Recent CISSP Feedback

Mary Pat Esposito, a former student, recently passed the CISSP, and had this to say:

“I took the test yesterday and passed! 😉


Here’s the advice that helped me the most…

  • [Ben’s] “footstomps” helped filter the minutiae out of the study guide. No RAID questions. Phew!

  • Kelly [Handerhan]’s video. The link was provided in the chat. She recommended selecting responses from a management perspective not a practitioner perspective.

  • Read the responses backward, forward, read the question over and over. You can’t go back, so be sure you’ve taken the time to understand the question and the options.”

Great info, Mary Pat— thanks! Congrats to you, and good luck to everyone taking the exam soon.

It IS Possible To Pass The CCSP With Only 10 Days of Preparation

One of my recent students shared their study/exam experience with me. I think it demonstrates some excellent insight:

“After sleeping on it, I wanted to give you some feedback after preparing for the test almost exclusively with materials written by you and/or delivered by you. First, thank you for putting these materials together, I wouldn't have been able to pass without them. I don't know how you could create material that would adequately prepare someone for that test. I got an 81 on the last "fresh" practice test I took, the second one in your example test book. The real exam was MUCH harder than any of the practice tests in any of your books. I felt I was pretty hosed after getting 5 questions into the real test, but stuck through it and was re-checking and changing answers right up until the very end. I feel like the preparation got me the right answer to about 1/2 of the questions, good test taking skills eliminated around 1/2 of the remaining wrong answers, and serious logical deduction got me over the edge.


Some examples would include:

The questions would not have been satisfied by just knowing what HIPAA is, but by knowing what a HIPAA BAA was and used for.

It wasn't just about what PCI-DSS was, but about how their rules affected security practitioners as detailed here https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

Not only what a TPM is, but how it is utilized and appropriate use cases.


Despite all of this, technically it is possible to pass the exam while only getting 45/125 questions correct. There were at least 3 questions where the correct answer was given elsewhere in the exam, or could be deduced from different questions. Test-taking skills, such as "if two options are the same, you can eliminate both of them," were indispensable. What it boils down to is that if you go into the exam only knowing 1/2 of the answers (around 1/2 of my answers were flagged after the first go round), find 2 or 3 answers elsewhere in the exam, and eliminate about 1/2 of the answer options in the remaining questions, you'll wind up with more than a passing score.


Thanks again for all your help.”


That student also followed up with:

“Here is some more material you are free to use.

How I passed the CCSP in 10 days and study plan.

Friday: Was offered a chance to fill in for someone who had to bail on the CCSP crash course.

Sunday: Received CCSP ISC2 Study Guide.

Sunday-Thursday: study/read/took 1 chapter practice test in morning and 1 in evening… about 2 hours a day.

Friday: Re-read/re-took the practice tests for the sections I struggled with. I found that I had gotten 85-95 on every chapter except chapters 7 and 11. Generally skimmed over materials again. Honestly I did this while waiting in line at an amusement park. Rides make great study breaks and ride lines make a good place to study.

Saturday-Sunday: ISC2 CCSP crash course.

Sunday: picked up official CCSP guide to the CCSP CBK at ISC2 book store. Re-read the sections I was struggling with (legal compliance). Took 1 of the official ISC2 practice tests while at airport/flying home… got an 81. Watched a couple 5 minute or shorter youtube videos on concepts I was weak on (REST vs SOAP)

Monday: Went to work, left early, studied outside test center for 2 hours… practiced my brain dump. They give you a grease pen and paper at the test center so you want to write down your [mnemonic] memory aids if you have any. Took the entire time. I flagged around ½ my questions on my first pass so I was not super confident, but after some serious thinking got it down to where I thought I passed. I think it is important to brush up on good test taking skills before taking something like this, and I think that tips like, “if 2 answers are essentially the same, they are both wrong” got me through. I have no idea how I really did, but I did pass. All in all it was an honest 30-40 hours of study and real application to pass.”

WOW— I am stunned and impressed by this accomplishment. I do NOT recommend that anyone try to cram for the test with such a limited timeframe…but it is evidently possible to pull off.

Tales From The Field

And now, the first installment of a feature I’m calling Tales From The Field, about INFOSEC practitioners on the job. This one comes from friend and colleague Matt Snoddy (https://www.linkedin.com/in/mattsnoddy/).

“The Bourbon Story

A few years back, my partner in our computer forensics company got a call from an attorney. It was a new case involving the Kentucky Distiller’s Association (KDA), which is the big governing body over the whisky distilleries that dot Kentucky’s landscape. The KDA has been around for a very long time, long before the current renaissance of bourbon, before computers, and even before Prohibition. Their offices reek of history, tobacco, leather and oak.

