LinuxQuestions.org


leeach 02-29-2004 10:04 AM

Certifications: CISSP
 
Looking for some advice from experienced people in the field.
(chort, where are you?:D )

I'm a Systems Admin here in the U.S. Army, and am attempting to get Uncle Sam to reimburse me for my Certifications.:p I'm very interested in the Infosec field, and am looking for some real world advice here from anyone who has obtained the CISSP or other security-oriented Certs.

I have been doing lots of studying on my own, I have CISSP study guides from ISC2, Ben Rothke, Derek Prueitt, Ryan Sebastian, and Steve Winterfield. I also have presentations/sample questions, whitepapers, exam crams, summaries, etc.
I've basically been stocking up on as much data as possible, burning it to CDs and studying as much as I can in my free time. What books would you recommend? Mailing lists?

I know that there are prerequisite Certs I must obtain before even attempting the CISSP, if I'm not mistaken, along with a proven track record requirement of 3+ years experience in an Infosec field. Would my military experience have any validity in this case?

What would be the best Certs to obtain to reach my goal in the most efficient yet most fulfilling manner? Would the CompTIA and GIAC Certs be a good way to start?
I would appreciate if anyone could give me some input on these questions, as I wouldn't want to get started out on the wrong foot and waste my time and resources. Thanks and god bless.

Mods, forgive me if this thread is in the incorrect forum, it seems like the best place to post.
:study: :study: :study:
:newbie:

chort 02-29-2004 03:04 PM

Well I can't give you any guidance about other certs, because I don't have any (and it's fairly unlikely that I would get any besides the SANS stuff).

For the CISSP, I read (cover to cover, and reviewed twice) All-In-One CISSP Certification by Shon Harris. The book was very complete, but there was at least one area that she didn't cover that was actually on the test. For that reason I would highly recommend reading study material from multiple authors (like you're doing). Also, like I mentioned I reviewed the book twice after the initial reading.

I went back over all the end-of-chapter summaries once just to make sure I understood all the concepts, then I started taking a bunch of practice tests at www.cccure.org. After taking several practice tests, it was apparent that my understanding of a few areas wasn't as good as it should be, so I went back and read the highlights from those chapters in the book. Then I went back to www.cccure.org and setup a bunch of tests (about 20) that only tested my knowledge of the areas I had problems with before. That time I did well. Oh, I should point out that earlier I read Building Internet Firewalls by Zwicky, Cooper, & Chapman and that provided a lot of foundational knowledge that came in handy.

The night before the test I got a long night of sleep (essential). I got up earlier than necessary so I could again read all the end-of-chapter summaries. Then I went to the test and made sure that a) I went to the restroom and b) took a bottle of water. Normally I guess they don't allow drinks, but they made an exception for our test group. The reason I didn't want to have to interrupt the test was so I wouldn't lose my train of thought. A lot of the questions relate to each other.

For taking the actual test, I went over all the questions once and I marked in the question book (not on the answer sheet!) the answers that I knew for sure. After I was all the way to the end, I started over at the beginning and transferred all my answers from the question booklet onto the answer sheet. When I got to a question that I hadn't answered, I either guessed, or I knew the answer based on some of the other questions I had read.

I ended up finishing in slightly over 3 HRs. Don't rush yourself to finish quickly though, you get plenty of time. The reason I went so fast was so I wouldn't get frustrated with the amount of time it was taking. I start to guess when I get impatient, so I tried to move along quickly without guessing.

OK, so that's the preparation and taking the test. The prerequisites are something like 5 years in InfoSec or 4 years + a 4 year degree (I think that's right). The good news is that a lot of experience will qualify as InfoSec, if it was a primary part of your job. I can't remember whether military experience counts. If you don't qualify for the CISSP (which isn't that difficult to do if you've held computer jobs, or jobs where you need to make security decisions), then you can take the SSCP which doesn't require as much background and is half the amount of questions as the CISSP test.

As for other certs, the only ones I'm considering are those offered by the SANS institute. The SANS certs are very hands-on and practical. The questions are actual examples from the areas you're studying (like UNIX security, etc) and they also make you write research papers. They're fairly well respected, especially the Forensics cert.

I wouldn't bother with any of the "intro" certs, like the Security+.

leeach 02-29-2004 04:52 PM

Quote:

Originally posted by chort
Well I can't give you any guidance about other certs, because I don't have any (and it's fairly unlikely that I would get any besides the SANS stuff).
Well let's theoretically say in the course of the next 4 years, which is more or less how long it will take me to obtain my Bachelor's in CS, that my occupation hasn't given me the opportunity to make many security-oriented decisions. This is highly unlikely but bear with me. In your professional opinion, do you think it would be enough to qualify for, let's say, 6 years of service in the military as Infosec experience? Or would it be more reasonable to say no? I am sorry about these questions, but it is something I really want to do. If the experience wasn't enough, would you recommend to start off with the SSCP over SANS, or vice versa?


Oh and also, www.cccure.org is where I found most of the study guides, it's a great site.
Here are a few other links I've come across that you may or may not be aware of:
https://www.isc2.org/cgi-bin/index.cgi
http://www.rothke.com/
http://www.sbin.com/erik/security/cissp_reference.html
http://cissp.christophstrizik.net/
http://www.securestandard.com/index.php?c=6
http://victoria.tc.ca/int-grps/books...v/mnbksccd.htm
http://comsec.theclerk.com/

These may or may not be of any use to you, but just thought I would list them. ;)


Quote:

I ended up finishing in slightly over 3 HRs.
Wow.


