I was keeping my eye on the price of D90 in UK at Camera Price Buster (very useful site indeed!). When I was ready to buy it from Currys (it was £709.00 at that time), just decided to do a last minute check on Amazon (I prefer buying from Amazon because never had any problems in the past) and to my surprise Nikon D90 Digital SLR Camera, 18-105 VR Kit was there for just £649.99 by a seller called “rodneyjwillis”. Almost £60 cheaper, Excellent – I thought. Checked the sellers profile/review – it had 100% positive feedback from the buyers, nice comments and seller was with Amazon for almost a year. So, ordered it from Amazon marketplace. I didn’t see anything phisy at that time and anyway I was aware that paying via Amazon will guarantee my purchase with their A-to-z guarantee scheme.

When all other stuff I ordered together with D90 arrived (camera bag, sd card and d90 book), but there was no sign of my D90 being dispatched, let alone delivered. I sensed something was wrong. Went back and checked the seller’s profile – there was one new feedback saying

“BEWARE! This account is being used in a scam – items don’t arrive!”

That got me worried. Sent seller an email and alerted Amazon that this might be a scam. The storefront of the seller was immediately taken off (I guess by Amazon)

Contacted the seller for the status of my delivery – got an email next day saying, the item was dispatched (without any details):

I then replied asking when was it dispatched, if he was sending it from UK and if he could give me the tracking number. In reply I received another copy of exactly the same email. Called Amazon several times and sent several emails. By now I had no doubt in my mind that it was a scam and I wanted my money back, but amazon was sticking to it’s policy of waiting for the 3 days to pass after the seller’s advertised delivery date, which was 11 to 23 June ( I actually placed the order in 5th June). That meant I could only file a-to-z claim after 26th June (which is 3 weeks after my order), and would have to wait for amazon’s investigation (one to two weeks), then when they transfer the money back, it can take up to another 10 days to end up in your account. Almost 2 months before you get your money back in worst case scenario.

I think it’s totally unacceptable for a clear fraud case like this!

When I sent a last email to the seller (June 16) – got this auto-reply saying his amazon account was closed.

After a week of persistent complaining Amazon finally filed the a-to-z claim on my behalf. All in all it was a very dreadful experience. What a waste of time! I’ve spent most of my last week just checking the sellers profile, reading other victims comments, contacting Amazon and worrying…

Here’s the link to scammer’s amazon profile, at the time of this writing more than 70 people have fallen victim to this scam.

I’m sure everyone who paid via amazon will get their money back but Amazon has failed here in a big way. Looks like the seller has duped Amazon more than the buyers. At the end of the day buyers will get their money back. Amazon is the real loser here – the lost customer confidence is more costly for them than the refund they’ll have to make. Amazon should have been more proactive to refund the money to customers since it was a clear fraud case, which happened due to weaknesses in their Marketplace system, but they kept on dragging.

Every amazon’s email had this signature:

“We’re Building Earth’s Most Customer-Centric Company”

But I wasn’t convinced. You couldn’t reply to any emails they sent you because the emails were sent from addresses that cannot accept incoming emails. There might be a valid security reason for doing that but as a customer it was quite difficult to track my email conversation with them (the online contact form didn’t keep any record of my previous emails to them either). I found Amazon’s telephone support to be better than their email.

This just shows that it’s not all safe and well on online purchases. The scammers can trick not only innocent users but successfully dupe big companies like Amazon.

Finally the money refunded by Amazon has appeared in my account. I’m off to local Argos store to get my D90.

First briefly about the company – Sourcerfire was founded by the author of Snort (an open source network intrusion prevention and detection system). Snort is the most popular and widely deployed IDS/IPS and has become the de facto standard for the industry.

So, why do we need Sourcefire (very expensive) if Snort is the best and free?

Right, Snort is the best and free out there but it’s implementation, management and maintenance is not a piece of cake for everyone; that’s where sourcefire comes into play. Sourcefire uses snort at it’s heart to utilize it’s powerful IDS/IPS techonology, with added benefit of plug-n-protect simplicity (the purpose-built appliance is easy to install, maintain and manage), and it comes with tons of extra features that make it very powerful. Sourcefire adds an Adaptive IPS and Enterprise Threat Management (ETM) on top of the Snort IPS. It is managed via user-friendly and intuitive web interface, of course you can always do your advanced config from the shell because it’s a snort installed in a linux box anyway.