KDA needed some computer hard drives forensically imaged for the case, which is right up our alley. The imaging had to happen on-site at their office in Frankfort, so we packed up our gear in Lexington, made the half-hour drive up I-64, and arrived early for what was going to be a long day.

We arrived, took over their conference room, and settled in with extension cords running everywhere, notes taped to drives, and laptops whirring.

The KDA has a pretty straightforward office décor: If there’s a wall, put a picture of bourbon on it, and if there’s a flat surface, put a bottle of bourbon on it. A simple stroll from the front door to the conference room introduces the eyes to a feast of hundreds of bottles of bourbon, old and new, rare and common, all glorious. Surprisingly (or perhaps not), many bottles had been opened and sampled.

As we went through our day, things were running on target to be wrapped up about when they closed. About 3 PM, several of the staffers filtered into the conference room and heartily announced, “Happy hour!” and asked what I was drinking.

As a businessman and a polite Kentuckian of average breeding, of course, I accepted the three fingers of Woodford Reserve Rye neat that they poured me. It would be a social faux-pas to decline such hospitality.

After drinks all around and as hard drive imaging wrapped up, one of the staffers told me to make sure I took something from the goodie-closet before I left.

I asked what the goodie-closet was.

I was walked up a short hallway off the conference room to a full size kitchen pantry. She opened the door for me and inside, floor to ceiling, across shelves and shelves as far as the eye could see, was all manner of bourbon, probably a thousand bottles, some sealed in shipping boxes, some just freestanding like you’d find in a high end liquor store, waiting to be gifted to visitors. “All the distilleries send us several cases each year,” she explained. “We keep some of it and give the rest away.”

Well, with that kind of invitation, I carefully looked at all the shelves, looking for the wild unicorn of bourbon, Pappy Van Winkle.

“I don’t see any Pappy in here,” I joked.

“Oh, no, we’ll never have Pappy. This is the Distiller’s Association. Pappy is just a label. They put Buffalo Trace that comes from a certain corner of a warehouse in a certain bottle and call it Pappy. If you want some Buffalo, we have a couple of cases over there,” she helpfully pointed out. “But we’ll never have Pappy, unless they start distilling their own stuff again,” she gleefully explained, effectively thumbing her nose at all the new-money bourbon crazies.

“Ah! Well that explains that,” I said, as I reached for a bottle of Elijah Craig 23-year. “Thanks for the bourbon!”

I packed up my things and headed back to Lexington, new bottle of bourbon in tow, and hoping for another crack at their goodie-closet when and if they call again.

The Elijah Craig didn’t make it past the weekend, if my memory serves...”

--Matthew

Matthew Snoddy

Ditch One To Get The Other

In the INFOSEC realm, we often discuss the CIA Triad: Confidentiality, Integrity, and Availability; this is the basis and end goal of information security efforts.

It occurred to me the other day that we could get rid of one of the legs of the Triad in order to perfect another.

Without Confidentiality, we could have perfect Integrity.

If I gave up all privacy, I could be protected from all fraud. If I were to livestream my entire life, it wouldn’t matter that you could see my credit card number, my PIN, and whatever other credentials or authentication techniques I used; you could not use my payment methods to make unauthorized purchases, because my bank would be able to confirm whether or not I, myself, had conducted those transactions, by watching the same livestream you took my payment info from.

In fact, we could (theoretically) do away with all systems-based payment methods, and revert to an older, historical model: trust-based methods. I wouldn’t need a credit card (or even a credit card number)— I could just say, “I agree to pay you X amount,” and that would suffice for my bank to pay you that amount. Not too long ago (150 years back or so), this was very close to how money and debts were conveyed: I would write a note to you, and sign it, as an instrument of payment or promise; you could present this to my bank for payment, or transfer it to someone else who was willing to purchase it (perhaps your own bank, or another person) on the assumption that they, themselves, could collect it from my bank.

Manual confirmation (a bank teller watching my livestream to confirm I’d promised payment) would be time-intensive at the moment…but I get the feeling this could be automated very quickly.

This idea intrigues me.

CCSP How-To: A Legit Cheat-Sheet

A recent CCSP test-taker posted a blog entry (and made a related Reddit post) about their own experience in studying for/taking the exam…it is incredibly detailed and thorough, and reads very well. When I teach test-prep classes, I try to convey a list of “foot-stompers”: those elements of the material that are crucial and which candidates should really drill down on for the exam…this blog entry seems like a perfect list of foot-stompers to me. Enjoy!

