Common Sense vs. Book

Rick1Rick1 Member Posts: 26 ■□□□□□□□□□
First post icon_cheers.gif

So I'm scheduled to take the exam on Feb 19th. I'm competely nervous and have been cramming a ton of material, btw thanks ISC2 for changing exam scope the month I'm supposed to take it. I've been running into a reoccuring problem while taking practice tests and would much appreciate any advice input available.

Should I be answering questions based on common sense or should I focus on what's in the book (Shon Harris 5th ed.). I've been taking some practice tests where the book answer isnt the "Best" answer. Ushually I go common sense first but it's easy to switch gears when something in the back of your head says, "wait the book said this".

Example: (Rephrased Question)

What is the best method to limit unauthorized access to critical servers though a wireless access point?

A) Rule Based Access Contol
B) Discretionary Access Control
C) WPA2 Enterprise
D) 802.11n

My brain says WPA2 enterprise because that's what you use. But, Rule Based kinda covers that and much more. It certainly doesnt help your torn between a technical implementation and a theory.

Based on answers to the questions I've practiced the answer is WPA2 Enterpise. But as a template for the exam should I place my judgement above the book?

Comments

  • JDMurrayJDMurray Admin Posts: 13,092 Admin
    Rick1 wrote: »
    First post icon_cheers.gif
    Welcome to TE!
    Rick1 wrote: »
    Should I be answering questions based on common sense or should I focus on what's in the book (Shon Harris 5th ed.). I've been taking some practice tests where the book answer isnt the "Best" answer. Ushually I go common sense first but it's easy to switch gears when something in the back of your head says, "wait the book said this".

    Realize that Shon Harris and the (ISC)2 are in no way related as collaborators or business partners. In fact, they (probably) do not use her material for creating their exams. I would use her books for studying the topics on the exam, but do not assume that the SSCP (or CISSP) exam questions will look like what's in her books. If you want practice exams that are close to the actual exam items, you'll need to get studISCope for the SSCP from the (ISC)2.
  • Ricky5chsRicky5chs Member Posts: 26 ■□□□□□□□□□
    Hey Rick, where are you taking the exam?
  • TurgonTurgon Banned Posts: 6,308 ■■■■■■■■■□
    Rick1 wrote: »
    First post icon_cheers.gif

    So I'm scheduled to take the exam on Feb 19th. I'm competely nervous and have been cramming a ton of material, btw thanks ISC2 for changing exam scope the month I'm supposed to take it. I've been running into a reoccuring problem while taking practice tests and would much appreciate any advice input available.

    Should I be answering questions based on common sense or should I focus on what's in the book (Shon Harris 5th ed.). I've been taking some practice tests where the book answer isnt the "Best" answer. Ushually I go common sense first but it's easy to switch gears when something in the back of your head says, "wait the book said this".

    Example: (Rephrased Question)

    What is the best method to limit unauthorized access to critical servers though a wireless access point?

    A) Rule Based Access Contol
    B) Discretionary Access Control
    C) WPA2 Enterprise
    D) 802.11n

    My brain says WPA2 enterprise because that's what you use. But, Rule Based kinda covers that and much more. It certainly doesnt help your torn between a technical implementation and a theory.

    Based on answers to the questions I've practiced the answer is WPA2 Enterpise. But as a template for the exam should I place my judgement above the book?

    How long have you been preparing for the CISSP? Do you have years of experience in the field in the security domains?
  • JDMurrayJDMurray Admin Posts: 13,092 Admin
    Oh yeah, "CISSP." I had "SSCP" on the brain when I posted. The same advice applies to both (ISC)2 exams.
  • forestgiantforestgiant Member Posts: 153
    Rick1 wrote: »
    First post icon_cheers.gif

    I've been running into a reoccuring problem while taking practice tests and would much appreciate any advice input available.


    The exams (CISSP and SSCP) draw from a large bank of questions, and they were all vetted by a group of experts. They decided what's the best answer for any given question.

    Why is that important? Imagine if you are already certified, and vetting the question with your peers. Why do you think the majority would pick one answer over another? (that should address the "common sense" part of the question).

