Episode Transcript
1:10
Hello again. Infosec and Cyberwork Hacks are here to help you pass the CISSP exam. Today's hack is part two, so I encourage you to go back and also listen to part one of Steve Spearman's CISSP exam tips and tricks. In part two, I pass the mic to Steve and he gives you his top five test-taking strategies for the CISSP. What is the Sesame Street rule? How does CISSP feel about absolutes? Keep it here and you'll find out all that and more on today's part two of this week's Cyberwork Hack.
1:44
Hello and welcome to a new episode of Cyberwork Hacks. The purpose of this spin-off of our popular Cyberwork podcast is to take a single fundamental question and give you a quick, clear and actionable solution, or a new insight into how to utilize Infosec products and training to achieve your work and career goals. So this is part two of a hack that just appeared on your feed, probably just before this one here. I've been talking with Steve Spearman about his tips and tricks for taking the CISSP exam. If you haven't listened to part one yet, please do so. We talk about why the CISSP is such a challenging exam to take, what are some of the most common mistakes that people make, either leading up to the exam or on the day, things to do if you pass, things to do if you fail. But Steve let me know at the end of that that he has lots more advice for you on taking the CISSP, and more tips and tricks in the moment. So I'm just going to kind of give this over to Steve Spearman and say, Steve, could you give us some more of your tips and tricks for taking the CISSP?
2:42
Love to, absolutely. So in part one we covered two of the tips, which are: take your time, most important. Second is get in the habit of eliminating wrong answers as you're taking the exam. The other thing, too, is look for absolutes. This exam does not like absolutes, unless it's asking for a negative. So let me give you an example. Let's say you have a question that says Sally is the new CISSP for ABC Corporation. In her role, what should she focus on? And C, the answer C, says eliminating all risk. So words like all, always, never, only, those are absolutes. This exam does not like absolutes. You cannot eliminate all risks. So C is not the answer. Okay, reshift your focus. Now, what if it says which one of the following should not be a priority for Sally as the new CISO? And C says eliminate all risk. Can you see how, in that context, C is correct? It is not something that she should focus on. It's not possible for her to eliminate all risks. So look for absolutes. This exam does not like absolutes. Look for only, must, always, never. You know, you've heard the whole marriage "you always, you never," the marriage counseling thing, "you always, you never." It's like this exam doesn't like those things either. Marriage counselors don't like it. ISC2 doesn't like it. Okay, so look for absolutes. It doesn't like it, unless it's asking for a negative.

The other thing, too, is what I would call the Sesame Street principle. That is, if you have a question where three of the four are kind of categorically the same but one is different. The Sesame Street principle is from the oldest thing: which one of the following is not like the others? Sesame Street. So let me give you an example. You know, a question, we won't even say what the question is, it's yada, yada, yada, blah, blah, blah, question mark. And it says something like, here are the following answers: A, EIGRP; B, OSPF; C, DNS; and D, RIP. Okay, now, those are all sort of technical terms. You may or may not be familiar with them, but the thing to note is A, B and D are all routing protocols. They're all routing protocols. You would become familiar with those during the bootcamp, but the point being is that the answer is most likely DNS. It's the one thing that's not a routing protocol. Very useful trick to sort of think about. If you have answers that are categorically the same, most likely they are not the answer. Look for the thing that's not like the others. It's called the Sesame Street rule.

The last thing is what I call doing the algebra, and this is actually, attending the bootcamp, we'd actually practice this in a lot of different ways. I'm not a math person, but it's like I do remember this from my algebra days. If you have an algebraic equation that has the same integer on each side of the equals mark, Chris, do you remember what you can do with those things? You can eliminate them, right? You can mark through them. They have no relevance on the thing. So what you'll find is some categories of questions that reuse sort of the same thing in, like, a list. For example, it might say, what are some ways that encryption can be used? It might list confidentiality, non-repudiation, blah, blah, blah, but it might have confidentiality in all four of the answers. Well, you know it doesn't have any relevance to the answer. And there are different ways that this idea can help you break down questions really quickly. So it's something you can practice. Again, in bootcamp we actually get more into understanding this principle, but it really does manifest itself. And just being aware that if something is in all the answers, it doesn't have any relevance, can help you quickly break down the question to the components within the answers that are going to impact whether it's right or wrong.

