(Pending endorsement)
Hi all CISSP lovers,
I joined this group a long time ago because I found it a very great initiative and wanted to participate, but I was not very active because I was very busy studying … CISSP. But every time I went on Facebook I saw the group posts and that reminded me not to forget to move on with it and I silently answered to all questions in my head. This Facebook group is an amazing initiative!
Great job Luke Ahmed.
I successfully passed the CISSP exam yesterday, on first attempt, but after a long journey of two years! Never too late, right :-).Now is the time for me to share my experience and help others whenever possible.
So, let’s begin with telling how things happened for me.
Why it took me two years is not so important, life events are that way that you have to change priorities sometimes. What is important is where I struggled and how I overcame it in my case.
When I began in June 2015 I did a 5 days CISSP Bootcamp from (ISC)2, then I gathered all possible stuff, Shon Harris, CISSP CBK, Sybex books, Syngress books, video links (Cybrary, Lynda, Shon, …), …
Then I began to read the books and encountered two first big problems: first, English is not my native language and a lot of words I had never heard about, second a lot of concepts mixed all the way with Frameworks, Ethics, Laws, Risk, Vulnerabilities, Threats, Cryptography, Networking, … When I was at page 100 I didn’t remember what I had read on page 1. At 53 years your memory is not so good anymore as at 20 . I went completely overwhelmed and discouraged, totally confused with too much information.
CISSP is a very TOP-DOWN philosophy but I was not ready for that because too much spoiled with a lot of technical stuff and words (How the hell can you remember what dumpster diving is if you don’t know the word dumpster, nor the word diving! Or the funny Piggybacking word, I know Miss Piggy from the Muppet Show but, for God’s Sake, what was she doing here? ).
So, I decided to study DOWN-UP and remember things by REPETITION. I turned myself to the COMPTIA Security+ and (ISC)2 CCSP (Books, Cybrary and Lynda videos, Wikipedia, ..) and by reading and listening again and again all basic concepts (Networking, Cryptography, Attacks, Vulnerabilities, Access Controls, …) they became obvious. Only English and all basic technical stuff.
When I felt some tired after a day work, I just looked at videos or readings in a passive mode, when I felt in great strength I focused on understanding more complex stuff like Kerberos, DES modes, Digital Signatures, PKI, Digital Signatures and HTTPS TLS way of working. Different videos, different readings, again and again, and it all became some kind of “automatic”.
Although, I kept it simple (1 inch deep) and I did not even try to study the complete Mathematical Elliptic Curve associated with Discrete Logarithms theory for Diffie-Hellman Cryptographic Key Exchange, objective was not to get a big nervous breakdown!
Now all those basic principles did not spoil my mind anymore, they became Natural. But the thing is that even with all that technical and new English knowledge, I was still unable to answer CISSP Kind of questions like the following one (this is a complete fictive question, not a CISSP question at all):
Question: Your Server seems to be under attack and you are very tired, what is BEST to do:
- Go for some sleep and come back later to reboot the Server - Advice your Manager and go for a walk to buy some chocolate - Eat a chocolate bar to gain some energy, then reboot the server - Disconnect the Server from Network and go for a Walk taking fresh air and eating some chocolate, then call your Manager.
There is no one good answer in there, right? So what is the BEST answer? How the hell do I know what is the BEST? The best for me is to sleep when I am tired, right? And no matter if I am tired or not when a Server is under attack, something right has to be done. But rebooting the server is not right because if you do that you will not be able to do Forensics (another great word for CISSP to learn) afterwards. So, you can eliminate solutions 1 and 3. So I can do solutions 2 or 4. Buy some chocolate, kidding me? Well, Advice the Manager is a good thing, this could be a BEST solution even if the chocolate stuff has nothing to do here. But let’s take a look at solution 4. That’s the longest answer with a lot of not related stuff but it is the BEST answer: analyse, then contain, then Manage the problem is a good thing to do. If you need some fresh air and chocolate while doing this, ok for me, keeping calm facing a problem is important too.
