How was the CISM Today

Hi Guys,

I had CISM exam today and let me tell u that the exam was healthy difficult. Some questions were really difficult and conceptual and some where very straight forward.
Frankly I don't know the result. I want to hear from you also how u feel about the exam and ur experiences.

Thanks

Find more posts tagged with

Comments

Tongy

I found it very hard and hope that others felt the same!

eric_gokongwei

I found it hard as well. The questions from the database were quite far from the actual exam.

Ray_SA

I found the first 100 to be OK and got progressively more difficult into the last 100 Q's. But yes, was tough! You can't even compare the Q&A exam database to the exam, the were worlds apart in the degree of difficulty!

Tongy

I really found some of the questions obscure and some used terminology that I'd not encountered, so took a best guess.

If this is indicative of all ISACA exams, regardless of outcome when results come out, I don't think I'll be taking another (or retake CISM). It has been an expensive journey and I'm not sure how much the databases Qs helped, the manual was tedious and the exam confusing.... it's as if they ran out of real, well thought out questions to ask.

I'm hitting CISSP next year, I think.

mokaz

Tongy wrote: »

I really found some of the questions obscure and some used terminology that I'd not encountered, so took a best guess.

If this is indicative of all ISACA exams, regardless of outcome when results come out, I don't think I'll be taking another (or retake CISM). It has been an expensive journey and I'm not sure how much the databases Qs helped, the manual was tedious and the exam confusing.... it's as if they ran out of real, well thought out questions to ask.

I'm hitting CISSP next year, I think.

Yes i think you're right here, its expensive and well i've got to be honest the materials bored me real bad so i'd probably not retake if i failed. Though i take it this way, at least i know now that i do not have a very high respect over these certs.. I'd rather study hard for something that gets me some real knowledge, so after my OSCP, an OSCE or such. One guy at the test center told me that he thought the CISSP was obsolete and that is why he didn't took it, i felt like man, at least i came out of my CISSP with the feeling that i've learned some decent things - to me ISACA is too closed circuitry, there is nothing out there except their own study materials which makes your journey hard and expensive..

haa well, lets see the results now..

Cheers guys,
m.

tuabuikia

I personally think that I did 'Okay'; not too bad. I do agree with what some of you have mentioned. Some questions and answers seemed a little vague and obscure.

Also, I personally think that some of ISACA's questions and answers on the exam and QAE book reflects little on real-world requirement and they are dated; especially on the technical side. For example, on the QAE, ISACA considers stronger password to be the answer to brute-force attack. I personally think that account lockout to be a superior solution. Another example from the QAE is that ISACA believe that the number of administrator presents greatest threat to an internal wireless network. Personally, I believe that rogue AP presents greater threats in an internal wireless network. With that said, it would be difficult for someone like myself coming from a technical security background to accept these as answers let alone, present these solutions to the management if I am an Info Sec manager.

As far as similarity between the QAE and exam is concerned, there are a few similarities. A few forumers here have already pointed earlier that the questions on the exam will be different from the QAE but the 'tone' would be the same. I did noticed some question on the exam that was similar to the QAE. The answers on the exam, however, was somewhat 'diluted' to become vague / obscure but contain hints to be the correct one.

Tongy

Yes there were similarities... However I don't think that the questions bore close enough a relationship to the study material to allow the concepts to be applied.

The two questions that you quoted I got right, phew!nat least that 1%!

Mike7

Sometimes, you need to understand "the ISACA way" where certain assumptions are being made.

tuabuikia wrote: »

Also, I personally think that some of ISACA's questions and answers on the exam and QAE book reflects little on real-world requirement and they are dated; especially on the technical side.

For example, on the QAE, ISACA considers stronger password to be the answer to brute-force attack. I personally think that account lockout to be a superior solution.

Brute-force attacks use dictionary words for cracking, so a strong password prevents cracking. I used to host WordPress websites and attackers use botnets to carry out distributed brute-force attacks where each botnet will try 3 password combinations only. So account lockout will not help.

