[CCCure CISSP] I passed - my experience


[CCCure CISSP] I passed - my experience

Theresa Fichtner

I passed the exam on November 8th. Here are some notes about my journey that might be helpful. This is LONG.  You have been warned.

 

MY STUDIES…

 

For the last three years I’ve been reading Shon Harris’ All-In-One book and taking short tests on the CCCURE site off and on. One major project or life event precluded me from getting serious about it. This fall I finally decided to buckle down and get this certification!

 

SANS CISSP COURSE

I attended the SANS CISSP six day course in Las Vegas in September. It was taught by Eric Conrad. I can’t say enough about how well SANS does their courses. I had taken Hacker Techniques & Incident Handling in 2011 and Network Security Essentials in 2012. The CISSP “boot camp style” course was awesome. We had class from 8:00 am to 7:00 pm. I returned to my room each night and reviewed the material and retook the practice tests they provided. This was a six day course.

 

(At SANS we also received Eric Conrad’s book “CISSP Study Guide, Second Edition” to take home for supplemental reading. I really like this book because it is only about 500 pages with each domain nicely summarized. There is a 15 question test after each domain and in the appendix he explains why the correct answer is correct and why the other answers are incorrect. You can also go to the Syngress site and take two 250 question tests.)

 

After each domain in class we had a 40 question quiz then reviewed the answers. We got to bring these home and they were very helpful later in my studies.

 

MP3s

As part of any SANS course I have taken, a couple weeks later you can download MP3 files for the course you took. In this case it was the same CISSP class but taught by Dr. Eric Cole. He had taught my Network Security Essentials class in 2012 so it was good to hear his voice. I burned all of these to CDs and listened to them on my commute and whenever I drove my car (to the chagrin of any passengers who had to ride along with me). It was not only a good refresher but the “side stories” or examples were a little different than Eric Conrad’s which helped in understanding some of the more difficult concepts.

 

STUDY SCHEDULE

Upon returning home I established a rigorous study schedule, starting out with 30 minutes each evening and working my way up to 3 hours each night. I also spent the last four weekends studying at about 8 hours per day. Gave up music, TV, Facebook, that obnoxious Candy Crush game, etc. Told my friends and family to forgive me but all get-togethers were out until the exam was completed. Excused myself from all housework except laundry and keeping the cat box clean. I live alone so it was easy to keep the house quiet. I also used my lunch hour and breaks at work to study.

 

MY BOOKS
My books included:

·        Shon Harris All-In-One – Fifth Edition (purchased a few years ago) – Read about 50% in the past

·        Shon Harris All-In-One – Seventh Edition (purchased this year) – Read domains or topics I struggled with; used her quizzes

·        Eric Conrad’s CISSP Study Guide, 2E  (received at SANS) – Read cover to cover; used his quizzes

·        CISSP for Dummies 2009 (purchased a few years ago) – used quizzes only

·        ISC(2) CBK – (purchased a few years ago) – tried to read this but couldn’t; used the quizzes

 

MOBILE APPS FOR MY iPAD

·        ISC(2) – Free app with something like 25 questions. Others available for purchase. I purchased them at $4.99 per domain. They were tough but good practice. The downside is they don’t always explain why an answer is correct or incorrect.

·        Other apps – I think I paid $9 for one that was crap—lots of typos and grammatical errors. Another was free but so-so. A lot of the questions seemed to be familiar and might have been copied from other sources.

 

MY LOCAL LIBRARY

·        I went online to our local library and did a search for CISSP. I was surprised to find three books I did not have. One was 2004 and the others were 2009. I checked them out and used them for their practice tests. One of them, CISSP Study Guide 3rd Edition by Stewart, Tittel and Chapple, had really good practice tests.

·        My library had Shon Harris Video Mentor on DVD! This was an awesome help! It’s a small book with a DVD that has lectures (20 to 30 minutes each) and labs for each topic. It covers cryptography, public and private keys, IPSec, OSI model and wireless. I was struggling with symmetric and asymmetric cryptography and the material in this DVD explained it perfectly. If it came down to money I would have eliminated a book or two and purchased this. However, I had it for three weeks use thanks to my library.

 

STUDY GUIDES

·        There are a variety of items on line, including an excellent collection on the CCCURE web site.

·        Google “CISSP Study Notes from CISSP Prep Guide” and you should find a word document created by “JWG.” I printed this out. Every day I would take a domain and read through it. I would mark out the information I was confident I knew. After getting through all ten domains I would start back with the first document and mark out any remaining information I was confident about. Lather, rinse, repeat.

·        I also liked the “overly_updated.doc” by Michael Overly that is on the cccure.org site. Did the same as above.

 

CCCURE PRACTICE TESTS

These are awesome. I paid for a subscription and it was definitely a good investment. I used an Excel spreadsheet to track my progress. I began with Domain 1 and a 25 question “Rookie” test. Then Domain 2, 3, etc. As soon as I scored 90% or higher I would move to “Easy,” followed by “Medium,” “Hard,” and then “Pro.” By the time I got “Pro” I was quizzing at 25, 50 or 75 questions and using all the domains at the same time. I took almost 400 tests with over 10,000 questions. Wow! Most of the questions on this site have good explanations for the answers.

 

STUDY NOTES FOR CCCURE

I read somewhere that if you read something you remember some of it. If you read it and write it, you remember more of it and for a longer period of time. This has always worked for me. So, I opened up Word and created a document called Study Notes. When I missed a question on CCCURE I would type up some notes about it in my Study Notes document. Nothing lengthy; just a word and definition or a question and answer. Once my notes document got to 20 pages then each morning I would delete the first page of notes. Of course I was always adding to the document but toward the end of my studies I found that there were fewer and fewer things I had to type up and my document got smaller.

 

CCCURE SCENARIO QUESTIONS

I purchased the entire package. These are very well written and have great explanations for the correct and incorrect answers. I wish I would have purchased these at the beginning of my studies because they would have been very helpful in understanding some of the concepts. I bought them toward the end of my studies and found my confidence in my answers was well-founded—I scored 100% on most of them so I was getting a good grasp of the information.

 

READING & TESTING

A great piece of advice from Dr. Eric Cole was that you should not be reading. You should be reading AND testing—lots of testing. So that’s what I did. I would read ten pages of Eric Conrad’s book and take a CCCURE 25 question test or one of the other many quizzes I had. I did this until the book was finished. Then where I found myself deficient I would read sections from Shon Harris All-In-One. I alternated between CCCURE and all the quizzes from all my other books and resources.

 

THE OSI MODEL & TCP/IP MODEL

I actually started this the first of the year. I created a matrix of the OSI model that had columns for the Layers, Data Units, Layer #, Layer Names, Functions, Protocols, and Devices. I then created a worksheet of this model without any information in it and printed out several of these. Each morning I started by penciling in the layer # and layer names. Then under the Function column for Physical I would write in “Media, signal and binary transmission.” The next morning I tested myself to see if I remembered. If I did then I wrote in the Data Link layer which is “Physical Addressing.” The next morning if I didn’t recall either I would work on those two layers again. Each day I would add a layer (sometimes it took a few days until I got them committed to memory). Once those were done I worked on the protocols for each layer. The device column included hubs, switches, routers, firewalls—all at their appropriate layer. Anyway, committing this to memory really helped because I pretty much did a brain dump on my little whiteboard during the test. And while by the time I took the test I knew the OSI model inside and out I referenced this to verify my answers—I found it easy to think Network layer for something and then later smack my head and think “What was I thinking! That’s the Transport layer!” I then added in the TCP/IP Model. I used a similar approach to memorizing the elements and classifications of the TCSEC model.

