How Marc Cracked His CISSP Exam
This journey was very long and grueling, might I add. I’d like to say that I’ve been working in IT since 2004. It was my career change in 2006 that amplified my experience in the career field. In 2011, I was sent to a CISSP boot camp; I didn’t think anything of it as I already had a CCNP, Sec+, Microsoft certs, etc. I failed the paper test at the time, of course, and I don’t recall my score. At this point I’d like to announce that just because you’re not reading a book or watching a video doesn’t mean you’re not studying for the certification. There is a reason why you need so many years of experience in the workforce to take this test. The idea behind the certification is being able to identify the concepts they explain in the book with real-world experience. Meaning, if you’re in an environment that has Mandatory Access Control, identify where you see it. Vice versa, if you have Discretionary Access Control in your environment, identify that as well. Continuing on, I had some family events going on that precluded me from picking up a book, though not picking up a book didn’t prevent me from receiving the information, because I was working in a Network Security position with many CISSP-certified engineers.
In 2013, my job moved to Europe, and in 2014 I was sent to another boot camp to try the test, but sadly failed with a 450. I don’t know what went wrong, or maybe my head wasn’t into it, but I was almost ready to give up. From 2014-2016 it was really hard for me to sit down and read the book non-stop. I had a lot of work going on, but this is where I am talking about the 75% of absorption from doing “Practice by doing”, which I will explain later. Around July 2016 I was finally able to sit down and non-stop hardcore read these books, learning all the concepts and then applying them to my daily life. This is where the Learning Pyramid comes into play. If you look at the Learning Pyramid you will notice that only 10% of what you read will be absorbed into your brain and 5% from a lecture, with audio visual and demonstration at 20% and 30% respectively. Everything you do, from reading a book to taking boot camps and listening to videos, is all passive learning material, and therefore, if you combine them all, you would only learn 65% of the material. From July-Nov 2016 I was in the process of moving to a new city and new job, but during that time I was studying like crazy.
In Nov I took the test a 3rd time and got a 670. I was determined not to give up and purchased any studying material I could get my hands on. I don’t recommend doing this, because I believe the Sybex book or anything that is an official certification book is a good resource to reference quickly. You’re not going to be able to read the entire book unless you’re an avid reader, so I’d recommend skimming through it and highlighting the important theories behind it.
The 11th hr book was really useful for attacking the important parts. Easy to read, so I highlighted the hell out of it. I signed up for my test a month out, and by then I’d gone through 5000+ CCCure, Transcender, and all of those books’ questions collectively, causing me to get burned out. About 3 weeks out, I stopped reading questions and started back with the Feynman technique mixed with Cornell notes. Everything that I highlighted in the 11th hr book I copied into the Cornell notes and read out loud, or enough to where I could understand it. Cybrary.it is a great resource that I started with. One week out I contacted Larry Greenblatt at InterNetwork Defense Cyber Kung Fu Training Program for CISSP. He had a 1-week online video boot camp that I had taken before in 2016 and a newer version for 2017 that I decided to do while I was copying the highlighted sections in the 11th hr book. Though his training is a lecture, he gives many examples of how you can implement “Practice by doing” using Star Trek, which is one of my favorite shows, might I add. The last two nights, be sure to get plenty of rest.
On the last night, I went through every single Sybex question in that book. I looked at the question, then immediately looked at the answer. I covered all 21 chapters in about 4 hrs with breaks, flipping back and forth question/answer. During the test, I was very nervous, and when I started answering the questions it was as if the answers were completely noticeable, like in the Sybex book. The answers popped out at me for no apparent reason. At times, I found myself in a scenario question where I skipped the scenario and started reading the question. I would guess the answer and then say, hmmm, let me read the scenario, only to realize the scenario was a useless distractor, but useful in the second part of the question. Sometimes only one sentence in the entire scenario. There was one question I received, regarding cryptography, where when I read the answer my mind screamed out the answer without hesitation and I clicked on it within a second of reading it. I froze and hesitated, reading the other answers, but my mind was screaming that it was the answer because it had heard it 1000 times. I flagged it and continued on, though I never got to review it. When I checked after the test, I was right on that question. There were many questions I quickly read where my mind knew the answer immediately based on many of the practice questions.
Your mind works in mysterious ways; if you mix all these study concepts you will fulfill all of the passive abilities your mind can handle, but that isn’t enough. When you go to work, try to implement it or talk about it in your daily work. Think of it as the Parent/Child “But Why” technique. Those of you that have kids will understand: a kid asks you a question and you answer them, they turn to you and ask “But Why” … you answer them again and they ask “But Why” (Audio visual 20%, Demonstration 30%, and Practice by doing 75%). What you don’t realize is, this is the best way for a child to learn, but also the best way for you to learn with “Teaching Others” (90%). This is why our teachers in school are so smart with what they teach, because their minds have to work day and night to provide this information. And the teachers that have students get involved with the material absorb it much faster than passively receiving an all-day lecture.
So, after you’ve studied a domain, go into work and apply it. For example, I am walking into the building using a badge. OH, that is physical access control. Well, who required that badging system to be there? Management… how? With a policy using Administrative/Physical control and using a proximity card as a standard. But why… and so on. Or my friend came to me today and wanted to create new software. OK, that is the SDLC, so let’s start. How about Federated identity? I came to a website today that uses OAuth. How did it get implemented? Well… If there was anything that I wanted an elaborate explanation on and it wasn’t covered in the book, I went to YouTube and used Audio Visual (20%), then I tried to think of how I use it in my daily life or work, Practice by doing (75%).
The best way to look at it is that the test wants to ensure you know what door to knock on to get the answer.
Example: You’re in an environment where you need to implement confidentiality on backup tapes. How would you accomplish this? A. Encrypt the Tape Drives B. Store it at your desk… Answer: A, and that’s it! Don’t imply any other way; don’t think about AES, or what type of encryption AES uses. The answer is A and nothing more… Same thing with Java… Java=Sandbox and that’s it. No other question/answer is associated with Java and Sandbox in the test, so don’t imply anything else being there as an answer for it, and move on to the next.
As a final note, combining all of these techniques will help you absorb the material quickly and apply it. I am not saying you will pass the test by doing this, but you will be better prepared to understand what you’re being asked and the concepts you’ve ingrained into your head to provide the BEST ANSWER to the situation. So, get out there, learn the material, apply it to your everyday work/life, work with coworkers to talk about the material and hear different aspects of it, and pass the test!
PS: For those of you that are fresh in the field, I recommend starting with the CompTIA Security+ as your BASELINE to the security world!