PASSED 11/26/2018 CCSP 30 days....

Hello TE,

I wanted to create this thread for a few reasons. One, to give others some insight and hopefully help them prep for this exam and two hold me accountable.

I am 30 days out from the CCSP, my first less technical cert and my first ISC2 cert. So far up to this point I have read the CBK, the CSA Guide (v3.0) and a few NIST and ISO documents in preparation. I am half way through the Cybrary videos, which are pretty good!

My employer paid for a bootcamp, which I attend the first week of October. I plan on taking the CCSP around October 11th.

My background:
Started in IT in 2013, 6 months of helpdesk, 24 months in a MSP, 18 months in a Bank/network engineer, 9 months as a security analyst for a cloud company. I have a BS in MIS, some certs and a mostly technical background.

The plan:

Complete the CBK end of chapter tests, making flash cards as I go (posting them here)
Read the Sybex CCSP study guide
Complete the Sybex end of chapter tests, more flash cards....
Finish the Cybrary videos
Read/analyze NIST, EINSU, ISO and other standards/frameworks/publications
Review the CSA v3 Guide again
Bootcamp week
Last minute review (1-3 days)
Sit for exam

Ill post progress and flash cards as I complete them.

Flash cards (updated as I complete them):

Domain 1
https://quizlet.com/313748684/ccsp-domain-1-flash-cards-2018-flash-cards/

Domain 2
https://quizlet.com/313874911/ccsp-domain-2-flash-cards-2018-flash-cards/

Domain 3
https://quizlet.com/314689850/ccsp-domain-3-flash-cards-2018-flash-cards/

Domain 4
https://quizlet.com/314712711/ccsp-domain-4-flash-cards-2018-flash-cards/

Boson questions flash cards:
https://quizlet.com/314234345/ccsp-flash-cards-boson-2018-flash-cards/

Find more posts tagged with

Comments

--chris--

Domain 1 CBK Flash Cards
https://quizlet.com/313748684/ccsp-domain-1-flash-cards-2018-flash-cards/

PCTechLinc

This is definitely one I want to get eventually. I've heard it's a bear, even for those who already have CISSP. I might consider this after I renew my CCNA. I look forward to seeing your review. Best of luck!

--chris--

PCTechLinc wrote: »

This is definitely one I want to get eventually. I've heard it's a bear, even for those who already have CISSP. I might consider this after I renew my CCNA. I look forward to seeing your review. Best of luck!

I've heard the difficulty was also very high and then I hear that its not that bad. Who knows? I will in about a month! I have a free retake if I fail (via the bootcamp), so I do have a plan B.

cyberguypr

Make sure you do CSA guide V4.

--chris--

cyberguypr wrote: »

Make sure you do CSA guide V4.

Nice catch, thanks.

Ahem....V4:

https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/security-guidance-v4-FINAL.pdf

--chris--

Domain 2 CBK Flash Cards:
https://quizlet.com/313874911/ccsp-domain-2-flash-cards-2018-flash-cards/

Hours today: 3.75

Info_Sec_Wannabe

Subscribed to the thread...

vCISO2017

Best wishes for the exam - any questions fire away here and we'll do our best to answer.

--chris--

vCISO2017 wrote: »

Best wishes for the exam - any questions fire away here and we'll do our best to answer.

Did you "take" the end of chapter tests in the official CBK? If yes, how is the wording compared to the actual exam? I worry that I will know the concepts but make mistakes because I have read a few times that the wording can be confusing.

--chris--

Flash Cards taken from topics I struggled with in the boson engine....

https://quizlet.com/314234345/ccsp-flash-cards-boson-2018-flash-cards/

1 hour today

4.75 total

vCISO2017

Sure did - wording does not accurately reflect the exam - too specific in the book - the exam is more vague and in a lot of areas uses different terminology to the texts. However by doing the questions\answers in the book you are reinforcing your core CCSP knowledge and that does help your ability to read the question and interpret what they are looking for.

