How do you GENIUS pass the CISSP!? I Got 645 FAIL!!!!!!!!!!!!!!!!!!!!!!!!!!!!

SecurityGuru23 Member Posts: 47
All,


I've studied for over 6 months, days/nights/weekends/holidays included! I used the following sources to prepare:

- Eric Conrad 2nd edition (read cover to cover 3 times)
- CCCure questions (paid version)
- Shon Harris Mp3 audio/practice questions
- Eric Conrad 11th hour 1st edition
- Boot camp with Secure Ninja

I feel as though I have the majority of the materials/concepts down pat across all 10 domains, of course not everything memorized since there is just way too much to remember, but for some reason I just don't seem to know how to select the "best" answers for over 20-25 questions that were asked in the actual exam. Most of them pertained to NON TECHNICAL domains and NON TECHNICAL questions... WHAT AM I NOT DOING RIGHT????

My co-worker only studied for 2 months, took the bootcamp with me, and passed!!?? WTF!!!! She barely studied, did NOT use any text books, but only listened to Shon Harris's MP3 and used CCCure practice questions, and that's it!!?? On the other hand, I studied so GOD D*** hard!!!! WHY God, why? Why do you have to do me like that!!?? Life is so unfair!! And is there a God!? Seriously, is there????

Example of the type of questions that I have NO clue on answering:

1) If you were a bank teller and noticed that a customer's account has been compromised, what is the FIRST thing you should do?

A) contact the customer and ask them to change their password
B) notify law enforcement
C) document the incident and inform management (I chose this one)
D) disable the customer's account


CISSP holders,

Please shine some light towards my direction, as I am LOST and have no clue as to how to pass the CISSP exam!???

Thanks in advance!!! Mixed emotions! So blown, hurt, lost, upset, disappointed, angry, frustrated, etc.......

Comments

  • jahaziel Member Posts: 175
    I never studied for the CISSP, but I would guess D. Reason being that the account can still be used until he changes the password.
  • paul78 Member Posts: 3,016
    Sorry to hear about your troubles with the exam. It must be difficult to prepare so thoroughly but still fail. Don't compare yourself to others - everyone's penchant for taking exams or retaining learned knowledge is very different and unique. Perhaps the boot-camp simply fit your colleague's learning style.

    Good luck on your next try.

    As for the question - that's one of the neat things about ISC2 questions - it is built on security concepts, but you may have to see beyond the actual question. I don't remember how ISC2 covers incident response, but the general process used by most frameworks includes various steps in a response. The first step is usually "Identify" and the second step is "Contain". In the question, an issue is already identified. So the next step is containment. The "best" way to contain the issue is to disable the account. While (a) could contain the incident, it is less timely, so it is not the best response.

    A big part of security management is really non-technical so understanding how administrative processes and controls are applied is very important.
  • emerald_octane Member Posts: 613
    D.

    My thought process: management gets to decide if an account is compromised based on their predefined rules outlined in the incident response methodology. If the question said "unusual activity" rather than "compromised", then notifying management for the appropriate action is the appropriate response. In this case, it's redundant. The third phase of IR is "response". So shut down the account.
  • swild Member Posts: 828
    My honest opinion on this exam is to think like a manager. I'm not talking about an IT manager. I'm talking about some recent grad with an MBA or even a BBA that was hired to lead an IT group because they might have indicated computer experience or to have taken one computer science class, but in reality barely know enough to turn on their computer and open Word.

    In your example, a manager would look at that situation and think, "What is best for the business and what will keep me out of trouble if I only do one thing?" The correct answer is D because that shifts the burden of liability off of the manager's (and therefore the business's) shoulders. That way they can say, "I noticed the problem and immediately did everything in my power to rectify the issue." The very next action would be to contact the customer, because that is best for the business.

    I can see why you chose C, however, regardless of what they say, you are the management. The holder of a CISSP is not a teller, they are a manager, possibly filling in for a teller.

    You can't over think the questions. When I took the exam, I finished in less than 3 hours and passed on the first attempt. My plan of action (back when it was a paper exam) was to go through and only answer the questions that I knew the answer to without a second guess. Then to go through a second time on the questions that I skipped and rule out possibilities to minimize my guessing. I wound up only having a handful of questions on my second round and didn't go back through to check my work on the first round.

    This worked out for me, but everybody works a little differently. When I was going through CCCure quizzes, I was only getting about 70%. However, for every single question that I missed, I went to Google and read through whatever I could find to figure out, not only the correct answer, but why the rest of the answers were wrong.

    Don't get discouraged. Buck up, study more, and try again. While I passed my CISSP on the first try, it took me 4 tries to pass my CCNA.
  • MiJeG0 Registered Users Posts: 2
    SecurityGuru23, I so understand you; it is exactly the same score I got a month ago,
    and it is so frustrating to think that I need to start this hell once over!!!

    What are the domains that you didn't do well in?

    And be strong, man, we will make it!!!
  • tony71 Member Posts: 66
    I would choose D. Need to stop the bleeding before letting anyone know about it.
  • warmkitty Member Posts: 26
    Be strong and stop worrying about what you got. Hope you learned a lot from this, and now you know what you missed.
    On the question you posted, as of my understanding, your answer is correct.
    On an occasion where there is no proper documented procedure for this kind of scenario, the best way is to get guidance from management.
    If I was the CIO of that company and I got to know that my admin just disabled a compromised account without notifying, my feeling would not be good.
    Compromising a customer account is a serious issue, and fraud may already have happened. All the money may already be withdrawn. So there will be no meaning in disabling the account. The only probable solution is to trace the logs/evidence to identify the thief. If he accesses the account again from any branch, the probability of catching him will be high.
  • RouteMyPacket Member Posts: 1,104
    @warmkitty
    And you would be 100% wrong. How would you limit liability? How would you close the security breach?

    1. Disable the account
    2. Notify the account holder
    3. Document the situation and all actions taken

    Modularity and Design Simplicity: Think of the 2:00 a.m. test—if you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?
  • warmkitty Member Posts: 26
    I accept all the action points mentioned. But just think, who should be the authorized person to direct the above? Are you suggesting that a bank teller should have the authority to initiate all of those?
  • JDMurray Admin Posts: 13,092
    Some things that come to my mind:

    The comparison people sometimes make between themselves and other cert exam candidates often fails to consider the differences in what they already know about the cert's objectives prior to beginning studies for the cert exam. How much and how well a candidate needs to study for a cert exam largely depends on how much the candidate already knows about the topics and how well the concepts the cert exam tests for are understood. If someone else already knows a lot more than you do, and they understand what they know better (because of their professional experience), they will need a lot less study time than you. In effect, these types of comparison between yourself and other people who have passed the exam are fairly useless unless you are both equal on most accounts.

    Regardless of how much you study, the one factor of a cert exam that you can't really study for is the exam experience itself. Did any of your study prep include emulating actually taking the cert exam? You study in the comfort of your home or work or local library for months and at your own pace, but for the exam you are thrust into the cold, bright, and unfamiliar atmosphere of a testing center and forced to take a very long, mentally exhausting exam in a relatively short amount of time. How much of your studies included preparing for that experience? This is why I write blog articles with titles like "The CISSP Certification Experience."

    When you restudy for the CISSP, make sure to change up your study materials and habits. Something you are doing is not working for you. It may be your ability to concentrate on unfamiliar exam questions, eliminate the distractors, and discern what the exam item is really asking. You should force yourself to take very long practice exams in a limited amount of time to toughen up your mental stamina. Keep an open mind about what you need to change. People will advise you to just study your three worst domains and take the exam again ASAP, but that really won't help you understand the material in the way you need for your InfoSec career.
  • RouteMyPacket Member Posts: 1,104
    warmkitty wrote: »
    I accept all the action points mentioned. But just think, who should be the authorized person to direct the above? Are you suggesting that a bank teller should have the authority to initiate all of those?

    You are thinking too far into it. Based on the question presented, disabling the account is the best security option. There is no further liability (from an exposure standpoint) once the account is disabled, hence it being the correct answer.

    Think within the bounds of the question; no need to get into who is authorized to take action, etc.
  • warmkitty Member Posts: 26
    This is a good way to learn. Thanks RouteMyPacket. You pointed out that I am thinking too far where I should not. Will go for D. The issue is changing the mindset to think like that.
    Thanks SecurityGuru23 for sharing the practice question.
  • emerald_octane Member Posts: 613
    warmkitty wrote: »
    If I was the CIO of that company and I got to know that my admin just disabled a compromised account without notifying, my feeling would not be good.

    Based on real life events, banks have been found negligent if they do not shut down an account that they suspect to be compromised and allow transactions to occur, so unless you want to be called out on vacation, you gotta let your ops do their job.

    Comerica bank ordered to pay after customer hacked.
  • calviny Registered Users Posts: 4
    I have a similar question below:
    If you were an operator and noticed that a system has been infected by a virus, what is the FIRST thing you should do?

    A) Contact the anti-virus software vendor for help
    B) Notify law enforcement
    C) Document the incident and inform management
    D) Unplug the network cable from the system

    According to incident management, it should be identify, containment, eradication...
    So, the answer is D? But it reduces availability.
    Thank you.
  • SecurityGuru23 Member Posts: 47
    MiJeG0 wrote: »
    SecurityGuru23, I so understand you; it is exactly the same score I got a month ago,
    and it is so frustrating to think that I need to start this hell once over!!!

    What are the domains that you didn't do well in?

    And be strong, man, we will make it!!!

    @MiJeG0, my 3 weakest domains are in: Physical, software development security, and cryptography. Yeah, lots of hard work from both of us have been wasted... Here we go again... Wish you best of luck on your 2nd round!!!
  • SecurityGuru23 Member Posts: 47
    @Paul78, Octane_emerald, Swild, JDMurray and everyone else who has provided feedback, thank you for your time!!! I will brush up on my weakest 3 domains (Physical, Software Development, and Cryptography) and then resit the exam again. I will also review sections on what to do FIRST given a scenario and also what to do LAST. Are there any other tips, advice, and techniques that any of you suggest on how to IDENTIFY and WEED out the DISTRACTORS??? I don't think there are, but just wanted to ask and see what everyone has to say.

    Thanks for those who have provided feedback, I will continue to strive and work towards passing the CISSP exam next round!!!

    Happy New Years Everyone!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  • bobloblaw Member Posts: 228
    Just remember not to only focus on your weak domains. I did that in practice quizzes and saw all of my other domains take a hit. Spend a majority of time on your weak domains, but stay fresh on the others.

    You're almost there. How long did it take you to finish the exam? I finished around 3 hours and made myself read the long form questions twice.
  • SecurityGuru23 Member Posts: 47
    bobloblaw wrote: »
    Just remember not to only focus on your weak domains. I did that in practice quizzes and saw all of my other domains take a hit. Spend a majority of time on your weak domains, but stay fresh on the others.

    You're almost there. How long did it take you to finish the exam? I finished around 3 hours and made myself read the long form questions twice.


    Thanks for the advice, it took me 4 1/2 hours to complete the exam with 1 1/2 hour left to review. I will review my top 3 weakest domains (physical, software development, and cryptography) and also brush up on the rest.
  • Baron Von Cissp Registered Users Posts: 1
    The best advice I got on how to pass the exam sounds obvious, but it was to "read the question". It is easy under exam conditions to assume what is being asked and base your answer on this; look out for things like which is "not" the best approach. Remember also that this is not an intelligence test, so if you do not pass the first time and someone else does, that does not make them cleverer than you, just potentially more experienced or got fewer ambiguous questions.... Keep going; when you have finally passed, it will be all the sweeter.
  • SecurityGuru23 Member Posts: 47
    Baron Von Cissp wrote: »
    The best advice I got on how to pass the exam sounds obvious, but it was to "read the question". It is easy under exam conditions to assume what is being asked and base your answer on this; look out for things like which is "not" the best approach. Remember also that this is not an intelligence test, so if you do not pass the first time and someone else does, that does not make them cleverer than you, just potentially more experienced or got fewer ambiguous questions.... Keep going; when you have finally passed, it will be all the sweeter.


    Thanks for the kind words, I will take your advice and continue to strive until I reach my goal which is to SLAY THE "BEAST"!!!
  • beads Member Posts: 1,533
    In somewhat roundabout terms, exams become easier with more exams. If it's been years since you've sat for an exam, your stress levels are going to go through the roof with general test anxiety. One way around this would be to do a Security+ or CCNA exam, or maybe sign up for the Qualys Basic VA classes and take the little exam afterwards. Exams like that.

    Try to get as much hands-on or lab time as you can. VM player is free and there are many good VMs out there to play with on various different subjects. Nothing beats hands-on experience, and this is really an experience rather than a theoretical exam. That's why people talk about it as a "management exam". Now, I understand getting practice in Law or BCP/DRM is all but happenstance (I have been through a couple of BCP and DRM real life incidents and they ain't fun), so you're on your own with those. Learn the PICRELL model for incident handling. Draw out the TCP/IP/OSI stack and where everything goes in Visio and you have good hard pictures to remember.

    Crypto is hard because it's crypto - just is and will always be - hard. You never really work with it, just alongside it (SSL certificates, etc.). You're not really working with the algorithm itself, just implementing it. So, we understand that. Learn where to use it and why. Shortcomings and all. Learn to recognize the outliers and exceptions to the rule(s) and the rest will start to fall into place. Really, that's what the exam is REALLY testing you on, and why so many people get so frustrated, as the answers are almost always outliers to a problem. It should work like this, but this outlier says in this case something else is going on, but makes the question look "goofy". Now figure out why. That's the exam and many others like it.

    - B Eads
  • cgrimaldo Member Posts: 439
    That's a great reply, beads. Can you elaborate on the PICRELL model more?
  • beads Member Posts: 1,533
    PICRELL

    Incident Handling Methodology

    Preparation
    Investigation
    Containment
    Remediation
    Eradication/Elimination
    Lessons learned (hence the small 'h')

    I find it easier to remember these types of things by going with the acronym method, which is already overly standardized in the industry. I am just adding to the already over-sized heap in this case.

    You probably already know the TCP/IP: All People Seem To Need Data Processing; Phew Dead Ninja Turtles Smell Particularly Awful; and that one about sausage pizza that escapes me as well. Same diff. There are a bunch of these. Depends on when you memorized it. For me it was back in the Novell days, hence - Data Processing. Like my degree!

    - B Eads
  • JDMurray Admin Posts: 13,092
    beads wrote: »
    You probably already know the TCP/IP: All People Seem To Need Data Processing; Phew Dead Ninja Turtles Smell Particularly Awful; and that one about sausage pizza that escapes me as well.
    Those are acronyms for the seven layers of the OSI network model, not the four layers of the TCP/IP (DoD) network model.

    And for future reference: Please Do Not Throw Sausage Pizza Away
  • DavidEthington Member Posts: 22
    Zombie thread, I know... BUT...

    If you have any sort of question where a crime has been committed, NOTIFY THE AUTHORITIES FIRST. Don't turn off the computer, don't change passwords, don't call the CEO, don't bake a cake. CALL THE AUTHORITIES.

    Why? Because in real life, that could land you in some SERIOUS hot water...
  • paul78 Member Posts: 3,016
    Respectfully, I would disagree.

    First - unless you are party to the crime or you are covering up the crime, you would not be in "hot water".

    Since we are discussing the reporting of cyber crime within an organization, the correct approach is still always to "contain". In organizations with mature incident response, the incident response team would normally report to authorities if necessary.

    In the US at least, an individual is generally not brought up on "Misprision of felony" unless that individual has a special duty to report a crime. Within a company where the cyber-crime is committed, that person is usually an officer of the corporation.
  • DavidEthington Member Posts: 22
    Legally, that makes you an accessory. And ISC2 will deduct points accordingly.

    And additionally, to emphasize the nature of CISSP, it's a manager-based exam. So, legal obligation aside, and your liability aside, you'd still be the one calling police.
  • paul78 Member Posts: 3,016
    You are certainly entitled to your interpretation of the ISC2 BOK and how it works in your company. But I'm quite comfortable with how I run information security and risk management for my business, which I draw from 25 years of management experience. Plus I have an army of lawyers that support me. Our organization's incident response is very mature and our reporting process is very clear. Our employees are instructed to contain the issue and, if they don't know how, they are to escalate to the incident response team.

    Have you ever dealt with law enforcement? They are not going to contain the breach for you - they may aid with the investigation, but we have a lot more resources than law enforcement will have with the forensics. By the time you can actually complete the paperwork, it will be too late: the data will have been exfiltrated or the damage caused by bad actors will be done. Why do you think there are companies out there that provide security incident response and investigative services? I hope your incident response plan isn't to rely on law enforcement to help you stop a security breach.
  • DavidEthington Member Posts: 22
    I've also seen a lot of legal problems as a result of "fixing it ourselves". So, you would not notify the police if someone's bank account was compromised? Nobody is saying, including ISC2, that you call the police, and then sit back and have a cup of coffee. However, you do need to notify them immediately.

    But, I am saying that if you come across a question, and that's what you see, you probably want to answer the legally correct way. An army of lawyers means little to someone who gets a 696 because they went with "how we do it at the office", and an army of lawyers won't have your back if they laser beam on you for not reporting. You could end up as a sacrificial lamb.

    Here's a good link about breach notification laws. Security Breach Notification Laws

    And here's one about notification laws (to the individuals) in IL: http://www.edwardswildman.com/Files/Publication/5571cb18-2939-4705-b73d-89771e2c6f07/Presentation/PublicationAttachment/12433132-87a5-4afb-b225-63507b92ecb0/Security_Breach_Notification_Law%20(Smedinghoff).pdf

    Oh, and not reporting a crime making you an accessory and all... I don't see how that can be argued.
  • paul78 Member Posts: 3,016
    I'm very familiar with breach notification laws. It's a constant source of annoyance to keep up with each US state's variations and the standards set by EU DPAs. It doesn't make you, the individual, an accessory. Compliance with breach notification laws rests with the data processor or data custodian; it is hardly intended to target the individual.

    The reason why I responded to your post is because you stated that the first step for the individual is to contact law enforcement. That is never the first step. I did not wish individuals on this forum to have a belief that they would be the target of a law enforcement action if they worked at a company and followed the prescribed process for reporting potential security issues.

    For example - if you are an IDS analyst and your job is to watch SIEM logs all day. One day, you find out that a bad actor has breached the perimeter via a SQL injection attack on a vulnerable web site and was in the process of exfiltrating credit card data. The first step is not to pick up the phone to call the FBI. It's to convene the incident response team to shut down the connection or shut down the web site, i.e., contain. The incident team, which may include risk management like myself and supporting attorneys, would then decide who to notify and how to notify.
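As an added illustration of the ordering argued in this thread (identify, then contain, then document and notify, as in paul78's SIEM analyst scenario above and the bank-teller question at the top), here is a small Python script that is not from the forum or any poster. It parses a few constructed web-server access log lines, flags requests matching simple SQL injection indicators, and emits a response checklist in which containment actions come before any notification. The IP addresses, paths and log lines are constructed placeholders, and the signatures are illustrative rather than production detection content.

```python
"""Detect SQL-injection-style requests in access logs and produce an
incident checklist ordered contain -> document -> notify.
Added example; all log data below is constructed, not real."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed Common Log Format lines: one benign visitor and one source
# (203.0.113.7, a documentation/test address) probing an account endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2014:02:03:11 +0000] "GET /account?id=1042 HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2014:02:03:14 +0000] "GET /account?id=1042'%20OR%20'1'%3D'1 HTTP/1.1" 200 98231
198.51.100.22 - - [10/Jan/2014:02:04:01 +0000] "GET /index.html HTTP/1.1" 200 1450
203.0.113.7 - - [10/Jan/2014:02:04:09 +0000] "GET /account?id=1042%20UNION%20SELECT%20card_number%2Cexpiry%20FROM%20cards-- HTTP/1.1" 200 310778
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Illustrative indicators, matched against the URL-decoded request path.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'?\d*'?\s*=", re.I),   # ' OR '1'='1 style tautology
    re.compile(r"\bunion\b.*\bselect\b", re.I),  # UNION SELECT data extraction
    re.compile(r"--\s*$"),                       # trailing SQL comment
]


@dataclass
class Incident:
    source_ip: str
    evidence: list = field(default_factory=list)  # raw log lines, preserved
    actions: list = field(default_factory=list)   # ordered response steps


def parse_line(line):
    """Return the fields of one access log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sqli(path):
    """True if the decoded request path matches any injection indicator."""
    decoded = unquote(path)
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def detect(log_text):
    """Identify: group suspicious requests into one Incident per source IP."""
    incidents = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sqli(rec["path"]):
            inc = incidents.setdefault(rec["ip"], Incident(rec["ip"]))
            inc.evidence.append(line)
    return list(incidents.values())


def respond(incident):
    """Build the checklist: contain first, then document, then notify.
    The hostnames/endpoints named here are assumptions for the example."""
    incident.actions.append(f"CONTAIN: block {incident.source_ip} at the perimeter")
    incident.actions.append("CONTAIN: take /account endpoint offline pending a fix")
    incident.actions.append(
        f"DOCUMENT: preserve {len(incident.evidence)} evidence line(s) and all actions taken"
    )
    incident.actions.append("NOTIFY: escalate to the incident response team for reporting decisions")
    return incident.actions


def run(log_text=SAMPLE_LOG):
    """Full pass over the log; returns one action list per incident."""
    return [respond(inc) for inc in detect(log_text)]


if __name__ == "__main__":
    for checklist in run():
        print("\n".join(checklist))
```

Run it as a script to see the checklist for the single constructed incident; note that the benign 198.51.100.22 request and the first, well-formed account lookup produce no incident, and that the notification step is last in the list, after containment and evidence preservation.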