<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Trehb101.com - Got Geek? &#187; CISSP</title>
	<atom:link href="http://www.trehb101.com/index.php/tag/cissp/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.trehb101.com</link>
	<description>Information Security : Technology : Project Management : Life</description>
	<lastBuildDate>Thu, 31 Mar 2011 22:23:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Simple Math: Maybe the Difference in your Cert Exam Pass/Fail Chances</title>
		<link>http://www.trehb101.com/index.php/2011/01/13/simple-math-maybe-the-difference-in-your-cert-exam-passfail-chances/</link>
		<comments>http://www.trehb101.com/index.php/2011/01/13/simple-math-maybe-the-difference-in-your-cert-exam-passfail-chances/#comments</comments>
		<pubDate>Thu, 13 Jan 2011 18:21:18 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[Project Management]]></category>
		<category><![CDATA[Certification]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[Exam]]></category>
		<category><![CDATA[math]]></category>
		<category><![CDATA[Passing]]></category>
		<category><![CDATA[PMP]]></category>
		<category><![CDATA[probability]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=764</guid>
		<description><![CDATA[By the time the exam was all over, you are so bewildered that you wonder if someone got the license plate of the truck that hit you. You have no idea if you passed or failed, and you wonder what you have done wrong and if you have actually done enough. I have observed that oftentimes the key reason for a person failing an exam was not because he or she did not know the material, but rather because he or she simply lost focus due to the stress and sometimes panicked over the confusion brought about by how the questions in the exam were framed.
]]></description>
			<content:encoded><![CDATA[<p>Picture this. You locked yourself up in a room for two months or so with no social interaction. You’ve excommunicated your family for that time period. You even missed the Super Bowl and the birth of your first child (okay maybe a little too dramatic, I know you would not dare miss the Super Bowl). In any case, you did all this because you have a goal. You wanted to be certified. You studied and studied. You read the book cover-to-cover. You paid top money for a class. You joined study groups. You took countless practice exams and even bought several brain dump resources for good measure. You studied &#8217;til the cows came home.</p>
<p>On the day of the exam you were as confident as a porcupine with extended quills (imagine that <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> …). You know in your heart you’ve done what you could. You are anxious. You are ready. Then here comes the first question. You think to yourself, “WTF is this? I don’t remember reading about this.” Then the next question was so vague you wondered if it was actually written in English. The third question seemed like it had two answers instead of one. The fourth was no easier. By the fifth question, all that confidence went down the toilet and by the sixth you are in a near panic.<span id="more-764"></span>By the time the exam was all over, you are so bewildered that you wonder if someone got the license plate of the truck that hit you. You have no idea if you passed or failed, and you wonder what you have done wrong and if you have actually done enough. I have observed that oftentimes the key reason for a person failing an exam was not because he or she did not know the material, but rather because he or she simply lost focus due to the stress and sometimes panicked over the confusion brought about by how the questions in the exam were framed.</p>
<p>If you’ve gone through a similar painful situation or worried that you may go through the same situation as I have described above when you go take a cert exam, I’d like to share a simple secret that I always take with me whenever I take an exam. It all comes down to simple math.</p>
<p>Let’s look at the PMP exam requirement as an example:</p>
<blockquote><p>“The PMP® exam is a 4-hour multiple choice exam. In these 4 hours, you are going to have to answer 200 questions. Each question is either scenario based or knowledge based and has 4 possible answers &#8211; A, B, C or D. You can only select one answer.</p>
<p>Out of these 200 questions, 25 are considered &#8220;pretest questions&#8221;. These pretest questions do not affect your score. The PMI uses them as an effective and legitimate way for testing the questions. In other words: new questions for the exam are first tried out in this way, to see how well they work. The pretest questions are randomly placed throughout the exam.</p>
<p>So you start out with 200 questions minus the 25 pretest questions which leaves 175 questions. Out of these, you must answer 106 correctly. That is 61%.” (Source: <a href="http://forum.kadonk.com/index.php?showtopic=43" onclick="pageTracker._trackPageview('/outgoing/forum.kadonk.com/index.php?showtopic=43&amp;referer=');">What is the PMP Exam Passing Score?</a>)</p></blockquote>
<p>So we know that out of 200 questions only 175 matter, and to pass we only need to answer 106 of the 175 correctly. However, there is a wildcard here: we need to factor in the 25 pre-test questions, and we have no idea which questions they are. These are 25 questions that we may all answer correctly, but that don’t really count in the score. It would really suck if 1 of the 106 questions that you’ve answered correctly is a pre-test question and therefore your actual score is only 105, which means you fail.</p>
<p>So to negate the pre-test factor, we should set our goal to:  106 + 25 = 131. In other words, to be confident that we actually passed the exam, we will need to have a “buffer” of 25 questions. So in reality the surefire way to pass the exam is to get 65.5% of the 200 questions, vice 61% of the 175 questions. In the grand scheme of things and comparison of probability, it is not really a big jump. We will look at probability in a different context in a little bit. But for now, we’ve established that our passing goal is 65.5%.</p>
<blockquote><p>Just FYI Formula: 131 / 200 = .655 or 65.5%</p></blockquote>
<p>We also know that we have 4 hours to complete a 200-question exam. That gives you 1.2 minutes per question. Believe it or not, this is actually pretty long. I would recommend targeting to spend only 1 minute maximum per question. This will give you an extra 40 minutes to review your answers (that is, if you still feel like doing a review after you follow the steps below).</p>
<p>Now that we know what our passing goal and time-per-question ratio are, we are really prepared to take the exam. Most exams will allow you to have a blank sheet of paper and a pencil to use as scratch paper. Make sure that you get them. You will need them. Also, most cert exams allow you to mark the questions that you would like to go back to for a variety of reasons, including, but not limited to:</p>
<ul>
<li>You are not sure of your answer</li>
<li>You don’t know the answer</li>
</ul>
<p>As I mentioned, there are a variety of reasons why you would want to mark an answer, but the two reasons above are the only two that we will concern ourselves with.</p>
<p>This is where the next step of our technique comes in. On your scratch paper, set up two columns. One column is where you will write the question numbers of the questions whose answers you are not sure of. The other column is where you will write the question numbers of the questions whose answers you don’t know.</p>
<p>Third step: start answering the questions, keeping in mind your time constraint of 1 minute max per question. You don’t have to distract yourself by really counting every second of the clock. Just have a feel for it and keep it in the back of your mind. Once you run into a question that you are not sure of, pick the one that you think is the best answer. Then write the question number in the appropriate column. Do the same for questions that you don’t know the answer to. DO NOT SKIP A QUESTION. Pick an answer and move on. Just make sure you mark that question number.</p>
<p>Once you’ve finished all the questions and stayed true to the self-imposed time constraints (in our case one minute per question), you should have plenty of time for the 4<sup>th</sup> step. Count the total number of questions that you were not sure of and count the number of questions that you did not know the answer. If the total number of questions you were not sure of and don’t know the answer to comes out to be less than 69 questions (based on our PMP example), then I would highly recommend: STOP!!! Stop pulling your hair out, you are done.</p>
<p>But just for giggles, let’s assume that it is a little bit more complicated than that. Somehow, you marked even the questions where you have only a sliver of doubt as to the answer. Continuing with our example, the numbers came out as follows:</p>
<ul>
<li>Not sure: 60</li>
<li>Don’t know: 25</li>
</ul>
