Tag: Security

My Journey towards CISSP

Disclaimer! There is nothing extraordinary about this writeup. This is yet another person’s journey towards earning CISSP certification. Hope you will find it useful.

My motivation to do CISSP was – I wanted to explore my career options and to wisely utilize Covid-lockdown.

Pre-Game: How I was introduced to CISSP

It was back in 2015 when I heard about CISSP for the first time. My manager who is a person with great knowledge in security field wanted to appear for CISSP just to fail! Yes, you read it right – he wanted to FAIL to gain experience!! Back in those days, people hardly used to clear this exam on the first attempt.

He described the certification as a mystery, as we never know why one passes or fails the examination. And that the result is always a surprise, irrespective of whether one gets through or not. This perspective of CISSP is due to the nature of its vast syllabus, which includes Physical Security, Application Security, System Security, Network Infrastructure, Cryptography, Security Operations, Risk Management, Identity and Access Management.

In a nutshell, CISSP includes everything related to security setup for an organization. And this is when I decided to pursue CISSP- a benchmark in the field of Security. Because it always feels great to push yourself to achieve that extra mile. Isn’t it?

I don’t want to talk about the prerequisites or the structure/syllabus of CISSP certification as it is available publicly on official ISC2 website. Here is the link for the same.

The Prep!

Having set the expectations about CISSP, here is how I started my journey. Firstly, I had to go through various blogs and videos from experts about the CAT based structure of 150 questions and then decide upon what books to read and what courses to go through.

(If interested, you can find the list of references at the end of the write-up)

As the entire CISSP curriculum revolves around CIA triad [Confidentiality, Integrity, and Availability], the mindset was important. To answer the questions, one should approach each question like a manager (the one who gets the things done) and not as an engineer or consultant (who actually does it).

People generally say that CISSP is non-technical, but in my opinion, it is the other way round. Technical knowledge is important to understand the impact and severity of the issues.

Game ON : Kick Start!

My preparation started in the month of June 2020 which was the right time to focus on my preparations. Nation-wide lock-down forced us to work from home. So, my travel time used to be on an average of 4 hours a day was cut off and now, I had enough time for myself.

I first bought official CISSP study guide (Sybex) as I am not a person who would enjoy reading from a screen. My plan was to clear 8 domains – one domain per week and appear for the exam in next 2 months. I failed big time due to the huge syllabus. So now based on my expertise, I needed a better plan. Soon, I realized that I should focus more on Cryptography, SOC, Security Architecture and Identity Management.

This time again, I started with official study guide and parallelly went through Kelly Handerhan course on CISSP which kept me up when I was drowsy (at least most of the times). I would relate to the concepts that I had read from Sybex and would make notes for myself.

During this process, I found difficulty in understanding the 5th domain (Identity Management) and soon learned from various forums that Shon Harris book does a better job at explaining the same and fortunately, it worked for me as well.  It was a challenge to remember the concepts. As I proceeded with newer domains, I was forgetting the older ones. LOL, yes! Even after going through the notes, it was a bit difficult to recall them completely. It took me almost 4 months to cover the syllabus. I took up a few practice questions and did not feel positive about my preparation. On the suggestion of one of my friends, I enrolled for Prabh Nair’s course and redid the syllabus. And this time, I started feeling more confident during his sessions and was able to relate and recall my readings. Best part about Sybex book is that the author has given case studies which helps us understand real world scenarios. It was all going well, and I was prepared to give the exam around November 1st week 2020 which was like 5 months of dedicated preparation. But unfortunately, I got diverted in between for a month or so due to office work. Although I started over  in December, I was back to square one.

Finally, I decided to take 2 weeks off from office work and regain my focus back on CISSP. As December is off season, it was easy to get the approval for my leaves. I spent more than 10 hours a day to revise Sybex and started taking up domain-wise practice questions from official practice tests.

