Venting
diabolusBR
Member Posts: 12 ■□□□□□□□□□
in SSCP
I find it really impressive that the two most used books nowadays can't agree on some aspects, even considering the information provided by the other wrong.
I've been using mainly the Sybex Study Guide 7th Ed. and Conrad's CISSP: Study Guide.
They both use completely different frameworks for mostly everything, but that is fine because everyone says the exam itself doesn't focus on specific frameworks but instead focuses on the overall process (which all in all always comes down to the PDCA model in pretty much everything).
But some specific things are absurd. I've come across several things like this while studying and even answering the same question on both test banks provided, each considering a different answer correct (even though both had each other's "correct answers" as well).
Here is an example:
Sybex book, Incident Response Steps. Step "Response":
Computers should not be turned off when containing an incident. Temporary files and data in volatile random access memory (RAM) will be lost if the computer is powered down. Forensics experts have tools they can use to retrieve data in temporary files and volatile RAM as long as the system is kept powered on. However, this evidence is lost if someone turns the computer off or unplugs it.
Conrad's book, Incident Response Steps. Step "Containment" (the equivalent to the Response used by Sybex's framework):
Containment might include taking a system off the network, isolating traffic, powering off the system, or other items to control both the scope and severity of the incident. This phase is also typically where a binary (bit-by-bit) forensic backup is made of systems involved in the incident. An important trend to understand is that most organizations will now capture volatile data before pulling the power plug on a system.
Conrad, Eric; Misenar, Seth; Feldman, Joshua (2012-09-01). CISSP Study Guide (Kindle Locations 7742-7745). Elsevier Science. Kindle Edition.
Comments
vanillagorilla3 Member Posts: 79 ■■■□□□□□□□
Maybe I'm misunderstanding, but they both sound correct. Sybex is correct in saying you can lose valuable data in RAM/temp files by powering off. Conrad's book says, and I quote your thread: "An important trend to understand is that most organizations will now capture volatile data before pulling the power plug on a system." It also just states that "containment MIGHT include..." Might being the keyword.
In some situations, it may be best to power off immediately. In others, you want to pull data that may be in RAM or temp files.
chrisone Member Posts: 2,278 ■■■■■■■■■□
They both are correct and I have gone through most of the 7th edition Sybex book. I understand the contradiction here and in fact this "containment" strategy is also mentioned in the 7th edition Sybex book as well. Forgive me for not searching for the exact paragraph right now since I am at work, but it's the only book I am using for this exam and I remember the Sybex talking about containment as well.
It's somewhat like a double-edged sword. Just a theory here, but containment is to isolate a serious issue. You can yank it off the network to contain the host without powering it off. Sybex is correct in that you should not power it off so you can go back and assess and analyse the host.
Conrad almost sounds like he kind of threw that "power off host" as an option. Not a valid solution but it IS in fact an option to isolate a situation whether it is ethical or not. He covers himself in the very last sentence too: "An important trend to understand is that most organizations will now capture volatile data before pulling the power plug on a system."
Powering off systems is not wise for forensics, but is a solution to isolate active incidents.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
diabolusBR Member Posts: 12 ■□□□□□□□□□
Here are some more:
Conrad: Tailgating / Piggybacking is the same thing
Sybex: Tailgating: When someone holds the door for you. Piggybacking: When someone enters with you without providing credentials.
Conrad: Directive is one of the Categories (also referred to as Administrative)
Sybex: Directive is a Type of control within the Categories (Administrative, Technical, Physical)
Conrad: Maintenance Hooks: "done by the programmers". Seen as a security flaw but not an attack / Backdoors: seen as attacks.
Sybex: Maintenance Hooks and Backdoors are the same thing.
cyberguypr Mod Posts: 6,928 Mod
You may be reading too much into it. For tailgating/piggybacking the essence of the term is the same: an unauthorized user follows an authorized user to gain access. A back door is something that bypasses access/security controls. It could be benign. A maintenance hook is a type of backdoor. As you noticed, they could be used interchangeably without losing the core concept.
You will find many instances of this. Try to strip this down to the core principles and think how you will apply it, rather than sticking to a black and white definition.
diabolusBR Member Posts: 12 ■□□□□□□□□□
I try to do this, but get angry as hell when I selected backdoor on one of Conrad's questions and the answer was actually maintenance hook and so on... This is the main reason why I noticed these differences. I usually read through this kind of thing but went back when I knew I selected the right answer but yet the respective test bank said I was wrong.
I remember one of the McGraw questions had this as well. I selected the answer that was the definition for the item in Conrad's book. WORD BY WORD (I picked up Conrad's book to double check) and it still said I was wrong. In this particular case I couldn't see what was different because I don't have the McGraw's book.
gespenstern Member Posts: 1,243 ■■■■■■■■□□
Agree with TS and disagree with ppl protecting the books.
