How I Passed the CISSP Exam

Give the Acclaim badge above a click to verify I’m not a giant liar and actually a CISSP

This year I decided to invest in some industry certifications to complement the experience I had gained over my career. After taking part in events run by the awesome ISC2 North East England chapter and seeing the value that the CISSP and (ISC)2 provide, I decided that the CISSP would complement and add depth to the CISM which I completed earlier in the year.

This is how I passed the exam and what I think you’ll need to pass too. Note: I will not share any of the exam content, just some great tips and resources that massively helped me. Use these resources and you’ll be able to tell your Bell-LaPadula from your Clark-Wilson in no time.

The Exam

Before I get to the good stuff, I thought it’d be a good idea to tell you a little bit about the exam. You’ll have to take it at a local Pearson VUE test centre, and (ISC)2 requires some extra security procedures to ensure the integrity of the exam. The exam covers the eight CISSP domains and you have three hours to complete it. There are a maximum of 150 multiple choice questions, but you can pass or fail at 100. I passed at 100, but if you find yourself answering question 101 don’t worry too much, as the vast majority of people I’ve spoken to who have taken the test went past 100. Remember that after you’ve taken the exam you’ll need to have five years of infosec work experience endorsed by a current CISSP and agree to the CISSP code of ethics.

Study Materials

I don’t find intense bootcamp courses very helpful, so I decided to use books and online learning resources. A lot of people I’ve spoken to say that ‘sixteen weeks is the sweet spot for home studying’, but I gave myself twelve weeks. I’ve included the list of resources I used, complete with affiliate links, in the hope that next year I’ll be writing a post titled ‘How I Bought a Ferrari From CISSP Affiliate Links’.

The Official (ISC)2 CISSP Study Guide and Practice Tests – Sybex

The official Sybex study guide contains the entire body of knowledge that you will be tested on. It’s comprehensive and extremely thorough, but it’s dry as hell. This isn’t a book to sit and read on a quiet night; I used it as a reference resource to dive into subjects that I wasn’t clear on. The practice test book is good for identifying weak points and for having someone else test you.

Essential CISSP Exam Guide – Phil Martin

This book is worth its weight in gold. I purchased both the audiobook and the Kindle version. Any time I was in the car I was accompanied by the audiobook, with Phil Martin himself reading his clear and easy to digest guide to the body of knowledge. Where the official Sybex book can be quite dry reading, this is a lot easier going. I listened to the audiobook twice through during commutes and road trips.

Eleventh Hour CISSP: Study Guide – Eric Conrad

This book is the CISSP equivalent of Homer Simpson’s famous make-up gun: it’s just going to fire all the content at you quickly. It covers each of the core concepts in the CBK at a very high level and is great to use as a resource to identify any weak areas and remind you of little details you may have forgotten. Use this with the Sybex guide to expand on those areas. I read this cover to cover twice in the two weeks leading up to the exam.

CISSP Accelerated Course – ITPRO.TV

http://ssqt.co/m5fBjnL – Sign Up to ITPRO.TV here!

This course takes about thirty-three hours to complete, but it’s quite fun to watch. The material is presented by uber-pro Adam Gordon, whose entertaining nature helps keep you awake. Each episode is around half an hour long, which makes them perfect to watch whilst eating lunch at work or during the evening via a smart TV app. The quality of the video material is amazing and the downloadable material is a great help. I highly recommend this gem. Adam Gordon also gives daily CISSP test questions via his Twitter.

Pocket Prep with Mobile App

https://www.pocketprep.com/exams/isc2-cissp/

The Pocket Prep app is another good way to quickly work out where your weak points are. I purchased the full 700 question set and took mini exams whilst on the couch and just before bed. The app also gives you explanations for the correct answer, which I found incredibly useful.

ExSim-Max for CISSP – Boson

https://www.boson.com/practice-exam/cissp-isc2-practice-exam

This resource is a must. The Boson questions and software (Windows only) are the closest representation of the final exam you’re going to get. I used this as a study resource for the last week, taking full 150 question exams so that I was fully conditioned for the exam process.

Community

Studying with others who are taking the exam or have taken the exam is also really helpful.

https://community.isc2.org/t5/Chapters/bd-p/Chapters – Find your local (ISC)2 chapter and chat to members at events.

https://www.reddit.com/r/cissp/ – The CISSP Sub-Reddit is full of others studying.

https://discord.gg/k5QsWmT – This Discord server is also full of people studying and people who have passed and happy to pass on tips.

Some studying tips

If, like me, the last time you studied for anything was years ago, it can be a little daunting to face something as vast as the CISSP material. Here are some tips and techniques that I found useful:

  • Create a study timetable with clear milestones so you know you’re on track.
  • Learn how to use ‘memory palaces’ to memorise areas with lots of complex material. https://m.wikihow.com/Build-a-Memory-Palace
  • Use mnemonic phrases to remember ordered lists, e.g. the OSI model from layer 1 to 7 can be remembered using the phrase: Please Do Not Throw Sausage Pizza Away (Physical, Data Link, Network, Transport, Session, Presentation and Application).
  • Take days off. Getting through the material doesn’t necessarily mean you’re processing and understanding it. Make sure you get good amounts of sleep, take proper breaks and actually talk to other humans.
  • Write it up, type it up. Use an old school pad and pen when making your notes as you study, then make time to type them up into a note taking app. Repetition will help you absorb the material, and typing the notes up will make them easily searchable.

Advice on Taking the Exam

The night before the exam – stop studying and relax. If you don’t know it at this point it doesn’t matter. If you fail the exam the world will continue to turn. Chill out, spend time with friends.

The morning of the exam you should definitely watch Kelly Handerhan’s ‘Why you will pass the CISSP’ video. It’s almost bad luck not to watch it.

Once you are signed in and taking the exam, most people report the same experience: you’re convinced you’re not getting any of the questions right, you’re unprepared and none of these questions are close to any of the hundreds of practice questions you have done before. Stop, take a breath and think about what the exam is trying to accomplish. A CISSP should be able to tackle situations armed with the body of knowledge. Sometimes all of the answers will seem correct, so choose the least wrong answer. I found it very helpful to re-read the question and visualise the scenario happening in my own workplace and what action I would take in the real world.
Which brings me to my last piece of advice: read the question, read each of the answers, then read the question again. Imagine you are a lawyer trying to decipher a contract and look for specific words like ‘least’ and ‘most’ in the questions to help guide your decision making.

Good luck! Do not underestimate how difficult this exam is; take your studying seriously and you’ll ace it. I’m happy to answer any questions over on my Twitter.

The wonders of ISO/IEC 27001… Why you should think about implementing it in your SME.

I thought it would be a good idea to put together a series of short articles championing the value of ISO/IEC 27001 for people with little to no experience of information security, written in plain English so it can be read over a cup of coffee.
The threat of cyber crime is increasing for organisations of all shapes and sizes. Hopefully this series of articles will help you make good decisions on how best to protect your organisation, employees and clients from that threat.

Here goes!

The chances are, if you’re reading this, that you’re either a senior manager whose IT person is banging on about security, or an IT person who has had a frantic email from a ‘higher up’ asking what the company is doing about cyber security. You could just be fed up with answering client RFIs with something that sounds right-ish and not really sure where to start when implementing ‘information security’ in your organisation.

Firstly, we should stop using the term ’implementing security’. You need to establish an information security management system (ISMS) in your organisation.

What’s an ISMS?
An ISMS is the set of policies, controls, procedures and audit methods for managing the CIA of data in your organisation. (Acronym hell exists even in information security.)

What’s the ‘CIA’ of Data?
Don’t worry I’m not talking about secret agents, we are referring to the Confidentiality, Integrity and Availability of data in your organisation.

Now we’ve established what the purpose of an ISMS is, how do you build one? You can go rogue and build something without any guidance, but there are some pretty solid standards out there, and this series is about ISO/IEC 27001:2013.

ISO/IEC 27001 is part of the ISO/IEC 27000 family of standards, which is published jointly by the International Organization for Standardization and the International Electrotechnical Commission. The standards are developed in consultation with some of the best security minds in the business, and they are well recognised by most large businesses.

A live look at the creation of the ISO/IEC 27001:2013 standard by the Council of Elders

The standard can help give clients, investors, insurers and anyone involved with your organisation the confidence that the implementation, monitoring and improvement of information security is taken seriously by the whole organisation.

It’s important to note here that this isn’t something that can be implemented and maintained by a couple of people who have ‘Security’ in their job titles. It’s vital (and a requirement of the standard) that every person in the business is engaged and responsible for information security, and this responsibility starts at the highest level of management.
The highest level of management in the business needs to be supportive, set objectives and be actively involved in the ISO 27001 programme for it to succeed. Should you decide to get certified, auditors will need to see evidence of top level participation; it’s a requirement of the standard (clause 5, Leadership, in ISO/IEC 27001:2013).

I’ll talk a little more about what the standard looks like in my next post. Stay tuned!

iOS 11 in the Enterprise

After wading through the WWDC content from a couple of weeks ago, I thought I’d give a quick update on what Apple are giving enterprise customers with iOS 11, due in September this year.

It’s so exciting to see… wait for it….

WIFI IMPROVEMENTS ON KIOSK DEVICES.

LOWER BANDWIDTH UPDATE IMPROVEMENTS

FULL APPLE TV DEP FEATURES!!

Yep – boring.

Most of the new management features that came out of the WWDC device management lab centred around education again. However, the iOS 11 update brings some great opportunities for business that you won’t see in your MDM vendor’s three hour webinars.

Apple are opening up the NFC chip… kind of.

This opens up a whole new set of applications that businesses can use their shiny mobile devices for. In large corporations the ID card is king, giving access to buildings, desktop IT equipment and even in-house payment terminals in cafeterias. Paired with BLE beacons, this could finally allow large businesses to ditch the lanyards and use phone based authentication systems, which are more secure; think ‘Touch ID’ authorisation to enter certain rooms. One caveat: the Core NFC framework in iOS 11 only lets an app read NDEF tags while it is in the foreground, with no card emulation, so the phone cannot simply impersonate an existing access card; the reader side has to change too.

Augmented Reality

No, it isn’t a Jamiroquai album. Apple is building new APIs (ARKit) into iOS 11 to help developers take advantage of the augmented reality capabilities of the hardware. For corporates this could mean interactive digital signage in buildings, visual meeting aids in presentations or nice interactive 3D infographics for product and data science teams. It’s the next step before Apple eventually enters the VR headset arena, and the new support for HTC Vive devices in macOS High Sierra points the same way.

Metal 2

Direct access to the graphics hardware has been provided through the new Metal 2 APIs, which aren’t just for games. Machine learning and proper number crunching can take place right in the pockets of corporate employees. Why spend money on AWS elastic compute when you can distribute the processing over the idle devices you control?

Productivity!!

Cool new drag and drop, super low latency refresh rates on the iPad Pro and the Files app give the iPad Pro a boost as an everyday productivity device. Apple Pencil will work great with the new refresh rate, and the new middle ground screen size will go a long way to persuading users to ditch the laptop and work on an iPad Pro.

Can Blockchain help our staff work on documents on their preferred platform?

Those who have been involved with rolling out iOS devices in regulated industries have typically encountered massive problems with securing documents on devices.

Shoe-horning some third party editing software into a corporate mobile offering has been OK until now, allowing users to quickly reference content instead of creating it; but with the introduction of the iPad Pro and accessories purposely created to encourage users to perform actual day to day work on their devices, we see that users would still rather send documents to their personal email accounts and use the tools they know and love to get work done.

For information security departments in regulated companies this scenario is a nightmare: if the regulator comes knocking for a full audit trail of a confidential document that has ended up for sale on the dark web, then only part of the story can be revealed.

I think that blockchain technology could help users and infosec departments have their cake and eat it when it comes to document data retention. Imagine being able to send documents using any method and being able to track every time the document had been sent and audit that information.

A very simple flowchart to describe how this might work…

Microsoft are thinking about this problem already, as evidenced by their ‘Azure RMS’ product *which must really piss off Richard Stallman*.

The main problem that I can see with the Blockchain document auditing process is that if someone wanted to leak the document content, they could just copy/paste it into something that isn’t going to connect to the blockchain to register the transfer of content.

So why do it?

Let’s say Microsoft set up a blockchain network, opened it up and encouraged all legitimate software platform developers to implement the transaction protocol in their products. It could then allow people to simply email their work home and use their favourite operating systems, personal devices etc. to get their work done in a productive way. There would be a ton of bugs to work out, specifically how we could stop the data leaking, but I would love to see how this technology can help corporate users be more productive by using their personally owned software.

How many miles per gallon does the average human get?

I wondered: if we measured the energy efficiency of humans the way we measure it for cars, how efficient would a human be?

We casually measure how efficient a car is in miles per gallon of petrol, so let’s see how many MPG humans get.

So firstly we have to make some assumptions.

Cars eat petrol; it’s their favourite, unless they are the ‘vegetarians of the car world’ and eat diesel or LPG. We don’t have to assume this.

Humans can’t eat petrol. Let’s just assume that petrol is amazing, we can digest it, and Starbucks will sell you a nice ‘gasaccino’.

Let’s find our average human, the equivalent of the ‘Volkswagen Golf’ of the car world.

After reading a lot of ‘The average UK male is:’ articles from various crappy newspapers, I’m going to assume that the average person is:

Male, 30 years old, weighing 12 stone 10 pounds, 5 ft 10 in tall and in a reasonable state of health.

First we need to find out how much energy in kcal this human uses just by being alive in a day. This is called the BMR (Basal Metabolic Rate) and can be worked out using the revised Harris-Benedict equation for men:

BMR = 88.362 + (13.397 x weight in KG) + (4.799 x height in cm) – (5.677 x age in years)

In this case the BMR for our human is 1,852.98 kcal.

At this point I’ve started to realise that being British is a pain in the arse, we have a messed up system where we measure some things in imperial measurements and some in metric.

Now we need to work out how many calories our human will burn whilst running for 1 mile. At this point I want to give our human a name. According to the internet the most popular name for boys in 1985 was ‘Michael’, so that’s how we’ll now refer to our human.

We need to know how long it will take Michael to run his mile. According to running websites the average pace for a normal person is 8 minutes per mile. This means he’ll be running at a speed of around 7.5 mph.

To work out how many calories Michael will use when running his mile, we need to know how much energy Michael will be metabolising whilst running. The measurement for this is done in METs (Metabolic Equivalent of Task). According to ‘The Compendium of Physical Activities, 2011’, running at 7.5 mph uses 11.8 METs.

According to the good people at Casio we can work out the amount of calories Michael uses during his run with the following equation:

Kcal = BMR x METs/24 x hour

Rounded to the nearest calorie, Michael will burn 121 kcal whilst running 1 mile, and it’ll take about 8 minutes.

The internet tells me that petrol has an energy density of 32.4 MJ (megajoules, not Michael Jacksons) per litre. Google converter is absolutely sure that 1 MJ = 238.85 kcal.

So 1 litre of petrol = 238.85 × 32.4 = 7,738.74 kcal

Google converter is also insisting that 1 imperial gallon = 4.55 litres, which means in one gallon of petrol there are 35,211.27 kcal (but no carbs so it’s ok!)

Now we need to simply work out:

Calories in a gallon of petrol / calories that Michael burns running 1 mile in 8 minutes (at 11.8 METs)

Which is… 291 

If Michael, our 30 year old man who weighs 12 stone 10 lb and is 5 ft 10 in tall, runs at a speed of 7.5 mph, then he gets 291 MPG of petrol.

The BBC fuel price calculator thinks that the average UK price of petrol is currently £1.14 a litre.

So for Michael to run his mile, he’ll need to spend a grand total of 1.8 pence.

It would cost Michael..

1.8 Pence to run 1 mile.

£14.62 to run from Lands End to John O’Groats (using the preferred Google maps walking route)

£448.22 to run around the world in a straight line on the equator.
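As an added worked example (not part of the original post), here is the whole chain in Python, so each unit conversion and rounding step is visible and the figures above can be reproduced. All inputs are the post’s own; the route distances of 812 miles for Land’s End to John O’Groats and 24,901 miles for the equator are assumptions inferred from the post’s totals, not figures the post states.

```python
# Added worked example: the human-MPG calculation carried through in code.
# Inputs are the post's (12 st 10 lb, 5 ft 10 in, 30 years, 11.8 METs at
# 7.5 mph, 32.4 MJ/L, 238.85 kcal/MJ, 4.55 L/gal, £1.14/L). The route
# distances at the bottom are assumptions inferred from the post's totals.

LB_PER_STONE = 14
KG_PER_LB = 0.45359237
CM_PER_INCH = 2.54


def harris_benedict_bmr(weight_kg, height_cm, age_years):
    """Revised Harris-Benedict BMR for a man, in kcal/day (the post's equation)."""
    return 88.362 + 13.397 * weight_kg + 4.799 * height_cm - 5.677 * age_years


def kcal_for_activity(bmr, mets, hours):
    """kcal burned over `hours` at `mets`, using Kcal = BMR x METs / 24 x hours."""
    return bmr * mets / 24 * hours


def kcal_per_gallon(mj_per_litre=32.4, kcal_per_mj=238.85, litres_per_gallon=4.55):
    """Energy content of one imperial gallon of petrol, in kcal."""
    return mj_per_litre * kcal_per_mj * litres_per_gallon


def michael():
    """Carry the post's numbers through: BMR, kcal per mile, MPG and pence per mile."""
    weight_kg = (12 * LB_PER_STONE + 10) * KG_PER_LB   # 12 st 10 lb -> kg
    height_cm = (5 * 12 + 10) * CM_PER_INCH             # 5 ft 10 in -> cm
    bmr = harris_benedict_bmr(weight_kg, height_cm, 30)

    pace_min_per_mile = 8                               # 8 min/mile = 7.5 mph
    mets = 11.8                                         # Compendium value for 7.5 mph
    # The post rounds to the nearest calorie before dividing, so we do too.
    kcal_per_mile = round(kcal_for_activity(bmr, mets, pace_min_per_mile / 60))

    mpg = kcal_per_gallon() / kcal_per_mile
    pence_per_mile = 1.14 * 4.55 * 100 / mpg            # £1.14/L x 4.55 L/gal, in pence

    return {
        "bmr_kcal": round(bmr, 2),
        "kcal_per_mile": kcal_per_mile,
        "mpg": round(mpg),
        "pence_per_mile": round(pence_per_mile, 1),
    }


def cost_for_miles(miles, pence_per_mile):
    """Cost in pounds to run `miles` at `pence_per_mile`, rounded to the penny."""
    return round(miles * pence_per_mile / 100, 2)


if __name__ == "__main__":
    result = michael()
    print(result)
    # Assumed distances, chosen to reproduce the post's totals.
    routes = (("Land's End to John O'Groats", 812), ("Around the equator", 24901))
    for name, miles in routes:
        print(f"{name}: £{cost_for_miles(miles, result['pence_per_mile']):.2f}")
```

Because the post rounds 121.47 kcal down to 121 before dividing, the unrounded figure would give about 290 MPG rather than 291; the code keeps the post’s order of operations so the numbers match.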

It’s already been pointed out to me that it may be a little sexist of me to base these calculations on the assumption that the average human is a male. I think we all know that men will be more likely to drink petrol should the option be available.

Some figures are rounded up/down to make sense… I know that Michael’s BMR is based on him not doing *anything*, not even sitting on the couch watching TV.

My 15 Minutes with the Apple Watch

I was lucky enough to grab a 15 minute try on appointment at the Apple Store in Regent Street, and thought I’d share some thoughts about my brief experience with the watch.

Firstly, it’s better in person than what you’ve seen in photos and videos. The interface is snappy and intuitive and naturally controlled via the touch screen and the digital crown.

The Taptic feedback feels really cool, like magic (those with a 2015 13″ MBP: yeah, it’s just like the trackpad).

Apple are going to sell millions of these, and it becomes obvious very quickly that this thing will replace the iPhone one day.

It’s really a personal device. For those in enterprise who are struggling to define BYOD/COPE strategies, this watch is going to give you nightmares when your users start to ask for it. Salesforce are releasing an app for release day.

I’m excited to start building apps for this thing!

Some answers to questions I’ve been asked:

Sport vs Steel vs Edition

There is definitely a jump in quality between the sport and steel versions of the watch. The polished metal looks great and really shows off the detailing on the digital crown. The Edition is a piece of fine jewellery, the gold is just… golden!

Screen & Size

Just like celebrities, they look smaller in person. The Retina display is just great; the blacks are deep, ink-like blacks and the graphics are crisp, bright and sharp. You can’t spot a pixel.

Bands

Fluoroelastomer (Rubber)

This band does not feel cheap and nasty (as I imagined it would); it feels durable, like a premium product.

Milanese Loop (Mayonnaise Loop)

The photos don’t do this band justice; it is lovely. It’s very light, feels like fabric made from metal, and feels very secure on the wrist for something that is held in place by a magnet.

Leather Magnet Loop

The only band I didn’t like. It feels lumpy. That is all.

Steel Link Bracelet.

This is the best band of all. It feels premium and has some weight to it. The clasp feels like it was made to standards I haven’t seen in a watch before.


Choob App for iPhone – A Side project

I came up with the idea for Choob whilst standing on the eastbound Central line platform at Bank station. I’d been standing there for about 45 minutes and the station was at bursting point. I connected to the free wifi to check the TfL website, only to see that the Central line had a ‘Good Service’.

I immediately checked Twitter and found fellow commuters also stranded on platforms all complaining about the delays.

So I created Choob – an app that listens to social media to find delays on the London Underground.

The backend runs on a component that I’ve developed, named ‘The Winge Engine’, which listens to social media to find tweets about the London Underground and then tries to understand those tweets to figure out whether delays are occurring.

It’s currently free on the Apple App Store… check it out 🙂

Choob – App Store https://itunes.apple.com/gb/app/choob/id892232960?mt=8

Dear Amazon, Please Kill TicketMaster.

‘A band you follow is touring in your area!’ catches my attention from the corner of my eye as a push notification appears on my computer desktop.
I’ve been waiting for this band to return to London for a while, and after a new single release earlier in the year my hopes of a tour coming to fruition had been getting pretty high over the last couple of months. You would think that I’d be excited, but you’d be wrong.
A dark feeling rises from my stomach; I can taste the dread caused by the excruciating experience this tour announcement ultimately means. I’m going to have to go to TicketMaster.co.uk.
Over the years I don’t think I’ve had one good experience with this godawful company. Pick a couple of the following points and you will have a typical TM experience:
  • Website is down
  • Website is overloaded
  • Charge you a mortgage of a typical 3 bedroom house to get your tickets mailed to you
  • Charge you a mortgage of a typical flat to get the ticket emailed to you
  • Make it impossible for you to regain access to an account with lost details
  • Make it impossible to create a fresh account because your grandma’s neighbour’s dog has an account that contains a bit of information similar to yours
  • Send you your tickets 4 milliseconds before the event starts
  • Provide so many Turing tests that you’ll actually convince yourself that you’re a robot
I think you get the point.
If only there was a company that not only copes with selling third party goods by the million and can cope with obscene amounts of web hits, but still provides the best shopping experience on the web.
Amazon, please start selling tickets to music, sports and theatre events, and show TicketMaster how it’s done.

Let’s Stop Making Faster Horses

The demand for consumer devices to access internal corporate systems is very strong. This is helping to evolve ‘work anywhere’ initiatives in companies, giving employees the freedom that comes with not being tethered to a desk.
An observation shared among most IT departments is that, despite being able to secure data and applications, creating new content on these devices sucks. And they are right.
In response to this feedback Microsoft have created their Surface tablet, which gives IT departments the comfort blanket of using the Windows environments they have invested millions of pounds in, but no one knows what the hell the device is. It’s a laptop and a tablet, but it’s a crappy laptop and a crappy tablet.
Infographics and reports are coming from IT managers and MDM/MAM providers declaring that tablets are ‘consuming’ devices that aren’t suitable for creating content, and I don’t agree.
We are still trying to shoehorn the desktop way of creating content into tablets, with software that was designed to work with a monitor, mouse and keyboard. Citrix are trying to deliver virtual applications with mobile friendly skins, which delivers a solution that ignores the feature sets gained with tablet devices.
When you really think about it, a word processor is still a glorified typewriter.
 “If I had asked my customers what they wanted they would have said a faster horse”
Henry Ford (Apparently)
I’m convinced word processors and office applications are the ‘faster horses’ of the computing world.
It takes a little imagination to picture creating content with voice, gestures, location and the other capabilities our new devices give us. It may seem strange, but if you look at the way we still create content for digital consumption using traditional office suites, a virtual piece of paper on a screen, then it makes sense to find a more modern way of working. All we’ve done is create a typewriter that allows you to save documents and delete your mistakes.
Business applications on the iPad need to be radically redesigned. We should be finding innovative ways to create content as opposed to awkwardly using ported versions of desktop software. A great example of someone doing this is the team at Roambi, a data visualisation tool: by pulling in lots of data sources, users are able to manipulate and create visual representations of data rather than the strange Excel document manipulations being offered to users in most businesses.

Mobile Networks & The Internet of Things

‘The Internet of Things’ is one of the hottest topics in tech right now, and for good reason. The idea of objects and appliances being able to connect to the Internet has some really exciting applications. We’ll be able to control our appliances when out of the house, keep secure and safe with smart alarms and, of course, there’s the fabled ability to have meals ready when we walk through the door after a long day.

Connecting these devices to an account, pairing them with a phone and then connecting to a home WiFi network is a pretty crappy experience at the moment. WiFi passwords are complex and typically live on the back of a router that sits behind a bookcase or some other obstacle.

There are solutions out there that require a base station, but why should we have to do this when 99% of the UK is covered by GSM connectivity? There are products and ideas that would be much better suited to 3G/4G connectivity: products that operate outside the reach of our home wireless connection.

Eighteen months ago I tried to create ‘Rocko Collar’, a pet collar that used the GSM network to transmit the exact location of your pet and show it in a mobile app. I wasn’t the first to try this, but I set out on a mission to do it right… and ran into the same problems as similar projects.

I have come to the conclusion that there are two fundamental reasons why people won’t buy connected products that rely on mobile networks:

1. They are too expensive, because the manufacturer has to cover the cost of the mobile contracts.

2. Cheaper products come with a monthly subscription.

When building Rocko Collar I originally dealt with two mobile networks in the UK, EE and Telefónica, and both could only offer a solution based on a monthly line rental fee per registered device. This way of doing business creates some difficulties for manufacturers, as it’s difficult to estimate the life span of a product in order to absorb the cost in the RRP, or to convince customers that a monthly fee is a good idea. People aren’t used to paying a monthly fee to use something like a pet collar, a kettle or a thermostat. Some might say that a £5 monthly fee to use a connected device isn’t really that much but, in time, connectivity in our appliances will become an expected feature and those monthly fees will soon rack up.

So what is the answer? Quite simply, mobile networks need to leave the Stone Age. The days of charging a fixed line rental cost per little plastic SIM card need to be put behind us. Mobile networks should be able to offer packages that meet the needs of businesses building products where connectivity is a non-visible feature. If manufacturers are able to provide mobile networks with an estimated life span of the product, how many units they aim to sell and what network resources they will use, the mobile networks should be able to offer a blanket billing plan based on actual usage instead of line rental and allowances. They may not make as much money as they would like, but it would give the tech industry a massive incentive to create all sorts of devices that will ultimately become a key revenue stream for mobile operators.

However, I realise I may be asking a lot from an industry that still believes using your mobile device in another country warrants a 25000%* mark-up fee.