Passed - Nov 9

ViKiJaan Member Posts: 7
Hey Everyone :)

Needed to do the customary "Passed" post as well as tell you guys my journey to hopefully help some people achieve their goal of passing the CISSP. I know I've read forum posts every single morning for the past 4 months to help tailor my studying.

A little bit of background information about me:
Jan 2012 I worked IT Helpdesk straight out of university for a hospital. 6 months later I became a senior analyst for access administration. After about 1 year dedicated to the user provisioning process (including process development), I spent about 2 years on various projects from an access point of view including an Identity and Access Management project which I was the technical lead for. This project actually got me thinking from a security point of view (other projects included implementing auditing software, and privileged account management software as well as consulting for security perspectives). Last year I did a 1 year internal auditing course at a local university. This previous April I wrote the Security+ after 3 days of studying to be eligible to apply for a Security Analyst opening. Officially became Security analyst this previous July with a contract condition of passing the CISSP (exam only) before the calendar year end. During these previous 4-5 months I've been exposed to various security tools and methods. I was also lucky because the portfolio of my extended team (outside of access administration but under the same director) included Change Management, DRP, Lifecycle Management, Privacy and Security.

Resources Used:
Shon Harris AIO - I feel this was probably the best book to use if you're not familiar with the topics. Yes, it may be verbose (as is this post!) but the explanations are spot on. I found some of the jokes in there had me chuckling (a user sets his password to 'Iw3arPanTie5' or something like that??). I also had the Shon Harris practice exam book that is separate. Did spot checks (randomly flipped open the book to a page, did 2-3 practice questions, flipped to a random page, did 2-3 practice questions). These questions are good to make sure you understand the concept. I actually feel like the scenario based questions are well formatted and were of similar format. I made no notes and pretty much read this like a novel.
Eric Conrad 11th Hour - I loved this review book. Just down to the facts and details. Used this in my last two weeks as many had suggested. This was perfect to cut out all the unnecessary words, examples, etc. Pretty much definitions of key terms and such. Probably my favorite part of studying. It helped prime my brain and made me realize I know/remember a lot more than I thought I did. Again, read this the same way as AIO.
Cybrary videos - Started watching these. Got about 80% of the way through. They were good for certain topics for me. I felt they were a little slow paced, and then someone mentioned to watch them in 1.8x speed. I was going to rewatch them ALL and review, but ended up not doing it. Watched these about 3-4 weeks prior to my exam. Still no note taking. These helped me identify areas to which I should focus my review. I wanted to learn from all domains equally first. Then I wanted to use a review to reinforce the areas I should end up focusing on. I think the most important part about these videos was Kelly quantifying the number of questions we might get. It's easy to say oh you'll get a few questions - well what's a few questions out of 250 questions? Kelly helped quantify by saying you'll get 10 questions or you'll get 50 questions (obviously examples!). Helped me tailor my exam review.
CCCure practice engine - Bought a three month subscription, let about 1.5 months go to waste. Only really started using it in my previous week or so. Did about 1000 questions altogether. Did about two 250-question exams. I'm a fairly quick test taker. 250 questions I would complete in about an hour - an hour and a half. I would purposely have background noise (my nephew would be playing and laughing in another room, or kids in my house playing with toys that make sounds etc). I have difficulty concentrating in completely quiet environments if it's not a real exam. Also, I prefer to gauge my ability while I'm not giving 110% of my attention to the questions. For some reason this gives me a higher comfort level that I was able to score 80-90% on CCCure tests (always taken on hard) while going through it quickly (this is just how I grew up studying! Please use your own study style of course!!)
Combined Notes/Sunflower Notes - Sunflower notes I went through every single detail, again, only reading through it. No real memorization. Combined notes I read through the first 30 pages or so (until enterprise architecture). My studying style (if you haven't realized by now :) ) is I quickly absorb information in the first pass (80%?) and then subsequent passes through help fill information or strengthen associations between the two.
CISSP - Sybex study guide - My LEAST favorite of all of the resources. Again, read through it, no notes. Read through the first 300 pages. Then began skimming every page based on section headings/titles. If I felt comfortable with it, I skipped it. If I felt it had new information, I would read it. I ONLY used this book to fill gaps for the new information (which to be honest? wasn't very much at all!). For me, there's a few things I do not like with the book. 1) Its organization. Sure, it's broken down into smaller manageable chapters which I love. Allows you to feel like you're making more progress (example - if chapter completions are a milestone, then overall you feel like you're progressing better than Shon Harris's 250 page Network chapter) and it allows for more frequent and more end of chapter questions. What I didn't like, however, of the organization is that the book would jump back and forth between topics, between chapters. For example, it has a BCP chapter. But then it'll have a DRP chapter 15 chapters later. It'll have a backup chapter or section scattered throughout the book. The risk analysis chapter may then be somewhere between the BCP and DRP chapter whereas it's a fundamental topic for both. Redundancy might be discussed in chapter 6, but only in the context of hard drives. Redundancy will then be revisited in the networking chapter, and again in the DB chapter, and again in the operations chapter, etc etc. So what made this challenging for someone like me who was just looking for the new content is that Cloud computing would be scattered throughout all of these chapters. It would have been helpful to have a chapter dedicated to JUST cloud computing and knowing its different aspects inside and out. What threats are associated with Cloud computing? Legal requirements? The different types of cloud computing etc. It helps paint an overall picture better in my opinion and allows for logical flow of the book.
I skimmed the remainder of the book but did not find any of it helpful. 3) I found that while Shon Harris explained the importance of several concepts in real-life examples, this book was very technical. Presenting mathematical formulas and information about cryptography? Not ONE bit of it was needed. There were also concepts which Shon Harris spent a good paragraph or page explaining (at least! and I'm talking important topics) and the Sybex book briefly mentioned in a sentence. Made it seem like it wasn't a big deal. If I was going based just on this book, I wouldn't have understood the topic, wouldn't have remembered it, nor would I have been able to link it in different ways to different domains.
TechExams.net - Yes this was a HUGE resource for me. Reading up on everyone's experiences, their resources, and even their exam experience. Helped me mentally prepare as well as further tailor my studying (focus on BCP/DRP, risk management, etc).