“Preparation Guide for ISC2 Certified Cloud Security Professional (CCSP) Certification” by Stanislas Quastana

https://stanislas.io/2018/07/12/preparation-guide-for-isc2-certified-cloud-security-professional-ccsp-certification/

CCSP Feedback From Today

Got this from a former student today:

“I certainly don't want to scare anyone who hasn't taken it yet but I thought it was fairly difficult. More so than the CISSP in my opinion. Some of the questions seemed pretty out of left field based on the material we studied. And I think as we all know, the wording and phrasing of the question is super key so you have to pay very close attention to that or you'll get tripped up. Can't emphasize that enough. 180min duration and I wrapped with 7mins left but that was after I went through and reviewed EVERY answer a second time and some three times.”

Good to know.

Bank Shot

My primary bank has recently instituted a requirement for repeat-factor identification during online transactions (not multifactor; it’s just double entry of the same single factor, which catches a typo but proves nothing that someone who already holds that factor could not also prove). It’s an annoying interruption to the process, albeit a fairly small one. There is a convenience cost for any amount of security.

I’ve said it before, though: this is not to protect me and my money; this is to protect the bank and the bank’s money. I am protected (because I live in the US, which is also where my bank is) by federal law, which limits my liability for fraudulent charges. The bank, however, is on the hook to pay for anyone using my account in an unauthorized way. So the bank wants to protect itself.

By complicating my transaction.

CISSP Study Tips

A former student recently checked in and shared this. A darned good read.

“For some quick background, when we had our class I had been working in IT for about 15 years as a sort of jack of all trades at almost every level between help desk and IT Director. Every position I've held included some aspect or consideration of security so I had a decent background coming into the class and had already been studying the Pluralsight and Cybrary CISSP courses.

After the class, I was very intimidated by what I felt was my lack of depth of knowledge about some of the domains. I was so busy at work that I wasn't making time to study at first. Instead of dedicated study time, I had been studying ad-hoc on flights, in the evenings, on morning and evening commutes; basically, I tried to make CISSP my background noise. I think in the end this helped a little, but looking back, at the time it added to the anxiety since I wasn't spending dedicated time reviewing the material. My work slowed down a little in January around the time I needed to refresh my goals for our performance review process at work, so I took advantage of the opportunity to set a goal to study for 4 hours each week, take at least two practice tests per week, and sit for the exam by the end of June thinking it was far enough out.

Setting up the goal to have dedicated study time and take practice tests made a huge difference for me. I realized that I knew a lot more of the content than I thought and taking the practice exams (I started with the questions in the books and then later caved and bought the Boson ExamSim so I could get through more questions) helped me gauge more accurately what I needed to work on. Around March, I was still sticking with my study schedule and had even shifted the time around to take a practice exam each morning before work so I could note anything I wasn't familiar with and look it up during those few minutes of down time between tasks during the day. Anything I didn't recognize or any questions I got wrong I would jot down, and I would go through the items I was interested in during the day. A key piece of advice I received: Don't carry a running list for stuff like that beyond one day, if you don't get to everything by the end of the day just scrap it and start again the next day. It helped relieve a lot of the stress I had in trying to cover everything before moving on.

Another concept that played into my approach a lot was absorptive capacity. I think it's applied more commonly to organizations than people, but basically: the more knowledge you have, the more effective you are at integrating new knowledge. Or, the more you already know, the better you are at learning new things. I figured out that I need to be able to contextualize a concept to really understand it, so when I was trying to learn a new concept or term I tried to find resources that related the term back to something I was already comfortable with. For example, when learning more about the different encryption ciphers, I had to get down to the fundamentals first since so much of that content is specific to encryption. But once I was able to contextualize and visualize the basic concepts the rest of it just became different variations and combinations of those base concepts. To help remember those variations, it helped me to look at the situations in which those ciphers and combinations of protocols would be most effective or optimized for a specific situation (encrypting data for transfer vs. storage, encrypting for strength vs. performance, etc.). That was more beneficial for me than rote memorization. Since I work as a consultant, I was able to put some of those concepts into play at work, which helped me further solidify the knowledge.

One of my friends was ribbing me about not having even taken the exam yet since so many of our colleagues had already passed, so on a whim I scheduled an exam for a few days later on May 11. I sat for the exam, was convinced as I was taking the exam that I did not know the content well enough, and was convinced when, immediately after question 100 when the screen told me I was done and I needed to go see the proctor to get my print out, that I had failed so badly that the system wasn't even going to let me try the last 50 questions. I walked to the proctor convinced I had wasted $699 and beating myself up for stressing so much about time that I rushed through the first 100 questions in about 55 minutes. I was resigned to going home, taking a break from studying for the weekend, then starting again with practice tests and Pluralsight videos on Monday. But I passed. The proctor handed me the print out saying I had provisionally passed the exam and that I would receive an email when they confirmed I had passed. Awesome! Cue awkward, involuntary smile.

