How to Crack Your CISSP Exam
Studying for the CISSP is a decisive action. One has to choose to pass it with firm resolve.
If you go through all the "How To Crack The CISSP Exam" posts, you will see that dedication and discipline have been the hallmark of all those who have passed. Having a positive and unrelenting mindset is just as important as having all the CISSP books, practice questions, flashcards, or videos.
Read books. Watch videos. Take practice questions. Stick to the plan.
Once this is finished, disregard the plan completely and be faithful to only the absolute concepts.
The following are my suggestions. It may align with your current selection or act as a helpful guideline. Your life schedule will dictate the most effective path.
Even though the CISSP exam is changing in May 2021, the below strategies and resources will still be valid to use.
Step 1 User Shon Harris As Your Encyclopedia
If you read this book 3 times, you will be able to talk the language of security.
Shon Harris adds humor, and almost knits a story in a way you don't find in the Sybex book. The Sybex gives it to you hard and fast. Shon takes you out to a nice Italian dinner, a movie, and then romances you.
Some of the explanations may be overkill for the actual exam, especially the technical stuff, but it really only serves to properly reinforce the important concepts. The end of the chapter questions are some of my favorite, and I think closest to the exam. There was a lot of genuine effort put into this book.
If you plan on taking months to study, then go with Shon Harris AIO 8th edition. She is the best storyteller and you don't find it dry like Sybex (IMHO) and you grasp the core concepts in a very easy way, you may not forget them years from now.
Additionally, the act of reading is essential to understand the high-level concepts. I talk about the importance of actually reading your CISSP books here:
If you just can't sit and read for hours, this technique to mix questions and videos may help:
Use the Sybex 8th Edition As Your Primary Book
A high number of those who have passed the exam has said that this book was their primary study guide - and this is exactly the book I most recommend. Use the Sybex 7th as your primary study guide, and then use the Shon Harris book in Step 1 as your reference to expand on topics.
It's like the author took a ton of comprehensive notes while reading the Shon Harris book, and turned those notes into the Sybex book. The efficacy is appreciated.
For example, while the Sybex may have the general steps of BCP/DRP planning, the Shon Harris book goes into granular detail on what happens at each step.
While Sybex has a short paragraph on conducting a site survey to fulfill physical security requirements, the Shon Harris 7th Edition book has over 10 pages of information on proper physical security.
As important as it is to understand Kerberos, the Sybex sums up how it works in 2 pages with a simple overview of how tickets and session keys are exchanged. The Shon Harris 7th Edition goes over Kerberos in full detail that would even help a network security engineer understand the concept.
The book is dry, but so is this exam. The Shon Harris puts in an effort for a little bit of humor at least.
Take At Least 3,000 - 5,000 Practice Exam Questions
If you read all the study guides, watched all the videos, and have 8 years experience in the security field, but you don't take any practice exam questions - you will fail the exam.
There are two things to juggle when the exam is in front of you: concepts and how to read the question.
You are not taking 5,000 practice questions to see how many you get correct, but rather to see if you truly understand your concepts. I've always suggested that the key is to take as many practice exam questions as possible.
50% of your studies should be books, and 50% should be practice exam questions. To take full advantage of these questions, you should not only try to get the answer right, but also realize why the other answers are wrong.
Here's one more secret: if you take enough practice questions, eventually you start to "see" the pattern. You start to see the code, sort of like Neo while in the Matrix. Sooner or later by the 3,747th question you start to understand how the ISC2 wants you to answer the questions...you start to see what the ISC2 wants you to know.
In reality, there is no CISSP exam. It's just a test to see if you can "see" the concepts of security. Once you can see this after going over so many quizzes, no question on the exam can fool you. You will get 100% of the questions correct.
I have a short sample of some of my original practice exam questions here: CISSP Promo Quiz
Additionally, below is an example of what it means to know the concepts:
Sample Practice Question
Looking at the diagram, what type of technical preventative control would best protect your traffic?
