CISSP study guide - Laurie

Please enable JavaScript to view the full PDF

CISSP study guide pass your CISSP first time CISSP Study Guide from cyberonthewire CISSP Practice Questions app Features: • First 50 questions FREE • Intuitive navigation • No ads • No signup required • No internet connection required • Questions/answers written by CISSP certifed author CISSP Flashcards app Features: • 100+ FREE fashcards • Covers all CISSP domains • No network connection required when using the app • Content created while actually studying for and passing the CISSP exam Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire contents 1. What is CISSP? 2. Planning for certification 3. Study options 4. Planning your CISSP study 5. Note taking 6. Flashcards 7. How to revise 8. How to know when you're ready 9. 24hrs to go... 10. My top 5 CISSP exam tips 11. Passed? - now get certified 12. Thanks for reading (and where you can get more) 13. Appendix A – Didn’t quite make it first time? Don’t give up! 14. Appendix B - List of study resources 15. Disclaimer Get more study resources at: cyberonthewire 1. what is CISSP? CISSP stands for Certified Information Systems Security Professional and is an industry recognized certification run by an organization called (ISC)². The official description provided for CISSP is:“The vendor-neutral CISSP certification is the ideal credential for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their overall information security program to protect organizations from growing sophisticated attacks” ((ISC)² accessed January 2017). The most important things to know about the certification are: • it’s aimed at managers • you will need to have several years of paid relevant experience in order to become certified (more on this later) • it covers a (very) broad range of subjects • there are ongoing annual requirements to remain certified In my opinion, the reference to ‘deep technical’ should not be misinterpreted as suggesting that you have to be able to program/conduct hands on analysis of network vulnerabilities or conduct forensic recovery of digital media, rather it refers to being able to manage and have a working knowledge/understanding of all the parts of an organization’s security program. For example you may not have to physically set up an IDS but you will certainly need to know what it is and what it should do. Note also that it’s not a certification that you are awarded by passing an exam alone. In order to be awarded the full CISSP certification you must have 4-5 years CISSP Study Guide from cyberonthewire (depending on whether you can waive a year) of paid, relevant experience. The subject matter that you have to study ranges from high level governance topics to being able to provide the result of XORing two sets of binary values and everything in between. It’s the sheer scale and variety of the exam material which makes it difficult and even once you’re certified you still need to provide evidence of professional development each year. So, why would you want to get certified? why would I want to sit the CISSP exam? Well the answer is clearly because you want to get certified but why might you choose this certification over others? And for that matter why would you bother going through the study and expense to get any certification? Well for most people the short answer is because it helps you to secure a new job. You can find lots of lively discussion about whether this is the case (both in terms of certifications in general and the CISSP) but here is my view on it: it can’t do any harm. If you have a wealth of experience you may be able to secure a role based solely on that and you may not need a certification, however there are plenty of jobs which list being CISSP certified as either essential or desirable criteria (a quick search on indeed.com at the time of writing brought back over 11,000 jobs mentioning CISSP). This may mean that although you are perfectly capable of doing the job, those sifting applications will sift you out simply because there are other candidates who are certified. Additionally if you are very experienced you may well find that there is less for you to Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire learn because you already know much of the material from your experience, making studying for the exam easier. Remember that those doing the initial sift of applications may not be people who are knowledgeable about the role, they may have a massive stack of applications which they’ve been told to whittle down to 20 – if CISSP is desirable criteria they may well simply dump all those who don’t have it – even if the person doing the sifting doesn’t know what CISSP is! However, what if you don’t have a great deal of experience? Well academic qualifications aside, having a certification will help mark you out as having demonstrated that you at least have the relevant knowledge for a role even if your experience is limited. Note that if you have no paid experience you cannot be CISSP certified, you can however become an Associate of (ISC)2. If you put yourself in the position of someone recruiting for a role and you have two resumes in front of you, both with limited experience but one has a relevant certification which one would you choose? In addition to these two points I would also suggest that you will learn things which improve your general knowledge and understanding making you better at your job. You may even find some of it interesting! why choose CISSP over another certification? This is another topic on which you can find many a flame war with people making wild claims that the CISSP is the ‘only cert worth having’ while others say it’s worthless and that there are others much more worthy of your time. From what I’ve seen, the CISSP is still the most sought after, desirable certification to have on your resume if you are interested in roles relating to information security, especially if you want a role in management. The CISSP is not practical, you won’t learn how to conduct penetration testing, or how to assess a network for weaknesses. If that’s more your thing then I would agree that you should be looking Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire elsewhere, but if you are looking for something at the management level or above, then this is still one of the most sought after certifications in terms of job adverts. The other point that I’d like to make about the CISSP is that because it covers such a wide range of topics it doesn’t tie you to a specific field. (ISC)2 state in their description of the certification that CISSP is ideal for the following roles: • Security Consultant • Security Manager • IT Director/Manager • Security Auditor • Security Architect • Security Analyst • Security Systems Engineer • Chief Information Security Officer • Director of Security • Network Architect (source: (ISC)2 February 2017) So, for my money, unless you aren’t interested in management and/or there is a specific role/field you want to work in – you should be considering CISSP as your primary certification. Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire 2. planning for certification This chapter discusses the various options for getting CISSP certified and answers some of the common questions that arise. The bottom line in terms of getting certified is that there are two primary hurdles: you must pass the CISSP exam: • you must pass the CISSP exam • you must have 5 (or in some circumstances 4) years of relevant experience Although you may have your sights set on the exam and are concentrating on that being the challenge, it’s important that you consider the experience requirement carefully. From the point that you pass the exam, you start a timer which gives you 6 years to certify. If you don’t manage this, you have to take the exam again (which no one wants to have to do, believe me, once is enough). This 6 year window gives you time to build up your experience in order to get certified but what sort of experience do you require? experience requirement The first thing you need to know, is how much experience is required. You may have noticed that in the bullet points above I referred to either 5 or 4 years being required. This depends on whether you can waive a year by having a relevant qualification or certification. The (ISC)2 guidelines state that: “A candidate shall be permitted a waiver of one year experience if: Based on a candidate’s education Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree or regional equivalent or an advanced degree in information security from the U.S. National Center of Academic Excellence in Information Assurance Education (CAE/IAE). OR Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire For holding an additional credential on the (ISC)² approved list below Valid experience includes information systems security-related work performed as a practitioner, auditor, consultant, investigator, or instructor that requires information security knowledge and involves the direct application of that knowledge. The five years of experience must be the equivalent of actual full-time information security work (not just information security responsibilities for a five-year period); this requirement is cumulative, however, and may have been accrued over a much longer period of time.” (source: (ISC)2 February 2017) So, if you want to use 4 rather than 5 years, you either need an undergraduate degree (or the alternative listed above) or you need a credential from the approved list. In addition the work must be paid and cover at least two of the 8 domains from the Common Body of Knowledge. The best source that I’ve found to decide whether your experience is sufficient, is to use the exam outline provided by (ISC)2 because it breaks down each domain into sub topics, which make it much easier to gauge your level of relevant experience. planning when to take the exam By now you should have noticed that this decision is dictated largely by how you intend to fulfil the experience requirement. If you already have the 4/5 years of experience then it doesn’t matter when you pass. If you’re looking to change careers and feel being certified would be of benefit, or if you have a significant period of free time in which to study, then of course these factors will affect your decision of when to take the Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire exam, but having the experience already makes the tactical decision of when to study for/take the exam moot. You can pass the exam without the experience and become an Associate of (ISC)2. This effectively means that you get to bank your exam for 6 years, at the end of which you must have your 4/5 years of experience in order to certify as a full CISSP. You can call yourself an Associate of (ISC)2 but cannot call yourself CISSP, or imply that you are certified in any way while you are an associate. This 6 year timer can give you a good idea of how to plan your certification if you don’t yet have the required amount of experience. There are a number of situations you may find yourself in which I have laid out below: 1. you have no relevant experience and are not in a job that will give you that experience 2. you have no relevant experience but have started a permanent full time job that will give you the relevant experience (in 2+ domains) 3. you have some years of relevant experience but are short of the required 4-5 years If you fall into scenario 1 you may wish to think twice about whether you really want to study for the exam just yet. If you pass, you then have the pressure of finding the relevant 4-5 years of experience when don’t yet even have a job that will give you that experience. My recommendation in this case is to wait until you are in a relevant role. For those of you who are in scenario 2 there’s nothing stopping you taking the exam and becoming an Associate of (ISC)2 until you have accrued the relevant experience. Your timing in this case will probably depend on when you have the time to study (e.g. if you’re planning on having children in the next couple of years then now might be a better time to hit the books!). The 3rd scenario is similar but gives you a little more of a cushion in that you can already knock some time of the 4/5 year requirement. Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire 3. study options This chapter introduces the various study options available to you when you prepare for the CISSP exam. As with most exams there are a variety of study options available to you, which you decide to choose will likely depend on a number of factors including: • money • time • location • how you absorb and assimilate information The options available to you broadly fit into three categories: • self study with the Official (ISC)2 Study Guide, other books and free online resources • take a paid online course • take physical – location based training of course you can mix and match and do a combination of these options. self study This is the cheapest option as you can technically buy only the Official Study Guide and use this to study for the exam, however it’s also the hardest. It will be down to you to work out how to plan your study and incorporate effective revision. The material that the CISSP exam covers is very broad which means that it’s hard to keep your knowledge fresh for every area and if you aren’t used to studying you might find the whole thing too daunting and never get started in the first place. Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire The important thing about self-study is to have a plan, the old adage of ‘fail to prepare – prepare to fail’ fits well and if you simply read the book without studying then you are unlikely to fare well. The other benefit of self study is that you can fit it around your life. If you have downtime or commute time you can fit some study in. This isn’t something that you can do with physically delivered courses. Other resources you may wish to make use of are YouTube videos, other study guides and online searches. I would recommend that you structure your study plan with the Official Guide at the center, it is, after all, the official guide which should give you a strong foundation for your test. I used YouTube videos and online searches mostly to clarify things that I had read in the guide but didn’t properly understand. Any additional study materials that you might use will depend on how you learn best. For example you may not learn particularly well through reading but find that you do learn well from videos or audio. Even if you do learn well through reading, you may find that supplementing this with video or audio helps to cement the information in your mind. paid online courses This option is of course more expensive that just studying on your own with books and free resources but online courses are a way to get yourself onto a program of study that doesn’t require you to do the planning – that’s done for you. If you are considering taking a paid online course there are a few things that you will want to know before you fork over your hard earned cash. Firstly, is it a course which you can do whenever you want or does it consist of live webinars that require you to be available at a specific time? The former is clearly more convenient and you can go at your own pace, but the live option may be easier from the point of view of being able to ask questions to clarify what’s being taught at in a live classroom style environment. You will want to know what options you have to ask questions about the material as this could range from real time (phone/chat) to none. Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire You’ll also want to know what materials are included in terms of video, online written material, material that you can download or in some cases hard copies of materials that can be posted to you. You should also have the opportunity to see samples of the materials before you buy a course as well being clear on what the money-back guarantee is. physical location based training This is the most expensive option (typically well over 1000 USD) and the most traditional in the sense that it is effectively classroom teaching. The benefits of this are that as with any other classroom training you can ask questions of your teacher and get an immediate response. Similarly if something isn’t clear you can ask for clarification. The drawbacks are that you cannot set your own pace, so if you already work as a network engineer for example but have knowledge gaps in other areas you still have to sit through the section on what IP and MAC addresses are – time which you could have better spent on another topic. The courses tend to be intensive (e.g. a week) which may not be the best way to absorb so much information. If you do decide to take a course I would recommend doing so only after you’ve read the book. At least that way you will be familiar with the material and can treat the course as a revision tool prior to the exam. Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire 4. planning your CISSP study This chapter is about how you actually plan your studies, including the techniques I used to study for and pass the CISSP exam. We will cover: • study techniques and styles • timescales and setting goals • resources study techniques and styles The first thing to realize is that not everyone learns most efficiently in the same way. Although there are plenty of resources which go into great depth on this topic, I will use the three broad categories that feature on the wikiHow page on learning: • visual • aural • kinesthetic Visual is fairly self explanatory – you learn well through the use of images, diagrams, colors and perhaps through (reading) text. Aural is learning through listening, this would include listening to podcasts or other recordings, or perhaps through someone speaking on a video or in person. Kinesthetic or tactile learners learn primarily through ‘doing’ or touch. It’s not important to get too tied up with the details of exactly which category you fall into, but what is important is to be willing to try more than one technique in your learning – especially if you haven’t studied for a long time. For example I know that I learn better by not only reading material, but by writing notes as well (even if I don’t use them to revise later). To me this suggests that there is an element of the kinesthetic learner in me – the action of writing helps me to remember. However I’m also highly visual in that diagrams or pictures are something that I can easily remember – I can then remember the facts that are associated with them. If those images weren’t there then I would struggle to remember the words on their own. Another technique that I find very helpful is using and visualizing examples; Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire particularly where there are abstract theories involved. Again, for me this suggests that I learn best through visualizing the example (visual type learning) and through ‘acting out’ the example in my mind (kinesthetic type learning). The reason this is important, is that generally everyone’s initial study starts off with buying the Official Study Guide – a text book. I would recommend that you at least experiment with other study techniques, other than simply reading, to work out how you learn best. timescales and setting goals One of the hardest things when studying on your own is pacing yourself and setting goals. This is what you should be doing in your planning phase before you even start your study. That way, even when you’re up to your armpits in governance or malware, the end is always in sight! I recommend that you base your planning on the Official Study Guide. My study technique is simple, structured and is made up of two phases: • studying – initial learning of material and making your own revision materials as you go • revising – revisiting key material, refreshing your memory and testing yourself studying In terms of studying this is how I recommend that you structure it, working from the Official Study Guide: 1.work through the book chapter by chapter 2.as you read make your own notes or flashcards 3.use the end of chapter activities and revision questions to refresh your knowledge The chapters do vary in length, however I strongly recommend setting a goal for your study dependent on how much free time you are willing to dedicate. For example you might decide to aim to do one chapter every 2 days which would give you a total time of six weeks to complete the book. You will have a better idea of how long you need Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire once you’ve done the first couple of chapters, but by having a goal like this at least the end is in sight! You can look at your diary and say: “well at least I’ll have finished the book by such-and-such a date.” This really helps with motivation and I also found that when I didn’t study, I felt a bit guilty because I wasn’t keeping up with the schedule I had set. If I hadn’t set one, then I wouldn’t have minded so much because I wouldn’t have been off schedule – there wouldn’t have been one! While we’re on the topic of pacing, it’s worth being wary of the dangers of either rushing through the material too quickly or being overly slow. If you rush through the material at breakneck speed you might find that you struggle to retain the knowledge because you’re simply cramming information into your mind at a speed that you can’t keep up with – your mind does need some time in order to process what you’re learning. Conversely, if you only read a page a day it would take you so long to finish the book that by the time you finished you probably wouldn’t remember much of what was at the beginning of the chapter, let alone the beginning of the book. This makes revision even harder because you don’t have much of a foundation to build on. To set your own schedule for completing the book I suggest that you time yourself to see how long you need to complete the first chapter then establish how much time you’re likely to have day-to-day over the coming weeks so that you can set your own goals in terms of how long you will give yourself to complete a chapter. My overall study time was around 3 months. revising The revision phase is where you’ve completed your initial study/learning of the material and you’re now trying to refresh that knowledge to a point where you can use it in the exam. If you’ve been through the chapters in order, by the time you’ve finished chapter 21 on Malicious Code you will probably have forgotten much of the material in chapter 1 – Security Governance. This is where your revision notes/flashcards become particularly valuable. Because you’ve distilled the essential keywords and facts and cut out