It's now official - I'm CISSP certified. [Ring the bell!] I've also updated the Reading Stats after much debate (with myself).
First the cert -> it was EASY... for me. The first time I met a CISSP, I asked him how the test was and he said it was easy. I didn't believe him. Now I do - and now I KNOW WHY... What he didn't explain is that by the time you get the experience (5 years in two or more domains), you have been through most of the material in some way, shape or form. Much of what I saw and read was review from many places - ITIL training, DITSCAP training, Security+ study, MCSE:Security study, CCNA Security study, etc ... I've used many of the biometric devices, I've written the Disaster Recovery documents and performed recovery exercises, I've done the vulnerability remediation, and so on...
For the study materials I used for the recent prep:
These two books -
And these two people:
In case you're interested - the entire CISSP Video Course by Shon Harris is on Safari Books Online (Library Subscription). The content was excellent - the delivery, not so much. The videos are chopped up into tiny bites. A bit too tiny to be honest. But a motivated person can make it through and get some good training.
None of these resources alone are adequate for preparation. You must combine multiple resources and build a knowledge base in your head. They say that the CISSP is an inch deep and a mile wide. Not sure if that's accurate, but there is a LARGE amount of material that you need to be very familiar with in order to pass the exam. And you really can't get it all in any one place. The official book - officially awesome. It has a lot more depth than the other resources and is a really good read. For the crypto stuff... I highly recommend Cryptography Decrypted by H. X. Mel and Doris M. Baker.
Secondly, the stats -- yes, they have been updated. I debated continuation of the book list and stats for some time. Now that my focus has been more toward the area of security, I started thinking again along the lines of "why am I putting this info out there" and had considered stopping. However, I later convinced myself that stopping would never really amount to anything more than "security through obscurity" and decided to continue. At this point, I have read over 40,000 pages of textbook material. Of course, I don't have every book on that list memorized, but I have incorporated the basic ideas and various tidbits of information into my memory. I have also started on a number of other books that are not listed because I didn't complete them.
Any would-be adversary would not be able to know or deduce the extent of my abilities (or any knowledge gap) simply from the list. No, it is not like putting your network diagrams on the Internet. And I refuse to let -fear- drive the content of my blog. Anyone who would attack a network that I would be defending (be it current or future) would need to breach the technology - properly implemented - not breach any personal intimate area like some diary by my nightstand. And, as we all know, once you give in to fear, you are already defeated.
One of the other reasons I chose to continue the stats is because someone might really need to know this - which is the reason I started keeping track. People need to know that it really takes a lot of work to stay current and be able to fix whatever breaks. Users need to know that if you (as a user) need to learn a little bit to use the new operating system, your IT people have to learn 10X more to provide it to you. And others need to see that getting from here to there is not "luck" or some "trick of the trade" or something you can do overnight. It takes a lot of hard work - maintained over a long period of time. There are no shortcuts.
Posted by BlueWolf on August 19, 2012 09:19 PM