    Also, remember that the CISSP and SSCP are not very technical. Put on your manager hat --- would you try the business approach first (rules-based), or technical approach (WPA2)?

    The AIO is extremely helpful, but that's also its weakness. It really does try to cover all the bases, leaving no stone unturned, so to speak. What you'd eventually see on the exam is only a subset or off shoot of the AIO materials. So try to understand what the AIO asks and all the explanations, but it aint always right.

    Hope that helps.
  • JDMurrayJDMurray Admin Posts: 13,092 Admin
    Also, remember that the CISSP and SSCP are not very technical.
    The SSCP is actually very technical. It's intended for people who are fresh from learning a lot of the technical stuff in college, but don't yet have the professional business work experience required for the CISSP.
  • Rick1Rick1 Member Posts: 26 ■□□□□□□□□□
    Wow lots a responses and questions, I'll try to respond to all in one post if I miss something let me know. Sorry for the delayed response but after posting last night I had family over.

    I've been studying for the CISSP since October, although not seriously until I scheduled the exam a couple weeks ago.

    As for experience I have my undergrad in network security, Net+, Sec+, ITIL v3 foundation, 6 years of military experience as a information systems operator/analyst, 1 year as a help (Service) desk manager, and right now I'm doing software compatibility testing for NMCI windows 7 migration.

    I became intrested in CISSP because of DoDD 8750 and believe it will open doors for better jobs as a government contrator. I have someone lined up to vouch for my experinece but I'm not expecting to pass the exam on the first attempt. I'm trying the best I can but I'm realistic about how comprehensive the exam is and there are domains I have very little experinece in. I think my stregnths are in Cryptography, Access Control, Security Architecure, and Network Security. I'm weak in App security, and Legal/Regulations, but getting better icon_wink.gif

    I'll be taking the exam in Raliegh NC, which is a good drive from where I live in Virginia. Since the exam is on a Sunday and won't disturb my work it seemed like the best place and time to take it.

    At first I thought I would do a major cram session on Saturday before taking the test but after doing some of these practice questions I'm thinking a walk in the park with my dogs might be more beneficial to keep perspective.

    Hope that addressed everything I'll check back a in a bit, I got to hit the books again icon_study.gif
  • Rick1Rick1 Member Posts: 26 ■□□□□□□□□□
    The exams (CISSP and SSCP) draw from a large bank of questions, and they were all vetted by a group of experts. They decided what's the best answer for any given question.

    Why is that important? Imagine if you are already certified, and vetting the question with your peers. Why do you think the majority would pick one answer over another? (that should address the "common sense" part of the question).

    Also, remember that the CISSP and SSCP are not very technical. Put on your manager hat --- would you try the business approach first (rules-based), or technical approach (WPA2)?

    The AIO is extremely helpful, but that's also its weakness. It really does try to cover all the bases, leaving no stone unturned, so to speak. What you'd eventually see on the exam is only a subset or off shoot of the AIO materials. So try to understand what the AIO asks and all the explanations, but it aint always right.

    Hope that helps.

    I really appreciate this answer, manager hat and what peers think does bring some validity to the "correct" answer. The reason in my head right now as to why WPA2 enterprise is the correct answer is because it most specifically answers the question. Rule based access control is a combination of controls which can result in a bad answer. Just because you made rules doesnt mean you made the right ones. Rule based answer could be, SSID will be hidden, Encryption will be though WEP and MAC filtering will be turned on. 3 rules that fail to keep the WAP secure vs. one rule that essentially addresses everything. icon_smile.gif
  • JDMurrayJDMurray Admin Posts: 13,092 Admin
    The trick yo answering this quesiton correctly is really knowing your 802.11 standard. "WPA2 enterprise" is probably the most correct answer because it is based on 802.1X, which is the standard scheme for integrating EAP authentication into 802.11 networks. The other three answer options have little or nothing to do with 802.11 network authentication, which is what the question is all about.
  • Rick1Rick1 Member Posts: 26 ■□□□□□□□□□
    Exactly what I was thinking. I'm finding questions like these difficult because after reading about access control the book part of my head leans towards rule based since that's what I read about therefore feel that's the answer they want. It's a reoccuring problem while I'm practicing when I get a question that address a practical answer vs. a book answer.