all the explanation you can quickly refresh your knowledge without getting Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire bogged down. I wrote flashcards rather than notes which meant that I had questions that I had written myself on one side with the answers on the other. One of the benefits of this, was that it exercised the recall part of memory, forcing me to access the knowledge, rather than just repeatedly reading facts. Once you’re comfortable with the knowledge on your flash cards it’s time to try some of the Sybex online practice tests that come free with your Official Study Guide. When you get questions wrong, it’s important to consider whether they are pointing to a specific weakness in your knowledge and if so, revisit the relevant section of the book. For example, I found that I was getting quite a few questions wrong which were about the Governance topic so I decided to go back and re-read the relevant sections of the book. resources The resources that you will need to prepare for the CISSP exam are, in my view, separated into the ‘must have’ and ‘could have’ categories. The Official Study Guide is a must-have along with the online resources that come with it. Either making your own notes/flashcards as you go along or having someone else’s are another must-have. Other resources depend a bit on your learning style. If you find them helpful, then look into what audio/video resources there are as well as other companion books. But remember that a companion book is just another book to read and you might find that you’re adding to your workload without a great deal of benefit. I would also suggest that you don’t solely use videos or audio guides for your study but rather use them to supplement your study of the book. In short: Must have: Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire • Official Study Guide (with accompanying online resources) • Either your own notes/flashcards or someone else’s (that you trust) Could have: • Videos (free or paid) • Audio/podcast • Companion books • Online or in person delivered training course Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire 5. note taking The purpose of this chapter is to cover how you actually study (rather than just read) a section of the CISSP study guide and how to take notes. We will work through an example of text from the study guide which I break down into sections and discuss my decision process on which material to note down and which to leave out. you’re studying, not reading The first thing that’s important to remember is that you are studying. This is different to just reading a book. If you’re reading for pleasure it doesn’t really matter how hard you’re concentrating or whether you actually retain much of what you’re reading. Studying is reading with a purpose! You’re looking for key points within the text that you think are something that is ‘testable’. Generally with a text book you will have a number of these facts/theories along with a load of explanatory text. The aim is to be able to pick out these facts and base your notes/flash cards on them. Below I use an example from the study guide about the Bell-LaPadula model to demonstrate what I mean. “The US Department of Defense (DoD) developed the Bell- LaPadula model in the 1970s to address concerns about protecting classified information. The DoD manages multiple levels of classified resources, and the Bell-LaPadula multilevel model was derived from the DoD’s multilevel security policies. The classifications the DoD uses are numerous; however, discussions of classifications within the CISSP CBK are usually limited to unclassified, sensitive but unclassified, confidential, secret, and top secret. The multilevel security policy states that a subject with any level of clearance can access resources at or below its clearance level. However, within the higher clearance levels, access is granted only on a need-to-know basis. In other words, access to a specific object is granted to the classified levels only if a specific work task requires such access. For example, any person with a secret security clearance can access secret, confidential, sensitive but Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire unclassified, and unclassified documents but not top-secret documents. Also, to access a document within the secret level, the person seeking access must also have a need to know for that document. By design, the Bell-LaPadula model prevents the leaking or transfer of classified information to less secure clearance levels. This is accomplished by blocking lower- classified subjects from accessing higher-classified objects. With these restrictions, the Bell-LaPadula model is focused on maintaining the confidentiality of objects. Thus, the complexities involved in ensuring the confidentiality of documents are addressed in the Bell-LaPadula model. However, Bell-LaPadula does not address the aspects of integrity or availability for objects. Bell-LaPadula is also the first mathematical model of a multilevel security policy. This model is built on a state machine concept and the information flow model. It also employs mandatory access controls and the lattice concept. The lattice tiers are the classification levels used by the security policy of the organization. The state machine supports multiple states with explicit transitions between any two states; this concept is used because the correctness of the machine, and guarantees of document confidentiality, can be proven mathematically. There are three basic properties of this state machine: ■ The Simple Security Property states that a subject may not read information at a higher sensitivity level (no read up). ■ The * (star) Security Property states that a subject may not write information to an object at a lower sensitivity level (no write down). This is also known as the Confinement Property. ■ The Discretionary Security Property states that the system uses an access matrix to enforce discretionary access control. These first two properties define the states into which the system can transition. No other transitions are allowed. All states accessible through these two rules are secure states. Thus, Bell-LaPadula–modeled systems offer state machine model security.The Bell-LaPadula properties are in place to protect data confidentiality. A subject cannot read an object that is Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire classified at a higher level than the subject is cleared for. Because objects at one level have data that is more sensitive or secret than data in objects at a lower level, a subject (who is not a trusted subject) cannot write data from one level to an object at a lower level. That action would be similar to pasting a top-secret memo into an unclassified document file. The third property enforces a subject’s need to know in order to access an object. The Bell-LaPadula model addresses only the confidentiality of data. It does not address its integrity or availability. Because it was designed in the 1970s, it does not support many operations that are common today, such as file sharing and networking. It also assumes secure transitions between security layers and does not address covert channels (covered in Chapter 9, “Security Vulnerabilities, Threats, and Countermeasures”). Bell-LaPadula does handle confidentiality well, so it is often used in combination with other models that provide mechanisms to handle integrity and availability.” (Stewart, JM, Chapple, M, Gibson, D, 2015, Certified Information Systems Security Professional Study Guide Seventh Edition, Hoboken, Sybex, pp 282-283) Wow! Even looking at this small section is daunting! Lets have a look at what we can distil from this in terms of the crucial facts that we should be noting down. In the back of our mind we should remember that other than expanding our knowledge, the end goal is to take the CISSP exam which consists of multiple choice questions. So, as we study we should be thinking, what sort of multiple choice questions would I write if I had to examine someone on this? Let’s break it down piece by piece to see what we have: “The US Department of Defense (DoD) developed the Bell- LaPadula model in the 1970s to address concerns about protecting classified information. The DoD manages multiple levels of classified resources, and the Bell-LaPadula multilevel model was derived from the DoD’s multilevel security policies.” This is background/historical information none of which I would expect to help me much in an exam so I wouldn’t take anything from this. Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire “The classifications the DoD uses are numerous; however, discussions of classifications within the CISSP CBK are usually limited to unclassified, sensitive but unclassified, confidential, secret, and top secret.” This is more of a recap of another section of the book. The classification of information is dealt with elsewhere and this sentence doesn’t really add anything to that – again I would not take any notes from this. “The multilevel security policy states that a subject with any level of clearance can access resources at or below its clearance level. However, within the higher clearance levels, access is granted only on a need-to-know basis. In other words, access to a specific object is granted to the classified levels only if a specific work task requires such access. For example, any person with a secret security clearance can access secret, confidential, sensitive but unclassified, and unclassified documents but not top-secret documents. Also, to access a document within the secret level, the person seeking access must also have a need to know for that document.” Again, to me this mostly appears to be a recap of how clearances and need-to-know work. You will most likely be able to infer this about the Bell-LaPadula model from the more crucial points that you’ll make note of further on. “By design, the Bell-LaPadula model prevents the leaking or transfer of classified information to less secure clearance levels. This is accomplished by blocking lower-classified subjects from accessing higher-classified objects. With these restrictions, the Bell-LaPadula model is focused on maintaining the confidentiality of objects. Thus, the complexities involved in ensuring the confidentiality of documents are addressed in the Bell-LaPadula model. However, Bell-LaPadula does not address the aspects of integrity or availability for objects. Bell-LaPadula is also the first mathematical model of a multilevel security policy.” OK, now we’re starting to get to the meat of it. The first sentence is important but it’s still quite a verbose explanation – it’s basically saying that it stops higher classified material from Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire escaping to lower classified areas – even though this is important, I would not make a note about this specifically as it’s inferred from the rules that we come across later. The most important piece of information here to take note of is confidentiality. This is the keyword that I would write down like this: Bell LaPadula: confidentiality I wouldn’t write down that it doesn’t deal with integrity or availability. Rather I would infer that from the fact that I hadn’t written it down. For me it’s a lot easier to recall the note above, see that it only says ‘confidentiality’ then assume that it doesn’t address anything else, rather than write down something like this: Bell LaPadula: confidentiality – addressed integrity – not addressed availability – not addressed Now rather than only having to remember one word, I have to effectively recall six pieces of information – three terms (confidentiality, integrity, availability) plus whether each one is or is not addressed by the model. The final sentence is more of a historical anecdote and I would personally be surprised if it were used to create a question; it’s not a history exam after all! Let’s continue: “This model is built on a state machine concept and the information flow model. It also employs mandatory access controls and the lattice concept. The lattice tiers are the classification levels used by the security policy of the organization. The state machine supports multiple states with explicit transitions between any two states; this concept is used because the correctness of the machine, and guarantees of document confidentiality, can be proven mathematically. There are three basic properties of this state machine: ■ The Simple Security Property states that a subject may not read information at a higher sensitivity level ( no read up). Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire ■ The * (star) Security Property states that a subject may not write information to an object at a lower sensitivity level (no write down). This is also known as the Confinement Property. ■ The Discretionary Security Property states that the system uses an access matrix to enforce discretionary access control.” Now we’ve got some more of the crucial fundamentals of the model. I would make a note of the two types of model on which Bell-LaPadula is based – State Machine and Information Flow. I would also write down MAC (Mandatory Access Control). You may wonder why I wouldn’t write down ‘lattice concept’. This is an example of where how you take notes is personal. You’re trying to strike a balance between writing down enough of the key points that you can answer questions on a topic, but at the same time the more you write down the less likely you are to remember it all. After all if we wrote everything down we would just have another copy of the text book! I would leave the piece about ‘lattice’ out because: a) I would hope to remember it because I remember the different classification levels associated with the confidentiality aspect of the model and b) because of the model’s rules (below) which describe the actions that cross the layers of the lattice itself. The three bullet points are intrinsically important to the model and are easy to write questions for. In addition, when you move on to study one of the other models, you find that it has the exact reverse of the first two rules – this makes for an obvious exam question that you Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire could write comparing the two models. As with deciding which material you’re going to make note of, I also find it important how I note it down. The more economical I can be with words and letters the easier I find it to remember. Now my notes would read: Bell LaPadula: confidentiality no read up – simple no write down – * discretionary – access matrix MAC state machine info flow “[…] These first two properties define the states into which the system can transition. No other transitions are allowed. All states accessible through these two rules are secure states. Thus, Bell-LaPadula–modeled systems offer state machine model security. The Bell-LaPadula properties are in place to protect data confidentiality. A subject cannot read an object that is classified at a higher level than the subject is cleared for.” So this is really just explanation of what we’ve already noted down – that the model protects confidentiality and that it is a type of state machine. The final sentence just spells out the Simple (no read up) rule that we dealt with previously. “Because objects at one level have data that is more sensitive or secret than data in objects at a lower level, a subject (who is not a trusted subject) cannot write data from one level to an object at a lower level. That action would be similar to pasting a top-secret memo into an unclassified document file. The third property enforces a subject’s need to know in order to access an object. The Bell-LaPadula model addresses only the confidentiality of data. It does not address its integrity or availability.” Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire Again, this just goes on to explain the ‘no write down’ Star property and the Discretionary rule that we’ve noted down previously. It reiterates that the model only addresses confidentiality (a point that we dealt with earlier). Lets take a look at the final block: “Because it was designed in the 1970s, it does not support many operations that are common today, such as file sharing and networking. It also assumes secure transitions between security layers and does not address covert channels (covered in Chapter 9, “Security Vulnerabilities, Threats, and Countermeasures”). Bell-LaPadula does handle confidentiality well, so it is often used in combination with other models that provide mechanisms to handle integrity and availability.” OK, so here I’m going to contradict myself slightly. I would consider noting down ‘1970s’. Not because I expect a question asking me when the model was developed, but because if I got a question about a model which didn’t support file sharing and networking I would hope Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire to remember seeing ‘1970s’ written down under Bell-LaPadula and infer that this was the right one based on that. It’s less to remember to see ‘1970s’ in my mind rather than: ‘does not support file sharing and networking’. On the point that the model doesn’t support covert channels, this is something that I wouldn’t note down at this point (or if I did I may remove it later on). The reason being that the relevance of it from a testing point of view depends on the other models that you are expected to be able to compare with Bell-LaPadula. It’s only likely to be relevant if you find that other models do address covert channels. The last sentence confirms what we already wrote down – that the model only provides confidentiality. So after all that text the notes that we end up with are: Bell LaPadula: confidentiality no read up – simple no write down – * discretionary – access matrix MAC state machine info flow 1970s Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire 6. CISSP flashcards (why you need them) This chapter goes hand in hand with Note Taking because it relates both to the initial study period (where you create the notes and flashcards) and the revision phase (where you use the notes and flashcards to revise for the exam). The reason I’ve included a whole chapter on this is because I have no doubt that a big part of the reason that I passed first time was due to my diligent use of flashcards. The reason that you need flashcards comes down to the actual process of studying. I the past I was pretty bad at exams, in the first year or so of my undergraduate studies my study/revision process went a bit like this: 1. write some notes 2. maybe highlight some of them 3. read over them a couple of times before my exam. I passed, but never did very well. Towards the end of my degree I had a course that could decide my overall grade, if I did well it would push my overall grade up. The pressure was on! In addition to studying and revising harder, I also studied smarter. I wrote sets of flashcards as I worked through the material and kept going over-and- over them leading up to the exam to the point where I was almost bored of knowing all the answers. The result? I passed with Distinction. I used the same principle when I studied for the CISSP exam. I was paying for the exam out of my own pocket and definitely didn’t want to have to take it more than once, I passed first time. Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire Why am I telling you all this? Because I want to you pass the CISSP first time too! The reason flashcards are so important is because they force you to recall information. If you have notes, you can read them as many times as you want but you aren’t practising how to recall the information. That is what you have to do when you’re taking the exam. You read a question then have to fumble around in the gloomy archives of your mind to find the information that you need to answer it. If you haven’t practised the ‘recall’ aspect then you’re going to struggle. how to write them This is very similar to taking notes, however the long and short of it is that you have to distil the relevant information, noting only material that you think is testable and that you are likely to forget. You’ll notice for example that none of my CISSP flashcards have any questions on what ‘CIA’ (Confidentiality, Integrity, Availability) stands for. Why? Because there’s no way I would forget a fact like that so what’s the point in wasting time revising it? When you are writing your questions, experiment with giving yourself prompts in terms of how many facts you’re trying to remember. For example, revising: “what are the 4 steps to BCP?” is easier to revise than the open ended question: “what are the steps of BCP?”. In terms of writing your answers, try to keep them as brief as possible, you’re trying to memorize them so the shorter they are the better. I also like to write my prompts as questions, so that you are clear what information you are supposed to be recalling. Too often I see people’s flashcards with a single word on one side then one of a number of possible responses on the reverse – if I had bought these I would find them very frustrating to use! Whether you decide to have physical paper cards or use electronic ones is a matter of personal preference. It depends on access and how/where you will be studying. If you will always have the internet available while studying then by all means use an online service. If your access to internet/computer/phone is limited then you may prefer physical flashcards. Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire how many flashcards should you have? As few as possible. This is the same as notes. If you had notes on everything you would be reproducing your study guide. The aim is to have as few as possible whilst making sure that you’re covering all the crucial facts. I ended up with around 550 – not because I couldn’t think up any more – but because I couldn’t get it any lower without missing crucial material! You can get hold of my CISSP flashcards here: iOS, Android. Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire 7. how to revise This chapter covers the process of revision – this is probably the most important part of your preparation in terms of passing the exam. My intention is to try and keep this chapter brief, breaking the subject into 5 topics, as if you are actually revising now, you probably feel under pressure and I understand that time is precious! 