A. Perimeter Security
B. Transport Layer Security
C. Anti-Replay Security D. Endpoint Security
A. Perimeter Security
Perimeter security devices such as firewalls, IPS, or DDOS protection measures would definitely work to thwart any action by the dual “Attacker” nodes closest to the client and the web server. The graphic is also showing the perimeter of the client and web server highlighted in pink. Placing a firewall in front of these two devices would be an appropriate technical preventative control to protect ingress/egress network traffic. But the main focus on perimeter traffic is to inspect and allow in or allow out authorized traffic. Perimeter security devices are stationary and work only at the point of location on the network, it does not help to secure traffic through the Internet across multiple nodes. They are a security guard, not a police escort.
B. Transport Layer Security
The correct answer is B!
The picture is showing a couple of things, most notable are the client and web server highlighted in pink on each end of the diagram. In between the client and web server are a few nodes labeled as either attacker, mystery node, or random unsecured router on the Internet. The thing to take away most from this diagram is looking for a technical preventative control that would secure our traffic from the client to the web server. Just the word “traffic” in the context of the question means that data is taking flight, it is not at rest – this is why choice D is incorrect.
Transport Layer Security secures our web and other network traffic that is leaving one domain and going to another domain. TLS can be used to secure multiple protocols such as FTP, and also HTTP.
How do we know that the diagram is focused on HTTPS traffic? Because the client is going to a destination web server. If it was a file server, then maybe FTP would be the protocol we want to think about – but either way, TLS can be used to secure both protocols.
TLS encrypts the traffic from the client, over the Internet, and to the web server. This encryption will protect against man in the middle attacks and anti-replay from any potential attackers, mystery nodes, or random routers on the Internet. It’s not to say that mystery nodes or unsecured routers are always malicious, but we can’t assume they are safe either. There are multiple routes and paths your traffic may take to reach its destination as you surf the web, and we don’t always have insight into all the hops in between. TLS provides the necessary integrity and confidentiality to traverse through these questionable nodes.
C. Anti-replay Security
Anti-replay Security isn’t a concept, but TLS would be considered a security measure against anti-replay. Although not applicable from the diagram, an IPSec VPN also provides anti-replay protection.
D. Endpoint Security
Endpoint security is more for data at rest, either at rest on the client side or the web server side. It’s true you could think there is data resting at either of the endpoints, but then why would the diagram go to the trouble of showing the descriptive nodes in between? The question is trying to enforce the concept of using TLS for securing data in motion. TLS is the only choice protecting data while in motion. The motion to make it through the mystery node, attacker, and random unsecured router on the Internet.
Watch As Many CISSP Videos As Possible
YouTube. CBT Nuggets. Cybrary. GIFs. Mindmaps. Anything visual to supplement your reading can exponentially increase your understanding of a topic.
In all my time as a CISSP instructor, I still read the CISSP study guides for FUN.
Think Like A Manager
The ISC2 states "The CISSP is ideal for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles."
This is not a certification that tests your technical skills, it is to see if you can think like a manager. A manager who can understand the importance of the business objectives and can balance value, cost and keeping risk to a minimum, all while maintaining an acceptable level of security.
I've written a whole book on "How To Think Like A Manager for the CISSP Exam".
But if you are unable to purchase due to financial hardship or geographic location, then just watch this YouTube video and it should pretty much be the same thing:
For other study resources such as PDF notes, tips, and other strategies please visit the website here:
Discipline and Dedication
If you need constant motivation and encouragement, this exam is not for you.
Motivation is for those who have not decided or don't know what they want.
Discipline and dedication are for people who know what they want.
Dedication is sticking to a schedule until you pass the exam. Dedication is waking up at 6AM on your days off and studying until you can't anymore until midnight - then waking up again the next day and doing it all over again.
Motivation is reaching for that alarm clock, turning it off, and going back to sleep. Motivation is reading inspirational quotes and deciding to act on them...but at a later time. Motivation is when you need someone else to tell you how to lead your life.
Teach yourself discipline and cultivate it. Motivation is hard to get, you have to wait for it, wait for it to come to you from others.
Dedication and discipline will always be there for you, it is reliable.
Click here if it's "Almost Time To Take Your CISSP Exam?"
Pass the CISSP Exam
"Congratulations! We are pleased to inform you that you have provisionally passed the Certified Information Systems Security Professional (CISSP) examination."
Good luck and thanks for reading.