Components of Sourcefire 3D System

Sourcefire 3D System is comprised of two appliances (Sourcefire Defense Center and Sourcefire 3D Sensor).

Sourcefire Defense Center (DC) is a centralized management console to manage the sensors, centralized event aggregation and sensor policy administration.

Sourcefire 3D Sensors are purpose-built network security appliances that passively aggregate network and user intelligence while defending the network against internal and external threats.

3D Sensor Modules

Each Sourcefire 3D Sensor is capable of running any combination of the following four software components (you need to buy them separately):

Sourcefire IPS (Intrusion Prevention System) it’s the mighty snort running in background, where you can use rules-based detection engine and utilize the acclaimed Vulnerability Research Team (VRT) to protect your network. The IPS component is included in the base system.

Sourcefire RNA (Real-time Network Awareness) passively monitors real-time network traffic and gathers network intelligence, it can detect operating systems, services, applications, protocols, and potential vulnerabilities that exist on your network. This is a very useful component of Sourcefire but you’ll need to buy the RNA license separately.

Sourcefire RUA (Real-time User Awareness) helps to identify the user identity and contact information, it pairs Active Directory and LDAP usernames with host IP addresses involved in security and compliance events. You’ll need to buy the RUA license separately.

Sourcefire NetFlow Analysis is an optional component of Sourcefire’s Network Behavior Analysis (NBA) solution. It gives additional insight to network threats by aggregating and analyzing NetFlow from routers and switches.

Sourcefire 3D System deployment with Master Defense Center

OK that was about sourcefire. Here’s how you go about getting certified.

Training Course

Sourcefire offers several instructor-led classroom training for Sourcfire 3D systems, out of which SF3D 360 Bundle is the one I took.

Sourcefire 3D™ 360 Bundle Includes:

• Instructor-led Training Sourcefire 3D™ (4 days)
• Sourcefire Certified Professional (SFCP) Certification Exam
• Sourcefire Guarantees
• CPE Credits 32 (for CISSPs)

Course Outline

• Sourcefire 3D System Sensor Deployment and Communications Architecture
• Sourcefire 3D System Overview & Product Installation
• Interface Navigation and Dashboard views
• Sensor Configuration and Management with the Defense Center
• Configuring Interface Sets and Detection Engines
• Administration, Maintenance and System Policy
• System Health Monitoring and Alerting
• Real-time User Awareness
• Adaptive Profiles
• User Account Management
• IPS & RNA Detection Policy Configuration
• Compliance Policy, White Lists and Host Attributes
• Event Analysis and Reporting
• End-Point Intelligence
• Flow Data Analysis and Network Profiling
• Nmap and Nessus Scanning
• Basic Rule Structure and Syntax
• IPS Features and Configuration
• Trouble Shooting and Behind-The-GUI Navigation and Architecture

Certification Exam

The following products and skill areas are assessed through this process:

• Intrusion Management System
• Intrusion Sensors
• Defense Center
• RNA Sensor
• Installation and Deployment
• Administration and Management
• Policy Configuration and Management
• Policy Non-compliance and Remediation
• User Administration and Management
• Reporting Creation and Management
• Effective and Performance Oriented Rule Writing

The certification exam itself consists of 200 multiple choice questions, which you’ll have to complete within 4 hours. Passing score is 75%, you’ll immediately know whether you pass or fail and if you pass the exam certificates are available online for you to print.

I found the instructor-led course very helpful. I have worked with snort before but this was my first introduction to Sourcerfire. After the 4 day course, you’ll have 60 days to prepare and take the exam. Every student is given a second attempt if a passing grade of 75% or better is not achieved on the first attempt.

To prepare for the exam, I went through the training material (page by page) one more time. I also had an access to sourcefire boxes installed in our office lab so, it was very useful. It’s an open book exam, you’ll have slightly more than a minute to answer each question, so you won’t have enough time to go through your materials during the exams. You’ll need to know your stuff to pass it, but having an access to sourcefire box at the time of exam will be very handy (for the user interface questions).

I’ve to say that I’ve been quite reluctant to install third-party apps and post family photos due to privacy concerns, but this new terms of service makes it worse. Now anything you post or upload can be used by facebook even after you close your account. In previous terms of service, facebook’s rights on your content would expire after you closed your account, but not any more.

via: Consumerist

Update (17Feb09): facebook ceo, Zuckerberg has written a blog post about the issue, trying to explain why they need this TOS.

