CISSP exam advice 2015

So, I passed the CISSP exam this week. Without divulging specific questions, here is some advice for those preparing. Obviously your exam may be drastically different from mine, and this is by no means a comprehensive list of stuff you should know - it's just my personal feeling about which areas of the CBK are most helpful to have a strong grasp of, based on my single experience of a CISSP exam.

Most of the people who failed on my exam were bemoaning the amount of questions on governance, risk management, and business continuity. Know these topics well. If in doubt, remember the basics that are important - getting management buy-in, and starting at the top with good policies. Remembering these basics could help find the right answer in a number of questions.

CLOUD IS A BIG DEAL. Be aware of security issues around cloud. This is one area where the old CBK isn't massively helpful (my copy is from around 2009).

SCADA systems are new for 2015. You don't need to know loads, but be aware that they are mostly legacy systems with little or no security.

Understand crypt, particularly how PKI works and the different types of cipher. Know the most common symmetric and asymmetric algorithms (not in detail - just be able to identify or list them and know where you might use them, ie ECC for mobile devices). Details about how many rounds AES does and block sizes are less important. I massively over-prepared for this area, but it's all good knowledge I guess!

Be aware of well known attacks, including various kinds of Denial of Service. Know Fraggle from Smurf, and know how to mitigate them.

Know your security models. You absolutely must know the difference between Bell La-Padula and Biba, Clark-Wilson and Brewer-Nash. Which models are for integrity, which for confidentiality? Which would you use to manage conflict of interest? These can be confusing at first, but you can probably nail them in an afternoon of study.

A lot of physical security is common sense, but it wouldn't hurt to know your fire suppression techniques, requirements for secure areas, etc. I learnt all this just in case, but TBH didn't need much of it and most questions the right answer was fairly easy to find simply by process of elimination. I'd suggest that if you're pressed for study time, you can spend less time on this area.

Learn the software development lifecycle, and know what activities are at each stage.

Know the generic risk assessment process. You should be able to do a basic calculation for a quantitative risk assessment (working out ALE and making recommendations on which controls are most cost effective).

Know the 7 layer OSI model. You need to know what each layer does, common protocols at each layer, and the security concerns - which attacks are layer 3, for instance? My older study materials spent lots of time on port numbers, different kinds of cable and how many channels a T1 line had etc. The focus appears to have moved away from this level of detail.

Be aware of wireless networking and the issues with WEP/WPA.

Study prep advice:

Don't underestimate the prep time required. I set aside 2 hours a day for the 2 months leading up to the exam, and took one day a week to spend longer on CISSP. I mostly studied from the CBK and an Eric Conrad book (which I personally found a lot better than the Shon Harris ones), looking up concepts online where I needed to. I did a weeklong review seminar with the exam at the end. The course wasn't great, and would by no means have compensated for a lack of prep beforehand! It was really just a high-level review of things we were already expected to know. I suspect the majority of people who failed the course didn't put the time in beforehand.

Do lots of practice tests but choose carefully. There's a lot of questions online that are either misleading or plain WRONG and rarely representative of what is actually on the exam. Choose from known, respected authors (Eric Conrad, Shon Harris) and use new materials. As mentioned above, the focus of the exam appears to have moved away from knowing random technical facts and is much more about how you apply what you know (which is the best way to mitigate X, etc). Many older books will bang on about the block size of DES, clipper chips, etc, so throw away any hand-me-down study materials and buy something published in the past 12 months.

Hope this helps someone. Good luck!

Find more posts tagged with

Comments

clarkincnet

Thanks for the comprehensive review. Can I ask which review course you used?

harrym1

Ryon, Congratulations!

Your review is excellent! Thank you for taking time to write a helpful review like this.

havoc64

Thank you for the information, I will be taking the CISSP Training Camp next week and testing on Saturday..I will make sure to followup on your suggestions.

g33k3r

Congrats and thanks for the followup!

Havoc64 - I'd love to hear about your experience with Training Camp once you are done.

Tuningislife

Which Eric Conrad book did you end up using? The CISSP 3rd Ed Study Guide does not release until January. The 2nd ed is from 2012 and his 11th hour 2nd ed book is from 2013.

havoc64

g33k3r wrote: »

Congrats and thanks for the followup!

