Chapter 1

Introduction

Exam objectives in this chapter

How to Prepare for the Exam
How to Take the Exam
Good Luck!
This book is born out of real-world information security industry experience. The authors of this book have held the titles of systems administrator, systems programmer, network engineer/security engineer, security director, HIPAA security officer, ISSO, security consultant, instructor, and others.
This book is also born out of real-world instruction. We have logged countless road miles teaching information security classes to professionals around the world. We have taught thousands of students in hundreds of classes: both physically on most of the continents, as well as online. Classes include CISSP®, of course, but also continuous monitoring, hunt teaming, penetration testing, security essentials, hacker techniques, information assurance boot camps, and others.
Good instructors know that students have spent time and money to be with them, and time can be the most precious. We respect our students and their time: we do not waste it. We teach our students what they need to know, and we do so as efficiently as possible.
This book is also a reaction to other books on the same subject. As the years have passed, other books’ page counts have grown, often past 1000 pages. As Larry Wall once said, “There is more than one way to do it.” [1] Our experience tells us that there is another way. If we can teach someone with the proper experience how to pass the CISSP® exam in a 6-day boot camp, is a 1000+ page CISSP® book really necessary?
We asked ourselves: what can we do that has not been done before? What can we do better or differently? Can we write a shorter book that gets to the point, respects our students’ time, and allows them to pass the exam?
We believe the answer is yes; you are reading the result. We know what is important, and we will not waste your time. We have taken Strunk and White’s advice to “omit needless words” [2] to heart: it is our mantra.
This book will teach you what you need to know, and do so as concisely as possible.

How to Prepare for the Exam

Read this book, and understand it: all of it. If we cover a subject in this book, we are doing so because it is testable (unless noted otherwise). The exam is designed to test your understanding of the Common Body of Knowledge, which may be thought of as the universal language of information security professionals. It is said to be “a mile wide and two inches deep.” Formal terminology is critical: pay attention to it.
The Common Body of Knowledge is updated occasionally, most recently in April 2015. This book has been updated to fully reflect the 2015 CBK. The (ISC)² Candidate Information Bulletin (CIB) describes the current version of the exam; downloading and reading the CIB is a great exam preparation step. You may download it here: https://www.isc2.org/uploadedfiles/(isc)2_public_content/exam_outlines/cissp-exam-outline-april-2015.pdf
Learn the acronyms in this book and the words they represent, backwards and forwards. Both the glossary and index of this book are highly detailed, and map from acronym to name. We did this because it is logical for a technical book, and also to get you into the habit of understanding acronyms forwards and backwards.
Much of the exam question language can appear unclear at times: formal terms from the Common Body of Knowledge can act as a beacon to lead you through the more difficult questions, highlighting the words in the question that really matter.

The CISSP® Exam is a Management Exam

Never forget that the CISSP® exam is a management exam: answer all questions as an information security manager would. Many questions are fuzzy and provide limited background: when asked for the best answer, you may think: “it depends.”
Think and answer like a manager. For example: the exam states you are concerned with network exploitation. If you are a professional penetration tester you may wonder: am I trying to launch an exploit, or mitigate one? What does “concerned” mean?
Your CSO is probably trying to mitigate network exploitation, and that is how you should answer on the exam.

The 2015 Update

The 2015 exam moved to 8 domains of knowledge (down from 10). Lots of content was moved. The domain content can seem jumbled at times: the concepts do not always flow logically from one to the next. Some domains are quite large, while others are small. In the end this is a non-issue: you will be faced with 250 questions from the 8 domains, and the questions will not overtly state the domain they are based on.
The 2015 update focused on adding more up-to-date technical content, including an emphasis on cloud computing, the Internet of Things (IoT) and Content Distribution Networks (CDN), as well as other modern technical topics. Even DevOps was added, which is quite a spin on the pre-2015 “exam way” concerning best practices for development.

The Notes Card Approach

As you are studying, keep a “notes card” file for highly specific information that does not lend itself to immediate retention. A notes card is simply a text file (you can create it with a simple editor like WordPad) that contains a condensed list of detailed information.
Populate your notes card with any detailed information (which you do not already know from previous experience) which is important for the exam, like the five levels of the Software Capability Maturity Model (CMM; covered in Chapter 9, Domain 8: Software Development Security), or the ITSEC and Common Criteria levels (covered in Chapter 4, Domain 3: Security Engineering), for example.
The goal of the notes card is to avoid getting lost in the “weeds”: drowning in specific information that is difficult to retain on first sight. Keep your studies focused on core concepts, and copy specific details to the notes card. When you are done, print the file. As your exam date nears, study your notes card more closely. In the days before your exam, really focus on those details.