Our philosophy that people own their information and control who they share it with has remained constant. A lot of the language in our terms is overly formal and protective of the rights we need to provide this service to you. Over time we will continue to clarify our positions and make the terms simpler.

Update (18Feb09): After a global complain facebook has returned to previous terms of service (until they find a new language to clarify their position). Zuckerberg explains it in his Update on Terms

We concluded that returning to our previous terms was the right thing for now. As I said yesterday, we think that a lot of the language in our terms is overly formal and protective so we don’t plan to leave it there for long.

Update (27Feb09): Finally, democracy has come to facebook, it’s allowing users to review comment and vote over it’s future policies. That the way to go, well done facebook!

Delivering customer-focused managed network and application delivery solutions that leverage a global network with unrivalled reach, depth and breadth to multinational, service provider and global carrier clients. Over 1400 enterprise customers and 200 carriers depend upon Reliance Globalcom to manage business-critical network solutions and address complex requirements for their businesses and partners throughout the world

Vanco is now Reliance Globalcom, Anil Dihrubhai Ambani group, which is also well known because of it’s chairman Anil Ambani, currently 6th on The World’s Billionaires List.

I feel myself privileged and honored to have this opportunity. At Vanco my role will be exclusively focusing on security, I’m really excited about it. This is a perfect opportunity for me to bring forward my previous network/security expertise as well as learn and grow at this truly global organization.

I’ve installed and tested it in my WinXP SP2 running on my MacBook Pro Vmware Fusion, and this is what I found.

Installation and usage
The installation is easy and straightforward. You just need to follow the on screen instruction. You’ll require: a domain administrator account, a smtp server address to send alerts via email and have to choose either Microsoft Access or MS SQL Server for the back-end database.

Scanning, Reporting and Patching
The user interface is intuitive and easy to use. After the scanning is completed, it gives a nice report of the scan (you can choose to scan a single computer, group or the whole network). In the first scan it let me know that my Office and Windows need some critical patches. If you expand each vulnerabilities then it’ll give the Microsoft ID, download link and the patch release date. You can apply the patch or choose to ignore it by right clicking on it. There’s a handy feature to mass deploy the Microsoft updates on selected computers or all computers in the network. Other notable features in patch deployment are:

- Custom Software deployment
- Uninstallation of Microsoft updates
- Detailed Patch Deployment log

Besides the vulnerabilities the scan reports on open tcp/udp ports, open shares, installed applications, password policies, groups and users (with their privilege, last logon and password age).

You can buy an extra ReportPack to create vulnerabilities scanning reports and system information reports for your managers and bosses. I think it would have been great to have this reporting built in to NSS.

Useful Tools
GFI LANguard NSS comes with very handy tools that a network/security admin uses every day

Conclusion
I’ve tried the GFI LANguard N.S.S 8 for few days and think that it is a very useful tool for network and security administrators. I liked the fact that it has all three useful tools i.e. network vulnerability scanning, patch management and auditing integrated into one. It’s also easy to use and manage. The lack of built-in ReportPack is the only down side of it. Here, I’ve just scratched few features of the product, if you’re interested you can try it for free with 30 days evaluation version before buying it.

Update: GFI have now included the ReportPack for free with GFI LANguard N.S.S. and all other ReportPack-powered software titles on top of the 45% price cut.

Basically you’ve two choice — go for the hardware solutions (expensive with many nice features) or software solutions (possibly free but with limited features). If you want a free and open source solution then Pound is the choice.

Pound is a Free Open Source reverse-proxy, load balancer, SSL wrapper, http/https sanitizer, fail over server and a request redirector:

1. a reverse-proxy: it passes requests from client browsers to one or more back-end servers.
2. a load balancer: it will distribute the requests from the client browsers among several back-end servers, while keeping session information.
3. an SSL wrapper: Pound will decrypt HTTPS requests from client browsers and pass them as plain HTTP to the back-end servers.
4. an HTTP/HTTPS sanitizer: Pound will verify requests for correctness and accept only well-formed ones.
5. a fail over-server: should a back-end server fail, Pound will take note of the fact and stop passing requests to it until it recovers.
6. a request redirector: requests may be distributed among servers according to the requested URL.

Pound is built with security in mind, it can run as setuid/setgid and/or in a chroot jail. It’s a very small, robust and efficient program.

It’s very easy to install and configure.

Installation

pound can be installed from the source or the binary depending on your os distribution.

