What do the ILOVEYOU and Melissa virus attacks have in common?
They are both denial-of-service (DOS) attacks.
They have nothing in common.
They are both masquerading attacks.
They are both social engineering attacks.
While a masquerading attack can be considered a type of social engineering, the Melissa and ILOVEYOU viruses are examples of masquerading attacks, even if they may cause some kind of denial of service due to the web server being flooded with messages. In this case, the receiver confidently opens a message coming from a trusted individual, only to find that the message was sent using the trusted party's identity. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 10: Law, Investigation, and Ethics (page 650).
Crackers today are MOST often motivated by their desire to:
Help the community in securing their networks.
Seeing how far their skills will take them.
Getting recognition for their actions.
Gaining Money or Financial Gains.
A few years ago the best choice for this question would have been seeing how far their skills can take them. Today this has changed greatly: most crimes committed are financially motivated.
Profit is the most widespread motive behind all cybercrimes and, indeed, most crimes: everyone wants to make money. Hacking for money or for free services includes a smorgasbord of crimes such as embezzlement, corporate espionage and being a "hacker for hire". Scams are easier to undertake but the likelihood of success is much lower.
Money-seekers come from any lifestyle but those with persuasive skills make better con artists in the same way as those who are exceptionally tech-savvy make better “hacks for hire”.
"White hats" are the security specialists (as opposed to Black Hats) interested in helping the community in securing their networks. They will test systems and networks with the owner's authorization.
A Black Hat is someone who uses his skills for offensive purposes. They do not seek authorization before they attempt to compromise the security mechanisms in place. "Grey Hats" are people who sometimes work as a White Hat and other times work as a Black Hat; they have not yet made up their mind as to which side they prefer to be on.
The following are incorrect answers:
All the other choices could be possible reasons but the best one today is really for financial gains.
References used for this question: library.thinkquest.org/04oct/00460/crimeMotives.html and www.informit.com/articles/article.aspx?p=1160835 and www.aic.gov.au/documents/1/B/A/%7B1BA0F612-613A-494D-B6C5-06938FE8BB53%7Dhtcb006.pdf
What best describes a scenario when an employee has been shaving off pennies from multiple accounts and depositing the funds into his own bank account?
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 644.
Java is not:
JAVA was developed so that the same program could be executed on multiple hardware and operating system platforms; it is not architecture specific.
The following answers are incorrect:
Object-oriented. Is not correct because JAVA is object-oriented. It uses the object-oriented programming methodology.
Distributed. Is incorrect because JAVA was developed to be able to be distributed, i.e. run on multiple computer systems over a network.
Multithreaded. Is incorrect because JAVA is multithreaded; that is, it supports concurrent calls to subroutines, as is the case with object-oriented programming.
A virus is a program that can replicate itself on a system but not necessarily spread itself by network connections.
What is malware that can spread itself over open network connections?
Computer worms are also known as Network Mobile Code, or a virus-like bit of code that can replicate itself over a network, infecting adjacent computers.
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
A notable example is the SQL Slammer computer worm that spread globally in ten minutes on January 25, 2003. I myself came to work that day as a software tester and found all my SQL servers infected and actively trying to infect other computers on the test network.
A patch had been released a year prior by Microsoft, and if systems were not patched and were exposed to a 376 byte UDP packet from an infected host, then the system would become compromised.
Ordinarily, infected computers are not to be trusted and must be rebuilt from scratch, but the vulnerability could be mitigated by replacing a single vulnerable DLL called sqlsort.dll.
Replacing that with the patched version completely disabled the worm, which really illustrates the importance of actively patching our systems against such network mobile code.
The following answers are incorrect:
Rootkit: Sorry, this isn't correct because a rootkit isn't ordinarily classified as network mobile code like a worm is. This isn't to say that a rootkit couldn't be included in a worm, just that a rootkit isn't usually classified like a worm. A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.
Adware: Incorrect answer. Sorry but adware isn't usually classified as a worm. Adware, or advertising-supported software, is any software package which automatically renders advertisements in order to generate revenue for its author. The advertisements may be in the user interface of the software or on a screen presented to the user during the installation process. The functions may be designed to analyze which Internet sites the user visits and to present advertising pertinent to the types of goods or services featured there. The term is sometimes used to refer to software that displays unwanted advertisements.
Logic Bomb: Logic bombs like adware or rootkits could be spread by worms if they exploit the right service and gain root or admin access on a computer.
The following reference(s) were used to create this question:
Which of the following technologies is a target of XSS or CSS (Cross-Site Scripting) attacks?
Intrusion Detection Systems
XSS or Cross-Site Scripting is a threat to web applications where malicious code is placed on a website that attacks the user using their existing authenticated session status. Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.
Configure your IPS (Intrusion Prevention System) to detect and suppress this traffic. Use input validation on the web application to normalize inputted data.
Set web apps to bind session cookies to the IP Address of the legitimate user and only permit that IP Address to use that cookie.
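As an added example (not code from the original question or the sources it cites), the following Node.js snippet shows the flaw the explanation describes, user input copied into the generated page without encoding, next to two of the mitigations listed: encoding the input before it reaches the HTML, and binding a session to the client address it was issued to. The comment strings, the in-memory session store and the IP addresses are all constructed for illustration.

```javascript
// Added example, not code from the original question or its cited sources.
// It shows the flaw the explanation describes (user input copied into the
// generated HTML without encoding) next to two of the listed mitigations:
// encoding the input before it reaches the page, and binding a session to the
// client address it was issued to. All sample strings, the session store and
// the IP addresses below are constructed for illustration.

// HTML entity encoder for text placed inside an element's body. Every
// character that can open or close markup is turned into its entity form.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;") // must run first so later entities are not re-encoded
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable rendering: the comment string is interpolated verbatim, so any
// markup it carries becomes part of the page served to the next visitor.
function renderCommentVulnerable(comment) {
  return '<p class="comment">' + comment + "</p>";
}

// Hardened rendering: the same template, but the comment is encoded first,
// so a browser displays the characters instead of interpreting them.
function renderCommentSafe(comment) {
  return '<p class="comment">' + escapeHtml(comment) + "</p>";
}

// Check used below: does the fragment still contain a script element that a
// browser would execute?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: a normal comment and one carrying a script element.
const BENIGN_COMMENT = "Great post, thanks!";
const HOSTILE_COMMENT = "<script>alert(1)</script>";

// Session binding, as suggested above: a session id is only honoured when it
// is presented from the client address it was issued to. The Map stands in
// for a real session backend (assumption made for this example).
const sessions = new Map();

function issueSession(sessionId, clientIp) {
  sessions.set(sessionId, { clientIp });
}

function sessionValidFor(sessionId, clientIp) {
  const record = sessions.get(sessionId);
  return record !== undefined && record.clientIp === clientIp;
}

// Stand-alone demonstration.
function demo() {
  const vulnerable = renderCommentVulnerable(HOSTILE_COMMENT);
  const safe = renderCommentSafe(HOSTILE_COMMENT);
  console.log("vulnerable output carries a script element:", containsScriptElement(vulnerable)); // true
  console.log("encoded output carries a script element:", containsScriptElement(safe)); // false
  console.log(safe); // <p class="comment">&lt;script&gt;alert(1)&lt;/script&gt;</p>

  issueSession("sess-1", "10.0.0.5");
  console.log("same address accepted:", sessionValidFor("sess-1", "10.0.0.5")); // true
  console.log("other address accepted:", sessionValidFor("sess-1", "10.0.0.6")); // false
}

demo();
```

Two caveats a practitioner should keep in mind: the encoder above is only correct for text inside an element body (attribute values, URLs and script contexts need their own encoding, which is why the OWASP cheat sheets referenced below are organised by output context), and IP-bound sessions will log out legitimate users whose address changes, for example mobile clients or users behind load-balanced proxies.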
See the XSS (Cross Site Scripting) Prevention Cheat Sheet
See the Abridged XSS Prevention Cheat Sheet
See the DOM based XSS Prevention Cheat Sheet
See the OWASP Development Guide article on Phishing.
See the OWASP Development Guide article on Data Validation.
The following answers are incorrect:
Intrusion Detection Systems: Sorry. IDS systems aren't usually the target of XSS attacks, but a properly-configured IDS/IPS can "detect and report on malicious strings and suppress the TCP connection" in an attempt to mitigate the threat.
Firewalls: Sorry. Firewalls aren't usually the target of XSS attacks.
DNS Servers: Same as above, DNS Servers aren't usually targeted in XSS attacks but they play a key role in the domain name resolution in the XSS attack process.
The following reference(s) were used to create this question:
CCCure Holistic Security+ CBT and Curriculum and
Which of the following should be performed by an operator?
Adding and removing users
Installing system software
Of the listed tasks, installing system software is the only task that should normally be performed by an operator in a properly segregated environment.
Source: MOSHER, Richard & ROTHKE, Ben, CISSP CBK Review presentation on domain 7.
At which of the basic phases of the System Development Life Cycle are security requirements formalized?
System Design Specifications
Development and Implementation
Functional Requirements Definition
During the Functional Requirements Definition the project management and systems development teams will conduct a comprehensive analysis of current and possible future functional requirements to ensure that the new system will meet end-user needs. The teams also review the documents from the project initiation phase and make any revisions or updates as needed. For smaller projects, this phase is often subsumed in the project initiation phase. At this point security requirements should be formalized.
The Development Life Cycle is a project management tool that can be used to plan, execute, and control a software development project usually called the Systems Development Life Cycle (SDLC).
The SDLC is a process that includes systems analysts, software engineers, programmers, and end users in the project design and development. Because there is no industry-wide SDLC, an organization can use any one, or a combination of SDLC methods.
The SDLC simply provides a framework for the phases of a software development project from defining the functional requirements to implementation. Regardless of the method used, the SDLC outlines the essential phases, which can be shown together or as separate elements. The model chosen should be based on the project. For example, some models work better with long-term, complex projects, while others are more suited for short-term projects. The key element is that a formalized SDLC is utilized.
The number of phases can range from three basic phases (concept, design, and implement) on up.
The basic phases of SDLC are:
Project initiation and planning
Functional requirements definition
System design specifications
Development and implementation
Documentation and common program controls
Testing and evaluation control (certification and accreditation)
Transition to production (implementation)
The system life cycle (SLC) extends beyond the SDLC to include two additional phases:
Operations and maintenance support (post-installation)
Revisions and system replacement
System Design Specifications
This phase includes all activities related to designing the system and software. In this phase, the system architecture, system outputs, and system interfaces are designed. Data input, data flow, and output requirements are established and security features are designed, generally based on the overall security architecture for the company.
Development and Implementation
During this phase, the source code is generated, test scenarios and test cases are developed, unit and integration testing is conducted, and the program and system are documented for maintenance and for turnover to acceptance testing and production. As well as general care for software quality, reliability, and consistency of operation, particular care should be taken to ensure that the code is analyzed to eliminate common vulnerabilities that might lead to security exploits and other risks.
Documentation and Common Program Controls
These are controls used when editing the data within the program, the types of logging the program should be doing, and how the program versions should be stored. A large number of such controls may be needed, see the reference below for a full list of controls.
In the acceptance phase, preferably an independent group develops test data and tests the code to ensure that it will function within the organization's environment and that it meets all the functional and security requirements. It is essential that an independent group test the code during all applicable stages of development to prevent a separation of duties issue. The goal of security testing is to ensure that the application meets its security requirements and specifications. The security testing should uncover all design and implementation flaws that would allow a user to violate the software security policy and requirements. To ensure test validity, the application should be tested in an environment that simulates the production environment. This should include a security certification package and any user documentation.
Certification and Accreditation (Security Authorization)
Certification is the process of evaluating the security stance of the software or system against a predetermined set of security standards or policies. Certification also examines how well the system performs its intended functional requirements. The certification or evaluation document should contain an analysis of the technical and nontechnical security features and countermeasures and the extent to which the software or system meets the security requirements for its mission and operational environment.
Transition to Production (Implementation)
During this phase, the new system is transitioned from the acceptance phase into the live production environment. Activities during this phase include obtaining security accreditation; training the new users according to the implementation and training schedules; implementing the system, including installation and data conversions; and, if necessary, conducting any parallel operations.
Revisions and System Replacement
As systems are in production mode, the hardware and software baselines should be subject to periodic evaluations and audits. In some instances, problems with the application may not be defects or flaws, but rather additional functions not currently developed in the application. Any changes to the application must follow the same SDLC and be recorded in a change management system. Revision reviews should include security planning and procedures to avoid future problems. Periodic application audits should be conducted and include documenting security incidents when problems occur. Documenting system failures is a valuable resource for justifying future system enhancements.
Below you have the phases used by NIST in its 800-63 Revision 2 document. As noted above, the phases will vary from one document to another. For the purpose of the exam, use the list provided in the official ISC2 Study book, which is presented in short form above. Refer to the book for a more detailed description of activities at each of the phases of the SDLC.
However, all references have very similar steps. As mentioned in the official book, it could be as simple as three phases in its most basic version (concept, design, and implement) or a lot more in more detailed versions of the SDLC. The key thing is to make use of an SDLC.
Figure: SDLC phases
Reference(s) used for this question:
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Software Development Security ((ISC)2 Press) (Kindle Locations 134-157). Auerbach Publications. Kindle Edition.
Over our 26-year history, (ISC)² has earned a reputation for providing gold standard information security credentials. Maintaining the relevancy of those credentials amidst the changes in technology and the evolving threat landscape occurring in this industry is a core strategy upon which this organization was built.
As a result of a rigorous, methodical process that (ISC)² follows to routinely update its credential exams, I'm pleased to announce that enhancements will be made to both the Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP) credentials, beginning April 15, 2015. We conduct this process on a regular basis to ensure that the examinations and subsequent training and continuing professional education requirements encompass the topic areas relevant to the roles and responsibilities of today's practicing information security professionals.
Both credentials reflect knowledge of information security best practices, but from different facets. SSCPs are typically more involved in hands-on technical, day-to-day operational security tasks. Core competencies for SSCPs include implementing, monitoring and administering IT infrastructure in accordance with information security policies, procedures and requirements that ensure data confidentiality, integrity, and availability. CISSPs, while also technically competent, typically design, engineer, implement and manage the overarching enterprise security program.
SSCPs and CISSPs speak the same information security language with unique perspectives that complement each other across various IT departments and business lines.
The content of the official (ISC)² SSCP CBK has been refreshed to reflect the most pertinent issues that security practitioners currently face, along with the best practices for mitigating those issues. The result is an exam that most accurately reflects the technical and practical security knowledge that is required for the daily job functions of today's frontline information security practitioner.
The domain names have been updated as follows to describe the topics accurately:
SSCP Domains, Effective April 15, 2015
Refreshed technical content has been added to the official (ISC)² CISSP CBK to reflect the most current topics in the information security industry today. Some topics have been expanded (e.g., asset security, security assessment and testing), while other topics have been realigned under different domains. The result is an exam that most accurately reflects the technical and managerial competence required from an experienced information security professional to effectively design, engineer, implement and manage an organization’s information security program within an ever-changing security landscape.
The domain names have been updated as follows:
CISSP Domains, Effective April 15, 2015
Some candidates may be wondering how these updates affect training materials for the CISSP and SSCP credentials. As part of the organization's comprehensive education strategy and certifying body best practices, (ISC)² training materials do not teach directly to its credential examinations. Rather, (ISC)² Education is focused on teaching the core competencies relevant to the roles and responsibilities of today's practicing information security professional. It is designed to refresh and enhance the knowledge of experienced industry professionals.
The content within (ISC)² training materials will be revised to align with the updated CISSP and SSCP domains, according to the schedule provided in the FAQs. If candidates have recently participated in or plan to soon participate in an (ISC)² training course for the CISSP or SSCP, we encourage them to go ahead and schedule their examination at a Pearson VUE testing center for a date prior to April 15, 2015. If candidates are currently in a training course or are unable to sit for the CISSP or SSCP credential examination prior to April 15, 2015, I believe that an (ISC)² training course is still a beneficial step in their study plan.
I am confident that these updates positively reflect on our commitment to ensure that our certifications remain relevant to the industry today and continue to earn the gold standard reputation.
For more information, please refer to the FAQs on our website. And as always, our global Member Services Department is available to answer any additional questions at membersupportisc2 or directly via phone in accordance with your respective region at
PrepKit SSCP, ISC2 SSCP is an interactive software application that helps you learn, tracks your progress, identifies areas for improvement and simulates the actual exam. This PrepKit contains 6 interactive practice tests with over 440 challenging questions guaranteed to comprehensively cover all the objectives for the SSCP: Systems Security Certified Practitioner exam. With detailed analysis for each question, over 357 study notes, interactive quizzes, tips and technical articles, this PrepKit ensures that you get a solid grasp of core technical concepts to ace your certification exam.
Our PrepKits help you get certified. You save both, time and money. As a matter of fact, we do better than that. Each PrepKit is backed by money back guarantee. So, if you don't get certified in the first attempt, we will return your money.
System Requirements: Pentium-I or higher processor, IE 5.5 or later, 12 MB RAM, 6 MB hard disk space. Operating System Support: Win98, WinME, WinNT 4.x, WinXP, Windows2000, Windows2003, Windows Media Center Edition 2005, Windows Vista Starter, Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Business, Windows Vista Enterprise, Windows Vista Ultimate, Windows Vista Home Basic x64, Windows Vista Home Premium x64, Windows Vista Business x64, Windows Vista Enterprise x64, Windows Vista Ultimate x64
Article by ArticleForge
ST Electronics (Info-Security) and ISC have signed a partnership agreement to offer the official Systems Security Certified Practitioner (SSCP) Common Body of Knowledge (CBK) training with hands-on practical in Singapore. DigiSAFE Cyber Security Centre (DCSC), the training arm of ST Electronics (Info-Security), will provide an integrated SSCP CBK training curriculum with hands-on practical tools by using the Centre's cyber range exercise system to prepare security professionals for the SSCP certification and a career in information security.
Palm Harbor, Fla., USA, Jan. 9, 2006 – The International Information Systems Security Certification Consortium [(ISC)2®], the non-profit international leader in educating and certifying information security professionals worldwide, today announced that the International Organization for Standardization's (ISO) United States representative, the American National Standards Institute (ANSI), has accredited (ISC)2's SSCP® (Systems Security Certified Practitioner) credential under the ISO/IEC 17024 standard in the area of information security. ISO/IEC 17024 establishes a global benchmark for the certification of personnel. ANSI accredits standards developers, certification bodies and technical advisory groups to both the ISO and the International Electrotechnical Commission (IEC). This accreditation meets the new requirements of the U.S. DoD (Department of Defense) Directive 8570.1, which requires its information assurance (IA) workers to obtain a commercial certification that has been accredited by ANSI or an equivalent authorized body under the global ISO/IEC 17024 standard. This DoD-wide policy was made official in August 2004 and approved for implementation in December 2005.
"(ISC)2 was the first organization within the information technology sector to earn accreditation for personnel certification for the CISSP® (Certified Information Systems Security Professional) credential, and we are proud to announce that (ISC)2 is continuing to set standards for competency in the information security field, meeting the changing demands of industry and government through the accreditation of our SSCP credential," said John Colley, CISSP, chairman of the board of directors of (ISC)2.
"We are committed to the industry and to supporting the DoD's efforts to certify those information assurance personnel who are critical to safeguarding the agency's networks and ensuring that mission-critical information gets to the right people at the right time," said Rolf Moulton, CISSP-ISSMP, president and CEO (interim) of (ISC)2.
"(ISC)2 is commended for completing this rigorous process a second time and receiving ANSI accreditation," said Dr. Roy Swift, program director for certification accreditation for ANSI. "ISO/IEC 17024 was developed in response to businesses and governments seeking a valid benchmark for agencies who certify people. Employers in the public and private sectors can be confident that information security professionals holding the (ISC)2 SSCP credential possess the necessary skills to implement information security policies, processes and procedures anywhere in the world."
The SSCP is awarded by (ISC)2 to information security professionals who successfully pass a comprehensive examination based on the (ISC)2 SSCP CBK®, a compendium of global information security best practices, possess at least one year of cumulative work experience in the field, subscribe to the (ISC)2 Code of Ethics, and are endorsed by an existing CISSP or equivalent professional. Continuing Professional Education credits are required to maintain certification.
The International Information Systems Security Certification Consortium, Inc. [(ISC)2®] is the internationally recognized Gold Standard for educating and certifying information security professionals. Founded in 1989, (ISC)2 has certified over 40,000 information security professionals in more than 100 countries. Based in Palm Harbor, Florida, USA, with offices in Vienna, Virginia, USA, London, Hong Kong and Tokyo, (ISC)2 issues the Certified Information Systems Security Professional (CISSP®) and related concentrations, Certification and Accreditation Professional (CAPCM), and Systems Security Certified Practitioner (SSCP®) credentials to those meeting necessary competency requirements. The CISSP and SSCP are among the first information technology credentials to meet the stringent requirements of ANSI under ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)2 also offers a portfolio of educational related products and services based upon (ISC)2's CBK®, a compendium of industry best practices for information security professionals, and is responsible for the annual (ISC)2 Global Information Security Workforce Study. More information about (ISC)2 is available at .isc2.
The International Information Systems Security Certification Consortium, Inc., known as (ISC)2, offers two security certifications. The first is the Certified Information Systems Security Professional (CISSP) program, a senior-level credential aimed at full-time security professionals and consultants. The second is the Systems Security Certified Professional (SSCP), a junior-level credential aimed at those whose system or network administration duties also include routine security matters. CISSPs analyze, design, implement, and verify security policies and procedures; SSCPs carry them out and perform related maintenance tasks. The CISSP program has been around since 1992 and is widely recognized and well respected; the SSCP program has been around since 1998 and is gaining recognition as a useful entry-level security certification.
Editor's Note: This article was updated with new information on August 8, 2003.
The full name for the organization responsible for two popular security certifications—the Certified Information Systems Security Professional (CISSP) and the Systems Security Certified Practitioner (SSCP)—is the International Information Systems Security Certification Consortium, Inc. (IISSCC). Everybody takes the easy way out and calls this group (ISC)2 (pronounced "ISC-squared")—even the organization itself, although the preferred representation takes the form (ISC)2.
The (ISC)2 includes representatives from numerous security companies, academic institutions, government agencies, and professional associations. Working groups composed of members created and maintain the requirements for two vendor-neutral security certifications, as follows:
(ISC)2 offers a program called the Associate of (ISC)2, which recognizes candidates who have passed the SSCP or CISSP exam and are in the process of gaining the required experience to become SSCP or CISSP certified. The Associate of (ISC)2 is not a certification but rather a stepping stone on the way to the SSCP or CISSP. According to the (ISC)2 Web site, Associate candidates benefit from obtaining "career-related support" through (ISC)2 early on in their professions.
The best source of information for these (ISC)2 certifications is in their respective study guides. To download study guides, visit
About the CISSP Program
Becoming a CISSP requires that you pass one exam, but it's a challenge: This exam consists of 250 multiple-choice questions pulled from 10 different security-related knowledge domains. That's why candidates are given up to six hours to complete this exam. In fact, the CISSP is a senior-level certification intended to identify individuals who are fully qualified to work as security professionals full-time. In practice, working full-time in security means filling one of two kinds of jobs:
For serious, advanced security professionals, the knowledge domains associated with the CISSP cover a lot of ground, but the exam sticks closely to subjects and technologies intimately related to security matters. The 10 knowledge domains relevant to the CISSP include the following:
CISSP candidates must agree to abide by the CISSP code of ethics, submit an Endorsement Form signed by a CISSP, and, if selected, pass a background and experience audit. Candidates must have four or more years of experience in at least one of the 10 knowledge domains (or three years’ direct experience along with a college degree or the equivalent life experience).
By virtue of its length and its broad coverage, the CISSP exam is regarded as something of an ordeal. That's why we urge you to obtain and review the CISSP Study Guide mentioned earlier in this article, especially the reference materials cited therein. You might be interested to learn that the (ISC)2 calls the objectives based on its 10 CISSP information domains the Common Body of Knowledge (CBK). That's why you might want to take an authorized CBK Review Seminar to help prepare for this exam.
CISSPs can choose a concentration much like a college student chooses a "major" in a college degree program. Currently, (ISC)2 offers three concentrations: ISSAP (Architecture), ISSMP (Management), and ISSEP (Engineering). The ISSAP and ISSMP exams consist of 125 items; the ISSEP exam consists of 150 items. Candidates have up to 3 hours to complete each concentration exam.
A CISSP certification lasts 3 years; to recertify, you must either take 120 hours of continuing education during the interim or retake the exam; see isc2cgi-bincontent.cgi?page=43 or isc2cgi-bincontent.cgi?category=24 for more information.
About the SSCP Program
Obtaining an SSCP also means passing one exam. The number of questions is half that for the CISSP: 125 questions, with up to 3 hours to complete it. The SSCP is an entry-level security certification that identifies individuals who can integrate day-to-day security activities into full-time jobs as system or network administrators. Although the descriptions for all seven of the knowledge domains for the SSCP match those for the CISSP, an SSCP candidate's knowledge need not be as deep or intimate as a CISSP candidate's.
The seven information domains for the SSCP are as follows:
The SSCP exam is relatively easy when compared to the CISSP exam, but it's no pushover. That's why we urge you to obtain and review the online SSCP Study Guide—especially the reference materials—cited earlier in this article. Although the course covers all 10 CBK domains (and the SSCP covers only 7 of those 10), you might want to investigate an authorized CBK Review Seminar to help you prepare for this exam.
Like the CISSP, the SSCP certification lasts for three years. You can recertify by taking 60 hours of continuing education during the interim or by retaking the CISSP exam; see