
Lately, I have been spending my time preparing and finally taking the GIAC Information Security Professional (GISP) and the Certified Information Systems Security Professional (CISSP) certification exams. I passed both. The exams are very different, though they cover the same material. I figured I would take some time to discuss my impressions and experiences.

What the Exams Cover

SANS Management 414, also known as SANS® +S™ Training Program for the CISSP® Certification Exam, prepares students for both the CISSP and GISP certification exams. The exams cover the 10 domains of the Common Body of Knowledge (CBK):

  1. Access Control Systems and Methodology
  2. Telecommunications and Network Security
  3. Security Management Practices
  4. Applications and Systems Development Security
  5. Cryptography
  6. Security Architecture and Models
  7. Operations Security
  8. Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
  9. Law, Investigations, and Ethics
  10. Physical Security

Reasons to Get Certified

People have many reasons to become certified. For personal accounts of why people pursued certification, see Stephen Northcutt’s interviews posted on the SANS “Why Certification Matters” area. My reason was based on DoD directive 8570. To quote the 8570 FAQ:

DoD Directive 8570.1 provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Information Assurance (IA) workforce. The policy requires Information Assurance technicians, managers, and members of IA specialties to be trained and certified to a DoD baseline requirement. The Directive’s accompanying Manual identifies the specific certifications mandated by the Directive’s enterprise-wide certification program.

Agencies covered by 8570 include:

  • Office of the Secretary of Defense
  • Military Departments
  • Chairman of the Joint Chiefs of Staff
  • Combatant Commands
  • Office of the Inspector General of the DoD
  • Defense Agencies
  • DoD Field Activities
  • All other organizational entities in the DoD

Any full- or part-time military service member, contractor, or local national with privileged access to a DoD information system who performs information assurance functions, regardless of job or occupational series, is affected by 8570. For fiscal year 2008, the goal was to fill a total of 70 percent of the Information Assurance positions with certified personnel.

Reducing Costs

There are two great options for reducing training costs through SANS. First is the SANS Work Study Program. The program allows the volunteer to pay a fee of $700, which is applied towards tuition and certification costs. The volunteer works the selected event and in exchange can attend the course and all other events at the conference (SANS@Night events, BoFs, Lunch & Learns, etc.).

Second is the SANS COINS program (see post “SANS COINS Program Can Help With DoD 8570“). The program offers anyone who is a member of OWASP, ISSA, ISACA, InfraGard, HTCIA, ECTF or another local security organization a 50% tuition discount for SANS @Home courses.

I have not seen other organizations pursue cost-cutting training alternatives. Unfortunately, some of the companies that need the most help will allocate little towards security training. I applaud SANS for offering people employed in poorly funded security groups a path to advance their security knowledge.

Training: SANS Compared to Authorized (ISC)2 Institute

SANS states that “over the past 18 months, 98% of all respondents, who studied our SANS® +S™ Training Program for the CISSP® Certification Exam and then took the exam passed; compared to a national average of around 70% for other prep courses.” While SANS does a great job of preparing students, I do have to wonder if the high pass rate is somewhat due to the quality of students that tend to attend SANS courses. Either way, SANS does a good job discussing the material that will be on the exam and providing helpful advice on how (ISC)2 will form questions for the exam.

I took the CISSP exam in Bushkill, PA. The Fernwood Resort was a great facility and the folks who ran the exam were very professional. Of the 30+ people taking the exam, all but three had attended an authorized (ISC)2 Institute “7-Day Accelerated Course Training Class” that week. The cost of $4,795.00 is considerably higher than what I could have paid. I talked with a few of the folks who took the course. They had five days of boot camp training, one day to decompress, and on the seventh day they took the exam.

I will confess, I am troubled by the idea of taking the exam right after training. The ITIL Foundation course also did it this way, but in that case the subject matter was not very challenging. I would never consider taking a SANS certification exam immediately after the course. Many SANS courses consist of six days in which huge amounts of material are tossed at you. I refuse to use the firehose imagery, having heard it too many times at SANS. It is not until I head home and start going over the material that the real learning occurs. Do not get me wrong, the SANS instructors are the best. There is just so much a person can handle before their memory banks overflow.

Having talked to the students of the class, it seems the authorized (ISC)2 Institute “7-Day Accelerated Course Training Class” is really about learning how to take the exam. Who better to help you pass than the people who wrote the exam? SANS does the same thing with their certifications, but SANS intends you to study. While the MGT 414 course gives good guidance on taking the CISSP exam, it also repeatedly stresses the need to go over the material and take many practice exams.

Preparation

Preparing for the GISP, like any SANS certification, involves studying your course notes. Take advantage of the practice exams. I know the exams are long. They simulate the five-hour exam and consist of 250 questions. I find the sample exams to be the most helpful learning experience. I travel once a month, spending sixteen hours driving. Having the SANS course on MP3 is most helpful. Dr. Eric Cole, developer of the course, lectures on the material. As always, he does a great job.