Configuration

Here’s an example of simple configuration to share the loading between two web servers behind the Pound load balancer

ListenHTTP
Address <real ip address>
Port 80
End
ListenHTTPS
Address <real ip address>
Port 443
Cert “/etc/pound/ssl-cert.pem”
End

Service
BackEnd
Address 192.168.1.2
Port 80
End
BackEnd
Address 192.168.1.3
Port 80
End
End

Pound can keep track of sessions between a client and a back-end server by client address, Basic authentication, URL parameter, cookie or header value. Here’s how we keep the session by cookies

Session
Type Cookie
ID “sess”
TTL 300
End

Pound is straight forward to configure and understand. It’s a perfect choice for free and open source load balancer.

* User enters pass-phrase to begin using the system. Browser retains the pass-phrase as a global variable.
* User requests a list of all data belonging to him.
* For each record, the system stores the associated user ID in plain-text, the record ID in plain form, and the record content only in encrypted form. (The message content is one or more database columns, each encrypted.) Thus, system is able to return a list of record IDs for this user.
* User selects one of the record IDs.
* System checks that this user ID is associated with the record ID, and returns the corresponding message content.
* Browser uses stored pass-phrase to decrypt the contents.

Ok, with that background if you’re ready to store your sensitive information online, here are few choices for you.

Halfnote
Halfnote is a very simple and secure notepad. Easy to register — provide your email address, choose a password, and you’re done. A simple blank notepad is presented, where you can write your secret passwords or documents. It’s very fast and the information is auto-saved as you type. The information you send is encrypted with your pass-phrase but it lacks SSL protection, which could have provided extra security by encrypting the session information.

Passlet
Passlet is a typical online password manager, currently in beta. It has an easy to input entry from where you can input: Title, Username, Password, and Notes. It encrypts the data by deriving 128-bit AES key from your master password. The key derivation is completely performed within the browser. In addition to secure data, Passlet uses SSL for session encryption, we can be sure of connecting to Passlet server by viewing the SSL Certificate.

eSecureKey
eSecureKey is another online password manager, currently in beta. It has a Portlet, which can be accessed with a Secure Key. This Secure Key is different from your login password, and is never transmitted to the server. This is the key used to encode and decode data. The portlet lists the existing entries and allows to add new information with tags for easy listing and searching. eSecureKey sends encrypted data to the server but lacks SSL for the session encryption.

PassPack
PassPack is currently in beta. It uses Packing Key to pack/unpack (encrypt/decrypt) data, which is all done in client side, inside the browser, no keys are sent to the server. It uses AES encryption and special security techniques, like disposable logins, which can be created in advance. Disposable logins are good for one time login only. This is useful when you access your data using a public computer. PassPack has taken the fight against phishing to a new level by allowing users to setup their custom Greeting Message after login, and ip address restriction, where users can choose to allow only certain ip address to have login access. PassPack uses SSL to encrypt session data as well. Other useful features in PassPack are import/export from/to a csv file. You can make an encrypted backup of your secret data using the packing key, and the restoration from the backup file is very easy too.

Clipperz
Clipperz uses local encryption within the browser so, your data is safe like all other online password managers. But Clipperz has some useful features that other online password managers lack. For example, it has a cool feature called direct login, which allows to quickly create a “direct login” link: just one click to authenticate and access the online service without typing any username and password. Another good feature is offline copy, which allows users to dump their encrypted data from Clipperz servers to a local hard disk or USB drive and create a read-only version of Clipperz to be used when there’s no internet connection available. Clipperz is currently available in English, Japanese and Chinese. It stores the passwords and other confidential data in predefined templates called cards. Clipperz has several predefined templates for storing websites, banking, credit card, address book and custom card. There’re some new features coming soon, among them Import and Sharing should be very useful.

Conclusion
I think online password managers are handy and secure enough to store the username/passwords of many websites that we visit on daily basis like, digg, delicious, flicker, etc …. but for myself, I wouldn’t store critical secrets and financial data online yet! If you’re a system admin you might want to check KeePass that works across all platforms. Having said that, if you’re ready to take a plunge into online password managers then technology is ready and there’re excellent choices available. So, if you love simplicity, Halfnote is for you, if you want cool features like direct login or multiple language support, then go for Clipprez, if you want extra security like disposable logins and phishing protection go for PassPack.

