Didier Stevens

Wednesday 12 December 2012

PaulDotCom Security Weekly And The (ISC)² Audit

Filed under: Certification — Didier Stevens @ 16:24

Almost six years ago I blogged about submitting (ISC)² CPE points for listening to IT security podcasts.

Last week I submitted CPE points for listening to 6 months of PaulDotCom Security Weekly podcasts. This CPE points submission was promptly selected for an audit by (ISC)².

I received an e-mail that informed me about the audit process and asked me to provide more information about the points I submitted. I replied with a description of what the podcast was about and with an excerpt from my spreadsheet I keep. A few days later I received a reply to inform me that I passed the audit.

Saturday 19 April 2008

Taking the GSSP-C Exam

Filed under: Announcement,Certification — Didier Stevens @ 11:10

I’ve a blogpost over at the PaulDotCom Community Blog about my GSSP-C certification.

Monday 16 April 2007

About the strategy I followed during my CISSP exam

Filed under: Certification — Didier Stevens @ 8:54

In a previous CISSP exam post I promised to blog about the exam-taking strategy I followed.

The CISSP examination consists of 250 multiple-choice questions with 4 choices each. You probably know that it’s a form-based exam: you don’t get to sit in front of a computer to take the exam, but you get a booklet with questions and a form you have to complete with your answers using a number 2 pencil. You’re allowed to write on the pages of the booklet.

Here is how I tackled my 250 questions.

I read the first question. If I don’t understand the question, or if I don’t like the question, or if I don’t even feel like answering the question right now, I just move on to the next question. However, even if I skip a question but I’m certain that one or more of the answers are not correct, I cross them out (every time I say I write something down or make a mark, I do it on the question booklet, unless stated otherwise).
If I try to answer the question but I’m not sure of the right answer, I will cross out the incorrect answers and move on to the next question.
If I answer a question I’m sure about, I put a circle around the number of the question and another one around the letter of the correct answer.

After tackling the last question, I just start the process again from the beginning, skipping the questions I already answered (remember, there’s a circle around the number of an answered question). I repeat this process several times; each cycle gives me more answers. After 3 hours, I’ve answered about 80% of the questions and I decide to transcribe my answers to the form (I have to be careful to skip the unanswered questions on the form). I review each answered question and transcribe the correct answer to the form. At the same time, I compile a list of all unanswered questions.
I decided to transcribe the answers after completing about 80% because:
1) I want to take the time to correctly transcribe the answers, I don’t want to make mistakes by rushing the job at the end of the 6 hour period allowed for the exam
2) I don’t want to start second-guessing my answers

After 45 minutes, I’ve transcribed all answered questions.

Now I focus on the list of remaining questions. I try to answer each question by eliminating all incorrect answers: what remains must be the correct answer. If more than one answer remains, I select one at random. I start guessing because I don’t want to stay until the end of the exam trying to find the correct answers; I feel confident because of all the other questions I answered. Since a wrong answer does not impact your score, you’re better off answering all questions than leaving some unanswered. Finally, I transcribe the remaining answers to the form. The list of remaining questions I compiled helps me to identify which answers remain to be transcribed.

The complete process took about 4 hours. And I don’t want to do it again, so I’ll do all that is necessary to have 120 CPE credits for my recertification.

In the days following the exam, you’ll start to doubt some of the answers you gave. I looked up several questions and discovered I answered them incorrectly. But don’t despair, your memory is biased, you’re focusing on the wrong answers, and not on all the correct ones you gave.

Monday 26 February 2007

How I prepared my CISSP exam

Filed under: Certification — Didier Stevens @ 12:00

As promised, I’ll tell you how I prepared for my CISSP exam. Of course, this is no recommendation for a guaranteed path to success, your results may vary. For example, I studied the Common Body of Knowledge on my own, I didn’t take a CBK Review Seminar and I didn’t join a study group. Self-study works great for me (I like reading books in my easy chair), but it may not for you.

I spent about one year (elapsed time) preparing for the exam. My original planning was 6 months, from fall 2005 until spring 2006. Unfortunately, this time there was no spring exam in Belgium, so I had to wait for the fall exam. It allowed me to take a break of several months. I cannot tell you how many man-days I spent, but it must be at least a man-month.

