Inch Deep, Mile Wide

The CISSP Journey


Taking the CISSP Exam – My Personal Experience

Posted by -Durk- on December 18, 2009

There were two groups of folks from my workgroup who prepared and took the CISSP exam. The first group of 3 (including my boss) started off with a CISSP boot camp, studied for about 10 weeks, traveled to a different city, stayed in a hotel and took the exam. They felt very unsure after the exam and thought that they either barely passed or barely failed. They all passed. So the pressure was on me and the rest of the second group! The first group studied about 500 hours.

There were 4 guys from my team that made up the second group (including me). I started out with just the AIO Shon Harris book (Fourth Edition) and the online searchsecurity.com site that is extremely introductory but has some short Shon Harris videos (basically just introduces each domain). Shortly after I added a SANS audio/slides series taught by Eric Cole. The audio and slides were from a 1-week CISSP boot camp sponsored by SANS. And then I took many practice tests (http://www.freepracticetests.org/quiz/quiz.php). And I was failing miserably! I had to switch gears!

Posted in CISSP, CISSP Exam, CISSP Preparation | 76 Comments »

The Secret Life of Passwords (New York Times article)

Posted by -Durk- on March 9, 2016

I found this article extremely interesting and a really great read!

“Passwords do more than protect data. They protect dreams, secrets, fears and even clues to troubled pasts, and for some, they serve as an everyday reminder of what matters most.”

I would love to read your thoughts.

New York Times – The Secret Life of Passwords

Posted in Security, Trends | Leave a Comment »

(ISC)² Official Announcement of the (ISC)² Kansas City Metro Chapter and Inaugural Meeting

Posted by -Durk- on December 23, 2014

From (ISC)²:

Dear Member,

(ISC)² is proud to announce that the (ISC)² Kansas City Metro Chapter has recently received its charter and is now an official chapter of (ISC)²! It will provide information security professionals in the local community an opportunity to build a local network of peers to share knowledge, exchange ideas and earn CPEs. In addition, you will be able to:

  • develop or enhance your leadership skills by serving as an officer or chairing a committee
  • pursue speaking or writing opportunities for chapter functions or general public
  • collaborate with other local chapter organizations to develop synergy and share knowledge
  • advance security awareness within the local community, from children to senior citizens
  • mentor students as they pursue and enter the information security profession

The (ISC)² Kansas City Metro Chapter will be holding its inaugural chapter meeting on January 7, 2015. Details about this event are listed below:

When: January 7th, 2015 (The first Wednesday of January)
Time: 6:30 PM to 8:30 PM
Where: THE CAVES! Cavern Tech Phase 4
Address: 17501 W 98th St #856, Lenexa, Kansas 66219

To RSVP or learn more about the (ISC)² Kansas City Chapter, please contact Keith Shaw at Kds4269@gmail.com.

Kind regards,
(ISC)² Chapters


That’s right boys and girls, we are meeting in a fricken cave!  OH YEAH!  How cool is that?  For free. With tables and chairs and projector and…well, yeah, like real meeting space.  Our inaugural meeting will include a guest speaker from the FBI who will be facilitating an interactive discussion around the topic of The Insider Threat.

I think our format is what will set us apart from other local security groups.  The format: Roundtable, interactive discussion with security professionals from many different industries, tech companies and organizations, from upper management to operators who have many diverse experiences. We invite knowledgeable and expert members and guests to facilitate and keep the discussion moving along and on-task.

I am serving as the Director of Membership.  And I am super excited about this new local information security group.

Here is our official website:  http://isc2kcchapter.wordpress.com/

If there isn’t a local (ISC)² chapter in your area, consider starting one.

Posted in Uncategorized | Leave a Comment »

Chartering a Local (ISC)² Chapter: Learn from Others

Posted by -Durk- on March 18, 2014

It is always wise to look back before moving forward.  History has much to teach those who are moving into the future.   (ISC)² has an annual (ISC)² Chapter Report that they have available to members and there is a wealth of information within!  The report gives stats and annual reports from chapters all over the world.  But it also offers advice to those that wish to start a new local chapter.  Here is what the report has to say:

Chapter Advice

In the chapter reports, officers offered advice to help new chapters meet their challenges. Below is a summary of their suggestions:

Organization: Develop long and short-term business plans that include the vision and mission of the chapter. Understand and budget for operating and activity costs. Establish a formal process to help gauge success and progress. Establish an open channel of communication among chapter leaders. Hold regular, in-person meetings of chapter officers and provide written copies of agendas at the meetings to establish structure and set expectations. Set goals and follow-up action items at the end of each meeting. And lastly, promote chapter events well in advance.

Growth: As the chapter grows, the number of committee chairs and support volunteers should grow in order to ease the burden on chapter officers and utilize additional resources to organize new initiatives and events for chapter members. It also provides leadership opportunities and encourages member involvement.

Support: New chapters should reach out to more established chapters to learn from their successes and leverage their ideas. Also, chapters should collaborate on initiatives to share resources and generate interest among members. [Chapter contact information can be found in the (ISC)² Chapter Directory at www.isc2.org/ch-directory.] Also, chapters should seek support from members’ employers or local companies to assist with the chapter’s activities when appropriate.

Leadership: Elect members to leadership positions who are enthusiastic and active. Leaders should understand the objectives and share the vision of their chapters and be willing to work to make their chapters successful. Involvement should not be based on self-serving purposes, such as seeking visibility, building one’s resume or earning CPEs. Officers should realize the amount of time and level of commitment required to help build a chapter. Lastly, candidates should be recruited throughout the year.

Overall, the key message was to be patient. It takes a great deal of time and effort to develop a chapter and ensure its success. It is important to understand the duties and responsibilities involved and find people who are willing to make the commitment and are enthusiastic about the vast opportunities available to the chapter and the local community.

Posted in Uncategorized | 1 Comment »

Chartering a Local (ISC)² Chapter: Petitioning Process

Posted by -Durk- on March 18, 2014

Here is an update regarding chartering a local (ISC)² Chapter in Kansas City.   First, from (ISC)²:

Determine Eligibility and Petition to Start an (ISC)² Chapter
First determine if a chapter already exists in your area by referring to the (ISC)² Chapter Directory. If not, then review the (ISC)² Chapter Guidelines for requirements and if eligible, complete and submit the (ISC)² Chapter Petition for review and approval. Once approved, (ISC)² will reserve your requested territory and post your contact details in the directory.

I submitted an (ISC)² Chapter Petition (Feb 21st) and received an initial response from (ISC)² Friday (March 7th). The response indicated that (ISC)² will indeed assist in the formation of a new chapter in Kansas City. WOOT! It informed us that there are 180 members in our area, which is super encouraging. The next step is for the petition to go to the (ISC)² chapter committee for “further review and consideration”. And the response indicated that we “should receive feedback and/or approval within 2-3 weeks.” This approval merely means that we may proceed with forming a charter of a local chapter. It isn’t the acknowledgement that a chapter has been formed.

Although we have a small group of guys that are interested in launching the chapter, I filled out and submitted the petition on my own.  Although this wasn’t a mistake, I would recommend perceiving that you are not one person petitioning (ISC)², but rather a small group.  Use words like “we” and “us” when responding to (ISC)².  Also have an initial mission and vision in mind.

We do not quite have 15 (ISC)² members on board yet. This is our next hurdle. But I am confident that we will gather that group and proceed to the next step of holding an initial start-up meeting.

Here is a quick overview on the steps involved in starting an (ISC)² Chapter in your local community:

  1. Determine Eligibility and Petition to Start an (ISC)² Chapter
    First determine if a chapter already exists in your area by referring to the (ISC)² Chapter Directory. If not, then review the (ISC)² Chapter Guidelines for requirements and if eligible, complete and submit the (ISC)² Chapter Petition for review and approval. Once approved, (ISC)² will reserve your requested territory and post your contact details in the directory.
  2. Hold a Start-up Meeting and Submit an Application
    Notify local members, hold a start-up meeting, discuss chapter goals and plans, elect officers and collect signatures on the (ISC)² Chapter Application from a minimum of 15 (ISC)² members,  and then submit to (ISC)² for review and approval.
  3. Process Documentation and Establish Chapter Governance
    Once the application is approved, you’ll receive an information packet containing the paperwork necessary to finalize the application process.  This includes signing off on the (ISC)² Chapter Affiliation Agreement, registering your chapter (if applicable), and developing your Chapter Bylaws (or other governance document).
  4. Become an Official (ISC)² Chapter and Receive a Welcome Kit
    Once the required paperwork has been processed and finalized, you will become an Official (ISC)² Chapter!  You will receive a welcome kit containing your custom chapter materials and access to the chapter officer portal.
  5. Send Official Chapter Announcement and Hold an Inaugural Meeting
    (ISC)² will send an email notification on your behalf to announce your chapter to all local (ISC)² members within your geographic boundaries, and to invite them to the first chapter meeting.
  6. Maintain Chapter Reporting and Activity Requirements
    Submit interim activity reports after 90 and 180 days of receiving your charter, then annually thereafter; and hold regular chapter member and officer meetings throughout the year.

Posted in Uncategorized | Leave a Comment »

Chartering a Local (ISC)² Chapter

Posted by -Durk- on March 18, 2014

I finished my first 3-year CISSP certification cycle.  I was scrambling to finish the last 30 CPEs, but I finished and am re-certified.

My plan was to write posts that communicated (cool, simple, interesting) ways to earn CPE’s.  But if I were to summarize my CPEs from the last 3 years I would include a few vendor and (ISC)² conferences and a lot of podcasts and training courses.

My co-workers and I have been talking for awhile now about starting a local (ISC)² chapter.  We finally started the process.  There are tons of benefits but what I hope to gain out of the experience is learning leadership and security skills, networking, serving the community and lastly earning CPEs.  Here is what (ISC)² has to say:

Being a member of an (ISC)² Chapter has its benefits. Not only will you gain a sense of fellowship with colleagues in your profession, you will also be able to network and exchange ideas with fellow (ISC)² credential holders and other information security professionals in your local area.  Other opportunities consist of:

  • Advancing Information Security
  • Local network of peers to share knowledge, exchange resources, collaborate on projects
  • Engaging in leadership roles
  • Earning CPEs
  • Participating in co-sponsored events with other industry associations
  • Assisting (ISC)² initiatives by speaking at industry events or writing articles for publication
  • Participating in local community outreach projects (public service) to educate people about information security
  • Receiving special discounts on (ISC)² products and programs

Take the Lead! Start an (ISC)² Chapter in Your Community!

(ISC)² Chapters are forming throughout the world. If a local chapter is not located near you, then start one!  The basic structure of an (ISC)² Chapter is:

  • A minimum of 15 members are required to form a chapter; exceptions may be made for extenuating circumstances
  • Only (ISC)² members are able to start up chapters and serve as officers
  • (ISC)² members are not required to be a member of a chapter
  • Non-(ISC)² members are eligible to join after a chapter has been chartered
  • Chapter member dues are at the discretion of each chapter
  • (ISC)² does not collect fees from chapters

(ISC)² Chapter Formation Process

Here is a quick overview on the steps involved in starting an (ISC)² Chapter in your local community:

  1. Determine Eligibility and Petition to Start an (ISC)² Chapter
    First determine if a chapter already exists in your area by referring to the (ISC)² Chapter Directory. If not, then review the (ISC)² Chapter Guidelines for requirements and if eligible, complete and submit the (ISC)² Chapter Petition for review and approval. Once approved, (ISC)² will reserve your requested territory and post your contact details in the directory.
  2. Hold a Start-up Meeting and Submit an Application
    Notify local members, hold a start-up meeting, discuss chapter goals and plans, elect officers and collect signatures on the (ISC)² Chapter Application from a minimum of 15 (ISC)² members,  and then submit to (ISC)² for review and approval.
  3. Process Documentation and Establish Chapter Governance
    Once the application is approved, you’ll receive an information packet containing the paperwork necessary to finalize the application process.  This includes signing off on the (ISC)² Chapter Affiliation Agreement, registering your chapter (if applicable), and developing your Chapter Bylaws (or other governance document).
  4. Become an Official (ISC)² Chapter and Receive a Welcome Kit
    Once the required paperwork has been processed and finalized, you will become an Official (ISC)² Chapter!  You will receive a welcome kit containing your custom chapter materials and access to the chapter officer portal.
  5. Send Official Chapter Announcement and Hold an Inaugural Meeting
    (ISC)² will send an email notification on your behalf to announce your chapter to all local (ISC)² members within your geographic boundaries, and to invite them to the first chapter meeting.
  6. Maintain Chapter Reporting and Activity Requirements
    Submit interim activity reports after 90 and 180 days of receiving your charter, then annually thereafter; and hold regular chapter member and officer meetings throughout the year.

For questions or more information, contact us at chapters@isc2.org or call +1.727.785.0189.

If there isn’t a local (ISC)² chapter in your area, consider starting one. I will keep you posted!

Posted in Uncategorized | 1 Comment »

iCISSP – (ISC)² goes paperless! Leave Your Pencils at Home

Posted by -Durk- on July 6, 2012

https://www.isc2.org/cbt/default.aspx

(ISC)² is pleased to provide the opportunity for candidates to take computerized examinations via Computer-Based Testing (CBT) at local testing centers worldwide. This new testing method provides candidates with top-of-the-line security measures and a comfortable testing environment. Further, candidates are able to take their examination closer to home, saving both time and money.

Posted in Uncategorized | 1 Comment »

CISSP Continuing Professional Education (CPEs): The Basics

Posted by -Durk- on December 20, 2011

A CISSP-certified individual needs to earn 120 CISSP CPEs over a 3-year period. CISSP Continuing Professional Education (CPEs) are the continuing education that one has to earn to remain CISSP certified. There are two CISSP CPE categories: Category A directly relates to CISSP domains, and Category B relates more to information tech in general (presentations, learning Office or programming or a new system, etc.) and professional learning in general. One has to have a minimum of 20 Category A CPEs per year and a total of 80 CPEs from Category A at the end of 3 years and 40 CPEs from Category B at the end of 3 years. There is no minimum from Category B per year.

There are many activities you can do to earn CPEs, but they basically boil down to 2 categories, passive and active.  Passive, attend some sort of event where you listen and learn.  Active, take a class or attend some sort of training, prepare for a presentation, read an approved security periodical, publish a security article or book, write a book review, or volunteer.

Here’s detailed info from the (ISC)2® CONTINUING PROFESSIONAL EDUCATION (CPE) POLICIES AND GUIDELINES (you may have to login), pages 8-12

Calculating CPE Credits

CPE credits are weighted by activity. Shown below are common categories of activities and the amount of credits you can earn for each. Typically, you will earn one CPE credit for each hour spent engaged in an educational activity. However, some activities are worth more credits due to the depth of study or amount of ongoing commitment involved. In general, CPE credits are not earned for on-the-job activities.

  • Attending Educational/Training Courses and Seminars

Educational training courses and seminars related to the domains of your credential will qualify for one Group A CPE credit for each hour of attendance. Training courses and seminars that are not domain-related to your credential qualify as one Group B CPE credit for each hour of attendance.

  • Attending Conferences

One CPE credit for each hour of attendance (or one session). Security conferences qualify as Group A credits. Other educational conferences qualify as Group B credits.

  • Attending Professional Association Chapter Meeting

One Group A CPE credit for each hour of attendance at a professional association chapter meeting. The qualifying professional association must be related to the domains of your credential.

  • Attending Vendor Presentations

One Group A CPE credit for each hour of attendance at a vendor presentation. The presentation must have an educational aspect with regard to the domains of your specific credential. Note: If you are attending a conference which includes vendor presentations, do not enter your CPE credits in the “vendor presentations” category. Instead, you should enter your CPE credits in the “conference” category – and, accordingly, determine your CPE credits by using the method described under “conferences”.

  •  Completing a Higher Academic Course

One Continuing Professional Education credit (CPE) is permitted for each hour spent in class, or for online classes. Credit will only be given on passing/completing the course. The course must be related to the domains of your certification to qualify as a Group A credit. Otherwise it may be considered a Group B credit.

  • Providing Security Training

Four Group A credits per hour of presentation for the initial preparation training materials. CPE’s may be earned for updating an existing presentation. CPE credits are not earned for time spent presenting the course, lecture, or training. This CPE activity is most relevant for short presentations of a few hours. Examples would include Webinars or Pod Casts.

Credits are not earned for teaching or training courses that are multiple days, weeks, or months in length.

  •  Publication of a Security Article or Book

Group A CPE credits for the first publication of an article placed in a journal or magazine. The article must be related to the domains of your credential. The article may be printed or in electronic form. The below chart identifies the number of CPE’s that will be earned based on the length of the article.

You are entitled to 40 Group A CPE credits for the initial publication of a book. Reprints or republications do not apply. The book must be related to the domains of your credential. You cannot earn Group B CPE credits within this category.

  •  Board Service for a Professional Security Organization

A maximum of 40 CPE credits per year of service on the boards of professional security organizations. Credits will be based on the level of contribution, as determined by the board of the relevant organization. Please maintain a record of your hours of participation for audit purposes. We recommend that you document your service hours by having an officer of your organization sign a statement specifying the hours. You may post your own CPE credits if the organization will not do this for you.

CPE credits will be given for those performing volunteer work on behalf of (ISC)²®, either serving as a board member, committee member, item writing contributor, or other type of approved volunteer activity. (ISC)² will determine the amount of credits earned for such activity and will submit credits on your behalf.

  •  Self-Study, Computer-Based Training [CBT], Web Casts, Pod Casts

Members can earn one CPE credit per hour for completing a self-study program, computer-based training, or viewing a Web Cast or Pod Cast. (ISC)2 will allow you to submit no more than the maximum number of CPEs/hours recommended by the self study provider. Please keep your documentation in the event that you are audited. This category may also be used to record credits when there is no other category available to record such credits. This would most often cover any type of research that is done in conjunction with preparation of other activities that are not listed in any of the other categories.

If you have done preparation work to obtain another professional certification, which is not a certification from (ISC)2® and if this other certification is one in which you have increased your knowledge-base, then you are entitled to CPE credits for the preparation or self-study work you did to achieve this other certification. Your preparation or self-study work for the non-(ISC)2 credential must have been completed during the three years of your current (ISC)2 certification cycle. If the non-(ISC)2 credential is related to the domains of your (ISC)2 credential, then you would earn Group A credits. If the other credential is not related to the domains of your (ISC)2 credential, you would earn Group B credits. Your CPE credits associated with another  certification are not for achieving this non-(ISC)2 certification, but, rather, CPE credits are for the time you spent in preparation to obtain the non-(ISC)2 certification.

  •  Read Information Security Book / Magazine

Members can earn five (5) CPE credits, limited to one book per year and one authorized magazine subscription per year, for a total of ten (10) CPE credits per year. Please note that beginning June 1, 2011, members will no longer be awarded five (5) CPE credits by simply subscribing to (ISC)2 approved magazines.

  • Beginning June 1, 2011, (ISC)2 will ask its members to validate their learning experience for reading a security book or for subscribing to an authorized magazine.
  • Reading Security Books – Members upload a brief summary (approx. 150 words) of their learning experience from a security book they read in order to earn CPE credit.
  • Subscribing to Security Magazines – Members may receive five (5) CPE credits for subscription to an authorized magazine in one of the following ways:

1. Members upload a brief (approx. 150 words) summary of the learning experience gained from reading any issue of the magazine subscription at (ISC)2 website to claim the CPE credits.

2. Members complete a quiz provided by the magazine publisher, and the publisher will automatically submit five (5) CPE credits to (ISC)2.

If members subscribe to one of the following magazines, the magazine, as an approved CPE credit submitter, will submit the five (5) CPE credits to (ISC)2 if a quiz is made available and successfully completed.

The (ISC)2 Journal (qualifies as a magazine subscription)

Information Security Magazine

InfoSecurityToday Magazine

CPE credits for the above magazine subscriptions, if a quiz is provided by the magazine publisher, will be posted for new subscriptions or renewals. These credits for the successfully passed quiz will be submitted by the magazine publisher and may not be added by the member.

 If members read other information security magazines, they must submit their CPE credits through the (ISC)² website. Members must retain information that could support their CPE claim if they are audited.

  •  Read InfoSecurity Professional magazine

Members will not earn five (5) CPE credits for subscribing to the InfoSecurity Professional magazine because it is the (ISC)²’s digital, members-only magazine, which will allow members to earn two (2) CPE credits per issue if they complete and pass the online quiz associated with each issue. Members must submit their credits on the (ISC)² website. Please be sure to retain all certificates for the successful completion of the quiz, as CPE’s will be subject to random audit.

  •  Information Security Book Review

One book review per year which is accepted and published on the (ISC)2® Website. Earn five Group A CPE credits. The book must be related to your (ISC)2 credential domain. The review must be at least 500 words and should include a brief description of the book’s contents and an overall evaluation of the entire book and its value to the professional. Please keep in mind that other members will be reading your book review. They may use your book review to determine whether a book is worth purchasing or reading.

Submitter and members should allow up to 3 weeks for (ISC)² to post CPE credits to member records.

  •  Government, Public Sector, and other Charitable Organizations Volunteering

You are entitled to one CPE credit for each hour of volunteer work. As documentation of your volunteer efforts, you must retain a signed confirmation on the organization’s letterhead, indicating the number of hours of volunteer work you have performed. This volunteer work must be a domain-related activity and would earn only Group A CPE credits.

Many of the CISSP folks I know attend a week-long security conference and they’re good to go on their A credits from one event.  Most of the time their job pays for traveling, attendance and accommodations.  This takes time and money, but it is an easy and fun way to earn lots of credits at one time.

However, I like cheap and easy (there’s a joke there somewhere).  I will go into more detail in the next posts, but I’ve chosen mostly to attend a few podcasts and seminars.

More Info from (ISC)2:

Group A & B Credits https://www.isc2.org/group-credits.aspx

Calculating CPE Credits https://www.isc2.org/calculating-cpes/default.aspx

CPE Opportunities https://www.isc2.org/cpe-opportunities/default.aspx

Posted in CISSP CPEs

CISSP Continuing Professional Education (CPEs): Preliminary

Posted by -Durk- on December 12, 2011

OK,  so I told you that I’d continue to write about CISSP Continuing Professional Education (CPEs)-the continuing education that one has to do to remain CISSP certified.  And I will, but first I’d like to hear from you.  What have YOU done to gain CPEs?

My initial take is that gaining the CPEs is pretty easy.  I have 37 under my belt, 24-A & 13-B.  But others say it is a hassle and difficult.  I started out very strong, got busy with work and then gathered a few more towards the end of the year.

What are YOU doing to earn CISSP CPEs?  I look forward to your replies.

Posted in CISSP CPEs

What Makes a Password Stronger

Posted by -Durk- on June 25, 2011

http://finance.yahoo.com/family-home/article/113007/strong-online-passwords-wsj

by Stu Woo
Friday, June 24, 2011

With concern about hackers, tools for remembering so many codes; no more pet names or 123456.

For all its benefits, the Internet can be a hassle when it comes to remembering passwords for email, banking, social networking and shopping.

Many people use just a single password across the Web. That’s a bad idea, say online-security experts.

“Having the same password for everything is like having the same key for your house, your car, your gym locker, your office,” says Michael Barrett, chief information-security officer for online-payments service PayPal, a unit of eBay Inc.

Mr. Barrett has different passwords for his email and Facebook accounts — and that’s just for starters. He has a third password for financial websites he uses, such as for banks and credit cards, and a fourth for major shopping sites such as Amazon.com (Nasdaq: AMZN). He created a fifth password for websites he visits infrequently or doesn’t trust, such as blogs and an online store that sells gardening tools.

A spate of recent attacks underscores how hackers are spending more time trying to crack into big databases to obtain passwords, security officials say. In April, for instance, hackers obtained passwords and other information of 77 million users in Sony Corp.’s (NYSE: SNE) PlayStation Network, while Google Inc. (Nasdaq: GOOG) said this month that hackers broke into its email system and gained passwords of U.S. government officials.

So-called brute force attacks, by which hackers try to guess individual passwords, also appear to be on the rise, Mr. Barrett says.

PayPal says two out of three people use just one or two passwords across all sites, with Web users averaging 25 online accounts. A 2009 survey in the U.K. by security-software company PC Tools found men to be particularly bad offenders, with 47% using just one password, compared with 26% of women.

Another PC Tools survey last year showed that 28% of young Australians from 18 to 38 years old had passwords that were easily guessed, such as a name of a loved one or pet, which criminals can easily find on Facebook or other public sites. Other passwords can be easily guessed, too. Hackers last year posted a list of the most popular passwords of Gawker Media users, including “password,” “123456,” “qwerty,” “letmein” and “baseball.”

“If your password is on that list, please change it,” says Brandon Sterne, security manager at Mozilla Corp., which makes the Firefox browser and other software. Hackers “will take the first 100 passwords on the list and go through the entire user base” of a website to crack a few accounts, he says.

People typically start changing online passwords after they’ve been hacked, says Dave Cole, general manager of PC Tools. However, “after a relatively short time, all but the most paranoid users regress to previous behaviors prior to the security breach,” he says. He and other security experts recommend people change or rotate passwords a few times a year.

To come up with a strong password, some security officials recommend taking a memorable phrase and using the first letter of each word. For example, “to be or not to be, that is the question,” becomes “tbontbtitq.” Others mash an unlikely pair of words together. The longer the password — at least eight characters, experts say — the safer it is.

Once people figure out a phrase for their password, they can make it more complex by replacing letters with special characters or numbers. They can also capitalize, say, the second character of every password for added security. Hence “tbontbtitq” becomes “tB0ntbtitq.”

No matter how good a password is, it is unsafe to use just one. Mr. Barrett recommends following his lead and having strong ones for four different kinds of sites — email, social networks, financial institutions and e-commerce sites — and a fifth for infrequently visited or untrustworthy sites.

Even the strongest passwords, however, are useless if criminals install so-called malware on computers that allow them to track a person’s keystrokes. Security experts say people can avoid this by keeping their antivirus and antispyware software updated and by avoiding downloading files from unknown websites and email senders.

Some security experts recommend slightly modifying passwords within each category of site. Companies such as Microsoft Corp. (Nasdaq: MSFT) offer free password-strength checkers, but users shouldn’t rely on them wholly because such strength tests don’t gauge whether a password contains easily found personal information, such as a birthday or a pet’s name.

It’s especially important to have a separate password for an email account, says Mozilla’s Mr. Sterne. Many sites have “Forgot my password” buttons that, when clicked, initiate a password-recovery process by email. Hackers who break into an email account can then intercept those emails and take control of each account registered using that address.

Some websites, such as Google and Facebook, now let people register a phone number along with their account. If a person forgets his passwords, the sites reset the passwords by calling or sending a text message to that person.

Mr. Barrett says people should be able to remember four or five good passwords. If not, they can write them down on a piece of paper and stick it in their wallet, and then throw the cheat sheet away once all the passwords are memorized.

People who still struggle to remember them all can use a password manager. Several, such as LastPass, are free. LastPass prompts users to create a master password and then generates and stores random passwords for different sites. Some security experts warn against using managers that store passwords remotely, but LastPass Chief Executive Joe Siegrist says hackers can’t access the passwords because all data is encrypted.

The worst thing that people can do after creating their different passwords: Put it on a sticky note by their monitor. “That defeats the entire purpose,” says Mr. Sterne.

Heather O’Neill, a 27-year-old tech-company employee in San Francisco, had her Google email account broken into earlier this year. She says she used the same password for several sites, and that it was a weak one.

“I can’t have one password for everything,” she says. “Everything is going to be different.”

Write to Stu Woo at Stu.Woo@wsj.com
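The article names three things a plain strength meter misses: passwords from the "most popular" lists, easily found personal information, and one password shared across site categories. The Python sketch below is an added example, not part of the article or of any vendor's checker; the function names, the substitution table, and the sample accounts and personal facts are all constructed for illustration.

```python
import re

# Most-popular passwords the article quotes from the Gawker Media list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "baseball"}
MIN_LENGTH = 8  # "at least eight characters, experts say"

# Assumption: a small table of look-alike substitutions folded to one
# canonical letter. "l" is folded into "i" because "1" and "!" stand in for
# both. The folded form is only used for comparison and can over-match.
_FOLD = str.maketrans({"0": "o", "1": "i", "!": "i", "|": "i", "l": "i",
                       "3": "e", "4": "a", "@": "a", "5": "s", "$": "s",
                       "7": "t"})


def normalize(text):
    """Lower-case and undo common substitutions so 'P@ssw0rd' == 'password'."""
    return text.lower().translate(_FOLD)


_COMMON_FOLDED = {normalize(p) for p in COMMON_PASSWORDS}


def is_common(password):
    """True if the password, or its core without leading/trailing digits
    and symbols, is a popular password once substitutions are undone."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())
    return (normalize(password) in _COMMON_FOLDED
            or normalize(core) in _COMMON_FOLDED)


def personal_tokens(facts):
    """Map folded token -> readable token for names, pet names and dates.
    Dates given as YYYY-MM-DD are expanded into the forms people type."""
    tokens = {}
    for fact in facts:
        match = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", fact.strip())
        if match:
            yyyy, mm, dd = match.groups()
            variants = [yyyy, mm + dd, dd + mm,
                        mm + dd + yyyy[2:], dd + mm + yyyy[2:]]
        else:
            variants = [w for w in re.split(r"\W+", fact) if len(w) >= 3]
        for variant in variants:
            tokens[normalize(variant)] = variant.lower()
    return tokens


def check_password(password, personal_facts=()):
    """Return a list of findings; an empty list means no finding."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if is_common(password):
        findings.append("common_password")
    folded = normalize(password)
    for token, readable in sorted(personal_tokens(personal_facts).items()):
        if token in folded:
            findings.append(f"personal_info:{readable}")
    return findings


def audit_accounts(passwords_by_category, personal_facts=()):
    """Check every category and flag passwords shared between categories.
    Case and substitution variants count as the same password."""
    report = {}
    for category, password in passwords_by_category.items():
        findings = check_password(password, personal_facts)
        for other, other_password in passwords_by_category.items():
            if other != category and normalize(other_password) == normalize(password):
                findings.append(f"reused_across:{other}")
        report[category] = findings
    return report


# Constructed sample data: the five site categories from the article, with
# made-up passwords, a made-up pet name and a made-up birthday.
SAMPLE_FACTS = ["Rex", "1984-03-07"]
SAMPLE_ACCOUNTS = {
    "email": "tB0ntbtitq",
    "social": "Rex1984!",
    "financial": "P@ssw0rd1",
    "shopping": "TB0NTBTITQ",
    "untrusted": "qwerty",
}

if __name__ == "__main__":
    for category, findings in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_FACTS).items():
        print(f"{category:10} {', '.join(findings) or 'no findings'}")
```

An empty findings list only means none of these three checks fired; it says nothing about keystroke-logging malware or a breach at the site itself, which the article covers separately.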

Posted in Security

The Secret 11th CISSP Domain: Understanding How to Learn, How to Study and How to Take A Test

Posted by -Durk- on May 21, 2011

[Image: poster for The Matrix. Caption: "Why didn't I take the blue pill?"]

I took this personality test in high school; the teacher was finishing up his master's or PhD or something and he passed out these self-examination tests to the class. It focused on how one learns. I remember answering a question regarding how I learned with one answer, then basically getting the same question later on and answering it differently! I remember thinking, “I have no clue how I learn”.  “Are there different styles or methods?”  I just didn’t know!

Fast forward 20 years, one failed CISSP exam behind me and a year of studying ahead; I had to figure out how I learned, how to study and how to pass a freaking test as I prepared for the CISSP exam 2.0!   The process that I went through to prepare and pass the (second) CISSP exam taught me a lot about how to study, learn and take the hardest exam I have ever taken!

OK, here’s the point:  Identifying how YOU learn and identifying the best study and test methods that work for YOU are vitally important to passing the CISSP exam.

I’m convinced of this:  Understanding how one learns, how to study and how to take a test could be the difference between passing or failing.  Especially those that have failed multiple times and feel like they have studied their asses off and can’t possibly memorize or cram any more security info into their brain, lest it will explode!  Take pause, take an introspective inventory, do some research on learning, studying and test taking and then switch gears.  Think of this as the secret eleventh domain.

I am not going to spend a lot of time talking about how one learns in general; it is just too vast of a topic. If you read through the rest of this post and simply can’t identify with any of it, then please keep searching and take the time to understand what it is that makes you tick. Take a few personality tests to see what type of social person you are. Are you an introvert or extrovert? This answers the question of whether you should study alone or in a group. If you have some sort of learning disability then you really need to spend some time understanding yourself and how to overcome and be successful. Talk with experts. This will help you in all areas of your life. Do yourself a favor and seek professional educational counseling. Are you ADD? Then you have to structure your studying accordingly by eliminating distractions and sticking to a more formal plan.

Open Brain, Insert Content

Remember the scene from the sci-fi movie The Matrix when Neo (Keanu Reeves) is learning how to fight?  They plug this cable into his head, they download all these different styles of martial arts, Neo’s eyes are fluttering and all of a sudden his eyes pop open and he says “I know Kung Fu”?  [In my best Chris Farley Impersonation]:  “Yeah that was really awesome”.  Bad news:  That  ONLY happens in the movies!

Book Worms

How do you get the info from the 10 CISSP CBKs into your head and process it in an organized and memorable fashion so that you can regurgitate all that info when it counts on the exam? I know some folks who can take a book, read it from cover to cover and then KNOW the concepts and understand the subject. They can turn around and put all of that knowledge into practice. People who can do this are pretty smart people. And I can’t begin to relate to these types of people! If you are one of these people you are probably in pretty good shape. Use Shon Harris’ CISSP All-in-One Exam Guide and the Official (ISC)2 Guide to the CISSP CBK. I started out by myself with Shon Harris’ book. I read and read, I highlighted, I underlined, I wrote in the book, I tabulated the book with sticky tabs and sticky bookmarks. Although I could find just about any topic fairly easily, I wasn’t getting very deep, and although I was learning, I was not memorizing and wasn’t able to regurgitate on any kind of detailed level. It was a lot of dry reading; I saw the words, but what did they mean? And most of all, how can I apply the knowledge to different situations? So I was reading and re-reading, which was a waste of time for me. Reading books is great for some people. But I needed more.
–(CISSP book resources & practice test info:  https://inchdeepmilewide.wordpress.com/cissp-resources/)

Experience

Some people like to just dig in, start taking stuff apart, or building something and they just learn as they go.  They start by taking the engine all apart for no real good reason but to learn how to put it all back together again.

[Image: engine. Caption: "Most of the time there is only a part or two left over!"]

They have to touch, they have to feel, they crack the manual now and again when they get stuck but at the end of the day they have a re-built engine in their car and most of the time there is only a part or two left over!  The other HUGE caveat-it took them 5 years to put it all back together.  Gaining experience takes time.  Most people who have extensive technical experience fall into this category.  There’s simply no substitute for time and experience gained, and if you have enough of it, most likely the CISSP exam will be cake for you.  If your background is deep and wide most likely the practice tests will be fairly easy.  If they are not, dig deeper and wider.  Can you turn around and teach it?  That’s the level of knowledge required to pass the CISSP.  If yes you are set, if you fumble a bit, keep going.  Although I have 5 plus years in a network security group, my background is not in building networks or building server systems or managing firewalls and routers.  Even if you can teach the telecom domain in your sleep you may struggle with the more in-depth security concepts.

My co-worker falls into these first two categories. He can read a book or manual from cover to cover and he can turn around and explain it in technical and deep articulation. He has been in the technology and telecom industry for 30 plus years and he paid very close attention. He can program in several languages, not only build a PC but explain how it works in detail, he can re-build a car engine while he explains the history and physics behind every detail. He is by far the smartest person I know. He finished the exam in just over 3 hours and he passed his first time out. The other 99.9% of the population just do not function this way! There’s hope…keep reading.
–(Practice test info:  https://inchdeepmilewide.wordpress.com/cissp-resources/)

Back to School

Many people are traditional student learners: they can listen to or watch lectures, take quality notes, make study cards, study in groups, create cheat sheets and take practice tests. Most classrooms fall into this category. If college was the best learning experience of your life then this is for you! If this is definitely you, skip reading a book from cover to cover and please, don’t bother with an expensive boot camp. Purchase a couple of video (Shon Harris CISSP Video Seminar) and/or audio lectures (Management 414 SANS +S Training Program for the CISSP Certification Exam presented by Eric Cole) or enroll in college classes or a semester worth of classes that focus on CISSP. If you thrive in a classroom, spend the time and money and take a few quality instructor-led courses either in a real classroom or find something outside of your home (like a conference room or library) and create your own personal classroom. For the most part I used this method. I took a book with me to a conference room that I would turn into a classroom. I found a study buddy and we watched a couple of different Shon Harris’ lectures, listened to an audio lecture and paid for online video lectures. For the most part this worked for me. If you are a social learner like me, take classes or create a classroom environment with others.
–(CISSP resources & practice test info:  https://inchdeepmilewide.wordpress.com/cissp-resources/)

Note To Self:  Take Better Notes!

Remember taking notes in school?  Of course you do!   Taking notes and studying them solidifies and reinforces what you’ve been hearing and seeing.  There are many different methods of taking notes.  There are outline techniques, term/definition techniques, shorthand, flash cards and the list goes on and on.  If you struggle in this area find a book or a webinar or lecture or a college orientation class or materials that focus on taking notes!  Heck, find a person who can take excellent notes and learn from them.  I have excellent index-style study cards, but I don’t want to merely give them to you because as you make them yourself you are organizing and learning!  And of course the last word on notes is to actually review them, study them.  I took way too many notes that I never looked at after I penned or typed them.  That was just stupid.

How to take a test

Unless you have a photographic memory, very few people have some magical edge when taking tests.  Stick to the basics:

  • Spend the night at or near where the exam will be given
  • Don’t cram
  • Go to bed early-take a Tylenol PM (Benadryl) if you are restless
  • Awake at least 2 hours before the exam doors open
  • Eat a healthy and hefty breakfast
  • Arrive before the doors open, check in, find a good seat
  • Turn off all noisy electronics, don’t just mute or vibrate, pack the distractions away, forget about them
  • Bring Your Registration Letter and ID
  • Bring food and drink
  • Bring your own #2 pencils and a huge eraser
  • Bring meds in case of a headache
  • Take notes on the test-mark the questions you don’t know or aren’t sure of (use different markings)
  • Circle the answer on the test THEN transfer the answer to your answer sheet
  • Read the question carefully and completely
  • Read all answers before choosing an answer
  • Answer all questions
  • First answers are usually right-but mark and review those that were a complete guess
  • Take breaks-at least one per 60 to 90 minutes
  • Break the test up into sections and when you reach the end reward yourself with a break, go potty, walk around or stretch for a minute or two, relax, consume food and drink, get back to it.
  • Pay attention to the time
  • Use all 6 hours, if you finish early take a break, review, then review again
  • Be one of the last to leave

I think I am pretty good at taking tests in general-mostly because I commit to an answer and move on.  Most of the time if you know it, you know it, and if you don’t you don’t.  Failing the exam the first time simply told me I wasn’t quite prepared enough.

However, some people are worse at taking tests in general than others. Some people suffer from test anxiety. Some people psych themselves up for failure or get overly nervous or anxious or just freak out once they get the test in front of them. From eHow.com, “Relax on the day of the test. Once you’re in the testing room, you can do nothing more to prepare. Worrying when you can do nothing more to improve your chances of scoring high on the test will affect your performance.” People do weird things like read things into the questions that aren’t there or second-guess everything. Although most of these folks know the content and understand the concepts they’ve studied, they are a completely different person as they take the real exam. They go slower or faster, their minds go blank, they sweat, they have negative conversations with themselves, etc. If you are one of these people then you HAVE to figure out a way to compensate. Train your mind to take the exam. Take lots of practice tests. Take many long 250-question practice tests. Print out a practice test with the questions and use a Scantron to record the answers, just like the real exam. Time yourself. Pace yourself. Find new questions so you’re not memorizing the question and answer rather than learning the concepts. Take practice tests at a crowded McDonald’s.

Knowledge is Power

Finally, learn from others’ experiences and mistakes and successes.  Walking into the exam my first time and sitting down to take the exam was like ice cold water or a bitchslap to the face-it was incredibly painful, frustrating and shocking.  Read my personal experiences.  Join CISSP forums.  Read security blogs.

Posted in CISSP Exam, CISSP Preparation