So You Want To Be A CISSP

Four years verified security experience. An intimidating test. A waiting period that made me lose more hair. This was my CISSP experience. When I took the CISSP it was bubble sheet/Scantron. Eight hours for 500 questions from 10 domains ranging from Physical Security to arcane Data Classification used by the military around the time War Games came out. It is, to use an oft-used descriptor, a mile wide and an inch deep.


I sat for the test in March of 2006. I self studied. It was, to say the least, intense. Did I make it more intense than I needed to? Probably. I tend to over engineer about anything I can. Usually you can judge your level of study and adequacy of your methods by your test score. Trouble is, you don’t see that in the CISSP.  To the person, everyone I have talked to has the same comment: “When I walked out, I had no idea if I had passed or bombed it!” When I took it, I had no computerized option, bubble sheet and #2 pencils only.  It took 3 weeks to find out if I passed the test.  At least that was via email.  Then started the background validation.  That was another 3 weeks.  How did they tell me I passed?  I got an envelope with Rocky Gregory, CISSP on it.  Saw it for the first time.  This was a cert I had wanted since the day I heard about it.  Something I sacrificed for, prepped for and lost a lot of sleep to.  Needless to say, I wept like I was watching Rudy.

One of the questions I get asked most often is what materials I used to study.  It’s important to stop here and note my study process.  Like everything I do, there is a process.

The Resources:

As a rule, I have 3 forms of all of the study materials on any exam.  I have a primary book –  This is the one I read from, mark up, etc.  I use it for the entire study session.  I have a second source – typically the “next best” version.  I do this as people have different writing styles.  They use different analogies.  They use a different tone and assume different levels of skill and background.  If I am baffled by a concept in book 1, I go to book 2 and read it there.  I also tend to take the chapter and content tests out of the second book, rather than the first.  More on that later.  Third –  I have an Exam Cram type book.  One of those skinny, packed with questions, pump and dump type texts.  NOT a brain dump, those are crap and they degrade our industry. I mean the Exam Cram book series. I certify to build my knowledge, renew my understandings, validate I am still mostly sane, and then the letters after my name.  Considering the price of most exams, and the fact that a lot of employers only pay for your first attempt, the test is ultimately fairly important.  Below are the modern versions of the books I used.  I have suggested them for the last 7 years, as well as my study methods and am proud to say the folks I have coached have passed the first time through!

The Books:

First and foremost, the Shon Harris All-In-One Guide is a must.  This is the Golden Book.  I have known some folks that have used only this resource and passed.

Next is good old Sybex. Sybex have been around a dog’s age and I have used them since my NT4 MCSE prep.  They are consistently mediocre, but always a good secondary text.  They employ good writers, have a very clean look and feel, and it’s another “voice” to read the text.

Finally, a good Exam Cram guide for cramming, after chapter testing, and the bare bones answers.

The Method:

I’m fortunate enough to be a moderate test taker.  I’m extremely fortunate enough to have had a class on another topic taught by my friend and true instructor, “KC” Keith Charles.  KC taught me study tips that I use to this day, and share with anyone studying for a cert.  I’ve developed a project style preparation system as well.  I tend to put together a project plan for everything I do.  A friend once joked that I can’t refill my water bottle without a plan, process and system.  So, here it goes:

  • From KC, the power and virtue of NERVOUS NOTES.  The nervous notes concept changed my testing life.  The concept is simple.  You are nervous when you sit for a test.  Doesn’t matter who you are, you’ve got a bit of agita.  These notes affirm what you know, give you crib notes for what you don’t.  You write them over and over until it is muscle memory.  It gives you a second applied sense from which to learn, adds some kinesthesia and drives it home in general.  Details on how I use nervous notes are in the section below.
  • Have a plan for what you will study each session.  “I will finish this malarkey about the Orange Books tonight”.  “I will finally be able to explain Elliptic Curve Cryptography to my bulldog by the end of this session”.
  • Read the exam objectives.  Highlight the areas that are going to be troublesome.  Print those, have them somewhere you can see while you study.  Review and check off what you are comfortable with.
  • I really like to read a chapter or concept in one book, then test on it from the end of the chapter in another book.  I do this method until I am hitting in the 80% range, recursively study until I hit that number.  I then test in the primary source and the tertiary.  Once it’s solid, it’s solid.  It goes in the memory bank until the final week or two before the test.  Then I do the whole megillah, chapter by chapter test.  I will sometimes challenge myself to go back x chapters at the end of a session on an entirely different topic.  With such a theoretical test as the CISSP, this can be a great game to play on yourself.
  • Set study times.  You’re busy.  I’m busy.  Congress is busy.  Get over it, set a specific time.  Lock yourself in a room.  If you dig music and can have it without being distracted, rock that.
  • Set a date and work back.  If you are paper and penciling it, this is pretty easy.  If you are computer basing it, set the date and build your study plan backwards from that date.

Nervous Notes:

  1. Take out an 8.5×11 sheet of paper at the beginning of your study session.
  2. Start making tables, charts, squiggles and notes on the stuff that you are having a hard time with.  For me a good example was EAP types for my CWSP.  Nice little table of type, security level, definition, etc.
  3. After your first session, take out the sheet and refine it, copy it by hand.
  4. Wash, rinse, repeat.
  5. As test time gets closer, finish up the notes sheet.  Make a gold image.  Copy it before and after each session, at least once, if not a few times.  Get to where you are NOT thinking as you write it out.  You want to affirm what you know, give crib for what you struggle with and give yourself some time to breathe before you hit the begin button or rip open the test book.
  6. Get an 8.5×11 sheet of paper at the test center.  The proctor will give you one and a pencil if you demand it, as long as you give them the paper back after.  That was my experience, anyway.  Pearson has as well, when I’ve gotten a bit persistent.  Write out your nervous notes before you tear open the book or hit the start button.  This should relax you, reinforce that you know what you know and give you that quick reference.