Havoc64 - I'd love to hear about your experience with Training Camp once you are done.

I will make sure to make a post with details..

Mike7

ryon wrote: »

the focus of the exam appears to have moved away from knowing random technical facts and is much more about how you apply what you know (which is the best way to mitigate X, etc).

Thanks for the advice! I just took the CSSLP exam and came out with the same impression.
Hope this will let those doing ISC2 exams know that understanding is more important than memorising.

cledford3

I am sitting a Training Camp CISSP bootcamp this week. I am willing to share my experince and opinions - PM me with contact details. The short of it is that I wish I'd used a different vendor.

havoc64

cledford3 wrote: »

I am sitting a Training Camp CISSP bootcamp this week. I am willing to share my experince and opinions - PM me with contact details. The short of it is that I wish I'd used a different vendor.

Are you sitting for the test tomorrow?

cledford3

havoc64 wrote: »

Are you sitting for the test tomorrow?

No.

Our class size is about 15. At least 4 are "retakes" (possibly 5) who did not pass exam after their first sit of the class. Polling them, it seems there was less than 50% pass rate in their previous classes - alhtough this is just what I'm hearing. Right now it sounds that of the 10 of us who are first-timers - at least 4 are NOT sitting the exam at this point (getting vouchers) - there may be more.

I have not been formally studying for more than a few weeks and by no means hardcore at that. However, I have been amassing prep materials, scrubbing this forum weekly, and doing light material pre/re-view on/off since January. (this is in addition to 15+ years of IT security experience, several other certs, and numerous training classes over the years) I did not really expect to come in here cold and pass, but I hoped that I might have a 50/50 shot with my experience + the prep I have been able to accomplish + plus this “bootcamp.” Unfortunately the class has not provided me anything close to the level of confidence I feel reasonable to sit the exam. 50/50 isn't a high bar - but sadly, I'm not there after this experience.

I am completely shocked that attendees are being *encouraged *to take the test at the conclusion of the class. I think it is huge disservice.

ryon

Thanks for the replies folks. Sorry for the delayed response, but the answer questions that have been asked:

clarkincnet - I used Firebrand, they have training centres around the world. The trainer we had wasn't the best, but everything else was excellent. I know from other people who have trained with them that they have some excellent trainers, so I suppose our class just drew the short straw.

Tuningislife - The Eric Conrad book was just called "CISSP Study Guide" I think (already given it away!). It's from about 2013 so still in the old 10 domains, but has 95% of what's in the 2015 CBK. I am sure a new one will be forthcoming soon!

cledford3 - Sorry to hear your bootcamp wasn't great. TBH I think these classes are mis-advertised. There is no way they can actually teach all the material in the CBK in a way that a typical person can understand it, retain it, and apply it in context, in a week. Yet the pre-requisites for the course I took simply reiterate the requirements for the certification and make no mention of how much study you're expected to do before showing up. "You'll be certified in just 7 days" - no mention of the many hours of prep in the months leading up to it!

havoc64

Good Job Ryon, I passed the test this past Saturday and could not say what you have any better. This is no walk in the park...people need to study

Awilliam77

Guys, paid training camps are completely unnecessary. I passed the exam without any of it, with only 3 months professional experience, and 45 days study time, though most days were 2-4 hours or more. Kelly Handerhan's Cybrary Videos and Larry Greenblatt's youtube videos will probably give you better information than most training camps. Listen to what Kelly says regarding "what you need to know" which she states in every video. Larry Greenblatt has extremely good advice tips. Things like "It's an english test, not security." Recognizing the key words in each question will immediately reduce your possible answers to 2, but then it's up to your knowledge. "Think like a manager." Least cost + shortest amount of time + most effective job will help in the decision making process. Also, know your code of ethics canons, and the order they are listed. Even though you might not have a question pertaining to them, using them will narrow your answer choices.

As far as study material aside from those videos, i'd recommend using the CISSP combined notes from this site, the eric conrad books, and the CCCure questions. The questions are garbage compared to the test, but the information provided in study mode is gold. The Shon Harris/Mcgraw hill questions are pretty good if you've exhausted every thing else as well.

Also, the information provided in the OP is well advised. Nice job.