CISSP training 2 months later…

So it has been about 2 months since I seriously started to study for my CISSP exam. I am about halfway there. I am planning to take my exam in November, which is only 2 and a half months, or 10 weeks, away. This post is an update on what I am doing for my study so far.

As you are probably aware from my previous posts, I am using the following books and resources for my study.

Primary: Shon Harris’ CISSP All in One book

Secondary: Eric Conrad’s books, both the study guide and the 11th Hour cram book.

I am also using DreamVoice as my primary text to speech reader to get me through the huge amount of material in Shon Harris’ book.

I was also doing the IT Masters free short course on CISSP, for which I took the final exam last night.

NEW:

I started to use http://www.cisspexampractice.com as a way of tracking my progress and my level of understanding.

The bad news is that, based on my current assessments, I’ve been getting an average of around 70%, which in the school world is a C and in the real world is not good enough to pass the CISSP exam.

The good news is that I still have 2 months, and most of what I missed was in sections that I haven’t read or studied yet. I am hoping that by the time I get to October I should be able to get 80% or higher on most of my practice tests.

Hacking Toyota Prius

While I was walking my dog this morning, I was listening to one of my favorite podcasts, Science Friday. They talked about something I found really interesting. The topic was hacking, in particular hacking a Toyota Prius remotely.

White hat hackers (a.k.a. the good hackers) at Defcon 2013 were able to demonstrate ways of hacking into a Prius from a Bluetooth connection or other external connections. But the interesting thing was that once they were in through the Bluetooth connection, they were able to do damaging tasks such as preventing the brakes from functioning, turning off all the lights or display consoles, or presenting false information.

Because of my current study in security and information assurance, this really brought some insight into the interviewer’s comments. The white hat hackers suggested using a layered approach to security, but currently the automakers are simply using security by obscurity. Both concepts were covered in detail in my CISSP studies, and security by obscurity is definitely a NO NO. So the objectives for future auto computer systems should be designed around a layered security approach, by minimizing the connections between the different computing systems, and by having a way of logging the events.

This podcast reminds me of the following:

First, it reminds me of Battlestar Galactica, where the Galactica was an old ship on which everything was communicated by hand or by wire, nothing wireless or over the computer network, to prevent hacking by the Cylons.

Second, the podcast mentioned how they were able to duplicate and inject control signals/commands into the system communications bus, which can cause events to happen (e.g. shut down all lights, or disable brakes). With all this intelligence or computing power in a car now, maybe it is time to implement some basic security rules… almost like the 3 laws of robotics? Hmm… not exactly, but something to think about.

So I think I should go and find a 1969 Mustang and forget about all this high tech stuff… what do you think?

— Ref:
NPR, Science Friday, Hacking Under the Hood and Into Your Car,  http://www.sciencefriday.com/segment/08/02/2013/hacking-under-the-hood-and-into-your-car.html
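The "log the events" idea from the post above, as an added illustration that is not from the post or the podcast: a small detector that learns the normal cadence of each periodic message id from a known-good bus log, then flags frames of that id that arrive much earlier than expected, which is what duplicated or injected commands look like on a shared bus. The log format, the frame ids, the 0.7 tolerance and the sample logs are my own constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample logs (not real vehicle data). One frame per line:
# "<timestamp_ms> <frame_id_hex> <payload_hex>". Frame 1A0 is a periodic
# status message sent every 100 ms; frame 2B0 is sent every 500 ms.
BASELINE_LOG = "1000 1A0 00\n1100 1A0 00\n1200 1A0 00\n1300 1A0 00\n1000 2B0 10\n1500 2B0 11\n"
# Same bus, but with three injected copies of 1A0 (payload FF) crowded in
# between the legitimate 1200 ms and 1300 ms frames.
OBSERVED_LOG = ("1000 1A0 00\n1100 1A0 00\n1200 1A0 00\n1240 1A0 FF\n1250 1A0 FF\n"
                "1260 1A0 FF\n1300 1A0 00\n1400 1A0 00\n1000 2B0 10\n1500 2B0 11\n")
LINE_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]*)$")

def parse_log(text):
    """Return (timestamp_ms, frame_id, payload) tuples sorted by time; malformed lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1)), m.group(2).upper(), m.group(3).upper()))
    return sorted(frames)

def learn_periods(frames):
    """Baseline: median gap in ms between consecutive frames of each id."""
    last, gaps = {}, defaultdict(list)
    for ts, fid, _ in frames:
        if fid in last:
            gaps[fid].append(ts - last[fid])
        last[fid] = ts
    return {fid: median(g) for fid, g in gaps.items()}

def find_injected(frames, periods, tolerance=0.7):
    """Flag frames of a known periodic id that arrive sooner than tolerance * period
    after the last trusted frame of that id; flagged frames do not reset the clock."""
    last, alerts = {}, []
    for ts, fid, payload in frames:
        if fid in periods and fid in last and ts - last[fid] < tolerance * periods[fid]:
            alerts.append((ts, fid, payload))
        else:
            last[fid] = ts
    return alerts

def scan(baseline_text, observed_text):
    """Learn each id's cadence from a known-good log, then scan the observed log."""
    return find_injected(parse_log(observed_text), learn_periods(parse_log(baseline_text)))
```

A timing check like this only catches injected copies of periodic messages; it says nothing about a single spoofed frame sent at the right moment, which is why the post's layered approach (fewer connections plus logging) matters more than any one check.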

Security Vendors and ISO 17799 and ISO 27002


So it’s interesting: yesterday I was in a vendor presentation about Building Automation Systems (BAS) and cabling systems. One of their slides talked about how their products meet the ISO standards (ISO 17799). Since I’ve been studying for my CISSP, I thought I should know that one, but it was a 17799 number and I thought the security standards were the ISO 27000 series. So I figured it would be a great reminder and refresher to look it up.

After looking it up, here are the facts to remember:

ISO 17799 = ISO 27002

ISO 17799 was renumbered in 2005 to ISO 27002 [1].

So that tells me that vendors just put numbers down to impress people; they really don’t know that it is an out-of-date standard and that it has been superseded by ISO 27002.

References:

[1] E. Conrad, 11th Hour CISSP Study Guide, Syngress, Burlington, MA, 2011, p. 14.


CISSP Study Updates: vBookz vs. Voice Dream

I am 4 chapters into Shon Harris’ CISSP All-in-One book, and I’ve been getting 60% to 70% on the end-of-chapter questions on the first try. A few initial thoughts are as follows.

Shon Harris’ book is good, with lots of material, but her writing style is very wordy and long-winded, and her humor is not really my style and isn’t that funny. I feel sometimes that I know there is a structure, but there are cases where it seems that we are just off on a tangent. Don’t get me wrong, it was still relevant, but just off on a tangent. There are other times where I feel that the book has a lot of repetition and is not very efficient in communicating the 10 main domains. But then again, there is a lot of overlapping material within the 10 different domains. With all that said, there is a lot of great material in the book, and I think it will be a great reference book after I am done with the CISSP exam.

So this week, I was a bit behind on my reading… so I added 2 additional resources to help with my preparation.

1) Because of how long it takes to get through Shon Harris’ book, I decided to try out Eric Conrad’s CISSP Study Guide. I’ve already got the 11th Hour study guide, but I thought I would give the regular study guide a go.

CAUTION: The domain numbers are different from the All-in-One book. All domains are covered, but the domain numbers are different, so be careful when you talk about the domains by number alone. Always refer to the actual domain name, for example the Access Control domain.

The initial thought is that the book is a lot thinner and not as wordy. I think it is a good supplement to my CISSP study. So the current goal is to use the All-in-One as the primary path and the different supplementary resources to help me out.

2) CISSP meet-up

Last Thursday, I joined a CISSP meet-up group to meet with a small group of folks to chat about CISSP and get me to be more focused on my studies. It’s a very small group, but they all seem to be very nice. I hope we all pass in the near future.

3) In an earlier post, I talked about using a text-to-speech app to help me get through the books. Well, I have to say, after about 2 chapters with the vBookz voice reader, I was very disappointed. Here’s why.

  • Constant crashing and slowdowns on certain sections of the PDF file.
  • Acronyms… it is very annoying how inconsistently vBookz reads acronyms: sometimes it reads them as they sound, sometimes it reads them letter by letter, and sometimes it even replaces the acronym with a word (e.g. for CA, vBookz will read “California” when in context CA meant certificate authority). Is there any way to set how vBookz reads acronyms? If they were all read as letters I would be fine with that… it is just the inconsistency that bothers me and makes it hard to understand.
  • Split words. In my document there are a lot of words that are split from line to line with a – (dash). So for example the word “individuals” is split between two lines and is now “individu-als”. vBookz reads it as two words. I can understand it most of the time, but there are times where it doesn’t make sense.
  • Bullets. When vBookz reads a bullet list… it is just unbearable: small bullet… xyz… small bullet… abc… small bullet, etc., on and on…
  • Page numbers and headers and footers… there is no way for vBookz to skip any text, so when you are listening to a page it will inject the next page’s header and number and continue to read on. It’s pretty disruptive.

vBookz vs. Voice Dream App

So after emailing the author and looking around for alternatives, I decided to drop another $10 and try the Voice Dream app. Oh my gosh, it was night and day!!!

I only wish I had found this sooner. This app actually took care of most of the concerns I had.

  • It automatically joins all split words.
  • It has a pronunciation dictionary that lets you set how you want words or acronyms pronounced.
  • It lets you skip text, so things like headers and footers can be skipped.
  • It lets you use RegEx to define the filter for things to skip… so now I can also skip all the page numbers!!
  • Bonus: it treats the document like an audio file. It tells you how much time is left until the end and how much has already been read.
  • Bonus: it can be controlled like an audio file with the earphone remote, etc.
  • Bonus: works with Dropbox and iCloud.

All in all, it is a very well designed app and the WINNER between the two apps.

However, it does have a few bugs in this version, which I communicated to the app author, and he agreed to look into them. I will update this blog if I see my suggestions implemented.

I think it was worth the $10 price tag. This voice reader app is much more refined and better thought out than vBookz.

So all in all… I am slowly moving along in the certification studying process for CISSP, and it is sticky and nasty.