So, that’s what I did.  Again, this may have been, and in fact probably was, overkill preparation.  All I know is that it worked for me and I got those 5 letters I had wanted for so long.

Jukin’

I’m a digital guy. I grew up in front of computers. I have to have the newest and greatest gadgets as soon as possible.  I work in technology and spend a lot of my off time dicking around with the latest gizmo.

I like to keep a hand on the analog though.  I love the tactile experience of putting a record on the turntable. I love the hisses and pops and imperfections of music carved into a hunk of vinyl. I have an Echo Dot connected to the stereo in my shop where my lab lives and I do use it a lot, but I also like to spin up the turntable and drop the needle on classics not yet digitized, listen, and bask in the warmth.

My grandpa Orville had a float house on the Columbia River where he parked his boat when I was a lad. It was a magical place. A hang out space, a proto-mancave. There was a hardwood bar with bar stools, a pool table, a kegerator, a slot machine, and a 1947 AMI Model C jukebox. When Gramps passed, the only thing I asked for was the jukebox. It was in very rough shape when I got it. The records were gone, parts were missing and it didn’t work. I’ve messed with it over the years and had it temporarily playing, but I’m not good enough with old electronics to have ever gotten it working stably.  This is a link to my youth, to the analog, and to good music only available on 78s.

I found a guy in Clackamas (about 10 mi away) who does restorations and just completed one of the exact same model! I’m going to look at his work, hopefully this weekend, and just sent him pictures of mine and the stacks of spare parts I’ve accumulated over the 10 years I’ve been working on it. It’s my most prized possession. I’m REALLY hoping his work is good and that he’ll take the job of doing mine!  It will go into my burgeoning hang out space in my shop, next to the popcorn maker, kegerator and stand up arcade machine.  Now if I can just talk my mom out of the slot machine.

Wish me luck! Here’s what it should look like when finished.


Why Today Is Important

Alan Turing is credited with creating what we today know as the programmable computer. He had the idea before WWII, but work in earnest started in order to crack the “unbreakable” German Enigma machine’s encryption. They were used on U-boats which were destroying Allied ships en masse. Cracking their code would give locations to avoid and other vital information.

He worked in secret and never got credit for his work in his lifetime because it was still a state secret, though it saved thousands of lives. Many believe it to have been a big part of the reason the Germans surrendered.

He was discovered to be gay, a crime then, and penalized with chemical castration. He took his own life. He was posthumously pardoned in 2013 by the Queen. He is one of my biggest heroes and today is his birthday. Read a book on him or at least watch The Imitation Game. It’s pretty close to factual and you wouldn’t be reading this message if it weren’t for Turing.

Why I’m Finally Taking A Coding Class

Like most people my age, I’m 43. Unlike most people my age in my profession, I’ve never taken an actual programming class. Writing Color BASIC programs on my TRS-80 is what got me into my beloved trade. Tirelessly copying programs line by line from Hot CoCo magazine and tweaking them while working my way through the books that came with the computer until I could write my own programs was all I could think of as a lad. When Batman wasn’t on. I can hack together a little Python, munge some Perl, and used to write the hell out of DOS scripts, but it’s all self taught, as opposed to the hundreds of hours of classes I’ve taken for networking, servers, wireless and security.

To be honest, I loathe it now.  I don’t know the precise moment when I lost the taste. Probably the first time I heard the siren song of a modem squeal. I’ve spent a career avoiding programming and DBA work.  Software engineering takes such a focused linear mindset.  Don’t get me wrong, you do have to be methodical as a bit jockey, you have to have processes, and I do know some amazing linear thinking network folk, but that linearity is at a whole different level for programming. I admire it as a quality. That’s not me though. I am thinking about every component of a system all at once. It fits my scatter brain.  I’ll be honest as well that I just find it tedious. I’m methodical and all about process and procedure, I’m a single tasker, but my mind is working on flipping bits all the way from the antenna to the cat video all at once.

So, why the change of heart? A couple reasons, in reverse order of importance (see, I need more linearity):

A) I don’t want to jump up the stack and become a code poet and I know enough to cobble together a script, but the lines between software and networking are blurring. My friend George Stefanick (go see his blog if you have ANYTHING to do with WiFi), during a vendor presentation on SDN at Wireless Field Day, asked “at what point am I no longer a network guy and become a software guy” or words to that effect. As usual, he made a very valid point.  It’s time to invest in some career future proofing.  I’m wrapping up on the certs I’ve been after for many, many years and I’d go nuts if I wasn’t learning. It’s time to codify my understanding in an instructed rather than ad-hoc fashion.  It’s also a challenge and a step away from my comfort zone.

2) The best part is that one of my best friends, who also happens to be my son, is taking the class with me (I’m the lucky dad who is close friends with all three of his adult children)!  We did Lego Mindstorms when he was a kid, played with Arduino a few years ago, and he has a knack and the mind for it. He sees the routines in his head and they appear on the screen. We got to talking and decided it would be fun to do it together. We can be competitive, and this is a way to be with fewer welts than our paintball outings. He just got out of high school and a little instructor-led online 12-week class is a good way to explore it as a career possibility or just take it up as a hobby. Or he could drop it flat, whatever, he’s at the age where it’s good to try things on and see if they fit.  We can drop the whole experience off at Goodwill if it’s not his size.

So, Python 3 via Portland Community College, (who are also one of my clients) it is! If/then we like it, we keep going, else, it will have been a bonding experience, and I dig the hell out of those.