Intense School's Boot Camp for CISSP, Martin Grasdal, CramSession

Publish Date: December 7, 2002

Martin Grasdal, Cramsession's senior techie, gets his security on at a CISSP boot camp in Florida.

Up until a little while ago, there was no "Boot Camp" that you could attend to help you prepare for your Certified Information Systems Security Professional (CISSP) exam. If you wanted to study for this challenging exam, you could prepare on your own or with a study group if you could find one in your area, or you could attend the CISSP review seminars offered by (ISC)2 to supplement your preparation. Preparing for the exam on your own, with or without the assistance of a study group, is a good way to go. However, independent study is not always effective for everyone, for any number of reasons, such as the lack of peer support or the absence of an expert to whom you can address your questions. For these and other reasons, good instructor-led training, such as that provided by reputable boot camps, can be an extremely efficient means for you to master any particular subject matter in a relatively short period of time. That's one reason why I was intrigued to learn that Intense School had launched a boot camp for the CISSP certification exam. The other reason is that I have experience and a deep interest in computer security.

So, I made arrangements to attend Intense School's boot camp in Ft. Lauderdale, Florida at the beginning of June.

First, before I tell you about my experience at the boot camp, a little background on the CISSP certification. This certification is administered by a non-profit organization, the International Information Systems Security Certification Consortium, aka (ISC)2. Aside from providing and administering the CISSP exam, (ISC)2 maintains a "Common Body of Knowledge" (CBK) for information security. The CISSP candidate is tested on the Common Body of Knowledge, which is categorized into 10 domains. These domains include Access Control Methodologies; Disaster Recovery Planning; Law, Investigation, and Ethics; Physical Security; Cryptography; Telecommunications, Network and Internet Security; as well as others. To take the CISSP exam, you must qualify for the certification. In the case of the CISSP, you must possess at least three years of full-time security experience in one or more of the ten domains and subscribe to the (ISC)2 code of ethics. Also, as of June 1, 2002, you need an endorsement from someone possessing a CISSP or, if you don't know a CISSP, from an individual with knowledge of information systems or an officer of your company. On January 1, 2003, you will be required to have either four years of full-time security experience or three years and a college degree (any degree will do). If you don't qualify for the CISSP, you may qualify for the less rigorous SSCP certification.

As you can appreciate, there is a lot of information covered by the exam, some of it very technical and abstract (the Bell-LaPadula and Biba security models come to mind). The certification is an assurance that the candidate has passed a rigorous exam that covers industry-standard areas of security knowledge, as expressed in the CBK. Because the certification requires knowledge of designing security policies, it is an appropriate certification for management level personnel in the security industry as well as those who are implementing security within organizations.

About 6 or 7 weeks before the class, Intense School sent me a package containing a number of books related to the CISSP exam and an information package that also contained my CISSP application kit for the exam itself. The books included Shon Harris' CISSP Certification All-In-One Guide and the CISSP Examination Textbooks, Volume 1: Theory and Volume 2: Practice from SRV Professional Publications. The cover letter accompanying the books and the application kit exhorted me to start reading and studying for the course and the exam as soon as possible: "This exam requires an understanding of a broad range of concepts. Your best assurance for passing the CISSP exam will be to spend as much time PRIOR to attending the boot camp struggling with the concepts that are most difficult to you." The letter recommended that I start with Ms. Harris' book and then work on the 1500+ practice questions in the SRV books. Also, Ms. Harris' email address was included in the letter so that I could email her with any questions or concerns prior to the class.

Intense School followed up with a number of emails and phone calls to ensure I had received all my materials, to provide me with access to a Boson CISSP practice exam, to confirm my hotel reservation, and to confirm I had filled out my CISSP exam application and had sent it off in time for processing. Another more subtle purpose of this communication was to remind me that I needed to be preparing in advance of the class. The message was clear: long-term retention of the CBK is preferable to short-term retention. You should not try to cram all the material during the boot camp; instead, you should use the boot camp as a means to finish and complete your preparation.

I was very impressed by Intense School's attention to me and with the material that I got prior to the class. Shon Harris' book gets consistently high ratings on Amazon.com, and I found the ratings to be well deserved. The SRV books were also good, but they were also more challenging. The SRV books provided more detail than the All-In-One Guide, but they presented the information in a prose style that can be characterized as dry and academic. The All-In-One Guide provided simpler and easier to read explanations and provided more in the way of supporting examples. However, the practice questions contained in the SRV books were the best by far. What made these questions so valuable were the detailed explanations of the answers accompanying the questions. The materials were very complementary.

The Boot Camp

After many hours of pounding the CISSP material on my own, the first day of the boot camp finally arrived. Some students were expecting that Shon Harris would be our instructor, although the course schedule clearly indicated that the instructor was Eric Oullet. Eric quickly turned around any potential disappointment that might have resulted among those who were expecting Ms. Harris to be the instructor with his good delivery and obvious, seasoned expertise with the 10 domains of the CBK. Eric's experience included work for NATO in Brussels as well as a number of other high-level security consulting engagements for various government and private organizations. He was very familiar with many of the more exotic and expensive devices that are typically found in the most secure computing environments. His experience and the examples he could bring to the materials provided a great deal of clarity to the material.