And then, lastly, is what we call the golden words. The golden words are words that, you know, 75, 80% of the time, if they're in one of the answers, it's likely the right answer. Remember, this is a management exam, so this is words like business or organization or whatever. So business strategy, business goals, business objectives, business risk, basically business anything: good chance it's the answer. Risk. Risk is a concept we really dig into. This is a risk management exam and it's kind of the highest order thing that we care about. Do we care about threats? Sure. Do we like vulnerabilities? Absolutely, but mostly we care about those things because they tell us what our risks are. So if you see a question where it says threat management or risk management, the answer is risk management. We care about threats, but mostly because they inform us about what our risks are. I give a nice succinct definition of risk in the bootcamp, but, you know, risk is related to threats and vulnerabilities and that's the highest order thing that we care about. Change management. Change management is often the answer, and it's even more so than the others that we talked about. It's like if it's the only answer in a question, there's a really, like, 90% chance that it's the answer.
9:02
So can you break down the idea of change management a little bit?
9:05
Well, change management, of course, is the concept that when we're undergoing some changes, often referred to in software development, but in any context where we want to make a change, policy, things like that, you want to use change management procedures. Got it. You know, these are often initiated in a ticketing system with a change request ticket, etc. And then you just manage it, document the changes, all that sort of stuff, not just running willy-nilly. Yeah, yes, yes. Classification and Conversation, slightly different concepts but very similar concepts. I won't get into it now. But classification, you know, you classify documents. Is it secret? Is it top secret? And then you associate a baseline with that, like what are the protections you want for that? Documentation is also a golden word. It's used when we're talking about software development as well as compliance. We have to document our compliance. It's accountability tied to responsibility. By the way, in this exam, if it says senior management is accountable or senior management support, it is so likely going to be the answer. It's like you have to have senior management support. And then, lastly, impact, to which I would also add likelihood. Likelihood and impact are combined together as concepts to determine the level of risk. So if something is very likely to happen and if it happens it's really bad, like ransomware. You know, 85 to 90% of healthcare organizations, as an example, experience a ransomware attack. Likely to happen. If it happens and it's successful, it's a bad day. So we use impact and likelihood to rank. We have to care about the impact. And then, lastly, there are going to be some questions where we can match terms in the question to something that's in the answers. So we can just look for, you know, if it talks about enforcement in the question, it might use the word enforce in the answer, and that kind of helps clue you into that. So those tips together, if you combine that with take your time, eliminate wrong answers, and you practice, you got to practice all these ideas, they can really help you a lot in terms of taking this exam. Fantastic.
11:23
I think this is gonna be... people are gonna be rewinding and taking notes on this one. I think this is gonna really help people with the exam, you know. And just to editorialize a little bit, I think it's worth remembering that, like you said, as much as we, as cybersecurity people, like being involved with dealing with vulnerabilities, dealing with breaches and so forth, the CISSP is ultimately for people who are going to be the decision makers of the company. So of course you're gonna talk about risk, of course you're gonna talk about management buy-in. So you have to be sort of also thinking like the manager that you are hoping to be, or the CISO that you're hoping to be, ultimately, because I would imagine that some of the technical stuff is almost kind of like a shiny bauble that you have to kind of... yeah.
12:12
I know, you have to. You absolutely have to be careful of things. It's very tempting, say, if the scenario, let's say they spell out a scenario, and let's say one of the answers is MFA, and let's say it's correct, it could actually be a true solution. But if one of the answers deals with some management or governance concerns, like policy, yep, that's almost definitely the answer. It's not that we don't care about technical solutions, but this is a management exam, so we have to think about it at that level. So you have to think. You don't ask yourself what you would do at your work or your job. You have to think like a manager, understand, you know, how can we manage?
12:54
You know, you're not just taking the exam, you're growing into your next position. Ultimately, you're thinking... exactly.
13:00
Yeah, that's exciting.
13:02
All right, well, I'm gonna leave it at that. So, Steve Spearman, thank you so much for talking us further through the CISSP. This was absolutely invaluable. I really appreciate it.
13:11
No problem, it's my pleasure.
13:13
And thank you all for watching this episode. Again, check out part one as well. You're gonna get a very good overview of the CISSP and it's gonna take a lot of fear out for you. If you enjoyed this video and felt that it helped you, please share it with your colleagues on your forums of choice, social media accounts, whatever you want to do, and definitely subscribe to our feed on your podcast catcher of choice or our YouTube page. You can type "Cyberwork Infosec" into any of them and it'll get you there lickety-split. There's plenty more to come, and if you have any topics you want us to cover, just drop them in the comments below. But I'll leave it at that for now. Until next time, happy learning. Thanks again.