Practice Tests

Quizzing can be the best way to gauge your understanding of this material, and of your readiness to take the exam. A wrong answer on a test question acts as a laser beam: showing you what you know, and more importantly, what you do not know. Each chapter in this book has 15 practice test questions at the end, ranging from easy to medium to hard. The Self Test Appendix includes explanations for all correct and incorrect answers; these explanations are designed to help you understand why the answers you chose were marked correct or incorrect. This book’s companion Web site is located at http://booksite.elsevier.com/companion/conrad/index.php. It contains 500 questions: two full practice exams. Use them.
You should aim for 80% or greater correct answers on any practice test. The real exam requires 700 out of 1000 points, but achieving 80% or more on practice tests will give you some margin for error. Take these quizzes closed book, just as you will take the real exam. Pay careful attention to any wrong answers, and be sure to reread the relevant section of this book. Identify any weaker domains (we all have them): domains where you consistently get more wrong answers than others. Then focus your studies on those weak areas.
Time yourself while taking any practice exam. Aim to answer at a rate of at least one question per minute. You need to move faster than true exam pace because the actual exam questions may be more difficult and therefore take more time. If you are taking longer than that, practice more to improve your speed. Time management is critical on the exam, and running out of time usually equals failure.

Read the Glossary

As you wrap up your studies, quickly read through the glossary towards the back of this book. It has over 1000 entries, and is highly detailed by design. The glossary definitions should all be familiar concepts to you at this point.
If you see a glossary definition that is not clear or obvious to you, go back to the chapter it is based on, and reread that material. Ask yourself: do I understand this concept enough to answer a question about it?

Readiness Checklist

These steps will serve as a “readiness checklist” as you near the exam day. If you remember to think like a manager, are consistently scoring over 80% on practice tests, are answering practice questions quickly, understand all glossary terms, and perform a final thorough read through of your notes card, you are ready to go.

How to Take the Exam

The CISSP® exam was traditionally taken via paper-based testing: old-school paper-and-pencil. This has now changed to computer-based testing (CBT), which we will discuss shortly.
The exam has 250 questions, with a 6-hour time limit. Six hours sounds like a long time, until you do the math: 250 questions in 360 minutes leaves less than a minute and a half to answer each question. The exam is long and can be grueling; it is also a race against time. Preparation is the key to success.

Steps to Becoming a CISSP®

Becoming a CISSP® requires four steps:
Proper professional information security experience
Agreeing to the (ISC)² code of ethics
Passing the CISSP® exam
Endorsement by another CISSP®
Additional details are available on the examination registration form available at https://www.isc2.org.
The exam currently requires 5 years of professional experience in 2 or more of the 8 domains of knowledge. Those domains are covered in chapters 2 through 9 of this book. You may waive 1 year with a college degree or approved certification; see the examination registration form for more information.
You may pass the exam before you have enough professional experience and become an “Associate of (ISC)².” Once you meet the experience requirement, you can then complete the process and become a CISSP®.
The (ISC)² code of ethics is discussed in Chapter 2, Domain 1: Security and Risk Management.
Passing the exam is discussed in section “How to Take the Exam,” and we discuss endorsement in section “After the Exam” below.

Computer Based Testing (CBT)

(ISC)² has partnered with Pearson VUE (http://www.pearsonvue.com/) to provide computer-based testing (CBT). Pearson VUE has testing centers located in over 160 countries around the world; go to their website to schedule your exam. Note that the information regarding CBT is subject to change: please check the (ISC)² CBT site (https://www.isc2.org/cbt/default.aspx) for any updates to the CBT process.
According to (ISC)², “Candidates will receive their unofficial test result at the test center. The results will be handed out by the Test Administrator during the checkout process. (ISC)² will then follow up with an official result via email. In some instances, real time results may not be available. A comprehensive statistical and psychometric analysis of the score data is conducted during every testing cycle before scores are released.” [3] This normally occurs when the exam changes: students who took the updated exam in April and May of 2015 reported a 6-week wait before they received their results. Immediate results followed shortly after that time.
Pearson VUE’s (ISC)² site is: http://www.pearsonvue.com/isc2/. It includes useful resources, including the “Pearson VUE Testing Tutorial and Practice Exam,” a Microsoft Windows application that allows candidates to try out a demo exam, explore functionality, test the “Flag for Review” function, etc. This can help reduce exam-day jitters, and familiarity with the software can also increase your test taking speed.

