I Passed the CISSP Exam!

“…The people who pass are those that simply start and keep going. They have grit and determination. They show up. Then there is everyone else. They don’t.”
– Nathan House, CEO, StationX

Preface

On December 27th, 2023, I passed the Certified Information Systems Security Professional (CISSP) exam on my first attempt at question 125, roughly 2 hours and 5 minutes in. This post is to share how I managed it, what helped me, and what didn’t.

About the CISSP Exam

At the time of writing, the English-language CISSP exam is only offered in CAT (Computerized Adaptive Testing) format and is between 125 and 175 [multiple-choice] questions long.

For those who are taking the exam on or after April 15, 2024, be aware of the following changes:

  • Domain 1’s weight increases by 1%, and Domain 8’s weight decreases by 1%
  • The total number of questions will be reduced from 125-175 to 100-150
  • The time limit will be reduced from 4 hours to 3 hours

Preparation Strategy

Beginning in August, I committed to spending 5-7 hours a week on CISSP study, which included books (physical and digital), video courses, and practice questions.

Courses and videos:

  • Derek Fisher’s Ultimate Cybersecurity Course & CISSP Exam Prep (StationX, August-October 2023)
  • Thor Pedersen’s CISSP Video Bootcamp series (StationX, October-December 2023)
  • Peter Zerger’s CISSP Exam Cram (YouTube, December 2023)

Derek Fisher’s course is a good introduction to the CISSP material but doesn’t go into much detail. I object to using the word “ultimate” in the title because this implies that it’s the final word when it should be the first.

Thor Pedersen’s course goes into much more detail and includes other goodies such as external links, downloadable study notes, and practice quizzes for each domain.

Peter Zerger’s CISSP Exam Cram was the best of both worlds, concise and complete.

Books:

  • The Official (ISC)2 CISSP CBK Reference 6th Edition
  • (ISC)2 CISSP Official Study Guide (both 8th and 9th editions)
  • All-In-One CISSP Exam Guide 8th Edition
  • How to Think Like a Manager for the CISSP Exam

I didn’t read any of these books cover-to-cover. Instead, I used them as reference material and for their practice questions.

Practice Questions:

  • End-of-domain course quizzes
  • Peter Zerger’s CISSP practice test
  • CISSP Official Practice Tests
  • TotalTester CISSP practice exams (came with All-In-One CISSP Exam Guide)
  • WannaPractice CISSP practice exams
  • Boson CISSP practice exams

Altogether, I completed about 3,000 practice questions. This helped me develop my time management, question analysis, and answer evaluation skills. It also helped me to identify which areas I was weakest in so I could focus my study efforts.

In the last week leading up to my test date, I averaged 80-84% across multiple sources on my complete practice exams.

Additional Activities:

  • I actively participated in an online study group hosted on StationX. I posted a summary of my weekly progress and screenshots of quiz/test results and articulated my intentions for the following week. This helped me stay on track and accountable.
  • I explained the CISSP concepts I was learning to friends and family members. Thor Pedersen is a big advocate of this, and I can attest that if you can’t teach it, you don’t understand it.
  • I invented mnemonics to memorize concepts I struggled with but was unlikely to ever use in my day-to-day work.
  • I researched topics from sources that were not CISSP-specific/centric (e.g., cryptographic systems, networking concepts, security models, etc.). The CBK doesn’t always provide detailed information, so having additional sources of information helped me contextualize what I was learning.

Afterthoughts

In a conversation with Nathan House, CEO of StationX, shortly after passing the exam, he said to me:

“I knew you would pass. If not the first time then the next. Because I see it all the time. The people who pass are those that simply start and keep going. They have grit and determination. They show up. Then there is everyone else. They don’t.”

There’s a lot of truth to that. Passing the CISSP exam has been a professional goal of mine for years, and I wasn’t entirely sure I could do it until I did. It’s also important to understand who it’s for and what it’s supposed to represent.

This is not an entry-level certification, despite many job postings that would elude to the contrary. It’s intended for experienced professionals with 5 years of experience (or 4 years of experience and a four-year degree or one of a handful of certifications).

That’s not to say that you couldn’t study hard and pass it with little to no preparation or experience; some have, but why would you want to? What would this prove other than to suggest that you’re a good test taker? Waiting until I had the requisite experience, desire, and incentives made the process all the more worthwhile.

My best advice to anyone considering taking the CISSP is to ensure you have as much time as you need. Think of it as a marathon rather than a sprint. For me, this took about four and a half months. As you work your way through the process, test your knowledge often and focus your time on the areas you’re weakest in.

Above all, try to learn, retain, and apply something new every day.

Parameter Hunting: Part II

In my last post on the subject, I discussed the concept of using Process Explorer to discover switches you can use for unattended installs/uninstalls used in enterprise software deployment.

Like before, I have a pesky setup.exe package that wants to guide me through an installation GUI, and would not respond to the usual setup.exe /s /q etc. and so forth…

This particular installer was for a very obscure serial hub manufacturer so there was Googling my way out of this; instead I needed to figure out what was used to build the installer, then work backward from there.

Once against, I launched my trusty Process Explorer (as Administrator) and inspected the setup.exe’s process…to my delight, scrolling down the “Strings” tab I came across this:

Note the string, “This installation was built with Inno Setup.” With that in mind, I was able to look up the documentation associated with the package builder to discover the built-in parameters I needed for silent installation.

