Topic: CISSP ISSAP (Read 8603 times)
alucian (Full Member, Posts: 225)
CISSP ISSAP, on: May 16, 2012, 09:01:48 AM
Hello Guys,
I just received the email from ISC2 that I passed the exam and now I am a certified security architect.
I sat for the exam last month. In order to study I used the official guide, and I bought access to the CISSP questions from cccure.org. My goal was to study the manual, and do the pro questions from cccure.org.
Besides the official guide I used some documents that were mentioned in the book, and I read again the related chapters from Shon Harris's CISSP book.
I can tell you that the exam is tough. What makes it difficult is that it goes deeply into VoIP, web technologies, wireless, and access control, which are not covered deeply enough in the official guide. I found it to be difficult enough to give someone the assurance that the person who passes the exam has a decent knowledge of security architecture.
The official guide is not bad, but I don't think it alone will help you pass the exam. It tries to cover all the domains, but it covers perhaps half of the questions in the exam. The subject is so vast that you cannot cover it in 400 pages.
The dilemma with the ISC2 exams is the 25 test questions: are they the hardest ones, the easiest ones, or...? From the remaining 100 questions, you have to obtain a 70% score in order to pass. So...
Also, because I wasn't clueless about any question, I might be wrong in my evaluation.
I think that the CISSP exam questions from cccure do not cover the material required for ISSAP deeply enough. They have a different focus, as the CISSP CBK is different from ISSAP. So, you can try them as a refresher, but they won't help you very much for the real exam.
What I liked about the exam is that the questions make you think a lot, questions like "which of the following answers MOST ...". For me the three hours were enough to go through all the questions and to revise some of them.
I think that my experience, and all the studies I have done for penetration testing, and security in general helped me a lot to pass the exam.
Thanks!
CISSP ISSAP, CISM/A, GWAPT, GCIH, eCPPT, OSWP
sil (Hero Member, Posts: 549)
Re: CISSP ISSAP, Reply #1 on: May 16, 2012, 10:23:29 AM
Firstly, congrats on the pass. Now on to the rambling.
ISSAP and even ISSEP material can be covered almost exclusively by experience with design and architecture (building networking, systems, interconnections). That is another one of the reasons why I always tell people to learn everything from the ground up: not solely web based stuff, not solely pentest stuff, but as much as one can from the barebones level to the higher end. It helps. The only gripe I would have about ISSAP and ISSEP is the range of companies that even look for these, mainly gov.
Anyhow, since ISSAP focuses on the 50k foot view from the architectural scope, I would think the decent studies would come from understanding content from SABSA, TOGAF, OBASHI and the other boring organizations along with some {DIA,DITS}CAP content. I am tempted to sit the exams but 1) I dislike ISC and all their nonsensical politics 2) I dislike some of the board 3) I dislike shirts and ties 4) I'd rather play with a Rubik's cube than Excel spreadsheets.
What was the exposure of those mentioned frameworks (SABSA, et al.)? Are you planning ISSEP?
http://www.infiltrated.net/mgz/puppylecter.jpg
alucian (Full Member, Posts: 225)
Re: CISSP ISSAP, Reply #2 on: May 16, 2012, 11:53:34 AM
Hi Sil,
I knew that you'd have something to say, given the fact that I already asked your opinion about this.
The frameworks weren't covered very deeply. From the frameworks there were some common sense questions. I found most of the hard questions to be more "technical" than the regulatory nonsense type (like which architecture to use to provide strong authentication to a wireless network among the given 4).
I don't think that I'll do ISSEP anytime soon. I'll finish OSCP and I'll do some SANS exams and courses (504, 575, 503, 501...), and probably some other hands-on courses. I did my share of theoretical exams (the SANS ones are in between).
Me too, I don't like Excel and writing reports just to justify incompetence and lack of knowledge.
For me ISSAP might open the door to some positions where I'll be able to influence the security avenue of a company. I don't see myself creating policies, trying to justify the expenses on some shiny boxes (the vendor told me that they'll protect us from APT), saying that some controls are not important because the application/server is in the internal network, ..., and calling this security governance/architecture.
Thanks for the input!