Account lockout mechanism usually has both a duration (e.g. 30 seconds) component and a number of invalid attempts component. Brute-force attacking tools can be customized to have fixed delays between attempts to prevent account lockouts.

andhow

Reasonable people can disagree on which control is more effective. ISACA's question review process should weed out questions like that.

mubashir@engineer.com

I also agree that questions in QAE book have a little similarity to the one which were exam. The first 100 questions were too confusing, the next 100 were not bad. My experience that the working experience in IT Security and compliance area is very important. Again what if you have to choose between password complexity and account lockout option for a system administrator? I will say account lockout. What is your opinion?. Any way that was good 4 hours exercise I completed in 3: 30 minutes and rest of the 30 minutes I used to just make sure I have spotted right answer to my answer sheet. Belive me 3 of them were at wrong places and couple of the questions on answer sheet I did not filled so revision of answer sheet will help to save at least 5 percent of score.

Mike7

mubashir@engineer.com wrote: »

Again what if you have to choose between password complexity and account lockout option for a system administrator? I will say account lockout. What is your opinion?.

Guys, I respectfully disagree.

What if your system admin password is password?

Will account lockout help? In fact, I do not even have to use a brute-force attack tool.
If account lockout works for 3 invalid attempts in 30 seconds, can the attacker tune his brute-force attack tool to try one combination every 15 seconds instead? With one attempt every 15 seconds, we get 240 attempts per hour and 3K attempts per day. All we need is someone with a weak password.

Just this year, someone "hacked" into 300 accounts to SingPass, which is Singapore's national identity authentication mechanism. The system has account lockout mechanism and implements captcha if your first 2 attempts are invalid. How did he do it? The 300 accounts have their userid as passwords.

Believe the password policy was "8 characters or more".

To be fair, we should implement both password complexity and account lockout. And for those who say "who will be so stupid to use password as their password?", I present 20 most popular passwords

Only non-IT personnel makes such mistakes? A senior app dev manager at a previous job had his team's development database server administrator account password as password. We discovered it while trying a free VA scan software.

Another IT manager default account policy for new employee is your first name as userid, and password is userid123. So my userid will be mike and my password is mike123. And he kept wondering how spammers managed to login to his mail server to send spam mail.

So a strong password policy is still a better control than account lockout.

tuabuikia

I believe there's 2 types of password attack here; a dictionary attack and a brute-force attack. The dictionary attack uses a pre-compiled list while brute-force attempts all possible combination with the advance ones capable of making assumptions as well.

With a dictionary attack, the effectiveness of it relies heavily on how comprehensive or extensive your list is. Brute-force on the other hand, I believe, depends on the computing resource the attacker has. Now, even if we do have a strong password, wouldn't it be just a matter of time before the machine successfully attempts all possible combination?

Now, for some of the cases you have cited, I believe they are blunders at every level of the security process. ISACA like any other professional body emphasizes on security participation on every level of the application development life cycle.

So during the development phase they should appropriately define validation rules to check if password is the same as the username as well as incorporating capabilities for administrator to specify password complexity, password length, password expiration and password history in the application.

Next is during acceptance testing phase. The compliance analyst performing hardening review must ensure that password parameter setting on the application is defined according to the established security policy and enforced in the application before signing off.

And lastly the procedure for generating new password and resetting password for user. Help desk team should note if the password is secure, created inline to the security policy and handed over to user securely. Security awareness training would also come in handy at this phase.

Again, I don't believe weak password alone is solely to be blamed for the incidents cited; a strong password definitely helps. But when dealing with brute-force attack, it would be a matter of time. I do agree with you that strong password must be used in conjunction with account lock out.

upnorth77

It's funny, I thought the first 100 were really difficult, but the last half were ok.

Tongy

upnorth77 wrote: »

It's funny, I thought the first 100 were really difficult, but the last half were ok.

Hilarious

Seriously though, I found that there were patches where I thought things were getting better then it all went vague again.

1 month today.

lbmetroguy

So results will be out on the 15th in the morning, is this the consensus?

Tongy

Yes, Friday 15th January at midday CST.