 

MNEMONICS & VISUALS

Whoever came up with “DEER MRS H CARBIDS” I am forever grateful to you! That really helped me with the various encryption and hashing models. I came up with some mnemonics on my own. “Dear Santa Call Me – No Sleeping At Kathy’s” for the left column and top row of the Information Systems Security Modes of Operations table. There were others but some too embarrassing to disclose here.

 

I also created visual pictures in my head. These helped as I learned more about them. Early on, I envisioned two guys dressed for Halloween. One wearing a yellow bell costume and the other dressed like a spatula wearing a French beret (spatula was the closest I could come to for LaPadula). They were holding an orange pumpkin with TCSEC carved into it. Nearby was a guy I used to work for who was the epitome of integrity. His name was Clarke Miller so that was useful for remembering Clarke Wilson. His left hand held up three fingers. And in his right hand he held the hand of a little monkey who was wearing a hat with the word “Biba” on it (don’t even ask!). Behind them was a yellow brick wall with two of my vendors on either side; they had chopsticks in their hands. They had name badges; one said Brewer and the other Nash. There were other oddities in this “visualization” of mine that helped me remember the things until I eventually had a clear understanding of the associated concepts and how they worked.

 

I also used visualizations for the different attack methods. My friend Lisa in Atlanta can’t get this salami that is available on the west coast so I visualize her conducting a salami attack at her job. My friend Sue in Dallas gets teary-eyed over anything sentimental so I visualized her and a Teardrop attack. Assigning these to all my friends and creating scenarios on how they would pull off attacks against each other solidified the information in my head. Believe it or not these were helpful during the exam. I took the name of an attack (Smurf) and remembered Jason and thought through how he pulled off the attack.

 

MY TESTING CENTER & MY EXAM

I was very impressed with the Pearson Testing Center in Beaverton Oregon. The staff was very professional and the facilities very nice.

·        I visited two days before so I knew how long it would take to arrive, where the parking was, where the overload parking was, etc. I spoke with the guy at the front desk and he showed me the lockers in the lobby area. He also verified I was registered for the test and told me to bring in two pieces of ID:  my driver’s license and a credit card. Both had to have the same name as it appeared with the ISC(2) registration.

·        My test was at 8:00 am. I arrived at 7:30. There were five people ahead of me. They have a little stand with these large round disks that are numbered. I took number six.

·        You could take a locker which I did. I put my bag of snacks in there. They were about 12x12x12 inches. They are numbered 1 through 18. Except where #13 would be it is labeled 12b.

·        When I was called I presented my ID. They took a palm scan of each hand and took my photo. Every time you check in and out for something you must do the palm scan. I proceeded to the proctor who took me to my computer terminal and logged me in. My photo appeared on the screen (horror of horrors; I had not worn makeup that day and looked just awful). He looked at the photo and then at me to verify.

·        You cannot take any food or beverages in the testing room. You are offered disposable earplugs. I took some but never needed them; it was very quiet. You cannot wear nylon clothing (makes noise when you move); no hats; no watches or bracelets. You have to show that your pockets are empty.

·        I brought a zip up the front sweatshirt and was so glad I did. That room was COLD. At one point I took it off and draped it over my lap to warm my legs.

·        I was given what can best be described as a laminated sheet of paper about 8.5 inches by 14 inches and a black marking pen. I did a brain dump of the OSI model, my encryption mnemonic and a couple other things. All in my own abbreviated shorthand. Then I started the test.

·        I read each question and then the answers. I prefer reading from the bottom up; that’s just my style. Went through the process of analyzing what they were looking for, searching for any key words or phrases. Then eliminating obvious wrong answers. If I was in doubt at any time, I marked the question. If I was confident with my answer, I read the question again and all the answers to verify my confidence.

·        It took three hours to answer all 250 questions. I raised my hand and the proctor came to me. I said I wanted to take a break. He locked my computer. A palm scan. Out to the lobby. Another palm scan. Got my snacks out and downed a Starbucks energy drink, half a banana and a protein bar. Took about 7 minutes. Palm scan at the front desk. Back to the proctor. Another palm scan. He unlocked my computer and I started reviewing the marked questions.

·        It took me almost three hours to review the marked questions. I went more slowly with each one. Many I was confident that my original answer was correct and moved on. Some I realized “OMG! They are asking about integrity not confidentiality!” and changed my answer accordingly. Some were an honest-to-god toss-up between two answers. And a handful must have been research questions because the choices were terms I had never heard of before.

·        I finished with 7 minutes left. Hey, those are “my” seven minutes, so I went to question one and started reviewing (no changes made; I was confident with my choices) until the timer came up that my test had ended.

·        I raised my hand for the proctor to come and get me. I knew I had failed. I was prepared for that. I decided I would reschedule the test for the end of January. That would give me some time for studying as well as save up the $600 (my employer pays for the first test; you pay for any re-takes). I would also buy a new version of the CBK and this time put some effort into reading it.

·        The proctor sent me out to the main area (after a palm scan) where “Bob” handed me a piece of paper fresh off the printer. It was upside down. A bad omen to me. I turned it over looking to see what areas I was deficient in and saw the word “Congratulations.” I was in shock. I read the letter again. Bob seemed concerned. Is everything okay? I looked at him and said “I passed!” With shaking hands I got my stuff out of my locker and headed out to my car. I started crying. It had been such an intense period the last few weeks. I got in my car and called two of my sisters and a close friend. I think they thought I had failed but were excited to learn I had passed.

·        That was the start of my vacation. I took a week off from work and enjoyed music, TV, friends. Cleaned my house. Cooked meals. Now I’m back at work and thought I’d write up my experience in case anyone else might find something useful here. Maybe you even found something helpful.  ;-)

 

THE BENEFITS

I have to add a few comments about the benefits of my studies. I always thought I knew quite a bit about network security. I read a lot, take classes, and have a group of people (vendors and colleagues) that I rely upon for advice and information. I’m well respected by my peers and my employer. I must say that studying for the CISSP really filled in all the gaps—some I was not even aware of. A lot of the knowledge I acquired over the past few months is so ingrained in me that I now find myself answering an employee’s question as “a teacher.” I like that.

 

I’ve developed a confidence in many areas that I did not have before. I also am able to ask good questions of my vendors. One bragged about how they use 3DES with their program. “But 3DES was designed as a temporary fix when DES was broken,” I replied. “Why haven’t you adopted AES?” He was stunned; had never heard of AES. I realized at that point that I knew just a little more than the expert.  ;-)

 

Good luck to all of you who are pursuing this certification. Hopefully you will find additional benefits as I did.

 

And now I’m off to finish up the requirements to actually get my CISSP certification.

 

Theresa Fichtner, MCSE Manager of Information Technology


NW Preferred Federal Credit Union

www.mycreditunion.com


_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]


Re: [CCCure CISSP] I passed - my experience

Rogelio O'Farril
Can't go wrong with SANS. Congrats and thanks a lot for the detailed write-up.



On Thursday, November 21, 2013 9:16 AM, Theresa Fichtner <[hidden email]> wrote:
 
MY STUDIES…
 
For the last three years I’ve been reading Shon Harris’ All-In-One book and taking short tests on the CCCURE site off and on. One major project or life event precluded me from getting serious about it. This fall I finally decided to buckle down and get this certification!
 
SANS CISSP COURSE
I attended the SANS CISSP six day course in Las Vegas in September. It was taught by Eric Conrad. I can’t say enough about how well SANS does their courses. I had taken Hacker Techniques & Incident Handling in 2011 and Network Security Essentials in 2012. The CISSP “boot camp style” course was awesome. We had class from 8:00 am to 7:00 pm. I returned to my room each night and reviewed the material and retook the practice tests they provided. This was a six day course.
 
