Archive for the 'Certification/Security+' Category
Taking the CISSP: part 1

I took the CISSP.  I really don’t know what to say about it aside from acknowledging that it was extremely difficult.  Andrew Briney’s article is the most accurate description of the CISSP test.  Briney says, “It’s a mystery wrapped in riddle inside an enigma.”

His other very true point:

“The exam is best characterized as an ‘inch deep and a mile wide.’ Whether this makes it easy or difficult is a matter of perspective.”

For me the hardest part was the answers.  I feel like I’ve mastered the art of studying for a test.  The fact that there is so much knowledge crammed into a 250-question test makes my study techniques watered down.  It’s very difficult to cover all 10 domains effectively.

I’m not one of those bastards that can walk into a test cold (no studying, no worries) finish in half the average time and pass.  If I don’t study, I fail.  I’ve learned to live with this.  I know my weakness.  I just second guess myself too much on every answer.  I’m one of those guys that does not believe that everything is black and white but that everything is a million shades of gray.  For me that is where the difficulty lies.  The CISSP wants you to choose the “best” answer.  So while many or even ALL of the answers might be true, there is only one BEST answer.  But my best might not be your best.

I’ve taken many certifications.  They have become almost a hobby of mine.  In June, I took the Security+ hoping it would help prepare me for the CISSP.  First of all let me just say that comparing the CISSP and the Security+ is like comparing Lennox Lewis’ fighting style to that of some 12 year old girl from John C. Still Middle School.  There is NO freakin’ comparison… NONE, do you hear me!  The preparation that I put into the Security+ is what helped me in my CISSP success.  That being said, there were about 6 very similar questions from the Security+ that were on the CISSP, but the CISSP contains ALL of the domains of the Security+ on a comprehensive level.

As I said, I’ve taken many certs.  And I DO NOT think that taking a test will make anyone instantly smarter or more technically skilled than some “l33t hacker” that has been cracking databases since age 12, but I DO believe some certifications have great value to the IT and Security industry.  With the possible exception of the CISA, the CISSP is the most exalted security cert you can get right now.  Many say that any dependency on certification is what is lowering the number of IT and security professionals with skills.  While there may be truth to that, I say it is just another way for employers to gauge whether or not they are investing in a skilled employee.  Whether they choose the right candidate will ultimately be decided (just like anyone else) by time.

NO certification I have taken comes within an Astronomical Unit of the CISSP.  Of course I’m not an MCSE or a CCNP (though I’ve tasted the fruits of both) so perhaps there is a match in its level of difficulty.

Having taken the test, I don’t feel I was fully prepared, even though I have legitimate experience in nearly all aspects of security and I read a book and studied on and off for a year before taking the test.  I tell you, this test beat the shit out of me.  They give you 6 hours to complete the test and I finished in 5 1/2 hours.  When I was done, I was sure I’d failed.  I started trying to think of ways I’d pay the company back since they would not pay for a failed certification.  I also started studying for the repeat.  I was pleasantly surprised when I got the “congratulations” email.

Adequate study for me would have consisted of reading no less than two “600 page” books and going to a boot camp.

This is the best online CISSP resource I have found: www.cccure.org.

Special shout-outs go to the ISSA COS chapter and Mr. Proeller, so long and thanks for all the bagels.. bad, bad joke…42.

Is The Security+ Still Worth It?
I took the Security+ test a few weeks ago. I think the process of learning all of the security nuances in preparation for the test is a really good start for beginning security professionals and IT folks wanting to round out their resume. If you prepare for the test it is easy.. I don't think that it is a walkin' off the street type test but it is not that hard.

How relevant is it? Just do as Michelle Rowton did and do a search for it on Monster or Dice.. compare those results to other certs that employers are looking for.

I was taking the Security+ to prepare for the CISSP. As I've been studying for the CISSP the Security+ seems to have been a drop in the ocean. While I was able to draw on my years of experience to pass the Security+ (and not study as much) the CISSP is spread so thin over so MANY domains that it requires much more dedication.

Comment from DIGG:

In my opinion the Security+ certification is over-rated and is no more than another logo and a cert on the wall. Several people probably take the test as a stepping stone to the CISSP, or they take it for the simple fact that it’s a cheap certification that they never have to renew.

Security+ vs. CISSP Part 1

I took the Security+ certification test.  I didn't read any books but I did read a lot of test questions, went to a seminar sponsored by my local ISSA chapter and I've got a few years' experience in all the Security+ domains.  After studying hard for a few weeks, I don't think that the test was that hard.  If I had not been prepared then I can see how it might have been difficult as there are some pretty specific questions on things I did four years ago.

The Security+ is NOTHING compared to the CISSP.  I've yet to take the actual CISSP cert test, but as I've been studying it is VERY clear that these tests are from different planets.  It is like comparing the CompTIA N+ to Cisco's CCNP or CCIE… o.k. maybe not CCIE, but CCNP for sure.

I've been studying to take the CISSP on and off for about a year due to a fairly full plate.  I plan on taking the test in the next few months so I've started reading up on some practice questions.  My original plan was to get a Security+ cert so that I could prepare for the CISSP.  As I've been reading the practice questions on CISSP I'm finding that the Security+ is simply not robust enough to even come close to helping me study for the CISSP.

Once I take the actual CISSP I'll be able to make a better assessment, though.

One of the most helpful items I found was a Security+ cheat sheet.  It is a very concentrated view of all five Security+ domains and makes for a great study reference.

Domain 1.0 – General Security Concepts (Security+)

1.1 Recognize and be able to differentiate and explain the following access control models

o MAC (Mandatory Access Control)

· Access controls based on security labels (sensitivity labels) associated with each data item

· Lattice = MAC model

· Using levels of security to classify users and data is a characteristic of MAC

o DAC (Discretionary Access Control)

· Access controls that are created and administered by the data owner are considered DAC

· Each object has an owner, who has full control over the object

· The inherent flaw in DAC is that it relies only on the identity of the user or process, leaving room for a Trojan horse

o RBAC (Role Based Access Control)

· Access control decisions are based on the responsibilities that an individual user or process has in an organization

· Relationship of user, role and operation: multiple users, multiple roles and multiple operations

http://aleeya.net

Found a cool site.  Girl Geeks are like diamonds in the rough. 

Check out her incredible Security+ Cheat Sheet! 

Recognize and be able to differentiate and explain the following access control models

· MAC (Mandatory Access Control)
· DAC (Discretionary Access Control)
· RBAC (Role Based Access Control)

To understand MAC, DAC and RBAC you must first understand Access Control.

Access control is the governing of how users and processes may access network and operating system resources.  For example, many spyware and adware applications not only download themselves onto your computer without your permission, but they also help themselves to your system’s CPU, hard drive and memory.  What happens to most of us is that we get hit with 10 or 15 of these applications by accessing the Internet without protection.  Imagine 10 to 15 badly written memory hogs using your CPU and memory to access your cached references to your web surfing habits (or worse, credit card or SSN data) and send that potentially valuable information to some server in Nigeria or Russia.

Mandatory Access Control (MAC)

Mandatory Access Control is military grade security.  Like DAC, it has been around since the 60’s.  With MAC, the security on all resources is strictly policy controlled.  All processes and users (or subjects) must be specifically given permission to access a resource (or object).

Subjects are given a number indicating their level of access.  Subjects can access any object with a lower number.  With modern military and national security systems this permissions matrix is supplemented with a classification level.

Discretionary Access Control (DAC)

Discretionary Access Control is where a subject has control over an object.  In this case a “subject” could be a home user.  And let’s say the home user has admin privileges because she wants to download applications like Kazaa Lite ++.  The “object” or resource is Money Quick, a financial application that creates important bank account spreadsheets.

The home user is no fool, so she locks the Money Quick application down so that only the administrator has permissions to the file.  She is the only administrator on the computer, so there is no problem, right?  Wrong.  With DAC, any application that runs while the current user is logged on has the same permissions as that user.

So, the home user finds Kazaa Lite ++ on the Internet and downloads it.  The shareware app is of course loaded with all kinds of spyware, adware and Trojan filth that goes directly for her Money Quick software.

DAC is very popular and has been in use primarily in the commercial and academic worlds since the ’60’s.

Role Based Access Control (RBAC)

Role Based Access Control is fairly new and is considered the evolution of DAC and MAC.  With RBAC, each subject is assigned a role.  Users without roles can be put into groups that pertain to a certain department or job such as sales or management.  Objects grant access to subjects only on the basis of the permissions assigned to them.  Modern operating systems such as Solaris, Linux and Windows 2k/XP/03 are perfect examples of how Role Based Access Control works.

RBAC started in the 1990s and fully materialized in the RBAC96 model.  There is currently a lot of research being done on RBAC.
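As an added illustration (not from the original post or the cheat sheet it quotes), here is a small Python model of the three access control models covered in the Domain 1.0 outline and the sections above: a MAC label lattice where a subject reads only what its label dominates, a DAC object whose permissions any process running as the owner inherits (the Trojan horse flaw), and an RBAC user-to-role-to-operation mapping. All labels, users, roles and the Money Quick file are constructed for the example.

```python
from dataclasses import dataclass, field

# ---- MAC: labels form a lattice; a subject may read an object only if the
# subject's label dominates the object's (level >= and categories a superset).
@dataclass(frozen=True)
class Label:
    level: int                           # constructed scale 0..3 (Unclassified..Top Secret)
    categories: frozenset = frozenset()  # compartments, e.g. {"FINANCE"}

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.categories >= other.categories

def mac_can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)

# ---- DAC: the owner writes the ACL, and anything running as a user gets that
# user's permissions, which is the Trojan horse weakness described above.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

def dac_allows(obj: DacObject, running_as: str, perm: str) -> bool:
    return perm in obj.acl.get(running_as, set())

# ---- RBAC: users get roles, roles get operations; no per-user grants on objects.
ROLE_OPS = {"admin": {"read", "write"}, "sales": {"read"}}
USER_ROLES = {"alice": {"admin"}, "bob": {"sales"}}

def rbac_allows(user: str, op: str) -> bool:
    roles = USER_ROLES.get(user, set())
    return any(op in ROLE_OPS.get(role, set()) for role in roles)

def demo() -> dict:
    """Run the three models on constructed data and return each decision."""
    secret_fin = Label(2, frozenset({"FINANCE"}))
    topsecret_fin = Label(3, frozenset({"FINANCE"}))
    secret_nuc = Label(2, frozenset({"NUCLEAR"}))
    money_quick = DacObject(owner="home_user", acl={"home_user": {"read", "write"}})
    return {
        "mac_read_down": mac_can_read(topsecret_fin, secret_fin),       # True
        "mac_read_up": mac_can_read(secret_fin, topsecret_fin),         # False
        "mac_wrong_category": mac_can_read(topsecret_fin, secret_nuc),  # False
        "dac_other_user": dac_allows(money_quick, "guest", "read"),     # False
        # Spyware launched by the owner runs as the owner: DAC cannot tell them apart.
        "dac_trojan_as_owner": dac_allows(money_quick, "home_user", "read"),  # True
        "rbac_sales_write": rbac_allows("bob", "write"),                # False
        "rbac_admin_write": rbac_allows("alice", "write"),              # True
    }
```

The MAC check is the read-down rule only; a full lattice model would also restrict writes, which the post does not discuss.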