Friends I am trying to relate the study portions through my journey of CISSP..Be aware that its a very lengthy post.
I have completed my MCSE in 1998 and i've started my career as a faculty on teaching MCSE. After that I took my CCNA and CCNP in 2000 and started teaching that too. After switching career to the real coporate network world, i've never bothered to take any certifications mainly for 2-3 reasons.
1. I thought I know how the certification works - Successfully done a crypto analysis on its questions pattern. (Poor IV on WEP)
2. Those who already cracked the code started publishing and legally selling their code called as brain dumps. So reading dumps and writing the exam was like a dumb terminal job. (RARP + Bootp)
3. Certification was only a gateway to get a professional job - It's like an L2TP tunnel to reach to an unfamiliar destination.
During my tenure as a network eng , I heard this monstrous name called CISSP in 2004 from one of my Seniors but after seeing the size of the book, I haven't even bothered to have another glance on it for 2-3 reaons.
1. It's length was too much for me (no chance for a bruteforce )
2. And it was looking like a very complex algorithm of domains that I haven't even thought was related to IT such as legal, business, Fire suppression etc..(Looks like an Asymmetric algorithm for me )
3. Senior told me that he is trying to pass this test but its tough because of no dumps and the question pattern is so different ( no chance for a frequency analysis )
Alrite, now let us move on to year 2016..
The time flies too fast huh ? - yes, it seems the time is using a hardware oriented symmetric stream cipher ?
One of my younger colleague achieved CISSP and he told me that I too should try that.. and in a short time, I came to know another news too that my organisation is planning for a merge. I could immediately sense the danger of being obsolete and I started to think of this beast CISSP, as a personal DRP plan. I started gathering all the details about the course, gathered all the materials to start my study, i think i've done a due diligence here. Yes i created a scope and initiated a study plan. But i also needed to do my BIA, a pure cost benefit analysis by doing the quantitative and qualitative analysis about the future of CISSP and i am ready with a plan for 6 months dedicated study.
Next part was to get my management approval, yes it was none other than my family, my younger daughter who always wanted a story at night had to endorse my plan. I had to build a business case here in her language (I had to convince her in her business language that it would be tough to buy ice-creams and the Cinderella dress for her Kindergarten graduation if I don't sit for the study and pass the exam ). Yes now the management got convinced and endorsed my plan. I started the full fledged study (Due care) from December 29th. The real development starts here ( Studying hard/Software coding + Unit testing of each individual chapters, code reviews/ reviewing the notes..etc )
Boring huh ? OK, let us move on to June 23rd..a week before the exam, the certification. July 1st was my plan for the certification.
Coding done from the developer side, now its testing phase. I had to do an interface testing ..Why ? I have developed a product of knowledge for the last six months, now I need to check whether it would work only in modules or in combination with other parameters such as patience to sit for 6 hours in-front of the PC, mental stress and other physical issues etc. I have done 2-3 tests as an integration test. Though the results were not very positive but the tests helped me to identify the issues. (Vulnerability analysis and a Pentest done).
Based on this result, two things I have done here. Postpone the exam to 2 more days (a compensatory control, I cant prevent so just a delaying mechanism). Listed out and gone-through the weak portions once again, added additional time for viewing some related videos etc. Now i had to do the regression testing since there is change on the product.
Yes, done the tests again. Better than the previous results. Getting close to 80% for all the tests. But I know most of these practice exams are direct technical questions and the real exam would be different. Do you know why it is ? It's easy for test banks to prepare the direct technical questions rather than logical intelligent questions. They can prepare 20 technical questions while spending time for 1 logical question. So I have prepared a list of portions more to refer before the exam.
This was during the Eid holidays in Qatar and there was 9 official holidays for us. I could very effectively use this time and i slept only 2-3 hours per day by staying until 11.30 pm in the night and getting up at 2.30 in the morning. I was using the best ever technique called "power nap". Those who are having trouble with the time, i highly suggest power nap..! But before going to the exam, I've realized one thing that i wasn't able to cover the listed weak areas, weak portions etc..I could do only the Risk acceptance here since it was not worth to postpone once again due to the cost benefit analysis. But there is a catch here, i used the qualitative analysis here rather than the quantitative. I was concerned about my reputation damage since I've already told every single person in the earth that I will be certified on this date :)
The final exam date..July 3rd
Final night before the exam, I've planned to sleep from 10 PM until 5.30 AM in the morning since my test is scheduled at 8.30 AM and I need to start driving at least by 6.30 since the center is 100 Km away from my place. I started for an 8 hour sleep but, but I've automatically woke up at 2.30 AM and i cant sleep again..!!! I got panicked since I read that many are failing due to fatigue..I should've done my due diligence here on knowing that there is a physical/psychological habitual factor of humans that they need no alarms to get up on a specific time, if they've practiced it before..Anyway i couldn't do much on this rather than reading all the notes once again.
Reached the exam center, examiner took my palm scan, asked me to do the signature bio. I could remember that the signature dynamic machine was capturing my signature as electrical signals and at the same time, another electrical signal was going through me, heart beat was reaching to a threshold. Started the exam. I realized one thing while the exam progressing, it's getting a bit tougher, toughest, toughestoreousnotorious medical condition. I am notorious to my patience, all the practice tests were done in 3 hours time..but here I've become paralyzed..i cant move to next question. I am spending too much time on questions, more than 2 minutes on one question..Done the damage control by started selecting the best ones and marked it for review. I know I should and I would pass the exam but some how I am unable to justify that confidence with my answers. It looks like I am suddenly disconnected to the whole world..!. I've planned to fight until my intelligence got attenuated and to affect the integrity on my real sense.
Yes, finally I've completed all the 250 questions in 5.30 Hours time. Took another 28 minutes to review the remain ones..oh no..i couldn't completely reviewing all the questions that I marked..you know why ? I've marked too many questions for review..Now you know the damage on classifying everything as important..yea ?
Done at 5 Hrs 58 Minutes..Examiner had given me the key to collect my items which is not at all an important thing..the most precious thing for me is the very normal boring thing for them. No connection on feeling, no coupling at all :). He just took the paper from the printer to me saying Congratulations..! Yes that's it..!
Act as a good anti-malware software or an Inference engine..Why ? Because the answers are looking very beautiful and similar . But on a second look, you would realize that they are poly-instantiated or like a polymorphic virus, mother of one but not twins..each child are having some minor differences..tough time for you to pick the best one.. Here comes the knowledge engine..you can use your inference technique to deduce the best answer..!
I started with Shon Harri's AIO. It was not at all moving, but I tried to read much as possible.
I have joined this group by that time and I personally attended couple of sessions of Luke's wonderful presentations.
Luke Ahmed advised me to refer the Sybex too..and I completely loved it..since it's divided into 21 chapters rather than 8 big chapters..It was giving me confidence to end chapters quickly rather than diverting me from study.
I have attended a 3 day training on CEH from Manoj KV..It helped to know much about SDLC and attack techniques.
Ahmed Khatib 's Telegram group and my buddies there,instrumental support with questions, discussions etc..
Shon's MP3 - Amazing material, Listened every bit of it during my office to home driving sessions..
Test engines- CCCure, ISC Official tests, Total Tester from Shon's book.
Thanks again for the support and your patience to read this much..and wish you good luck for your exams..!