(At SANS we also received Eric Conrad’s book “CISSP Study Guide, Second Edition” to take home for supplemental reading. I really like this book because it is only about 500 pages with each domain nicely summarized. There is a 15 question test after each domain and in the appendix he explains why the correct answer is correct and why the other answers are incorrect. You can also go to the Syngress site and take two 250 question tests.)
 
After each domain in class we had a 40 question quiz then reviewed the answers. We got to bring these home and they were very helpful later in my studies.
 
MP3s
As part of any SANS course I have taken, a couple weeks later you can download MP3 files for the course you took. In this case it was the same CISSP class but taught by Dr. Eric Cole. He had taught my Network Security Essentials class in 2012 so it was good to hear his voice. I burned all of these to CDs and listened to them on my commute and whenever I drove my car (to the chagrin of any passengers who had to ride along with me). It was not only a good refresher but the “side stories” or examples were a little different than Eric Conrad’s which helped in understanding some of the more difficult concepts.
 
STUDY SCHEDULE
Upon returning home I established a rigorous study schedule, starting out with 30 minutes each evening and working my way up to 3 hours each night. I also spent the last four weekends studying at about 8 hours per day. Gave up music, TV, Facebook, that obnoxious Candy Crush game, etc. Told my friends and family to forgive me but all get-togethers were out until the exam was completed. Excused myself from all housework except laundry and keeping the cat box clean. I live alone so it was easy to keep the house quiet. I also used my lunch hour and breaks at work to study.
 
MY BOOKS
My books included:
·        Shon Harris All-In-One – Fifth Edition (purchased a few years ago) – Read about 50% in the past
·        Shon Harris All-In-One – Seventh Edition (purchased this year) – Read domains or topics I struggled with; used her quizzes
·        Eric Conrad’s CISSP Study Guide, 2E  (received at SANS) – Read cover to cover; used his quizzes
·        CISSP for Dummies 2009 (purchased a few years ago) – used quizzes only
·        ISC(2) CBK – (purchased a few years ago) – tried to read this but couldn’t; used the quizzes
 
MOBILE APPS FOR MY iPAD
·        ISC(2) – Free app with something like 25 questions. Others available for purchase. I purchased them at $4.99 per domain. They were tough but good practice. The downside is they don’t always explain why an answer is correct or incorrect.
·        Other apps – I think I paid $9 for one that was crap—lots of typos and grammatical errors. Another was free but so-so. A lot of the questions seemed to be familiar and might have been copied from other sources.
 
MY LOCAL LIBRARY
·        I went online to our local library and did a search for CISSP. I was surprised to find three books I did not have. One was 2004 and the others were 2009. I checked them out and used them for their practice tests. One of them, CISSP Study Guide 3rd Edition by Stewart, Tittel and Chapple, had really good practice tests.
·        My library had Shon Harris Video Mentor on DVD! This was an awesome help! It’s a small book with a DVD that has lectures (20 to 30 minutes each) and labs for each topic. It covers cryptography, public and private keys, IPSec, OSI model and wireless. I was struggling with symmetric and asymmetric cryptography and the material in this DVD explained it perfectly. If it came down to money I would have eliminated a book or two and purchased this. However, I had it for three weeks use thanks to my library.
 
STUDY GUIDES
·        There are a variety of items on line, including an excellent collection on the CCCURE web site.
·        Google “CISSP Study Notes from CISSP Prep Guide” and you should find a word document created by “JWG.” I printed this out. Every day I would take a domain and read through it. I would mark out the information I was confident I knew. After getting through all ten domains I would start back with the first document and mark out any remaining information I was confident about. Lather, rinse, repeat.
·        I also liked the “overly_updated.doc” by Michael Overly that is on the cccure.org site. Did the same as above.
 
CCCURE PRACTICE TESTS
These are awesome. I paid for a subscription and it was definitely a good investment. I used an Excel spreadsheet to track my progress. I began with Domain 1 and a 25 question “Rookie” test. Then Domain 2, 3, etc. As soon as I scored 90% or higher I would move to “Easy,” followed by “Medium,” “Hard,” and then “Pro.” By the time I got “Pro” I was quizzing at 25, 50 or 75 questions and using all the domains at the same time. I took almost 400 tests with over 10,000 questions. Wow! Most of the questions on this site have good explanations for the answers.
 
STUDY NOTES FOR CCCURE
I read somewhere that if you read something you remember some of it. If you read it and write it, you remember more of it and for a longer period of time. This has always worked for me. So, I opened up Word and created a document called Study Notes. When I missed a question on CCCURE I would type up some notes about it in my Study Notes document. Nothing lengthy; just a word and definition or a question and answer. Once my notes document got to 20 pages then each morning I would delete the first page of notes. Of course I was always adding to the document but toward the end of my studies I found that there were fewer and fewer things I had to type up and my document got smaller.
 
CCCURE SCENARIO QUESTIONS
I purchased the entire package. These are very well written and have great explanations for the correct and incorrect answers. I wish I would have purchased these at the beginning of my studies because they would have been very helpful in understanding some of the concepts. I bought them toward the end of my studies and found my confidence in my answers was well-founded—I scored 100% on most of them so I was getting a good grasp of the information.
 
READING & TESTING
A great piece of advice from Dr. Eric Cole was that you should not be reading. You should be reading AND testing—lots of testing. So that’s what I did. I would read ten pages of Eric Conrad’s book and take a CCCURE 25 question test or one of the other many quizzes I had. I did this until the book was finished. Then where I found myself deficient I would read sections from Shon Harris All-In-One. I alternated between CCCURE and all the quizzes from all my other books and resources.
 
THE OSI MODEL & TCP/IP Model
I actually started this the first of the year. I created a matrix of the OSI model that had columns for the Layers, Data Units, Layer #, Layer Names, Functions, Protocols, and Devices. I then created a worksheet of this model without any information in it and printed out several of these. Each morning I started by penciling in the layer # and layer names. Then under the Function column for Physical I would right in “Media, signal and binary transmission.” The next morning I tested myself to see if I remembered. If I did then I wrote in the Data Link layer which is “Physical Addressing.” The next morning if I didn’t recall either I would work on those two layers again. Each day I would add a layer (sometimes it took a few days until I got them committed to memory). Once those were done I worked on the protocols for each layer. The device column included hubs, switches, routers, firewalls—all at their appropriate layer. Anyway, committing this to memory really helped because I pretty much did a brain dump on my little whiteboard during the test. And while by the time I took the test I knew the OSI model inside and out I referenced this to verify my answers—I found it easy to think Network layer for something and then later smack my head and think “What was I thinking! That’s the Transport layer!” I then added in the TCP/IP Model. I used a similar approach to memorizing the elements and classifications of the TCSEC model.
 
MNEMONICS & VISUALS
Whoever came up with “DEER MRS H CARBIDS” I am forever grateful to you! That really helped me with the various encryption and hashing models. I came up with some mnemonics on my own. “Dear Santa Call Me – No Sleeping At Kathy’s” for the left column and top row of the Information Systems Security Modes of Operations table. There were others but some too embarrassing to disclose here.
 