How to Take the Exam

The exam has 250 questions comprised of four types:
Multiple choice
Scenario
Drag/drop
Hotspot
Multiple-choice questions have four possible answers, lettered A, B, C, or D. Each multiple-choice question has exactly one correct answer. A blank answer is a wrong answer: guessing does not hurt you.
Scenario questions contain a long paragraph of information, followed by a number of multiple choice questions based on the scenario. The questions themselves are multiple choice, with one correct answer only, as with other multiple choice questions. The scenario is often quite long, and contains unnecessary information. It is often helpful to read the scenario questions first: this method will provide guidance on keywords to look for in the scenario.
Drag & drop questions are visual multiple choice questions that may have multiple correct answers. Figure 1.1 is an example from Chapter 2, Domain 1: Security and Risk Management.
Figure 1.1 Sample Drag & Drop Question
Drag and drop: Identify all objects listed below. Drag and drop all objects from left to right.
As we will learn in Chapter 2, Domain 1: Security and Risk Management, passive data such as physical files, electronic files and database tables are objects. Subjects are active, such as users and running processes. Therefore you would drag the objects to the right, and submit the answers, as shown in Figure 1.2.
Figure 1.2 Sample Drag & Drop Answer
Hotspot questions are visual multiple choice questions with one answer. They will ask you to click on an area on an image; network maps are a common example. Figure 1.3 shows a sample Hotspot question.
Figure 1.3 Sample Hotspot Question
You plan to implement a single firewall that is able to filter trusted, untrusted, and DMZ traffic. Where is the best location to place this firewall?
As we will learn in Chapter 5, the single-firewall DMZ design requires a firewall that can filter traffic on three interfaces: untrusted (the Internet), trusted, and DMZ. It is best placed as shown in Figure 1.4. (ISC)² has sample Drag & Drop and Hotspot questions available at: https://isc2.org/innovative-cissp-questions/default.aspx.
Figure 1.4 Sample Hotspot Answer
The questions will be mixed from the 8 domains; the questions do not (overtly) state the domain they are based on. There are 25 research questions (10% of the exam) that do not count towards your final score. These questions are not marked: you must answer all 250 questions as if they count.
Scan all questions for the key words, including formal Common Body of Knowledge terms. Acronyms are your friend: you can identify them quickly, and they are often important (if they are formal terms). Many words may be “junk” words, placed there to potentially confuse you: ignore them. Pay careful attention to small words that may be important, such as “not.”

The Two Pass Method

There are two successful methods for taking the exam: the two-pass method and the three-pass method. Both begin the same way:
Pass One
Answer all questions that you can answer quickly (e.g., in less than 2 minutes). You do not need to watch the clock; your mind’s internal clock will tell you roughly when you have been stuck on a question longer than that. If you are close to determining an answer, stick with it. If not, skip the question (or provide a quick answer), and flag the question for later review. This helps manage time: you do not want to run out of time (e.g., miss the last 10 questions because you spent 20 minutes stuck on question 77).
Pass Two
You will hopefully have time left after pass one. Go back over any flagged questions and answer them all. When you complete pass two, all 250 questions will be answered.
Pass two provides a number of benefits, beyond time management. Anyone who has been stuck on a crossword puzzle, put it down for 20 minutes, and picked it up to have answers suddenly appear obvious understands the power of the human mind’s “background processes.” Our minds seem to chew on information, even as we are not consciously aware of this happening. Use this to your advantage.
A second benefit is the occasional “covert channel” that may exist between questions on the exam. For example, question 132 asks you what port the SSH (Secure Shell) daemon listens on. Assume you do not know the answer, and then question 204 describes a scenario that mentions SSH runs on TCP port 22. Question 132 is now answered. This signaling of information will not necessarily be that obvious, but you can often infer information about one answer based on a different question; also use this to your advantage.

The Three Pass Method

There is an optional (and controversial) third pass: recheck all your answers, ensuring you understood and answered the question properly. This is to catch mistakes such as missing a keyword, for example, “Which of the following physical devices is not a recommended preventive control?” You read that question, and missed the word “not.” You answered the question on the wrong premise, and gave a recommended device (like a lock), when you should have done the opposite, and recommended a detective device such as closed-circuit television (CCTV).
The third pass is designed to catch those mistakes. This method is controversial because people often second-guess themselves, and change answers to questions they properly understood. Your first instinct is usually your best: if you use the third-pass method, avoid changing these kinds of answers.

After the Exam

If you pass, you will not know your score; if you fail, you will receive your score, as well as a rating of domains from strongest to weakest. If you do fail, use that list to hone your studies, focusing on your weak domains. Then retake the exam. Do not let a setback like this prevent you from reaching your goal. We all suffer adversity in our lives: how we respond is what is really important. The exam’s current retake policy is, “Test takers who do not pass the exam the first time will be able to retest after 30 days. Test takers that fail a second time will need to wait 90 days prior to sitting for the exam again. In the unfortunate event that a candidate fails a third time, the next available time to sit for the exam will be 180 days after the most recent exam attempt. Candidates are eligible to sit for (ISC)² exams a maximum of 3 times within a calendar year.” [4]
Once you pass the exam, you will need to be endorsed by another CISSP® before earning the title “CISSP®”; (ISC)² will explain this process to you in the email they send with your passing results.

Good Luck!

We live in an increasingly certified world, and information security is growing into a full profession. Becoming a CISSP® can provide tremendous career benefits, as it has for the authors of this book.
The exam is not easy, but worthwhile things rarely are. Investing in an appreciating asset is always a good idea: you are investing in yourself. Good luck; we look forward to welcoming you to the club!