*PASSED* 11/26/2018 CCSP 30 days....



  • --chris-- (Senior Member, Posts: 1,518)
    Found some info on the storage/memory thing...

    Per ISC official study guide:

    Cloud resources are compute (CPU & RAM), storage and networking.

    Since memory is not listed by name in this resource list (it's called RAM), they can use it to reference the medium that data is stored on.
  • --chris-- (Senior Member, Posts: 1,518)
    Domain 3 practice test: 114/143 (79%)

    After reviewing what I got wrong, it's not clumped into one single area that I am lacking but stuff on the fringes (like what do you call it when a user on one VM can see the resource calls of another user on a different VM?  Answer: Inference attack).  I had never seen that before now, but now I know.  I will work through these again and see if I can spot a trend and put together some study notes to post here.
  • --chris-- (Senior Member, Posts: 1,518)
    Domain 4 practice test: 80/112 (71%)

    Found a weak spot!   A series of questions referred to "installing APIs" on BYOD devices (I missed 4 of 5 of these) then asked about security controls to mitigate risks specific to this situation.  It appears that APIs/application can be used interchangeably by ISC2 when referring to user interaction.  So of course all of my answers were cloud centric and not user/end device centric, which is what they were looking for.

    • SDLC (user input is MOST necessary during the design phase, during testing is the best time to bring in "3rd party" or external help)
    • ISO 27034, STRIDE model 
    • REST vs SOAP
    • REST server response types (JSON & XML)
    • comparing MOST important controls in legacy vs cloud deployments (encrypting at all stages of application use, multi-tenancy, application isolation, focusing on building with known-secure library) 
    • WAF & DAM are L7 devices 
    • XML gateways (per ISC2) are focused on monitoring SFTP traffic (not WAF) 
    • TLS uses symmetric encryption. If a question references TLS "communication session" creation it is asking about the symmetric encryption and asymm
    • What occurs during dynamic testing (aka fuzzing per ISC2, "logical path" testing is a metric here)
    • What occurs during static testing (source code review, "code coverage" is a metric used here)
    Some of these I got wrong simply because I took the "technical" point of view instead of the management point of view.  For example, when asked about over deploying security controls I selected "will negatively impact performance" and the correct answer was "be a waste of money".  
  • --chris-- (Senior Member, Posts: 1,518)
    Domain 5 practice test 69%

    Domain 6 practice test 71%

  • --chris-- (Senior Member, Posts: 1,518)
    Reviewed Domain 6, below are fuzzy areas (many).

    -Three levels
    -tier 1, self assurement
    -tier 2, 3rd party certification
    -tier 3, continuous auditing

    OECD Privacy Principles
    Collection limitation principle
    -Place limits to the collection of personal data

    Data Quality principle
    -Personal data should be relevant and the data subject should be able to update the PII

    Purpose Specification Principle
    -The reason why personal data is collected should be made clear when the data is collected

    Use limitation principle
    -PII should not be used or disclosed for purposes other than those specified in the purpose specification

    Security Safeguards principle
    -PII should have reasonable security measures in place to protect it

    Openness Principle
    -A general policy of openness should exist about developments, practices and policies in regards to a subject's PII

    Individual participation principle
    -Lists individual rights in regards to the PII (4+)

    Accountability Principle
    -The data controller will be accountable for complying with measures that give effect to the principles stated above

    ISO 27001 vs 27002
    -27001 details requirements against which an organization's ITSM can be audited
    -27002 details individual security controls, in a much greater detail

    -Created by the AICPA, replaced by the SSAE 16 in 2011.  Used to audit service organizations.

    SOC Report types
    -SOC 1; restricted use (internal only), Reports on controls regarding financial reporting
    -SOC 2; Generally restricted, may be released with NDA; Reports on controls related to compliance and/or operations
    -SOC 3; General Use Report; freely shared with clients, Reports on controls related to compliance (leaving out details found in SOC 2)

    NIST 800-53 - Security and Privacy controls
    NIST 800-37 - Risk Management Framework
    ISO 27034 - Standards for Secure Application Development
    ISO 27017 - A set of standards regarding the guidelines for info sec controls that apply to cloud services

    EU Data Directive created (or provided outline for) the "Safe Harbor" program which was established and run by the US FTC until it was replaced by the Privacy Shield program.  This is used by US companies to process data from EU entities.  

