How do you GENIUS pass the CISSP!? I Got 645 FAIL!!!!!!!!!!!!!!!!!!!!!!!!!!!!

All,
I've studied for over 6 months days/nights/weekends/holidays included! Used the following sources to prepare me:
- Eric Conrad 2nd edition (read cover to cover 3 times)
- CCCure questions (paid version)
- Shon Harris Mp3 audio/practice questions
- Eric Conrad 11th hour 1st edition
- Boot camp with Secure Ninja
I feel as though I have the majority of the materials/concepts down pat across all 10 domains, of course not everything memorized since there is just way too much to remember, but for some reason I just don't seem to know how to select the "best" answers for over 20-25 questions that were asked in the actual exam. Most of them pertaining to NON TECHNICAL domains and NON TECHNICAL questions... WHAT AM I NOT DOING RIGHT????
My co-worker only studied for 2 months and took the bootcamp with me and passed!!?? WTF!!!! She barely studied, did NOT use any text books, but only listened to Shon Harris's MP3 and used CCCure practice questions and that's it!!?? On the other hand, I'd studied so GOD D*** hard!!!! WHY God, why? Why do you have to do me like that!!?? Life is so unfair!! And is there a God!? Seriously, is there????
Example of the type of questions that I have NO clue on answering:
1) If you were a bank teller and noticed that a customer's account has been compromised, what is the FIRST thing you should do?
A) contact the customer and ask them to change their password
B) notify law enforcement
C) document the incident and inform management (I chose this one)
D) disable the customer's account
CISSP holders,
Please shine some light towards my direction, as I am LOST and have no clue as to how to pass the CISSP exam!???
Thanks in advance!!! Mixed emotions! So blown, hurt, lost, upset, disappointed, angry, frustrated, etc.......

Comments
Good luck on your next try.
As for the question - that's one of the neat things about ISC2 questions - it is built on security concepts but you may have to see beyond the actual question. I don't remember how ISC2 covers incident response but the general process used by most frameworks includes various steps in a response. The first step is usually "Identify" and the second step is "Contain". In the question, an issue is already identified. So the next step is containment. The "best" way to contain the issue is to disable the account. While (a) could contain the incident, it is less timely so it is not the best response.
A big part of security management is really non-technical so understanding how administrative processes and controls are applied is very important.
My thought process: management gets to decide if an account is compromised based on their predefined rules outlined in the incident response methodology. If the question said "unusual activity" rather than "compromised", then notifying management for the appropriate action is the appropriate response. In this case, it's redundant. The third phase of IR is "response". So shut down the account.
In your example, a manager would look at that situation and think, "What is best for the business and what will keep me out of trouble if I only do one thing?" The correct answer is D because that shifts the burden of liability off of the manager's (and therefore the business's) shoulders. That way they can say, "I noticed the problem and immediately did everything in my power to rectify the issue." The very next action would be to contact the customer, because that is best for the business.
I can see why you chose C, however, regardless of what they say, you are the management. The holder of a CISSP is not a teller, they are a manager, possibly filling in for a teller.
You can't over think the questions. When I took the exam, I finished in less than 3 hours and passed on the first attempt. My plan of action (back when it was a paper exam) was to go through and only answer the questions that I knew the answer to without a second guess. Then to go through a second time on the questions that I skipped and rule out possibilities to minimize my guessing. I wound up only having a handful of questions on my second round and didn't go back through to check my work on the first round.
This worked out for me, but everybody works a little differently. When I was going through CCCure quizzes, I was only getting about 70%. However, for every single question that I missed, I went to Google and read through whatever I could find to figure out, not only the correct answer, but why the rest of the answers were wrong.
Don't get discouraged. Buck up, study more, and try again. While I passed my CISSP on the first try, it took me 4 tries to pass my CCNA.
And it's so frustrating to think that I need to start this hell once over!!!
What are the domains that you didn't do well in?
And be strong, man, we will make it!!!
On the question you posted, as of my understanding, your answer is correct.
On an occasion where there is no properly documented procedure for this kind of scenario, the best way is to get guidance from Management.
If I were the CIO of that company and I got to know that my admin had just disabled a compromised account without notifying anyone, my feeling would not be good.
Compromising a customer account is a serious issue, and fraud may already have happened. All the money may already have been withdrawn. So there will be no meaning in disabling the account. The only probable solution is to trace the logs/evidence to identify the thief. If he accesses the account again from any branch, the probability of catching him will be high.
And you would be 100% wrong. How would you limit liability? How would you close the security breach?
1. Disable the account
2. Notify the account holder
3. Document the situation and all actions taken
Think of the 2:00 a.m. test: if you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?
The comparison people sometimes make between themselves and other cert exam candidates often fails to consider the differences in what they already know about the cert's objectives prior to beginning studies for the cert exam. How much and how well a candidate needs to study for a cert exam largely depends on how much the candidate already knows about the topics and how well the concepts the cert exam tests for are understood. If someone else already knows a lot more than you do, and they understand what they know better (because of their professional experience), they will need a lot less study time than you. In effect, these types of comparison between yourself and other people who have passed the exam are fairly useless unless you are both equal on most accounts.
Regardless of how much you study, the one factor of a cert exam that you can't really study for is the exam experience itself. Did any of your study prep include emulating actually taking the cert exam? You study in the comfort of your home or work or local library for months and at your own pace, but for the exam you are thrust into the cold, bright, and unfamiliar atmosphere of a testing center and forced to take a very long, mentally exhausting exam in a relatively short amount of time. How much of your studies included preparing for that experience? This is why I write blog articles with titles like "The CISSP Certification Experience."
