Unnecessarily and deeply explained subjects in CISSP All-in-One Exam Guide, Sixth Ed.

Hunter85 Member Posts: 60 ■■■□□□□□□□
Hi,

I was wondering if it also appeared to you that this book consists of almost 1500 pages and almost 50% of it is not even relevant to the exam?

I was going through chapter 4 - Security Arch. Design and it starts explaining CPU architecture (deeply) and adding tons of acronyms for CPU, RAM, ROM (it is not simply RAM or ROM, it has 5-6 different types for each) and additionally tons of access rights frameworks (Bell-LaPadula model, Biba model etc...)

I have just downloaded the exam outline and none of these are covered...

I feel like I am wasting my time studying for stuff which is not even going to be asked in the exam...

Comments

  • Sam_aqua Member Posts: 72 ■■□□□□□□□□
    Books are monsters, be it AIO 6th edition OR Official Guide 4th edition, as I am facing the same challenge with OIG. When it comes to the irrational portion in any of the domain chapters, it seems like why are we reading when we know we won't even remember this at the exam time.. I guess that's the same case with all..

    Another way, that I see to make the preparation interesting is to watch videos / do practice questions from various sources. I have started doing this whenever I get frustrated going through the domain chapters.
  • Hunter85 Member Posts: 60 ■■■□□□□□□□
    I was again looking at the software development lifecycle subject, ok you need to know the essentials like waterfall or agile but the book goes deep into C++ developing and explaining all the attributes. It is so frustrating for me to read through all this unnecessary stuff just to realize that I wasted 3 hours of my time just to confirm that these things won't be asked in the exam
  • wes allen Member Posts: 540 ■■■■■□□□□□
    If you already have a solid background in IT Security, then skip the thick books and get the Eric Conrad guide: CISSP Study Guide, Second Edition: Eric Conrad, Seth Misenar, Joshua Feldman: 9781597499613: Amazon.com: Books
  • TheFORCE Member Posts: 2,297 ■■■■■■■■□□
    Hunter85 wrote: »
    Hi,

    I was wondering if it also appeared to you that this book consists of almost 1500 pages and almost 50% of it is not even relevant to the exam?

    I was going through chapter 4 - Security Arch. Design and it starts explaining CPU architecture (deeply) and adding tons of acronyms for CPU, RAM, ROM (it is not simply RAM or ROM, it has 5-6 different types for each) and additionally tons of access rights frameworks (Bell-LaPadula model, Biba model etc...)

    I have just downloaded the exam outline and none of these are covered...

    I feel like I am wasting my time studying for stuff which is not even going to be asked in the exam...

    You can't be serious right? You want to get into security without knowing how the basics and the fundamental access models work? Really? And just an FYI to you, you will get questions about the access models on the exam. Enough said.
  • nk_vn Member Posts: 38 ■■□□□□□□□□
    I can assure you that every single term and concept in AiO is testable. The detailed explanations are there to help you with understanding it as a concept. Shon Harris uses lots of real-world and "explain like I am 5 years old" examples. They are there for a reason. I can assure you that I would have never passed my exam if it wasn't for her detailed explanations of the security models that you are mentioning. If you are very familiar with a topic, it is easy to skip the detailed explanations. For example I only skimmed through the Network&Telecom chapter and this was enough for me after 10 years in the Telco industry and the ability to calculate any netmask and easily picture in my head complex network diagrams. But as far as Sec.Arch. and Design goes, I went through it several times (3 I think).
  • BlackBeret Member Posts: 683 ■■■■■□□□□□
    Short answer: It is all relevant.
  • tuabuikia Member Posts: 52 ■■□□□□□□□□
    That's right. Lengthy in detail but all points are self-explanatory. That's what I can say. Even some of her humorous remarks on the top of each topic and the diagrams in her book are informational and self-explanatory.
  • grungeisevil Member Posts: 39 ■■□□□□□□□□
    It is a monster of a book, and I chose not to use it for the exam. That being said, it's a comprehensive guide for folks who really want to do a deep dive into the security realm.

    If you do know most/all of the stuff inside the book, go for Conrad, but if you're just getting into the Security realm with very little or no knowledge at all, then this book is a gem.

    P/S: Access Control Models are not a waste of time
  • cyberguypr Mod Posts: 6,928 Mod
    I have to agree that all of the stuff in the book is directly relevant. Having said that, I bought a copy wanting to like it but it just didn't work out. It was overly verbose for my level and I couldn't stand Shon's style. I quickly put it down and moved on the Conrad books. I only used it to cover my weaker domains. Despite not liking this book, it is part of my permanent collection and came in handy as reference for my WGU MSISA work. I'll take it over the OIG any day.
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    Did you read the introduction to the book? Did you even read the cover?

    "Ideal as both a study tool and an on-the-job reference"
  • gespenstern Member Posts: 1,243 ■■■■■■■■□□
    Can't tell as I didn't read them, but access control models, especially Bell-LaPadula and Biba and processor architecture are both represented on the exam. To the extent of asking tricky questions on Bell-LaPadula logic and understanding of processor registers.

    Fortunately I've read Wiki on access control models and have found that they are covered pretty well there and I know assembly language and actually worked as an x86 assembly programmer for a while in the past so I breezed through this stuff.
  • g33k3r Member Posts: 249 ■■□□□□□□□□
    I have yet to take the exam and have seen some great recommendations here in the forum on study guides and practice questions. The top two books I've seen referenced are the Shon Harris AIO and Eric Conrad's Study Guide. I chose the latter due to its more concise format. I've watched all of the cybrary videos which were great. I just finished reading Eric Conrad's book which was about 70% review and the remainder an introduction into new concepts. I have over 12 years of Sys Admin experience with a security focus over the last few years. The domains which included an introduction into topics were around security governance, risk management, legal/regulation, and methodologies of software development and business continuity. I've dealt with these concepts from a consumer point of view so it was helpful to get a good explanation of the rationale and function of these less "technical" concepts. I've supplemented any areas of what I've read or watched thus far with other resources such as youtube, wikipedia, google, forums. That being said, should I also try and read the Shon Harris text? Or focus on study questions/exams to test my knowledge and gaps and fill the knowledge gaps through additional research? I intend to purchase the Shon Harris book as a professional reference, but hope the Eric Conrad books will suffice for my focus of exam prep.

    Thanks!
  • !nf0s3cure Member Posts: 161 ■■□□□□□□□□
    Well, it is this kind of information cramming that you never use in your job to make security work that is a big turn off for me. I am leaning more towards CISM for this very reason! Time will tell.
  • gespenstern Member Posts: 1,243 ■■■■■■■■□□
    g33k3r wrote: »
    That being said, should I also try and read the Shon Harris text? Or focus on study questions/exams to test my knowledge and gaps and fill the knowledge gaps through additional research?

    My two cents, ultimately it's up to you, but as I mentioned here already, I haven't opened Shon Harris, nor the official CBK, nor videos and passed relying solely on experience (15 yrs), wikipedia and quizzing. So yeah, it's doable.
  • jt2929 Member Posts: 244 ■■■□□□□□□□
    g33k3r wrote: »
    I have yet to take the exam and have seen some great recommendations here in the forum on study guides and practice questions. The top two books I've seen referenced are the Shon Harris AIO and Eric Conrad's Study Guide. I chose the latter due to its more concise format. I've watched all of the cybrary videos which were great. I just finished reading Eric Conrad's book which was about 70% review and the remainder an introduction into new concepts. I have over 12 years of Sys Admin experience with a security focus over the last few years. The domains which included an introduction into topics were around security governance, risk management, legal/regulation, and methodologies of software development and business continuity. I've dealt with these concepts from a consumer point of view so it was helpful to get a good explanation of the rationale and function of these less "technical" concepts. I've supplemented any areas of what I've read or watched thus far with other resources such as youtube, wikipedia, google, forums. That being said, should I also try and read the Shon Harris text? Or focus on study questions/exams to test my knowledge and gaps and fill the knowledge gaps through additional research? I intend to purchase the Shon Harris book as a professional reference, but hope the Eric Conrad books will suffice for my focus of exam prep.

    Thanks!

    Since you plan to purchase the Harris book anyway, I would use that to fill the gaps after you do your quizzes or to look deeper into topics you are interested in. I don't know when your exam is, but 1400+ pages is a lot to read. I have the book myself and use it to supplement my weaker areas after reading the Conrad book and watching the cybrary videos. The testing software that comes with the Harris book is very useful as well.
  • BlackBeret Member Posts: 683 ■■■■■□□□□□
    Keep in mind the purpose of this cert. It's for high level security managers, not firewall administrators. It's for the people that need to understand a little about all of the various aspects of security. This is about learning a little about a LOT of different areas, and that book is designed to explain each area as if you're brand new to it. If you work in a security role you should understand least privilege, if you're managing security for any type of environment you should understand read up/down, write up/down and their various security implications.
  • g33k3r Member Posts: 249 ■■□□□□□□□□
    Excellent points. Sorry for hijacking the OP's discussion. Hopefully this is beneficial to them and others. By the time I am done with my study notes, they should be a great future reference for me as well!
  • gespenstern Member Posts: 1,243 ■■■■■■■■□□
    BlackBeret wrote: »
    It's for high level security managers, not firewall administrators. It's for the people that need to understand a little about all of the various aspects of security.

    As usual, I object to this "manager hat" perception regarding CISSP. It's technical, about 75%. Lots of crypto, AES and algorithms DES phases, IP protocol numbers, IPSec phases, TCP/UDP protocol numbers etc.

    Where does this manager hat perception come from? When tech people study for it they often run into new and unknown concepts, such as BCP, DRP, RA, stuff like that, and it is perceived as difficult because tech people don't deal with it that often. While technical stuff on the exam is perceived as easy because it's their everyday life.
  • BlackBeret Member Posts: 683 ■■■■■□□□□□
    You're welcome to disagree, but that's what it was designed for, security managers. It's designed to give them the technical basis in everything they may encounter when managing a well developed security program. In order to be an effective manager you need to know what you're managing. The technical portions you mentioned are only in one domain, hardly 75% of the test. It has technical aspects, but everything is usually at a high level.
  • gespenstern Member Posts: 1,243 ■■■■■■■■□□
    BlackBeret wrote: »
    that's what it was designed for, security managers. It's designed to give them the technical basis in everything they may encounter when managing a well developed security program.

    It is designed for a much broader audience than just managers, for example security engineers, security architects, security analysts, etc.
    BlackBeret wrote: »
    The technical portions you mentioned are only in one domain, hardly 75% of the test. It has technical aspects, but everything is usually at a high level.

    I just looked briefly at the new 8 domains and it looks to me that one of them (security and risk management) is certainly not technical (but certainly not 100% managerial) and two others contain some managerial stuff (operations security and asset security).

    So 1 out of 8 is somewhat managerial, 3 out of 8 contain some management stuff. And somehow it is an exam for high level security managers. Containing, just for giggles, questions on IPSec phases. Because how can managers manage people without this valuable information.
  • beads Member Posts: 1,533 ■■■■■■■■■□
    Here I thought the exam was created to assess and assert the candidate's overall knowledge and hopefully their skill in everything Information Security. Though initially coveted by high end, long term security techs and managers, it has now given way to the (ISC)2's need for quantity over quality. If you've paid attention to numerous threads over the years, people with actual InfoSec experience repeatedly tell you it's not a hard exam to pass - hence the technical nature of the exam. People who wail about how difficult the exam appears or was to take? Probably shouldn't have taken the exam in the first place.

    Oh and for the poster who thinks anyone saying they have more than a decade of experience is lying? I can safely state I had to start complying with HIPAA 18 years ago (GRC) and matching those feeble policies against my PIX firewall rules leading to my Security+, etc. Otherwise yes, most of these people were at best recalling the days of working in physical security as no one really gave a rat's rear about computer security. Though I brought down a mainframe in 1979 with a buffer overflow. Does that count as well? LOL.

    - b/eads
  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    Since this covers a wide range of topics and doesn't go overly deep, couldn't I apply those arguments as reasons a person new in Info Sec to take this test? To give them a good idea of everything Info Sec entails.
  • beads Member Posts: 1,533 ■■■■■■■■■□
    That's why we/the (ISC)2 rolled out the associate exam, isn't it? Well, add to that the ethical considerations needed to sit for the exam and you've already disqualified yourself as cheating. Signing off on the ethics portion of the exam both before and after is a key requirement to sitting for the exam. Something about integrity you could look up and explain to the rest of us.

    - b/eads
  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    Definitely, you won't get the CISSP accreditation until you get the required experience and will only be an Associate but I'm just referring to taking the test and knowledge a new person in Info Sec would gain from it. I'm not even studying for it yet so I'm not gonna act like I know, but do you think it would be beneficial for a new person to know all the domains it covers and have the knowledge to pass this exam?
  • Hunter85 Member Posts: 60 ■■■□□□□□□□
    Well, my point about the Bell-LaPadula model and Biba model: they can be explained in 2 sentences but instead of that it took 1 page each, and if you add up all the concepts the way this book explains them it makes 1500 pages.

    The same thing with CPU, just say it is the brain of the computer and that's it, but the book goes really deep into the architecture and provides deep detail about how the CPU works etc...

    I am 100% sure that there won't be any question about how a CPU works and if there are 2 processes, 1 in RAM, 1 in a register, which one will be executed first according to their priority and which core will take the job in a hypervisor where there are 3 virtual machines on an 8 core infrastructure...
  • dou2ble Member Posts: 160
    Hunter85 wrote: »
    Well, my point about the Bell-LaPadula model and Biba model: they can be explained in 2 sentences but instead of that it took 1 page each
    Maybe you already knew more, which will be enough, and the extra info is for the ones who are hearing about it for the first time. I know 2 people in the last few months who thought 2 sentences of knowledge was enough and didn't pass. Fortunately for you it sounds like you've read more than 2 pages. Unfortunately, you might not have actually read it. But maybe you could prove me wrong and explain all there is to know about the two models in two sentences to pass the CISSP. I'm being sarcastic, kind of...
    beads wrote: »
    Oh and for the poster who thinks anyone saying they have more than a decade of experience is lying?
    - b/eads
    Were they only talking about the US Federal Government's effort at C&A? I didn't see their post but it would've made me laugh.
    2015 Goals: Masters in Cyber Security
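Since BlackBeret's remark about read up/down and write up/down and the exchange between dou2ble and Hunter85 both turn on what the Bell-LaPadula and Biba rules actually say, here is an added example (my own, not from this thread, the AIO book, or the Conrad book) that encodes the read and write rules of both models and runs a few constructed access attempts through them. The four level names, the `Label` type, the sample subjects, objects and attempts are all assumptions made for the example.

```python
"""Bell-LaPadula and Biba rule checks over a small ordered label set.

Added illustration, not from the thread or from any book it mentions.
The four levels and the sample access attempts below are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Tuple


class Level(IntEnum):
    """Ordered labels; higher means more sensitive (BLP) or more trusted (Biba)."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula protects confidentiality.

    Simple security property: read only at or below your clearance ("no read up").
    *-property: write only at or above your clearance ("no write down").
    """
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba protects integrity and is the dual of BLP.

    Simple integrity property: read only at or above your level ("no read down").
    Integrity *-property: write only at or below your level ("no write up").
    """
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


@dataclass(frozen=True)
class Label:
    """A subject or object carrying both a confidentiality and an integrity label (assumed shape)."""
    confidentiality: Level
    integrity: Level


def check_access(subject: Label, obj: Label, op: str) -> List[str]:
    """Evaluate one access under both models; return the names of the violated properties.

    An empty list means the access is permitted by both models.
    """
    violations: List[str] = []
    if not blp_allows(subject.confidentiality, obj.confidentiality, op):
        violations.append("BLP simple security (no read up)" if op == "read"
                          else "BLP *-property (no write down)")
    if not biba_allows(subject.integrity, obj.integrity, op):
        violations.append("Biba simple integrity (no read down)" if op == "read"
                          else "Biba integrity *-property (no write up)")
    return violations


# Constructed sample attempts: (who, subject labels, object name, object labels, operation).
SAMPLE_ATTEMPTS = [
    ("analyst", Label(Level.SECRET, Level.SECRET), "plan.doc",
     Label(Level.CONFIDENTIAL, Level.SECRET), "read"),      # BLP read down: allowed
    ("analyst", Label(Level.SECRET, Level.SECRET), "notes.txt",
     Label(Level.CONFIDENTIAL, Level.SECRET), "write"),     # BLP write down: denied
    ("intern", Label(Level.CONFIDENTIAL, Level.PUBLIC), "config.ini",
     Label(Level.CONFIDENTIAL, Level.SECRET), "write"),     # Biba write up: denied
    ("intern", Label(Level.CONFIDENTIAL, Level.PUBLIC), "budget.xls",
     Label(Level.TOP_SECRET, Level.SECRET), "read"),        # BLP read up: denied
]


def audit(attempts) -> List[Tuple[str, str, str, List[str]]]:
    """Return only the denied attempts, each with the property it breaks.

    This mirrors what a reference monitor's denial log should record: the rule, not just "denied".
    """
    denied = []
    for who, subj, name, obj, op in attempts:
        violations = check_access(subj, obj, op)
        if violations:
            denied.append((who, op, name, violations))
    return denied


if __name__ == "__main__":
    for who, op, name, why in audit(SAMPLE_ATTEMPTS):
        print(f"DENY {who} {op} {name}: {', '.join(why)}")
```

Run it as a script and the three denied attempts are printed with the property each one breaks. The point worth noticing is the duality: the same subject reading a lower-labelled object is fine under BLP (read down) but a violation under Biba (read down), which is exactly why a system that cares about both confidentiality and integrity carries two separate labels rather than one.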
  • Roxton Member Posts: 17 ■□□□□□□□□□
    I have just attended the CISSP Boot camp this past week. The info was awesome, and the instructor did go into some detail on some of the larger domains, and then also provided a lot of additional study material.

    I am however grateful for the comments that are being shared here, as I am planning on writing in the next few weeks; I will be taking all the advice and counsel that was provided and applying it to my studies.
  • Sam_aqua Member Posts: 72 ■■□□□□□□□□
    @ beads / Others

    Do you mean the CISSP exam's level of questions is different if one takes the Associate level and a different level of questions if one takes the regular one?
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    Hunter85, you sound like someone who has no interest in this field at all, you almost display pride in not knowing things you don't expect to be in the exam.
  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    Sheiko37 wrote: »
    Hunter85, you sound like someone who has no interest in this field at all, you almost display pride in not knowing things you don't expect to be in the exam.

    +1, yea, I hate books that go into detail and help you understand the technology instead of just giving me the answers... It's almost as if the author actually expects you to understand the topics thoroughly. The nerve!