I also created visual pictures in my head. These helped as I learned more about them. Early on, I envisioned two guys dress for Halloween. One wearing a yellow bell costume and the other dressed like a spatula wearing a French beret (spatula was the closest I could come to for LaPadula). They were holding an orange pumpkin with TCSEC carved into it. Nearby was a guy I used to work for who was the epitome of integrity. His name was Clarke Miller so that was useful for remembering Clarke Wilson. His left hand held up three fingers. And in his right hand he held the hand of a little monkey who was wearing a hat with the word “Biba” on it (don’t even ask!). Behind them was a yellow brick wall with two of my vendors on either side; they had chopsticks in their hands. They had name badges; one said Brewer and the other Nash. There were other oddities in this “visualization” of mine that helped me remember the things until I eventually had a clear understanding of the associated concepts and how they worked.
 
I also used visualizations for the different attack methods. My friend Lisa in Atlanta can’t get this salami that is available on the west coast so I visualize her conducting a salami attack at her job. My friend Sue in Dallas gets teary-eyed over anything sentimental so I visualized her and a Teardrop attack. Assigning these to all my friends and creating scenarios on how they would pull off attacks against each other solidified the information in my head. Believe it or not these were helpful during the exam. I took the name of an attack (Smurf) and remembered Jason and thought through how he pulled off the attack.
 
MY TESTING CENTER & MY EXAM
I was very impressed with the Pearson Testing Center in Beaverton Oregon. The staff was very professional and the facilities very nice.
·        I visited two days before so I knew how long it would take to arrive, where the parking was, where the overload parking was, etc. I spoke with the guy at the front desk and he showed me the lockers in the lobby area. He also verified I was registered for the test and told me to bring in two pieces of ID:  my driver’s license and a credit card. Both had to have the same name as it appeared with the ISC(2) registration.
·        My test was at 8:00 am. I arrived at 7:30. There were five people ahead of me. They have a little stand with these large round disks that are numbered. I took number six.
·        You could take a locker which I did. I put my bag of snacks in there. They were about 12x12x12 inches. They are numbered 1 through 18. Except where #13 would be it is labeled 12b.
·        When I was called I presented my ID. They took a palm scan of each hand and took my photo. Every time you check in and out for something you must do the palm scan. I proceeded to the proctor who took me to my computer terminal and logged me in. My photo appeared on the screen (horror of horrors; I had not worn makeup that day and looked just awful). He looked at the photo and then at me to verify.
·        You cannot take any food or beverages in the testing room. You are offered disposable earplugs. I took some but never needed them; it was very quiet. You cannot wear nylon clothing (makes noise when you move); no hats; no watches or bracelets. You have to show that your pockets are empty.
·        I brought a zip up the front sweatshirt and was so glad I did. That room was COLD. At one point I took it off and draped it over my lap to warm my legs.
·        I was given what can best be described as a laminated sheet of paper about 8.5 inches by 14 inches and a black marking pen. I did a brain dump of the OSI model, my encryption mnemonic and a couple other things. All in my own abbreviated shorthand. Then I started the test.
·        I read each question and then the answers. I prefer reading from the bottom up; that’s just my style. Went through the process of analyzing what they were looking for, searching for any key words or phrases. Then eliminating obvious wrong answers. If I was in doubt at any time, I marked the question. If I was confident with my answer, I read the question again and all the answers to verify my confidence.
·        It took three hours to answer all 250 questions. I raised my hand and the proctor came to me. I said I wanted to take a break. He locked my computer. A palm scan. Out to the lobby. Another palm scan. Got my snacks out and downed a Starbucks energy drink, half a banana and a protein bar. Took about 7 minutes. Palm scan at the front desk. Back to the proctor. Another palm scan. He unlocked my computer and I started reviewing the marked questions.
·        It took me almost three hours to review the marked questions. I went more slowly with each one. Many I was confident that my original answer was correct and moved on. Some I realized “OMG! They are asking about integrity not confidentiality!” and changed my answer accordingly. Some were an honest-to-god toss-up between two answers. And a handful must have been research questions because the choices were terms I had never heard of before.
·        I finished with 7 minutes left. Hey, those are “my” seven minutes, so I went to question one and started reviewing (no changes made; I was confident with my choices) until the timer came up that my test had ended.
·        I raised my hand for the proctor to come and get me. I knew I had failed. I was prepared for that. I decided I would reschedule the test for the end of January. That would give me some time for studying as well as save up the $600 (my employer pays for the first test; you pay for any re-takes). I would also buy a new version of the CBK and this time put some effort into reading it.
·        The proctor sent me out to the main area (after a palm scan) where “Bob” handed me a piece of paper fresh off the printer. It was upside down. A bad omen to me. I turned it over looking to see what areas I was deficient in and saw the word “Congratulations.” I was in shock. I read the letter again. Bob seemed concerned. Is everything okay? I looked at him and said “I passed!” With shaking hands I got my stuff out of my locker and headed out to my car. I started crying. It had been such an intense period the last few weeks. I got in my car and called two of my sisters and a close friend. I think they thought I had failed but were excited to learn I had passed.
·        That was the start of my vacation. I took a week off from work and enjoyed music, TV, friends. Cleaned my house. Cooked meals. Now I’m back at work and thought I’d write up my experience in case anyone else might find something useful here. Maybe you even found something helpful.  ;-)
 
THE BENEFITS
I have to add a few comments about the benefits of my studies. I always thought I knew quite a bit about network security. I read a lot, take classes, and have a group of people (vendors and colleagues) that I rely upon for advice and information. I’m well respected by my peers and my employer. I must say that studying for the CISSP really filled in all the gaps—some I was not even aware of. A lot of the knowledge I acquired over the past few months is so ingrained in me that I now find myself answering an employee’s question as “a teacher.” I like that.
 
I’ve developed a confidence in many areas that I did not have before. I also am able to ask good questions of my vendors. One bragged about how they use 3DES with their program. “But 3DES was designed as a temporary fix when DES was broken,” I replied. “Why haven’t you adopted AES?” He was stunned; had never heard of AES. I realized at that point that I knew just a little more than the expert.  ;-)
 
Good luck to all of you who are pursuing this certification. Hopefully you will find additional benefits as I did.
 
And now I’m off to finish up the requirements to actually get my CISSP certification.
 
Theresa Fichtner, MCSE Manager of Information Technology
Phone 503.403.0303 | Fax 503.443.2163
Toll Free 866.236.6968
NW Preferred Federal Credit Union
 
 
 
 

_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org


Re: [CCCure CISSP] I passed - my experience

murrac
In reply to this post by Theresa Fichtner
Theresa
 
Thanks for sharing!  Congratulations on passing. This is Awesome. Love the visualizations you used, very creative. I have tested twice already (2012 and 2013) and still haven't passed, all self study, CCCure, Shon Harris, etc. Next approach is to attend a bootcamp in 2014. Sounds like you may be ready to teach a few classes yourself. Take care. Thanks again!
 
Candis

On Thu, Nov 21, 2013 at 10:15 AM, Theresa Fichtner <[hidden email]> wrote:

Re: [CCCure CISSP] I passed - my experience

Hoover, Thomas

This is one of the best post test write-ups I have ever read!  Thank you for the info and for sharing your story.

 

From: CISSPstudy [mailto:[hidden email]] On Behalf Of C M
Sent: Thursday, November 21, 2013 10:34 AM
To: [hidden email]; The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] I passed - my experience

 

Theresa

 

Thanks for sharing!  Congratulations on passing. This is Awesome. Love the visualizations you used, very creative. I have tested twice already (2012 and 2013) and still haven't passed, all self study, CCCure, Shon Harris, etc. Next approach is to attend a bootcamp in 2014. Sounds like you may be ready to teach a few classes yourself. Take care. Thanks again!

 

Candis

On Thu, Nov 21, 2013 at 10:15 AM, Theresa Fichtner <[hidden email]> wrote:

I passed the exam on November 8th. Here are some notes about my journey that might be helpful. This is LONG.  You have been warned.