The GISP questions will be straightforward. For the CISSP you will need to be prepared for questions asked in very odd ways. I must refrain from discussing particular questions, though I really wish I could. There were several questions that simply annoyed the heck out of me. In areas where I am certified and know the subject matter quite well, I still at times had difficulty figuring out what exactly some of the questions were asking and how the choices fit the question. Many a question will require you to select the least annoying choice.

I studied using:

A book I did not use, but that is highly recommended, is “The CISSP and CAP Prep Guide” by Ronald L. Krutz and Russell Dean Vines. CCCure.org has some questions and answers from Krutz and Vines’ older book, “The CISSP Prep Guide.” Since the CISSP is being continuously updated, the older the book, the greater the chance it no longer accurately reflects the focus of the CISSP exam. For example, DITSCAP/DIACAP is no longer tested while the PCI standard may be.

The CISSP exam is all about getting used to being asked questions in odd ways. Practice by going over questions. It is important to know the material, but you don’t need to know it that well. After taking the exam, I was annoyed by all the stuff not asked on the CISSP exam. I felt that about 70% of what I studied was never touched. The exam failed to ask about many of the details I memorized. There will be some detail questions, but not as many as one would expect. I would recommend being familiar with the details but not getting hung up on memorizing them. With respect to the GISP exam, you will be able to look up the details since it is an open-book exam.

The Exams

Time is not your enemy. There is plenty of time to complete either exam. I have heard people talk about trying to prepare physically to take a six-hour exam. This is not a Rocky movie. We are IT people who work in front of a computer all day and frequently work late into the night. I do not see how a six-hour exam would be more taxing. You will likely finish well before six hours. Take your time, and make sure you take breaks, stretch a bit, and get something to eat or drink from the back of the room. If you are a caffeine addict, caffeine gum is your friend. Physically enduring the exam really should not be a problem.

Dr. Eric Cole stated:

Most people think of the exam as knowing the technical knowledge; however, that is only one piece. In my estimate 70% of the exam is technical knowledge, 20% is thinking like a CISSP and 10% is knowing how to take an exam. It is all three of these pieces together that allow people to take the exam and pass. If you take the course you are going to be worked very hard, but at the end the results and knowledge are all that matter.

It is difficult for me to gauge whether those numbers are right. A colleague of mine used to tell me, “you could take the exam and pass without studying.” If anyone tells you that, they are just setting you up for failure. The CISSP is all about thinking like (ISC)2 wants you to think. The more you know, the more problems you will have with the questions. Learn to let your issues go and provide the answers (ISC)2 wants. I felt like 50% of the CISSP was knowing how to think the way (ISC)2 wanted.

The GISP exam is a five-hour exam with 250 questions. The questions covered the 10 CBK areas well. I am not one who enjoys memorizing information that I will not remember the day after taking the exam. I have always liked the SANS open-book approach. It tends to keep the questions focused on the ideas behind security. If you do not know the material going into a SANS exam, there is not enough time to figure it out during the exam.

The CISSP was a more difficult exam, because of the odd way the questions are phrased. I have yet to decide if this is a good or bad thing. Many people in business, who are not exactly sure what they are talking about, will fuse together different terminologies. You will need to discuss security concepts with them. Being able to do mental gymnastics and figure out what others may be talking about is a valuable ability. While I disliked the questions, I can see their merit. In the end, it was a valuable experience to go over a large number of practice questions.

The CISSP method of having students take the exam with pencil and paper should be changed. There is no value to this method. I was fortunate in that my results were reported in 10 days. A coworker had to wait two months for his results. The SANS method of providing immediate feedback on whether your answers were right or wrong is a much fairer test methodology. With any wrong answer on the GISP exam, you know immediately. The exam itself is a learning tool revealing gaps in your knowledge. I will never know which questions I got wrong on the CISSP exam. When I completed the CISSP exam, I did not feel I should have studied certain areas more. I just felt like I had spent too much time studying the material and should have spent more time on CCCure.org.

Privacy and Openness

This post claims I am a CISSP. How do you know? SANS GIAC certifications are easy to confirm. Go to the GIAC website and search by the name “Gerber.” You can see my test scores and any papers I have written. Knowing that my test score will be published motivates me to not only pass, but to get a good score. SANS operates in a very open manner. On the exams, you are shown the results of the question immediately. This allows you to later argue questions you felt were bad. I know people who have argued about questions and their efforts resulted in the questions being changed. That helps improve the questions.

(ISC)2 does not allow you to verify certification without the person’s “Member ID/Certification Number.” You will not learn your test score unless you fail. You will also never know which questions you answered incorrectly.

Final Thoughts

If two people were applying for a job, and one was a CISSP and the other was a GISP, neither would be at an advantage in my book. Both exams test the same material in very different ways. The GISP exam does a better job testing the test taker’s knowledge of the 10 CBK areas. The CISSP exam, because of how the questions and choices are phrased, will cause the student to study more.

People working for DoD, or any of the above agencies, will likely benefit more by becoming a CISSP. The CISSP is a more widely recognized certification. While I question the number of quadrants DoD directive 8570 places the CISSP in, I do hope DoD will come to recognize the GISP certification. No system is perfect. I am glad DoD is working through commercial certification programs rather than trying to develop their own.