While this specific technique might not work for every situation, it never hurts to have another tool in your toolbox!

Parameter Hunting

Preface: Often in our line of work, the answer requires a little digging. The purpose of this post is to walk you through my thought process in an effort to illustrate how I go about linking disparate pieces of information together to arrive at a solution.

Last week, I was tasked with creating a script to silently uninstall an application across a managed environment with nearly 800 endpoints spanning multiple physical locations and at least 3 separate domains – that was the easy part.

The hard part was that this application was installed as .EXE file rather than an MSI package (i.e. I couldn’t just script out msiexec /x…). While it did have an uninstall.exe file, this called the GUI uninstaller, and I wasn’t about to have someone go through and click ‘next’ ‘next’ ‘next’ for each one!

Many .EXE’s have CLI parameters you can invoke, so I started with the usual suspects:

  • uninstall.exe /?
  • uninstall.exe –?
  • uninstall.exe /help
  • uninstall.exe -help
  • uninstall.exe –help

None of these worked (it wouldn’t be post-worthy if it was that easy)!

Next, I went looking for any documentation that was available for the application – I had:

  • Googled the manufacturer for any documentation/examples – nada
  • Read all of the .txt files in the installation folder – zilch
  • Reviewed the .ini and .config files for clues, saw something vaguely useful – a reference to “NSIS” – tabled it and kept looking

Finally, I decided to use SysInternals Process Explorer to inspect the application:

  1. Run the application you want to inspect
  2. Open Process Explorer (as administrator)
  3. Find the application on the list
  4. Right click on the application and select “Properties…”
  5. Under the “Image” tab, you will see a field for “Command line:”

The Command line will tell you what commands/switches it runs. In this case, the uninstall.exe was running with the switch, “_?=C:\Program Files\[Application Name]”.

I decided to Google the switch itself, which lead me to the Nullsoft Scriptable Install System documentation. I was able to work out that the application used NSIS to create the installer/uninstaller package, and through that, found some examples, one of which (/S) runs the installer/uninstaller silently!

This was exactly what I was looking for! All I had to do was append the command with “/S”, and sure enough, it removed the application without any prompts or launching the GUI!

It just goes to show that persistence pays off, and a little time and effort can save your organization/client hundreds of hours of manual work.

Obscure Skype for Business desktop sharing issue

A colleague of mine reported an issue with Skype for Business where he was unable to either share his screen (or application or PowerPoint presentation), nor could others share their screens with him.

From the user’s side, clicking on the Present button allowed him to toggle what he wanted to share, which would appear to work – the border indicated “connecting” while the recipient(s) waited for the presentation to begin. After 30-40 seconds, the presentation error (…”the invitation has expired”) and time out.

If you encounter this issue, you can try the following registry hack, which worked for me:

  1. Open Regedit as an administrator
  2. Navigate to:
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  3. Add the following DWORD and value:
    MaxUserPort=0000x3a98 (15000)
  4. Reboot for the changes to take effect.

You can find more information about MaxUserPort and other TCP/IP registry settings here. This issue seems to be newly introduced with Windows 10 version 1809.

Blogging with Purpose

When I decided to create this blog, I did so with the expressed purpose of helping others (and myself) find answers that were difficult for me to come by. Either the information I wanted was scattered across several websites, buried deep in some forum, or worse still, phrased in an unclear or misleading way.

On very rare occasions, I’ve somehow managed to solve the problem and be the first (to best of my knowledge) to publish it! In my role, the emphasis is on proven technologies, so it isn’t often that I encounter an issue that’s so obscure that no one else has bothered to write about it.

Even after I’ve decided what to write about, I then will spend hours, sometimes days editing my article for spelling, grammar, readability and clarity. Not every article I write makes the cut, and I’ve got about a half dozen of these sitting in my queue that might never see the light of day.

As one might expect from this focus and model, I don’t publish many articles. I rationalize this by inferring that perhaps (content) quality is more important than quantity. But then how does an author define, “quality?”

That depends on the purpose of the blog. Some blogs are written to entertain, some for profit, others to inform while others still are a collection of seemingly random thoughts and ideas the author wanted to capture.

Does a Blog need an excuse?

For instance, suppose you’re an eccentric Welch change management consultant named ‘Rich’ with a blog whose URL suggests that it’s all about the intricacies of bovine partner-dance.

You could write about everything from social media, to technology to a badger you met on the way to the bathroom wearing a tiny badger-towel with “New Forest 1994” written on it (surprisingly, I’m not making this up – although you’d think I were given that that cheeky brit had since taken down the post it referred to)…

Whose Blog is it anyway?

Can we blog for the sake of writing? Why not!

Does every blog post have to contribute something useful to humanity? Certainly not. As Andy Leonard infers, one shouldn’t worry about what to write – time and practice will solve that for you – only that you write at all; Taking that first step.

So next time your Saudi-American friend’s eyebrow raises and suggests in an ever-so-slightly mocking tone, “You should blog about that…” Smile back and say, “Yes Yousef, I think I will!”

Disclaimer: No talking badgers, Welshmen or change management consultants were harmed in the writing of this post.

P.S. Rich, Stu and Adam – thanks for helping me retain my sanity and sense of humor in a time and place where both were hard to come by.