Regarding the example in the first post: might means that it's allowed and a possible way to resolve under certain circumstances. Should not means that it's not allowed and prohibited. Contradiction is clear for me.
There is a lot of other stuff in other non-technical sections, especially on what constitutes what type of control (corrective, preventive, deterrent, detective, etc), frameworks, abstract matters such as security kernel and reference monitor, etc. I've posted here a bunch of them and I can tell that it always drives me crazy. Things should be certain because correct answers on exam and ultimately correct behavior in real world situations depend on it.
havoc64 Member Posts: 213 ■■□□□□□□□□
I read both during my study, and several others. I feel the Sybex book is the better one, that after taking and passing the test. What I will say is that it all comes down to the wording of the question. With all the examples you have given, they could all be correct depending on how the question is worded.
When looking at the term piggybacking or Tailgating in the books I have studied:
Eric Conrad book, Piggybacking refers you to Tailgating.
The Official CISSP Classroom book, only shows Tailgating.
Sybex Study Guide, I couldn't find the term Tailgating in this Sybex book, but Piggybacking was.
The Official (ISC)2 Study Guide had 5 references to Tailgating and it specifically mentions, "..the legitimate person will usually hold the door open for the attacker." It also mentions Piggybacking when talking about Turnstiles and Mantraps saying, "..unauthorized person following through a checkpoint....called Piggybacking or tailgating."
As it has been pointed out, SEVERAL TIMES, in this forum, there is no one book that will cover everything the CISSP tests for. And the information in Study guides is only a fraction of what you need to know for the test.
When taking the test it's VERY important to look at the adjectives and adverbs in the question. Read the question..SLOWLY. When I took the test, I read the answers before I read the question. Then I look at the question presented and find the actual question, the sentence with the question mark. I read it. Then I read the descriptive paragraph, looking for the descriptive words, the adjectives and adverbs. This helped me narrow down the answers.
Take the piggyback / Tailgating example. A question could be something like this:
You are an ethical hacker and hired to evaluate a company. The workplace Access is controlled by two-factor authentication. Employees are required to have an Access Card and a 6 digit Pin to enter the building. One morning you have several boxes of donuts to bring in and your arms are full, you notice that one of the employees, Mary, is ahead of you entering the building. As you get to the entrance, she notices your arms are full and opens the door and holds it open, allowing you to enter without an access card and pin. What type of attack have you just accomplished?
a. The Two-Man Concept
b. The Buddy System
c. Tailgating
d. Social-Engineering
In the above answers there are two right answers, C & D. Tailgating is a type of Social Engineering. If you pick D, you will have missed the question. C could have easily been Piggybacking, but it was pointed out in my CISSP class that they would never put two terms that mean the same in the answers, i.e. both Tailgating and Piggybacking as options.
When taking the test, read the questions carefully and discern what the question writer wants you to answer. Then use the knowledge you have acquired to pick the best answer that is presented. Don't argue in your head, "Hey! The piggybacking is the correct term for this question, why isn't it one of the answers?!?" Just look at the answers presented and choose the best one of those. Remember, the CISSP Certification exam is NOT a technical exam, it is not a Security+ or SSCP exam. The CISSP is a managerial exam, think higher level and study that way.
Look at some of the types of Cryptography. You can have encryption methods that are Block, Stream, Symmetric and Asymmetric and combinations of those. The objective for you and us to understand is how we as information security professionals can utilize a given type of crypto to secure the data we are charged with safekeeping. If you have a question on cryptography, look at the answers and choose the one that is most correct.
There are domains that each of us have difficulty with, mine was Software Development..I HATE Programming, I've always been a hardware and Directory guy, but I had to wrap my head around it and study it..ugh..
BTW, the question above is not a test question that I saw, it's only an example.
BTW, I have been in the IT world since the late 80's. And below is a list of what I studied for the exam.
Books and study Material in order of my purchase and reading.
(ISC)2 Official CBK - Hardest book I have ever read, so much fluff..
CISSP Study Guide, 2E by Eric Conrad
CISSP Study Guide 11th Hour by Eric Conrad
**CCCure Practice Exam
CCCure Review Notes
**Transcender Practice Exams
Sunflower Review Notes
**(ISC)2 Official Study Guide 7th Edition - Sybex
**Cybrary CISSP videos and MP3s.
**Combined Notes from here
**Quizlet (ISC)2 Official Flash Cards (These are free and are the exact same flash cards they gave us at the class)
**Official (ISC)2 Training Guide CISSP CBK - Official Training Guide from the class.
I read them all, cover to cover. The ones with the ** are what I think were most beneficial to my passing the exam. With the class I believe this is what helped me pass. From April to around August, I studied now and then, when I had time, mostly reading the Official CBK. From August until the Test, I studied for about 4-6 hours a day. If I had a break at work, in line for lunch and then 2-3 hours a night at home. I only took Sundays off. I took the official in person (ISC)2 CISSP Course from the 2nd through the 6th of November and sat for and passed the test on the 7th of November.
