34. Which INFOSEC Certification Pathway is Right For You - LIVE presentation

We had a great time doing the live show; thanks so much to everyone who joined in (we were thrilled to see more than our Three Listeners!); and more thanks to our hosts, New Horizons (and Queen Circe), for inviting us to take part in the event.

If you’re interested in seeing the slides associated with the audio track, please use this link to YouTube: https://www.youtube.com/watch?v=RU5moEg5noU&feature=youtu.be

33. Everyone Gets a Glock

To continue preparing for disaster to strike, we take a look at firearms from the perspective of personal security. Or personal INsecurity? (As in a lack of security, not ego--but maybe that too.) Everyone’s situation is different, but we do have some information that might help you make that decision a bit more safely and responsibly.

Read More

31. The Bestest Security in the World

Did you know we have the bestest security system in the world? Yes we do! Join us as we review the costs and outstanding benefits of having a dog for security.

Additional resources mentioned:

War Dog: A Soldier’s Best Friend (2017) Documentary directed by Deborah Scranton, Produced by Channing Tatum. You will cry.

Togo (2019) Live action Disney movie based on true heroes. Starring Willem Dafoe. You will also cry.

Molly Burke YouTube vlog channel following the life of a “millennial girl who just so happens to be blind,” often featuring her guide dog. You can view her playlist “All About Guide Dogs” here!

29. Aaron Swartz, IP, and JSTOR

This week we do a deep and rambling dive into Aaron Swartz, his attitude toward intellectual property (IP), and JSTOR.

If you or someone you know is experiencing depression or suicidal thoughts, please reach out for help. NAMI (National Alliance on Mental Illness) can provide crisis support or help you find local resources to support your recovery. You don’t have to be in distress to call.

1-800-950-NAMI (6264) or info@nami.org

Live Webcast Open To Everyone!

This is extremely exciting: Robin and I will be hosting a free webinar for New Horizons during their Awareness Month seminar. We'll be doing a live episode of "The Sensuous Sounds Of INFOSEC" that you can participate in! So, if you ever wanted to be on the show, now's your chance.

Did I mention it's free?

We're going to discuss different INFOSEC certifications, and which pathways might be best for different practitioners. Come check it out, ask questions, and hassle us.

Also, you don't have to pay for it.

We look forward to seeing you there!

https://register.gotowebinar.com/register/3599988395504979725

There are also some other sessions being offered by excellent presenters:

https://bangor.newhorizons.com/resources/free-webinars

28. Audits with Roger Ison-Haug - Small Business Security - Part 7

Roger Ison-Haug is the head of Berigo AS, a Norwegian audit and consulting firm. [https://www.berigo.as/?lang=en] We also consider him a good friend, and he is one of the three people who listen to the show.

International audit/standards organizations mentioned during the episode:

- ISO (the International Organization for Standardization, which is odd, considering how it’s abbreviated) [https://www.iso.org/home.html]: a global standards body that publishes standards for performing just about every kind of human activity possible. Standards discussed on the show include:

-- The 9000 series: the quality management standards (usually referred to as the “Quality Management Systems (QMS)” standards; the broader management discipline they support is often called “Total Quality Management (TQM)”)

-- The 27000 series: standards for information security, often referred to collectively as the “Information Security Management System (ISMS)” standards. Strictly speaking, an ISMS is the management system an organization builds and operates; ISO/IEC 27001 is the standard in the series that specifies the requirements for that system, and it is the one an organization is certified against.

- ISACA (originally the Information Systems Audit and Control Association, which has since legally changed its name to just the abbreviation) [isaca.org]: originally an American body that addressed information systems audit and security for manufacturing systems, but which has since evolved into an international IT security, governance, and management standards body. Famous for:

-- Professional certifications, such as the CISA (Certified Information Systems Auditor) and CISM (Certified Information Security Manager) [full disclosure: Ben has the CISM certification]

-- Audit and governance frameworks, particularly the (unfortunately named) COBIT 2019 framework (Control Objectives for Information and Related Technologies)

Encouraging Words About CISSP

A former student wrote in yesterday to tell me:

“I passed the exam last Wednesday. A few observations on my experience:

1. Like others posting their results to LinkedIn recently, my exam cut off at the 100 question mark. My elapsed time at that point was somewhere between 90 and 100 minutes.