    Due Diligence  vs Due Care

    Due care: This is doing what a reasonable person in your position or situation would do

    Due Diligence: This is the management of Due Care; often thought of as a step beyond due care.  It is the verification of due care through attainment of evidence (reports).


  • --chris-- (Senior Member, Posts: 1,518)
    Confidence is not that high, I feel like if I pass it will be just barely.  I plan on taking one practice exam tomorrow, then focused review of my weakest areas (2-3 total) then take the rest of the day off.  

    Then Monday morning, focused review of techniques for taking the exam and "tips" provided by the bootcamp instructor (1-1.5 hour total time).  Then eat & drink well, take a break for 2 hours and drive the hour to the exam center (arriving 15 minutes early).  Then TEST.
  • --chris-- (Senior Member, Posts: 1,518)

    I don't know how the score broke down, but I got a pass!  I didn't get any questions on frameworks (ISO, NIST, ENISA, CSA, nothing!).  I had ~10 questions on SOAP and REST, focusing on their best usage and not about the technical specs.  I had some questions that came out of left field which must have been the no-score questions. 

    I had 5 scenario questions (The kind where you get a paragraph of background, then 2-3 questions about what "BEST" suits this situation) and 2 drag and drop questions with 5 variables in each.  

    There were a handful of questions about law, evidence collection, privacy practices, etc... (domain 6).  Many tested on how well I knew the 3 types of service (IaaS, PaaS, SaaS), where the responsibility lies in each situation and what controls would be appropriate for the level of responsibility.  But of course they are not asked in plain English, instead they are asked in a convoluted manner with a few grammatical errors tossed in.  For instance the words "assess" and "access" were used interchangeably twice.  Be ready to recognize when a mistake was made, swap in the correct word in the question and then select your answer.  Don't dwell on whether or not you interpreted it correctly, just move on.

    There were also several questions where I believe the correct answer was to not use the cloud, which caught me off guard but I think I got right.

    The proctor for the center was weird and the testing center location was not easy to get into nor was it well placed (who in the hell thought it would be a good idea to put the test room next door to the campus sexual assault reporting office filled with crying people that can be heard occasionally through the walls?) But not ISC2's fault.  
  • Rinzler (Junior Member, Posts: 34)
    Congrats on passing CCSP.  I hope to take this exam after CISSP is conquered, sir.  :p   
  • COBOL_DOS_ERA (Member, Northern VA, NYC, Posts: 205)
    Congrats on the pass!! and thanks for sharing your exam experience with us.
  • Azt7 (Member, Posts: 121)
    Congrats !
    Certifications : ITIL, MCSA Office 365, MCSE Productivity, AWS CSAA, Azure Architect, CCSK, TOGAF
    Studying for :  TBD
  • --chris-- (Senior Member, Posts: 1,518)
    Thanks everyone!  
  • DZA_ (Member, Posts: 467)
    Congratulations Chris, it definitely inspires me to retake the exam in the new year but I've been putting it off recently because of work commitments. I'm debating whether to take the exam or not given its value overall in my given situation and how sometimes the CCSP questions can be super vague. Great stuff on the pass.
  • --chris-- (Senior Member, Posts: 1,518)

    If you do reattempt, let me know. I will gladly help you.
  • DZA_ (Member, Posts: 467)
    Thanks Chris, I'll definitely do that :smile:

  • Info_Sec_Wannabe (Senior Member, Posts: 428)
    Outstanding job! Hope to be in your shoes next year.
    X year plan: (20XX) OSCP [ ], CCSP [ ]
  • impelse (Senior Member, Posts: 1,237)
    Congrats, good work pays off.
    Stop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
    It is your personal IPS to stop the attack.

  • vCISO2017 (Junior Member, Posts: 51)
    Great to hear - your passing reflects the work you put in.  :)
    CITP | CCSP | CCSK | AWS CCP | VCP | CISM | CGEIT | CIPM | PMP | MCSE, etc.......