So, what could help me manage a problem when I am facing situations with a lot of good and bad solutions, what is the BEST, the MOST, the LEAST, PRIMARY, ULTIMATELY, IN WHICH PHASE OF, …? Help, I needed help again because there are a lot of CISSP questions with those words out there!
Well, Frameworks, Policies, Standards, Procedures, Guidelines, Baselines, Methods, Forensics, Best Practices, Change Management, Configuration Management, XYZ Management … With Always the objective to maintain CONFIDENTIALITY, INTEGRITY and AVAILABILITY for the Business (All about not losing money and of course not losing human lives). And MANAGEMENT, don’t forget the Managers, they are paid well to assume the greatest challenges and ULTIMATELY take the Responsibilities, aren’t they?
Nevertheless, I was not ready for this real CISSP Core philosophy and decided to dig that way…
In my readings I saw a lot of time the words NIST, ISO2007, ITIL, and others I had never heard about (Zachmann Framework, really? ). While reading I went stuck again, too much information kills the Information.
Again, I decided to go to the bottom again. I dug into videos and readings about ISO27001/27002/27003/27004 and 27005. Then the same for ITIL, COBIT, NIST, and ITIL. A lot of good Videos and readings about those on the Web.
What did I learn? Well it seems that there is some common point on all frameworks and that is PLAN-DO-CHECK-ACT (or PLAN-DO-CHECK-ADJUST, which for my point of view is less confusing).
Have some readings about PDCA on Wikipedia because that’s basically how much Frameworks work and how the CISSP guys think when they create some of their questions about Frameworks . You’ll see in the article about PDCA on Wikipedia, the “See also” section at the bottom: Cobit, Six Sigma, Software Development Process, …. Hey, now I understood the global philosophy, let’s dig a bit further.
There are also some other points coming back a lot: human life is the most important, Ethics (!!!) is not an ideal but the most important thing also, Managers are always ULTIMATELY responsible, Data owners are PRIMARILY Responsible for Data Classification, Data Custodians are PRIMARILY Responsible for IMPLEMENTING that classification, and yes, USERS are a weak point, but not their fault if you don’t make them AWARE of the dangers.
Do not Confuse TRAINING for doing their job with AWARENESS “Training”. Write those kind of things down when you read them, they are highly important. For example if there is the word RESPONSIBLE for DOING the backup in a question, it’s the Custodian, when speaking about the ULTIMATE responsibility of the backups it’s the Management (Data Owner is generally a Manager).
See my point?
Forget everything you know about the real world (in my company they don’t even know what Change Management is, joking but that’s often the reality on the field). In your study construct the ideal company, with the ideal Managers, with the ideal people and functions at the right place, with all the ideal frameworks and the ideal Development methods, and so on…
When I began my journey I thought that the best way to deal with an attack on a Server was to reboot it in order to remove the virus from memory and immediately run anti-malware to clean things. That’s the world on the field, right?
In CISPP world you have to verify if it is really an attack, isolate the Server from network to contain the problem if there really is one (don’t break business if not necessary), then action the Crisis Management Team, then do an image of the Server (bit by bit), make a Hash of the original and a Hash of the copy to prove they are the same, analyse Memory and cache and other things, work only on the copy of the hard disk, mark the hard disk and seal it, document who handled the disk and where it was stored in a safe place to prove nobody modified it, then present all that to the judge.
Simply said: Chain of Custody (another strange beast I didn’t heard of before).
Did you ever did that? I didn’t, but that’s not a reason to accept that it should have been done that way in an ideal world. And that’s the way you will have to think at the exam.
Be also aware that the Software Development Domain is not easy but VERY Important. Listen to the news on all Data breaches, lack of patching, lack of input validation (XSS, Injections, Spaghetti code, …) Have some readings on OWASP site (owasp.org), very instructive and a lot of pretty tools to practice hacking there.