2.  Candidly, the first thought that passed through my mind when the exam cut off was that I failed, because...

3.  A lot (I would estimate 60-70%) of the questions required a good deal of domain knowledge synthesis to answer.  By that, I mean the question wasn't just asking for a fact or straightforward application of domain knowledge.  I got about 50 questions into the exam and considered walking away from the test, I thought I was doing that poorly.  I really thought "OK, those first 25 or so were the 'evaluation' questions for future exams, now the real exam is starting" but the questions didn't change in style after that. 

4. I really had to slow myself down to make sure I read the questions and answers correctly and thoroughly. This is probably what saved me from failing; of course, since the result is only pass/fail, there's no way to know whether the answers I changed after re-reading the question and answers while thinking about every word were the correct choice.

5.  Notwithstanding the "synthesis" comment above, most questions did have 2 fairly obvious wrong or distractor answers.  It was deciding between the remaining two that created the most frustration.

6.  I did use current editions of both the Shon Harris and Mike Chapple texts and practice exams for preparation.  I guess that's why I was a bit surprised at the nature of the questions.  Practice exam questions from both books were for the most part more oriented toward straightforward domain knowledge demonstration.”

Great advice— SLOW DOWN, everybody. And remember that you can’t fail until you’re done. Good luck to you all!

One of the best pieces of advice I have found in a long, long time:

Saw this on reddit recently:

“So, to your primary question, during those best 90 minutes of my exam - I passed at 100Q at 90 minutes - this was what I'd written on my dry-erase board and what I focused on:

  • YOU ARE A RISK ADVISOR/CEO – think like one.

  • Do NOT fix things (unless asked to do so, or unless those are the only answer options)

  • Think END GAME

  • Read EACH question 3x and then THINK before responding

This said, during my last two weeks, I did a high-level but comprehensive review of notes from ALL domains, and I particularly focused on making sure I knew and understood processes like RMF, SDLC, IR, BCP/DRP, etc. I took several 100-125 question practice exams during the last 10 days and used feedback from those exams to further hone the things I needed to focus on prior to my exam. Good luck and all the best as you make final preps for your exam!”

https://www.reddit.com/r/cissp/comments/i1eshf/exam_tips/fzx8qth/

Another bit of feedback about CISSP....

From another former student, just received yesterday:

“I passed the CISSP earlier this evening, with much thanks owed to you! At 150 questions.

I didn’t interact much in class but paid a ton of attention and also rewatched the recordings over again. And also bought and read your book, along with the Boson and Mike Chapple practice tests. I felt that the class paired with the student guide prepared me the best, and the Boson was a decent approximation for the questions but also not so much... I read your book in the two days before the exam and it helped solidify my mindset as well.

As for the test, there were some bizarrely worded questions there for sure. I assume the test is slightly different for everyone, but for me there were MAYBE 10 questions that I would deem ‘technical’, and I may very well have got them all wrong, yet here I am on the other side! I am more of a big picture person in my role at work and I think that helped.”

Awesome news! Thanks so much for the feedback— great stuff, and congrats.

Some feedback from a recent CISSP test-taker (who passed)

One of my recent students shared this with me, and gave me permission to post it:

“I’m not sure if you remember but I am the student that just graduated college with a Cyber Security degree and won the CISSP class in a raffle. I was lucky enough to be trained by you on scholarship and capitalized on it, and now I am an Associate of (ISC)².

In terms of the exam, the main thing I studied was the notes from your class. I memorized each and every foot stomper. You covered everything I saw on the exam, but some of the questions were extremely detailed in things we barely brushed over. I also read the entire study guide by doing 30 pages a day. I didn’t use the Sunflower guide because I felt as if it went into too much unnecessary detail in some parts. I also bought the Boson practice tests but I didn’t use them at all.

The main thing that helped me besides your class was this video: https://www.youtube.com/watch?v=-99b1YUFx0A. It just helped to enforce the idea that the CISSP exam is managerial, and about half of the questions I saw I referred back to this video. Instead of solving the problem instantly I thought of what a manager would do. To put your future students at ease, you can tell them I have no working experience and all I did was read the study guide, take your class, and watch that one YouTube video, and I passed. Once again, thank you for all the help with everything. Your class has left a lasting impact on me and I will always be grateful.”

I am impressed by the accomplishments of this young person; very well done, and thanks for sharing insight into your experience! I expect big things from you in our industry. I hope you will hire me to work for you someday!