
How Michael Cracked His CISSP Exam


Hi All.


Luke Ahmed advised me to write up my study experience in clear text here. So here goes. (Sorry if formatting etc. is a bit screwed up; I have also added the pictures so they show as in the Word file.)


CISSP Journey and Write-up

Information for relevance:

• Passed first try

• Had several sources for information (elaborated later)

• Prep time 3-4 months

• Work experience from technical background to assessments and security architect

• Key points to study, learning and passing the test, with a few examples of “taking notes”

• FINAL Recommendations


Passed first try: My final week before the test was spent at a teaching facility run by a reputable provider; I can give more information if needed. I will not say this gave me any “new” knowledge, but it refreshed the knowledge I had already gained, and I will get a lot more into that in the “Key points to study” section.

The test was done at the end of the week, in an onsite Pearson Vue facility. We were told how it progresses, and I will try to explain here what I have understood about the CAT. This is ONLY my own thoughts, and should not be seen as anything other than sharing personal experience. I WILL NOT PROVIDE ANY SPECIFIC QUESTION CONTENT, so do not bother asking for it.

It seems like it calculates your score at 100 questions, as several of the attendees were “stopped” after 101 questions. Of course some went further; some of these passed, some did not, so you ARE able to pass until the very last question!!!


Had several sources for information

My first resource, and the most informative, is 100 % Thorteaches! I am in NO WAY suggesting he is “better” than anyone else; this was just MY PERSONAL PREFERRED source of knowledge intake. PS: we are both Danish, it might have something to do with the language etc.

There are several key points I want to clarify! There is AWESOME information in the PDF files that are segmented per domain. I do not know if a lot of people are aware of this when getting Thor's bundle!


I had “ALL” the books, but these were mainly used to get “second opinions” on things where I wanted to make sure it was clear to me.


• Eleventh Hour CISSP®: Study Guide (English Edition) 3rd Edition

• Official (ISC)2 Guide to the CISSP CBK ((ISC)2 Press Book 11) (English Edition) 3rd Edition

• The Effective CISSP: Security and Risk Management (English Edition)

• The Effective CISSP: Practice Questions (English Edition)

• IMPORTANT SOURCE: Pete Zerger - Inside Cloud and Security ( https://www.youtube.com/channel/UCAr0yk0um7lwLjmrKfzwyig)

• IMPORTANT SOURCE: Kelly Handerhan - Kerberos ( https://www.youtube.com/watch?v=1psrle2NQyA...)

• Google / Wiki / and all the results that stem from official resources such as the ISO 2700x standards, NIST 800-37 / 53 / 160 and so on. I would NOT suggest reading these and getting a photographic memory of them. Be aware of them and know what they are trying to achieve. I will get into this later in the study points.


Work experience from technical background to assessments and security architect

My background has its roots mostly in Cisco, and then it expands to various different certs on the technical side (Palo Alto PCNSE, IBM QRadar analyst, Cisco Cybersecurity CCNA obtained on a scholarship, Lancope Stealthwatch (aka Cisco Stealthwatch)).


I started out in an operations role with switch, router and firewall as the primary technologies. During this role Palo Alto was combined into it, and they have a “fundamentally” different approach. Seeing this I went for Cisco CCNP Security and the PCNSE, which are at a similar level. My ultimate goal at that time was to achieve a CCIE Security, which at the time represented the “ultimate knowledge level”. But after attending the CCNA Cybersecurity my mindset and focus totally changed! I started to realize that there was no way a CCIE alone would help me help the customers achieve a HOLISTIC security posture. Everything about the way a security project was sold, executed and evaluated was, in my perspective, lacking a lot of the dependencies.

This got me to apply for a role in our newly created Cyber Security Solutions department, which I got, and from there everything went at lightspeed for me. I was involved in Security Operations Center (SOC) as-a-service, which led to me getting the QRadar certificate, and a lot of knowledge about the “5 W's” of logging (what, why, etc.).

The primary and most important role I have in the department is my CIS/ISO assessments. This is a holistic approach that goes all around a customer's infrastructure to evaluate how maturely they have implemented and work with Information Security.

Key points to study, learning and passing the test

This part is by far the most important thing you will get from this write-up.

All graphs, diagrams, frameworks, concepts and whatever else is in the study material you need to UNDERSTAND and be able to RELATE/REPRODUCE.

They will either ask for specific knowledge, or you need to deduce an answer from the key words, i.e. what they are fishing for!!!!!

You will NOT need pages upon pages on every single “buzzword” in a sentence regarding topic XYZ.

I will try to expand and give you an idea of what this means!

Explain encryption to me?


1. What is encryption?

2. What is it used for?

3. Are there any uses that have specific purposes?

4. What separates them and why?


So the above could be explained with a MASSIVE text, but for your notes, and to really KNOW encryption, you need to “MAP” it and understand it. There are a lot of ways of doing this, but I will give you my way and approach. This is nothing new; I just want to make it CLEAR.


To me, I break it down like this:


There is of course a lot more that needs to be put in. The reason I state that this is a good way is that the questions are asked in a way where it is a scenario.

I will try and go through a thought process that is very similar to Luke Ahmed's book and the approach of the other videos, but I will also tie it to the “information retention” way of thinking that Pete suggests.

Question breakdown:

When person A is trying to establish a way of sending XYZ to person B.

Explaining “context”: from the question and the keyword “establish”, I already know that it is an ASYMMETRIC success, or it will be a “negative” answer where it is HARD to achieve establishment through SYMMETRIC, since symmetric is typically dependent on asymmetric to have a “secure way of initial exchange”.

I hope this is clear, and how it is related to the table.

Key points to study “CONTINUED”

So the schematic overview gives me 2 key things. It gives me a very compressed, applicable, full-picture overview of my 4 initial questions:

1. What is encryption?

2. What is it used for?

3. Are there any uses that have specific purposes?

4. What separates them and why?

It is also a very good way of collecting (documenting) and being able to quickly “repeat” my knowledge, to retain knowledge over time, and lastly it is very precise and “NOTEABLE” for notes review when it gets to go time.


It is not only for encryption you can use this, and I found it very helpful to figure out a way to know the security models also (which is also a topic with a lot of “similar” information).

First off, there are 2 types:

Confidentiality and integrity. Ask the 4 questions again, but with security models instead (some more information that is essential: the state machine etc.). Do your Due Diligence = READ/UNDERSTAND!!!

1. What is XXXXX topic?

2. What is it used for?

3. Are there any uses that have specific purposes?

4. What separates them and why?


For me the hardest part was to get them “linked”.


This drawing was what I did on the plastic sheet you get at the exam, along with a schematic overview in my head like the encryption part.


I know this might seem strange, but Bell–LaPadula model = Confidentiality, no read up, no write down. To me this made the most sense when I wrote where it WAS ALLOWED, rather than where it was not allowed. I am not going deeper into the model, since this is important information that you need to KNOW, but this is a very simple way to think about separating Bell vs BIBA.
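The “where it WAS allowed” view of both models, written out as code so the mirror image between Bell–LaPadula and Biba can be checked rather than memorised. This is an added example, not from the original post; the level ordering and the sample subject are constructed.

```python
# Added example (not from the original post): Bell-LaPadula (confidentiality)
# and Biba (integrity) access rules side by side. Levels are a constructed
# ordering; PUBLIC < INTERNAL < CONFIDENTIAL < SECRET.
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula: READ allowed at or below the subject's level
    (simple security property, 'no read up'); WRITE allowed at or above
    the subject's level (*-property, 'no write down')."""
    if op == "read":
        return obj <= subject
    if op == "write":
        return obj >= subject
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba: the mirror image. READ allowed at or above the subject's
    integrity level ('no read down'); WRITE allowed at or below it
    ('no write up')."""
    if op == "read":
        return obj >= subject
    if op == "write":
        return obj <= subject
    raise ValueError(f"unknown operation: {op}")


def allowed_matrix(model, subject: Level) -> dict:
    """Every (object level, operation) pair and whether it is ALLOWED for
    the subject: the 'write down where it was allowed' note from the post."""
    return {(lvl.name, op): model(subject, lvl, op)
            for lvl in Level for op in ("read", "write")}


if __name__ == "__main__":
    subject = Level.CONFIDENTIAL  # constructed sample subject
    for name, model in (("Bell-LaPadula", blp_allows), ("Biba", biba_allows)):
        print(name)
        for (obj, op), ok in allowed_matrix(model, subject).items():
            print(f"  {op:5} {obj:12} -> {'ALLOWED' if ok else 'denied'}")
```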


This way of “documenting” your knowledge, and getting it to be FUNCTIONAL and UNDERSTANDABLE, is to me essential. I know that you might have a very different way, but I hope this will help someone.

One special thing I want to point out is the quantitative risk calculation you need to be able to do. So do X amount of them, so you can do it with NO help! Including this last one: Value of safeguard.
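The quantitative risk formulas (SLE, ALE and the value of a safeguard) worked through in code, added here as an example rather than taken from the original post; the asset value, exposure factors, rates of occurrence and safeguard costs are constructed figures.

```python
# Added example (not from the original post): SLE = AV * EF, ALE = SLE * ARO,
# value of safeguard = ALE(before) - ALE(after) - annual cost of safeguard.
# All numbers below are constructed sample values.
from dataclasses import dataclass


@dataclass
class Risk:
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per incident (0..1)
    aro: float              # Annualized Rate of Occurrence (incidents/year)

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO."""
        return self.sle() * self.aro


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Value of a safeguard = ALE before - ALE after - annual cost of the
    safeguard. Positive means the control is worth more than it costs."""
    return before.ale() - after.ale() - annual_cost


def best_safeguard(before: Risk, options: dict) -> str:
    """options maps a safeguard name to (residual Risk, annual cost).
    Returns the option with the highest value (the cost/benefit pick)."""
    return max(options, key=lambda name: safeguard_value(before, *options[name]))


if __name__ == "__main__":
    # Constructed scenario: a 200,000 web server; a breach destroys 40 % of
    # its value and is expected once every 4 years (ARO 0.25).
    before = Risk(asset_value=200_000, exposure_factor=0.40, aro=0.25)
    # Option 1: a 5,000/year WAF cuts ARO to once in 10 years and EF to 20 %.
    waf = Risk(asset_value=200_000, exposure_factor=0.20, aro=0.10)
    # Option 2: a 25,000/year rebuild that (hypothetically) removes the risk.
    rebuild = Risk(asset_value=200_000, exposure_factor=0.0, aro=0.0)
    options = {"WAF": (waf, 5_000), "Rebuild": (rebuild, 25_000),
               "Do nothing": (before, 0)}
    print(f"SLE before: {before.sle():,.0f}   ALE before: {before.ale():,.0f}")
    for name, (after, cost) in options.items():
        print(f"{name:11} value = {safeguard_value(before, after, cost):,.0f}")
    print("Best option:", best_safeguard(before, options))
```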


FINAL Recommendations

Pick ONE source and go ALL THE WAY THROUGH IT

(BE CAREFUL NOT TO JUMP AROUND AND GET CONFUSED)


Along the way, try to think about the above way of gathering and tying information together. For the parts that are not understandable, make a note and revisit them. This is where I would reuse the first source; if it is still unclear, go to another source until you understand it. SO now you have a first-time pass of the information. Could you close your eyes and recall “everything” in the encryption table? If not, redo it on another document. With all the information, you need to be able to “reproduce” the knowledge, either by KNOWING it by heart or by being able to do a SUPPORT drawing like the Bell-BIBA overview with the line in the middle.


The repetition is very good to get from other sources (yes, more than one other; there is so much good free stuff on YouTube, Wiki etc.) than your MAIN source, since it will also give different angles that might “click” better with your personal understanding or knowledge gain. For me this was Pete Zerger and the CISSP EXAM CRAM series: the mind maps, mnemonics and memorization.


A small sidenote! When it gets hard, AND IT WILL!!!!!!!! Get a pillar of support for yourself!! Personally, I am a New England Patriots fan. Their “slogan” is = DO YOUR JOB.


My continued motivation is THIS!



To finish this off, and to give you more insight:

I have a fulltime job, Girlfriend, 2 kids (6 and 2), a dog and “an old house” + big garden.

If I can do it, you can too!

Go get it !!!
