CISSP exam tips and tricks: Top test-taking strategies | Cyber Work Hacks

Released Friday, 15th March 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements, may have changed.
1:10

Hello again. Infosec and Cyber Work Hacks are here to help you pass the CISSP exam. Today's hack is part two, so I encourage you to go back and also listen to part one of Steve Spearman's CISSP exam tips and tricks. In part two, I pass the mic to Steve and he gives you his top five test-taking strategies for the CISSP. What is the Sesame Street rule? How does CISSP feel about absolutes? Keep it here and you'll find out all that and more on today's part two of this week's Cyber Work Hack.

1:44

Hello and welcome to a new episode of Cyber Work Hacks. The purpose of this spin-off of our popular Cyber Work podcast is to take a single fundamental question and give you a quick, clear and actionable solution, or a new insight into how to utilize Infosec products and training to achieve your work and career goals. So this is part two of a hack that just appeared on your feed, probably just before this one here. I've been talking with Steve Spearman about his tips and tricks for taking the CISSP exam. If you haven't listened to part one yet, please do so. We talk about why the CISSP is such a challenging exam to take, what are some of the most common mistakes that people make, either leading up to the exam or on the day, things to do if you pass, things to do if you fail. But Steve let me know at the end of that that he has lots more advice for you on taking the CISSP, and more tips and tricks in the moment. So I'm just going to kind of give this over to Steve Spearman and say, Steve, could you give us some more of your tips and tricks for taking the CISSP?

2:42

Love to, absolutely. So in part one we covered two of the tips, which are: take your time, most important. Second is get in the habit of eliminating wrong answers as you're taking the exam. The other thing, too, is look for absolutes. This exam does not like absolutes, unless it's asking for a negative. So let me give you an example. Let's say you have a question that says Sally is the new CISO for ABC Corporation. In her role, what should she focus on? And C, the answer C, says eliminating all risk. So words like all, always, never, only, those are absolutes. This exam does not like absolutes. You cannot eliminate all risks. So C is not the answer. Okay, reshift your focus. Now, what if it says which one of the following should not be a priority for Sally as the new CISO? And C says eliminate all risk. Can you see how, in that context, C is correct? It is not something that she should focus on. It's not possible for her to eliminate all risks. So look for absolutes. This exam does not like absolutes. Look for only, must, always, never. You know, you've heard the whole marriage "you always, you never," the marriage counseling thing, "you always, you never." It's like this exam doesn't like those things either. Marriage counselors don't like it. ISC2 doesn't like it. Okay, so look for absolutes. It doesn't like it, unless it's asking for a negative.

4:27

So the other thing, too, is what I would call the Sesame Street principle. That is, if you have a question where three of the four are kind of categorically the same but one is different, it's not... it's set. The Sesame Street principle is from the oldest thing: which one of the following is not like the others, Sesame Street? So let me give you an example. You know, a question, we won't even say what the question is, is yada, yada, yada, blah, blah, blah, question mark. And it says something like, here are the following answers: A, EIGRP; B, OSPF; C, DNS; and D, RIP. Okay, now, those are all sort of technical terms. You may or may not be familiar with them, but the thing to note is A, B and D are all routing protocols. They're all routing protocols. You would become familiar with those during the bootcamp, but the point being is that the answer is most likely DNS. It's the one thing that's not a routing protocol. Very useful trick to sort of think about. If you have answers that are categorically the same, most likely they are not the answer. Look for the thing that's not like the others. It's called the Sesame Street Rule.

5:55

The last thing is what I call doing the algebra, and this is actually, attending the bootcamp, we'd actually practice this in a lot of different ways, but it contains within... I'm not a math person, but it's like, I do remember this from my algebra days. If you have an algebraic equation that has the same integer on each side of the equals mark, Chris, do you remember? You remember what you can do with those things? You can eliminate them, right? You can mark through them. They have no relevance on the thing. So what you'll find is some categories of questions that reuse sort of the same thing in like a list. For example, it might say, what are the things that you... what are some ways that encryption can be used? It might list confidentiality, non-repudiation, blah, blah, blah, but it might have confidentiality in all four of the answers. Well, you know, it doesn't have any relevance to the answer, and this idea is something... there are different ways that it can help you break down questions really quickly. So it's like learning. It's something you can practice. Again, in bootcamp, we actually get more into, like, understanding this principle, but it really does manifest itself. And just being aware that if something is in all the answers, it doesn't have any relevance. It can help you quickly break down the question to the components within the answers that are going to impact, you know, whether it's right or wrong.