1. Passwords

Cryptographic methods, biometrics, and two-factor authentication are becoming popular these days, but in reality we still have to deal with passwords most of the time. So, proper management of password is absolutely critical to the security. It doesn’t have to be complicated. Here are few simple things I recommend to do with the passwords:

Use password manager
Manually keeping up with 100s of login ids and passwords is very difficult, impractical and sometimes impossible. So, use some kind of password management tool. With a proper password manager you don’t have to worry about generating secure passwords, you’ll stop writing passwords in paper, and you don’t have to remember any of them. The password manager will help you with all of these tasks. I use KeePass to manage the passwords. It’s an excellent multi-platform password manager available for Windows, Linux, Mac OS X and Windows Mobile.

Change passwords regularly
Never use same password for two servers or devices, and change them regularly, at least once every 3 months. By using an unique passwords per system you’ll reduce the damage in case a single password is compromised, and by changing the passwords regularly you’ll make the guessing and attacking for the bad guys much harder.

Never send naked passwords
What I mean is, never send a clear-text password over the network. The packets can be easily captured with many freely available tools and packet sniffers. Always use some form of protection when you need to transmit the passwords, e.g. SSL, SSH or VPN connection. You should never use HTTP or Telnet to manage anything over the network. Replace them with HTTPS (SSL) and SSH.

2. Security Updates

Keeping your systems up-to-date is very important, there’re new security patches released by most of the vendors all the time. Sometimes the security updates negatively affect production environment, so it’s recommended to first test the fixes and then only apply to production environment. Anyway, patching the known security holes is critical to stay secure. The longer you take to patch a known security hole the more you’re exposed to attacks.

3. Changes

There’s a nice saying about the change — “Change is the only constant”. I think that’s true for life, and for systems, and networks. We make changes all the time, change firewall rules, add users, delete users, install security patches and so on. The system and network environment keeps changing. It is very important to keep a backup of the last known working configuration of everything, and maintain a change document. So, if suddenly after changing a firewall rule everyone in the network complains about not being able to access a server in DMZ, we should be able to fall back to the previous rule-set easily. If you’ve made some manual changes to a config file to improve the performance of a linux server, you should note it down because after few months you won’t remember the exact changes you’ve made. Knowing what changes you’ve made and being able to fall back keeps you and your environment productive and secure.

4. Stop unnecessary services
Most of the Operating Systems and security devices come with a lot of services installed and running by default. The more services that are running, the more your system is exposed to attack. So, you need to identify all the services running in the system and stop the unnecessary ones. If it’s a firewall, explicitly deny everything first, and start allowing the necessary connection and services. If it’s an operating system, find and stop all the unnecessary services.

By following these 4 simple measures you’ll be able to keep your system and network secure and stable. I’m not saying that just these measures would be enough in all environments, but they’re the basic foundation. I think not only admins but normal users should be following these 4 measures to keep themselves secure in todays wild internet.

Any other simple measures that you take to keep your system and network secure? Comments and emails are welcome.

Snort captures enormous amount of data from the network and generates alert based on the rules and signatures. There’re currently 3 excellent and relatively user friendly ways to manage and analyze the snort data:

1. ACID (Analysis Console for Intrusion Databases)

The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools.

ACID: Installation and Configuration

2. BASE (Basic Analysis and Security Engine).

It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.

Snort, Apache, SSL, PHP, MySQL, and BASE Install on CentOS 4, RHEL 4 or Fedora Core (pdf)

3. Sguil (Snort GUI for LamerZ)

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures.

Sguil on RedHat HOWTO

If you’re asking what’s the difference between them, then here’s five reasons why Sguil is different from ACID, BASE, and similar products.

Currently I’m trying Sguil to see how good it is. I’ve installed Sguil Server and Sensor in CentOS 4.x and Sguil-Client in my Mac OS X. The server installation was not that easy but once installed, it runs smoothly. I must say that there are many good features in Sguil, among them I like: alerts in near real-time, escalation and accountability features, collection of session data using SANCP and summaries of conversations.

Let me give you a general idea about this certification. CISSP is a security certification carried out by (ISC)², which is a globally recognized, vendor neutral organization for certifying information security professionals. To pass the CISSP exam you’ll have to be competent in 10 Domains of the Common Body of Knowledge (CBK):

• Access Control
• Application Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security and Risk Management
• Legal, Regulations, Compliance and Investigations
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security

To qualify to sit for the exams you need to:

Subscribe to the (ISC)² Code of Ethics.
Have a minimum of four years of direct full-time security professional work experience in one or more of the ten domains of the (ISC)² CISSP® CBK® or three years of direct full-time security professional work experience in one or more of the ten domains of the CISSP® CBK® with a college degree. Additionally, a Master’s Degree in Information Security from a National Center of Excellence can substitute for one year toward the four-year requirement.

