How I Studied For & Passed The CISSP

I got asked the other day at work about how I studied to pass the Certified Information Systems Security Professional (CISSP) exam back in Dec 2011. While I was relaying my experience, I made a few notes, and I figured it would be good to document the endeavor in a blog post.


I think my main advantage was that I was able to get access to the SANS Management 414 class via their self-study content using training dollars from work [direct link for more info]. While expensive, the 'do it on your own time' offering was much better for me than going to a class (which can also be expensive).

One of the other key features that I liked about the self-study offering was that there were separate MP3s of all the sessions plus the online course review material. This allowed me to binge listen to the audio content during my daily exercise, drives in the car, and while on travel (which happened about 5 times during my prep time before the test). The only bad news about all this 'listening' is that when I have a CISSP-related nightmare I still hear Dr. Eric Cole's voice.

The package included printed slides for all the material (synced online to the audio feed), covering the ten domains:

  • Domain 1 - Information Security Governance & Risk Management
  • Domain 2 - Access Controls
  • Domain 3 - Cryptography
  • Domain 4 - Physical Security
  • Domain 5 - Systems Architecture & Design
  • Domain 6 - Business Continuity & Disaster Recovery Planning
  • Domain 7 - Telecommunications & Network Security
  • Domain 8 - Application Security
  • Domain 9 - Operations Security
  • Domain 10 - Legal, Regulations, Compliance, & Investigation

It also included a copy of the book "CISSP Study Guide" by Eric Conrad, Seth Misenar, and Joshua Feldman, plus a series of pre-tests (both online and on paper) and a full online practice test.

Other books I used for reference included:

Once I went through all the material one time via MP3/slides, I determined when there was a class about 16 weeks/4 months in the future and signed up for that one. I found it very useful to have a target date on the calendar to motivate me to block out time for studying. I then spent every Off-Friday from work and ~4 hours each Saturday and Sunday studying the material up to the test week. The test was on Tuesday, and I pretty much studied full time Friday, Saturday, Sunday, and Monday before the test. If my math is correct that was about ~250 hours of studying (not including the MP3 material, which I continued listening to during my exercise, driving, etc. right up to the test).

In addition to the study reference material above, I also took a great many practice tests. If there was a test I could take, I took it. My previous experience getting a Windows OS certification and Security+ was that there was a ton of value in reviewing as many questions as possible. This turned into pretty detailed stats tracking on how I was doing and where I needed extra focus. Here is the "final" view of the spreadsheet tracker I set up in Google Docs:

[Images: CISSP test tracking spreadsheet, parts 1 and 2]

The other thing I did that really helped was that I turned any question I missed during any of the tests I took into a 3x5 study card. I also kept the cards organized by the 10 major topic areas of the CISSP. This helped me really focus on studying the areas that needed the most work. By the end I'm pretty sure I had 400 cards, and on the day of the test all I did beforehand was drill through those cards.

What about the actual test? Yes, it was very hard. Definitely the hardest test I've ever taken. I was the last one to leave, using all but the last 5 minutes before the scheduled end time. I don't know how well I did other than that I passed. And since that was the goal -- mission accomplished!

If you have any additional questions, comments, etc. then please let me know.

[Originally written on 2/24/2012 but updated 2/23/2014]


Tip - Subscribing to Twitter Accounts in Google Reader

NOTE: As of October 16, 2012 the official Twitter API turned off RSS options per this article. What I wrote here doesn't work anymore.

I personally like keeping track of some Twitter accounts (especially security-related ones) using Google Reader. Unfortunately, I've found lately that Twitter keeps messing with the RSS URLs, and getting subscribed without errors can be hit and miss.

Here is my understanding of the current format as of this posting ...

Say you have a Twitter account like @johnhsawyer that you want to follow in Google Reader. Take the following base URL (twitter.com/statuses/user_timeline/) and append <twittername> + .rss -- for example:

"https://twitter.com/statuses/user_timeline/" + "johnhsawyer.rss"

Becomes:

 "https://twitter.com/statuses/user_timeline/johnhsawyer.rss"

And use that as the subscribe URL. I usually use a text editor to do this (Notepad+ on Windows or TextWrangler on Mac).

Did I get this right? Did Twitter change this already? Is there a better way? Leave a comment or send me an email and I'll update this post.

 


Tech Tracking #001 - New News, Mobile, Video, Security, Books, Training, Etc

Here are some new items I am tracking --


Safer Browsing with Google Chrome - No JavaScript (Unless Authorized)

One of the lessons learned from attending DEFCON 18 was that, as a Firefox user, running NoScript is highly recommended. Many of the presenters who were talking about Internet browser vulnerabilities mentioned NoScript as a defensive tool to help mitigate the risks they were discussing in their presentations.

While I still use Firefox with NoScript a lot, I have also been using Google's Chrome browser more and more, running on Mac, Windows & Ubuntu. There is no NoScript version for Chrome, but you can turn JavaScript off by default via:

  1. Options (aka Preferences)
  2. Under the Hood tab
  3. Privacy > Content Settings ... button
  4. JavaScript tab
  5. Do not allow any site to run JavaScript
  6. Close button

Once you have turned it off, a 'no JavaScript' icon will show up at the far right-hand side of the Link Box on the first site you hit that uses JavaScript:

[Image: Chrome 'no JavaScript' icon in the Link Box]

You can now click on that icon and add the specific sites you frequent and trust to a trusted list. You'll need to reload the page to get the exception registered so that the page displays and functions as the publisher expected. Here is what Hulu.com says if you go there without JavaScript turned on:

[Image: Hulu.com message shown when JavaScript is disabled]

IMHO, this is better than running JavaScript by default on every site you visit. The best security practice now is to only allow JavaScript on sites you know and trust. Not perfect, but better than the alternative.

P.S. If you use Chrome's Incognito feature with JavaScript turned off, there appears to be no way to turn on JavaScript for specific sites in Incognito mode except for those already in your approved list.


Learn Some Hacker Skills Online from SANS & Paul Asadoorian

Fellow FriendsInTech.com member Paul Asadoorian is presenting two upcoming SANS@Home courses:

Metasploit is a fantastic tool for testing your network and applications. Come learn about all of its new features! You can use discount code "PaulDotCom" and save 20%!


TSA Travel Woes - Post A Comment To Their Blog

I just found out that the Transportation Security Administration (TSA) is now officially blogging (started Jan. 30, 2008) and is accepting comments on their blog posts.

The blog is called "Evolution of Security" and can be found at: http://www.tsa.dhs.gov/blog.

If you run into trouble or maybe have a great experience, then make sure you use this resource to give them some feedback.


Some New Cold War History Recommendations

I am a big history buff. I am particularly interested in stories about World War II and The Cold War. 

I came across a bunch of recently released Central Intelligence Agency (CIA) docs at the Federation of American Scientists (FAS.org):

  • "The Secret War in Korea, June 1950 to June 1952," March 1964 [pdf]
  • "Record of Paramilitary Action Against the Castro Government of Cuba, 17 March 1960 - May 1961," May 1961 [pdf]
  • "The Evolution of Ground Paramilitary Activities at the Staff Level, October 1949-September 1955," November 1968 [pdf]
  • "The Berlin Tunnel Operation, 1952-1956," 24 June 1968 [pdf]

They all have some pretty interesting information in them. I am fascinated by considering what the redacted parts contain.

The Cold War has many different angles and perspectives. One of the other resources that is really interesting is from Tony Kahn over at WGBH's Morning Stories podcast. Tony produced the following series, called "BlackListed" (RSS):

In October 1947, the House Un-American Activities Committee opened its hearing into Communist influence in the movie business and promptly denounced 19 prominent directors, producers, screenwriters, and actors as enemies of the state. One of them was Hollywood screenwriter Gordon Kahn, whose films include All Quiet on the Western Front and The African Queen.
    
In this six-part personal history of the Hollywood Blacklist, Gordon Kahn's son, Morning Stories producer Tony Kahn, tells the story of his father's 15 years of persecution and the fear that followed him, his family, and thousands of other Americans for being accused of having the wrong political ideas.

I have currently listened to three of the six podcasts, and I am really enjoying this very well produced audio program. No matter what your political views, this is a podcast that should not be missed.


Windows Mobile 6 Tip - Specific Ports for IMAP, SMTP, Etc.

One of the main reasons for moving to the AT&T Tilt was the 'faster' network options (3G/UMTS/HSDPA), plus Windows Mobile 6 was supposed to address a port mapping bug I've had on the Cingular 8125.

Our IMAP/SMTP services at work use non-standard ports for SSL/TLS connections, and apparently you could not point the mail client at non-standard ports with previous versions of Windows Mobile or PocketPC without doing some registry hacks.

Now, with Windows Mobile 6, you can successfully append the port you want to connect to onto the name of the machine you are connecting to. If your SMTP service is listening on port "444" and your SMTP server is called "smtp.mycompany.net", then the setting in the Mail setup is "smtp.mycompany.net:444" (without the quotes).
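To show how a mail client can take the host:port setting apart safely, here is an added example in Python. It is not Windows Mobile code and does not reproduce the phone's Mail setup parser; it assumes the setting is a single string such as the post's "smtp.mycompany.net:444", that a bare hostname means the standard port for the chosen protocol, and (going beyond the post) that an IPv6 literal is written in brackets so its colons are not mistaken for the port separator.

```python
"""Parse a mail-client server setting written as host[:port].

Added example for this post; not Windows Mobile code. It assumes a single
string like "smtp.mycompany.net:444" and that a bare hostname means the
standard port for the chosen protocol.
"""
from dataclasses import dataclass
from typing import Optional

# Port used when nothing is appended: the IANA assignments for each
# protocol, in plaintext and implicit-TLS forms.
DEFAULT_PORTS = {
    "imap": 143,
    "imaps": 993,
    "smtp": 25,
    "smtps": 465,
    "submission": 587,
}


@dataclass(frozen=True)
class ServerSetting:
    host: str
    port: int
    explicit_port: bool  # True when the user appended ":port"


def parse_server_setting(value: str, protocol: str) -> ServerSetting:
    """Split 'host[:port]' into its parts, defaulting the port per protocol.

    Raises ValueError for an empty host, a non-numeric port, or a port
    outside 1..65535. A bracketed IPv6 literal ("[2001:db8::1]:993") is
    accepted; an unbracketed one is rejected because its colons are
    ambiguous. The IPv6 handling is an assumption beyond the post.
    """
    if protocol not in DEFAULT_PORTS:
        raise ValueError(f"unknown protocol {protocol!r}")
    # The post notes the quotes must be left out; tolerate them anyway.
    text = value.strip().strip('"')
    if not text:
        raise ValueError("empty server setting")

    host, port_text = text, None
    if text.startswith("["):
        end = text.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = text[: end + 1], text[end + 1:]
        if rest:
            if not rest.startswith(":"):
                raise ValueError("unexpected text after IPv6 literal")
            port_text = rest[1:]
    elif text.count(":") == 1:
        host, port_text = text.split(":")
    elif text.count(":") > 1:
        raise ValueError("IPv6 addresses must be written in [brackets]")

    if not host:
        raise ValueError("empty host")
    if port_text is None:
        return ServerSetting(host, DEFAULT_PORTS[protocol], False)
    if not port_text.isdigit():
        raise ValueError(f"port is not a number: {port_text!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ServerSetting(host, port, True)


if __name__ == "__main__":
    # Constructed inputs mirroring the post's example.
    for raw, proto in [("smtp.mycompany.net:444", "smtps"),
                       ("imap.mycompany.net", "imaps")]:
        s = parse_server_setting(raw, proto)
        print(f"{raw:26} -> host={s.host} port={s.port} explicit={s.explicit_port}")
```

The validation matters because a client that silently falls back to a default port on a malformed setting would connect somewhere other than where the user intended; rejecting the input is the safer behaviour.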

This tip should help others who might run into a problem with Google's new Gmail IMAP support.

P.S. It appears that the AT&T Tilt is also referred to by AT&T as the 8925. The unit is made by HTC, which has a family of very similar, if not identical, models that go by 'TyTN II' and 'Kaiser.'


Taking Something On Purpose By Being "Clever" Is Still Stealing

I was just reading through Bruce Schneier's latest newsletter, published on September 15, 2007, and it had this article:

Getting Free Food at a Fast-Food Drive-In

It's easy.  Find a fast-food restaurant with two drive-through windows: one where you order and pay, and the other where you receive your food.  This won't work at the more-common U.S. configuration: a microphone where you order, and a single window where you both pay and receive your food.  The video demonstrates the attack at a McDonald's in -- I assume -- France.

Wait until there is someone behind you and someone in front of you. Don't order anything at the first window.  Tell the clerk that you forgot your money and didn't order anything.  Then drive to the second window, and take the food that the person behind you ordered.

It's a clever exploit.  Basically, it's a synchronization attack.  By exploiting the limited information flow between the two windows, you can insert yourself into the pay-receive queue.

It's relatively easy to fix.  The restaurant could give the customer a numbered token upon ordering and paying, which he would redeem at the next window for his food.  Or the second window could demand to see the receipt.  Or the two windows could talk to each other more, maybe by putting information about the car and driver into the computer.  But, of course, these security solutions reduce the system's optimization.

So if not a lot of people do this, the vulnerability will remain open.

http://www.youtube.com/watch?v=T1jgYPsvsrA

While it is a 'clever exploit', taking something purposely without paying for it is still stealing, and stealing is illegal.
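The quoted piece calls this a synchronization attack and names the fix: bind the pay step and the receive step with something the second window can check. The added example below is mine, not Schneier's; it models a constructed three-car scenario and contrasts a hand-off keyed on queue position (which is what the two uncoordinated windows amount to) with one keyed on a token issued at payment and redeemed exactly once. The car names, the meal strings and the token format are all assumptions.

```python
"""Two models of the two-window hand-off from the quoted article.

Added example, not from the newsletter. Assumes cars pass the pay window
in order, then the pickup window in the same order, and the kitchen
finishes orders in payment order.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class Car:
    name: str
    orders: bool                  # False = "forgot my money", orders nothing
    token: Optional[str] = None   # issued at the pay window in the token model


def run_position_based(cars):
    """Pickup window hands the next finished meal to the next car in line.

    Nothing ties a meal to the car that paid for it, so a car that paid
    nothing but is next in line receives the next meal.
    """
    finished = deque(f"{c.name}'s meal" for c in cars if c.orders)
    served = {}
    for car in cars:
        served[car.name] = finished.popleft() if finished else None
    return served


def run_token_based(cars):
    """Pay window issues an unguessable token; pickup releases food only against it.

    The token stands in for the numbered token or receipt the article
    suggests. Popping it on redemption means it cannot be used twice.
    """
    outstanding = {}  # token -> meal: the pay window's own record
    for car in cars:
        if car.orders:
            car.token = secrets.token_hex(8)
            outstanding[car.token] = f"{car.name}'s meal"
    served = {}
    for car in cars:
        served[car.name] = outstanding.pop(car.token, None) if car.token else None
    return served


# Constructed scenario matching the quoted description: the middle car
# declines to order, then reaches the pickup window ahead of the car that paid.
CARS = [Car("ahead", True), Car("freeloader", False), Car("behind", True)]


def demo():
    """Run both models on fresh copies of the scenario and return the outcomes."""
    position = run_position_based([Car(c.name, c.orders) for c in CARS])
    token = run_token_based([Car(c.name, c.orders) for c in CARS])
    return position, token


if __name__ == "__main__":
    position, token = demo()
    print("position-based:", position)
    print("token-based:   ", token)
```

In the position model the car that paid nothing walks away with "behind's meal" and the paying customer gets nothing; in the token model the pickup window has no token for it and refuses, while both paying cars collect their own meals. The cost the article points out is visible too: the token model needs the pay window to keep a record and the pickup window to consult it.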


Privacy Thoughts - Google Vs. ISPs

There is a lot of good blogger analysis about Google's ability to drill down deep into the search world and possibly get into trouble by not keeping personal privacy data private.

Given Google's business model of matching people to ads, it is in their best interest not to blow this and to keep private data private.

However, there seems to be a small group of alarmists raising issue with Google's recent purchase of RSS service provider Feedburner.

I do have to disclose that I am a big fan and happy customer of Feedburner. Congrats to the team over there. 

Based on my assertion above that Google must protect privacy if they want to be successful, I expect this newfound, very rich data in Feedburner will get the same high level of protection.

Plus, I don't see any signs of Google behaving badly, and that cannot be said about ISPs.

Wired recently published a piece that outlines one of my big privacy concern areas - the data ISPs can and will be collecting, what they plan to do with it as it affects public disclosure (overt, covert, and stolen), and the possible manipulation of traffic as it enters 'their' network and gets to your devices.