Least Privileged

Apparently I don't need to know!

The Adventure Continues…Coming up with Plan B

Posted by -Durk- on January 8, 2010

The Monday after I took the CISSP exam I was still pissed.  If you recall the 3 thoughts I had:

I had 3 immediate thoughts during and right after the exam:

  1. Inch deep mile wide my ass! I wrote this on the inside cover of the exam booklet.
  2. My boss got ripped off on the 300 (ISC)² questions! The exam simply wasn’t like the practice test questions.
  3. I’m gonna have words with my co-workers who said that the test questions we were studying are an accurate representation of the real exam.

I spent MUCH time and focus on taking practice tests.  I still feel this was the right thing to do, but I need to find questions that are closer to the exam.  That same Monday after the test I looked at a few resources that we had not focused on.  The (ISC)² Official Guide book came with a CD that has something called Transcender on it.  There were several hundred questions.  I think I will start there.

The other key is being in a study group.  Fortunately one of my co-workers passed!  YAY D!  Unfortunately at least one of my co-workers failed (one is still unknown as I write this).  It seems logical since he and I studied the exact same stuff together and were at pretty much the same level throughout.

So there you have it, the initial content of Plan B is studying better practice questions in a study group.  Plan B is eerily similar to Plan A.  But hey, Plan A got me 93.42% to the goal of passing.  A pessimist might say it failed me 6.58%.  Whatever.  I am pressing on!

Posted in CISSP Exam, CISSP Preparation

Another Statistic

Posted by -Durk- on January 8, 2010

I received my CISSP results today.  I am now part of the 80% of the people that fail the CISSP exam their first time.  I got 65% and needed a 70%, so I barely failed. Time to put Plan B into effect.

Here is the form email:

Dear Candidate,       Certificate Number: 360xxx

Thank you for sitting for the Certified Information Systems Security Professional (CISSP)® examination on 12/05/2009. We recognize and commend the significant personal commitment you made with regard to the testing experience, as well as the time and effort spent preparing for the exam.  We are sorry, however, to inform you that you did not achieve a passing score.  Your scaled score on the examination was 654. A scaled score of 700 or higher is required to achieve a PASS status on the examination.

To help you understand how you performed on the examination, the content areas that are tested in the exam are listed below.  Next to each domain is a ranking number that indicates your relative performance in answering the questions for that domain.  For instance, the numeral 1 indicates your highest scoring domain, and the number 10 indicates your lowest scoring domain.

ACCESS CONTROL (7)
TELECOMMUNICATIONS & NETWORK SECURITY (10)
INFORMATION SECURITY & RISK MANAGEMENT (4)
APPLICATION SECURITY (6)
CRYPTOGRAPHY (2)
SECURITY ARCHITECTURE & DESIGN (8)
OPERATIONS SECURITY (3)
BUSINESS CONTINUITY & DISASTER RECOVERY PLANNING (1)
LEGAL, REGULATIONS, COMPLIANCE & INVESTIGATIONS (5)
PHYSICAL (ENVIRONMENTAL) SECURITY (9)

We hope you will reapply to take the exam again.  The above performance information should guide you in your preparation efforts.  If you haven’t previously acquired a copy of the Study Guide or Candidate Information Bulletin, it is highly recommended that you do so.  In addition, CBK® Review Seminars are also available through (ISC)² and could be effectively utilized by focusing on the course modules corresponding to those domains requiring the most improvement.

For examination retakes, you must complete and submit the examination application again.  The application provides (ISC)² with contact information and requires that you demonstrate the mandatory experience. Through the application, you will also execute the Candidate Agreement, select your test site and date, and submit the appropriate fee.  Visit www.isc2.org for registration information.

Thank you for your participation, and we wish you the best of luck in your future endeavors.

(ISC)² Services

Of course I am a little disappointed, but this was not unexpected; the CISSP exam was a HUGE slap in the face.  Now I know what to expect.

Next post:  Coming up with Plan B.

Posted in CISSP Exam

The Waiting Game

Posted by -Durk- on December 28, 2009

I am still waiting on the results.  I am not stressing too much.  The first team of folks were going crazy waiting and did the Happy Dance when they passed.  I either passed or I failed.  If I passed, awesome, I’ll be Happy Dancing for a long while.  If I failed I have a plan.  Well, I have the start of a plan.

The waiting does suck.