(Last Edit: May 16, 2012, 12:17:20 PM by alucian)
CISSP ISSAP, CISM/A, GWAPT, GCIH, eCPPT, OSWP
sil (Hero Member, Posts: 549)
Re: CISSP ISSAP, Reply #3 on: May 16, 2012, 12:40:18 PM
I should mess with ISC and nominate myself then have all my friends nominate me for their ISLA awards (awards.isc2.org)
http://www.infiltrated.net/mgz/puppylecter.jpg
sil (Hero Member, Posts: 549)
Re: CISSP ISSAP, Reply #4 on: May 16, 2012, 12:41:17 PM
Quote from: sil on May 16, 2012, 12:40:18 PM
I should mess with ISC and nominate myself then have all my friends nominate me for their ISLA awards (awards.isc2.org)
While doing so, try to do it using my moniker/nick instead of my name. That would just be funny
http://www.infiltrated.net/mgz/puppylecter.jpg
alucian (Full Member, Posts: 225)
Re: CISSP ISSAP, Reply #5 on: May 16, 2012, 01:09:41 PM
For someone who is not interested in ISC2, you know a lot about them.
If you get nominated it won't be a surprise, unless you put the dog face on the nomination picture. We, the EH-Netters, will support you (dog face or not).
CISSP ISSAP, CISM/A, GWAPT, GCIH, eCPPT, OSWP
sil (Hero Member, Posts: 549)
Re: CISSP ISSAP, Reply #6 on: May 16, 2012, 01:56:46 PM
Quote from: alucian on May 16, 2012, 01:09:41 PM
For someone who is not interested in isc2 you know a lot about them
I probably know as much about ISC as their own board of directors know about them
I know a lot of people who have developed stuff for them, are authorized trainers, content providers, and so on. I also know (and I mean physically have met, know) many people who are close friends with a lot of the former board members... Who these new guys are, I have zero idea outside of Win Remes.
When I first even bothered picking up security management (CISSP) related material, I read Harold Tipton's "Handbook of Information Security Management" from 1994-1995. Jumped in and out of Dorothy Denning's books, Krause, Krause + Tipton and so on and so on. There were a few times I emailed some of these guys (and gals) en-route to my security career. I respected a lot of the older crowd during the mid to late 90s. Then it all happened... Post 2K, ISC2 became solely focused on money versus security and I brushed them off since then (we're talking 1999 on up).
I knew a lot of guys back then who would literally cheat their way past the exam. I didn't respect it then, and I have less respect for it now. For me personally, I have seen and dealt with the political side of ISC2 a few times; they can kiss my ass as I have never needed them, and never will. On the flip side, I can point out to you quite a few books where people involved with that organization have used and/or referenced things I have written to prop up their content (hello Max Headroom Shon Harris). So for me it's more of a "guess what I know" kind of thing which makes me dislike them.
http://www.infiltrated.net/mgz/puppylecter.jpg
alucian (Full Member, Posts: 225)
Re: CISSP ISSAP, Reply #7 on: May 16, 2012, 02:15:24 PM
Interesting.
Now that you started the subject, can you tell us your opinion about ISACA and SANS?
CISSP ISSAP, CISM/A, GWAPT, GCIH, eCPPT, OSWP
sil (Hero Member, Posts: 549)
Re: CISSP ISSAP, Reply #8 on: May 16, 2012, 02:30:52 PM
ISACA is actually old school (60s or something) and focused almost exclusively on auditing. They are more granular than ISC but they too are altogether like a nutty professor (scatterbrained). So... ISC2 = 10 miles wide, 2 ft deep... ISACA = 2 ft wide and ten miles deep. ISACA will focus more on the business equations of security, compliance and governance. What they cover goes much further in depth on the BUSINESS side than it does on the technical side. When read from a technical perspective, it makes absolute zero sense. ISC2 will focus on everything and its mother (seriously, fire extinguishers?) in order to label you an expert while leaving you underclued on most subjects.
SANS, SANS, SANS... I have been torn on SANS since I backed out of doing VoIP content that Eric Cole was supposed to teach. I respect a lot of their guys since they're almost always on my level (technical versus paper pushing) or pretty much capable of mopping the floor with me. There are some courses that I believe are "skewed" and the content has/had been shifted to favor a particular vendor (GCFE ... the world does not revolve around Windows). Unsure whether *others* were given the nudge to go back and make things vendor friendly for their certs or not. I can tell you from experience though, I prefer "ground up" versus "can you make it more VendorX friendly?!" when learning something. Their SMEs for the advanced content are on the money, but they're not teaching anything one wouldn't be able to learn on their own (seriously). Other than that they're pricey.
Now... First one to even bother asking about EC-Council gets a lifetime ignore!
http://www.infiltrated.net/mgz/puppylecter.jpg
alucian (Full Member, Posts: 225)
Re: CISSP ISSAP, Reply #9 on: May 16, 2012, 02:49:58 PM
Quote from: sil on May 16, 2012, 02:30:52 PM
Now... First one to even bother asking about EC-Council gets a lifetime ignore!