<p>Do you start the sweat pumps and start going through each “Not sure” question? I say, hold your horses, mate! Let’s do some math, actually probability to be exact. Let’s throw away the 25 “Don’t know” answers. Let us assume you have the luck of a possum crossing the I-5 Freeway in the middle of rush hour in Los Angeles. Essentially, there is no way you can get lucky and get any of the 25 guesses that you’ve made in the “Don’t know” column right.</p>
<p>You have 115 answers that you are pretty sure of. If you go with the 106 mark as originally suggested to be the passing score out of 175 non-pre-test questions, you’ve already passed. But since you’ve set a higher goal of 131 to get a surefire-no-way-you-can-fail score, you need 16 more correct answers. 16 is 27% of 60. With this info, ask yourself this:</p>
<ol>
<li>What are the chances of me missing more than 70% of the questions in the “Not sure” column?</li>
<li>What are the chances of 10 or more of the pre-test questions being in the 115 answers that I am pretty sure of?</li>
</ol>
<p>The answer to question two is actually hard to really know and it is a gamble. However, it is negated by your answer to question one. Question one is really a gut check. It’s not exact math or science, but it’s all about probability with margins of error. But in the end, you will know the answer to this. So it goes without saying that if the answer to 1 and 2 is “pretty low chance,” take a deep breath, stretch and submit your answers. In the case of the PMP or other computer-based certs, you will immediately know the results. In the case of scantron-based exams such as CISSP, you will not immediately know the results, but you will be confident that there is a very high probability that you’ve passed.</p>
<p>I have used this technique in all the cert exams that I have taken and the results were obviously great. I also used this in taking college exams, although slightly adjusted based on the target score that I want beyond what is required to pass. Obviously, college exams are not simply pass/fail as cert exams, so I have to tweak my goals to ensure that I have the best score possible.</p>
<p>In summary, here are the steps of using math and probability to help you pass the exam:</p>
<ol>
<li>Know your “true” passing goal and time/question ratio</li>
<li>Set-up two columns in your scratch paper: “Not sure” and “Don’t know”</li>
<li>Answer the questions. Mark columns with question numbers as appropriate. DO NOT SKIP A QUESTION. Even if you don’t know the answer, make your best guess.</li>
<li>Do the math, sum up “Not sure” and “Don’t know” and compare with your passing goal.</li>
<li>If necessary, do a probability/gut check. How many of the “Not sure” do you think you will miss? Is it pretty high? Or is it low?</li>
</ol>
<p>All that said, I wish you the best of luck. Yes LUCK does help, but I prefer to understand probability <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> .</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2011/01/13/simple-math-maybe-the-difference-in-your-cert-exam-passfail-chances/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>To CISSP or Not to CISSP – Part 2</title>
		<link>http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-%e2%80%93-part-2/</link>
		<comments>http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-%e2%80%93-part-2/#comments</comments>
		<pubDate>Thu, 30 Dec 2010 18:39:47 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Certification]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[ISC2]]></category>
		<category><![CDATA[security professional]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=754</guid>
		<description><![CDATA[Continued from: To CISSP or Not to CISSP – Part 1
Let’s look at what another non-fan of the cert thinks about the cert. In his blog entry he quoted another blog that stated:
“I chose a self study route, and devoted around 2 months for the preparation. Locked myself in and had very little to no [...]]]></description>
			<content:encoded><![CDATA[<p>Continued from: <a href="http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-part-1/">To CISSP or Not to CISSP – Part 1</a></p>
<p>Let’s look at what another <a href="http://taosecurity.blogspot.com/2007/05/thoughts-on-latest-cissp-requirements.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/taosecurity.blogspot.com/2007/05/thoughts-on-latest-cissp-requirements.html?referer=');">non-fan of the cert</a> thinks about the cert. In his blog entry <a href="http://nirlog.com/2007/05/03/how-i-prepared-and-passed-cissp/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/nirlog.com/2007/05/03/how-i-prepared-and-passed-cissp/?referer=');">he quoted another blog</a> that stated:</p>
<p style="padding-left: 30px;"><em>“I chose a self study route, and devoted around 2 months for the preparation. Locked myself in and had very little to no time for the family, I’d told them what I was up to, both my wife and son were very supporting. Every weekday I would dedicate 3 to 4 hours, and on weekends 5 to 6 hours for preparation. The last week before exam, I took leave from work and dedicated around 12 hours straight everyday for 7 days. To cope with the physical and mental tensions I did 45 minutes yoga in the morning and 20 minutes meditation in the afternoon. I took a break or stretched for 5 to 15 minutes after every 1 or 2 hours of studies.”</em></p>
<p>He then followed up by stating:</p>
<blockquote><p><em>“</em><em>That is ridiculous. I would expect someone who wants to be considered as a &#8220;security professional&#8221; to be well-enough versed in the CISSP material to not require seven straight days of 12 hour studying sessions, beyond the previous seven weeks of study.”</em></p></blockquote>
<p><span id="more-754"></span>Again, if the cert is all about the question of competence the assertion above is very valid. I can also understand why many feel that it is a question of competence, because it is marketed by the cert’s proponents that way. Not to mention, the title of the cert also implies it that way. All that said, however, once again it misses the entire point.</p>
<p>Let’s look at <a href="https://www.isc2.org/cissp-why-certify.aspx" onclick="pageTracker._trackPageview('/outgoing/www.isc2.org/cissp-why-certify.aspx?referer=');">ISC2’s marketing spiel on why one should certify as a CISSP</a>:</p>
<p><strong>Benefits of Certification to the Professional</strong></p>
<ul>
<li>Demonstrates a working knowledge of information security</li>
<li>Confirms commitment to profession</li>
<li>Offers a career differentiator, with enhanced credibility and      marketability</li>
<li>Provides access to valuable resources, such as peer networking and      idea exchange</li>
</ul>
<p><strong>Benefits of Certification to the Enterprise</strong></p>
<ul>
<li>Establishes a standard of best practices</li>
<li>Offers a solutions-orientation, not specialization, based on the      broader understanding of the (ISC)² CBK</li>
<li>Allows access to a network of global industry and subject      matter/domain experts</li>
<li>Makes broad-based security information resources readily available</li>
<li>Adds to credibility with the rigor and regimen of the certification      examinations</li>
<li>Provides a business and technology orientation to risk management</li>
</ul>
<p>Let’s look at the bullet points that state <em>“</em><em>Demonstrates a working knowledge of information security”</em> and “<em>Allows access to a network of global industry and subject matter/domain experts.”</em> If we keep the reasons as to why one wants to be a CISSP and why one would want to hire a CISSP within these two contexts, then the negative assertions are entirely true.</p>
<p>However, for the same reason that a college grad has a leg up over a high-school grad, a CISSP has a leg up over a non-CISSP for the intangibles that it brings beyond competence.</p>
<p>College and attaining certification brings upon a certain discipline that is not easily measured in areas of direct competence or skill. It goes beyond that. It molds the individual into a certain character that prepares that individual on how to handle situations; more often than not how to handle a situation professionally. Before I continue, I would like to make it clear that I am not dissing high-school grads or non-cert professionals. I have worked with and know of high-school grads who can work with the best of them and college grads, who are nothing more than dirt bags. I have also employed folks who don’t hold a single cert, but I would not dare let them go because of the value that they bring to the company and folks who have all the accreditation in the world, but don’t have a clue on how to tie their shoe laces even if you showed them how. Okay that last part is a tad bit of exaggeration, but you get the point. (I hope <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> …).</p>
<p>The two contractors that I have been talking about neither have the college education nor the accreditation to prove their qualification for the work that we do. However, I believe that they interviewed well and they made their resumes look good. Key things that one learns in college and in taking certifications are the value of professionalism and ethics. One learns very early on the importance of NOT BURNING BRIDGES in your professional life since it has a great potential of haunting you endlessly down the road. I will admit for all accounts and purposes, these two guys probably already know this and it is just a matter of their value system. But then again, I digress.</p>