1/8/10 update:  I received my CISSP results today from (ISC)².  I am now part of the 80% of the people that fail the CISSP exam their first time.  I got 65% and needed a 70%, so I barely failed. Time to put Plan B into effect.

Posted in CISSP Exam

Taking the CISSP Exam – My Personal Experience

Posted by -Durk- on December 18, 2009

There were two groups of folks from my work who prepared and took the CISSP exam. The first group of 3 (including my boss) started off with a CISSP boot camp, studied for about 10 weeks, traveled to a different city, stayed in a hotel and took the exam. They felt very unsure after the exam and thought that they either barely passed or barely failed. They all passed. So the pressure was on me and the rest of the second group! The first group studied about 500 hours.

There were 4 guys from my team that made up the second group (including me). I started out with just the AIO Shon Harris book (Fourth Edition) and the online searchsecurity.com site that is extremely introductory but has some short Shon Harris videos (basically just introduces each domain). Shortly after I added a SANS audio/slides series taught by Eric Cole. The audio and slides were from a 1-week CISSP boot camp sponsored by SANS.  And then I took many tests (http://www.freepracticetests.org/quiz/quiz.php). And failed miserably! I had to switch gears!

SO, the first thing I did was start a study group. I really think this is key. It was definitely a turning point for me.  If you can get a study buddy then DO IT! We added a video series by Shon Harris. I also made some study cards based on a boot camp that centers around the Shon Harris book. The first group of 3 guys went through that actual boot camp by Eric Reed, they traveled and went through a week of hell. They said it was a waste of money. It was not sponsored by ISC2, but still a waste (in their opinion).

We conned our boss into buying 300 practice questions from ISC2. They are pretty good questions, but nowhere near the difficulty level of the real exam. And we focused on the freepracticetests.org site. We generated questions across each individual domain that we studied and focused on the pro questions. But then we discovered later on that the pro level (the hardest) doesn’t give you many of the easy/medium/hard questions, but seems to pad with the rookie questions. So then we went back and generated 250 (or the max) for each level (Rookie, Easy, Medium, Hard & Pro) across all domains. If I had a chance to do it again (and I just might!) I would do each level for each individual domain (or 50 different tests).

Once we generated the questions we copied/pasted into note pad or text pad, printed the questions off, created a scan tron sheet (link here) and we practiced taking the real exam with the questions from freepracticetests.org. We were scoring in the mid to upper 80s to lower 90s. We made it a practice to write on the test. We wrote the answer (A, B, C or D) on the test, crossed off the wrong answers, made notes, circled or underlined key words, marked questions that we were unsure or not confident about, etc.

One of the guys on our team used the Official ISC2 book and we also used an Exam Cram book and Exam Cram practice test book; we mostly used these as a reference along with wikipedia. I estimated that I studied around 300 hours, just me.

The exam that we registered for was in our metro area, but about 45 minutes away. We conned our boss into letting us stay in the hotel that was hosting the exam the night before the exam. That way there were no worries about traffic or travel. We relaxed the night before, did a little bit of last-minute testing and cramming and we felt pretty darn good. We visited the conference room where the exam would be held; nothing too special, but still building up our confidence. We made sure that we woke up 2 hours before the exam and we were ready to go when the doors opened a half hour before the instructions were given. The room was packed, about 40 testers, most of whom seemed to be there for the CISSP exam.

And then there was the taking of the real CISSP exam after all that preparation. Holy hell. It was like a blow to the head from out of nowhere.

I came up with the idea of a cheat sheet. I started to create a cheat sheet (link here) that I wanted to memorize so that when I sat down for the exam I could just begin to write these notes on paper and create a cheat sheet from memory!  I was proud of myself, before I even looked at a question I scribbled my notes on the inside of the first page. I made a half a page of notes. The OSI model, reserved IP range, Bell LaPadula, Biba and Clark Wilson model and some notes. And a few others. I never used any of it! I had one question on the OSI model and it was about an optical cable…physical layer.  That was the easiest question on the test.  Maybe the only easy question on the test.  And I still spent a good 2-3 mins making sure I wasn’t being tricked.

About 3 pages in I had to close the booklet to make sure I was actually taking a CISSP exam. There were a couple of other exams being offered at the same time. Unfortunately I had the right exam. I will say this: for about 3-4% of the questions I knew the answer before I saw the choices, but there were about the same amount where I didn’t have a freaking clue, as in I totally and completely guessed, but only 5-7 questions. For MOST of the questions I was able to cross off 2 of the 4 answers and make a pretty good decision about the final answer, as in I felt pretty good about the answer I picked.  I didn’t second guess too much.