 

MY STUDIES…

 

For the last three years I’ve been reading Shon Harris’ All-In-One book and taking short tests on the CCCURE site off and on. One major project or life event precluded me from getting serious about it. This fall I finally decided to buckle down and get this certification!

 

SANS CISSP COURSE

I attended the SANS CISSP six day course in Las Vegas in September. It was taught by Eric Conrad. I can’t say enough about how well SANS does their courses. I had taken Hacker Techniques & Incident Handling in 2011 and Network Security Essentials in 2012. The CISSP “boot camp style” course was awesome. We had class from 8:00 am to 7:00 pm. I returned to my room each night and reviewed the material and retook the practice tests they provided. This was a six day course.

 

(At SANS we also received Eric Conrad’s book “CISSP Study Guide, Second Edition” to take home for supplemental reading. I really like this book because it is only about 500 pages with each domain nicely summarized. There is a 15 question test after each domain and in the appendix he explains why the correct answer is correct and why the other answers are incorrect. You can also go to the Syngress site and take two 250 question tests.)

 

After each domain in class we had a 40 question quiz then reviewed the answers. We got to bring these home and they were very helpful later in my studies.

 

MP3s

As part of any SANS course I have taken, a couple weeks later you can download MP3 files for the course you took. In this case it was the same CISSP class but taught by Dr. Eric Cole. He had taught my Network Security Essentials class in 2012 so it was good to hear his voice. I burned all of these to CDs and listened to them on my commute and whenever I drove my car (to the chagrin of any passengers who had to ride along with me). It was not only a good refresher but the “side stories” or examples were a little different than Eric Conrad’s which helped in understanding some of the more difficult concepts.

 

STUDY SCHEDULE

Upon returning home I established a rigorous study schedule, starting out with 30 minutes each evening and working my way up to 3 hours each night. I also spent the last four weekends studying at about 8 hours per day. Gave up music, TV, Facebook, that obnoxious Candy Crush game, etc. Told my friends and family to forgive me but all get-togethers were out until the exam was completed. Excused myself from all housework except laundry and keeping the cat box clean. I live alone so it was easy to keep the house quiet. I also used my lunch hour and breaks at work to study.

 

MY BOOKS
My books included:

·        Shon Harris All-In-One – Fifth Edition (purchased a few years ago) – Read about 50% in the past

·        Shon Harris All-In-One – Seventh Edition (purchased this year) – Read domains or topics I struggled with; used her quizzes

·        Eric Conrad’s CISSP Study Guide, 2E  (received at SANS) – Read cover to cover; used his quizzes

·        CISSP for Dummies 2009 (purchased a few years ago) – used quizzes only

·        ISC(2) CBK – (purchased a few years ago) – tried to read this but couldn’t; used the quizzes

 

MOBILE APPS FOR MY iPAD

·        ISC(2) – Free app with something like 25 questions. Others available for purchase. I purchased them at $4.99 per domain. They were tough but good practice. The downside is they don’t always explain why an answer is correct or incorrect.

·        Other apps – I think I paid $9 for one that was crap—lots of typos and grammatical errors. Another was free but so-so. A lot of the questions seemed to be familiar and might have been copied from other sources.

 

MY LOCAL LIBRARY

·        I went online to our local library and did a search for CISSP. I was surprised to find three books I did not have. One was 2004 and the others were 2009. I checked them out and used them for their practice tests. One of them, CISSP Study Guide 3rd Edition by Stewart, Tittel and Chapple, had really good practice tests.

·        My library had Shon Harris Video Mentor on DVD! This was an awesome help! It’s a small book with a DVD that has lectures (20 to 30 minutes each) and labs for each topic. It covers cryptography, public and private keys, IPSec, OSI model and wireless. I was struggling with symmetric and asymmetric cryptography and the material in this DVD explained it perfectly. If it came down to money I would have eliminated a book or two and purchased this. However, I had it for three weeks use thanks to my library.

 

STUDY GUIDES

·        There are a variety of items on line, including an excellent collection on the CCCURE web site.

·        Google “CISSP Study Notes from CISSP Prep Guide” and you should find a word document created by “JWG.” I printed this out. Every day I would take a domain and read through it. I would mark out the information I was confident I knew. After getting through all ten domains I would start back with the first document and mark out any remaining information I was confident about. Lather, rinse, repeat.

·        I also liked the “overly_updated.doc” by Michael Overly that is on the cccure.org site. Did the same as above.

 

CCCURE PRACTICE TESTS

These are awesome. I paid for a subscription and it was definitely a good investment. I used an Excel spreadsheet to track my progress. I began with Domain 1 and a 25 question “Rookie” test. Then Domain 2, 3, etc. As soon as I scored 90% or higher I would move to “Easy,” followed by “Medium,” “Hard,” and then “Pro.” By the time I got “Pro” I was quizzing at 25, 50 or 75 questions and using all the domains at the same time. I took almost 400 tests with over 10,000 questions. Wow! Most of the questions on this site have good explanations for the answers.

 

STUDY NOTES FOR CCCURE

I read somewhere that if you read something you remember some of it. If you read it and write it, you remember more of it and for a longer period of time. This has always worked for me. So, I opened up Word and created a document called Study Notes. When I missed a question on CCCURE I would type up some notes about it in my Study Notes document. Nothing lengthy; just a word and definition or a question and answer. Once my notes document got to 20 pages then each morning I would delete the first page of notes. Of course I was always adding to the document but toward the end of my studies I found that there were fewer and fewer things I had to type up and my document got smaller.

 

CCCURE SCENARIO QUESTIONS

I purchased the entire package. These are very well written and have great explanations for the correct and incorrect answers. I wish I would have purchased these at the beginning of my studies because they would have been very helpful in understanding some of the concepts. I bought them toward the end of my studies and found my confidence in my answers was well-founded—I scored 100% on most of them so I was getting a good grasp of the information.

 

READING & TESTING

A great piece of advice from Dr. Eric Cole was that you should not be reading. You should be reading AND testing—lots of testing. So that’s what I did. I would read ten pages of Eric Conrad’s book and take a CCCURE 25 question test or one of the other many quizzes I had. I did this until the book was finished. Then where I found myself deficient I would read sections from Shon Harris All-In-One. I alternated between CCCURE and all the quizzes from all my other books and resources.

 

THE OSI MODEL & TCP/IP Model

I actually started this the first of the year. I created a matrix of the OSI model that had columns for the Layers, Data Units, Layer #, Layer Names, Functions, Protocols, and Devices. I then created a worksheet of this model without any information in it and printed out several of these. Each morning I started by penciling in the layer # and layer names. Then under the Function column for Physical I would write in “Media, signal and binary transmission.” The next morning I tested myself to see if I remembered. If I did then I wrote in the Data Link layer which is “Physical Addressing.” The next morning if I didn’t recall either I would work on those two layers again. Each day I would add a layer (sometimes it took a few days until I got them committed to memory). Once those were done I worked on the protocols for each layer. The device column included hubs, switches, routers, firewalls—all at their appropriate layer. Anyway, committing this to memory really helped because I pretty much did a brain dump on my little whiteboard during the test. And while by the time I took the test I knew the OSI model inside and out I referenced this to verify my answers—I found it easy to think Network layer for something and then later smack my head and think “What was I thinking! That’s the Transport layer!” I then added in the TCP/IP Model. I used a similar approach to memorizing the elements and classifications of the TCSEC model.

