Category Archives: CISSP

My CISSP Experience

Filed under Certifications, CISSP, Reviews

After 4 months of studying, I took the CISSP exam on the 20th of November. Let me share with you my journey:

Preparation

I began with a very intense and structured study schedule (see my previous CISSP study post). After starting back up the last semester, and having a wave of testing assignments come up, I was forced to simplify my study plan. I used 3 primary sources:

  1. The Official (ISC)2 Guide to the CISSP CBK
  2. CISSP Study Guide (Syngress) by Eric Conrad
  3. CCCure.org

I spent the first couple of months simply chewing through the official coursework. In retrospect, I think I might have been better prepared if I had used Shon Harris’ book instead of the official book. Although the Official Guide was full of great content, it was often hard to understand and apply the principles. This is extremely detrimental to the CISSP candidate (for reasons I will explain further down). So although the content is supposed to be the most “unadulterated”, it was perhaps too cryptic for the average person to benefit from it the most.

The Study Guide by Eric Conrad was fantastic! Although it did not go through the same breadth of topics as the Official Guide, it covered nearly 95% of the topics, and emphasized what I found to be the most testable topics. I appreciated the simplicity of Conrad’s book, and it helped me to better understand topics that I had only partially understood from the Official Guide. So the way I used the Conrad book was as follows. I would read the chapter of the official material, and then read the Conrad book’s corresponding chapter. After finishing those books, I read the Conrad book again, taking a page’s worth of notes from each chapter (see below for detail on the notes I took).

CCCure was amazing. The videos were fairly redundant with what I had read, but if you have time I would suggest watching all of those before starting any of the books. What I benefited from the most was the quizzes. I took nearly all of the quizzes possible (in sets of 25), and kept a chart of those areas I struggled in most. I used these test results to help me identify what I needed to take notes on and study further when I reread Conrad’s book. I must say that the quizzes were the biggest help in solidifying my conceptual understanding of the CBK. I have to also mention how helpful Clement (the owner and operator of CCCure) was. He was quick to respond to emails, and had personal responses to my questions. He also sent me an amazing summary of BCP/DRP. Although you don’t get to see your test results if you pass, I do believe that I didn’t miss a single BCP/DRP question because of that guide. There are also some amazing last-minute review guides on the CCCure website that were of great assistance. I took one with me until the moment I walked in the door to the testing room.

Taking the Exam

The test day wasn’t too bad. I took it at the University of Utah in their medical building. There must have been 15-20 people in the testing session with me. I was by far the youngest, and was intimidated to find that many (much more senior) candidates were taking the test for their 3rd and 4th time. At that moment I figured I would fail miserably; perhaps the experience would be a good way to prepare for my next time. Here is what I found about my experience:

  • Although you could bring food, and drink, I didn’t really need it. The proctor brought some water, but other than that I didn’t want to waste the time eating my snacks.
  • The time works out to a fairly short amount of time for each question. In response, I decided that I would read through all the questions, filling in the questions I knew for sure, and skipping any question I had the least amount of doubt about.
  • When actually answering the questions, I used good ol’ test-taking skills. I would first identify the outlandish answer and scratch that off. Then I would identify any other answers that contradicted the remaining ones. From there I would jot down my first impression of what the correct answer was, and move on. When returning to those questions after my first pass through the exam, I found that my nerves were calmer, the questions seemed clearer, and the answers stood out more easily (whether they changed or not depended on my reading of the question, which I found I had often misread/misunderstood on the first reading).
  • I finished with about an hour to spare. I could have gone through the questions again, but I was so mentally exhausted I just wanted it to be done. After all, I wanted to avoid the second guessing that occurs during stressful tests.

The Exam

I must say that what I had heard about the exam worked it up to be some evil device only the devil himself could have created. In actuality, it is quite the opposite. I can’t give many details about the actual test, but I will say this:

  • It is very well written. However, it does use double negatives and other tricky wording. So if you have trouble with reading comprehension, you should take great care.
  • It is NOTHING like the CEH. The CEH is nearly all memorization of facts. The CISSP was very different. It required more understanding of the concepts and principles. So don’t go into the CISSP studying as if you are going to be regurgitating facts. Don’t get me wrong, you need to know the facts (about protocols, encryption, etc.), but questions will require the knowledge of facts within the application of principles.
  • Don’t expect to find the answers to questions within other test questions. I read a post by someone saying that this was the case, but I seriously doubt that they actually took the test.

The Aftermath

Yes, yes, everyone has their aftermath story. Mine was like this: I was feeling great… until I got to the entry hall of the building we were in. There I saw one of the other candidates, and we asked each other how we felt we did. I guess I hadn’t read enough about the actual exam, because the fellow explained to me how the questions were weighted differently. You see, I was confident that I had answered over 75% of the questions correctly; very little doubt about it in fact. However, after that I was panicking that I had failed. As I explained to my wife, “I am sure I won the popular vote, but I may have been killed by the electoral college” (a little bit of political humor).

After weeks of waiting (probably because of the holiday season), I got my congratulations email at 6:30am the day before Christmas Eve.

If you have any questions, feel free to post them!

CISSP Passed!

Filed under Certifications, CISSP, News

Yup! I passed the CISSP! Wasn’t too bad. More on that to come!

CISSP Study Plan

Filed under Certifications, CISSP

I am considering taking on the CISSP as my next certification. I am finishing up the ECSA (review to come), and I am already setting my sights on the next target.

CISSP vs. eLearnSecurity

I was debating what my next target should be. Seeing as the next semester starts up in 3 weeks, I was hesitant to commit myself to something too big, but still wanted a good goal. I had long been wanting to enroll in the eLearnSecurity Pro Pentesting Course, but for some reason I could never justify the cost. What I mean is that under the threat of a new version, the obscurity and lack of credibility of the certification, and the fear that the course delivers less than it advertises, I am skeptical about investing in that course. Nevertheless, it still remains something I would like to try.

On the other hand, the CISSP still remains the de facto gold medal for security professionals. Although not penetration testing focused, it is the top dog of the DoD 8570 and packs lots of credibility. The CISSP is no simple task, and (from what I have seen) yields an 80% failure rate. However, seeing as my past certification history has always turned out well due to good study, I believe I could do it.

So for those reasons I have decided to work for the CISSP rather than the eLearnSecurity course (eCPPT). If you think I am making a mistake in that choice, please share with me your comments.

So how do I prepare?

After much studying and researching, I figured out that my best choice for prep material would stem from 2 books:

  1. Official (ISC)2 Guide to the CISSP CBK, 2nd Edition ((ISC)2 Press)
  2. CISSP All-In-One Exam Guide 5th Edition by Shon Harris

These seem to be the best books to use. I will also use the Shon Harris exam mentor CBT, as well as the CCCure.org site and practice exams.

Spending at least 5-10 hours a week, I am wondering how soon I will be prepared. The earliest I could take the exam is November 20th, but more than likely I’ll end up taking it in January (the exams are live, proctored exams that are scheduled in different regions at different times).

I think I might try to follow the outline of this fellow’s study plan.

If anyone has taken the CISSP or is preparing for it, please contact me. I would love to compare and discuss study helps and such!