Some questions took up a half or a whole page. It took me 5 solid hours. I took 2-3 bathroom breaks. I had 2-3 plastic 20oz bottles of Pepsi. I had a few chocolate granola bars. I went through 3 pencils (that they provided). It was brutal. I planned to review the questions I didn’t feel too good about, but just didn’t have it in me; plus I went a tad slower and was pretty comfortable with the answers I chose. 2 of the others in my group also took a solid 5 hours and one took about 3. I am very unsure of how I did. I THINK I guessed OK most of the time.

I had 3 immediate thoughts during and right after the exam:

  1. Inch deep mile wide my ass! I wrote this on the inside cover of the exam booklet.
  2. My boss got ripped off on the 300 ISC2 questions! The exam simply wasn’t like the practice test questions.
  3. I’m gonna have words with my co-workers who said that the test questions we were studying are an accurate representation of the real exam.

Most of the others on my team that took the exam were almost sure that they failed. The first group of 3 that took the exam last summer felt the exact same way, 2 were sure they failed and were on pins and needles waiting for the results. Boss thought that they would all barely pass (or barely fail).  They all passed!  They too expressed frustration with the practice questions they studied.

There was only 1 in my group that took the exam with me that is pretty confident that he passed. He has been in the telecom and tech industry for 20 years, and honestly, he is the smartest person I know. I am sure he passed. The other 3 of us just flat out don’t know. If I failed then I think I only missed the mark by a little; I doubt I got less than 60%. And I am very confident that I can switch gears and study another month or 2 and pass no problem.

My co-worker keeps asking if I think I got 75 questions wrong, since that is about how many you can miss and still pass. The questions are weighted so that is not completely accurate. ISC2 throws out 25 that they use to just test the waters.  70% of 250 would mean one could miss 75 questions, but 250 minus 25 is 225, and 70% of that is about 67 questions.  So technically one could miss 67 plus 25, or 92!  I really don’t know how I did! I sure could have missed 75 questions! I just don’t know. Hopefully I will know before Christmas.

I took the CISSP exam December 5th, 2009. It is my understanding that they just wait until they have “enough” exams and then they grade them all. So I don’t know when they will grade them or when I will get the results.

I will let you know ASAP! And I will be honest about the results.

1/8/10 update:  I received my CISSP results today from (ISC)².  I am now part of the 80% of the people that fail the CISSP exam their first time.  I got 65% and needed a 70%, so I barely failed. Time to put Plan B into effect.

Posted in CISSP, CISSP Exam, CISSP Preparation, Training, Uncategorized

Practice, Practiced, Practice

Posted by -Durk- on December 18, 2009

In my opinion taking practice tests is essential. How do you know if you are processing the info you are studying? How do you know where the CISSP focus is? How can you prepare to read poorly written questions (and there were some terribly worded questions on the real exam)? PRACTICE TESTS! The practice tests help you determine where your weaknesses and strengths are and help you get a feel for what the questions will be like (although the actual exam was much more difficult than any practice questions that I have found so far, by far). Most of the CISSP texts and websites mentioned within this blog have practice questions. My boss also bought 300 of the ISC2 CISSP questions for $300, a great idea, but again, not on the same difficulty level as the real exam. It wasn’t a waste of money, but it is not a fair representation of questions that will be on the real exam.

Read a section, take a short test. Read a chapter, take a longer test. Watch a video, take a test. Listen to a lecture, take a test! Repeat tests for domains you studied a couple of weeks ago.

It is also important to identify questions you are getting consistently wrong and unlearn whatever is leading you to pick the wrong answer.

Here are my tips:

  • Time yourself. Get a feel for how long it takes you to take tests of different lengths and different levels.
  • Work up to 250 questions SLOWLY. Start with 10 rookie questions from a domain or all domains. Then go to 25, then 50, etc. Then go up a level and do the same. The important thing is that you are testing while you are initially learning.
  • Don’t be afraid to quit a test in the middle. Note how many you answered then note how many you got right in the results.
  • Review the questions you got right! Did you guess or did you really know it? If you guessed learn it!
  • Be encouraged with your progress and don’t be discouraged when you fail. NOW YOU KNOW WHERE YOU NEED TO FOCUS!! Focus your study to your problem areas.
  • Don’t take the real exam until you are scoring into the 90 percent range.
  • Remember that you only need 70% for the real exam, but the real exam is much harder than any tests I practiced.