7:26

And then, lastly, is what we call the golden words. The golden words are words that, you know, 75, 80% of the time, if they're in one of the answers, it's likely the right answer. Remember, this is a management exam, so this is words like business or organization or whatever. So business strategy, business goals, you know, business objectives, business risk, basically business anything. Good chance it's the answer. Risk. Risk is a concept we really dig into. This is a risk management exam and it's kind of the highest order thing that we care about. Do we care about threats? Sure. Do we like vulnerabilities? Absolutely, but mostly we care about those things because they tell us what our risks are. So if you see a question where it says threat management or risk management, the answer is risk management. We care about threats, but mostly because they inform us about what our risks are. I give a nice succinct definition of risk in the bootcamp, but, you know, risk is related to threats and vulnerabilities, and that's the highest order thing that we care about. Change management. Change management is often the answer, and it's even more so than the others that we talked about. It's like, if it's the only answer in a question, there's really like a 90% chance that it's the answer.

9:02

So can you break down the idea of change management a little bit?

9:05

Well, change management, of course, is the concept that when we're undergoing some changes, often referred to in software development, but in any context we want to make a change, policy, things like that, you want to use change management procedures. You know, it's often these... these are initiated in a ticketing system with a change request, ticket, etc. And then you just manage it, document the changes, all that sort of stuff, versus just running willy-nilly. Yeah, yes, yes. Classification and categorization, slightly different concepts but very similar concepts. I won't get into it now. But classification, you know, you classify documents. Is it secret? Is it top secret? And then you associate a baseline with that, like what are the protections you want for that? So documentation is also a golden word. It's used in, we're talking about software development as well as compliance. We have to document our compliance. It's accountability tied to responsibility. By the way, in this exam, if it says senior management is accountable or senior management support, it's almost, it is so likely going to be the answer. It's like you have to have senior management support. And then, lastly, impact, to which I would also add likelihood. Likelihood and impact, combined together as concepts, determine the level of risk. So if something is very likely to happen and if it happens it's really bad, like ransomware. You know, 85 to 90% of healthcare organizations, as an example, experience a ransomware attack. Likely to happen. If it happens and it's successful, it's a bad day. So it's like we use impact and likelihood to rank. We have to care about the impact. And then, lastly, there are going to be some words where we can kind of... questions where we can match terms in the question to something that's, you know, in the answer, so we can just look for it. You know, if it talks about enforcement in the question, it might use the word enforce in the answer, and that kind of helps clue you into that. So those tips together, if you combine that with take your time, eliminate wrong answers, they'll give you... and you practice, you've got to practice all these ideas, they can really help you a lot in terms of taking this exam.

11:21

Fantastic.

11:23

I think that's gonna really... I think this is gonna be... people are gonna be rewinding and taking notes on this one. I think this is gonna really help people with the exam, you know, and I just, just to editorialize a little bit, I think it's worth remembering that, you know, like you said, as much as we like, I think, as cybersecurity people, we like being involved with dealing with vulnerabilities, dealing with breaches and so forth, but the CISSP is ultimately for people who are going to be the decision makers of the company. So of course you're gonna talk about risk, of course you're gonna talk about management buy-in. So you have to be, you have to be sort of also thinking like the manager that you are hoping to be or the CISO that you're hoping to be, ultimately, because this is, this is, you know, I would imagine that some of the technical stuff is almost kind of sort of like a shiny bauble that you have to kind of... yeah.

12:12

I know, you have to. You absolutely have to be careful of things. It's very tempting, say, if the scenario, let's say they spell out a scenario, and let's say one of the answers is MFA, and let's say it's correct, it could actually be a true solution. But one of the answers deals with some management or governance concerns, like policy. Yep, that's almost definitely the answer. It's not that we don't care about technical solutions, but this is a management exam, so we have to think about it at that level. So you have to think. You don't ask yourself what would you do at your work or your job. You have to think about, think like a manager, understand, you know, how can we manage?

12:54

You know, you're not just taking the exam, you're growing into your next position. Ultimately, you're thinking... exactly.

13:00

Yeah, that's exciting.

13:02

All right, well, I'm gonna leave it at that. So, Steve Spearman, thank you so much for talking us further through the CISSP. This was absolutely invaluable. I really appreciate it.

13:11

No problem, it's my pleasure.

13:13

And thank you all for watching this episode again. Check out part one as well. You're gonna get a very good overview of the CISSP and it's gonna take a lot of fear out for you. If you enjoyed this video and felt that it helped you, please share it with your colleagues on your forums of choice, social media accounts, whatever you want to do, and definitely subscribe to our feed on your podcast catcher of choice or our YouTube page. You can type "Cyber Work Infosec" into any of them and it'll get you there. Lickety split. There's plenty more to come, and if you have any topics you want us to cover, just drop them in the comments below. But I'll leave it at that for now. Until next time, happy learning. Thanks again.