Intense School provided a custom course that comprised one large binder of material directly related to the CBK and another binder of ancillary material that included, among other things, the CISSP Cramsession by Michael Overly. The custom course was developed by Shon Harris specifically for the CISSP boot camp. Like her book, the course presented the 10 domains of the CISSP in a clear and concise manner. A lot of thought had obviously gone into the development of the materials. For example, the course did not address the 10 domains of the CBK in the order you would find them in most materials. Rather, the course alternated the "heavier" domains with the "lighter" domains. During the mornings, when we were the most alert and awake, we reviewed material from the heavier domains, such as Cryptography; in the afternoons, we reviewed the material from the lighter domains.

Because this course is relatively new, it is still undergoing a process of improvement and revision. The instructor and other Intense School staff were constantly asking for feedback on the course. Certainly, I saw some minor issues with the course that I felt could be improved on. There was some unnecessary duplication of content that could have been eliminated through a different organization of the material. On occasion, implied information could have been made more explicit. For example, a table showing what security elements mapped to the appropriate layers of the OSI model would have been helpful, such as the fact that the Application layer can provide Confidentiality, Integrity, Authentication, and Non-Repudiation services and that the Session Layer provides none of these. But, as I said, these issues were minor and were easily overcome by both the great instruction and the knowledge of the students.

One thing that really helped was the peer support that comes with sharing a common goal with highly qualified students. I didn't meet a single student who didn't belong at the boot camp; all were highly qualified and experienced professionals. Intense School has well-trained sales people who make it very clear that the onus is on the students to ensure that they are qualified to meet the requirements for the CISSP exam. Additionally, because of the application process to take the exam itself, (ISC)2 also ensures that candidates possess the necessary skills and experience to qualify for the exam. With proper screening in place, such as that implemented by Intense School, a boot camp can provide you with a benefit that most don't initially consider: an environment conducive to learning from highly qualified peers.

The days were grueling. The course started on Sunday morning and continued to Thursday evening, with Friday set aside to study for the exam on Saturday morning. Typically, we would start at 8:30 in the morning, have a short break around 10:30 and break for lunch around 12:30. The class would officially end around 6:30 or 7:00 pm. On a couple of occasions, classes resumed after dinner to cover some of the more difficult material, such as Cryptography. This is where having an experienced instructor really added value. Eric Oullet was able to present material relevant to the CBK from custom courses he had developed in the past. These sessions helped many in the class to understand the material more clearly and to reinforce that knowledge. Of course, the day didn't really end until you went to sleep. After class, we would retire to our rooms to study the CISSP material. In my case, I used the evenings to review the material we had taken that day and, if possible, try to get some reading done in anticipation of the upcoming day.

By about Wednesday morning, many in the class were starting to look pretty tired. I had been putting in some late nights and early mornings myself and was feeling more than a little dragged out. With the exam looming on Saturday, I was glad I had spent time prior to the boot camp preparing and was able to cut back on my late night studying in favor of sleep. Being well rested before a tough exam will give you a better chance of success than being sleep deprived as a result of cramming.

The Exam

The CISSP exam is a 6 hour, 250 multiple-choice question marathon. You can take this exam only at specific locations and times that are scheduled by (ISC)2. (One of the advantages of taking the CISSP boot camp is that you can take the exam at the hotel and do not have to incur additional expense for travel and accommodation for the exam itself, as you might have had to otherwise.) I have not seen such a formally proctored exam since my university days. To register for the exam, we had to show the letters we had earlier received from (ISC)2 along with picture ID. We were given sealed exam booklets and a separate scoring sheet on which we were to record our answers and which would later be scanned by computer for the results. The proctor spent a good deal of time emphasizing the rules for the exam (how to request bathroom breaks, etc.) and the agreement we had to sign in order to take the exam. No one could say that we were not fully informed as to the nature of this agreement and the consequences for violating it. We weren't allowed to have any food or drinks at our desks, with the exception of bottled water (the cap had to be screwed on if we weren't drinking from it). We could, however, go to the back of the room and drink coffee and munch on snacks we had brought with us. I found the degree of security around the exam itself to be a refreshing change from other certification exams I have taken.

At 9:00, we were told we could break the seal on the exam booklets and begin. After a nerve-wracking few minutes, I got into a groove and started focusing on the exam. Because we had plenty of time to take the exam, I answered all 250 questions by circling my responses in the booklet itself. For those questions I was unsure of, I circled more than one response. Once I had finished going through all the questions, I was able to review the questions I had found problematic. In only one or two cases did the exam provide me with information to correctly answer questions. In other words, the exam did very little "teaching", which is remarkable given the number of questions and is an indicator of a well-designed exam. When I felt I could do no more and had been as careful as I could in reading the questions and answers, I filled in my computer-scannable score sheet and left the room. I was finished in approximately 3 hours, but I could have finished sooner if I had first transcribed my answers to the score sheet rather than recording them in the booklet.