1 know your enemy (and make friends with it) The first thing that we need to recognize is that in order to revise (read: prepare) effectively for anything, we need to know what we are revising for. By this, I don’t mean simply ‘an exam’ or ‘the CISSP exam’ but rather what style of exam is it? What type of questions could we reasonably expect? And what knowledge are we going to need for it? Do your best to research question styles so that you at least have a rough idea of what to expect. The bottom line is that the CISSP exam is multiple choice. This points to two particular skills that will really help you out: recognition and tactical elimination: • recognition – by going over notes/using flashcards there will be some answers that should jump out to you as being familiar (and likely correct provided you check the question carefully) • tactical elimination – for questions where you are uncertain which the right answer is you can narrow the choices by eliminating those that you know are incorrect 2 refresh your overview Before you start freaking out that you can’t remember how many bits there are in a MAC address (48) you need to review your high level overview of the CISSP material. The temptation is to dive into the detail headlong (especially if your exam date is looming) but it really helps to start by taking a step back to look at the broad topic structure. The main benefit of this is that by having a broad structure in place in your mind its easier to: Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire • structure the topics so that you can add/link the detail that you revise in the next section (as the information ‘goes in’) • provide a map which can help signpost your recall to the detail that you require when answering questions (as the information ‘comes out’) This doesn’t need to take long, especially if you’ve taken good notes you can probably list the main topics and sub-topics within a couple of hours. 3 revisit the CISSP study topics in reverse order This the last time that you’ll review the material without a pointer (see below). This isn’t simply about reading the book again, it’s a chance to review the material to check that you haven’t missed anything in your notes – it’s a ‘skim read’ if you like, paying extra attention to things like lists of contents, bullet points and end of chapter review sections. If there are any topics that stand out as being weak areas, now is the time to pause and revisit that material. The reason for going through chapters in reverse order is that when you finished the book the first time, chapter 1 was a long time ago, I feel that by switching it up you’re giving yourself a better chance of keeping an equivalence of ‘freshness’ across the topics (this may seem illogical as I realise that the you now have the reverse problem, but try it and see how you feel)! 4 keep your knowledge fresh (using flashcards) For me, flashcards were a real lifesaver. They force you to actually use your mind to recall information and help prevent you from getting lazy. There are several ways you can use them, but other than reinforcing your learning, they will quickly highlight weak knowledge areas acting as a ‘pointer’. Concentrate on these weak areas (by going back to your study guide if necessary) until you Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire are confident. I would keep them with me and do short bursts (say 5 or 10 at a time). 5 have a schedule but be flexible This is perhaps the most crucial point. How long it will take you to revise is personal and not an exact science. The fact that you can cancel the exam close to the date without penalty is both a blessing and a curse. If you couldn’t cancel it, you would just have to do your best up until the day, then cross your fingers. Now its up to you to decide whether you’re ready which isn’t always easy. The approach I took was once I had finished my initial study, I estimated roughly how long it would take me to revise and booked the exam accordingly. That way I had something to work towards, after you’ve put so much work into your study it would be a shame to lose momentum during revision, have second thoughts and back out. Map out your revision schedule allocating yourself time for each section (which you mapped out in phase 2) plus a safety margin prior to your exam date. Based on your levels of success using your flashcards and utilizing online practice questions you will be able to decide whether you feel confident to take your CISSP exam. Having a schedule for your revision should help you avoid the need to cram at the last minute which is both stressful, and according to an article on the Guardian less effective than spacing your revision out. Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire 8. how to know when you’re ready This chapter aims to give you some guidance in deciding when you’re ready to take your CISSP exam. There are a few hurdles which can make this a difficult decision to make, but my aim is to help you make that decision in a systematic manner that is bespoke to you. factors – knowing you’re ready for your CISSP exam So here are the factors to consider when deciding if you’re reading to take your CISSP exam: • performance on practice questions • confidence/familiarity with your knowledge • cost • time sensitive factors Practice questions There are a few things which make it hard to decide whether you’re actually ready. One of which is a lack of accurate practice CISSP exam questions. You know roughly what style the questions will be (multiple choice, scenarios, drag-and-drop) but although people can’t discuss their exams it’s common to hear the complaint that the questions weren’t really similar to any that they’d practised. All you can really do is make sure that you’ve practised plenty of questions ideally from multiple sources. Certainly make use of the online Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire practice tests that come with the Official Study Guide and seek out as many others as you can. In order to pass you effectively need to be comfortably hitting over 70%. I would recommend that you ensure that you’re in the 80%s before taking your exam. Confidence in your knowledge Your revision phase should also be giving you a good idea as to how well you know the material. In addition to using practice questions, you should also be utilizing flashcards as they are excellent at reinforcing learning and keeping your knowledge fresh. When you’re presented with a practice question, because it’s multiple choice, you are being shown the answer. Whether you can correctly identify it or not is another matter. But you are mostly recognizing rather than recalling (when you first read the question) which are different. This is particularly the case where you are going over practice questions more than once. You will very quickly recognize a particular scenario and remember the answer from before, even if you don’t actually have the knowledge that the question is asking about. Whichever way you decide to structure your revision, you need to feel confident that there are no major holes in your understanding. Because you will be going over your flashcards repeatedly, you really need to be getting over 90% of them right before taking the exam. Cost This is something that will depend on your personal circumstances but if you’re paying for your CISSP exam out of your own pocket the chances are that you won’t consider it cheap. At the time of writing the US cost for the exam is $599, or to put it another way – if you fail the first time you’ll end up paying at least $1,198 in total to pass! In the UK the cost was £415 when I took my test and there was no way I was going to fail and have to retest for a total of £830 of my own hard earned cash. If however you’re being sponsored by your company, this may not be such a concern. Because you can cancel the your exam very close to the date this does mean that you can set a date and book your exam, then as it gets closer if you don’t feel confident you can always cancel it and reschedule at no extra cost. Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire By having a date set it gives you something to work towards which should help you keep motivated. Time sensitive factors This aspect depends on your life events and what you have going on. Do you need the certification in order to be able to take on new role on a specific date? Are you on a contract that is ending soon and want to be CISSP certified when looking for your next job? In that case there are reasons specific to you that will encourage you to get the CISSP exam under your belt sooner rather than later. Other time sensitive factors may be things that impact your ability to study. For example if you’re currently busy with a project at work you may not have the time to study effectively and may plan to pick up your CISSP studies at a later date. On the other hand if you are expecting a baby it may be wise to try and pass your CISSP exam before you’re kept up all night with a crying child! taking the plunge The questions you need to be able to say ‘yes’ to before taking your CISSP exam are: 1. Are you hitting over 80% in your practice tests? 2. Are you confident in your overall knowledge of the material to the point where you’re getting more than 90% of your flashcards correct? 3. Are you clear on the exam costs if you don’t pass first time? 4. Have you taken your own personal time sensitive factors into account when setting a date for your exam? Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire If the answer to all these questions is ‘yes’ then you should consider yourself ready! Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire 9. 24hrs to go… Crunch time, you have put a lot of work into this – most likely you’ve spent months studying hard and searching online ‘how to pass CISSP exam’ in it’s various guises. No doubt you soon found that there aren’t any shortcuts. You have to study hard and smart to be in with a fighting chance. Hopefully you have read the preceding articles (particularly those on revision and my post on how to know when you’re ready). I’ve been (un)fortunate enough to have to take a few exams in the last few years however I understand that for some people it could have been many years since you had to go through this ordeal – if so my sympathies are with you! I’ve also been the position in the past of performing solo classical piano recitals at university so believe me, I know what it feels like to feel under pressure to perform! Remember that this is my advice, if you disagree with it and want to prepare in a different way that’s fine – it’s your exam, not mine. the day before The day before any exam I do no study at all. None. Why? Well actually there are a few reasons. Firstly, you already know that the amount of material that you have to study for this exam is vast. Most likely it has taken you months rather than weeks to get through, so if you really think that studying for a few extra hours the day before the exam is going to make a significant difference to your knowledge you’re kidding yourself. At this point preparation is more about preparing yourself rather than preparing the knowledge. Secondly, you are likely to keep going over topics that you struggle with. For example if you’ve spent the last few weeks struggling to remember the numerous key lengths of the various cryptographic functions, this is likely to be what you will continue to do for the last few hours. If you haven’t got it by now its better to accept that you wont get it. Accept it rather than punishing yourself and making yourself even more anxious than you are already. Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire Finally, it’s important to rest before taking the exam – it’s challenging, it’s long and there are a lot of questions to get through which require your concentration. Don’t put yourself in a poor starting position by staying up late studying the night before. The day before and exam I make sure that my books, flashcards, apps and Facebook groups are out of sight and out of mind. The final stages in how to pass your CISSP exam are: rest, relax and plan. Plan? What do you mean plan? You’ve already said not to study and it’s not as if you know what the questions will be, so how can you plan? So this planning is all about putting you in a strong position so that you can give yourself the best chances of passing your CISSP exam. The aim is to reduce your worries and manage the practical aspects of the day to avoid unnecessary stresses. This includes: • planning your journey (Google maps is our friend) – make sure you know exactly how you’re getting to your CISSP exam • be generous with time – give yourself a safety margin • decide what you’re going to wear – comfort is the key • decide what you’re going to eat before you leave – running out of energy isn’t going to help • put your ID in a place you can’t forget it – imagine how disappointed you would be to get turned away without even starting • consider taking earplugs – noise irritates some people (like me), you don’t have to use them but wouldn’t it be nice to have the option? • take food and drink – you won’t be allowed to take it in but can leave it just outside the door and take a break to eat if you want to Get more study resources at: cyberonthewire CISSP Study Guide from cyberonthewire It goes without saying that getting a good night’s sleep is important but then we also know that this isn’t always the easiest thing to control. After all, the more you worry about the importance of sleeping the more unattainable it seems to be. Suffice to say that the better you have planned and prepared the less you will have to worry about when you go to bed. Make sure you give yourself at least the opportunity to get plenty of sleep and whatever you do, don’t stay up all night revising! day 0 Test day! You thought it would never come, wished it would and now, perhaps wish it hadn’t! The most important thing about test day is not to concern yourself about whether you pass or not – by this stage it’s largely out of your control anyway. You’ve done whatever study you’ve done and the rest is down to what questions you get and your test technique. Make sure you have a decent meal before you take your exam as the CISSP is long. Make sure you take your ID with you as well as your snacks, drink and earplugs. Stick to your plan in terms of travel to make sure you arrive in plenty of time. One trick that I’ve adopted is to get to the building with plenty of time to spare so that I know EXACTLY where it is and then go and have a coffee somewhere nearby. That gives me the option of having a nice big safety margin (if I get delayed I just go straight in) and avoids last minute panic of not being able to find the right building. At the same time it avoids sitting around for ages in the exam building waiting with a load of other worried looking people! You’ll have to lock up your possessions (including phones) in a locker, then will be provided with writing materials in case you need to make any notes as you go along. You’ll be allocated a computer terminal at which you’ll take your test and then it will be time to start. You have to accept the (ISC) 2 terms/conditions before starting your test – this times out and if you don’t accept it in time you cannot sit your exam! From then on it’s just you and 250 (this has changed since the update to the CAT format) exam questions. Get more study resources at: cyberonthewire