The “Official (ISC)²® Guide to the CISSP Exam” was the first book I started reading. To whet my appetite, I didn’t start reading the book from the first chapter, but I started with a fun chapter: cryptography (well, I consider it to be a fun read, you may think otherwise). But the official guide turned out to be quite terse prose, so I looked for other books. Shon Harris’ “CISSP All-in-One Exam Guide” popped up a lot in my search results, so I gave it a try. And it turned out to be an excellent study guide. I read it from cover to cover, and occasionally referred to the official guide for more reading material when I wasn’t so familiar with a particular domain. The chapter about the exam itself is also very good; Shon gives a lot of good tips.

I would read a chapter, and then I would take the quiz at the end of the chapter. This is quite a strict procedure I follow (I also did this for my other certs): I write down my answers in a spreadsheet, with a special mark if I feel uncertain about my answer, and only after answering every question do I look up the answers. If I answered incorrectly or if I marked a correct answer as “uncertain”, I would carefully read the explanation. If it turned out I misread the question, and would otherwise have answered correctly, I just moved on. For example, it happens that I misread a “not”: it reads “what does not apply” and I read “what does apply” …
However, if I didn’t misread the question, I reviewed the sections of the chapter pertaining to this particular question until I understood what the correct answer was.
It turned out that I would always answer 80% or more of the questions correctly.

For many domains I consulted extra information on the Internet (Wikipedia is a good source for technical information), and I also tried to find practical uses for the concepts I was learning. For example, I applied cryptography in my tool ZIPEncryptFTP. I can also recommend CrypTool to study crypto algorithms.

After studying all the domains and feeling confident, I rehearsed the exam itself: I answered all questions of the trial exam provided in Shon’s book in one go and timed myself. This took me several hours. Although I had about 73% correct answers, I still reviewed the wrong answers (several of them were of the “not”-type).

I also took a trial exam with all the questions of the official guide.

Finally I took a few days before the exam to cram. There is always stuff you need to memorize unless you’ve a lot of experience in the domain. For example, I had to memorize the list of the different types of glass and how they compared to each other for their impact-resistance.

An upcoming post is about the exam taking strategy I followed.

Monday 22 January 2007

Listening to security podcasts earns (ISC)² CPE credits

Filed under: Certification — Didier Stevens @ 10:55

Now that I’m a CISSP, I’m required to perform continuing education during a 3-year certification cycle to become recertified. The term “CPE” is an acronym for “Continuing Professional Education” points. I’ve to earn 120 CPE credits.

I read on this page that Pod Casts (notice the spelling) are mentioned as an activity that earns CPE credits. I checked with ISC² to see if listening to security podcasts like “The Security Catalist” is a valid CPE activity. And they confirmed that it is a valid CPE activity.

I gave them “The Security Catalist” as an example because “Santa”, the host, is a CISSP Lead Instructor and I exchanged some e-mails with him about this. He has also mentioned in his last podcast that listening to his podcast earns CPE credits.

I listen to a lot of podcasts, many of them are IT security related:

  • The Silver Bullet Security Podcast
  • CyberSpeak Podcast
  • PaulDotCom Security Weekly
  • SploitCast
  • A Day in the Life of an Information Security Investigator
  • Security Now!
  • Binary Revolution Radio
  • The Security Catalist

I started submitting CPE credits for every hour I listen to security podcasts: I have a spreadsheet where I keep a list of every episode I listened to, with the duration of the podcast (I selected three podcasts I listen to; I don’t want to do this administration for all the podcasts). And then every few months, I submit CPEs equal to the total number of hours per podcast. I don’t submit individual episodes, because some of them are less than 1 hour.

And I also keep the actual mp3 file, because in case of an ISC² audit, I have to provide proof that I listened to the podcasts. I decided to keep the mp3 file, because I read that for books you read and submit as CPE credits, one of the accepted proofs in case of an audit is keeping the book you read and show that you have it.

Tuesday 5 December 2006

Sinterklaas kapoentje, leg wat in mijn schoentje…

Filed under: Certification — Didier Stevens @ 20:04

Robert Scoble blogged from Amsterdam about Sinterklaas.

From Wikipedia:

Sinterklaas in Dutch is a holiday tradition in the Netherlands and Belgium, celebrated every year on Saint Nicholas’ eve December 5 or, in Belgium, the morning of December 6.

Sinterklaas brings gifts for children who have been good.

I must have been a good boy this year, because (ISC)² e-mailed me they would print my CISSP certificate today. I’ll follow-up with a more detailed post.
