CISSP 2nd Attempt - 664
Hi Guys
My first attempt was somewhere in 2011, scored 575; the second attempt, recently this month, scored 664.
I read Sybex 7th Edition cover to cover at least 7 to 8 times,
CCCure - All questions
Eric Conrad - 2 times
Shon Harris - 3 to 4 times cover to cover.
Practiced almost all questions available on the internet.
My views about the exams:
First attempt
I focused only on Shon Harris.
It was a written exam, where I had to put a dot on a cardboard.
I found the exam very difficult. For e.g., in cryptography I knew what the types of attacks are, such as plaintext and ciphertext-only, but the question was drafted in such a way that I was clueless.
I can say 10% was objective, the rest all scenario based.
Second Attempt
A couple of days before the exam I was confident enough that I would nail it, as per my hard work and studies.
On the day of the exam, the very first question was why embedded systems are hard to hack into, and I cannot explain what options they had given; all sounded irrelevant.
Does anyone know what the total evacuation time in BCP is? Is it the time when people leave the building and reach the safe area, is it the time when people start leaving the building, etc. etc.?
I saw 50% on application security, 40% on cloud computing, 5% polyinstantiation, and 5% objectives.
It is very unfair that the questions are not divided equally domain-wise.
How am I supposed to know which document is signed, and for what, between the customer and the cloud security provider?
I must say, no matter how much you study from books or practice questions, the exam mostly relies on your extra knowledge, experience, common sense and above all "luck".
I will probably schedule this exam ASAP, but I don't understand what to study now and from where, as I left no stone unturned during the last preparation.
I would appreciate expert advice.
Thanks.
Comments
gespenstern Member Posts: 1,243 ■■■■■■■■□□
Not to be unexpected. What's your experience in the field? Do you have at least 5 yrs?
I passed it after I'd spent 13 years in the industry.
dhay13 Member Posts: 580 ■■■■□□□□□□
That was going to be my question: how much experience do you have in this field? A few of the questions you asked seem to be real-world related.
I have about 10 years of experience, 6 full-time, and recently passed on my first attempt. I focused on Sybex 7th and cybrary.it. But I have to say, if I didn't have the experience I don't think it would have mattered how long I studied or what materials I used.
For example, the embedded systems question would depend on the answers given. Sometimes embedded systems are not on the network, making them very difficult to hack. If they are on the network they often lack the security systems of other devices, so in that sense they may be easier to hack. You have to see what answers are available before you can figure out the correct one. One of the nuances of this test is that it is heavily dependent on reading apprehension.
simondeys Member Posts: 13 ■□□□□□□□□□
Thanks for your replies,
I have more than 5 years' experience in information security and infrastructure.
If we talk about experience, can a guy even with 16 to 20 years' experience answer questions like the below?
- How is total evacuation time calculated in BCP? (I didn't find any material which has an answer.)
Maybe someone with only BCP experience can answer this.
- What document, and why, is signed between the customer and the cloud security provider?
I asked my service provider, and his answer was not even close to the options given in the exam.
- 3% of questions on ATMs (ATM cash machines, not Asynchronous Transfer Mode); yes, it was mentioned with the full name.
Which infosec-experienced guys can answer on ATM cash machine internal security?
These are only a couple of examples; I saw tons of queries which were far beyond the scope and difficult even for an experienced guy.
My question here is, what should be the next step, what else should I cover, as I am very well versed with Sybex 7th edition cover to cover?
I have no worries about giving another try anytime. I am more afraid if the same questions get repeated.
jazz_01 Member Posts: 65 ■■■□□□□□□□
Sybex Book is a good course for the preparation, but I think you should keep working on labs and simulators more. I was also facing the same problem, failed my exam once, but one of the experts suggested I try out uCertify labs and simulators, which I got free access to for 15 days and then bought for $90. It has helped me out to pass my exam, thank you #uCertify.
You can check out the CISSP labs at www (dot) ucertify (dot) com.
dhay13 Member Posts: 580 ■■■■□□□□□□
Hard to say about your answers above without seeing the entire question, available answers, and context of the question, but think of it this way...
If management was conducting a fire drill, when do you think they would likely start the timer? Likely as soon as a fire is alerted. So my answer would be from the time the fire is alerted until the last person reaches the rendezvous point. I think I remember seeing this question somewhere too but can't recall where.
The other question about a cloud partner? I would say most likely the answer would be SLA (Service Level Agreement). That is usually the most important document when it comes to service-type arrangements.
As far as ATM? Not sure what the question asked.
But again, it depends on the context of the question.
anthonx Member Posts: 109 ■■■□□□□□□□
The term commonly used by our service provider is SLA, but in the contract the cloud provider also calls it master service agreement or MSA. I don't know the difference. Maybe someone else can provide the explanation. Just sharing...
AnthonX
dony2015 Member Posts: 27 ■■■□□□□□□□
I failed a second time on December 19. I had the same problems as this poster. So many cloud questions I did not see anywhere in the books I used. First it was polyinstantiation, then the cloud questions. I don't know what other material to use to support the ones I already have. Failing this again is not an option. I went over the Cybrary videos over and over, bought another video from Udemy for the 10 domains. Used all the books available. I was still hammered on Domain 8, i.e. Software Development Security, with polyinstantiation questions and cloud questions which have nothing to do with PaaS, IaaS, etc. Just have to think about my next line of action before taking CISSP head on again.
lucky0977 Member Posts: 218 ■■■■□□□□□□
What are you not getting about polyinstantiation? You should only need the high-level concept, such as it being used in a database scenario. Two users with completely different security clearances will physically be able to see the same instance in a database, but logically they are different, as there is information for one classification level and information for another classification level. I don't remember what kind of questions I had on cloud, so I couldn't help you there.
Bachelor of Science: Computer Science | Hawaii Pacific University
CISSP | CISM | CISA | CASP | SSCP | Sec+ | Net+ | A+
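The database scenario lucky0977 describes, as an added example (not code from any poster): the classification level is part of the primary key, so the same logical record can exist once per level, a low-cleared user's insert is not rejected (rejecting it would reveal that a higher-classified row exists), and each reader gets the instance at the highest level they are cleared for. Table, flight names and clearance labels are constructed for illustration.

```python
import sqlite3

# Constructed clearance ordering for this example; a higher number is more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}


def setup_db():
    """In-memory table keyed on (flight_no, classification).

    With flight_no alone as the key, a low-cleared insert would fail with an
    IntegrityError whenever a hidden higher-level row existed, leaking its
    existence. Adding the classification to the key is what allows
    polyinstantiation: one logical record, several physical instances."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE flights (
               flight_no      TEXT NOT NULL,
               classification TEXT NOT NULL,
               destination    TEXT NOT NULL,
               PRIMARY KEY (flight_no, classification))"""
    )
    return conn


def insert_row(conn, flight_no, destination, user_level):
    """A user writes at their own level. Rows at other levels are untouched,
    so two users may hold different 'truths' for the same flight."""
    conn.execute("INSERT INTO flights VALUES (?, ?, ?)",
                 (flight_no, user_level, destination))
    conn.commit()


def read_row(conn, flight_no, user_level):
    """Return the destination this user sees: the instance at the highest
    classification at or below their clearance, or None if nothing is visible."""
    rows = conn.execute(
        "SELECT classification, destination FROM flights WHERE flight_no = ?",
        (flight_no,)).fetchall()
    visible = [(LEVELS[c], d) for c, d in rows if LEVELS[c] <= LEVELS[user_level]]
    return max(visible)[1] if visible else None


def demo():
    conn = setup_db()
    insert_row(conn, "FL100", "Secret Base", "TOP SECRET")  # the real record
    insert_row(conn, "FL100", "Hawaii", "UNCLASSIFIED")     # cover story; no error raised
    return (read_row(conn, "FL100", "TOP SECRET"),   # "Secret Base"
            read_row(conn, "FL100", "UNCLASSIFIED"), # "Hawaii"
            read_row(conn, "FL101", "TOP SECRET"))   # None: no such flight
```

A SECRET-cleared reader also gets "Hawaii", the highest instance at or below their level; the TOP SECRET instance is invisible to them without any hint that it exists.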
kabooter Member Posts: 115
Hang on Guys
I think I know what is going on. I think.
A lot of new stuff was added to the exam in 2015. A lot of it is covered in the CBK Green book. Not in others.
BUT
a lot of it is NOT covered anywhere. We need to find the resources. So I am adding some resources here from Clement's site AND requesting all of you to please list more such resources here in this thread. W/o these resources there is hardly any chance of cracking the exam.
· Read about the newly added content
  o https://cccure.training/m/articles/view/CISSP-CBK-2015-WHAT-WAS-ADDED
CISSP® CBK® 2015 WHAT WAS ADDED
WHAT IS NEW WITHIN EACH OF THE DOMAINS
Below you have the list of new domains on the left and the new topics that were introduced within each of the domains on the left. I welcome your help to complete it with even more details. If you know of topics and links that could be added, please send an email to support@cccure.com and let me know.
NEW DOMAIN NAME / NEW TOPICS THAT WERE ADDED

Security & Risk Management
- Threat Modeling: more details were added about threat modeling.

Asset Security
- Acquisition: integrate security risk consideration into acquisition and practice (hardware, software, and services).
- Third-party assessment and monitoring (on-site assessment, document exchange and review, process/policy review).
- Minimum security requirements.
- Service-level requirements.

Security Engineering
- Mobile Systems: this is NOT referring to phones and other tools. It is referring to laptops as mobile devices and the risk associated with those mobile devices.
- Internet of Things (IoT):
  Welcome to the Internet of Things. Please check your privacy at the door. | ITworld
  https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices
  How to Build a Safer Internet of Things - IEEE Spectrum
  The Cyber Defense Magazine also has some interesting articles on the challenge of IoT.
- Embedded Systems: smart appliances, devices with a computer.

Communications & Network Security
- Converged protocols (e.g., FCoE, MPLS, VoIP, iSCSI).
- Software Defined Networks
  See: https://www.opennetworking.org/sdn-resources/sdn-definition
  Video to watch: https://www.youtube.com/watch?v=DiChnu_PAzA
  If you wish to learn more: https://www.youtube.com/watch?v=l25Ukkmk6Sk
- Storage and Network Convergence: iSCSI and FCoE
  http://www.redbooks.ibm.com/redbooks/pdfs/sg247986.pdf
  Read chapter one of the document above for a quick overview.
- Content Distribution Networks: Akamai, Cloudflare, Amazon CloudFront and others.

Identity and Access Management
- Session Management
  Desktop sessions can be controlled and protected through several means including but not limited to the following: screensavers, timeouts, automatic logouts, session/login limitation, schedule limitations.
- Registration and proofing of identity.
- Cloud identity services.

Security Assessment and Testing
- This is mostly a new domain that goes into a lot more depth about security assessment and penetration testing. The two documents below will give you most of what you need to know.
  See: Penetration Testing Guidelines from the PCI DSS Council
  https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
  And NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
  http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

Security Operations
- Asset management and asset inventory
  https://www.sei.cmu.edu/productlines/frame_report/config.man.htm
- Configuration Management
  http://acqnotes.com/Attachments/IEEE%20Guide%20to%20Software%20Configuration%20Management.pdf
- Whitelisting and blacklisting: understand advantages and disadvantages.
- Coverage of sandboxing
  http://en.wikipedia.org/wiki/Sandbox_%28computer_security%29
- A bit more detail on patch management technologies
  http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf
  Read chapter 3 of the document above about the challenge of patch management.

Software Development Security
- Integrated Product Team (IPT)
  http://www.acq.osd.mil/se/docs/DoD-IPPD-Handbook-Aug98.pdf
- DevOps and its principles
  The Three Ways: The Principles Underpinning DevOps - IT Revolution
  http://theagileadmin.com/what-is-devops/
- Software Assurance
  http://en.wikipedia.org/wiki/Software_assurance

Clement and Nathalie
Source : http://www.techexams.net/forums/isc-sscp-cissp/115615-cissp-passed-11-23-2015-3-weeks-focused-study.html
Source: https://cccure.training/m/articles/view/CISSP-CBK-2015-WHAT-WAS-ADDED
PS: If moderators think it is not proper to copy and paste links from Clement's site, please remove it.
dhay13 Member Posts: 580 ■■■■□□□□□□
I remember reading quite a bit on polyinstantiation but not quite sure where, so I will list my sources:
Sybex 7th
cybrary.it
skillsoft (free through my employer) - mainly just used the practice tests
FedVTE (free for military (or ex-military), and anyone with a .gov email address) - started with this, so it has been a long time since I have looked at it
and that pretty much covers it there. I would THINK it would have come from Sybex, as that was the only thing I looked at for the last 4 weeks and I remember reading quite a bit about polyinstantiation shortly before my test.
jcundiff Member Posts: 486 ■■■■□□□□□□
"The term commonly used by our service provider is SLA, but in the contract the cloud provider also calls it master service agreement or MSA. I don't know the difference. Maybe someone else can provide the explanation. Just sharing..."
An MSA is the main 'contract' between a vendor and client... an MSA may contain multiple SOWs/SLAs... an SLA is typically a metric within the SOW/SLA.
SLA example: "A 2-4 hour resolution time to a sev1 incident is an SLA that may be defined in an MSA."
Hope this helps.
"Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
Mike-Mike Member Posts: 1,860
As someone with their test scheduled in less than 2 weeks.... this motivates me to quit wasting time online and start studying.
Currently Working On
CWTS, then WireShark
jt2929 Member Posts: 244 ■■■□□□□□□□
I can tell you from experience that "luck" had no part in me passing the exam. Quit thinking like that, study the material required, and pass the exam.
simondeys Member Posts: 13 ■□□□□□□□□□
Dear jt2929
When I say the "luck" factor in passing, it means the question set might have been much easier. As you know, ISC2 says "they change the exam content to maintain the integrity".
I see guys with 10 years' experience and years of hard work fail to clear the exam; on the other hand you can see posts with half of the experience and 3 months' preparation who pass on the first attempt. The funny part is I read one Einstein post where he had experience of 6 months, he studied for 3 weeks, and he actually passed.
How do you explain this?
lucky0977 Member Posts: 218 ■■■■□□□□□□
"Dear jt2929
When I say the "luck" factor in passing, it means the question set might have been much easier. As you know, ISC2 says "they change the exam content to maintain the integrity"."
Experience plays a major factor. As far as luck in this exam, all questions are equally difficult and you pretty much have a 50/50 shot at answering the questions correctly, as two answers are obviously wrong and the other two answers seem to be the correct answer to the question.
It's pretty much 50% reading comprehension / 50% infosec related. The key is reading the entire question more than once, maybe 3 or 4 more times, before answering the question.
Bachelor of Science: Computer Science | Hawaii Pacific University
CISSP | CISM | CISA | CASP | SSCP | Sec+ | Net+ | A+