 

MNEMONICS & VISUALS

Whoever came up with “DEER MRS H CARBIDS” I am forever grateful to you! That really helped me with the various encryption and hashing models. I came up with some mnemonics on my own. “Dear Santa Call Me – No Sleeping At Kathy’s” for the left column and top row of the Information Systems Security Modes of Operations table. There were others but some too embarrassing to disclose here.

 

I also created visual pictures in my head. These helped as I learned more about them. Early on, I envisioned two guys dressed for Halloween. One wearing a yellow bell costume and the other dressed like a spatula wearing a French beret (spatula was the closest I could come to for LaPadula). They were holding an orange pumpkin with TCSEC carved into it. Nearby was a guy I used to work for who was the epitome of integrity. His name was Clarke Miller so that was useful for remembering Clarke Wilson. His left hand held up three fingers. And in his right hand he held the hand of a little monkey who was wearing a hat with the word “Biba” on it (don’t even ask!). Behind them was a yellow brick wall with two of my vendors on either side; they had chopsticks in their hands. They had name badges; one said Brewer and the other Nash. There were other oddities in this “visualization” of mine that helped me remember the things until I eventually had a clear understanding of the associated concepts and how they worked.

 

I also used visualizations for the different attack methods. My friend Lisa in Atlanta can’t get this salami that is available on the west coast so I visualize her conducting a salami attack at her job. My friend Sue in Dallas gets teary-eyed over anything sentimental so I visualized her and a Teardrop attack. Assigning these to all my friends and creating scenarios on how they would pull off attacks against each other solidified the information in my head. Believe it or not these were helpful during the exam. I took the name of an attack (Smurf) and remembered Jason and thought through how he pulled off the attack.

 

MY TESTING CENTER & MY EXAM

I was very impressed with the Pearson Testing Center in Beaverton Oregon. The staff was very professional and the facilities very nice.

·        I visited two days before so I knew how long it would take to arrive, where the parking was, where the overload parking was, etc. I spoke with the guy at the front desk and he showed me the lockers in the lobby area. He also verified I was registered for the test and told me to bring in two pieces of ID: my driver’s license and a credit card. Both had to have the same name as it appeared with the ISC(2) registration.

·        My test was at 8:00 am. I arrived at 7:30. There were five people ahead of me. They have a little stand with these large round disks that are numbered. I took number six.

·        You could take a locker which I did. I put my bag of snacks in there. They were about 12x12x12 inches. They are numbered 1 through 18. Except where #13 would be it is labeled 12b.

·        When I was called I presented my ID. They took a palm scan of each hand and took my photo. Every time you check in and out for something you must do the palm scan. I proceeded to the proctor who took me to my computer terminal and logged me in. My photo appeared on the screen (horror of horrors; I had not worn makeup that day and looked just awful). He looked at the photo and then at me to verify.

·        You cannot take any food or beverages in the testing room. You are offered disposable earplugs. I took some but never needed them; it was very quiet. You cannot wear nylon clothing (makes noise when you move); no hats; no watches or bracelets. You have to show that your pockets are empty.

·        I brought a zip up the front sweatshirt and was so glad I did. That room was COLD. At one point I took it off and draped it over my lap to warm my legs.

·        I was given what can best be described as a laminated sheet of paper about 8.5 inches by 14 inches and a black marking pen. I did a brain dump of the OSI model, my encryption mnemonic and a couple other things. All in my own abbreviated shorthand. Then I started the test.

·        I read each question and then the answers. I prefer reading from the bottom up; that’s just my style. Went through the process of analyzing what they were looking for, searching for any key words or phrases. Then eliminating obvious wrong answers. If I was in doubt at any time, I marked the question. If I was confident with my answer, I read the question again and all the answers to verify my confidence.

·        It took three hours to answer all 250 questions. I raised my hand and the proctor came to me. I said I wanted to take a break. He locked my computer. A palm scan. Out to the lobby. Another palm scan. Got my snacks out and downed a Starbucks energy drink, half a banana and a protein bar. Took about 7 minutes. Palm scan at the front desk. Back to the proctor. Another palm scan. He unlocked my computer and I started reviewing the marked questions.

·        It took me almost three hours to review the marked questions. I went more slowly with each one. Many I was confident that my original answer was correct and moved on. Some I realized “OMG! They are asking about integrity not confidentiality!” and changed my answer accordingly. Some were an honest-to-god toss-up between two answers. And a handful must have been research questions because the choices were terms I had never heard of before.

·        I finished with 7 minutes left. Hey, those are “my” seven minutes, so I went to question one and started reviewing (no changes made; I was confident with my choices) until the timer came up that my test had ended.

·        I raised my hand for the proctor to come and get me. I knew I had failed. I was prepared for that. I decided I would reschedule the test for the end of January. That would give me some time for studying as well as save up the $600 (my employer pays for the first test; you pay for any re-takes). I would also buy a new version of the CBK and this time put some effort into reading it.

·        The proctor sent me out to the main area (after a palm scan) where “Bob” handed me a piece of paper fresh off the printer. It was upside down. A bad omen to me. I turned it over looking to see what areas I was deficient in and saw the word “Congratulations.” I was in shock. I read the letter again. Bob seemed concerned. Is everything okay? I looked at him and said “I passed!” With shaking hands I got my stuff out of my locker and headed out to my car. I started crying. It had been such an intense period the last few weeks. I got in my car and called two of my sisters and a close friend. I think they thought I had failed but were excited to learn I had passed.

·        That was the start of my vacation. I took a week off from work and enjoyed music, TV, friends. Cleaned my house. Cooked meals. Now I’m back at work and thought I’d write up my experience in case anyone else might find something useful here. Maybe you even found something helpful.  ;-)

 

THE BENEFITS

I have to add a few comments about the benefits of my studies. I always thought I knew quite a bit about network security. I read a lot, take classes, and have a group of people (vendors and colleagues) that I rely upon for advice and information. I’m well respected by my peers and my employer. I must say that studying for the CISSP really filled in all the gaps—some I was not even aware of. A lot of the knowledge I acquired over the past few months is so ingrained in me that I now find myself answering an employee’s question as “a teacher.” I like that.

 

I’ve developed a confidence in many areas that I did not have before. I also am able to ask good questions of my vendors. One bragged about how they use 3DES with their program. “But 3DES was designed as a temporary fix when DES was broken,” I replied. “Why haven’t you adopted AES?” He was stunned; had never heard of AES. I realized at that point that I knew just a little more than the expert.  ;-)

 

Good luck to all of you who are pursuing this certification. Hopefully you will find additional benefits as I did.

 

And now I’m off to finish up the requirements to actually get my CISSP certification.

 

Theresa Fichtner, MCSE Manager of Information Technology

Phone 503.403.0303 | Fax 503.443.2163

Toll Free 866.236.6968

NW Preferred Federal Credit Union

www.mycreditunion.com


 

 


_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
CISSPstudy@...

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org


Re: [CCCure CISSP] I passed - my experience

SB2013
In reply to this post by Theresa Fichtner
Many thanks Theresa for sharing your experiences.

Re: [CCCure CISSP] I passed - my experience

Christina
In reply to this post by Rogelio O'Farril
Congratulations Theresa!!!! Thank you so much for the very thorough write up, it's one of the most detailed ones I've come across. Very nicely done, I am sure it will help others in planning and execution for their exam.

Tina S.

On Nov 21, 2013, at 10:21 AM, Rogelio O'Farril <[hidden email]> wrote:

Can't go wrong with SANS. Congrats and thanks a lot for the detailed write-up.



