Passed My CISSP Exam

I’m back from my self-imposed month of silence and am happy to report that I passed my CISSP exam.

I allowed for a hair over three weeks from my CISSP boot camp to my test date which seemed very aggressive but doable. What I didn’t count on was an unforeseen incident causing me to miss a week of study time. 4-5 days before my exam I was seriously considering postponing my test but the next available date for the local testing center was over a month away and I didn’t want this test hanging over my head for another month. Thankfully I was able to pass my test with no extensions.

Here is a quick overview of how I studied for the exam.

Step 1: Bootcamp

I choose the SANS 414 course for my CISSP bootcamp. I can’t say how it compares to any other CISSP prep course since I haven’t taken any others but I can say that I enjoyed the class and I passed the test. It’s redundant to say that a SANS instructor did a great job but Eric Conrad and Eric Cole are two of the greatest instructors I’ve ever had the privilege to learn from.

One thing I think I could have done better was take a few of the cccure practice exams before I started the bootcamp. I think bombing a few practice tests would have probably forced me to pay a little more attention to some of the minutia in the more mind numbing sections.

One HUGE bonus of the SANS bootcamp is that you get the entire course on MP3. I spent nights and weekends barricaded in the guest room studying but still got a lot of value from listening to the MP3s on my commute to work and while working out. I even listened on my way to the exam and one of the questions Eric Cole discussed was on the test. I’ve always enjoyed having a different instructor for the live class and the pre-recorded content because You get the same content but from two different points of view, different teaching styles, different war stories etc.

Step 2: CISSP study guide

Right after the bootcamp I started reading Eric Conrad’s CISSP study guide. I would definitely recommend that you visit a bookstore and pick a book you’re comfortable with but for me this book would have been an easy choice even if it didn’t come with the class.

A lot of the CISSP books on the market are well over 1,000 pages. Eric’s books cover the exact same material in 500 pages. It’s actually a really quick read with a lot of charts and practice tests at the end of each domain. The fans of the larger books point out that they cover each topic in greater detail but Eric’s guide absolutely provides the level of knowledge you need to pass the exam. On the few occasions I was interested in a bit more detail I Googled the subject, spent a few minutes reading and happily moved on.

Step 3: Practice tests

This is probably the most important step of them all. Most of the people that have problems on the CISSP don’t say that the exam was too technically difficult , they say they had problems with questions being poorly worded, having multiple “correct” answers etc. Practice tests help prepare you for the style of questions asked and force you to come to terms with the fact that you can’t change the questions no matter how badly you want to. The question may frustrate you, you make think it’s stupid, but you still have to try to figure out which answer is correct in CISSP land.

I started off by taking practice exams from cccure with varying results. I only had a week until my test so I got a copy of the Exam Cram CISSP Practice Question book and spent three evenings taking all ten of the tests in the book. I used the scores of those tests to dictate which domains I should be taking cccure practice tests for during the next two days. I would recommend the exam cram practice questions book and a cccure subscription to anyone preparing for the CISSP.

Step 4: The day before my test

I spent the day before my exam curled up with Eric Conrad’s other book, his 11th hour CISSP study guide. The book is around 150 pages of extremely concise CISSP information. It did a great job providing a final walkthrough of each domain for the exam.

All of this wasn’t cheap and it took an entire month but it accomplished the mission of passing the CISSP exam on the first attempt. The scariest part of all of this is how beat felt after spending a month straight studying for this thing. It definitely makes me wonder how much of a recluse I’ll become when I attempt the OSCP at some point in the next twelve months.

Comments

Post a Comment

Popular posts from this blog

SANS Index How To Guide with Pictures

Image
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable. A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index. Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS
Read more

Introducing FaviconLocator: The Eazy Button to Searching by Favicon

Image
  Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site. Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicons are the only thing displayed and how I navigate tabs. Most of us rely on favicons on a daily basis but many never think of them as a tool we can use in OSINT and CTI investigations. That’s what we’re doing to talk about here as well as introduce a new tool. In addition to branding and aiding in navigation between tabs, favicons can serve as unique identifiers for websites. These unique identifiers can help us: Trace the online presence of organizations and discover obscure digital assets Map the online infrastructure of potential threats Potentially de-ano
Read more

Automating Domain Squatting Detection with DNSTwist and Python

Image
  There’s a good chance that, at some point, you’ve received a spam email with a link that looked close to the name of a popular domain but was just a little off. Payapl.com instead of Paypal.com or similar. Domain squatting is a malicious activity where attackers register domain names similar to legitimate ones. Attackers may use these domains to deceive users into believing they are visiting a legitimate website, which can lead to phishing and other attacks. DNSTwist (available here: https://github.com/elceef/dnstwist ) is a popular tool that helps identify domain names that are similar to a given domain name. It generates a list of potential domain names by applying various fuzzing techniques to the given domain name and then checks if these domains are registered. Check out the list of Bank Of America copycat domains: DNSTwist is an amazing tool that should likely be a part of every organization's Cyber Threat Intelligence monitoring efforts, and I wanted to automate it
Read more