--chris--

vCISO2017 wrote: »

Sure did - wording does not accurately reflect the exam - too specific in the book - the exam is more vague and in a lot of areas uses different terminology to the texts. However by doing the questions\answers in the book you are reinforcing your core CCSP knowledge and that does help your ability to read the question and interpret what they are looking for.

Thanks for the feedback, this makes sense....Its kind of what a lot of exams are like.

Domain 3 Flash Cards:
https://quizlet.com/314689850/ccsp-domain-3-flash-cards-2018-flash-cards/

Domain 4 Flash Cards:
https://quizlet.com/314712711/ccsp-domain-4-flash-cards-2018-flash-cards/

I also spent some time getting familiar with ISO 27034-1 (Application Security Management Process creation aka ASMP) and understanding the STRIDE threat model process. These are both domain 4 related.

Edit: Worked on Domain 5 test for 45 minutes, discovered the official CBK has 22 questions in the test and only 21 answers in the key...... -_-

Hours: 4.75+1.5 today

6.25 total

--chris--

There was another thread here where I was asking questions about boot camp providers, I went out on a limb after getting mixed answers and just picked one of the "big" ones. I used Trainingcamp.com, they pay for a retry if needed, they are a ISC2 partner and the class was offered online.

I mention all of that because some people were interested in how this went, so here is a continuation of my experience with them so far.

I booked the camp mid July for October. I received an email yesterday from them telling me the October bootcamp was cancelled, no explanation, and they asked if I could select another date (there are two left). I am worried the other two might get cancelled like the first one did, they won't offer a guarantee that the class will run and the best I can do is sign up for another class and wait it out.

So far, not so good. I need to sit for the exam this year because of my "goals" at work, if this gets bumped again I will be getting a refund.

--chris--

I went two days this week without studying (ahhhhhh!). However learning how to use Powershell with APIs; totally worth it. My new boot camp date is mid November, so I have more time to prepare....

userav

highly recommend ： CCSP Official (ISC)2 Practice Tests by Ben Malisow
CCSP Certified Cloud Security Professional All-in-One Exam Guide by Daniel Carter also helpful

ecuison

userav wrote: »

highly recommend ： CCSP Official (ISC)2 Practice Tests by Ben Malisow
CCSP Certified Cloud Security Professional All-in-One Exam Guide by Daniel Carter also helpful

I second, study material from Ben Malisow. I got his Offical CCSP study guide as well as the test questions. I also used cccure test questions for both knowledge and endurance for the exam.

--chris--

userav wrote: »

highly recommend ： CCSP Official (ISC)2 Practice Tests by Ben Malisow
CCSP Certified Cloud Security Professional All-in-One Exam Guide by Daniel Carter also helpful

Thanks, both of you. I will order these up.

Shifting my focus back to this exam as I am about 30 days away from the bootcamp then the exam.

Domain 5 Flash Cards:
https://quizlet.com/315153871/ccsp-domain-5-flash-cards-2018-flash-cards

While my focus was else ware I still spent some time everyday reading the Sybex exam guide co-authored by Malisow. It is much easier to read than the CBK but I still struggle with the required discipline to tear through it quickly.

--chris--

Domain 6 Flash Cards:

https://quizlet.com/328584277/ccsp-domain-6-flash-cards

--chris--

I received the trainingcamp.com materials last Friday and started working through the PDF used in the nightly review of the class. Good news / uncertain-category news.

Good news, I appear to be doing well with Domain 1 topics. On the 50 question practice exam I scored a 93%.

The uncertain-category news, the practice exam had two questions with wrong answers

I contacted the rep and let them know.

I have a feeling the legal/compliance domain will be my weak spot so I will be working on that next.

vCISO2017

Chris, you know you are ready to sit an exam when you are correcting answers in practice exams!

