*PASSED* 11/26/2018 CCSP 30 days....
Hello TE,
I wanted to create this thread for a few reasons. One, to give others some insight and hopefully help them prep for this exam and two hold me accountable.
I am 30 days out from the CCSP, my first less technical cert and my first ISC2 cert. So far up to this point I have read the CBK, the CSA Guide (v3.0) and a few NIST and ISO documents in preparation. I am halfway through the Cybrary videos, which are pretty good!
My employer paid for a bootcamp, which I attend the first week of October. I plan on taking the CCSP around October 11th.
My background:
Started in IT in 2013, 6 months of helpdesk, 24 months in a MSP, 18 months in a Bank/network engineer, 9 months as a security analyst for a cloud company. I have a BS in MIS, some certs and a mostly technical background.
The plan:
- Complete the CBK end of chapter tests, making flash cards as I go (posting them here)
- Read the Sybex CCSP study guide
- Complete the Sybex end of chapter tests, more flash cards....
- Finish the Cybrary videos
- Read/analyze NIST, ENISA, ISO and other standards/frameworks/publications
- Review the CSA v3 Guide again
- Bootcamp week
- Last minute review (1-3 days)
- Sit for exam
Flash cards (updated as I complete them):
Domain 1
https://quizlet.com/313748684/ccsp-domain-1-flash-cards-2018-flash-cards/
Domain 2
https://quizlet.com/313874911/ccsp-domain-2-flash-cards-2018-flash-cards/
Domain 3
https://quizlet.com/314689850/ccsp-domain-3-flash-cards-2018-flash-cards/
Domain 4
https://quizlet.com/314712711/ccsp-domain-4-flash-cards-2018-flash-cards/
Boson questions flash cards:
https://quizlet.com/314234345/ccsp-flash-cards-boson-2018-flash-cards/
Comments
I've heard the difficulty was also very high and then I hear that its not that bad. Who knows? I will in about a month! I have a free retake if I fail (via the bootcamp), so I do have a plan B.
Nice catch, thanks.
Ahem....V4:
https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/security-guidance-v4-FINAL.pdf
Hours today: 3.75
Did you "take" the end of chapter tests in the official CBK? If yes, how is the wording compared to the actual exam? I worry that I will know the concepts but make mistakes because I have read a few times that the wording can be confusing.
1 hour today
4.75 total
Thanks for the feedback, this makes sense....It's kind of what a lot of exams are like.
Domain 3 Flash Cards:
https://quizlet.com/314689850/ccsp-domain-3-flash-cards-2018-flash-cards/
Domain 4 Flash Cards:
https://quizlet.com/314712711/ccsp-domain-4-flash-cards-2018-flash-cards/
I also spent some time getting familiar with ISO 27034-1 (Application Security Management Process creation aka ASMP) and understanding the STRIDE threat model process. These are both domain 4 related.
Edit: Worked on Domain 5 test for 45 minutes, discovered the official CBK has 22 questions in the test and only 21 answers in the key...... -_-
Hours: 4.75+1.5 today
6.25 total
I mention all of that because some people were interested in how this went, so here is a continuation of my experience with them so far.
I booked the camp mid July for October. I received an email yesterday from them telling me the October bootcamp was cancelled, no explanation, and they asked if I could select another date (there are two left). I am worried the other two might get cancelled like the first one did, they won't offer a guarantee that the class will run and the best I can do is sign up for another class and wait it out.
So far, not so good. I need to sit for the exam this year because of my "goals" at work, if this gets bumped again I will be getting a refund.
CCSP Certified Cloud Security Professional All-in-One Exam Guide by Daniel Carter is also helpful.
I second the study material from Ben Malisow. I got his Official CCSP study guide as well as the test questions. I also used cccure test questions for both knowledge and endurance for the exam.
Thanks, both of you. I will order these up.
Shifting my focus back to this exam as I am about 30 days away from the bootcamp then the exam.
Domain 5 Flash Cards:
https://quizlet.com/315153871/ccsp-domain-5-flash-cards-2018-flash-cards
While my focus was elsewhere I still spent some time every day reading the Sybex exam guide co-authored by Malisow. It is much easier to read than the CBK, but I still struggle with the required discipline to tear through it quickly.
Domain 6 Flash Cards:
https://quizlet.com/328584277/ccsp-domain-6-flash-cards
Good news, I appear to be doing well with Domain 1 topics. On the 50 question practice exam I scored a 93%.
The uncertain-category news, the practice exam had two questions with wrong answers
I have a feeling the legal/compliance domain will be my weak spot so I will be working on that next.
Ha! I wish! This was low-hanging fruit; the question was regarding the CIA triad...and it said the "A" stood for authorization (CIA triad = Confidentiality, Integrity, Availability). That was beaten into me on day one of my BS from school in 2013!
Something I am getting hung up on is the "roles" in data ownership. Talking (or typing) through it here can help me figure it out and as always, input is welcome!
There are 6 roles in data handling per the CCSP outline.
Data Subject: the subject of the personal data
Data Controller: the entity that determines how/when/if data is processed
Data Processor: the entity who processes data on behalf of the data controller
Now the three where I foresee some trouble....
Data Steward: the entity responsible for the content, context and integrity of the data
Data Custodian: the entity responsible for the secure transport, custody and storage of the data
Data Owner: the entity that holds the legal rights and complete control over the data; defines distribution and policies impacting the data
Data Steward vs Data Custodian: This is kind of fuzzy for me.
I don't see much difference here. I don't understand what the text/study materials mean when they say the Steward is responsible for "content & context" of the data. Integrity, I get that.
For the Custodian, it's a little clearer. Secure transport and storage are easy to grasp. What about custody? I can't figure out what an example of that would be.
I could use rote memorization to hammer in what the Steward does vs what the Custodian does, but the bandwidth for that kind of study is limited and I would rather save it for something else.
Score   Domain
79      Domain 1
76      Domain 2
70      Domain 3
78      Domain 4
68      Domain 5
70      Domain 6
82      Practice test 1
85      Practice test 2
76      Average Score
So far I like it, but I won't know if the camp will help me pass yet. I am booked to take the exam on the 26th of November (cyber Monday, whooops...).
I will say at this point, roughly 1/3 of class time has been spent dissecting ISC2 question-asking methods and common hazards when attempting to answer the questions. ISC2 questions do appear to be as convoluted as others have mentioned...which is frustrating.
I am weak on PCI details (like which tier applies to what volume). I spent today working on domain 1 test questions, review of weak areas in domain 1 and fleshing out the bootcamp notes for domain 1. About 2 hours.
The instructor did mention that knowing the ISO & NIST docs and their purpose is very useful, but it would be a waste of time to dive into the docs. Like knowing ISO27001 defines ITSM and ISO27002 defines security controls and NIST 800-145 is what ISC2 uses to define the cloud computing models and platforms.
As mentioned above, once my notes are completed I will post a link to them (they are in Workflowy, it's free).
Thanks! We spent A LOT of time working on testing strategy, nearly as much time was spent on that as was the content of the exam. I feel I have a better handle on test taking now and can at least narrow down things I don't know to a 50/50 shot.
114/150 = 76%
edit: While reviewing my test answers I found a typo in the test bank, because of this I got 115 (not 114) right.
Domain 2:
Where is the worst place to store crypto keys?
Answer: With the cloud provider; creates a conflict of interest. Also best practice dictates keys should not be kept alongside the data they are encrypting.
Data dispersion provides protection for all the following security aspects except:
Answer: Provides security aspects (protects confidentiality, availability, loss due to seizure) but does not protect against user error (deletion), because user error will likely result in all data sets being removed.
What cloud storage/memory method will provide a structured, hierarchic motif?
Answer: Object storage/memory is usually storage that is built with a file structure/hierarchy.
Egress monitoring/DLP solutions usually includes a function that...?
Answer: Will require an app be installed on a client machine, in order to inspect data being shared and sent from the endpoint.
Egress monitoring/DLP solutions usually map to an organizations ...?
Answer: ACLs; in this way the DLP solution is used to protect data using a predefined security structure.
What type of data storage/memory is most often used in a PaaS setup?
Answer: Typically PaaS uses a database storage scheme.
What type of data storage/memory is most often used in a SaaS setup?
Answer: Usually ephemeral and long-term storage are concepts used in a SaaS environment.
List the possible data masking techniques (per ISC2):
Answer: Random substitution, Deletion, Algorithmic substitution
Define direct identifiers:
Answer: This is anything that directly identifies the individual (name, social, address, DoB, etc...)
Define indirect identifiers:
Answer: This is information that, viewed in isolation, cannot identify an individual. However, when combined with other indirect identifiers, it becomes possible to ID an individual.
How does bit splitting aid in protecting confidentiality?
Answer: Bit splitting chops data into segments, then stores that data in multiple locations. If an unauthorized user/attacker were to get access to one segment of data it likely will be unusable without the other segments.
What is/are Agile Analytics/business intelligence?
Answer: Agile analytics provides greater insight and capabilities than all previous generations of analytics.
What is a common/expected side-benefit of DLP/egress monitoring solutions?
Answer: Data discovery occurs holistically; as data is processed by the DLP solution it can be cataloged or categorized.
What is data transformation in a cloud environment?
Answer: When data is added to a server (VM), then that server is backed up (archived), the VM may be restored and users may process data (raw data). All phases have potential for different security concerns and implications. For this reason, virtualization can pose a risk to data (because of ill-defined security policies as data moves through the phases defined above).
All policies created within an organization should have all of the following qualities:
Answer: Assignation of an entity to periodically review for applicability, Assignation of an entity to monitor and maintain the process in the policy, A list of laws, regulations, practices and/or standards that acted as drivers for the policy.
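As an added example for this thread (not the OP's material and not from ISC2 or any of the study guides mentioned), here are the three masking techniques from the "data masking techniques" card and the "bit splitting" card, in Python. The sample record, its field classification and the tokenisation key are constructed for illustration. The algorithmic substitution uses HMAC-SHA256 as one concrete choice of algorithm; the bit splitting is the simplest n-of-n XOR form, not a real dispersion scheme with erasure coding, which is why it also illustrates the "dispersion does not protect against deletion" caveat: lose any one share and the data is gone.

```python
"""Data masking and bit splitting, worked example (added to this thread; not
the OP's or ISC2's code). All sample data below is constructed."""
import hashlib
import hmac
import os
import secrets
import string

# Constructed sample record (not real data): three direct identifiers and
# one indirect identifier, as classified on the Domain 2 cards above.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "dob": "1980-01-02",
    "zip": "90210",
}
DIRECT_IDENTIFIERS = ("name", "ssn", "dob")

# Hypothetical tokenisation key. In practice it lives in a KMS/HSM and is
# never stored beside the masked data (the "worst place to store keys" card).
TOKEN_KEY = b"example-key-do-not-use"


def mask_random_substitution(value, rng=secrets):
    """Random substitution: swap every letter/digit for a random one of the
    same class, keeping separators so the field still looks like the original
    (NNN-NN-NNNN stays NNN-NN-NNNN). Good for realistic test data."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(rng.choice(string.digits))
        elif ch.isalpha():
            pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            out.append(rng.choice(pool))
        else:
            out.append(ch)
    return "".join(out)


def mask_deletion(record, fields):
    """Deletion: remove the sensitive fields outright."""
    return {k: v for k, v in record.items() if k not in fields}


def mask_algorithmic_substitution(value, key=TOKEN_KEY):
    """Algorithmic substitution: a keyed hash (HMAC-SHA256) so the same input
    always maps to the same token (records can still be joined) but the token
    cannot be reversed without the key. An unkeyed hash is not enough for
    low-entropy values such as SSNs, which an attacker can simply enumerate."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def bit_split(data, shares=3):
    """Bit splitting, simplest form: n-1 random shares plus one share chosen so
    that the XOR of all n recovers the data. Any n-1 shares are uniformly
    random, so a stolen segment is unusable on its own."""
    if shares < 2:
        raise ValueError("need at least two shares")
    parts = [os.urandom(len(data)) for _ in range(shares - 1)]
    last = bytes(data)
    for p in parts:
        last = bytes(a ^ b for a, b in zip(last, p))
    return parts + [last]


def bit_join(parts):
    """Recombine shares. With ANY share missing the result is random garbage,
    which is why n-of-n splitting protects confidentiality but not availability."""
    out = bytes(len(parts[0]))
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


if __name__ == "__main__":
    print(mask_random_substitution(SAMPLE_RECORD["ssn"]))
    print(mask_deletion(SAMPLE_RECORD, DIRECT_IDENTIFIERS))
    print(mask_algorithmic_substitution(SAMPLE_RECORD["ssn"]))
    shares = bit_split(SAMPLE_RECORD["ssn"].encode())
    print(bit_join(shares) == SAMPLE_RECORD["ssn"].encode())       # all shares: True
    print(bit_join(shares[:-1]) == SAMPLE_RECORD["ssn"].encode())  # one lost: False
```

The format-preserving random substitution is the one to use when the masked data has to pass downstream validation (test environments); deletion is the safest when the field is not needed at all; the keyed hash is the one that keeps referential integrity across tables, and the key then inherits the sensitivity of the original data.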
I try not to post too much negative stuff, but today during study I ran across something that's kind of absurd. In one question the correct answer (regarding secure sanitization practices in the cloud) says "overwriting data" with 1's and 0's is not an accepted secure sanitization method because of forensic techniques. OK, I agree. It's possible.
The very next question says YES, overwriting data can be an accepted method to erase data in the cloud.
The key in the statements is that the first references "secure sanitization" and the latter does not, it just says acceptable methods of erasing data. It's this fine-line, nitty-gritty tightrope-walking BS that drives me nuts. It implies that secure sanitization is the accepted standard, then goes on to state that data overwriting, while not secure sanitization, is an accepted method. wtf.
Done for today, /rant. Good night.