My recommendation is to study through all of the domains and build up to this:

  • Generate 250 (or max) questions on each domain at each level (rookie, easy, medium, hard and Pro). This would be 10 domains times 5 levels or 50 different tests.
  • Generate 250 questions from across all domains at each level (rookie, easy, medium, hard and Pro). This would be 5 tests of 250 questions.
  • Always choose these settings: “closely related”, uncheck “Shuffle answers in questions”, uncheck “Review only incorrect answers”, uncheck “Activate timer”

I also strongly recommend simulating the real test as much as possible. You don’t have to do this in the core of your studying, but after you have gone through the domains a time or two focus on paper tests and a paper “scan tron” answer sheet. After generating a test select all, copy it into notepad, print it out. Submit answers for grading (without answering any) and copy the answers into notepad, print it out. Finally download and print the 250_Answer_Sheet.xls here. Here are some tips:

  • WRITE ON THE TEST. Write notes. Notate confidence level for an answer. Cross out wrong answers. Circle key words. Write the corresponding letter (answer) ON THE TEST. I went through 3 pencils on the real exam (they provide pencils, no highlighters allowed, no scratch paper allowed, there is a blank page on the inside of the test). Another good reason to write the answer on the test is if you get messed up and off on the answer sheet, you can always refer to the written letter answers on the test to fix.
  • Transfer answers one page at a time to the “scan tron” answer sheet. Pay careful attention when transferring to select the right answer.
  • Review your answers. When you are finished with the test go back and review your answers, look for questions that you identified as unsure. It is rarely good to second guess yourself, so skip over questions that you felt pretty good about and focus on the questions you struggled with.
  • TAKE BREAKS! You can take breaks on the real exam, so practice that too!
  • Pay attention to what makes you comfortable and uncomfortable, posture, breaks, drinks, etc.
  • TAKE YOUR SWEET TIME! The real exam is 6 hours. I used up 5 solid hours, took 3-4 breaks, ate 2-3 chocolate granola bars, went through 2-3 20 oz plastic bottles of Pepsi.
  • Be mindful of the times you take the tests versus results. We took many practice tests at 7 or 8 at night. We usually did a little worse. Thankfully the real exam is at 9 in the morning.

Posted in CISSP, CISSP Exam, CISSP Preparation, Training

Switching Gears

Posted by -Durk- on December 18, 2009

(Insert sound of SCREECHING brakes here!)

About week 6-7 a few things happened.  One was my family got the swine flu.  But more importantly I started to feel like I really needed to switch gears.  SOMETHING had to change.  I just kept doing really awful on the CISSP practice tests (at a pro level).  I expressed this to my co-worker who was also studying for the exam and he too overwhelmingly agreed that something had to change!  From day one we talked about meeting and forming a study group.  We finally agreed that talk was cheap and met one weekend at work in a meeting room with a projector.

The change was just what was needed!  It was a night and day difference.  I was still studying the same video and audio files, but I was much more focused.  We continued to meet and put in some major hours of studying.

I’ll talk more about that, but next some study observations.

Posted in CISSP, CISSP Exam, CISSP Preparation, Training

Week Six: Cryptology (Domain 6 in book, 3 on website)

Posted by -Durk- on October 10, 2009

Study Plan:

Things to note:  Not quite as difficult as I thought it would be.

Posted in Uncategorized

Week Five: Telecommunications & Network Security (Domain 5 in book, 5 on website)

Posted by -Durk- on October 10, 2009

Study Plan:

Study organization: Study Guide, What to Review and Flash Cards

I have been noting what things to put together for a possible study guide.  Maybe for something to use to cram with or to put onto flash cards.  The cool thing is that the entire Shon Harris book is on .PDF, there are .PDF slides that correspond to the Eric Cole lectures, and I have been copying tests into Word documents and formatting them so that they are easy to read.  To save room I print 4 pages to a page and print front/back.  Eric Cole identifies a few slides that just need to be memorized, he recommends printing these out and reviewing throughout the day (in the bathroom).  Some things I have identified so far:

  • The “Quick Tips”, “Questions” and “Answers” section from the book
  • Practice tests from http://freepracticetests.org, select the domain, 250 questions, closely related, generate quiz, submit answers (this also produces explanations) and then print.  I take out unneeded lines and highlight the answer.
  • Any slides that Eric Cole identifies as needing to be memorized.
  • Practice tests from the Eric Cole lectures

TIP/TRICK: Taking the Test

One of the things that I really appreciate about the Eric Cole lectures is that he gives many useful tips and tricks.  He provides memory techniques, identifies what needs to be memorized, provides very memorable examples and re-explains things when questioned.  He teaches you how to learn and identifies what you just need to memorize, all to prepare you to take and pass the exam.  Cole talks about the test a lot:  it is designed to trick you; take short breaks; show up an hour early; exit the real world and enter the (ISC)² world; etc.