Good luck and I wish you the best.
cledford3 Member Posts: 66 ■■■□□□□□□□
I feel that in the end - it should not be possible to NOT be able to discern the EXACTLY correct answer to anything. Unfortunately, it appears ISC2 feels differently. I have found many inconsistencies between the various resources - including the AIO, Conrad, Official CBK (which also seems to contradict itself, WITHIN itself...), and the Sybex book - which also happens to be the new "official" study guide. How can there be discrepancies over the correct definition of a single term? This is indefensible to me. I do however agree that many answers are likely context based - but I still feel that there are often way too many discrepancies and that they exist (in my opinion) points to a failure, not some sort of higher degree of understanding that ISC2 in its infinite wisdom has determined the ultimate truth in a given matter.
Honestly, I believe it all points back to poor knowledge management. Test questions (from what I've heard) are authored/produced by active CISSPs. If true, ISC2 has essentially "farmed out" question generation to free labor. However, this leads to inconsistency and headaches for those hoping to sincerely study for and pass the exam.
Regarding the question about unplugging the computer - the Harris lectures suggest unplugging as the best course as well. Again context is important - but process is not to cover the 20% of unusual situations, it is to cover the 80-90 of the typical. If you are not going to give enough information to determine where the situation falls in the 80/20 rule - then the answer should ALWAYS be aligned with the best practice procedure.
The inconsistencies are VERY frustrating and I'm not willing to give ISC2 a pass - I think a lot of this is not due to some "higher level" of knowledge synthesis on their part, rather it is simply due to too broad an amount of material, with too broad a scope, that leads to conflict when a set of circumstances that is not well defined is applied to different points of view. This failure is generally perceived as some sort of mysterious nature about it all, with people second-guessing what is wrong with themselves, when it is really just a poor process on the other end. We tend to assume that those in positions of authority are infallible - but the reality is that there is often much going on "behind the curtain" that would completely alter our perspective if we knew about it.
emaz Member Posts: 34 ■■■□□□□□□□
I believe you are splitting hairs and, as others have suggested, looking too much into it. I know that the verbiage is a key part to this exam, however some of the terms that you have brought up are interchangeable. I wouldn't look too much into this and as you continue to study and use different materials you will begin to notice this more and more. The point is to just understand the concept of piggybacking/tailgating. Know when they would apply the best in a scenario that is presented to you and you will be fine.
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
For starters, the Sybex book is the official guide based on the CBK...Any conflict with Conrad's book, go with the CBK...especially for the exam.
The scenario you list...first says containment might include because it depends on what happened. Once the volatile data is captured, powering off the system is not an issue...although maintaining the state is not a bad idea. One might give you a more in depth answer but CISSP materials are generally pretty good across the board from my experience...and those are two of the best resources.
jonemac Member Posts: 11 ■□□□□□□□□□
Personality wise, literal people (like me - and probably you from what I just read) pretty much suck at these types of tests. Give me something that requires concrete answers and I'll ace it every time - no matter the complexity.
Over the years, I've gotten better at dealing with exam semantics, but it still takes effort to overlook the glaringly obvious (at least to me) inconsistencies in a lot of the available instructional material. Some of it can probably be blamed on cultural differences where one author grew up hearing the term "piggybacking" (which alludes to an agricultural setting) and another grew up hearing the term "tailgating" (more urban/city in nature) but not all.
Some of it is simply laziness on the author/publisher's part in an effort to meet a deadline.
User2097 Member Posts: 41 ■■□□□□□□□□
You just have to think how the situation applies to you. For example, in real life, I had to correct higher not to use a crack disc because it would violate the integrity of the computer (which was pulled off the domain for security purposes). CISSP has thinking questions, so you have to apply the best possible answer according to the situation.
Cert Goals: CISSP-ISSAP (May 2016) | CISM (2016) | GSEC (2016) | OSCP (2017)
College: MBA Project Management (2012) | Bachelors IT Management (2010)
Experience: Cyber Security, Information Assurance, and IT Management Officer
TheFORCE Member Posts: 2,297 ■■■■■■■■□□
Every example you have mentioned is a correct and different way to say the same thing. That does not mean the books contradict each other, they simply explain the same concept in a different way. This is actually the reason why someone should use more than 1 book as study material. There is value in it because it gives you another way of thinking, another way of expressing a concept. There is nothing in real life that can be explained or expressed in one way only. Once you realize that, you will understand the topics and the concepts better. The books actually complement each other, they do not contradict each other. You are expecting them to say the exact same thing? What would be the reason for having 2 books if they say the same thing then? Study a bit more and you will have better understanding. Study slower in order to comprehend what is being asked, covered and what the meaning is.