Update: Effective 1 October 2007, professional work experience requirements for the CISSP will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP CBK domains. A new endorsement policy will also be in effect, requiring anyone who passes a CISSP, CAP, or SSCP exam to have their qualifications endorsed by another (ISC)² credential holder. These changes will not affect those who sit for an examination on or before 30 September 2007. For more information, please refer to the Experience Requirement Change FAQs.

The exam itself is 6 hours long, with 250 questions based on the 10 domains. 25 out of 250 questions are for research, but you’ll have to answer all of them, and there’s no way of knowing which one is which. So, 225 questions will be scored, and you’ll have to get 700 out of a possible 1000 points on the grading scale to pass. Different questions carry different weight (marks) and there’s no way to know which question carries how much marks. As of writing this, the exam costs US$ 499 if you register 16 days ahead of exam date or US$ 599 if you register later.

My Recommendation

The best book you can buy for your preparation is CISSP All-in-One Exam Guide, Third Edition (All-in-One) by Shon Harris. The most helpful place, with a lot of useful resources is CCCure.org web site. You can ask questions on the Forum or search for anything that you want to know about the exam. The forum is very lively, with a lot of CISSPs replying to your queries promptly. The Quizzer is another valuable tool to check yourself on where you stand, before starting the preparation and taking the exam. The quiz gives you a general idea about which domains or topics you’re weak in, this way you can devote more time to strengthen you weak areas. If you’re taking a self study route, you should view the flash based Exam Introduction and Overview by Clement, which provides a thorough overview of the CISSP Exam, with tips on how to prepare, how to study, what resources to use, and a whole lot more. I found it extremely useful.

How I prepared for the Exam

I chose a self study route, and devoted around 2 months for the preparation. Locked myself in and had very little to no time for the family, I’d told them what I was up to, both my wife and son were very supporting. Every weekday I would dedicate 3 to 4 hours, and on weekends 5 to 6 hours for preparation. The last week before exam, I took leave from work and dedicated around 12 hours straight everyday for 7 days. To cope with the physical and mental tensions I did 45 minutes yoga in the morning and 20 minutes meditation in the afternoon. I took a break or stretched for 5 to 15 minutes after every 1 or 2 hours of studies. Even with these precautions, there’re times when mind goes wild and body aches like hell .

Because of my experience at work and previous studies, I was already familiar with most of the topics in Telecommunications and Networking, Cryptography, Operations Security, and Security Architecture and Design. I was ok with remaining domains but the Physical Security and Legal, Regulations, Compliance and Investigations were quite new to me.

My Study Materials
1. CISSP All-in-One Exam Guide, Third Edition (All-in-One) by Shon Harris
2. Mike Meyers’ CISSP(R) Certification Passport by Shon Harris
3. CCCure.Org (Quiz, Forum, and Summarized Concept)

Phase 1 (approx. 20 days)
I read CISSP All-in-One Exam Guide, Third Edition (All-in-One) by Shon Harris page by page first, then took the practice questions at the end of each chapter to see how I retained the material. As I was progressing, I had a feeling that I was forgetting the earlier chapters.

Phase 2 (1 day)
Took 250 questions quiz from CCCure Quizzer (select all 10 domains, difficulty pro, closely related, shuffle answers, review only incorrect answers, activate timer). The results of the quiz gave me a clear indication on which domain I was weak. I saved the results in Google Docs, so that I would be able to refer back to it later. I scored 76%.

Phase 3 (approx. 15 days)
Based on the results of the quiz, I prioritized to review the domains, starting with the one that I scored least. In this phase I read All-in-One book page by page for the second time, and after completing each chapter I took the CCCure Quizzer, 100 questions (select only one domain, difficulty pro, closely related, shuffle answers, review only incorrect answers, activate timer). The results suggested me which topics I needed to review within each domain. I saved each quiz results in Google Docs, so that I would be able to refer back to it later. I was scoring over 80% in each of the 10 domains.