He provides suggestions on how to take the test.  He suggests looking at the answers FIRST, then very carefully reading the question (especially when getting tired; I practiced this and it works in some cases).  He recommends, once finished with the test, going back and re-reading the questions, looking for the word NOT, etc., something that may have been missed the first time.  However, he recommends not second guessing answers.  If you know you misread the question, correct your answer.  I also noticed that there are statements in questions that reveal answers to other questions.  He recommends WRITING on the test.  Circle or indicate your answers (in case you get off on the fill-in-the-oval answer sheet you can use the test to correct), indicate questions that you were unsure about or that you wish to revisit (but always select an answer), write diagrams, phrases, triads, etc.  Bring a HIGHLIGHTER with you.  All very good stuff.

Things to note:  All the domains are rough.  This one is the longest…

Results:  I got sick…pneumonia.

CISSP in My Real World:  I work in the telecommunications world.  So many words and phrases were very familiar.  The problem is that I do not have a very technical understanding of most of the things I use on a daily basis.  I telnet to devices all day long, but what does it mean to telnet and how does it work?

Posted in Uncategorized

Week Four: Application Security (Domain 9 in book, 6 on website)

Posted by -Durk- on October 10, 2009

Study Plan:

Posted in Uncategorized

Week Three: Security Architecture and Design (Domain 3 in book, 4 on website)

Posted by -Durk- on September 20, 2009

Study Plan:

Study organization: Video Plus Book, and Test

I have been watching the video and then reading the book and then taking a test, duh.  But I think I am going to change it a bit again.  I think I am going to watch a section of video, read the corresponding parts in the book and then take a test on just that part.  Then repeat.

Well, I tried that all day Saturday and here it is Sunday and I am no better than I was on Friday.  SO…I am going to change it up again.  I am going to bring up a 250-question test from freepracticetests.org and find the answers in the book.  Study that section and then go on.  I will use the videos when I can’t see straight anymore or need a break.

I answered 50 questions; it took me 2 hours and I got 30 correct.  Open book. Next.

And then….(drum roll please)…I found…the following…

TIP/TRICK:  Switching Presenters!!!

Management 414 SANS +S Training Program for the CISSP Certification Exam presented by Eric Cole!  Holy crap he is good!  He is interesting and funny and provides memory techniques!  I also have the corresponding slides on .PDF!  Wow, GOOOOOD stuff!  This is what I need!  This is a boot camp on CD.  The audio is from 6 classes, 8:00am to 7:00pm, Monday through Saturday.  There are about 125 slides per day.  He takes questions, and provides practice questions where he talks through the answers!  He tries to teach you the concepts logically, specifies those few that just don’t make sense, and provides a handful of slides that are simply rote memorization.   Amazing stuff.  Let’s see if it can produce results.  I studied about 12 hours on Sunday.

Things to note: This domain is boring, dry; you are getting sleepy, very, very sleepy.  It is one thing to say that this material is not fun…but…wow.  What is a Biba?  Maybe it was the presenter.  Eric Cole made it much more palatable!

Another thing to note, the SANS stuff is slightly dated, not in the sense of being outdated, but it is organized differently from the book.  The domains and the info in the domains are organized differently.  Not a huge deal unless you are trying to use both.  I am trying to use both.

Results:  This ended up being a very busy week for me.  I studied my butt off on the weekend and at the beginning of the week, but work got in the way later in the week.  This one was rough.

CISSP in My Real World:  I recognize many things in this chapter too, but I have an extremely basic to nil understanding.  I know what a CPU is, but I don’t have an in-depth understanding of how it works.  Same with RAM and ROM and machine language and I/O and multitasking and multithreading and on and on.  Endless in-depth, dry discussion.

Test result on domain:  68%

Posted in Uncategorized