When you restudy for the CISSP, make sure to change up your study materials and habits. Something you are doing is not working for you. It may be your ability to concentrate on unfamiliar exam questions, eliminate the distractors, and discern what the exam item is really asking. You should force yourself to take very long practice exams in a limited amount of time to toughen up your mental stamina. Keep an open mind about what you need to change. People will advise you to just study your three worst domains and take the exam again ASAP, but that really won't help you understand the material in the way you need for your InfoSec career.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
You are thinking too far into it. Based on the question presented, disabling the account is the best security option. There is no further liability (from an exposure standpoint) once the account is disabled hence it being the correct answer.
Think within the bounds of the question, no need to get into who is authorized to take action etc.
Think of the 2:00 a.m. test: if you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?
Thanks SecurityGuru23 for sharing the practice question.
Based on real life events, banks have been found negligent if they do not shut down an account that they suspect to be compromised and allow transactions to occur so unless you want to be called out on vacation, you gotta let your ops do their job.
Comerica bank ordered to pay after customer hacked.
If you were an operator and noticed that a system has been infected with a virus, what is the FIRST thing you should do?
A) Contact the anti-virus software vendor for help
C) Document the incident and inform management
D) Unplug network cable from the system
According to Incident Management, it should be identification, containment, eradication...
So, the answer is D? But it reduces availability.
Thank you.
@MiJeG0, my 3 weakest domains are in: Physical, software development security, and cryptography. Yeah, lots of hard work from both of us have been wasted... Here we go again... Wish you best of luck on your 2nd round!!!
Thanks for those who have provided feedback, I will continue to strive and work towards passing the CISSP exam next round!!!
Happy New Year, everyone!!!
You're almost there. How long did it take you to finish the exam? I finished around 3 hours and made myself read the long form questions twice.
Thanks for the advice, it took me 4 1/2 hours to complete the exam with 1 1/2 hour left to review. I will review my top 3 weakest domains (physical, software development, and cryptography) and also brush up on the rest.
Thanks for the kind words, I will take your advice and continue to strive until I reach my goal which is to SLAY THE "BEAST"!!!
- B Eads
Incident Handling Methodology
Preparation
Investigation
Containment
Remediation
Eradication/Elimination
Lessons learned (hence the small 'h')
I find it easier to remember these types of things by going with the acronym method which is already overly standardized in the industry. I am just adding to the already over-sized heap in this case.
You probably already know the TCP/IP ones: All People Seem To Need Data Processing; Phew Dead Ninja Turtles Smell Particularly Awful; and that one about sausage pizza that escapes me as well. Same diff. There are a bunch of these. Depends on when you memorized it. For me it was back in the Novell days, hence "Data Processing". Like my degree!
- B Eads
And for future reference: Please Do Not Throw Sausage Pizza Away
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
If you have any sort of question where a crime has been committed, NOTIFY THE AUTHORITIES FIRST. Don't turn off the computer, don't change passwords, don't call the CEO, don't bake a cake. CALL THE AUTHORITIES.
Why? Because in real life, that could land you in some SERIOUS hot water...
First - unless you are party to the crime or you are covering up the crime, you would not be in "hot water".
Since we are discussing the reporting of cyber crime within an organization, the correct approach is still always to "contain". In organizations with mature incident response, the incident response team would normally report to authorities if necessary.
In the US at least, an individual is generally not brought up on "Misprision of felony" unless that individual has a special duty to report a crime. Within a company where the cyber-crime is committed, that person is usually an officer of the corporation.
And additionally, to emphasize the nature of CISSP, it's a manager-based exam. So, legal obligation aside, and your liability aside, you'd still be the one calling police.
Have you ever dealt with law enforcement? They are not going to contain the breach for you - they may aid with the investigation, but we have a lot more resources than law enforcement will have for the forensics. By the time you can actually complete the paperwork, it will be too late: the data will already have been exfiltrated or the damage already caused by the bad actors. Why do you think there are companies out there that provide security incident response and investigative services?
I've also seen a lot of legal problems as a result of "fixing it ourselves". So, you would not notify the police if someone's bank account was compromised? Nobody is saying, including ISC2, that you call the police, and then sit back and have a cup of coffee. However, you do need to notify them immediately.
But, I am saying that if you come across a question, and that's what you see, you probably want to answer the legally correct way. An army of lawyers means little to someone who gets a 696 because they went with "how we do it at the office", and an army of lawyers won't have your back if they laser beam on you for not reporting. You could end up as a sacrificial lamb.
Here's a good link about breach notification laws. Security Breach Notification Laws
And here's one about notification laws (to the individuals) in IL: http://www.edwardswildman.com/Files/Publication/5571cb18-2939-4705-b73d-89771e2c6f07/Presentation/PublicationAttachment/12433132-87a5-4afb-b225-63507b92ecb0/Security_Breach_Notification_Law%20(Smedinghoff).pdf
Oh, and not reporting a crime making you an accessory and all... I don't see how that can be argued.
The reason why I responded to your post is because you stated that the first step for the individual is to contact law enforcement. That is never the first step. I did not wish individuals on this forum to have a belief that they would be the target of a law enforcement action if they worked at a company and followed the prescribed process for reporting potential security issues.
For example - if you are an IDS analyst and your job is to watch SIEM logs all day. One day, you find out that a bad actor has breached the perimeter via a SQL injection attack against a vulnerable web site and was in the process of exfiltrating credit card data. The first step is not to pick up the phone to call the FBI. It's to convene the incident response team to shut down the connection or shut down the web site, i.e., contain. The incident team, which may include risk management like myself and supporting attorneys, would then decide who to notify and how to notify.