By the end of December, I had started appearing for mock exams from various sources. To name a few – telegram groups, LinkedIn posts, ITdojo’s YouTube videos, Flashcards, and dozens of other websites. One important resource worth mentioning is BOSON Set. This was one of the best practice materials. The best part about it was that they don’t just discuss the correct answers but also describe why the other options were not eligible to be the right choice. The evaluation notes were short, crisp and quite informative.

Registration & Final Preparation

My concern was not about passing or failing the exam but attending the exam. I had already soft-rescheduled the exam twice. I was mentally stressed. In fact, I even dreamt about the CISSP topics a couple of times. The hardest part about this journey was cutting down my family time and social life. Finally, I decided to challenge these thoughts and bring them to an end.

It was high time and I was unable to do any more readings. In this situation, notes came to the rescue. With the help of my notes, I could focus on the topics that I was lagging behind with and this became very convenient for me. Hence, I would highly recommend to always take down your own notes while doing the reading.

The Exam:

The examination center was very unique with glass partitions, complete surveillance and palm-vein scan on both entry and exit gates. You are not supposed to carry personal items and should be wearing mask (due to covid restrictions) for all 3 hours. This is justifiable. They do provide noise-cancellation headphones to stay focused.

Overall exam experience wasn’t too rough. I personally felt confident while giving the exam. I think with the number of practice tests that I had appeared for, I was already acquainted with the language and the questions formation. As I mentioned earlier, the exam did not require any advanced techniques or exploitation. All that we learn from the course is the thought process and the approach.

I rushed out as I was eager to get the letter from the front desk. As soon as I received the letter, I started looking for the word ‘Congratulations’. Of course, no one would say congratulations when you have failed. LOL!

Finally, I saw the golden phrases – “Provisionally Certified”.

Advice to future CISSP aspirants:

  • The exam alone isn’t technical. Understanding questions play a major role.
  • Do not solve questions during initial days when your concepts are not clear, that will either freak you out or get you overconfident.
  • Stay hungry and greedy for practice questions.
  • Be a part of Telegram or any other CISSP aspirant groups to stay motivated. Questions discussed in such groups give a different perspective of the same question.
  • Go through Destination Certification videos on CISSP; they are short and crisp.
  • Appearing for mock exams before the final one will help in managing your time better.
  • Dedicate last week only for questions and mock exams.

Materials I followed:

  1. Sybex – CISSP Official Study Guide
  2. Sybex – CISSP Official practice tests (Wiley Efficient Learning app is highly recommended)
  3. CISSP All-in-One Exam Guide by Shon Harris
  4. Kelly Handerhan Cybrary and Prabh Nair’s course
  5. IT Dojo and Destination Certification YouTube videos

Information Security Myths

Do you think protecting a organization from bad guys is an easy task? not as easy as you/people think, indeed its a difficult task to handle. War between hackers and pentesters on securing and exploiting a website is on one such task which is ageing from past 10+ years, worst part is high level management with in an organization is unaware of risks involved in not prioritising security.

Not just startups even some MNCs fail to take a baby step  towards securing their organization because of some of the below security myths.

 

  1. My organization has passed security compliance from ISO 27001 hence its completely secured

  2. Network/ Application security audits catch all the vulnerabilities

  3. Web Application Security Assessments find all vulnerabilities and no way bad guy can hack

  4. My developers are skilled, We never had any data breaches on our organization and we are safe!

  5. Secure Socket Layer (SSL) Protects my website

  6. We are a mid-size and with limited network/application, hence security is not an issue

  7. We have widely used firewalls and routers which defend us from attacks

  8. Blame game within an organization between developers of application side and network side(lack of information)

  9. Programming/Scripting languages used are secured languages

  10. We don’t have anything worth to steal or trouble

  11. Anti-Virus is protecting me against malware’s and fresh exploits

  12. Data stored in our systems are encrypted/salted and completely under our control

Information Security Myth's