<p>A CISSP cert, or any other cert or a college degree primarily helps <em>“Confirms one’s commitment to a particular profession.” </em>As that guy who locked himself up for two months to study for the exam or <a href="../index.php/2009/11/18/cissp-review-notes-notes-i-used-to-pass-the-exam/#more-74">as I have done to prepare for the exam</a>, it shows commitment. It shows dedication.<em> </em>The cert does not prove by any means that I am a better security professional than the two other contractors who did not have the cert or to the detractors of the cert. It just shows my willingness to commit and dedicate myself and my willingness to learn. If I can dedicate myself to learn such complex ideas that may or may not have anything to do with my work, then I may be able to dedicate myself to learn the processes, procedures and politics of the company that I will be working for.</p>
<p>And employers know this. As a former hiring manager myself, I value college education and certifications to the extent that I immediately know that the individual who is applying for the job took the time and had the discipline to dedicate him or herself to a particular goal and objective and achieved it. There is no quicker way to prove to someone, especially to employers, that you are capable of achieving something better than a college degree or an industry-recognized certification.</p>
<p>There is another point that I want to make. This is again coming from the <a href="http://www.veracode.com/blog/2008/04/not-a-cissp/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.veracode.com/blog/2008/04/not-a-cissp/?referer=');">Veracode blog</a>:</p>
<ul>
<li><em>“Career advice, take it or leave it: If an      employer or prospective employer demands that you get your CISSP in order      to be hired or to progress in your career, run fast in the opposite      direction and find a place where you will be valued for your cumulative      experience rather than a piece of paper.”</em><em> </em></li>
</ul>
<p>In this job market, I would say good luck with that. Not only does the Fortune 1 company, also known as the US Department of Defense, require that you attain security certifications if you want to get a job or keep your job in the department (Google <a href="http://www.google.com/search?hl=en&amp;source=hp&amp;biw=1280&amp;bih=603&amp;q=dod+8570.1&amp;btnG=Google+Search&amp;aq=0&amp;aqi=g8g-m2&amp;aql=&amp;oq=DoD+8570.1&amp;gs_rfai=" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.google.com/search?hl=en_amp_source=hp_amp_biw=1280_amp_bih=603_amp_q=dod+8570.1_amp_btnG=Google+Search_amp_aq=0_amp_aqi=g8g-m2_amp_aql=_amp_oq=DoD+8570.1_amp_gs_rfai=&amp;referer=');">DoD 8570.1</a> for a quick FYI), but the rest of the Fortune 1000 companies worth their salt also put value in the cert for a variety of reasons, including the reason I’ve already mentioned above.</p>
<p>If you are one of the lucky few who have all the experience in the world, a really stellar, could-not-be-turned-down, shining diamond in the middle of a pile of coal, more power to you. Unfortunately, not many of us are such diamonds.</p>
<p>Also isn’t your resume also just a piece of paper? Looking at the resume of the two contractors that I kept mentioning in this entry and knowing these two personally, I believe that they are nowhere close to having the experience and not to mention have the titles that they claim in their resume. Those claims go a little beyond your average “white lie.”</p>
<p>An accreditation is not the main thing, but rather one of the first things that can help an employer verify a person’s claim about his or her experience and background. Someone might retort, that’s what references are for. Seriously, nobody ever thought of having his/her best buddy pose as his/her former manager?</p>
<p>Let me finalize this entry by talking about why I decided to take the exam in the first place. As I mentioned earlier in this entry, it was essentially “to build my street cred” or, as ISC2 put it:</p>
<ul>
<li>Offers a career      differentiator, with enhanced credibility and marketability</li>
</ul>
<p>Ladies and gentlemen, a certification, a college degree and whatever accreditation that you have, truly has very little to do with your competence or true skill set. Such competence and skill set you can build through dedication to your work and experience and you can’t be dedicated to your work or you can’t build your experience unless you get hired. (Unless of course you got all the resources to make yourself your own boss and run your own business, some of us do, but a whole lot many of us don’t). All the swag, all the acronyms and that piece of paper is all about MARKETING. Yes ladies and gents, it is not a testament to your technical skills, but instead a testament to your marketability.</p>
<p>While I was doing work with a government contractor and we are in the process of sub-contracting with the big guys to go after a particular government contract, the prime contractor will typically ask our company, “What is your key differentiator?” In other words, why should I include you in my team versus the other guy? What have you achieved? There is no faster way to tell them about our achievements than show them the company’s certifications.</p>
<p>Is an ISO-this or CMMI-that certified company better than a company who’s been in existence for over 20 years? Probably and more than likely not, but it shows the company’s dedication to becoming better at what they do. A personal certification is no different.</p>
<p>The alphabet soup of acronyms that you tag along your last name such as CISSP, PMP, CISM, MCSE, CISA, CEH, etc. are the big banners that tell employers that you are a capable individual who can achieve your goals and objectives. AND BUSINESSES ARE ALL ABOUT ACHIEVING GOALS AND OBJECTIVES.</p>
<p>As to the value of the CISSP to me personally and my own doubts about its true value, first look at my entries “<a href="http://www.trehb101.com/index.php/2010/10/08/a-series-of-funny-things-happened-on-the-way-to-san-francisco/">A Series of Funny Things Happened on the Way to San Francisco – Part 1</a> and <a href="http://www.trehb101.com/index.php/2010/10/12/a-series-of-funny-things-happened-on-the-way-to-san-francisco-part-2/">Part 2</a>.” Both companies decided to interview me because I had a differentiator in my resume and guess what it was: CISSP.</p>
<p>The cert was not the key reason why both companies decided to give me an offer, but rather because I was able to effectively articulate my value to both companies during the interview process. I also did not get hired on full-time by the company I am working for now and essentially getting paid what I believe is my market value because of the CISSP cert, but rather because I have proven my competence in my line of work. However, all of these would not have happened if that five letter acronym was not tagging along my last name.</p>
<p>The bottom line, if you are looking for a CERT THAT WILL PROVE to employers how good you are at what you do, then CISSP is not it. I can’t think of any cert out there that does that. But if you are looking for a cert that will help open doors SO YOU CAN PROVE to employers that you are worth your salt, then CISSP and a multitude of other certifications will do the trick.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-%e2%80%93-part-2/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>To CISSP or Not to CISSP &#8211; Part 1</title>
		<link>http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-part-1/</link>
		<comments>http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-part-1/#comments</comments>
		<pubDate>Thu, 30 Dec 2010 18:08:33 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Certified Information Systems Security Professional]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[CPE]]></category>
		<category><![CDATA[security professional]]></category>
		<category><![CDATA[value CISSP]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=751</guid>
		<description><![CDATA[I had a discussion with a current co-worker over lunch one day on the importance of higher education. Just a week prior, two contractors working with us left without notice and somehow claimed the workplace was pretty hostile to them. Being also a contractor and working with the same group of folks, I (along with [...]]]></description>
			<content:encoded><![CDATA[<p>I had a discussion with a current co-worker over lunch one day on the importance of higher education. Just a week prior, two contractors working with us left without notice and somehow claimed the workplace was pretty hostile to them. Being also a contractor and working with the same group of folks, I (along with the rest of the team) found the claim to be pretty odd. We simply did not see the place as being a hostile one. It was actually a tad dull and boring if you ask me. However, whatever the case may be, this is the reason that they gave their contracting office.</p>
<p>One of the contractors was actually not making the cut, meaning he failed to meet even the simplest objective that was given to him by our manager and team leads. The other contractor was the one who recommended him for the job, and this contractor apparently also has another gig that he believes will bring him tons of cash. So believing that the writing is on the wall, they decided to leave. Why they left without notice, and also gave out a false statement as to the reason why they left, has no viable explanation. The only word that comes to mind is unprofessional.</p>
<p>These two stories came to mind today as I was searching for ideas for acquiring Continuing Professional Education (CPE) credits to maintain my CISSP (Certified Information Systems Security Professional) certification. Somehow the search landed me on pages asking whether CISSP is worth it. There are several bloggers who simply believe that the accreditation is nothing but a piece of paper that is not worth the ink it was printed with.</p>
<p><span id="more-751"></span></p>
<p>You are probably thinking, what does that have to do with the two paragraphs that I started with? I will put them all together, I promise. This is a blogging mystery drama that will all make sense in the end. Or so I hope <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> .</p>
<p>Anyway, the assertions piqued my interest. I, too, had questioned the value of the certification. I became a CISSP in 2007. This is after 3 years of holding onto the first version of the Shon Harris book and not opening it at all. I decided at the time that I needed to spice up my resume and the 5 letter acronym tagging along the end of my name will help build my street cred. There was also the looming change in the requirements to becoming a CISSP that made me deduce that getting the cert then will be a whole lot easier than later.</p>
<p>After diving into my regular routine of studying, I got the cert a month before they changed the requirements. In the end for a wide variety of reasons the cert did not really help much with my career goals at the time. It did help me land several interviews, however, it did not land the “dream job” that I was hoping for.</p>
<p>You see, I had this expectation that the cert implies what my true qualifications are and what my market value is as a professional. Those expectations don’t seem to match with what employers are presenting on the table. It made me wonder, are CISSPs now just a dime a dozen that the cert doesn’t seem to provide much value anymore? Or is the cert or the need for security professionals simply overhyped and the reality is that most companies don’t see the real value of the cert?</p>
<p>I have concluded then that it was simply the job market that I was in and my qualifications did not match the requirements of the companies in that job market and what those companies are willing to pay for. If I want to see the real value of the cert I will need to look at other locations. Call it an excuse, if you will, but that is my belief and I will stand by it <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> .</p>
<p>All that said, one of the most common criticisms of the cert is that “<a href="http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional" target="_blank" onclick="pageTracker._trackPageview('/outgoing/en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional?referer=');">CISSP only demonstrates mere understanding of domains rather than competence.</a>” <a href="http://www.veracode.com/blog/2008/04/not-a-cissp/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.veracode.com/blog/2008/04/not-a-cissp/?referer=');">This blog entry from Veracode entitled “Not a CISSP”</a> drives home the point:</p>
<blockquote><p><em>“&#8230;like many security certifications, it’s an ineffective measure of a security professional’s practical abilities. Employers and customers often assume the guy with the five magic letters on his resume is technically superior to the guy without. In my experience, it’s exactly the opposite, particularly in situations where you have to sit down at a keyboard and actually DO something as opposed to talking about it. Certainly, I’ve encountered some very notable exceptions to this observation, but we’re playing by the 80/20 rule here.”</em></p></blockquote>
<p>Others also criticize the cert as:</p>
<blockquote><p><em>“…</em><em>the CISSP certification … focus is technological issues, and the CBK does not address topics related to organization, finance, and strategy&#8221; as the CISSP lacks a broad based understanding of business.” </em>(Source: <a href="http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional" target="_blank" onclick="pageTracker._trackPageview('/outgoing/en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional?referer=');">http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional</a>)</p></blockquote>
<p>That one I found a tad funny because another criticism of the cert is that it is way too broad and covers too many things that are not fully relevant to every security professional’s line of work. Going back to the same <a href="http://www.veracode.com/blog/2008/04/not-a-cissp/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.veracode.com/blog/2008/04/not-a-cissp/?referer=');">Veracode blog</a>:</p>
<blockquote><p><em>“The trend in information security is toward specialization. Security has become such a broad umbrella of varying disciplines that it’s quite difficult to be a generalist. A security career is a balance between breadth and depth, and these days, the skilled pen tester, reverse engineer, or vulnerability researcher is more marketable than the guy who knows a little bit about dozens of different disciplines but can’t apply that knowledge in a practical situation. The CISSP subject matter illustrates this perfectly — you have cryptographic algorithms, site location principles, network security, and civil law on the same exam.”</em></p></blockquote>
<p>Since the second and third arguments above somehow in a funky way negate each other, I won’t bother rebutting them. I’d like to focus on the assertion that “<em>CISSP only demonstrates mere understanding of domains rather than competence.</em>” In the grand scheme of things, I firmly believe that this is a fact. The cert, or every other certification for that matter, does not give anyone the assurance of your competence in the field. Anyone who is good at memorization and good at taking exams can pass the exam. Anyone who had the slightest background in one of the 10 security domains can get certified after they’ve taken and passed the exam. Yes, there is a 5 year experience requirement, but changing back-up tapes for five years counts as 5 years worth of professional experience.</p>
<p>But. Here is the big BUT. And most of you like big BUTS and you cannot lie <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> . No matter how factual that statement may be, it entirely misses the point.</p>
<p>Going back to the first part of this entry, the discussion between my co-worker and me was in part driven by the story about the two contractors who left without notice and left essentially a big stink on how they say they were treated. As I have stated, their claims of maltreatment in the eyes of the team were wholly unfounded. Anyway, I digress.</p>
<p>Folks who have pursued a college education more often than not realize that a good part of what they learned in college really has no direct correlation to practice in the real world. Everyone knows that there is often a huge disconnect between what is taught in the classroom and what is being done in the offices of companies. More often than not, you can throw away most of what you’ve learned in school and essentially have to do your work the way the company wants you to do it. This essentially means that you have to learn the job the company way.</p>
<p>So why do companies continue to put a high value on folks with college degrees? How can a fresh-out of college kid with a degree in Political Science be competitive with a high school grad who had 6 years of technology experience? The answer has nothing to do with competence.</p>
<p>To be continued &#8211; &#8220;<a href="http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-%E2%80%93-part-2/">To CISSP or Not to CISSP &#8211; Part 2</a>&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-part-1/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Yeah Boy! I passed the PMP Exam&#8230; (Part 1)</title>
		<link>http://www.trehb101.com/index.php/2010/04/25/yeah-boy-i-passed-the-pmp-exam-part-1/</link>
		<comments>http://www.trehb101.com/index.php/2010/04/25/yeah-boy-i-passed-the-pmp-exam-part-1/#comments</comments>
		<pubDate>Sun, 25 Apr 2010 17:07:07 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Life Happens]]></category>
		<category><![CDATA[Project Management]]></category>
		<category><![CDATA[Yeah Boy! Yah Suck!]]></category>
		<category><![CDATA[CISM]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[PMBOK]]></category>
		<category><![CDATA[PMI]]></category>
		<category><![CDATA[PMP Exam]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=720</guid>
		<description><![CDATA[Four months of being a near-recluse, self-studying and sometimes overly stressing finally paid off. I passed the Project Management Professional (PMP) exam yesterday. For folks who are not familiar with the certification, Project Management Professional (PMP) is a credential offered by the Project Management Institute (PMI). Click here to learn more about the PMI and its credentialing programs. As of 30 June 2009, there were 359,973 PMP certified individuals distributed globally.]]></description>
			<content:encoded><![CDATA[<p>Four months of being a near-recluse, self-studying and sometimes overly stressing finally paid off. I passed the Project Management Professional (PMP) exam yesterday. For folks who are not familiar with the certification, Project Management Professional (PMP) is a credential offered by the Project Management Institute (PMI). <a href="http://www.pmi.org/CareerDevelopment/Pages/Certification-and-the-Job-Market.aspx" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.pmi.org/CareerDevelopment/Pages/Certification-and-the-Job-Market.aspx?referer=');">Click here to learn more about the PMI and its credentialing programs.</a> As of 30 June 2009, there were 359,973 PMP certified individuals distributed globally.<span id="more-720"></span></p>
<p>As<a href="http://en.wikipedia.org/wiki/Project_Management_Professional" target="_blank" onclick="pageTracker._trackPageview('/outgoing/en.wikipedia.org/wiki/Project_Management_Professional?referer=');"> extracted from the ever-reliable Wikipedia <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> </a>:</p>
<blockquote><p>Government, commercial and other organizations employ PMP certified project managers in an attempt to improve the success rate of projects in all areas of knowledge, by applying a standardized and evolving set of project management principles as contained in PMI&#8217;s PMBOK Guide.</p>
<p>Professionals obtain the credential to verify their proficiency in project management with an internationally accepted certificate. It has proven especially helpful for project managers trying to find jobs or self-employed project managers selling their services to customers.[citation needed]</p>
<p>Many contractors hire certified PMPs to make their bids and proposals more attractive to prospects. Sometimes, IFBs or RFPs require that project managers must be certified PMPs.</p>
<p>In December 2005, the PMP credential was tied for fourth place in CertCities.com’s 10 Hottest Certifications for 2006, and in December 2008, it was number 7 of ZDNet’s 10 best IT certifications.</p></blockquote>
<p>I also found an article from About.com that lists PMP among <a href="http://jobsearchtech.about.com/od/educationfortechcareers/tp/HighestCerts.htm" target="_blank" onclick="pageTracker._trackPageview('/outgoing/jobsearchtech.about.com/od/educationfortechcareers/tp/HighestCerts.htm?referer=');">the highest paying certifications in the tech industry</a>. Now if I could only put that article into reality for myself, it would be awesome considering I now hold two of the top four certifications listed in that article (the other being Certified Information Systems Security Professional or CISSP). <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>In any case, as I did with my previous cert “conquests” (CISSP and CISM), I bypassed paying for the expensive training and opted to go the hard way, actually hitting the books and doing self-study the best way I know how. There were several factors that made it a little bit more difficult for me to focus this time around. I won’t talk about those factors in this entry as I don’t have any illusions or interest of being in a reality show <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> . However, suffice it to say that I was actually a little bit worried that I may not pass this one on the first try as I did in the other two.</p>
<p>To add to this is the fact that even though I have been using and am somewhat familiar with various project management principles for quite some time, there are quite a number of concepts and terminologies in the PMI’s Project Management Body of Knowledge (PMBOK) that were very new to me. Another key challenge was the way the PMBOK is intended to be learned. Much unlike the CISSP’s Common Body of Knowledge, wherein one can learn each of the 10 domains independently, the PMBOK is a methodology, whose knowledge areas are interdependent and with process groups that follow a particular road-map and relationships and have independent processes that within themselves have separate elements that inter-relate with other processes.</p>
<p>So aside from simply remembering terms and what-have-you, to effectively master the PMBOK, one must be able to understand how each of the knowledge areas, process groups, processes and elements (process input/output and tools and techniques) inter-relate and which one comes first. Needless to say it was a doozy.</p>
<p><a href="http://www.trehb101.com/index.php/2010/04/25/yeah-boy-i-passed-the-pmp-exam-part-2/">Continued in Yeah Boy! I passed the PMP Exam&#8230; (Part 2)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2010/04/25/yeah-boy-i-passed-the-pmp-exam-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CISSP Certification All-in-One Exam Guide, Fourth Edition (Hardcover)</title>
		<link>http://www.trehb101.com/index.php/2010/03/16/cissp-certification-all-in-one-exam-guide-fourth-edition-hardcover/</link>
		<comments>http://www.trehb101.com/index.php/2010/03/16/cissp-certification-all-in-one-exam-guide-fourth-edition-hardcover/#comments</comments>
		<pubDate>Tue, 16 Mar 2010 13:48:42 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[AllinOne]]></category>
		<category><![CDATA[Certification]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[Edition]]></category>
		<category><![CDATA[Exam]]></category>
		<category><![CDATA[Fourth]]></category>
		<category><![CDATA[Guide]]></category>
		<category><![CDATA[Hardcover]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/index.php/2010/03/16/cissp-certification-all-in-one-exam-guide-fourth-edition-hardcover/</guid>
		<description><![CDATA[
  All-in-One is All You Need. Fully revised for the latest exam release, this authoritative volume offers thorough coverage of all the material on the Certified Information Systems Security Professional (CISSP) exam. Written by a renowned security expert and CISSP, this guide features complete details on all 10 exam domains developed by the International Information [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.amazon.com/CISSP-Certification-All-Guide-Fourth/dp/0071497870/ref=sr_1_3/178-6667490-7594547?ie=UTF8&#038;s=books&#038;qid=1268076340&#038;sr=8-3?ie=UTF8&#038;tag=gutomorg-20" onclick="pageTracker._trackPageview('/outgoing/www.amazon.com/CISSP-Certification-All-Guide-Fourth/dp/0071497870/ref=sr_1_3/178-6667490-7594547?ie=UTF8_038_s=books_038_qid=1268076340_038_sr=8-3?ie=UTF8_038_tag=gutomorg-20&amp;referer=');"><img style="float:left;width: 150px;height:150px;margin-right: 10px;" src="http://ecx.images-amazon.com/images/I/51NaZo0uoSL._BO2,204,203,200_PIsitb-sticker-arrow-click,TopRight,35,-76_AA240_SH20_OU01_.jpg" alt="CISSP Certification All-in-One Exam Guide, Fourth Edition" /></a></p>
<p>  All-in-One is All You Need. Fully revised for the latest exam release, this authoritative volume offers thorough coverage of all the material on the Certified Information Systems Security Professional (CISSP) exam. Written by a renowned security expert and CISSP, this guide features complete details on all 10 exam domains developed by the International Information Systems Security Certification Consortium (ISC²). Inside, you&#8217;ll find learning objectives at the beginning of each ch <a href="http://www.amazon.com/CISSP-Certification-All-Guide-Fourth/dp/0071497870/ref=sr_1_3/178-6667490-7594547?ie=UTF8&#038;s=books&#038;qid=1268076340&#038;sr=8-3?ie=UTF8&#038;tag=gutomorg-20" title="More at Amazon" onclick="pageTracker._trackPageview('/outgoing/www.amazon.com/CISSP-Certification-All-Guide-Fourth/dp/0071497870/ref=sr_1_3/178-6667490-7594547?ie=UTF8_038_s=books_038_qid=1268076340_038_sr=8-3?ie=UTF8_038_tag=gutomorg-20&amp;referer=');">(more&#8230;)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2010/03/16/cissp-certification-all-in-one-exam-guide-fourth-edition-hardcover/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CISSP Exam Note (Domain 2: Telecommunications and Networking Security) – Virtual Private Networks</title>
		<link>http://www.trehb101.com/index.php/2010/03/16/cissp-exam-note-domain-2-telecommunications-and-networking-security-%e2%80%93-virtual-private-networks/</link>
		<comments>http://www.trehb101.com/index.php/2010/03/16/cissp-exam-note-domain-2-telecommunications-and-networking-security-%e2%80%93-virtual-private-networks/#comments</comments>
		<pubDate>Tue, 16 Mar 2010 18:23:47 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Don's eBook Report]]></category>
		<category><![CDATA[InfoSec Docs]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[CISSP Exam]]></category>
		<category><![CDATA[Firewall-based VPNs]]></category>
		<category><![CDATA[IPSec]]></category>
		<category><![CDATA[IPSec Compatible]]></category>
		<category><![CDATA[L2TP]]></category>
		<category><![CDATA[Layer 2 Tunneling Protocol]]></category>
		<category><![CDATA[Non-IPSec Compatible]]></category>
		<category><![CDATA[Point-to-Point Tunneling Protocol]]></category>
		<category><![CDATA[PPTP]]></category>
		<category><![CDATA[Virtual Private Networks]]></category>
		<category><![CDATA[VPN]]></category>
		<category><![CDATA[VPN Devices]]></category>
		<category><![CDATA[VPN Protocal Standards]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=450</guid>
		<description><![CDATA[Virtual Private Networks

    * Secure connection between two nodes using secret encapsulation method
    * Secure Encrypted Tunnel – encapsulated tunnel (encryption may or may not be used)
    * Tunnel can be created by the following three methods:]]></description>
			<content:encoded><![CDATA[<p><strong>Virtual Private Networks</strong></p>
<ul>
<li>Secure connection between two nodes using secret encapsulation method</li>
<li>Secure Encrypted Tunnel – encapsulated tunnel (encryption may or may not be used)</li>
<li>Tunnel can be created by the following three methods:
<ul>
<li>Installing software or agents on the client or network gateway</li>
<li>Implementing user or node authentication systems</li>
<li>Implementing key and certificate exchange systems</li>
</ul>
</li>
</ul>
<p><span id="more-450"></span></p>
<p><strong>VPN Protocol Standards</strong></p>
<p><strong>PPTP – Point-to-Point Tunneling Protocol</strong></p>
<ul>
<li>Works at the data link layer</li>
<li>Single point to point connection from client to server</li>
<li>Common with asynchronous connections with NT and Win 95</li>
</ul>
<p><strong>L2TP – Layer 2 Tunneling Protocol</strong></p>
<ul>
<li>Combination of PPTP and earlier Layer 2 Forwarding Protocol (L2F)</li>
<li>Multiple protocols can be encapsulated within the L2TP</li>
<li>Single point to point connection from client to server</li>
<li>Common with Dial-up VPNs</li>
</ul>
<p><strong>IPSec</strong></p>
<ul>
<li>Operates at the network layer</li>
<li>Allows multiple and simultaneous tunnels</li>
<li>Encrypt and authenticate IP data</li>
<li>Focuses more on Network to Network Connectivity</li>
</ul>
<p><strong>VPN Devices</strong></p>
<ul>
<li>Hardware and Software devices that utilize VPN standards</li>
<li>Two types:
<ul>
<li>IPSec Compatible</li>
<li>Non-IPSec Compatible</li>
</ul>
</li>
</ul>
<p><strong>IPSec Compatible</strong></p>
<ul>
<li>Installed on a network perimeter and encrypt traffic between two networks</li>
<li>Only works with IP</li>
<li>Operates at the Network Layer</li>
<li>Two modes:
<ul>
<li>Tunnel Mode – entire packet is encrypted and encased in the IPSec packet</li>
<li>Transport Mode – only datagram is encrypted leaving IP address visible</li>
</ul>
</li>
<li>Datagram – self-contained, independent entity of data carrying sufficient information to be routed from the source to the destination</li>
</ul>
<p><strong>Non-IPSec Compatible</strong></p>
<ul>
<li>Common non-IPSec compatible includes: SOCKS, PPTP and SSH</li>
<li>SOCKS is not a traditional VPN protocol, but is robust and operates at the application layer</li>
<li>PPTP was implemented in Win95 and NT
<ul>
<li>Multiprotocol and uses PAP and CHAP user authentication</li>
<li>Compresses data</li>
<li>End-to-End encryption</li>
</ul>
</li>
<li>Secure Shell SSH-2 – Not strictly VPN but can be used as one with terminal session</li>
</ul>
<p><strong>Firewall-based VPNs</strong></p>
<ul>
<li>Frequently available with 3<sup>rd</sup> Generation (Stateful Inspection) Firewalls</li>
<li>Operates at the application layer</li>
<li>Performance degradation is often a problem</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2010/03/16/cissp-exam-note-domain-2-telecommunications-and-networking-security-%e2%80%93-virtual-private-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CISSP All-in-One Exam Guide, Fifth Edition (Hardcover)</title>
		<link>http://www.trehb101.com/index.php/2010/03/12/cissp-all-in-one-exam-guide-fifth-edition-hardcover/</link>
		<comments>http://www.trehb101.com/index.php/2010/03/12/cissp-all-in-one-exam-guide-fifth-edition-hardcover/#comments</comments>
		<pubDate>Fri, 12 Mar 2010 11:34:50 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[AllinOne]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[Edition]]></category>
		<category><![CDATA[Exam]]></category>
		<category><![CDATA[Fifth]]></category>
		<category><![CDATA[Guide]]></category>
		<category><![CDATA[Hardcover]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/index.php/2010/03/12/cissp-all-in-one-exam-guide-fifth-edition-hardcover/</guid>
		<description><![CDATA[
  Get complete coverage of the latest release of the Certified Information Systems Security Professional (CISSP) exam inside this comprehensive, fully updated resource. Written by the leading expert in IT security certification and training, this authoritative guide covers all 10 CISSP exam domains developed by the International Information Systems Security Certification Consortium (ISC2). You&#8217;ll [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.amazon.com/CISSP-All-One-Guide-Fifth/dp/0071602178/ref=sr_1_1/178-6667490-7594547?ie=UTF8&#038;s=books&#038;qid=1268076340&#038;sr=8-1?ie=UTF8&#038;tag=gutomorg-20" onclick="pageTracker._trackPageview('/outgoing/www.amazon.com/CISSP-All-One-Guide-Fifth/dp/0071602178/ref=sr_1_1/178-6667490-7594547?ie=UTF8_038_s=books_038_qid=1268076340_038_sr=8-1?ie=UTF8_038_tag=gutomorg-20&amp;referer=');"><img style="float:left;width: 150px;height:150px;margin-right: 10px;" src="http://ecx.images-amazon.com/images/I/51OQJcG0itL._SL500_AA240_.jpg" alt="CISSP All-in-One Exam Guide, Fifth Edition" /></a></p>
<p>  Get complete coverage of the latest release of the Certified Information Systems Security Professional (CISSP) exam inside this comprehensive, fully updated resource. Written by the leading expert in IT security certification and training, this authoritative guide covers all 10 CISSP exam domains developed by the International Information Systems Security Certification Consortium (ISC2). You&#8217;ll find learning objectives at the beginning of each chapter, exam tips, practice exam q <a href="http://www.amazon.com/CISSP-All-One-Guide-Fifth/dp/0071602178/ref=sr_1_1/178-6667490-7594547?ie=UTF8&#038;s=books&#038;qid=1268076340&#038;sr=8-1?ie=UTF8&#038;tag=gutomorg-20" title="More at Amazon" onclick="pageTracker._trackPageview('/outgoing/www.amazon.com/CISSP-All-One-Guide-Fifth/dp/0071602178/ref=sr_1_1/178-6667490-7594547?ie=UTF8_038_s=books_038_qid=1268076340_038_sr=8-1?ie=UTF8_038_tag=gutomorg-20&amp;referer=');">(more&#8230;)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2010/03/12/cissp-all-in-one-exam-guide-fifth-edition-hardcover/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s Been Happening</title>
		<link>http://www.trehb101.com/index.php/2010/02/28/whats-been-happening/</link>
		<comments>http://www.trehb101.com/index.php/2010/02/28/whats-been-happening/#comments</comments>
		<pubDate>Sun, 28 Feb 2010 16:39:18 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Life Happens]]></category>
		<category><![CDATA[Random Stuff]]></category>
		<category><![CDATA[CISM]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[Exam Notes]]></category>
		<category><![CDATA[PMP]]></category>
		<category><![CDATA[Project Management Professional]]></category>
		<category><![CDATA[Review]]></category>
		<category><![CDATA[Study]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=291</guid>
		<description><![CDATA[I've been away from this blog for quite some time, and really feeling quite guilty for not making the entry. Although not the first time I've abandoned this  blog, this is the first time that this blog actually has some purpose and structure (sort of). Anyway, I have this little thing about excuses and how I think they are similar to a--holes. Everybody has them and they all stink ;-). However, I do want to explain as to why I have been an absentee blogger since  the holidays. One word -- BUSY. Yeah, yeah aren't we all?]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been away from this blog for quite some time, and really feeling quite guilty for not making the entry. Although not the first time I&#8217;ve abandoned this  blog, this is the first time that this blog actually has some purpose and structure (sort of). Anyway, I have this little thing about excuses and how I think they are similar to a&#8211;holes. Everybody has them and they all stink <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> . However, I do want to explain as to why I have been an absentee blogger since  the holidays. One word &#8212; BUSY. Yeah, yeah aren&#8217;t we all?<span id="more-291"></span></p>
<p>During that absence one of my projects was finally launched (after much heartache and banging-head-on-table moments). Check-out yPoodle.com, an online debt management platform that allows consumers to directly negotiate and settle their delinquent unsecured debt (i.e. credit card) with their debt collectors. Debt collectors can be the original creditor, collection agencies/lawyers or debt buyers. This has been the biggest project that I have had the opportunity to develop and design the system architecture and also be its project manager. There are plenty more enhancements that will be introduced in the coming weeks and months and will definitely eat up most of my time until this bad boy is able to fully walk on its own.</p>
<p>I&#8217;ve also decided that I will focus on pursuing the Project Management Professional (PMP) certification. As I have always done with my previous certifications, I did not want to pay them expensive &#8220;must-go-to-pass&#8221; schools and decided to study on my own. This means that I end up not having a life <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> . This is my little self-study process:</p>
<ol>
<li> First I fast-read the main study material from cover to cover and highlight (I essentially used up over 6 highlighters by the time I&#8217;m done) all the key items that I believe are important. This process took me a little bit over two weeks. (My fast-reading is not fast enough &#8211;&gt; it was a damn thick book and despite all the indications to the contrary, I DO have a life). Not too concerned about understanding or fully digesting the material at this point. The key is to simply identify the overall concept of each topic and find the important elements to be highlighted.</li>
<li>The next phase (the phase I am in at the moment as of this writing) is to start taking down notes from the items that I highlighted. I&#8217;m a little behind schedule on this one. But the process essentially entails that I type these items. Typing (sometimes writing &#8211; I abandoned this process a long time ago since it is quite tiring &#8211;&gt; hands hurt after a few pages) the words allows me to now slowly digest the material. It builds up my memory and therefore I am able to remember what I was reading. I am hoping to finish the note taking within the next two weeks. I am in the early part of chapter 3 of a 12 chapter book.</li>
<li>Third phase is typically the quickest, since I have already condensed the material into my notes. For example, I am on page 103 of the book while I have only used up 23 pages worth of notes. I will then reread the notes, try to understand what I&#8217;ve written and also do some additional research and enter in more notes if there are items that I feel seem unclear. I project this to take about a week.</li>
<li>The fourth phase of the process is digging into the practice exams. Understanding why I answered a question wrong is key. I try to go through as many practice exams I can get my hands on until the day of the real exam.</li>
<li>Finally, I did this when I was working on my CISSP certification, but did not do it for the CISM and I have no plans on doing it for this one. I bought audio CDs of the study material and practice exams. Ripped the CDs and loaded the audio into my iPod. For about a month that iPod was connected to my ear whenever possible (even in my sleep! Osmosis, baby, osmosis). I had a shorter study window for the CISM exam and also for this one. The materials are also a little bit smaller than the CISSP, so I think I can manage without this step.</li>
</ol>
<p>Yep, it is a very long and strenuous process. But this is what works for me. I have not tried any of the schools out there, but I have talked to a whole bunch of folks who fessed up $2500 or more for these schools. I&#8217;ve talked to folks who took the school who failed and also to those who said that they would have never passed the exam if they had not gone to the school. Not a scientific measurement by any means, but I feel it was a 50-50 chance where the school will not help you pass the exam at all. So I&#8217;d rather not spend that mondo-bucks and simply try to digest the material my way. It has worked well for me so far.</p>
<p>I&#8217;m scheduled to take the exam in about 7 weeks, April 24. So I will be pretty much deep in the studying trenches during that time period.</p>
<p>All that said, going back to the beginning of this post. I do feel a little guilty not being able to post anything new in this blog. I&#8217;m not even sure if people actually go here and read my rants, but I started it so I&#8217;d like to maintain it (this time <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> &#8230;). The key purpose of this blog is to provide another resource for folks who actually have the same interest as I do in technology, security and business, so I figured that for now and until further notice, I will bypass the other segments that I try to introduce in this blog and focus simply on providing some resource info. This means I will continue to post the CISSP review notes and also the notes that I am taking right now for the PMP exam. Every now and then, if there is a really cool topic that pops into my head, I will post it, too. But I&#8217;m pretty sure you all can continue on with your lives without it <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> &#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2010/02/28/whats-been-happening/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CISSP Exam Note (Domain 2: Telecommunications and Networking Security) – Protocols</title>
		<link>http://www.trehb101.com/index.php/2010/01/11/cissp-exam-note-domain-2-telecommunications-and-networking-security-%e2%80%93-protocols/</link>
		<comments>http://www.trehb101.com/index.php/2010/01/11/cissp-exam-note-domain-2-telecommunications-and-networking-security-%e2%80%93-protocols/#comments</comments>
		<pubDate>Mon, 11 Jan 2010 19:38:22 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[application]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[CISSP Exam]]></category>
		<category><![CDATA[CISSP RE]]></category>
		<category><![CDATA[CISSP Review]]></category>
		<category><![CDATA[data link]]></category>
		<category><![CDATA[ISDN]]></category>
		<category><![CDATA[Layered Architecture]]></category>
		<category><![CDATA[MAC addresses]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[OSI model]]></category>
		<category><![CDATA[physical]]></category>
		<category><![CDATA[presentation]]></category>
		<category><![CDATA[Protocols]]></category>
		<category><![CDATA[session]]></category>
		<category><![CDATA[transport]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=283</guid>
		<description><![CDATA[Protocols – a standard set of rules that determines how computers communicate with each other across networks despite their differences]]></description>
			<content:encoded><![CDATA[<p><strong>Protocols – </strong>a standard set of rules that determines how computers communicate with each other across networks despite their differences</p>
<p><strong>Layered architecture</strong></p>
<ul>
<li>Shows how communication should take place</li>
<li>Clarify the general functions of a communication process</li>
<li>To break down complex networking processes into more manageable sub-layers</li>
<li>Using industry standard interfaces enables interoperability</li>
<li>To change the features of one layer without changing the code in every layer</li>
<li>Easier troubleshooting<span id="more-283"></span></li>
</ul>
<p><strong>Open Systems Interconnect (OSI) Model</strong></p>
<p><strong>Layer 7 – Application</strong></p>
<ul>
<li>Responsible for all application-to-application communications</li>
<li>User information maintained at this layer is <strong>user data</strong></li>
<li>Security: Confidentiality, Authentication, Data Integrity, Non-repudiation</li>
<li>Technology: Gateways</li>
<li>Protocols: FTP, SMB, Telnet, TFTP, SMTP, HTTP, NNTP, CDP, GOPHER, SNMP, NDS, AFP, SAP, NCP, SET</li>
</ul>
<p><strong>Layer 6 – Presentation</strong></p>
<ul>
<li>Responsible for the formatting of the data so that it is suitable for presentation</li>
<li>Responsible for character conversion (ASCII/EBCDIC)</li>
<li>Encryption/Decryption, Compression and Virtual Terminal Emulation</li>
<li>User information maintained at this layer is called <strong>messages</strong></li>
<li>Security: Confidentiality, Authentication, Encryption</li>
<li>Technology: Gateway</li>
<li>Protocols: ASCII, EBCDIC, Postscript, JPEG, MPEG, GIF</li>
</ul>
<p><strong>Layer 5 – Session</strong></p>
<ul>
<li>Responsible for the setup of the links, maintaining of the link and the link tear-down between applications</li>
<li>Security: None</li>
<li>Technology: Gateway</li>
<li>Protocols: Remote Procedure Calls (RPC), SQL, RADIUS, DNS, ASP</li>
</ul>
<p><strong>Layer 4 – Transport</strong></p>
<ul>
<li>Responsible for the guaranteed delivery of user information</li>
<li>Also responsible for error detection, correction and flow control</li>
<li>User information at this layer is called <strong>datagram</strong></li>
<li>Security: Confidentiality, Authentication, Integrity</li>
<li>Technology: Gateway</li>
<li>Protocols: TCP, UDP, SSL, SSH-2, SPX, NetBIOS, ATP</li>
</ul>
<p><strong>Layer 3 – Network</strong></p>
<ul>
<li>Responsible for the routing of user data from one node to another through the network including the path selection</li>
<li>Logical addresses are used at this layer</li>
<li>User information maintained at this layer is called <strong>packets</strong></li>
<li>Security: Confidentiality, Authentication, Data Integrity</li>
<li>Technology: Virtual Circuits (ATM), routers</li>
<li>Protocols: IP, IPX, ICMP, OSPF, IGRP, EIGRP, RIP, BOOTP, DHCP, ISIS, ZIP, DDP, X.25</li>
</ul>
<p><strong>Layer 2 – Data Link</strong></p>
<ul>
<li>Responsible for the physical addressing of the network via MAC addresses</li>
<li>There are two sublevels: MAC &amp; LLC</li>
<li>Has error detection, frame ordering and flow control</li>
<li>User information maintained at this layer is called <strong>frames</strong></li>
<li>Security: Confidentiality</li>
<li>Technology: Bridges, switches</li>
<li>Protocols: L2F, PPTP, L2TP, PPP, SLIP, ARP, RARP, SLARP, IARP, SNAP, BAP, CHAP, LCP, LZS, MLP, Frame Relay, Annex A, Annex D, HDLC, BPDU, LAPD, ISL, MAC, Ethernet, Token Ring, FDDI</li>
</ul>
<p><strong>Layer 1 – Physical</strong></p>
<ul>
<li>Responsible for the physical transmission of the binary digits through the physical medium</li>
<li>Includes things such as the physical cables, interfaces and data rate specifications</li>
<li>User information maintained at this layer is called <strong>bits</strong></li>
<li>Security: Confidentiality</li>
<li>Technology: ISDN, Hubs, Repeaters, Cables</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2010/01/11/cissp-exam-note-domain-2-telecommunications-and-networking-security-%e2%80%93-protocols/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CISSP Exam Note (Domain 2: Telecommunications and Networking Security) – Availability Concepts / Fault Tolerance</title>
		<link>http://www.trehb101.com/index.php/2009/12/01/cissp-exam-note-domain-2-telecommunications-and-networking-security-%e2%80%93-availability-concepts-fault-tolerance/</link>
		<comments>http://www.trehb101.com/index.php/2009/12/01/cissp-exam-note-domain-2-telecommunications-and-networking-security-%e2%80%93-availability-concepts-fault-tolerance/#comments</comments>
		<pubDate>Tue, 01 Dec 2009 16:44:32 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Availability]]></category>
		<category><![CDATA[block level]]></category>
		<category><![CDATA[byte level]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[denial of service]]></category>
		<category><![CDATA[Disaster Tolerant Disk Systems]]></category>
		<category><![CDATA[DOS]]></category>
		<category><![CDATA[Failure Resistant Disk Systems]]></category>
		<category><![CDATA[Failure Tolerant Disk Systems]]></category>
		<category><![CDATA[fault tolerance]]></category>
		<category><![CDATA[FRDS]]></category>
		<category><![CDATA[hamming code]]></category>
		<category><![CDATA[interleave]]></category>
		<category><![CDATA[mirroring]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[parity]]></category>
		<category><![CDATA[RAID]]></category>
		<category><![CDATA[RAID Levels]]></category>
		<category><![CDATA[Redundant Array of Inexpensive Disks]]></category>
		<category><![CDATA[redundant servers]]></category>
		<category><![CDATA[server clusters]]></category>
		<category><![CDATA[single virtual disk]]></category>
		<category><![CDATA[striping]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=209</guid>
		<description><![CDATA[Availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed. The opposite of availability is the lack thereof; one example of this is a common attack known as a denial of service (DoS) attack.]]></description>
			<content:encoded><![CDATA[<p><strong>Availability</strong> means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed. The opposite of availability is the lack thereof; one example of this is a common attack known as a denial of service (DoS) attack.</p>
<p>For example: In 2000 Amazon, CNN, eBay, and Yahoo! were victims of a DoS attack.</p>
<table style="border-style: none; margin: auto; border-collapse: collapse; background-color: transparent; width: auto;" border="0">
<tbody>
<tr>
<td style="padding: 10px; color: #b2b7f2; font-size: 35px; font-family: 'Times New Roman',serif; font-weight: bold; text-align: left;" width="20" valign="top">“</td>
<td style="padding: 4px 10px;" valign="top"><em>Yahoo Attacked. No one knows what happened except that it was inaccessible for more than 3 hours. It was also known that the attack was co-ordinated and hence the standard firewall algorithms failed to figure out what was happening.</em></p>
<p><em>Source: </em><a href="http://en.wikipedia.org/wiki/Information_assurance" target="_blank" onclick="pageTracker._trackPageview('/outgoing/en.wikipedia.org/wiki/Information_assurance?referer=');">http://en.wikipedia.org/wiki/Information_assurance</a></td>
</tr>
</tbody>
</table>
<p><strong>Fault Tolerance</strong> is the ability of a system to respond gracefully to an unexpected hardware or software failure. There are many levels of fault tolerance, the lowest being the ability to continue operation in the event of a power failure. Many fault-tolerant computer systems mirror all operations &#8212; that is, every operation is performed on two or more duplicate systems, so if one fails the other can take over. Source: <a href="http://www.webopedia.com/term/f/fault_tolerance.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.webopedia.com/term/f/fault_tolerance.html?referer=');">http://www.webopedia.com/term/f/fault_tolerance.html</a><span id="more-209"></span></p>
<p><strong>Network Availability</strong></p>
<ul>
<li>RAID – Redundant Array of Inexpensive Disks</li>
<li>Back-up Concepts</li>
<li>Manage Single Point of Failure</li>
</ul>
<p><strong>RAID – </strong>Redundant Array of Inexpensive Disks</p>
<ul>
<li>Fault tolerance against server crashes</li>
<li>Secondary – improve system performance</li>
<li>Striping – caching and distributing on multiple disks</li>
<li>RAID – employs the technique of striping, which involves partitioning each drive’s storage space into units ranging from a sector (512 bytes) up to several megabytes. The stripes of all disks are interleaved and addressed in order</li>
<li>Hardware and software implementation</li>
</ul>
<p><strong>RAID Advisory Board</strong></p>
<ul>
<li>Three types
<ul>
<li>Failure Resistant Disk Systems (FRDS) – the only current standard;</li>
<li>Failure Tolerant Disk Systems;</li>
<li>Disaster Tolerant Disk Systems</li>
</ul>
</li>
<li>FRDS
<ul>
<li>Provides the ability to reconstruct the contents of a failed disk onto a replacement disk</li>
<li>Enables continuous monitoring of these parts and the alerting of their failure</li>
</ul>
</li>
<li>FRDS+
<ul>
<li>Protect from disk failure – can reconstruct disks by automatically hot swapping while server is running</li>
<li>Includes environmental controls</li>
<li>FRDS+ adds hazard warning</li>
</ul>
</li>
</ul>
<p><strong>RAID Levels</strong></p>
<p><strong>RAID 0 – Striping</strong></p>
<ul>
<li>Creates one large disk by using multiple disks – striping</li>
<li>No redundancy</li>
<li>No fault tolerance (1 fail = all fail)</li>
<li>Read/write performance is increased</li>
</ul>
<p><strong>RAID 1 – Mirroring</strong></p>
<ul>
<li>Duplicates data on other disks (usually a one to one ratio)</li>
<li>Expensive (doubles cost of storage)</li>
</ul>
<p><strong>RAID 2 – Hamming Code Parity</strong></p>
<ul>
<li>Multiple disks</li>
<li>Parity information created using a hamming code</li>
<li>Can be used in a 39-disk array: 32 data and 7 recovery</li>
<li>Not used, replaced by more flexible levels</li>
</ul>
<p><strong>RAID 3 – Byte Level Parity / RAID 4 – Block Level Parity</strong></p>
<ul>
<li>Stripe across multiple drives</li>
<li>Parity information on a parity drive</li>
<li>Provides redundancy</li>
<li>Can affect performance with a single parity drive</li>
</ul>
<p><strong>RAID 5 – Interleave Parity</strong></p>
<ul>
<li>Most popular</li>
<li>Stripes data and parity information across all drives</li>
<li>Uses interleave parity</li>
<li>Reads and writes performed concurrently</li>
<li>Usually 3-5 drives – if one drive fails, can reconstruct the failed drive by using the information from the other 2</li>
</ul>
<p><strong>RAID 7 – Single Virtual Disk</strong></p>
<ul>
<li>Functions as a single virtual disk</li>
<li>Usually software over Level 5 hardware</li>
<li>Enables the drive array to continue to operate if any disk or any path to any disk fails</li>
</ul>
<p><strong>RAID Summary</strong></p>
<ul>
<li>0 – Striping</li>
<li>1 – Mirroring</li>
<li>2 – Hamming Code Parity</li>
<li>3 – Byte level parity</li>
<li>4 – Block level parity</li>
<li>5 – Interleave parity</li>
<li>7 – Single Virtual Disk</li>
</ul>
<p><strong>Other Types of Fault Tolerance</strong></p>
<p><strong>Redundant Servers</strong></p>
<ul>
<li>Primary Server mirrors to secondary server</li>
<li>Fail-over or rollover to secondary in the event of a failure</li>
<li>Server fault tolerance can be warm or hot</li>
</ul>
<p><strong>Server Cluster</strong></p>
<ul>
<li>Group of independent servers managed as a single system</li>
<li>Load balancing</li>
<li>Improves performance</li>
<li>“Server Farm”</li>
<li>Microsoft Cluster Server</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2009/12/01/cissp-exam-note-domain-2-telecommunications-and-networking-security-%e2%80%93-availability-concepts-fault-tolerance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