Further study strategies:
I'm a big supporter of studying smarter, not harder. I believe in maximizing your ROI. So I didn't bother memorizing any key/block sizes for encryption. As long as I knew which ones were asymmetric vs symmetric, as long as I understood how they can be used together, or what services they offered, etc. I wanted to understand HOW they worked (ie. HOW does Kerberos work, not necessarily every single detail of every single step). Based on Kelly's guidance as well, things like the legal chapters were skipped almost in their entirety. I didn't bother reading the name of any laws, didn't bother too much with anything that required memorization. If I could rephrase it and explain it, I was good with it. Some things that required memorizing, I would make patterns instead. Such as Type I error vs Type II error. Type I, you can turn the I into R (R stands for false rejection). Type II, you can turn the II into A, meaning false acceptance rate. Rows are tuples and columns are attributes (because T is closer to R and A is closer to C in the alphabet). My mind looks for patterns or makes these types of links to help remember things. Another example is POP3 uses port 110 - how do I remember? The backbone of each P makes a 1 and the O is zero (110). IMAP is port 143 - the I is made of 1 line, the M is made of 4, and A and P combine to have 3 - therefore 143 :) Anyhow, moving on.

Actual exam experience:
Went to the test center, put all my things in the locker. Went into the exam (very nervous - not knowing what to expect). Started the first 10-15 questions, probably flagged 5-10 questions. Then I started gaining confidence. I found that in every single question I was able to eliminate at least 1 (I'm going to say I was able to eliminate at least 2 for about 75% of the questions). Except for about 5 questions which I had no idea what they were talking about just because I didn't know the term (it was for a newer topic not well covered in the Sybex book). I did my first pass in about 1.5 hours. This left 15 blank which I just didn't feel like thinking about in the beginning, and an additional 35 flagged for review. I only reviewed the 50 flagged/blank questions so in about 2-2.5 hours I was done with the exam. I took two 5 minute breaks. Bathroom, granola bar + Red Bull in each break (half the can in the first break, second half of the can in the second - didn't take two complete Red Bulls!). Felt pretty confident about the exam and hit submit. Heavy heavy heavy on DRP/Risk management/Access domain. All three of these played to my advantage - experience from the access domain from work. DRP/risk management was from the 1 year internal auditing course I took from the university (at that time no intent of CISSP). I actually feel that internal auditing course prepared me way better than ANY of the materials listed above. I should say I used the Microsoft Security+ exam book to study for Sec+ and I feel that covered the technical aspects of the exam, and my internal auditing course covered process portions, so the entire CISSP exam and materials felt like a complete review for me. Went to the counter, and got the Congrats page :) If all goes well I should get my 5 year completion end of January 2016. There were quite a few give-me questions. VERY non-technical exam, based on process or logic (this doesn't mean you don't have to know the different types of network attacks - you can know what they do or how they're initiated, but you don't need to know bits #6-50 need to be modified to carry out an Xmas attack). All in all, I was surprised by how easy it was (without sounding cocky). The Sec+ exam was way more technical than this. I feel if you were able to pass Sec+ and know the material, you're more than well prepared technically for this exam.

I'm more than happy to answer any questions. I know this community has helped me out tremendously in the days leading up to the CISSP. I'd like to be an active member and give back as much as I can.

Sorry for the long post!

Cheers!

Comments

  • CLICK Member Posts: 88
    thanks for sharing and BIG Congrats on the Pass !!!
  • g33k3r Member Posts: 249
    Congrats on the pass and detailed info! When you said it was heavy on the Access Domain for your exam did you mean Identity and Access Management?
  • Mike7 Member Posts: 1,107
    Great review and congrats!
  • clarkincnet Member Posts: 256
    awesome.. thank you for the detailed review!
    Give a hacker an exploit, and they will have access for a day, BUT teach them to phish, and they will have access for the rest of their lives!

    Have: CISSP, CISM, CRISC, CGEIT, ITIL-F
  • harrym1 Member Posts: 27
    ViKiJaan,
    Congratulations and thank you for a great review.

    Do you have a link where I could get more information on the
    internal auditing course?
  • trigoman Registered Users Posts: 4
    Congratulations
    :)