How did I do? My previous experience, studying, and the boot camp were good preparation for the exam. While it was a challenging and fair exam, it was not the hardest exam I have ever taken and passed (I can think of some Microsoft exams that were more difficult). I felt confident about the answers to the majority of the questions on the exam. Based on my experience with some of the practice questions I used to study for the exam, I know that approximately one third to a half of the errors I made were the result of misreading the questions and just general carelessness. So, I took the time to carefully read and re-read the questions in the actual exam to minimize errors resulting from carelessness and misreading. Still, misreading is the kind of error that always creeps in (often because questions are poorly expressed), is hard to detect (because you usually keep reading the same question with the same misinterpretation), and often ends up harming even the best prepared candidates. In fact, that is the kind of error that worries me the most in any exam, but especially this one. In the end, my close attention to the exam, my hard work before the boot camp and my attendance at it paid off: I received my CISSP certificate from (ISC)2 about 10 days after I had taken the exam.

Is the CISSP Boot Camp for you?

You could, like many people have in the past, take the self-study route to passing the exam. There are lots of free and/or affordable resources to assist you in your preparation. In many cities, you can find CISSP study groups to help you find the motivation and peer support for taking the exam. However, while you will still have to do some significant self-study to pass the exam, a well-run CISSP class can go a long way to making sure you complete your goal of achieving the CISSP Certification. Although I have been thinking of achieving this certification for a couple of years now, I don't think I would have come as close to getting it as I have now without the opportunity that the boot camp afforded me.

But, before you even begin to consider taking the CISSP exam, you must first do an honest self-assessment of your security-related experience and your willingness to do some hard studying in advance of and during the class. (Remember: you need to have a minimum of 3 years of direct security-related experience to qualify for the CISSP exam. This experience can be acquired over a longer period of time than 3 years as long as the tasks and skills you have used in your employment history directly map to one or more of the 10 domains of the CBK.) You should be willing to make a long-term commitment to preparing for the exam before the boot camp. The CISSP exam does not lend itself well to last-minute cramming; long-term retention of information resulting from practical experience and studying over a prolonged period of time is central to your success on the exam. I cannot emphasize the point enough: to be successful, you must have adequate security related experience and do a lot of studying before you attend the boot camp.

Overall Impressions

I was very happy with the instruction and support I received at the CISSP boot camp. My only serious complaint had nothing to do with Intense School. The food provided by the hotel was mediocre: it wasn't bad, but it wasn't great either. After a few days, I was longing for fresh vegetables that had not been slathered in butter. Eating in hotel restaurants is always problematic, but the buffet at the restaurant seemed a little worse than most for those trying to maintain a healthy low fat diet. Intense School provided some good snacks and drinks in the classroom, along with popular cold remedy and headache medication. However, fresh fruit and raw vegetables (carrots, celery sticks, etc.) would have been a welcome addition to the snacks Intense School provided.

Intense School's CISSP course belied the commonly held prejudice against boot camps. Right from the moment a student expressed an interest in the boot camp, Intense School made it clear that the onus is entirely on the student to ensure he or she is both qualified for the exam and prepared to attend the class. Because (ISC)2 is responsible for pre-qualifying the candidate for the exam, some of the onus also belongs to (ISC)2. In fact, I am hesitant to call it a "boot camp" at all, because of the high level of student it attracts and the fact that it had none of the negative aspects that have become associated with boot camps. The CISSP "boot camp" is really an intensive, highly-focused course on the 10 domains of the CBK and is designed for people who have significant industry experience and have done some advance preparation. There was no "teaching to the exam", although students did express an overall concern about the style of question that might appear on the exam and the level of detailed knowledge that might be required to answer exam questions (the oft repeated answer: "a mile wide and an inch deep"). We did spend some time going over practice questions, but these were used to reinforce understanding of concepts and to provide diagnostic information, not to hammer into short-term memory conditioned responses devoid of understanding.

Certainly, if you did not already possess significant knowledge in one or more of the 10 domains, you would have an extremely difficult time passing the exam. However, some areas are more important than others. I shudder to think what the experience would have been like for someone who, for example, knew little about TCP/IP. Granted, it might have been possible for someone to be weak in networking and still pass the exam, as long as he or she had significant strength in other areas, such as application development, cryptography, or security operations management.

The CISSP certificate is not for "career changers" in the common usage of that phrase. It is not for someone new to information systems or for someone new to security for that matter. However, the certificate can help to provide a transition from a more general information systems career to a career that has security as its focus. While it is an ideal certificate for currently practicing security professionals who desire some form of recognition for their skills and knowledge, it is also an ideal certificate for those who wish to move their careers as information systems professionals in the direction of security. Given the times, acquiring a CISSP certificate may be a wise move for many who are looking for additional challenges and more job security.

Martin Grasdal, MCSE+I, MCSE (W2K), MCT, A+, CTT+, CISSP