On Thursday, November 21, 2013 9:16 AM, Theresa Fichtner <[hidden email]> wrote:
 
MY STUDIES…
 
For the last three years I’ve been reading Shon Harris’ All-In-One book and taking short tests on the CCCURE site off and on. One major project or life event precluded me from getting serious about it. This fall I finally decided to buckle down and get this certification!
 
SANS CISSP COURSE
I attended the SANS CISSP six day course in Las Vegas in September. It was taught by Eric Conrad. I can’t say enough about how well SANS does their courses. I had taken Hacker Techniques & Incident Handling in 2011 and Network Security Essentials in 2012. The CISSP “boot camp style” course was awesome. We had class from 8:00 am to 7:00 pm. I returned to my room each night and reviewed the material and retook the practice tests they provided. This was a six day course.
 
(At SANS we also received Eric Conrad’s book “CISSP Study Guide, Second Edition” to take home for supplemental reading. I really like this book because it is only about 500 pages with each domain nicely summarized. There is a 15 question test after each domain and in the appendix he explains why the correct answer is correct and why the other answers are incorrect. You can also go to the Syngress site and take two 250 question tests.)
 
After each domain in class we had a 40 question quiz then reviewed the answers. We got to bring these home and they were very helpful later in my studies.
 
MP3s
As part of any SANS course I have taken, a couple weeks later you can download MP3 files for the course you took. In this case it was the same CISSP class but taught by Dr. Eric Cole. He had taught my Network Security Essentials class in 2012 so it was good to hear his voice. I burned all of these to CDs and listened to them on my commute and whenever I drove my car (to the chagrin of any passengers who had to ride along with me). It was not only a good refresher but the “side stories” or examples were a little different than Eric Conrad’s which helped in understanding some of the more difficult concepts.
 
STUDY SCHEDULE
Upon returning home I established a rigorous study schedule, starting out with 30 minutes each evening and working my way up to 3 hours each night. I also spent the last four weekends studying at about 8 hours per day. Gave up music, TV, Facebook, that obnoxious Candy Crush game, etc. Told my friends and family to forgive me but all get-togethers were out until the exam was completed. Excused myself from all housework except laundry and keeping the cat box clean. I live alone so it was easy to keep the house quiet. I also used my lunch hour and breaks at work to study.
 
MY BOOKS
My books included:
·        Shon Harris All-In-One – Fifth Edition (purchased a few years ago) – Read about 50% in the past
·        Shon Harris All-In-One – Seventh Edition (purchased this year) – Read domains or topics I struggled with; used her quizzes
·        Eric Conrad’s CISSP Study Guide, 2E  (received at SANS) – Read cover to cover; used his quizzes
·        CISSP for Dummies 2009 (purchased a few years ago) – used quizzes only
·        ISC(2) CBK – (purchased a few years ago) – tried to read this but couldn’t; used the quizzes
 
MOBILE APPS FOR MY iPAD
·        ISC(2) – Free app with something like 25 questions. Others available for purchase. I purchased them at $4.99 per domain. They were tough but good practice. The downside is they don’t always explain why an answer is correct or incorrect.
·        Other apps – I think I paid $9 for one that was crap—lots of typos and grammatical errors. Another was free but so-so. A lot of the questions seemed to be familiar and might have been copied from other sources.
 
MY LOCAL LIBRARY
·        I went online to our local library and did a search for CISSP. I was surprised to find three books I did not have. One was 2004 and the others were 2009. I checked them out and used them for their practice tests. One of them, CISSP Study Guide 3rd Edition by Stewart, Tittel and Chapple, had really good practice tests.
·        My library had Shon Harris Video Mentor on DVD! This was an awesome help! It’s a small book with a DVD that has lectures (20 to 30 minutes each) and labs for each topic. It covers cryptography, public and private keys, IPSec, OSI model and wireless. I was struggling with symmetric and asymmetric cryptography and the material in this DVD explained it perfectly. If it came down to money I would have eliminated a book or two and purchased this. However, I had it for three weeks use thanks to my library.
 
STUDY GUIDES
·        There are a variety of items on line, including an excellent collection on the CCCURE web site.
·        Google “CISSP Study Notes from CISSP Prep Guide” and you should find a word document created by “JWG.” I printed this out. Every day I would take a domain and read through it. I would mark out the information I was confident I knew. After getting through all ten domains I would start back with the first document and mark out any remaining information I was confident about. Lather, rinse, repeat.
·        I also liked the “overly_updated.doc” by Michael Overly that is on the cccure.org site. Did the same as above.
 
CCCURE PRACTICE TESTS
These are awesome. I paid for a subscription and it was definitely a good investment. I used an Excel spreadsheet to track my progress. I began with Domain 1 and a 25 question “Rookie” test. Then Domain 2, 3, etc. As soon as I scored 90% or higher I would move to “Easy,” followed by “Medium,” “Hard,” and then “Pro.” By the time I got “Pro” I was quizzing at 25, 50 or 75 questions and using all the domains at the same time. I took almost 400 tests with over 10,000 questions. Wow! Most of the questions on this site have good explanations for the answers.
 
STUDY NOTES FOR CCCURE
I read somewhere that if you read something you remember some of it. If you read it and write it, you remember more of it and for a longer period of time. This has always worked for me. So, I opened up Word and created a document called Study Notes. When I missed a question on CCCURE I would type up some notes about it in my Study Notes document. Nothing lengthy; just a word and definition or a question and answer. Once my notes document got to 20 pages then each morning I would delete the first page of notes. Of course I was always adding to the document but toward the end of my studies I found that there were fewer and fewer things I had to type up and my document got smaller.
 
CCCURE SCENARIO QUESTIONS
I purchased the entire package. These are very well written and have great explanations for the correct and incorrect answers. I wish I would have purchased these at the beginning of my studies because they would have been very helpful in understanding some of the concepts. I bought them toward the end of my studies and found my confidence in my answers was well-founded—I scored 100% on most of them so I was getting a good grasp of the information.
 
READING & TESTING
A great piece of advice from Dr. Eric Cole was that you should not be reading. You should be reading AND testing—lots of testing. So that’s what I did. I would read ten pages of Eric Conrad’s book and take a CCCURE 25 question test or one of the other many quizzes I had. I did this until the book was finished. Then where I found myself deficient I would read sections from Shon Harris All-In-One. I alternated between CCCURE and all the quizzes from all my other books and resources.
 
THE OSI MODEL & TCP/IP Model
I actually started this the first of the year. I created a matrix of the OSI model that had columns for the Layers, Data Units, Layer #, Layer Names, Functions, Protocols, and Devices. I then created a worksheet of this model without any information in it and printed out several of these. Each morning I started by penciling in the layer # and layer names. Then under the Function column for Physical I would right in “Media, signal and binary transmission.” The next morning I tested myself to see if I remembered. If I did then I wrote in the Data Link layer which is “Physical Addressing.” The next morning if I didn’t recall either I would work on those two layers again. Each day I would add a layer (sometimes it took a few days until I got them committed to memory). Once those were done I worked on the protocols for each layer. The device column included hubs, switches, routers, firewalls—all at their appropriate layer. Anyway, committing this to memory really helped because I pretty much did a brain dump on my little whiteboard during the test. And while by the time I took the test I knew the OSI model inside and out I referenced this to verify my answers—I found it easy to think Network layer for something and then later smack my head and think “What was I thinking! That’s the Transport layer!” I then added in the TCP/IP Model. I used a similar approach to memorizing the elements and classifications of the TCSEC model.
 
MNEMONICS & VISUALS
Whoever came up with “DEER MRS H CARBIDS” I am forever grateful to you! That really helped me with the various encryption and hashing models. I came up with some mnemonics on my own. “Dear Santa Call Me – No Sleeping At Kathy’s” for the left column and top row of the Information Systems Security Modes of Operations table. There were others but some too embarrassing to disclose here.
 
