF | Mean Time Between Failures — average uptime between failures | 10,000 hours |
| MTTR | Mean Time to Repair — average time to restore after failure | 2 hours |
Policies, Standards, Baselines, Procedures
Policy
High-level management intent. Mandatory. States what must be done. Must include: Purpose, Scope, Responsibilities, Compliance consequences.
Standard
Mandatory technical specifications. Defines how the policy will be enforced. E.g., "All workstations must use AES-256 disk encryption."
Baseline
Minimum acceptable security configuration for a system type. Derived from standards.
Procedure
Step-by-step instructions for accomplishing a task. Operational-level detail.
Guideline
Discretionary recommendations and best practices. Not mandatory.
Privacy & Data Protection
GDPR Key Points: Applies to all EU residents' data globally. 72-hour breach notification to supervisory authorities. Right to erasure. Data portability. Fines up to €20M or 4% of global annual revenue.
Data Controller
Entity that determines the purposes and means of processing personal data.
Data Processor
Entity that processes data on behalf of the controller. Subject to the controller's instructions.
DPA
Data Protection Authority — supervisory body in each EU member state. Receives breach notifications.
CCPA
California Consumer Privacy Act (enhanced by CPRA 2023). Right to opt out of the sale of personal info; right to know, delete, and correct data.
PDPA
Bangladesh Personal Data Protection Act — emerging regulation relevant for regional practitioners. Modeled partly on GDPR principles.
Intellectual Property
| Type | What it Protects | Duration | Key Notes |
| Patent | Inventions, processes, designs | 20 years | Must be novel, useful, non-obvious. After expiry → public domain. |
| Copyright | Creative works: art, writing, software code | Life + 70 years | Automatic upon creation. Registration strengthens enforcement. |
| Trademark | Brand identifiers: names, logos, slogans | Indefinite (must be renewed + used) | Abandoned if unused for 5 years. Trademark dilution is a legal concept. |
| Trade Secret | Confidential business information | Indefinite | Protected as long as secrecy is maintained. No registration required. |
DOMAIN 02
Asset Security
Data Classification
Government / Military
Top Secret → Secret → Confidential → Sensitive → Unclassified. Based on damage to national security if disclosed.
Commercial / Private
Confidential → Private → Sensitive → Public. Based on business impact if disclosed.
Data States
Data at Rest
Stored data on disk, tape, USB, databases. Protected by encryption (AES-256), access controls, DLP.
Data in Transit
Data moving across networks. Protected by TLS 1.3, IPsec, VPN tunnels.
Data in Use
Data actively being processed in memory. Protected by Trusted Execution Environments (TEE), memory encryption, confidential computing.
Data Anonymization Techniques
Anonymization
Irreversible removal of PII so the data can never be re-linked to an individual. Not covered by GDPR once truly anonymized.
Pseudonymization
Replacing identifiers with pseudonyms. Still GDPR-regulated because re-identification is possible.
Tokenization
Replacing sensitive data with non-sensitive tokens. Original data stored in a separate secure vault. Common in PCI DSS environments.
Data Masking
Obfuscating data for non-production use. E.g., replacing SSNs with random numbers in test databases.
Differential Privacy
Mathematical framework adding calibrated noise to datasets so individual entries cannot be inferred. Used by Apple, Google in telemetry.
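The three reversible-or-not distinctions above (pseudonymization is keyed and recomputable, tokenization is reversible only through the vault, masking is irreversible) are shown side by side in this added example, which is not part of the original guide. The record, the field names, the card and SSN values and the `TokenVault` class are all constructed for illustration; in a real deployment the HMAC key would be held in a secrets manager or HSM and the vault would be a separately secured datastore.

```python
import hashlib
import hmac
import secrets
from typing import Dict


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256). The same identifier always maps to
    the same pseudonym, so records stay linkable; whoever holds the key can re-identify
    by recomputing, which is why GDPR still treats pseudonymized data as personal data."""
    normalized = identifier.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Tokenization: a random token replaces the value; the only way back is the vault."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:            # reuse so one card maps to one token
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)  # unrelated to the value; nothing recovers it
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def mask_digits(value: str, visible_last: int = 4) -> str:
    """Masking for non-production use: irreversible, keeps only the trailing digits."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return "*" * (len(digits) - visible_last) + digits[-visible_last:]


def protect_record(record: Dict[str, str], key: bytes, vault: TokenVault) -> Dict[str, str]:
    """Apply the technique each field needs before the record leaves the production zone."""
    return {
        "user_id": pseudonymize(record["email"], key),  # linkable across datasets, keyed
        "card": vault.tokenize(record["card"]),         # payment flow can detokenize later
        "ssn": mask_digits(record["ssn"]),              # test data never needs the real SSN
        "city": record["city"],                         # not a direct identifier, left as-is
    }


if __name__ == "__main__":
    # Constructed sample record and a throwaway key for the demo.
    key = secrets.token_bytes(32)
    vault = TokenVault()
    rec = {"email": "Jane.Doe@example.com", "card": "4111 1111 1111 1111",
           "ssn": "123-45-6789", "city": "Dhaka"}
    out = protect_record(rec, key, vault)
    print(out)
    print("detokenized:", vault.detokenize(out["card"]))
```

The practical point for the exam: only the masked field has left GDPR scope; the pseudonym can be re-linked by anyone with the key, and the token can be re-linked by anyone with vault access, so both still need the controls of personal data.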
DOMAIN 03
Security Architecture and Engineering
Access Control Models
MAC
Mandatory Access Control — OS enforces access based on labels and clearances. Users cannot override. Bell-LaPadula model. Used in classified government systems.
DAC
Discretionary Access Control — resource owners grant permissions. Flexible but less secure. Default in most Unix/Windows environments.
RBAC
Role-Based Access Control — permissions assigned to roles, users assigned to roles. Simplifies administration. Most common enterprise model.
ABAC
Attribute-Based Access Control — policies combine user attributes, resource attributes, and environmental conditions. Most granular model. Used in Zero Trust architectures.
ReBAC
Relationship-Based Access Control — access determined by relationships between entities (e.g., "owner of", "member of"). Used in Google Zanzibar / modern cloud IAM.
Security Models
| Model | Focus | Core Rules |
| Bell-LaPadula | Confidentiality | No Read Up (Simple Security) · No Write Down (★ Rule) |
| Biba | Integrity | No Read Down · No Write Up |
| Clark-Wilson | Integrity | Well-formed transactions · Separation of duties. Uses CDIs, UDIs, TPs, IVPs. |
| Brewer-Nash | Conflict of Interest | Chinese Wall — subject cannot access data in conflicting datasets after accessing one. |
| Graham-Denning | Access Control | Defines 8 rules for creating/deleting subjects & objects and managing access rights. |
| Non-Interference | Confidentiality | High-level actions must not be observable by lower-level subjects. |
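Bell-LaPadula and Biba are mirror images of each other, and the exam likes to swap their rules. The following added example (not from the original guide) encodes both rule sets as small predicates behind a reference monitor that records every decision. The level names and the subject/object labels are constructed; the same ordered levels are reused as integrity levels for Biba purely for the demonstration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Tuple


class Level(IntEnum):
    """Ordered levels; higher value = more sensitive (BLP) or more trustworthy (Biba)."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    TOP = 3


def blp_allows(clearance: Level, label: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    Simple Security: read only if clearance >= label (no read up).
    Star property:   write only if clearance <= label (no write down)."""
    if op == "read":
        return clearance >= label
    if op == "write":
        return clearance <= label
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_integrity: Level, object_integrity: Level, op: str) -> bool:
    """Biba (integrity), the dual of BLP.
    Simple Integrity: read only if subject <= object (no read down).
    Star Integrity:   write only if subject >= object (no write up)."""
    if op == "read":
        return subject_integrity <= object_integrity
    if op == "write":
        return subject_integrity >= object_integrity
    raise ValueError(f"unknown operation {op!r}")


@dataclass
class ReferenceMonitor:
    """Mediates every access against one model and keeps an audit trail
    (a plain list here; a real monitor writes to protected storage)."""
    model: str  # "blp" or "biba"
    audit: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def check(self, subject: str, s_level: Level, obj: str, o_level: Level, op: str) -> bool:
        rule = blp_allows if self.model == "blp" else biba_allows
        decision = rule(s_level, o_level, op)
        self.audit.append((subject, op, obj, decision))
        return decision

    def denials(self) -> List[Tuple[str, str, str, bool]]:
        return [entry for entry in self.audit if not entry[3]]


if __name__ == "__main__":
    # Constructed subjects and objects; an analyst cleared HIGH touching TOP and LOW objects.
    blp = ReferenceMonitor("blp")
    blp.check("analyst", Level.HIGH, "ops-plan", Level.TOP, "read")    # denied: read up
    blp.check("analyst", Level.HIGH, "ops-plan", Level.TOP, "write")   # allowed: write up is fine
    blp.check("analyst", Level.HIGH, "bulletin", Level.LOW, "write")   # denied: write down
    biba = ReferenceMonitor("biba")
    biba.check("patch-service", Level.HIGH, "untrusted-upload", Level.LOW, "read")  # denied: read down
    for subject, op, obj, _ in blp.denials() + biba.denials():
        print(f"denied: {subject} {op} {obj}")
```

The counter-intuitive case to remember is that BLP permits a SECRET subject to write into a TOP SECRET object (writing up leaks nothing), while Biba forbids a high-integrity process from reading low-integrity input (it could be corrupted by it).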
Cryptography
| Algorithm | Type | Key Length | Block | Status |
| AES-256 | Symmetric Block | 256 bits | 128 bits | ✅ Current standard |
| AES-128/192 | Symmetric Block | 128 / 192 | 128 bits | ✅ Approved |
| ChaCha20 | Symmetric Stream | 256 bits | — | ✅ Modern alternative to AES in TLS 1.3 |
| 3DES | Symmetric Block | 112 / 168 | 64 bits | ⚠️ Deprecated by NIST 2023 |
| DES | Symmetric Block | 56 bits | 64 bits | ❌ Broken — do not use |
| RSA-2048+ | Asymmetric | ≥2048 | — | ✅ Minimum 2048; 4096 recommended |
| ECDSA / ECDH | Asymmetric (ECC) | 256 bits (≈RSA-3072) | — | ✅ Preferred for modern systems |
| Kyber / Dilithium | Post-Quantum | Variable | — | ✅ NIST standardized 2024 (FIPS 203/204) |
Post-Quantum Cryptography (PQC): NIST finalized the first PQC standards in 2024. CRYSTALS-Kyber (ML-KEM) for key exchange and CRYSTALS-Dilithium (ML-DSA) for digital signatures are the recommended replacements for RSA and ECDSA as quantum computing threats mature.
Hashing Algorithms
| Algorithm | Output | Status |
| MD5 | 128 bits | ❌ Broken — collisions in <1 second |
| SHA-1 | 160 bits | ❌ Deprecated — collisions demonstrated (SHAttered 2017) |
| SHA-256 | 256 bits | ✅ Current standard |
| SHA-384/512 | 384 / 512 bits | ✅ High security applications |
| SHA-3 (Keccak) | 224–512 bits | ✅ Alternative to SHA-2; different construction |
| HMAC-SHA256 | 256 bits | ✅ Message authentication with secret key |
| bcrypt / Argon2id | Variable | ✅ Recommended for password hashing (NIST SP 800-63B) |
Key Cryptographic Protocols
TLS 1.3
Mandatory cipher suites: ECDHE for key exchange, AEAD ciphers (AES-GCM, ChaCha20-Poly1305). Removed: RSA key exchange, RC4, 3DES, SHA-1. Faster 1-RTT handshake.
IPsec
AH (Authentication Header, protocol 51) for integrity. ESP (Encapsulating Security Payload, protocol 50) for confidentiality + integrity. IKEv2 for key exchange.
PKI / X.509
Certificate hierarchy: Root CA → Intermediate CA → End Entity. Certificate revocation via CRL or OCSP stapling.
PGP / OpenPGP
Web-of-trust model for email encryption and signing. GPG is the open-source implementation.
DOMAIN 04
Communication and Network Security
OSI Model
| Layer | Name | Examples / Notes |
| L7 | Application | HTTP/S, DNS, SMTP, FTP, SNMP |
| L6 | Presentation | Encryption, encoding, compression (TLS ends here conceptually) |
| L5 | Session | NetBIOS, RPC, SQL session management |
| L4 | Transport | TCP (reliable, segments), UDP (fast, datagrams), TLS |
| L3 | Network | IP, ICMP, OSPF, BGP — packets. IPsec operates here. |
| L2 | Data Link | Ethernet, 802.11, MAC addresses, frames. ARP operates here. |
| L1 | Physical | Cables, hubs, fiber, RF — bits |
Mnemonic (top-down): "All People Seem To Need Data Processing" — Application, Presentation, Session, Transport, Network, Data Link, Physical.
Network Attacks
DDoS
Distributed Denial of Service. Subtypes: Volumetric (UDP floods), Protocol (SYN floods, Smurf), Application-layer (HTTP floods, Slowloris).
ARP Poisoning
Sending fake ARP replies to associate the attacker's MAC with a victim's IP. Enables MITM on local networks. Mitigated by Dynamic ARP Inspection (DAI).
DNS Poisoning
Inserting forged DNS records to redirect traffic. DNSSEC signs records to prevent forgery.
BGP Hijacking
Malicious BGP announcements rerouting internet traffic. Supply-chain level attack affecting entire networks or ISPs.
MITM
Attacker intercepts communications between two parties. Mitigated by certificate pinning, TLS, MFA.
Replay Attack
Capturing and retransmitting valid credentials or tokens. Mitigated by nonces, timestamps, session tokens.
Wireless Security
| Protocol | Encryption | Status |
| WEP | RC4 (weak IV) | ❌ Broken — do not use |
| WPA | TKIP / RC4 | ❌ Deprecated |
| WPA2-Personal | AES-CCMP | ⚠️ Acceptable; vulnerable to KRACK |
| WPA2-Enterprise | AES-CCMP + 802.1X | ✅ Recommended for corporate |
| WPA3-SAE | AES-GCMP + SAE handshake | ✅ Preferred — forward secrecy, no PMKID attack |
Firewalls, IDS/IPS & Zero Trust
Packet Filter (Gen 1)
Stateless — inspects individual packets against ACL rules. No session awareness.
Stateful (Gen 2)
Tracks TCP/UDP connection state tables. Allows return traffic automatically.
Application FW (Gen 3)
Inspects payload at Layer 7. Understands HTTP, DNS, FTP semantics.
NGFW
Next-Generation Firewall — combines stateful inspection, deep packet inspection, IPS, application awareness, TLS inspection, and user identity.
NIDS / NIPS
Network-based IDS/IPS. Monitors traffic at strategic network points. Signature-based or anomaly-based detection.
HIDS / EDR
Host-based IDS / Endpoint Detection & Response. Monitors system calls, file changes, process behavior. Modern EDR uses behavioral AI.
Zero Trust
"Never trust, always verify." No implicit trust based on network location. Every request authenticated, authorized, and encrypted. NIST SP 800-207 is the reference architecture.
SASE
Secure Access Service Edge — converges networking (SD-WAN) with security (CASB, FWaaS, SWG, ZTNA) in a cloud-delivered model.
DOMAIN 05
Identity and Access Management (IAM)
Authentication Factors
Type 1 — Knowledge
Password, PIN, passphrase, security questions
Type 2 — Possession
Smart card, TOTP token, hardware key (FIDO2)
Type 3 — Inherence
Fingerprint, retina, iris, face, voice, gait
MFA Strength Hierarchy (weakest → strongest): SMS OTP → TOTP App → Push Notification → Hardware Token (HOTP) → FIDO2/Passkey (phishing-resistant)
Biometric Performance Metrics
FAR (Type II Error)
False Acceptance Rate — an impostor is accepted. Security risk. Lower FAR = more secure.
FRR (Type I Error)
False Rejection Rate — a valid user is rejected. Usability problem. Lower FRR = better user experience.
CER / EER
Crossover Error Rate / Equal Error Rate — the point where FAR = FRR. Lower CER = better overall accuracy.
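FAR, FRR and CER are all functions of one tunable: the match threshold. This added example (not part of the original guide) sweeps a threshold over constructed genuine and impostor match scores from a hypothetical matcher, computes FAR and FRR at each point, and locates the crossover. The score lists are made up for the demonstration; real systems report these rates from thousands of trials.

```python
from typing import List, Tuple


def far_frr(threshold: float, genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Accept when match score >= threshold.
    FAR (Type II) = impostor attempts accepted / all impostor attempts.
    FRR (Type I)  = genuine attempts rejected / all genuine attempts."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def find_cer(genuine: List[float], impostor: List[float]) -> Tuple[float, float, float]:
    """Try every observed score as a candidate threshold and return (threshold, FAR, FRR)
    where FAR and FRR are closest to equal: the CER / EER operating point."""
    candidates = sorted(set(genuine) | set(impostor))

    def gap(t: float) -> Tuple[float, float]:
        far, frr = far_frr(t, genuine, impostor)
        return abs(far - frr), t          # tie-break on the threshold for determinism

    best = min(candidates, key=gap)
    far, frr = far_frr(best, genuine, impostor)
    return best, far, frr


# Constructed match scores (1.0 = perfect match). Genuine users score high, impostors low,
# with some overlap so the two error rates actually trade off.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.60, 0.55]
IMPOSTOR = [0.25, 0.30, 0.38, 0.42, 0.47, 0.52, 0.58, 0.63, 0.68, 0.72]

if __name__ == "__main__":
    for t in (0.55, 0.63, 0.66, 0.72):
        far, frr = far_frr(t, GENUINE, IMPOSTOR)
        print(f"threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
    t, far, frr = find_cer(GENUINE, IMPOSTOR)
    print(f"CER at threshold {t:.2f}: FAR=FRR={far:.2f}")
```

Raising the threshold lowers FAR and raises FRR; a high-security facility accepts a higher FRR by sitting to the right of the crossover, a consumer phone unlock sits to the left of it.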
Modern IAM Concepts
SSO
Single Sign-On — authenticate once, access multiple systems. Implemented via SAML 2.0, OIDC, Kerberos.
Federated Identity
Identity provider (IdP) vouches for the user to service providers (SP). Cross-organizational trust. Standards: SAML, OAuth 2.0, OIDC.
OAuth 2.0 / OIDC
OAuth 2.0 (RFC 6749) = authorization framework. OIDC adds an identity layer on top. Used for "Sign in with Google" flows. JWT tokens.
FIDO2 / Passkeys
Phishing-resistant authentication using public key cryptography. Passkeys are synced FIDO2 credentials. Supported by all major platforms as of 2024.
PAM
Privileged Access Management — controls and monitors administrative/privileged accounts. Just-in-time access, session recording, credential vaulting.
Zero Trust IAM
Continuous authentication and authorization. Every request re-evaluated against policy. No standing privileges. Microsegmentation of access.
Kerberos Authentication Flow
1. Client → AS: Authentication request (with pre-auth)
2. AS → Client: TGT encrypted with client's key + Session Key
3. Client → TGS: TGT + Service request
4. TGS → Client: Service Ticket (encrypted with service's key)
5. Client → Service: Service Ticket
6. Service → Client: Confirmation
Key facts: UDP 88, requires clock synchronization (±5 min), tickets have TTL (default 10h), KDC holds all secrets.
DOMAIN 06
Security Assessment and Testing
Audit Fundamentals
Audits must be performed by auditors independent of the IT organization being audited. Audit frequency is based on risk level. Key outputs: Purpose, Scope, Results, Findings, Recommendations.
SOC 1
Controls relevant to the user entity's financial reporting (SSAE 18 / ISAE 3402).
SOC 2
Controls over Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy. Most relevant for cloud providers.
SOC 2 Type II
Covers operating effectiveness over a period (typically 6–12 months). Stronger assurance than Type I (design only).
Penetration Testing
| Phase | Activities |
| 1. Reconnaissance | OSINT, DNS enumeration, WHOIS, social media, Shodan, passive gathering |
| 2. Scanning / Enumeration | Port scanning (nmap), service version detection, banner grabbing, OS fingerprinting |
| 3. Vulnerability Analysis | CVE/CVSS scoring, Nessus/OpenVAS scans, manual code review, threat modeling |
| 4. Exploitation | Using validated vulnerabilities. Metasploit, custom exploits. Lateral movement, privilege escalation. |
| 5. Post-Exploitation | Persistence, C2 establishment, data exfiltration simulation, pivoting |
| 6. Reporting | Executive summary, technical findings with CVSS scores, remediation roadmap, risk rating |
Black Box (Blind)
No prior knowledge. Simulates external attacker. Team not informed.
White Box
Full knowledge: source code, architecture, credentials. Maximum coverage.
Grey Box
Partial knowledge. Simulates insider or authenticated attacker.
Vulnerability Management
CVSS v3.1
Base (severity by vendor) × Temporal (patch availability) × Environmental (org impact). Scores 0.0–10.0. Critical ≥9.0.
CVSS v4.0
Released 2023. Adds new metric groups (Supplemental, Environmental 2). Better reflects real-world exploitability with EPSS integration.
EPSS
Exploit Prediction Scoring System — ML model predicting probability of exploitation within 30 days. Complements CVSS for prioritization.
KEV Catalog
CISA Known Exploited Vulnerabilities — authoritative list of CVEs actively exploited in the wild. Federal agencies are mandated to patch within deadlines.
DOMAIN 07
Security Operations
Key Laws and Regulations
CFAA (1984/2022)
Computer Fraud and Abuse Act. Primary US federal law covering unauthorized computer access. Amended multiple times. CFAA Reform Act proposed 2022.
HIPAA
Health Insurance Portability and Accountability Act. Protects health information (PHI). Requires administrative, physical, and technical safeguards. Breach notification rule.
PCI DSS v4.0
Payment Card Industry Data Security Standard. v4.0 fully effective March 2025. New requirements for targeted risk analysis, multi-factor authentication, anti-phishing.
NIS2
EU Network and Information Security Directive 2 — effective October 2024. Expands scope to more sectors, stricter incident reporting (24h for initial alert), higher fines.
DMCA
Digital Millennium Copyright Act. Criminalizes circumvention of DRM. Safe harbor protections for ISPs.
FISMA
Federal Information Security Management Act. Requires federal agencies to have information security programs. NIST frameworks (SP 800-53) used for compliance.
Incident Response
NIST SP 800-61r2 defines the incident response lifecycle:
1. Preparation: IRP, CSIRT team, tools, training, communication plans, asset inventory.
2. Detection & Analysis: SIEM alerts, threat intel feeds, log analysis, triage and severity classification.
3. Containment: Short-term (isolate system) + long-term (patch, rebuild). Preserve evidence.
4. Eradication: Remove malware, close attack vectors, apply patches.
5. Recovery: Restore from clean backups, monitor closely, validate security.
6. Lessons Learned: Post-incident review within 2 weeks. Document timeline, root cause, improvements.
Digital Forensics
Order of Volatility
CPU registers/cache → RAM → Swap/Virtual memory → Network state → Running processes → Hard disk → Removable media → Backups. Collect the most volatile first.
Chain of Custody
Documentation tracking who handled evidence, when, and how. Critical for legal admissibility.
Evidence Integrity
Cryptographic hashes (SHA-256) verify evidence has not been altered. Write-blockers prevent modification during acquisition.
Locard's Exchange
Every contact leaves a trace. In digital forensics: every intrusion leaves artifacts in logs, memory, and filesystem.
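Chain of custody and evidence integrity are usually implemented together: the evidence is hashed at acquisition, re-hashed at every hand-off, and the custody entries themselves are linked so the log cannot be quietly edited. This added example (not from the original guide) does exactly that with SHA-256; the evidence bytes, evidence ID and custodian names are constructed, and a real acquisition would hash a multi-gigabyte image in chunks from behind a write-blocker rather than an in-memory byte string.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Chain-of-custody record for one evidence item. Each entry stores the SHA-256 of the
    evidence as the custodian received it and is hash-linked to the previous entry, so
    both evidence tampering and log tampering become detectable."""

    def __init__(self, evidence_id: str, acquired: bytes, custodian: str) -> None:
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256_hex(acquired)   # the reference value for all later checks
        self.entries: List[Dict[str, str]] = []
        self._append(custodian, "acquired", self.acquisition_hash)

    def _append(self, custodian: str, action: str, evidence_hash: str) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "evidence_id": self.evidence_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "evidence_hash": evidence_hash,
            "prev_entry_hash": prev,
        }
        # Hash of the entry body (everything except its own hash) links the chain.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)

    def transfer(self, new_custodian: str, evidence_now: bytes) -> bool:
        """Re-hash on every hand-off; True only if the item still matches acquisition."""
        current = sha256_hex(evidence_now)
        intact = current == self.acquisition_hash
        self._append(new_custodian, "transfer" if intact else "transfer-MISMATCH", current)
        return intact

    def verify_log(self) -> bool:
        """Recompute every entry hash and link; False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev_entry_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    image = b"constructed stand-in for a disk image"
    log = CustodyLog("EV-2024-001", image, "examiner A")
    print("hand-off intact:", log.transfer("examiner B", image))
    print("hand-off intact:", log.transfer("lab C", image + b"\x00"))  # altered copy
    print("log intact:", log.verify_log())
```

A mismatch entry is still appended rather than rejected: the log must record that the hand-off happened and what was received, because that discrepancy is itself evidence about when custody failed.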
DOMAIN 08
Software Development Security
Secure SDLC & DevSecOps
SAST
Static Application Security Testing — analyzes source code without execution. Finds injection flaws, insecure functions. Runs in the CI pipeline.
DAST
Dynamic Application Security Testing — tests the running application. Finds runtime issues, authentication flaws, XSS. Tools: OWASP ZAP, Burp Suite.
IAST
Interactive AST — instruments the running application with agents. Combines SAST and DAST benefits. High accuracy, lower false positives.
SCA
Software Composition Analysis — identifies open-source dependencies and their known vulnerabilities (CVEs). Essential for supply chain security. SBOM generation.
SBOM
Software Bill of Materials — machine-readable inventory of all software components and dependencies. Mandated by US Executive Order 14028 for federal software.
OWASP Top 10 — 2021 Edition
Note: OWASP Top 10 2025 is in community review as of 2024. The 2021 list remains the authoritative version for exam purposes.
| # | Category | Key Attacks / Notes |
| A01 | Broken Access Control | IDOR, path traversal, privilege escalation, CORS misconfiguration. #1 risk since 2021. |
| A02 | Cryptographic Failures | Weak algorithms (MD5, SHA-1, DES), plaintext storage, improper TLS, hardcoded keys. |
| A03 | Injection | SQL, LDAP, OS command, SSTI injection. Parameterized queries / ORM are the fix. |
| A04 | Insecure Design | Missing threat modeling, insecure design patterns, lack of secure design principles. |
| A05 | Security Misconfiguration | Default credentials, unnecessary features enabled, verbose error messages, S3 buckets public. |
| A06 | Vulnerable Components | Log4Shell (Log4j), Spring4Shell. SCA tools + SBOM help manage this. |
| A07 | Auth Failures | Weak passwords, credential stuffing, missing MFA, improper session management. |
| A08 | Software Integrity Failures | Supply chain attacks (SolarWinds). CI/CD pipeline security, code signing, integrity checks. |
| A09 | Logging & Monitoring Failures | Missing audit logs, no alerting. Average breach detection time 197 days without proper monitoring. |
| A10 | SSRF | Server-Side Request Forgery — server fetches attacker-controlled URL. Cloud metadata endpoints targeted. |
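Row A03 states that parameterized queries are the fix for injection; the following added example (not part of the original guide) shows why, using a constructed in-memory SQLite table. The first lookup splices the input into the SQL text, the second binds it as a parameter, and the same quote-bearing input is handed to both so the difference in behaviour is visible. The table, rows and function names are all constructed for this demonstration.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """A03 pattern to avoid: the input is spliced into the SQL text, so quote characters
    in it change the query's grammar instead of being compared as data."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The fix: a bound parameter reaches the engine as a value and is never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed input containing SQL metacharacters
    print("concatenated :", lookup_vulnerable(conn, hostile))     # every row comes back
    print("parameterized:", lookup_parameterized(conn, hostile))  # no such user, nothing returned
    print("normal lookup:", lookup_parameterized(conn, "alice"))
```

A SAST rule that flags string formatting into `execute()` calls will catch the first function; the second is what the rule should be pointing developers toward, and an ORM achieves the same binding under the hood.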
Additional Critical Vulnerabilities 2024
Prompt Injection
Manipulating LLM/AI systems by embedding malicious instructions in user input or external content. Emerging threat for AI-integrated applications.
API Security
OWASP API Top 10 (2023): Broken Object Level Authorization (BOLA/IDOR) is #1. Mass assignment, lack of rate limiting, improper authentication are key concerns.
Supply Chain Attack
Compromising software build pipelines, dependencies, or CI/CD systems. SolarWinds, XZ Utils (2024) are notable examples.
Exam Quick Reference
Key NIST Publications
SP 800-30: Risk Assessment · SP 800-37: RMF · SP 800-53: Security Controls · SP 800-61: Incident Response · SP 800-63B: Digital Identity · SP 800-207: Zero Trust · FIPS 140-3: Cryptographic Modules
ISO Standards
ISO 27001: ISMS Requirements · ISO 27002: Security Controls · ISO 27005: Risk Management · ISO 27017: Cloud Security · ISO 27701: Privacy · ISO 31000: Risk Management
Common Port Numbers
21 FTP · 22 SSH · 25 SMTP · 53 DNS · 80 HTTP · 88 Kerberos · 110 POP3 · 143 IMAP · 443 HTTPS · 514 Syslog · 636 LDAPS · 1433 MSSQL · 3306 MySQL · 3389 RDP
Common Acronym Traps
SLE = AV × EF · ALE = SLE × ARO · CER (biometrics) = the point where FAR = FRR · MTD ≥ RTO ≥ RPO · MTBF = reliability, MTTR = maintainability