Thank you very much for the input! Much appreciated!
At the same time, any security certification (GSEC, CISSP, CEH and even Security+) is better than no certification. I have a deep appreciation for the SANS certifications, but as you said they are expensive, and not everybody can afford them.
Also, as you mentioned, you are "playing" in a different league, and my post was mostly for the regular security pros.
CISSP ISSAP, CISM/A, GWAPT, GCIH, eCPPT, OSWP
Dark_Knight (Sr. Member, Posts: 292)
Re: CISSP ISSAP, Reply #10 on: May 16, 2012, 04:25:30 PM
Quote:
Now... First one to even bother asking about EC-Council gets a lifetime ignore!
So what are your thoughts on the CEH? In fact, no, I'll see your hand and raise it:
What about Mile2?
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
impelse (Hero Member, Posts: 565)
Re: CISSP ISSAP, Reply #11 on: May 17, 2012, 12:00:34 AM
Why doesn't he answer for CEH? We NEED his appreciation....
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training
Website: http://blog.thehost1.com/
alucian (Full Member, Posts: 225)
Re: CISSP ISSAP, Reply #12 on: May 17, 2012, 08:55:15 AM
You just want to irritate Sil, or what??
We need him on the forum.
CISSP ISSAP, CISM/A, GWAPT, GCIH, eCPPT, OSWP
sil (Hero Member, Posts: 549)
Re: CISSP ISSAP, Reply #13 on: May 17, 2012, 10:13:49 AM
Nah, it's all good.
Personally I think the comment will answer any question anyway. I just did an interesting "Partial Pentest" at a financial house's videoconferencing/VoIP infrastructure. Monday/Tues/Wed. Partial because they did an OMFG and called a time out. Requester: Snake Oil "the boogeyman is coming" CRISC, CISSP, CEH *yawn* *yawn* *somecert* guy. Guy was almost screaming at his staff about uber hackers getting in the front door via video and VoIP until I clarified his voodoo BS. Reality: sure you can get owned, but not coming from the outside with this set up.
Here is how and why.... Total time to figure that out... 10 minutes after being thrown on their network on their own laptop (zero tools for me to really use).
Have to go back up for the full gamut of testing now, including their internal.
Moral of the story. BigVoodooScary security manager cried the sky was falling cause he wanted him and his friends to be able to do testing, running at the castle with an overly insanely huge tree trunk (noisy, bulky tool testing: omg I run Core Impact + Metasploit + Nessus against the perimeter, look at all these false{neg/pos}), and he shot himself in the foot. Cert bodies like the two mentioned by impelse... They won't teach you the ropes. They will show you a whole bunch of spiffy shiny noisy teenybopper tools from the 1970s but they won't go further than that. They won't show you how to be discreet, exact, use intuition, the protocols behind it. That's all they are.
Now for anyone else wondering what I sometimes mean by contained environments, this was one of them. Because the manager responsible for getting me access on the network (the network manager, who takes care of NAC crap) was unavailable and I had approval, the workaround to get it done was to improvise. Solution? Told the director: well, we have authorization, if you wanna see what I mean I can show you on your laptop (he made the ultimate decisions). Experience + intuition = problem solver. By the way, VoIP/Video = same poop, diff day. It's all data. You can sniff it, redirect it, etc, etc.
(Last Edit: May 17, 2012, 10:15:50 AM by sil)
http://www.infiltrated.net/mgz/puppylecter.jpg
vijonline (Newbie, Posts: 2)
Re: CISSP ISSAP, Reply #14 on: May 25, 2012, 11:57:09 PM
alucian,
Many congratulations first of all. Your post is the most recent post I can see on the net about passing the ISSAP.
Also I noticed some great people in this forum (do I need to mention who it is? It is obvious, right?), so I joined as soon as I read this entry (and the replies).
I am planning to take the exam in July (mainly to gain more knowledge). I am using the ISSAP guide, the OIG and Ross Anderson (for the exam or not, it is a very good read for sure), plus a few NIST docs.
It looks like the exam is too technical (which I like)... I think technical exams make it easy to choose answers (like doing math, there is only one answer 'most of the time')...
Can you tell me any other specific topics that were given importance (like biometrics, IAM, IPsec, etc)? Please let me know...
And, congrats once again. It is an achievement for sure.
(Last Edit: May 25, 2012, 11:58:45 PM by vijonline)
© 2013 The Ethical Hacker Network