You’re Almost There !!!

So after 6 months of studying and 2 weeks of intense studying, I passed my CISSP exam yesterday.  Since I am under NDA, I can’t share any specific questions or answers, but I can talk about my experience.  To be honest, even now I still don’t know the correct answers to some of the questions on the exam.  They are like this post I saw on Reddit.

Which of the following add up to six?

A: 9-3

B: 0+6

C: 4+2

D: 12/2

As many people have already said, the exam is more of a management exam than a technical one, but that doesn’t mean a specific technical question doesn’t pop up once in a while.  So be prepared and really read the questions twice before answering.  If you can’t understand one the first time, skip or flag it and come back; you will get it about 150 questions later.

First, I have to apologize for not keeping up with this blog.  The intention was to post what I learned as a way to refresh myself, but as work got busy, I fell behind.  I may still continue to post things I learn about security on this site to help others.  So let’s talk about what I used to study for this exam.

As I stated in my previous post, I used the following books.

NOTE:  The Eric Conrad book was only $1!!!!! Yes!!! $1. Use the link above with promo code ONESALE!!!  What a great deal.  [1]

  •  I also used this website for my practice test questions

http://www.cisspexampractice.com

My study process and exam experience:

After I signed up for CISSPexampractice.com, I worked on at least one exam every week.  I kept a notebook of all the topics that I missed on the exams and tried to review those every morning.  However, the reality is that this process did not really happen until 5 days before the exam.

So, I finished CISSP in 21 Days and the God-awful Shon Harris AIO book around 1.5 weeks before my exam, and then I did nothing but practice exam questions. I also did every section exam in Shon Harris’ book and Eric Conrad’s book, plus the free exam on Eric Conrad’s website.  I was consistently getting around 70%.   Whenever I missed one, I researched the topic and read the other books to get the answer, and I wrote the specific topic in my little notebook for my daily review.  At times it felt like I was jamming so much stuff into my brain that I was about to explode.  Around the last few days I started to find a pattern and a groove to the material, and I thought I was ready.   I think I must have done over 1000 questions.

The day before the exam, I took a day off to study and relax.  I was going to stop studying around 4 PM and just chill and get ready for the exam, but I ended up studying and finding areas that I was still a bit unsure about until 11 PM.  I could not fall asleep, and I ended up waking up at 5:30 AM for my 8:00 AM exam.

It took me 15 minutes to drive to my exam site (I was lucky that there is an exam site really close to where I live).  I tried to hype and psych myself up by listening to some awesome pump-up music to get me into the zone… the “DANGER ZONE”.    However, when I got to the exam site, the registration process really messed up my excitement and snapped me back to reality.

During the exam:

I am not the best exam taker, so I was very nervous.  I felt like I knew the material, but for the first 20-50 questions I felt like I really did not understand what they were asking.  I marked all the questions that I was not sure about and just continued to push through.  I felt a little bit better around question 150, but still uncertain.  I took a short pee break around question 125. There were times during the exam when I really felt that I had failed and would need to think about retaking it and when I could retake it.  But I continued to take deep breaths, cool my head, and keep answering the questions (thinking like a consultant and an advisor).  I was also expecting to finish in about 2 1/2 to 3 hours based on my practice tests, but I ended up taking 5 hours.  For the last hour, I went through all the flagged questions first and then used the remaining 20 minutes to go through as many questions as I could.

Finishing the exam and receiving my results:

By the time I was done, I was so burnt out that I really thought I had failed, even though at the end, going through the questions, I felt those were the best answers I could choose.  When the proctor handed me the results sheet, I read the middle of the page and saw “You’re almost there!!!”.   I thought to myself… “DAMN, I failed”.  But for some reason, I could not find my score on the page.  Then I reread the page from the beginning and it said “… you passed the CISSP exam”.  Woo hoo!!!   The “You’re almost there!!!” just referred to the fact that I must get my endorsement submitted before I am officially a CISSP.

I drove home shaking and excited.  It’s finally over and I can finally sleep 😀 … so time for some beer!!!

My Thoughts on the different books and study guides

I used both ebooks and hard copies.  I have all 3 main books (AIO, Eric Conrad’s Study Guide, and the CISSP CBK) in ebook format.  I have the AIO 6th edition, Eric Conrad’s 11th Hour Study Guide, and CISSP in 21 Days.  I found that iBooks on my MacBook Pro is extremely helpful for finding the explanation of a particular topic.  I try to search for the topic of each missed question in all 3 main books.

  1. First, Shon Harris’s AIO book is a good reference guide, but it is not a good book to read.  I went through the entire 1456 pages and it sucked!  She is very, very wordy; some of the concepts are not very clearly explained and some are just confusing enough that they may be wrong (e.g. polymorphism).  She is also sexist: almost all the good security scenario examples in the book are referred to by the pronoun “she”, and the bad scenario examples are referred to by the pronoun “he”.  I think the book could probably be written more concisely and cut by about 700 pages.  But with all that said, it is truly an ALL-IN-ONE book.  It really has just about everything and the kitchen sink that you need to know and may need to know for the exam.
  2. The Eric Conrad books (CISSP Study Guide, 2nd ed., and Eleventh Hour CISSP Study Guide) are much more straightforward, with a cleaner layout, and are much easier to read.  They were much less confusing than Shon Harris’ book, and the examples are much better for a technical guy like me than Shon’s.    I actually really like the 11th Hour CISSP Study Guide for quick reference and a few key pieces of material.
  3. CISSP in 21 Days is worthless.  The book has so little material and useful information that it is like a very high-level outline; without other books there is no way that a person taking the exam for the first time could ever pass with that book.  DO NOT BUY IT!!!

My Final Recommendations: 

If I were to do everything all over again,  here is what I would do.

  1. I would still maintain a schedule for covering all 10 domains.  It is a lot of material.
  2. DO NOT USE Shon Harris’ BOOK as your primary study guide!!!! Use Eric Conrad’s book.  You will have far fewer headaches, but do use the AIO book as a reference.
  3. Do lots of practice questions to get the different concepts relating to the 10 domains into your mind.

Future:

I am thinking of using my study experiences to help people understand CISSP topics.

I hope this write up helps.  If you have any more questions please let me know.

[1]http://www.techexams.net/forums/isc-sscp-cissp/94884-cissp-study-guide-eric-conrad-only-1-a.html

Registered for my CISSP exam!

So, today I am officially a registered candidate for the CISSP exam.  I am about halfway through my studies and I am consistently getting around 70% on my review questions.  That is not good, but it is not horrible.  My exam date is November 15th, 2013.

The sign-up process was pretty straightforward.  I just followed the steps at ISC2, and after $599 I was registered for the exam.

So counting down T-73 days until my CISSP exam.

CISSP training 2 months later…

So it has been about 2 months since I seriously started to study for my CISSP exam.   I am about halfway there.  I am planning to take my exam in November, which is only 2 and a half months, or 10 weeks, away.    This post is an update on what I am doing for my study so far.

As you are probably aware from my previous posts, I am using the following books and resources for my study.

Primary: Shon Harris’ CISSP All in One book

Secondary: Eric Conrad’s books both the study guide and the 11th hour cram book.

I am also using Voice Dream as my primary text-to-speech reader to get me through the huge amount of material in Shon Harris’ book.

I was also doing the IT Masters free short course on CISSP; I just took the final exam last night.

NEW:

I started to use http://www.cisspexampractice.com as a way of tracking my progress and my level of understanding.

The bad news is that, based on my current assessments, I’ve been getting an average of around 70%, which in the school world is a C and in the real world is not good enough to pass the CISSP exam.

The good news is that I still have 2 months, and most of what I missed are sections that I haven’t read or studied yet.  I am hoping that by the time I get to October, I should be able to get 80% or higher on most of my practice tests.

Hacking Toyota Prius

While I was walking my dog this morning, I was listening to one of my favorite podcasts, Science Friday.  They talked about something I found really interesting.  The topic was hacking, in particular hacking a Toyota Prius remotely.

White hat hackers (a.k.a. the good hackers) at Defcon 2013 were able to demonstrate ways of hacking into a Prius from a Bluetooth connection or other external connections.  But the interesting thing was that once they had hacked into the Bluetooth connection, they were able to do damaging things such as preventing the brakes from functioning, turning off all the lights or display consoles, or presenting false information.

Because of my current studies in security and information assurance, this really brought some insight into the comments in the interview.  The white hat hackers suggested using a layered approach to security, but currently the automakers are simply using security by obscurity.  Both concepts were covered in detail in my CISSP studies, and security by obscurity is definitely a NO NO.   So the objectives for future automotive computer systems should be a layered security approach, minimizing the connections between the different computing systems, and having a way of logging events.

This podcast reminds me of the following:

First, it reminds me of Battlestar Galactica, where the Battlestar Galactica was an old ship on which everything was communicated by hand or by wire, nothing wireless or over a computer network, in order to prevent hacking by the Cylons.

Second, the podcast mentioned how they were able to duplicate and inject control signals/commands into the system communication bus, which can cause events to happen (e.g. shutting down all the lights or disabling the brakes).   With all this intelligence and computing power in a car now, maybe it is time to implement some basic security rules… almost like the 3 laws of robotics?  Hmm… not exactly, but something to think about.

So I think I should go and find a 1969 Mustang and forget about all this high-tech stuff … what do you think?
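Since the one concrete defence the post asks for is logging the bus, here is what you could do with such a log.  This is an added example and is not code from the post or from the Defcon talk.  It reads candump-style lines ("(timestamp) interface ID#DATA"), learns the normal period of each arbitration ID from a clean capture, and then flags frames that arrive far too soon after the last frame with the same ID (an injected duplicate has to beat the real ECU to the bus) as well as IDs never seen in the baseline.  The log lines, the IDs and the payloads below are constructed for the example and do not correspond to any real vehicle.

```python
"""Spot injected frames in a CAN bus log by comparing against a learned baseline.

Added example, not from the original post. The logs, arbitration IDs and payloads
are constructed and do not describe any real vehicle.
"""
import re
from collections import defaultdict
from statistics import median

# candump-style line: "(0.020000) can0 1A0#0F5C"
LINE_RE = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)"
)


def parse_candump(text):
    """Return a list of (timestamp, arbitration_id, payload_hex) from log text."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            frames.append((float(m["ts"]), m["id"].upper(), m["data"].upper()))
    return frames


def learn_periods(frames):
    """Baseline: median inter-arrival time per ID over a known-clean capture."""
    last, gaps = {}, defaultdict(list)
    for ts, cid, _ in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: median(g) for cid, g in gaps.items() if g}


def detect_injection(frames, periods, tolerance=0.5):
    """Flag frames arriving sooner than tolerance * learned period for their ID
    ("rate anomaly") and frames whose ID was never seen in the baseline
    ("unknown id"). Returns a list of (ts, id, data, reason)."""
    alerts, last = [], {}
    for ts, cid, data in frames:
        if cid not in periods:
            alerts.append((ts, cid, data, "unknown id"))
        elif cid in last and ts - last[cid] < periods[cid] * tolerance:
            alerts.append((ts, cid, data, "rate anomaly"))
        last[cid] = ts
    return alerts


def make_log(frames):
    """Render (ts, id, data) tuples as candump-style lines, time-ordered."""
    return "\n".join(f"({ts:.6f}) can0 {cid}#{data}" for ts, cid, data in sorted(frames))


# Constructed clean capture: ID 1A0 every 20 ms, ID 2C0 every 50 ms.
_CLEAN = [(0.020 * i, "1A0", "0F5C") for i in range(50)] + \
         [(0.050 * i, "2C0", "01") for i in range(20)]
CLEAN_LOG = make_log(_CLEAN)

# Constructed attack capture: same traffic plus ten spoofed 1A0 frames injected
# 2 ms after each genuine one, and a single frame on an ID the baseline never saw.
_INJECTED = [(0.020 * i + 0.002, "1A0", "0000") for i in range(10, 20)]
ATTACK_LOG = make_log(_CLEAN + _INJECTED + [(0.305, "3F0", "AA")])


if __name__ == "__main__":
    periods = learn_periods(parse_candump(CLEAN_LOG))
    for alert in detect_injection(parse_candump(ATTACK_LOG), periods):
        print("ALERT %.6f %s#%s %s" % alert)
```

Only the rate and ID set are checked here; a real monitor would also look at payload plausibility (a wheel-speed value of zero while other sensors say the car is moving), but that needs the signal definitions for the specific vehicle, which the post does not have.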

— Ref:
NPR, Science Friday, Hacking Under the Hood and Into Your Car,  http://www.sciencefriday.com/segment/08/02/2013/hacking-under-the-hood-and-into-your-car.html

Security Vendors and ISO 17799 and ISO 27002


So it’s interesting: yesterday I was in a vendor presentation about Building Automation Systems (BAS) and cabling systems.  One of their slides talked about how their products meet the ISO standards (ISO 17799).  Since I’ve been studying for my CISSP, I thought I should know that one, but it was a 17799 number and I thought the security standards were the ISO 27000 series.  So I figured it would be a great reminder and refresher to look it up.

After looking it up, here are the  facts to remember:

ISO 17799 = ISO 27002

The 2005 revision of ISO/IEC 17799 was renumbered as ISO/IEC 27002 (the renumbering itself took effect in 2007) [1].

So that tells me that vendors just put numbers down to impress people; they really don’t know that it is an out-of-date standard number that has been superseded by ISO 27002.

References:

[1] E. Conrad, 11th Hour CISSP Study Guide, Syngress, Burlington, MA, 2011, pp 14.

 

CISSP Study Updates: vBookz vs. Voice Dream

I am 4 chapters into Shon Harris’ CISSP All-in-One book, and I’ve been getting 60% to 70% on the end-of-chapter questions on the first try.  A few initial thoughts are as follows.

The Shon Harris book is good, with lots of material, but her writing style is very wordy and long-winded, and her humor is not really my style and isn’t that funny.   I feel sometimes that I know there is a structure, but there are cases where it seems that we have just gone off on a tangent.   Don’t get me wrong, it was still relevant, but just off on a tangent.  There are other times where I feel that the book has a lot of repetition and is not very efficient at communicating the 10 main domains.  But then again, there is a lot of overlapping material within the 10 different domains.   With all that said, there is a lot of great material in the book and I think it will be a great reference book after I am done with the CISSP exam.

So this week I was a bit behind on my reading… so I added some additional resources to help with my preparation.

1)  Because of how long it takes to get through Shon Harris’ book, I decided to try out Eric Conrad’s CISSP Study Guide.  I already have the 11th Hour study guide, but I thought I would give the regular study guide a go.

CAUTION: The domain numbers are different from those in the All-In-One book.  All domains are covered, but the numbering differs.  So be careful when you refer to a domain by its number alone.  Always refer to the actual domain name, for example the Access Control domain.

My initial thought is that the book is a lot thinner and not as wordy. I think it is a good supplement to my CISSP study.  So the current goal is to use the All-in-One as the primary path and the different supplementary resources to help me out.

2) CISSP Meet up

Last Thursday, I joined a CISSP meetup group to meet with a small group of folks to chat about CISSP and get more focused on my studies.  It’s a very small group, but they all seem to be very nice.  I hope we all pass in the near future.

3) So in an earlier post, I talked about using a text-to-speech app to help me get through the books.  Well, I have to say, after about 2 chapters with the vBookz voice reader, I was very disappointed.  Here’s why.

  • Constant crashing and slowdowns on certain sections of the PDF file.
  • Acronyms… it is very annoying how inconsistently vBookz reads acronyms: sometimes it reads them as they sound, sometimes letter by letter, and sometimes it even replaces the acronym with a word (e.g. vBookz will read “CA” as “California” when in context CA meant certificate authority).  Is there any way to set how vBookz reads acronyms?  If they were all read as letters I would be fine with that… it is just the inconsistency that bothers me and makes it hard to understand.
  • Split words. In my document there are a lot of words that are split from line to line with a dash (-).  So for example the word “individuals”, split between two lines, becomes individu-als, and vBookz reads it as two words.  I can understand it most of the time, but there are times where it doesn’t make sense.
  • Bullets.  When vBookz reads a bulleted list… it is just unbearable: small bullet… xyz… small bullet… abc… small bullet, etc., on and on…
  • Page numbers, headers and footers… there is no way for vBookz to skip any text, so when you are listening to a page it will inject the next page’s header and number and continue to read on.  It’s pretty disruptive.

vBookz vs. Voice Dream

So after emailing the author and looking around for alternatives, I decided to drop another $10 and try the Voice Dream app.  Oh my gosh, it was night and day!!!

I only wish I had found this sooner.  This app actually took care of most of the concerns I had.

  • It automatically joins all split words.
  • It has a pronunciation dictionary that lets you set how you want words or acronyms pronounced.
  • It lets you skip text, so things like headers and footers can be skipped.
  • It lets you use RegEx to define the filter for things to skip… so now I can also skip all the page numbers!!
  • Bonus: it treats the document like an audio file.  It tells you how much time is left until the end and how much has been read already.
  • Bonus: it can be controlled like an audio file with the earphone remote, etc.
  • Bonus: it works with Dropbox and iCloud.

All in all, it is a very well-designed app and the WINNER between the two.

However, it does have a few bugs in this version, which I communicated to the app author, and he agreed to look into them.   I will update this blog if I see my suggestions implemented.

I think it was worth the $10 price tag.  This voice reader app is much more refined and well thought out than vBookz.

So all in all… I am slowly moving along the CISSP certification study process, and it is sticky and nasty.

Other certifications to be considered

I know that I have barely started on my CISSP certification, but I am already looking at what will be coming up next.

As I stated at the beginning, I already started on my CWNA certification study as well; however, I will not continue full-on with that certification until I complete my CISSP certification in November 2013.  A few other certifications that I am considering are the following.

1) PMP Certification – Project Management Professional (PMP)  from Project Management Institute

2) ITIL v3 Foundation certification  –  Information Technology Infrastructure Library (ITIL) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business.

I believe these certs will add to my credentials.  The CISSP should help with the ITIL cert since there are some similar domains.

More study help and downloading flash streaming podcast as mp3s

So I am really bad at stopping the search for more free training information and actually studying more… so I will share what I’ve found.

I think these overviews should not be your primary study material, but they are good to listen to in order to refresh what you have read or to get your feet wet in each one of the domains.

First, more free video training.

Based on Shon Harris’s CISSP All-in-One book, there is a FREE 10-video overview, one video per domain, by SearchSecurity.

http://searchsecurity.techtarget.com/feature/CISSP-Essentials-training-Domain-1-Security-Management-Practices

Just scroll to the bottom and click on the video.  You will need to provide a valid email address. Oh, and also videos 6-10 are in the links in the comments of each video page.

 

Second, as I mentioned in my previous post, there is a series of 10 audio podcasts based on Eric Conrad’s CISSP Study Guide.

http://booksite.syngress.com/companion/conrad/podcasts.php

So the problem with Eric Conrad’s CISSP audio podcasts is that the audio files are streamed through a Flash application; my iPhone doesn’t support Flash, and most web plugins such as the FVD Downloader Chrome extension don’t detect the audio files, so I can’t download them that way.  So, since this is a security / hacking blog, here is a tip.

tl;dr: USE rtmpdump

So how I found this solution is as follows:

1. In Chrome, I used Inspect Element and the Resources tab. Look under

podcast.php / XHR / mp3_playlistXML.xml

I found this

http://booksite.syngress.com/companion/conrad/mp3_playlistXML.xml

Each line in the XML file shows the location of one file, and each is streamed via RTMP.

For example first podcast,

<videoname flvurl="rtmp://media.us.elsevierhealth.com/conrad_cissp_study_guide_mp3s/mp3:domain_01" desc="Podcast 1 - Domain 1"/>

2. So I found RTMPDump.  RTMP = Real Time Messaging Protocol.

and in short

 rtmpdump -r "rtmp://media.us.elsevierhealth.com/conrad_cissp_study_guide_mp3s/mp3:domain_01" -o domain01.mp3

And repeat for all the other domains and mp3s.  There you go.  I hope it helps.
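Rather than repeating the rtmpdump one-liner ten times by hand, the playlist can be parsed and the commands generated.  This is an added example and not part of the original post.  The XML below is a constructed stand-in for mp3_playlistXML.xml with the same <videoname flvurl="…" desc="…"/> shape quoted above; only the first entry’s URL is taken from the post, the second is made up to show the loop, and the real file has ten entries.  With run=False the script only prints the commands, so it can be checked offline before anything is downloaded.

```python
"""Generate one rtmpdump command per entry of the RTMP playlist XML.

Added example, not from the original post. SAMPLE_PLAYLIST is a constructed
stand-in for mp3_playlistXML.xml; only the first URL appears in the post.
"""
import shlex
import subprocess
import xml.etree.ElementTree as ET

SAMPLE_PLAYLIST = """<?xml version="1.0"?>
<playlist>
  <videoname flvurl="rtmp://media.us.elsevierhealth.com/conrad_cissp_study_guide_mp3s/mp3:domain_01" desc="Podcast 1 - Domain 1"/>
  <videoname flvurl="rtmp://media.us.elsevierhealth.com/conrad_cissp_study_guide_mp3s/mp3:domain_02" desc="Podcast 2 - Domain 2"/>
  <videoname flvurl="http://example.invalid/not-rtmp" desc="malformed entry, skipped"/>
</playlist>
"""


def parse_playlist(xml_text):
    """Return [(rtmp_url, output_filename), ...] from the playlist XML.

    The stream name after "mp3:" becomes the local file name, so
    ".../mp3:domain_01" is saved as "domain_01.mp3". Entries whose URL is
    not an rtmp:// URL are skipped instead of being handed to rtmpdump.
    """
    root = ET.fromstring(xml_text)
    entries = []
    for node in root.iter("videoname"):
        url = node.get("flvurl", "")
        if not url.startswith("rtmp://"):
            continue
        stream = url.rsplit("/", 1)[-1]          # "mp3:domain_01"
        name = stream.split(":", 1)[-1]          # "domain_01"
        entries.append((url, f"{name}.mp3"))
    return entries


def rtmpdump_argv(url, outfile):
    """argv for the same invocation as the post's one-liner: rtmpdump -r URL -o FILE."""
    return ["rtmpdump", "-r", url, "-o", outfile]


def download_all(xml_text, run=False):
    """Print one rtmpdump command per entry; execute them only if run=True."""
    commands = [rtmpdump_argv(url, out) for url, out in parse_playlist(xml_text)]
    for argv in commands:
        print(shlex.join(argv))
        if run:
            subprocess.run(argv, check=True)
    return commands


if __name__ == "__main__":
    download_all(SAMPLE_PLAYLIST)   # dry run: prints the commands only
```

To use it against the real playlist, fetch mp3_playlistXML.xml, read it into a string, and call download_all(text, run=True) with rtmpdump on your PATH.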

Access Control Authentication Factor based on Location

While I was listening to Eric Conrad’s podcast, which by the way is another free CISSP resource, I learned something new that I thought was interesting.  When I was getting my master’s in Information Assurance from ISU, whenever we talked about multi-factor authentication, we always talked about 3 unique factors.

  • Something you know (e.g. passwords, passcodes)
  • Something you have (e.g. key fobs, ID cards, key cards, tokens)
  • Something you are (e.g. biometrics such as finger print, DNA, retina or iris scan)

This is talked about very often in every IA/security textbook, but Conrad talked about something that I had thought about but had not really considered a category of its own:

  • Where you are (e.g. GPS location)

This is very interesting because, for the first time in human history, we can actually track almost every user thanks to the ubiquitous use of cellular phones.   This means that your location can be an authentication factor.

For example, suppose a location is assigned to the computer or device that you are trying to access.  When you try to access that device, it verifies your location to see whether you are in proximity to where it is, and that provides a second factor of authentication.  However, this should only be used as a second form of authentication and not as the primary means to authenticate.
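The proximity check described above, written out as an added example (not code from the post, from Conrad’s book, or from my 2010 paper).  The registered office coordinates, the 150 m fence, the 5-minute freshness window and the sample fixes are all assumptions chosen for illustration.  Two details matter in practice and are included: a fix is only accepted if it is recent, and its reported accuracy has to be small enough that the whole uncertainty circle fits inside the fence, otherwise the phone cannot actually prove proximity.  The password (or other primary factor) is checked first; the location only gates after it.

```python
"""Location as a second authentication factor, gated behind the primary factor.

Added example, not from the original post. Registered location, radius,
freshness window and sample fixes are assumptions for illustration.
"""
import math
import time

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def location_factor_ok(registered, fix, radius_m=150.0, max_age_s=300, now=None):
    """Second-factor check against the location assigned to the protected device.

    registered: (lat, lon) of the protected device.
    fix: dict with lat, lon, accuracy_m (radius the phone reports for the fix)
         and ts (epoch seconds when the fix was taken).
    Returns (ok, distance_m_or_None, reason).
    """
    now = time.time() if now is None else now
    age = now - fix["ts"]
    if age < 0 or age > max_age_s:
        return False, None, "stale or future-dated fix"
    # A fix less precise than the fence itself cannot demonstrate proximity.
    if fix["accuracy_m"] > radius_m:
        return False, None, "fix too imprecise"
    d = haversine_m(registered[0], registered[1], fix["lat"], fix["lon"])
    # Conservative: the whole uncertainty circle must lie inside the fence.
    if d + fix["accuracy_m"] <= radius_m:
        return True, d, "within fence"
    return False, d, "outside fence"


def authenticate(password_ok, registered, fix, **kw):
    """Location never replaces the primary factor; it is consulted only after it."""
    if not password_ok:
        return False, "primary factor failed"
    ok, _distance, reason = location_factor_ok(registered, fix, **kw)
    return ok, reason


if __name__ == "__main__":
    office = (41.5868, -93.6250)                     # assumed registered location
    t0 = 1_700_000_000                                # fixed "now" for a repeatable demo
    near = {"lat": 41.5872, "lon": -93.6246, "accuracy_m": 20, "ts": t0 - 30}
    far = {"lat": 41.6000, "lon": -93.6250, "accuracy_m": 20, "ts": t0 - 30}
    print(authenticate(True, office, near, now=t0))   # (True, 'within fence')
    print(authenticate(True, office, far, now=t0))    # (False, 'outside fence')
```

Note what this does and does not defend against: it rejects a login from a phone that is genuinely elsewhere, but a reported GPS fix is just data from a device the user holds, which is exactly why it behaves like "something you have" rather than an independent factor.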

What is interesting is that I actually did research on this topic back in 2010.  I presented a short IEEE paper in Macau on Secondary User Authentication Based on Mobile Device Location.

Now, I don’t completely agree that this should be its own factor of authentication; I believe it is a subset of “something you have”.  The reason is that in order for you to have a location, you must have your cellphone or some sort of device that transmits or provides location capability.  In that case it is no different from having a key fob or an ID card.

But it is still interesting to see that Conrad considered location as a factor of authentication.

 

Free CISSP Class from IT Masters and Charles Sturt University in Australia

Amazing!!!

IT Masters and Charles Sturt University in Australia are offering, for free, a six-week online course designed to prepare students for the Certified Information Systems Security Professional (CISSP) security certification.  This type of course typically costs around $1500 to $3800 US.

The course will run over six weeks starting Wednesday, July 17, 2013 (tomorrow), with lectures via weekly 90-minute webinars from 12:30-14:00 AEST (7:30 PM PDT) each Wednesday.  Because of the high demand, they are also opening a second class from 15:00-16:30 AEST (10:00 PM PDT).  The classes will be available for video download if you can’t make the actual class.   In addition, students will be asked to do a total of 10-12 hours of study between webinars.

So what are you waiting for?  Go register and see you in class!!!

Link: http://www.itmasters.edu.au/free-short-course-cissp-security/