    I think I've managed to at least rationalize my own answer. Go with your gut and not the book, but be very careful with the phrasing of questions. Change "method" to "model" in the question and Rule based becomes the best answer icon_wink.gif
  • JDMurrayJDMurray Admin Posts: 13,092 Admin
    Rick1 wrote: »
    Change "method" to "model" in the question and Rule based becomes the best answer icon_wink.gif
    Two of the answer options are "methods" and other two are "standards," so "method" was likely selected as a neutral descriptive term. That's what I would have tried to do if I had authored that exam item.
  • Rick1Rick1 Member Posts: 26 ■□□□□□□□□□
    JDMurray wrote: »
    Two of the answer options are "methods" and other two are "standards," so "method" was likely selected as a neutral descriptive term. That's what I would have tried to do if I had authored that exam item.
    I'm hoping these practice questions are harder than the actual exam but I'm not counting on it.

    I had to look it up because part of my head said they are all standards. RBAC is a standard according to NIST, not sure if it's defined as a standard by ISO which would be the definitave answer imo. Words in this industry are so generically ambigious sometimes I'm supprised they don't call clients thingamapeople and domains whereamaplaces.
    NIST.gov - Computer Security Division - Computer Security Resource Center
  • secbensecben Member Posts: 10 ■□□□□□□□□□
    Also, remember that the CISSP and SSCP are not very technical. Put on your manager hat --- would you try the business approach first (rules-based), or technical approach (WPA2)?

    You are absolutely correct. There were few questions like these in my exam.

    If you have done a bit of studying or have experience in the industry, you can easily eliminate two answers easily in most case. Now you are down to two.To select the most suitable answer, you have to:
    1) Give precedence to laws > regulations > ethics > business
    2) See the keywords ("method" vs "standard" as JD pointed out here)
  • bryguybryguy Member Posts: 190
    Don't sell yourself short Rick1... I read somewhere that the CISSP had a 70% pass rate... That's pretty good odds if you ask me. I'd expect to pass it the first time, because you'll find that you often live up (or live down) to the expectations you set for yourself. Do yourself a favor, and don't cripple yourself by not expecting to pass the exam on the first attempt.
  • Rick1Rick1 Member Posts: 26 ■□□□□□□□□□
    bryguy wrote: »
    Don't sell yourself short Rick1... I read somewhere that the CISSP had a 70% pass rate... That's pretty good odds if you ask me. I'd expect to pass it the first time, because you'll find that you often live up (or live down) to the expectations you set for yourself. Do yourself a favor, and don't cripple yourself by not expecting to pass the exam on the first attempt.
    Not trying to bump but thanks for all this advice guys. I'm certainly hoping to pass but I'm not the type to bet I'm going to pass. I feel like if I did that I would be putting all eggs in one basket. Expect the worse and hope for the best may be negative, but in this industry it really matters. It's not how you fall down, it's about getting back up. Risk management, business continuity and Rocky taught me that much icon_smile.gif
  • beadsbeads Member Posts: 1,533 ■■■■■■■■■□
    bryguy wrote: »
    Don't sell yourself short Rick1... I read somewhere that the CISSP had a 70% pass rate... That's pretty good odds if you ask me. I'd expect to pass it the first time, because you'll find that you often live up (or live down) to the expectations you set for yourself. Do yourself a favor, and don't cripple yourself by not expecting to pass the exam on the first attempt.

    You've probably read that statistic from one of the review classes success rates. Its a lot of motivation to pass an exam when you pour $3500.00 into a preparation course to pass an exam. SANS may still use the blip that goes something like this: One recent class had a first try pass rate of 98%...

    Given that my purposed CISSP number is 413000+ and the last published statistic from the ISC2 was over 77,000 in 2010 I think you can extrapolate that the actual pass rate is fairly low. ISACA publishes a first time pass rate at roughly 50% and considered to be much easier to obtain than ISC2.

    This of course reminds me of the old adage: "Figures lie and liars figure..." Its still no cake walk of an exam, no matter how much you prepare.

    - Brent
Sign In or Register to comment.