Passed the CISSP – Thank you Braindumps!
Okay, okay, put the flamethrowers away. The braindump comment was a joke! There are like 20 “Passed” threads today, so I thought I’d try some creative advertising!
I did pass last Thursday, and that’s definitely not a joke! I owe everyone who contributes to this forum a huge debt of gratitude.
So, in an effort to pay that goodwill forward, here’s the breakdown of my exam prep and test experience:
My Background
I’ve got 15+ years of work experience. I started my career in semiconductor design, designing network-related ASICs such as switch fabrics, RAID controllers, packet forwarding engines, traffic managers, and ATM SARs.
Over the years, I gradually shifted from the hardware side of networking to the software. I currently work for a multicore processor company and I support customers who use it for crypto acceleration and various kinds of deep packet inspection.
Why did I decide to pursue the CISSP?
My job doesn’t require CISSP certification, but all the customers I work with are designing IDS/IPS systems, SSL proxies, and secure web gateways. Since I spend all my time working in network security anyways, I decided to pursue the CISSP.
I didn’t want the CISSP to land a new job, rather I wanted to increase the breadth of my understanding of the security industry.
My goal was not to find the fastest way to add the title “CISSP” to my resume. My goal has always been to gain a holistic understanding of security – to learn more about those domains that I don’t touch in my job. This means I wasn’t trying to cram for the exam or look for ways to skip topics that might not show up on the test. To the contrary, I wanted to drill down into the nuts and bolts of every domain.
How long did I prepare?
About 9 months. Because of work and family, I couldn’t carve out 4 hours of study time per day even if I wanted to. So I studied whenever I could for as long as I could. Some days not at all, other days for an hour or two. I knew that preparing for this exam would be a marathon, not a sprint. That prevented me from getting frustrated or giving up. Slow and steady but eyes always on the prize.
Study Material
All In One – read the whole thing, cover to cover.
Sybex CISSP Study Guide (by Stewart) – read 80%
The Official (ISC)2 Guide to the CISSP CBK (Hernandez) – cover to cover
CISSP Study Guide (by Conrad) – cover to cover
CISSP 11th Hour (by Conrad) – cover to cover
And a ton of supplemental online research such as tutorials and whitepapers from various sites
My studying process went something like this:
1. Start with Conrad’s CISSP Study Guide. I’d structure my notes to follow topics in the order he covered.
2. Read the same chapter in AIO and update my notes
3. Read the ISC Official Guide and Sybex – filling in my notes even further
You can see why it took me 9 months to prepare for this exam. For each domain I was reading 4 different books and taking notes. It took a long time and my notes for each domain were typically 50+ pages. But each author covers topics in a slightly different way, and that really helped solidify my understanding.
I tried watching videos and listening to MP3s, but they covered the material too slowly. Books were a more efficient way to learn for me.
Practice Tests Used
McGraw Hill online – took both quizzes x 10 domains = 1000 questions
Shon Harris CISSP Practice Exam Book (3rd Edition) – Completed about 500 questions
Transcender – Completed 750 questions
SSI Logic’s CISSP Exam Book – 500 questions
CCCure (paid) – Completed 1800 questions
Conrad/Elsevier – took both sample tests – 500 questions
I’ve listed the tests in the order of effectiveness. I definitely felt McGraw Hill tests were the toughest. The 3rd Edition of the Shon Harris book is also very good, followed by Transcender.
Exam Experience
I took the exam last Thursday and also took the day before (Wednesday) off to prepare. What I didn’t do on Wednesday was lock myself in a room and cram. I stayed home, reviewed my notes and took a practice test. But I took long breaks, relaxed and because it was a nice day, I fired up the barbeque, grilled steaks and had a nice sit-down dinner with my wife and kids. Did I do this because I was so confident that I didn’t think I had to study? Not at all. I was nervous and worried I wasn’t ready. But I told myself that if I wasn’t ready after 9 months preparing, what difference would one more day of cramming make? So I decided not to spend the day stressed out. I was going to have a nice evening with my family and do my best to relax.
I took this approach because I felt an overlooked component of this exam is mental preparedness. I think it’s underestimated how important it is. The CISSP has a reputation of being a difficult exam and I think some folks let that reputation psych them out. They get so worked up, it’s like the exam has beaten them before they even take it! I told myself that I might not pass on Thursday, but I wasn’t going to let this test punk me. I respected the exam, but I wasn’t scared of it. So I had a nice dinner, put my kids to sleep, reviewed my notes and was asleep by 10pm.