Let’s continue the journey. Now digging some deeper in all Frameworks, Development methodologies, Risk Management. Not so easy but take one each time you are full of energy.
Again, do not try to remember formulas such as ALE = SLE * ARO (I did in the beginning but forgot after 2 weeks), if you understand why an Annual Loss is the Single Loss multiplied by the times it happens in one year, the formula becomes obvious.
One more point of interest and not least: Cloud and Vendor Management (SLAs, Dangers, …).
Have a look there:
cloudsecurityalliance.org on the Notorious Cloud computing Top Threats.
I can tell without violating the NDA I signed that 70% of the questions where in my weakest domains, but I could answer the questions, not with only knowledge but applying the way of thinking of CISSP. Think like a CISSP and you will become a CISSP.
Three days before the exam I still was thinking I didn’t know enough to succeed because I felt that I didn’t understood principles anymore though I understood them very well a week before, that’s when panic tries to trick you . So, I took the two next days with only reading the Quick tips at the end of chapters of different books.
The day before the exam I stopped reading and thinking about CISSP until the next morning 9:00 at the exam. Even before the Exam I didn’t read anything about CISSP, went to a coffee bar and got some great warm “croissants”, just thinking about how nice life can be. Don’t stress the day before exam and don’t get up in the middle of the night to read some more, it’s pointless and to late. Get at the exam with full resources and a happy and positive mind.
The point is that if you succeed it’s great but If you don’t, well, you have tried, a lot of people didn’t even try, right? The exam is not cheap, so you have of course to do also some cost/benefit Assessment, sure .
Now some practical stuff on the exam.
The questions are written in very difficult English (for me in any case) and so are also the responses sometimes, and 1:30 minutes per question is not much while the clock is ticking… So practice the fully understanding of the concepts that are expressed behind. It never takes a long time to read the questions, meaning they are never very long, but underline each important word and put the concept out of it. Some scenarios are a bit longer to read, in that case read the response first, then you will see that in the scenario of ten lines only two lines are of importance, the remaining being only garbage to make it look as a nice story (but no time to read nice stories, go straight to the point) .
Practically I did 50 questions per hour and a 10 minutes break every 75 questions, the whole took less than 5 hours. The 50 last questions where horrible because I was tired and some stress coming with reaching the end. That’s the point where you think you have failed and just want to click everywhere to finish this misery. Don’t, take one more break and a full breath, then focus again, only 1 our left, you’ll do it! Time Management is important. I had also some “No Smoking Management” to deal with, so water and chocolate to compensate during breaks helped .
Another tip: when you will study the Development Domain you will encounter the “SPIRAL Iterative method”. Applied it to the exam with doing a first round on the 250 questions for questions and responses you are sure about and mark the other ones for review. Then do a second round with the more though questions (do not review the already done ones, only the marked ones). Finally do a third round with questions you even don’t understand (I had some) and respond with your best feeling or just pick one (never leave unanswered questions, you have one chance on 4 to be right). As you may know there are 25 “sample” questions in there and maybe those questions are absolutely not understandable (they are in testing phase). That’s a bit Exam Strategy but it’s fair play.
When you receive the paper with “Congratulations …” you feel very very good, believe me.
That’s it, a great adventure with a happy end for me. I hope my story was not to boring and will help you a bit see the big picture.
Very important: I did this in two years but that was my choice and because I am a bit lazy, it’s absolutely possible to achieve this in a few months, depending on each way of learning and time available. Not to mention family life and full support of them. I had that chance having a wife and three great boys supporting and encouraging me, even if they were thinking something like “why is he doing himself such a pain?” .
I received a lot of help of lot of people (think about those women and men posting great video’s for free, work groups like this one, ….).
Now my next objective is to help others also, for the safety and welfare of society and the common good, duty to our principles, and to each other.
Remember having read this somewhere? (ISC)2 Ethics !
I wish you all success if you intend to do your journey to the CISSP!
-Sven