--chris--

vCISO2017 wrote: »

Chris, you know you are ready to sit an exam when you are correcting answers in practice exams!

Ha! I wish! This was low hanging fruit the question was regarding the CIA triad...and it said the "A" stood for authorization (CIA triad = Confidentiality, Integrity, Availability). That was beat into me on day one of my BS from school in 2013!

Something I am getting hung up on is the "roles" in data ownership. Talking (or typing) through it here can help me figure it out and as always, input is welcome!

There are 6 roles in data handling per the CCSP outline.

Data Subject: the subject of the personal data
Data Controller: the entity that determines how/when/if data is processed
Data Process: the entity who processes data on behalf of the data controller

Now the three that I foresee some trouble....

Data Steward: the entity responsible for the content, context and integrity of the data

Data Custodian: the entity responsible for the secure transport, custody and storage of the data

Data Owner: the entity that holds the legal rights and complete control over the data; defines distribution and policies impacting the data

Data Steward vs Data Custodian: This is kind of fuzzy for me.

I don't see much difference here. I don't understand what the text/study materials means when it says the Steward is responsible for "content & context" of the data. Integrity, I get that.

For the Custodian, its a little more clear. Secure transport and storage is easy to grasp. What about custody? I can't figure out what an example of that would be.

I could use rote memorization to hammer in what the Steward does vs what the Custodian does, but the bandwidth for that kind of study is limited and I would rather save it something else.

H-bomb

Sounds like you're getting close! I was averaging around 75% on the official (ISC)2 practice exams and passed. The lowest domain exam score i had was a 68 and the highest i had was an 80. I hope this helps!

Score
Domain

79
Domain 1

76
Domain 2

70
Domain 3

78
Domain 4

68
Domain 5

70
Domain 6

82
Practice test 1

85
Practice test 2

76
Average Score

--chris--

Day 4 of the bootcamp...

So far I like it, but I won't know if the camp will help me pass yet. I am booked to take the exam on the 26th of November (cyber Monday, whooops...).

I will say at this point, roughly a 1/3 of class time has been spent dissecting ISC2 question asking methods and common hazards when attempting to answer the questions. ISC2 questions do appear to be as convoluted as others have mentioned...which is frustrating.

--chris--

H-bomb said:

Sounds like you're getting close! I was averaging around 75% on the official (ISC)2 practice exams and passed. The lowest domain exam score i had was a 68 and the highest i had was an 80. I hope this helps!

Score
Domain

79
Domain 1

76
Domain 2

70
Domain 3

78
Domain 4

68
Domain 5

70
Domain 6

82
Practice test 1

85
Practice test 2

76
Average Score

I ordered this book, it should be here today. Our trainer also said he would suggest ~20 hours or so be put into practice exams and researching wrong answers prior to sitting for the exam. So that's my strategy over the next week.

COBOL_DOS_ERA

Good luck with your exam!! I believe they are so many people failed to pass CISSP, and other ISC2 related exam due to the convoluted nature of how they ask those exam questions; just do not get frustrated with it. You will do fine.

--chris--

Completed domain 1 of CCSP Official practice tests: 85%

I am weak on PCI details (like which tier applies to what volume). I spent today working on domain 1 test questions, review of weak areas in domain 1 and fleshing out the bootcamp notes for domain 1. About 2 hours.

The instructor did mention that knowing the ISO & NIST docs and their purpose is very useful, but it would be a waste of time to dive into the docs. Like knowing ISO27001 defines ITSM and ISO27002 defines security controls and NIST 800-145 is what ISC2 uses to define the cloud computing models and platforms.

As mentioned above, once my notes are completed I will post a link to them (they are in workflowy, its free).

--chris--

@promethuschow
Thanks! We spent A LOT of time working on testing strategy, nearly as much time was spent on that as was the content of the exam. I feel I have a better handle on test taking now and can at least narrow down things I don't know to a 50/50 shot.