Quote:

As for other certs, the only ones I'm considering are those offered by the SANS institute. The SANS certs are very hands-on and practical. The questions are actual examples from the areas you're studying (like UNIX security, etc) and they also make you write research papers. They're fairly well respected, especially the Forensics cert.
Interesting, would you have any opinion on GIAC certs, aren't they on par with SANS?


Quote:

I wouldn't bother with any of the "intro" certs, like the Security+.
Ok, you have no idea how much relief that is for me.

Well, thank you chort, it's refreshing to know there is someone on these forums I can count on for in-depth professional advice. I truly appreciate you answering this thread and thank you again!:)

I'm going to jot down these suggestions for books and test tips, and hope you can find the time to answer my second set of questions. Thanks again!
:study:

chort 02-29-2004 06:08 PM

FYI the GIAC certs are from SANS. I believe they do have some more intro-oriented certs, but in general they're very specific and pretty tough (from what I hear). On the bright side, having a GIAC cert at least shows that you know something practical.

Six years in the military may very well qualify for security experience. I forgot to mention that there are some non-computer areas of security covered, especially physical security. If you, for instance, do perimeter security for a military base (were on patrol, manned a guard post, etc) that would qualify (in my opinion, but do not take my word for it). The trick is that you need experience in several of the 10 domains of the CBK. Review the 10 domains on (ISC)^2's website to see which you might have experience in.

The 10 domains are:

1. Security Management Practices
2. Access Control
3. Security Models and Architecture
4. Physical Security
5. Telecommunications and Networking Security
6. Cryptography
7. Disaster Recovery and Business Continuity
8. Law, Investigation, and Ethics
9. Application and System Development
10. Operations Security

I would think that military experience should give you some experience in Access Control, Security Models & Arch, Physical Security, Telecomm & Net Sec, and quite possibly Cryptography.

If you can't come up with the 60 HRs required, then I would say go for the SSCP. I'd go ahead and do that before you finish school, that way you already have it under your belt and you'll be able to move up to the CISSP. Oh, I forgot to mention that the CISSP (and SSCP) is largely a "best practices" cert, i.e. it tests your knowledge on what correct policies and procedures are, not on specific technical areas (i.e. what's the difference between a packet filter and proxy firewall, rather than what's the difference between CheckPoint FW-1 and Sidewinder).

leeach 02-29-2004 08:06 PM

If I happen to come up with any more questions, I'll just add on to this thread.

Great info chort, once again thank you.:D :D :study:

OlRoy 03-01-2004 03:28 PM

If I'm not mistaken the SSCP is like a slimmed down CISSP exam covering not as many "domains" and it doesn't go into the same amount of detail in each one. Here are the domains listed in the SSCP Study Guide by Syngress.

Access Controls
Administration
Audit and Monitoring
Risk, Response and Recovery
Cryptography
Data Communications
Malicious Code or Malware


I know where you can get e-books, training videos, and practice tests on just about any certification or topic there is in IT from programming to forensics, including security certs. There's a couple of places where CISSP training videos have been posted... It's a nice online community dedicated to learning for free. ;) Where to find it would probably have to be taken up via PM though.

leeach 03-01-2004 03:39 PM

So PM me, thanks for the help.

Why not just post it? Is this a secret organization? lol

OlRoy 03-01-2004 04:15 PM

hehe nah, it's not a secret organization. I'm just not sure if it would be violating the AUP of this site. I tried PM'ing you but apparently you have to be a "contributing member" to use PM. Do you have a junk email address I could email it to?

leeach 03-01-2004 04:42 PM

Sure, I got a junker:

pokerfreek187@yahoo.com


Thanks man, I'm looking forward to finding out about this, and I'm pretty sure everyone posts links here, I don't think it's against policy...

chort 03-01-2004 04:53 PM

No, but it's against policy if they're offering copyrighted works for free without the author's consent.

Which, incidentally would be covered by the Ethics portion of the CISSP... It's pretty despicable that someone would be offering pirated training material for the CISSP, since the (ISC)^2 code of ethics (that you MUST agree to in order to take the test) is clearly against that type of thing.

OlRoy 03-01-2004 05:35 PM

^^ Are you saying that with a hard drive full of MP3's? :p

I didn't email him any pirated material... But now that you brought it up, I don't think downloading pirated software is wrong unless the company loses a sale. I'm sure at least 80% of the pirates fall in that category. They only download something because they can get it for free. The other 20% is people who download it to get out of paying for the software, which costs the company money.

Sinning is against religion but it doesn't stop people from being religious.

leeach 03-01-2004 07:06 PM

Aaah I see now, there are some illegal wares on the site, but I won't be partaking in any of it. I'm gonna post the e-books I have and download others that I don't.:)

chort 03-01-2004 07:11 PM

Erm, hello? e-books that were posted by the author and/or publisher freely, or e-books that someone paid for and is now distributing? Just because something is on the net doesn't make it OK to take.

And if you must know, I do have several Gigs of MP3s... all ripped from CDs I own. Don't hijack the thread into a moral debate over piracy. I clearly said that as part of the CISSP certification, you agree to abide by the (ISC)^2 code of ethics, and that prohibits this sort of thing.

leeach 03-01-2004 08:39 PM

Well, I'm not trying to hijack the thread...:(

Many e-books are freely distributed on the net and on this site given to me... mostly study notes, and cheat sheets if you must know.. pretty good resource besides the legality issues...
