Venting

in SSCP
I find it really impressive that the two most used books nowadays can't agree on some aspects, even considering the information provided by the other as wrong.
I've been using mainly the Sybex Study Guide 7th Ed. and Conrad's CISSP: Study Guide.
They both use completely different frameworks for mostly everything, but that is fine because everyone says the exam itself doesn't focus on specific frameworks but instead focus on the overall process (which all in all it always comes down to the PDCA model in pretty much everything).
But some specific things are absurd. I've come across several things like this while studying, and even answering the same question on both test banks provided, each considers a different answer correct (even though both had each other's "correct answers" as well).
Here is an example:
Sybex book, Incident Response Steps. Step "Response":
Computers should not be turned off when containing an incident. Temporary files and data in volatile random access memory (RAM) will be lost if the computer is powered down. Forensics experts have tools they can use to retrieve data in temporary files and volatile RAM as long as the system is kept powered on. However, this evidence is lost if someone turns the computer off or unplugs it.
Conrad's book, Incident Response Steps. Step "Containment" (the equivalent to the Response used by Sybex's framework):
Containment might include taking a system off the network, isolating traffic, powering off the system, or other items to control both the scope and severity of the incident. This phase is also typically where a binary (bit-by-bit) forensic backup is made of systems involved in the incident. An important trend to understand is that most organizations will now capture volatile data before pulling the power plug on a system.
Conrad, Eric; Misenar, Seth; Feldman, Joshua (2012-09-01). CISSP Study Guide (Kindle Locations 7742-7745). Elsevier Science. Kindle Edition.
Comments
In some situations, it may be best to power off immediately. In others, you want to pull data that may be in RAM or temp files.
It's somewhat like a double-edged sword. Just a theory here, but containment is to isolate a serious issue. You can yank it off the network to contain the host without powering it off. Sybex is correct in that you should not power it off so you can go back and assess and analyse the host.
Conrad almost sounds like he kind of threw that "power off host" as an option. Not a valid solution but it IS in fact an option to isolate a situation whether it is ethical or not. He covers himself in the very last sentence too "An important trend to understand is that most organizations will now capture volatile data before pulling the power plug on a system."
Powering off systems is not wise for forensics, but is a solution to isolate active incidents.
2023 Cert Goals: SC-100, eCPTX
Conrad: Tailgating / Piggybacking is the same thing
Sybex: Tailgating: When someone holds the door for you. Piggybacking: When someone enters with you without providing credentials.
Conrad: Directive is one of the Categories (also refers as Administrative)
Sybex: Directive is a Type of control within the Categories (Administrative, Technical, Physical)
Conrad: Maintenance Hooks: "done by the programmers". Seen as a security flaw but not an attack / Backdoors: seen as attacks.
Sybex: Maintenance Hooks and Backdoors are the same thing.
You will find many instances of this. Try to strip this down to the core principles and think how you will apply it, rather than sticking to a black and white definition.
I remember one of the McGraw questions had this as well. I selected the answer that was the definition for the item in Conrad's book. WORD BY WORD (I picked up Conrad's book to double check) and it still said I was wrong. In this particular case I couldn't see what was different because I don't have the McGraw book.
Regarding the example in the first post: might means that it's allowed and a possible way to resolve under certain circumstances. Should not means that it's not allowed and prohibited. Contradiction is clear for me.
There is a lot of other stuff in other non-technical sections, especially on what constitutes what type of control (corrective, preventive, deterrent, detective, etc), frameworks, abstract matters such as security kernel and reference monitor, etc. I've posted here a bunch of them and I can tell that it always drives me crazy. Things should be certain because correct answers on exam and ultimately correct behavior in real world situations depend on it.
When looking at the term piggybacking or Tailgating in the books I have studied:
Eric Conrad book, Piggybacking refers you to Tailgating.
The Official CISSP Classroom book, only shows Tailgating.
Sybex Study Guide, I couldn't find the term Tailgating in this Sybex book, but Piggybacking was.
The Official (ISC)2 Study Guide had 5 references to Tailgating and it specifically mentions, "..the legitimate person will usually hold the door open for the attacker." It also mentions Piggybacking when talking about Turnstiles and Mantraps saying, "..unauthorized person following through a checkpoint....called Piggybacking or tailgating."
As it has been pointed out, SEVERAL TIMES, in this forum, there is no one book that will cover everything the CISSP tests for. And the information in study guides is only a fraction of what you need to know for the test.
When taking the test it's VERY important to look at the adjectives and adverbs in the question. Read the question..SLOWLY. When I took the test, I read the answers before I read the question. Then I look at the question presented and find the actual question, the sentence with the question mark. I read it. Then I read the descriptive paragraph, looking for the descriptive words, the adjectives and adverbs. This helped me narrow down the answers.