After the fact, I remembered not being worried about failing going into the exam because I knew I had been putting in the time and effort and my manager and the people in my support system knew I had been putting in the time and effort. I wasn't confident that I would pass, but I was confident that I had prepared and would be able to adapt my approach if I needed to retake the exam. I was taking the adaptive exam, so I expected it to be more difficult and that I would need all 150 questions to pass. In my head this meant that I would likely need to take more time on later questions since I figured I would get questions on domains I had not done well on earlier, so I tried to push through the first 100 questions quickly and if I wasn't confident in a question I made a best guess and moved on without waiting. Since I was expecting to need the additional questions and time, when I hit question 100 just before the hour mark I felt pretty good that I would be able to take my time on the last 50 questions. When the exam told me I was done, it was a huge surprise and such a big turn against my expectations that I was convinced I had failed. Ultimately, going into the exam confident that I had put in good time and effort on an effective study plan and being confident in my strategy helped a lot. I know I have a tendency to over-analyze, so relying on my ability to understand the intent of the questions without allowing myself to over-analyze every aspect was an inadvertent but important effect of my strategy for taking the exam.


Last thing: treat the endorsement process seriously and expect it to take a long time. After waiting for 6+ weeks, they let me know that I had not entered enough information to show 60+ cumulative months in at least two of the domains so my first endorsement application was declined. They're re-reviewing now and I submitted more information going all the way back to 2003, so hopefully there are no issues this time. I'm still getting some of the jokes from my group since I'm technically not a CISSP yet, so not doing the endorsement application correctly the first time led to a facepalm on my part.

Lessons learned for me:
1. Using the study material as background noise can help as long as it doesn't add to the anxiety about the volume of content.
2. A dedicated study plan focused on the process of studying effectively - not focused on passing the exam - worked best for me.
3. Practice exams exposed me to concepts, terms, and perspectives that helped me to build context around content I wasn't fully familiar with.
4. Using a variety of sources (our class, the (ISC)2 books, the Sybex books, the Pluralsight courses, the Cybrary courses, and the various practice exams) gave me different angles for the content, which helped me build context around some topics I struggled with.
5. It's important to have confidence going into the exam as long as that confidence is the result of following through on a good study program and a strategy for the exam that emphasizes your strengths and helps compensate for your weaknesses.
6. Support from the people around me allowed me to integrate studying into my daily routine so that my time studying could be dedicated and effective.”

Casting Shadows

I once worked in a corporate environment where I was told I could not install an open-source, free browser on the company-owned PC that sat on my desk. When I asked why, I was told, “We don’t want to support multiple browsers in our environment, so we chose [popular proprietary brand], and that’s what we’re going with.”

At the time, both were equivalent in terms of vulnerabilities, and the open-source browser had more functionality. I asked, “Well, what if you don’t support it, and I won’t complain if I ever have a productivity problem. In fact, if there’s anything that doesn’t work right with my open-source browser, I’ll just switch over to the corporate browser, and use that for the specific task.”

Nope. Corporate was dead-set against using this software.

But I wasn’t the only one who seemed to have this urge-- someone had made a version of the browser that runs from a flashstick. I never even bothered unplugging the flashstick. I was willingly violating corporate policy in order to enhance my productivity.

You want shadow IT? Because this is how you get shadow IT.

Paper Tiger

Why are newspapers somehow immune from littering laws? My local paper throws “free” samples on my lawn occasionally. If the publishers of advertising circulars did that with their content, they’d be run out of town on a rail. If online providers did that to my machine, it would be considered malware. In the US, our press freedoms allow anyone to publish just about anything they want; they do not give anyone license to forcibly distribute that content to others.

I guess what I’m saying is, literally: get off my lawn.

More CISSP Feedback

A former student offers this insight:

“I just took the test this afternoon. Ended up with 101 questions, in just under 95 minutes, and I passed (unless they decide they need to do "psychometric" (lie detector?) or "forensic" evaluation). At that speed, even if I had gotten the maximum number of questions I would have been O.K. -- from what I've seen, many people report finishing with time to spare, so I would recommend not rushing.

My experience was: Lots of "BEST" and "MOST" questions. Definitely not a test to take just based on knowing facts by rote. I did guess on some answers, but only when I could eliminate some of the responses: and I found that often at least one response would not make sense. I also tried to follow advice I saw to "read the question, read the answers, and then read the question again", since during practice tests I often picked the opposite of the answer I knew to be right.