I woke up, had a good breakfast, packed some fruit, energy bars and water and left for the test center. I didn’t look at any CISSP material at all. On the way to the test center, I rolled down the car windows, cranked some Imagine Dragons and RUN-DMC and made it to the test center in 20 minutes.
Registration went really quick and next thing I knew, I was sitting behind the computer while the proctor got the test started. It was game time.
What did I think of the exam? It had its challenging moments, but overall it wasn’t nearly as hard as I had expected. If anything, I was over-prepared. I’m not saying the test was easy, nor should anyone think this material comes easy to me or that I have a photographic memory. Not the case at all. If you gave me 2 months to prepare, I probably would have found the test a lot harder. So the point I’m making is, the test isn’t hard if you put the required time and effort in. If you have an abbreviated prep schedule, then sure, it’s going to be more challenging.
I completed all 250 questions in 3 hours, no break and I didn’t skip a single question. I did flag 100 questions. Yes, that’s a lot. But my strategy for flagging questions was this: unless I was absolutely sure I had the right answer, I flagged the question. So that meant, of the 250 questions, I had no doubt about my answers to 150 of the questions. This is the reason I felt the test wasn’t so hard. I was expecting every question to be a battle, but it turned out 150 were straightforward. I also kept track of how much time I was spending on the questions. After every 30 questions, I’d note the elapsed time and calculate the average time per question. For most of the exam I was averaging 40 seconds/question, which is much, much faster than I was expecting. In some cases, I could predict what the right answer was while I was reading the question. I could tell, just from the question setup what I was going to be asked. I’m sure folks have had this same feeling while taking the practice quizzes.
Of the 100 I marked, I’d say there were 30 I really shouldn’t have flagged at all. But I was flagging a lot of questions at the beginning of the exam because I was a little nervous. But once I reviewed them, I was sure the answers were right.
Of the remaining 70, I’d say there were only 6 questions that I couldn’t narrow the choice down to 2 correct answers. And I was pretty sure those 6 were experimental because they just seemed odd or different.
So after spending another 1 hour reviewing the 100 flagged questions, I stopped. I knew I had passed because I put the remaining 70 flagged questions in the “50/50” category. Which meant that there was a 50/50 chance I got the question right. So I assumed I’d get 35 of these right and miss 35. That meant I had 215 questions right, and 35 wrong. Which gave me a pretty good feeling I passed.
I realize these are all just estimates. I probably missed some of the ones I felt very confident about, and maybe I missed more than 35 in the “50/50” pool. But I knew 50 of the questions wouldn’t count, and my “gut” just told me many of those experimental questions were in my 50/50 list. So at the 4 hour mark, I ended the exam. Went to the proctor, who slipped me the paper with the good news.
Q & A For Those Preparing To Take The Exam
Question: What domains can I skip? Which domain did you see the most questions from?
Answer: I can’t give breakdowns, obviously. But I will say this: MAKE SURE YOU STUDY ALL 10 DOMAINS. I saw questions from all domains. Review the CIB and the CBK – everything, and I do mean everything, is fair game.
Question: This exam is all about thinking like a manager right? High level concepts right?
Answer: Personally, I don’t think the “know the concepts” advice is very useful. I mean, what’s the alternative? To NOT study the concepts?!? So of course you need to know the concepts – that’s so obvious, it’s of no value.
But if you think just knowing concepts is going to be good enough, you will find yourself in trouble on this exam my friend. “Think like a manager” ain’t gonna save you. Some of the questions I got were very, very technical. Deep dives in technology. So again, my advice is the same – know all topics in the CBK. Don’t assume anything is out of bounds.
Question: Should I use practice questions? Some people say they are a waste of time
Answer: Everyone is different, but the practice questions helped me immensely. You should do at least 2000, half of which should be full 250 question tests that you sit through to build stamina.
And here’s the most important piece of advice I can pass along regarding practice quizzes: MAKE SURE YOU REVIEW ANSWERS FOR QUESTIONS YOU GOT WRONG AND RIGHT
I spent a lot more time reviewing my answers than I did taking the test. And why is it important to review the answers even for questions you got right? Because during the quizzes, I’d have to guess on some of the answers. Just because I guessed right doesn’t mean I knew the answer. So if you happen to guess right, go back and review.
Question: Can I PM you for your study notes or Transcender login? Can you mail me all the books you bought?
Answer: Sure! Of course! Is there anything I can get you while I’m at it?
And don’t worry, I won’t cut-and-paste your PM into a forum post so everyone knows who’s asking.
Best of luck to everyone who is preparing! Remember - calm down, don't get your undies in a bunch, it's just a test. No big deal.
Special thanks to PapaDoc for his write up and continued support of all of us who were preparing.