I also created visual pictures in my head. These helped as I learned more about them. Early on, I envisioned two guys dress for Halloween. One wearing a yellow bell costume and the other dressed like a spatula wearing a French beret (spatula was the closest I could come to for LaPadula). They were holding an orange pumpkin with TCSEC carved into it. Nearby was a guy I used to work for who was the epitome of integrity. His name was Clarke Miller so that was useful for remembering Clarke Wilson. His left hand held up three fingers. And in his right hand he held the hand of a little monkey who was wearing a hat with the word “Biba” on it (don’t even ask!). Behind them was a yellow brick wall with two of my vendors on either side; they had chopsticks in their hands. They had name badges; one said Brewer and the other Nash. There were other oddities in this “visualization” of mine that helped me remember the things until I eventually had a clear understanding of the associated concepts and how they worked.
 
I also used visualizations for the different attack methods. My friend Lisa in Atlanta can’t get this salami that is available on the west coast so I visualize her conducting a salami attack at her job. My friend Sue in Dallas gets teary-eyed over anything sentimental so I visualized her and a Teardrop attack. Assigning these to all my friends and creating scenarios on how they would pull off attacks against each other solidified the information in my head. Believe it or not these were helpful during the exam. I took the name of an attack (Smurf) and remembered Jason and thought through how he pulled off the attack.
 
MY TESTING CENTER & MY EXAM
I was very impressed with the Pearson Testing Center in Beaverton Oregon. The staff was very professional and the facilities very nice.
·        I visited two days before so I knew how long it would take to arrive, where the parking was, where the overload parking was, etc. I spoke with the guy at the front desk and he showed me the lockers in the lobby area. He also verified I was registered for the test and told me to bring in two pieces of ID:  my driver’s license and a credit card. Both had to have the same name as it appeared with the ISC(2) registration.
·        My test was at 8:00 am. I arrived at 7:30. There were five people ahead of me. They have a little stand with these large round disks that are numbered. I took number six.
·        You could take a locker which I did. I put my bag of snacks in there. They were about 12x12x12 inches. They are numbered 1 through 18. Except where #13 would be it is labeled 12b.
·        When I was called I presented my ID. They took a palm scan of each hand and took my photo. Every time you check in and out for something you must do the palm scan. I proceeded to the proctor who took me to my computer terminal and logged me in. My photo appeared on the screen (horror of horrors; I had not worn makeup that day and looked just awful). He looked at the photo and then at me to verify.
·        You cannot take any food or beverages in the testing room. You are offered disposable earplugs. I took some but never needed them; it was very quiet. You cannot wear nylon clothing (makes noise when you move); no hats; no watches or bracelets. You have to show that your pockets are empty.
·        I brought a zip up the front sweatshirt and was so glad I did. That room was COLD. At one point I took it off and draped it over my lap to warm my legs.
·        I was given what can best be described as a laminated sheet of paper about 8.5 inches by 14 inches and a black marking pen. I did a brain dump of the OSI model, my encryption mnemonic and a couple other things. All in my own abbreviated shorthand. Then I started the test.
·        I read each question and then the answers. I prefer reading from the bottom up; that’s just my style.  Went through the process of analyzing what they were looking for, searching for any key words or phrases. Then eliminating obvious wrong answers. If I was in doubt at any time, I marked the question. If I was confident with my answer. I read the question again and all the answers to verify my confidence.
·        It took three hours to answer all 250 questions. I raised my hand and the proctor came to me. I said I wanted to take a break. He locked my computer. A palm scan. Out to the lobby. Another palm scan. Got my snacks out and downed a Starbucks energy drink, half a banana and a protein bar. Took about 7 minutes. Palm scan at the front desk. Back to the proctor. Another palm scan. He unlocked my computer and I started reviewing the marked questions.
·        It took me almost three hours to review the marked questions. I went more slowly with each one. Many I was confident that my original answer was correct and moved on. Some I realized “OMG! They are asking about integrity not confidentiality!” and changed my answer accordingly. Some were an honest-to-god toss-up between two answers. And a handful must have been research questions because the choices were terms I had never heard of before.
·        I finished with 7 minutes left. Hey, those are “my” seven minutes, so I went to question one and started reviewing (no changes made; I was confident with my choices) until the timer came up that my test had ended.
·        I raised my hand for the proctor to come and get me. I knew I had failed. I was prepared for that. I decided I would reschedule the test for the end of January. That would give me some time for studying as well as save up the $600 (my employer pays for the first test; you pay for any re-takes). I would also buy a new version of the CBK and this time put some effort into reading it.
·        The proctor sent me out to the main area (after a palm scan) where “Bob” handed me a piece of paper fresh off the printer. It was upside down. A bad omen to me. I turned it over looking to see what areas I was deficient in and saw the word “Congratulations.” I was in shock. I read the letter again. Bob seemed concerned. Is everything okay? I looked at him and said “I passed!” With shaking hands I got my stuff out of my locker and headed out to my car. I started crying. It had been such an intense period the last few weeks. I got in my car and called two of my sisters and a close friend. I think they thought I had failed but were excited to learn I had passed.
·        That was the start of my vacation. I took a week off from work and enjoyed music, TV, friends. Cleaned my house. Cooked meals. Now I’m back at work and thought I’d write up my experience in case anyone else might find something useful here. Maybe you even found something helpful.  ;-)
 
THE BENFITS
I have to add a few comments about the benefits of my studies. I always thought I knew quite a bit about network security. I read a lot, take classes, and have a group of people (vendors and colleagues) that I rely upon for advice and information. I’m well respected by my peers and my employer. I must say that studying for the CISSP really filled in all the gaps—some I was not even aware of. A lot of the knowledge I acquired over the past few months is so ingrained in me that I now find myself answering an employee’s question as “a teacher.” I like that.
 
I’ve developed a confidence in many areas that I did not have before. I also am able to ask good questions of my vendors. One bragged about how they use 3DES with their program. “But 3DES was designed as a temporary fix when DES was broken,” I replied. “Why haven’t you adopted AES?” He was stunned; had never heard of AES. I realized at that point that I knew just a little more than the expert.  ;-)
 
Good luck to all of you who are pursuing this certification. Hopefully you will find additional benefits as I did.
 
And now I’m off to finish up the requirements to actually get my CISSP certification.
 
Theresa Fichtner, MCSE Manager of Information Technology
Phone 503.403.0303 | Fax 503.443.2163
Toll Free 866.236.6968
NW Preferred Federal Credit Union
 
 
Join us on Facebook, Twitter and LinkedIn!  <image007.jpg> <image008.jpg> <image009.png>
Electronic Privacy Notice & Disclaimers: This email message and any accompanying attachments may contain confidential information.  If you are not the intended recipient, do not read, use, disseminate, distribute or copy this message or attachments. Please notify the sender immediately and delete this message. Any views expressed in this message are those of the individual sender, except where it is stated expressly, and with authority, that they are the views of NW Preferred Federal Credit Union. Before opening any attachments, please check them for viruses and defects.
 
 

_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your accout visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org



Re: [CCCure CISSP] I passed - my experience

chimwemwe Mtonga
In reply to this post by Theresa Fichtner
Congratulations Theresa and thanks for sharing the experience...


This will really help us

Kind regards,

Chimwemwe Mtonga

Systems Administrator | Group Information Services
Deloitte



On Thu, Nov 21, 2013 at 5:15 PM, Theresa Fichtner <[hidden email]> wrote:


