February 28, 2013
Happy Not So New Year
Wow. Has it been that long? I was very surprised to see that this is my first post of the year. I guess it is both good and not so good. Good - because I'm studying instead of blogging about studying. Not so good - because I had hoped to be further along and talking about it more.
The thing that prompted me to post is that I completed another book and had to add it to the list. I came home from work today and I read this book in one evening. The book is: "Your CCIE Lab Success Strategy - The Non-Technical Guide Book" by Dean Bahizad and Vivek Tiwari. Both are double CCIEs.
I had mixed feelings about the book. I expected a larger book. Perhaps something like the size of an O'Reilly topic was what I had envisioned. But it's more the size of a small guide book - or a Kindle. I opened it up and saw that the entire book was double spaced. Gasp! But as I read through the book, I found it to be a really good read.
There really isn't anything "new" in the book. Just about all the information or hints are things that are covered in the INE videos. There are no shortcuts. You have to be dedicated and persevere. Yadda yadda...yeah, I know. And that's okay. It's always good to hear it - and to hear it again.
The good part of the book is that it is ENCOURAGING. Even though it's stuff you've heard before, read it. As I was reading, I considered passing it on when I finished. At the end of the book, I decided to keep it - until I get my second CCIE. And that's what the real value of the book turned out to be (for me). I am going to read the book again whenever I get discouraged. I'm going to read it when I start getting sluggish. It's a really good pep talk when you need it.
The biggest recommendation in the book is the hardest to implement. It recommends a study partner. Finding the right study partner is really difficult in some locations. And finding a bad study partner is worse. So I'm going to take that recommendation with a grain of salt. I wish I didn't have to skip that part - a study partner would be helpful.
The part that I found encouraging is the undertone that it is -normal- to want, work toward, and attain TWO CCIE certifications. And it was uplifting to hear that the second one is easier than the first. You already have a strong foundation (your first CCIE), you already have a study method, and you have already proven to yourself and others that you have the drive and persistence needed to complete such a daunting task. All that's left is the doing.
I also got another book this week that I'm poking my way through -> Guide to TCP/IP Fourth Edition by Jefferey Carrell, Laura Chappell, Ed Tittel with James Pyles. OMG I am so excited about this one! Jefferey Carrell was the instructor at a Riverbed workshop I recently attended. It was a great workshop on Pilot and Wireshark. This is the TCP/IP book that I have always wanted. It doesn't just go through some dry rehash of protocols. This one is more of a hands-on guidebook - complete with trace files. Yes. This is the book I have always wanted. It goes through the protocol and tells you how it works. Then you download and explore the trace files to SEE how it works (or doesn't). I'm rationalizing my reading of the book in two ways: first, a good book on TCP/IP is recommended reading for the CCIE R/S path; second, it is oh-so-very directly job-related.
However, I do realize after reading the first book, I can't allow myself to be distracted from my CCIE lab studies. So I'm using this book as my "carrot" to encourage me to study. But this is definitely the book (read: reward) that I get to read after I watch my scheduled videos or finish a scheduled lab. Awesome stuff.
Posted by BlueWolf on February 28, 2013
November 25, 2012
Books - not so much lately
There's a post on my "CCIE Study Notes" blog that I want to talk about here. It's about how much there is to do to prepare for the CCIE Lab Exam. If you're wondering why there are no networking books on the Read List for 2012, it's because I'm focusing on videos and lab practice on remote racks. It's a lot of material and a lot of work.
The pictures on that post show three full pages of flip chart filled with a list of every task that I'm going through in the Workbook. There are 5 columns of about 30 lines each - for each page. And that is just Workbook I. Then I list all the videos (number and hours to complete) and then the number of configuration and troubleshooting labs that are found in the other three workbooks. It's pretty overwhelming when you look at it all.
This is something that you can't just do "in your spare time" as a hobby. You really have to focus and practice, practice, practice. I found that those pages of flip chart have provided a lot of relief. I can see my progress and it really keeps me going. I'm also using it to plot my rack sessions and make better use of the time. But it still takes a long time to complete it all.
This is a test of stamina as much as a test of skill.
Posted by BlueWolf on November 25, 2012
November 14, 2012
What if you could pay a certain amount of money, and with some effort and practice, make your skills sharper and build confidence? Would you do it? I guess as long as the amount of money was within reach, most ambitious people would consent.
That's what rack time does.
I probably approached it the way most people do - it's expensive and I wanted to save most of it for actually practicing lab scenarios. In some wishful, magical way I would learn enough on my own to just schedule some labs and work through them. After all, I've been in this field for a long time and I do this stuff every day. I understand the material. Well, I tried that and it was a struggle. And in some ways, the rack time that I used was not as efficient as I had hoped. It also lessened my confidence rather than built it.
So I went back to basics. I returned to Workbook I and started from the beginning - to prepare for my 2nd shot at the CCIE R/S lab. At first it seemed silly. I felt like I was giving myself a pity party or being too soft on myself. But in a very short time, I found that not to be true. It was a very good decision.
The first thing that happened is that the first few exercises were easy. It was nice to start off and be able to knock it out of the park. The easy stuff. That part did not build confidence. However, it did get me to appreciate the things I did know inside out. Then I hit a section that I wasn't strong enough on to complete. Ha. It was something that I know about, but don't use in my everyday experience. Wow. Hey, there's a lot of stuff here that you don't use in every workplace every day.
So when I hit that snag, I broke off a piece of it and worked it. I practiced figuring it out and then I blogged about it at my other blog. Having to write about it helped me to iron out the wrinkles in my understanding. I had to understand it enough to clearly speak on the topic. And with this being public, well, you're going to really make sure you're getting it exactly right. Which brought me to the documentation a few times to check my post. I learned enough through this to be sure of what I was posting. Then I went back to the rack and re-worked those sections again. Now I'm more sure of being able to configure it without needing to rely on notes or documentation. I totally understand it now. THAT is what built the confidence.
Granted, I'm not yet scheduling time at RTP for that 2nd shot. But after having that experience (my first attempt), I now know where I need to be to realistically have a chance at passing. And I can see my knowledge, skills and experience build with each rack session. And I have a "method" of study.
One other thing that I found helpful when practicing - don't struggle. If you're working a section and you're feeling like it's a stretch, then drive forward. But if it feels like a struggle, move on to another section. This will help conserve rack tokens. Struggles take lots of time. Learn on non-rack time. Then go back to the rack to practice what you just learned.
For example, the other day I was able to configure the 'basic' parts of RIP. Then some of the more advanced tasks were in the later sections. I started to get frustrated. Frustration is not what you want to practice. So I made a note on the sections that gave me trouble and moved on to EIGRP. I loaded the next config template and in 12 min was back on track. I started to configure again and made much better use of that rack time. After my session was over, THEN I went over the advanced scenarios and reviewed the documentation.
And once I practice it again and blog about it, the other benefit is: I can put that to bed. That's what came out of my first attempt - the ability to know when I know something well enough to move on to the next topic.
Time Management. It's a soft skill - and although it's not explicitly tested on the Lab Exam, it's a part of it. Practice it before the test and it will become a part of you. These are all skills that you need to take with you to the test.
Posted by BlueWolf on November 14, 2012
August 25, 2012
I don't normally "re-blog" but I found this article quite interesting --
20 of the Best IT Security Lessons Ever Learned by David Spark
It grabbed me with the first one:
Tip #1: Security must enable business, not prevent it
and then really hooked me with:
Tip #4: Teach the basics again and again
"you can be far more effective just educating personnel about simple secure practices, over and over again"
Tip #11: In a business vs. security battle, business is always right
Which shows a guy holding a chalkboard that says "There is no security risk. It's all business risk."
Good article. The first point - omg, isn't that an old concept? Remember this book? You may not like or agree with Gates, but read this and realize this was first published in 2000. He was telling businesses that you need to leverage your geeks to give yourself the advantage. And he was also telling geeks that they need to provide business value - not just geek giggle. I remember that time in computing. I had gotten my MCSE in 1998 and CCNA in 1999. The 'big thing' was what you could do - not what you should do. Projects were created just to prove you could do something, not because they had any business value. Heck, we'll figure that part out later - let's see if we can make it work first. And then a few years later, the tech bubble burst and everything changed. One of the reasons I went for the CISSP is the focus it has on business rather than pure technology. Granted, I have the technology background - it's not enough (for me). Fellow Geekateers - wake up! The businesses are where the MONEY happens to be... remember? We work FOR the business, they are not the enemy. They are not the people who are making our jobs difficult; we are making their jobs difficult. You have to make the secure way the EASY way of doing things, or else you will get someone somewhere going around the system. Or if you are that immovable block "protecting" the network - yeah, you can be removed. (Psst - the business will see to that.) And in security, all you need is one weak link to break the chain. Just one person (especially an insider) with a reason and perhaps business permission to circumvent the controls and you have just opened the door to someone following behind them.
So now about #4 - that's a favorite of mine too. You have to teach the basics - and not just nag. You have to get out there and talk to people and train them to think securely. You will not be with them all the time. You will not be able to train them on everything. They will not remember everything. So keep it simple and teach the principle of the matter. Teach them - if YOU can access it, then a malicious user can access it - with your credentials. That way people can retain the idea and apply it to new situations - like when you go from one type of credential to another...["well, I know you shouldn't share your password, but I just let him have my ID card for just a few min to go to the bathroom..." ]
And again...#11... that business thing. The guy with the sign is right. It is ALL business risk. From security to maintenance - it's a business decision.
However - the place where I see both security and business falling down is the reluctance to identify data with different levels of business importance. Business doesn't want to pay for security to take the time (or their time) to properly identify business value. And security wants to secure everything. It's a WASTE OF MONEY to lock up a head of lettuce. I've seen time and again (at a number of companies) where they have a blanket level of security over everything. Sometimes it has been so severe, that many people can't properly do their jobs. Or they waste vast amounts of time employing (or going around) the security measures to complete a simple authorized routine task. At the same time, business-sensitive data is treated the same as all the other data on your network (in the belief that it's all locked down). Is it really secure? If everything has the same level of security and you just got around that security to do some routine task... what about the sensitive data?
There's one tip that they left off - or perhaps may be #21:
Bad security is worse than no security.
If you think you're secure and you have bad security, you won't bother to "fix" something you don't see as broken.
Posted by BlueWolf on August 25, 2012
August 19, 2012
It's now official - I'm CISSP certified. [Ring the bell!] I've also updated the Reading Stats after much debate (with myself).
First the cert -> it was EASY... for me. The first time I met a CISSP, I asked him how the test was and he said it was easy. I didn't believe him. Now I do - and now I KNOW WHY... What he didn't explain is that by the time you get the experience (5 years in two or more domains), you have been through most of the material in some way, shape or form. Much of what I saw and read was review from many places - ITIL training, DITSCAP training, Security+ study, MCSE:Security study, CCNA Security study, etc ... I've used many of the biometric devices, I've written the Disaster Recovery documents and performed recovery exercises, I've done the vulnerability remediation, and so on...
For the study materials I used for the recent prep:
These two books -
And these two people:
In case you're interested - the entire CISSP Video Course by Shon Harris is on Safari Books Online (Library Subscription). The content was excellent - the delivery, not so much. The videos are chopped up into tiny bites. A bit too tiny to be honest. But a motivated person can make it through and get some good training.
None of these resources alone are adequate for preparation. You must combine multiple resources and build a knowledge base in your head. They say that the CISSP is an inch deep and a mile wide. Not sure if that's accurate, but there is a LARGE amount of material that you need to be very familiar with in order to pass the exam. And you really can't get it all in any one place. The official book - officially awesome. It has a lot more depth than the other resources and is a really good read. For the crypto stuff... I highly recommend Cryptography Decrypted by H. X. Mel and Doris M. Baker.
Secondly, the stats -- yes, they have been updated. I debated continuation of the book list and stats for some time. Now that my focus has been more toward the area of security, I started thinking again along the lines of "why am I putting this info out there" and had considered stopping. However, I later convinced myself that stopping would never really amount to anything more than "security through obscurity" and decided to continue. At this point, I have read over 40,000 pages of textbook material. Of course, I don't have every book on that list memorized, but I have incorporated the basic ideas and various tidbits of information into my memory. I have also started on a number of other books that are not listed because I didn't complete them.
Any would-be adversary would not be able to know or deduce the extent of my abilities (or any knowledge gap) simply from the list. No, it is not like putting your network diagrams on the Internet. And I refuse to let -fear- drive the content of my blog. Anyone who would attack a network that I would be defending (be it current or future) would need to breach the technology - properly implemented, not breach any personal intimate area like some diary by my nightstand. And, as we all know, once you give into fear, you are already defeated.
One of the other reasons I chose to continue the stats is because someone might really need to know this - which is the reason I started keeping track. People need to know that it really takes a lot of work to stay current and be able to fix whatever breaks. Users need to know that if you (as a user) need to learn a little bit to use the new operating system, your IT people have to learn 10X more to provide it to you. And others need to see that to get from here to there is not "luck" or some "trick of the trade" or something you can do overnight. It takes a lot of hard work - maintained over a long period of time. There are no short cuts.
Posted by BlueWolf on August 19, 2012