--chris--

Domain 2 practice test (150 questions)

114/150 = 76%

--chris--

In the practice test a handful of questions referred to cloud memory as a synonym for storage. That was a first for me and I have read 3 CCSP study guides, several NIST/ISO docs and went through a bootcamp lol. Not sure if that will be on the exam, but FYI! cloud "memory" = "storage". Thankful the question's phrasing made dropping in storage in place of memory easy, if it was asking about elasticity of resources of something like that....it would have been a coin flip.

--chris--

I am going to go over some of the questions that I stumbled on, re-hash them here...maybe help me cement them.

edit: While reviewing my test answers I found a typo in the test bank, because of this I got 115 (not 114) right.

Domain 2:

Where is the worst place to store crypto keys?
Answer: With the cloud provider; creates a conflict of interest. Also best practice dictates keys should not be kept alongside the data they are encrypting.

Data dispersion provides protection for all the following security aspects except:
Answer: Provides security aspects (Protects confidentiality, availability, loss due to seizure) but does not protect against user error (deletion) because user error will likely result in all data sets being remove.

What cloud storage/memory method will provide a structured, hierarchic motif?
Answer: Object storage/memory is usually storage that is built with a file structure/hierarchy.

Egress monitoring/DLP solutions usually includes a function that...?
Answer: Will require an app be installed on a client machine, in order to inspect data being shared and sent from the endpoint.

Egress monitoring/DLP solutions usually map to an organizations ...?
Answer: ACLs, in this way the DLP solution is used to protect data using a predefined security structure

What type of data storage/memory is most often used in a PaaS setup?
Answer: Typically PaaS uses a database storage scheme.

Why type of data storage/memory is most of used in a SaaS setup?
Answer: Usually ephemeral and long term storage are concepts used in a SaaS environment.

List the possible data masking techniques (per ISC2):
Answer: Random substitution, Deletion, Algorithmic substation

Define direction identifiers:
Answer: This is anything that directly identifies the individual (name, social, address, DoB, etc...)

Define indirect identifiers:
Answer: This is information, that viewed in isolation can not identify an individual. However when combined with other indirect identifiers, its becomes possible to ID an individual.

How does bit splitting aid in protecting confidentiality?
Answer: Bit splitting chops data into segments, then stores that data in multiple locations. If an unauthorized user/attacker were to get access to one segment of data it likely will be unusable without the other segments.

What is/are Agile Analytics/business intelligence?
Answer: Agile analytics provides great insight and capabilities than all other previous generations of analytics.

What is a common/expect side-benefit of DLP/egress monitoring solutions?
Answer: Data discovery occurs holistically; as data is processed by the DLP solution it can be cataloged or categorized.

What is data transformation in a cloud environment?
Answer: When data is added to a server (VM), then that server is backed up (Archived), the VM may be restored and users may process data (raw data). All phases have potential for different security concerns and implications.For this reason, virtualization can pose a risk to data (because of ill defined security policies as data moves through the phases defined above).

All policies created within an organization should have all of the following qualities:
Answer: Assignation of an entity to periodically review for applicability, Assignation of an entity to monitor and maintain the process in the policy, A list of laws, regulations, practices and/or standards that acted as drivers for the policy.

I try not to post to much negative stuff, but today during study I ran across something thats kind of absurd. In one question the correct answer (regarding secure sanitation practices in the cloud) says "overwriting data" with 1's and 0's is not an accepted secure sanitization method because of forensic techniques. OK, I agree. Its possible.

The very next question says YES, overwriting data can be a accepted method to erase data in the cloud.

The key in the statements is that the first references "secure sanitization" and the latter does not, it just says acceptable methods of erasing data. Its this, fine line, nitty gritty tight rope walking BS that drives me nuts. It implies that secure sanitization is the accepted standard then goes on to state data overwriting, while not secure sanitization, is an accepted method. wtf.

Done for today, /rant. Good night.