How to Crack Your CISSP Exam
Around 50 people contact me on a monthly basis asking how to start and pass the CISSP exam. I provide them a single technique that has helped 90% of those students get certified.
The technique is not a brain dump. It's not trying to make you a better test taker. It's not a shortcut. It's not easy.
It relies more on how hard you work and maintain the discipline to follow the steps.
If you go through all the "How To Crack The CISSP Exam" posts, dedication and discipline have been the hallmark of all those who have passed
I'm not here to tell you how to take notes, organize your desk, tell your friends/family that you are about to take on a long journey, or what kind of discipline to maintain. All that stuff is your responsibility as a professional working adult.
I've been helping others pass the CISSP for over 3 years now, and like to think I have a formula down that actually works.
Below you will find the exact steps I tell everyone.
Step 1 Use Sybex 7th Edition As Your Primary Study Guide
Literally everyone that has passed the new exam has said that this book was their primary study guide - and this is exactly the book I most recommend. Use the Sybex 7th as your primary study guide, and then use the Shon Harris book in Step 2 as your reference to expand on topics.
It's like the author took a ton of comprehensive notes while reading the Shon Harris book, and turned those notes into the Sybex book. That's some good efficacy.
For example, while the Sybex may have the general steps of BCP/DRP planning, the Shon Harris book goes into granular detail on what happens at each step.
While Sybex has a short paragraph on conducting a site survey to fulfill physical security requirements, the Shon Harris 7th Edition book has over 10 pages of information on proper physical security.
As important as it is to understand Kerberos, the Sybex sums up how it works in 2 pages with a simple overview of how tickets and session keys are exchanged. The Shon Harris 7th Edition goes over Kerberos in full detail that would even help a network security engineer understand the concept.
The book is dry, but so is this exam. The Shon Harris puts in an effort for a little bit of humor at least.
User Shon Harris As Your Encyclopedia
This book is for the long haul. It's a novel, a dictionary, an encyclopedia...if you have never worked in security, networking, or anything tech, this book does a great job in explaining it to you in excruciating detail. At times I spent more time with this book than my wife.
If you read this book 3 times, you will be able to talk the language of security.
Shon Harris adds humor, and almost knits a story in a way you don't find in the Sybex book. The Sybex gives it to you hard and fast. Shon takes you out to a nice Italian dinner, a movie, and then romances you.
Some of the explanations may be overkill for the actual exam, especially the technical stuff, but it really only serves to properly reinforce the important concepts. The end of the chapter questions are some of my favorite, and I think most closest to the exam. There was a lot of genuine effort put into this book.
If you plan on taking months to study, then go with Shon Harris AIO 6th edition. She is the best storyteller and you don't find it dry like Sybex (IMHO) and you grasp the core concepts in a very easy way , you may not forget them years from now.
Take At Least 5,000 Practice Exam Questions
If you read all the study guides, watched all the videos, and have 8 years experience in the security field, but you don't take any practice exam questions - you will fail the exam.
There are two things to juggle when the exam is in front of you: concepts and how to read the question.
You are not taking 5,000 practice questions to see how many you get correct, but rather to see if you truly understand your concepts. I've always suggested that the key is to take as many practice exam questions as possible.
50% of your studies should be books, and 50% should be practice exam questions. To take full advantage of these questions, you should not only try to get the answer right, but also realize why the other answers are wrong.
Here's one more secret: if you take enough practice questions, eventually you start to "see" the pattern. You start to see the code, sort of like Neo while in the Matrix. Sooner or later by the 3,747th question you start to understand how the ISC2 wants you to answer the questions...you start to see what the ISC2 wants you to know.
In reality, there is no CISSP exam. It's just a test to see if you can "see" the concepts of security. Once you can see this after going over so many quizzes, no question on the exam can fool you. You will get 100% of the questions correct.
I have a short sample of some of my original practice exam questions here: CISSP Promo Quiz
Additionally, below is an example of what it means to know the concepts:
Sample Practice Question
Three things occurred during Study Notes and Theory's recent branch office move:
1. Fire extinguishers were kept within 50 feet of critical areas 2. The office is an open area, without cubicles 3. The front door area is well-lit with video cameras 4. Switched from Telnet to SSH for server access
After migrating from a Telnet environment to SSH, the security administrator at SNT's branch office required all users to generate their own private/public keys.
The public keys were sent to the administrator using plaintext email without encryption. The public keys were then uploaded to an SSH proxy server.
Which type of attack could be performed on one of the employees to obtain their private key?
A. Blue Snarfing B. Dumpster diving C. Man In the Middle D. Shoulder surfing
The correct answer is D, Shoulder surfing. Why? Let's eliminate the incorrect answers first.
It's not A. Blue Snarfing because that has to do with an attack on Bluetooth devices. The question has nothing to do with that.
It's not B. Dumpster Diving because public/private keys are electronic media and not something you can find in a dumpster like paper or folders. I suppose you can find a USB drive in the trash but that's going out the scope of this question.
It's not C. Man In the Middle because the private keys are not being sent over any kind of medium, they are being generated at someone's workstation. You can perform a MiTM attack on the public keys that are sent over plaintext, but there is no gain from obtaining a public key, it's public!
Take a look at this line from the question "2. The office is an open area, without cubicles" - this means that it is easy to walk around and peer into other people's monitors in the office. Monitors where someone could be generating their private keys and typing in a password. Someone could walk by and observe them, and memorize the password. Based in reality? Maybe, maybe not. A concept you should know for the exam? Definitely.
The concept to take away from this question is that public keys can be seen by anyone without any harm, and that private keys should be seen by no one! The distraction in the question was when public keys were sent to the administrator using plaintext email. It doesn't matter if it was in plaintext because it doesn't matter if anyone see your public key.
Watch As Many CISSP Videos As Possible
YouTube. CBT Nuggets. Cybrary. GIFs. Anything visual to supplement your reading can exponentially increase your understanding of a topic.
In all my time as a CISSP I've watched a lot of videos, and read the CISSP study guides for FUN.
Use Mind Maps and Domain Summaries
After reading a study guide all day, watching videos, and taking practice exam questions...sometimes you just don't want to do it anymore. You're done.
Yeah, you need to pass the exam, but you also need your rest and sanity, not to mention time for your family.
Mindmaps and domain summaries are like your CISSP vitamins. They help to provide you the nutrients to maintain the steam of all your studying. they are the best way to NOT forgot everything you learned in 3 days.
Additionally, after reading hundreds of pages, everything starts to blend in - that's not good. You need to understand how topics are categorized. You need to know the Biba Model falls under the Access Control domain, or that IPsec can fall under both the Network Security and the Cryptography section.
Find mindmaps, PDF summaries, and some other helpful tips here:
Discipline and Dedication
If you need constant motivation and encouragement, this exam is not for you.
Motivation is for those who have not decided or don't know what they want.
Discipline and dedication is for people who know what they want.
Dedication is sticking to a schedule until you pass the exam. Dedication is waking up at 6AM on your days off and studying until you can't anymore until midnight - then waking up again the next day and doing it all over again.
Motivation is reaching for that alarm clock, turning it off, and going back to sleep. Motivation is reading inspirational quotes and deciding to act on them...but at a later time. Motivation is when you need someone else to tell you how to lead your life.
Teach yourself discipline and cultivate it. Motivation is hard to get, you have to wait for it, wait for it to come to you from others.
Dedication and discipline will always be there for you, it is reliable.
Pass the CISSP Exam
"Congratulations! We are pleased to inform you that you have provisionally passed the Certified Information Systems Security Professional (CISSP) examination."
Good luck and thanks for reading!