Phase 4 (approx. 10 days)
For each domain I reviewed the questions and answers that I got incorrect. I narrowed down my preparation and zoomed down to the individual topics from the incorrect answers. After revising all the topics across all 10 domains that needed attention, I took the same quiz, 100 questions (select only one domain, difficulty pro, closely related, shuffle answers, review only incorrect answers, activate timer). By now I was scoring above 90% in each of the 10 domains.

Phase 5 (approx. 15 days)
The CD included in All-in-One book has a Total Tester Software with a lot of questions (60 to 100+ per domain). Took test for each domain. After taking the test from CD, read All-in-One book for the third time, but this time I just read the headings, subheadings, flipping, and skipping the pages, only stopped to read the topics which pulled my attention. When there were 2 days left for the exam, I started reading Mike Meyers’ CISSP(R) Certification Passport, it’s a very well summarized book which contains most of the concepts necessary for the exams. I highly recommend this book at the end of your preparation. On the last night before I went to bed I read the study guide (cram) that was produced by Michael Overley and improved by Jane E. Murley.

The Exam day

I was quite satisfied with my overall preparation, but that couldn’t help me with the anxiety and anticipation. I’d read a lot of horror stories at CCCure Forum about the exam questions. I went to bed early the night before exam, but found it quite difficult to fall asleep, anyway got around 5 hours of sleep. Woke up early on the exam day, did 45 minutes yoga, and had a heavy breakfast. I went to the exam center with some energy bars, a bottle of water, a pack of HB No. 2 pencils, a sharpener and an eraser. 2 pencils are provided by the ISC2 but aren’t that good, so I highly recommend you to take your own pencil, eraser and sharpener. I had brought a jacket with me and put it on throughout the exam. It was quite cold. You should be prepared for warm or cold condition.

The exam was physical, mental as well as English test. After 3 hours of sitting, my neck was like one big knot. I ate one energy bar, around half a liter of water, and went to toilet twice. Some questions didn’t make any sense at all.

If I had to break the questions, it would be something like this:

• Around 5% were straight forward. One line question and very obvious answer.
• 20 – 25% of the questions were very tricky, not difficult but needed to watch the keywords like NOT, WORST, BEST, etc. The practice quiz helped me a lot on watching the keywords.
• 20% either didn’t make any sense to me in English or were like questions from another subject. Maybe they were the research questions.
• 50 to 60% of the questions were similar to the CCCure quiz and All-in-One CD questions. They were just similar in construction and difficulty, but none were exactly the same.

All 100% of the 250 questions were the ones I saw for the first time. I’d never seen any of those questions in the quiz or practice questions. I circled the answers to my first 125 questions in the question booklet in around 2 hours. Then I copied (marked) those answers to the answer sheet, which took around half an hour. After that I started marking the answers directly to the answer sheet. I think marking directly to the answer sheet is a better idea, it’ll save you some time. It took me 5 hours to finish all 250 questions. Initially I’d put a question mark in the question booklet at those questions which I was not sure of. So, came back and reviewed the answers of those not-sure questions, ended up changing 8 answers. I didn’t have time to review all the questions, and may be that was a good thing . I was quite sure that I got around 50 to 60% correct, but came out exhausted, and was not sure if I would pass.

Post Exam

The wait after the exam is even worse than the preparation or taking the exam. In some cases the results are emailed as early as 5 days. So, after 5 days I kept on checking my email every few minutes, hoping to see the results. Also visited the Forum to see if anyone would post anything about the exam in Hong Kong on 22 April. Finally the results came in, exactly after 10 days, I opened the email and saw the word Congratulations!, That’s it. I felt like I’d let go of 100 pound weight from my shoulder, and felt as if my body had melted on the chair I was seating. A very pleasant feeling followed and I thought the time, effort and money spent were worth it.

After getting the results you need to get an endorser to sign the endorsement form and send it to ISC2 together with your resume. The endorser must be either one of the certificates holder, such as CISSP, GIAC, MCSE, MCDBA, CISM, CISA or company’s CEO, CIO, Managing Director, Executive Director or Managing Partner. I’ve already sent the signed endorsement with my resume and am now waiting for the official certificate.

Conclusions

The CISSP Exam is all about concepts. If you know the concepts well, you can pass, but don’t underestimate it, there’re a hell lot of concepts to remember. I think you need to have some experience in the field, otherwise it would be too difficult to just study and remember the concepts. Make a study plan and follow it. Read each and every page of the All-in-One book. Do as many as possible practice questions and quiz as you can. The preparation and exam both are physical as well as mental challenges so, take care of your body and mind too.