I studied from the Chapple book, and the (ISC)2 flash cards, and by taking lots of tests. For tests I had the companion book (which seemed closest to the real test), and CCCure tests (which too often revealed the answer in the question: but if taken with "Pro" mode and fill-in-the-blank answers was still useful (and gave easier statistics on which areas I needed further study in). It was important each time to go back and understand my wrong answers -- that's where about 1/3 of my learning happened.

A note on CCCure tests & fill in the blank: unless you type the exact phrase in, it will count it as wrong, so review the results before you decide how well you did.”

Great stuff!

Enhance Your Inner Luddite

So....I still run Win7. Mainly because I am a curmudgeon who refuses to evolve. A weird kind of nerd, I know-- not even a late adopter, I am a “maybe I’ll get around to adopting someday.” Luckily, I don’t feel the same way about dogs as I do tech.


Anyway, I often run into problems with the platform, and am stuck trying to puzzle out how to fix the thing by doing Web searches (as I am sure you do, too). I recently stumbled across this place, and it fixed one of my issues right up: www.sevenforums.com. Highly recommended.

CISSP Feedback

Got a detailed message from a former student I’d like to share…good insight for those studying the CISSP:

“I took your class last year (7/16-7/20), sat for the exam in late September, but did not pass. In that instance I know I incorrectly answered a drag-and-drop on controls and was surprised by the number of cloud questions. That said, I spent the rest of the year and this spring internalizing all the material using the following resources:


  • CISSP All-in-One Exam Guide, 7th Edition

  • Official (ISC)2 Guide to the CISSP CBK ((ISC)2 Press)

  • (ISC)2 CISSP Information Systems Security Professional Official Study Guide

  • CISSP Official (ISC)2 Practice Tests

  • How To Pass Your INFOSEC Certification Test: A Guide To Passing The CISSP, CISA, CISM, Network+, Security+, and CCSP

  • CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide


I read the (ISC)2 CISSP Information Systems Security Professional Official Study Guide, reviewed and read the CISSP All-in-One Exam Guide, 7th Edition, and took all the end-of-chapter tests as well as the CISSP Official (ISC)2 Practice Tests, and also read your book, How To Pass Your INFOSEC Certification Test: A Guide To Passing The CISSP, CISA, CISM, Network+, Security+, and CCSP. In addition to all of that, I spent some time studying the cloud security basics contained in the CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide and test questions.


I then sat and passed the exam on 4/30/2019. I was fed a completely different set of exam questions and again had quite a few cloud-based questions, which I felt prepared for after studying the CCSP material. It’s been a long road, the test always looks deceptively easy, and I am pleased to have provisionally passed. I must say the practice exam application that came with the Shon Harris book most closely represented the actual exam experience.”

Hope that helps— seems like useful stuff!

Traveling Time

We’ve all heard of the Butterfly Effect: one small action somewhere can be traced to larger effects somewhere else. The idea is that everything touches everything else, because we’re basically living in a soup of molecules (on the planet, anyway-- space is more like a thin broth, not because of an absence of stuff --there is, in fact, a lot of stuff in space-- but because that stuff is spread out over a very large volume). Molecules bump into each other all the time, causing reactions to those bumps.

Right now, we can reconstruct causes from their effects at a macro level-- after two cars collide, we can look at the smashed vehicles and determine which one struck the other, estimate the speed each was traveling, etc. But the ability to do that on the micro-micro-micro-micro level --the quantum level-- is only a matter of sufficient computing capacity. By capturing a model of what is happening right at this moment, it is possible to reach backwards into all the possible combinations of molecular and subatomic collisions, and tell what occurred prior, leading up to the moment.

Not time travel-- there’s no way to go back and modify what occurred. But close-to-perfect time vision. The ability to see everything that happened prior to right now. Everywhere.

The math is staggering. We’d have to account for every atom, worldwide. And there would be some variables, as space introduces externalities to the (not-closed) system-- dust and rock and energy are constantly bombarding the planet, in non-negligible amounts.

But once we nail the formula...nothing that ever happened before would be unobservable.

Forget the end of privacy-- that’s already underway. But the end of ignorance...the end of not knowing. The end of mystery. We will always know exactly what happened.

It won’t be predictive-- human beings are the reason; free will is the chaos in the soup. We add too much randomness to the formula, because we act from motivations other than instinct or reason.

But nothing that has already happened will be shrouded from anyone. We will all know what happened, everywhere, always. The applications and implications are vast-- the ways in which this will change how we behave, interact, and function are almost unimaginable and incalculable.

Almost.