Take the piggyback / Tailgating example. A question could be something like this:
You are an ethical hacker hired to evaluate a company. The workplace access is controlled by two-factor authentication. Employees are required to have an access card and a 6-digit PIN to enter the building. One morning you have several boxes of donuts to bring in and your arms are full; you notice that one of the employees, Mary, is ahead of you entering the building. As you get to the entrance, she notices your arms are full, opens the door and holds it open for you, allowing you to enter without an access card and PIN. What type of attack have you just accomplished?
a. The Two-Man Concept
b. The Buddy System
c. Tailgating
d. Social-Engineering
In the above answers there are two right answers, C & D. Tailgating is a type of Social Engineering. If you pick D, you will have missed the question. C could have easily been Piggybacking, but it was pointed out in my CISSP class that they would never put two terms that mean the same in the answers, i.e. both Tailgating and Piggybacking as options.
When taking the test, read the questions carefully and discern what the question writer wants you to answer. Then use the knowledge you have acquired to pick the best answer that is presented. Don't argue in your head, "Hey! The piggybacking is the correct term for this question, why isn't it one of the answers?!?" Just look at the answers presented and choose the best one of those. Remember, the CISSP Certification exam is NOT a technical exam, it is not a Security+ or SSCP exam. The CISSP is a managerial exam, think higher level and study that way.
Look at some of the types of Cryptography. You can have encryption methods that are Block, Stream, Symmetric and Asymmetric and combinations of those. The objective for you and us to understand is how we as information security professionals can utilize a given type of crypto to secure the data we are charged with safekeeping. If you have a question on cryptography, look at the answers and choose the one that is most correct.
There are domains that each of us have difficulty with, mine was Software Development..I HATE Programming, I've always been a hardware and Directory guy, but I had to wrap my head around it and study it..ugh..
BTW, the question above is not a test question that I saw, it's only an example.
BTW, I have been in the IT world since the late 80's. And below is a list of what I studied for the exam.
Books and study Material in order of my purchase and reading.
(ISC)2 Official CBK - Hardest book I have ever read, so much fluff..
CISSP Study Guide, 2E by Eric Conrad
CISSP Study Guide 11th Hour by Eric Conrad
**CCCure Practice Exam
CCCure Review Notes
**Transcender Practice Exams
Sunflower Review Notes
**(ISC)2 Official Study Guide 7th Edition - Sybex
**Cybrary CISSP videos and MP3s.
**Combined Notes from here
**Quizlet (ISC)2 Official Flash Cards (These are free and are the exact same flash cards they gave us at the class)
**Official (ISC)2 Training Guide CISSP CBK - Official Training Guide from the class.
I read them all, cover to cover. The ones with the ** are what I think were most beneficial to my passing the exam. With the class I believe this is what helped me pass. From April to around August, I studied now and then, when I had time, mostly reading the Official CBK. From August until the Test, I studied for about 4-6 hours a day. If I had a break at work, in line for lunch and then 2-3 hours a night at home. I only took Sundays off. I took the official in person (ISC)2 CISSP Course from the 2nd through the 6th of November and sat for and passed the test on the 7th of November.
Good luck and I wish you the best.
Honestly, I believe it all points back to poor knowledge management. Test questions (from what I've heard) are authored/produced by active CISSPs. If true, ISC2 has essentially "farmed out" question generation to free labor. However, this leads to inconsistency and headaches for those hoping to sincerely study for and pass the exam.
Regarding the question about unplugging the computer - the Harris lectures suggest unplugging as the best course as well. Again, context is important - but process is not to cover the 20% of unusual situations, it is to cover the 80-90% of the typical. If you are not going to give enough information to determine where the situation falls in the 80/20 rule - then the answer should ALWAYS be aligned with the best practice procedure.
The inconsistencies are VERY frustrating and I'm not willing to give ISC2 a pass - I think a lot of this is not due to some "higher level" of knowledge synthesis on their part; rather it is simply due to too broad an amount of material, with too broad a scope, that leads to conflict when a set of circumstances that is not well defined is applied to different points of view. This failure is generally perceived as having some sort of mysterious nature about it, with people second-guessing what is wrong with themselves, when it is really just a poor process on the other end. We tend to assume that those in positions of authority are infallible - but the reality is that there is often much going on "behind the curtain" that would completely alter our perspective if we knew about it.
The scenario you list...first says containment might include because it depends on what happened. Once the volatile data is captured, powering off the system is not an issue...although maintaining the state is not a bad idea. One might give you a more in depth answer but CISSP materials are generally pretty good across the board from my experience...and those are two of the best resources.
Over the years, I've gotten better at dealing with exam semantics, but it still takes effort to overlook the glaringly obvious (at least to me) inconsistencies in a lot of the available instructional material. Some of it can probably be blamed on cultural differences where one author grew up hearing the term "piggybacking" (which alludes to an agricultural setting) and another grew up hearing the term "tailgating" (more urban/city in nature), but not all.
Some of it is simply laziness on the author/publisher's part in an effort to meet a deadline..
College: MBA Project Management (2012) | Bachelors IT Management (2010)
Experience: Cyber Security, Information Assurance, and IT Management Officer