Obtaining the Certified Information Systems Security Professional (CISSP) Credential

Researching the CISSP

In February 2019, I decided to start my journey toward obtaining the CISSP (Certified Information Systems Security Professional) credential. The CISSP is a certification covering a wide range of information security topics. It is consistently included in annual top ten lists of the best IT certifications.

At that point in my career, I had 18 years of professional experience across various aspects of IT and, during the last two years of that time, I had become more directly involved in information security. After spending time reading about the exam format, the domains covered by the exam, horror stories about its difficulty, and some healthy procrastinating, I began studying at the beginning of May 2019.

As part of my initial research, I read seemingly endless posts in which people claimed to study 8+ hours per day for months to prepare for the exam. I also found a number of posters who claimed to sit for the exam with minimal (or zero) study. How much time should you spend studying? It depends! The amount of preparation needed to pass the exam depends entirely on you — your educational background, your professional work experience, and your ability to absorb the study materials. The domains covered by the exam are broad and many people describe the exam as a mile wide and an inch deep. I assumed that I wouldn’t need much preparation given my background and experience. I was wrong.

Studying for the CISSP Exam

Between family and work commitments, I limited my study time to a few hours of reading during the early hours on weekends. I set a goal to read a chapter per week from (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. WARNING — this book is dense, dry, and repetitive. I found it to be a difficult read and I used 3 months (May through July) to finish it.

While the study guide has 20 practice questions at the end of each chapter, I didn’t attempt them until I finished reading the entire book. Thinking back, I probably should have attempted them immediately after finishing a chapter or a week later at most. The questions uncovered that I didn’t retain a lot of detail from each of the chapters over that 3 month period. I was scoring in the neighborhood of 60% in each chapter. It was an alarming realization because I thought I was retaining much more.

I knew I needed to do something more than reread the study guide so I supplemented my studies with free audio resources from Kelly Handerhan available on Cybrary. This allowed me to take advantage of my commute and add about 2 hours per day of study time in addition to any weekend reading. From August through mid-October, I probably listened to Kelly’s course 3 times completely and some individual lessons many more times.

PARENTING HACK — The audio course served a dual purpose as it is apparently boring to children (and most adults) and can put kids to sleep if played in the car for everyone to hear.

From September until a few days prior to the test, I used the Boson test simulator almost daily for practice questions. This software helped me identify weak points and also exposed me to material beyond the study guide. The software provides very detailed explanations of the answers and why one answer was more correct than the other choices. The software allows you to configure custom exams to focus on troublesome domains or on questions that are consistently answered incorrectly. The software is worth the additional cost and you can occasionally find discount codes on the CISSP Reddit group.

Up to this point, I had not scheduled the exam. I didn’t want to lock myself into a date but by mid-September I felt ready. I had been preparing for over 4 months and I didn’t want to prolong it. I scheduled the exam for mid-October. Also during this period, I significantly increased my time spent reading. I revisited the Official Study Guide and started the Eleventh Hour CISSP: Study Guide. I also branched out to YouTube videos to help me better understand concepts where I had lower practice scores. I know I went too deep into the technical aspects of networking, but at least the videos were interesting and I learned (or refreshed my memory) on many topics I had not touched in a while.

Exam Day

I was very nervous on exam day. I felt like I wasn’t ready but I had to go for it. I was tired of studying, taking practice questions, and generally worrying about the exam. All I will say about the exam itself is that it is challenging. When the first question popped up I had a moment of panic, but I took my time and tried to calm my nerves. In the end, I finished the exam in roughly 90 minutes at question 100.

After the Exam

Once I passed the exam, I received an e-mail with instructions to complete the application for the CISSP credential. I completed the application and requested an endorsement from another active CISSP. This took about 5 days for me to complete after passing the exam. From this point, it takes another 6 to 8 weeks for (ISC)2 to review and approve the application. I received an e-mail that my application was approved exactly 4 weeks post submission and membership fees were due. After paying the fees, I received a confirmation that I was officially a CISSP! The welcome package with printed certificate, membership card, and CISSP pin arrived about a month later.

Final Notes

To answer the question of how long it takes to prepare for the CISSP: for me it took 5 and a half months, from May through mid-October, with varying amounts of weekly study time.

Months 0-3:
• 5 hours per week reading

Month 4:
• 5 hours per week reading
• 10 hours per week listening to Cybrary audio
• 1 hour per week on practice questions

Months 5-5.5:
• 20 hours per week reading
• 10 hours per week listening to Cybrary audio
• 5 hours per week on practice questions

One other point to note is the cost to obtain the CISSP (all amounts here are in USD and as of 2019). It’s not inexpensive. The exam itself is $699 and the annual membership fees are $125. I also purchased two books totaling $55 and the Boson software for $85 (after discount). My total cost was $964. Keep in mind that the exam fee is required each time you take the exam. I was very hesitant to schedule the exam too early because I didn’t want to risk not passing and paying another $699.

Resources

(ISC)2 CISSP

CISSP – Certified Information System Security Professional Subreddit

CISSP 16-week Study Guide, Resources, and Links to Source Documents

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

Eleventh Hour CISSP: Study Guide (Syngress Eleventh Hour)

Cybrary – CISSP Training with Kelly Handerhan

Boson ExSim-Max for CISSP

Kelly Handerhan – Why you will pass the CISSP

Larry Greenblatt – Pass the 2018 CISSP with Kirk & Spock

Stacks on Stacks…of Floppy Disks

There is an episode of White Collar called Uncontrolled Variables where a company uses 8-inch floppy disks to store and secure sensitive information. The premise is that the 8-inch storage medium and file formats are so old and obsolete that no one would be able to access the contents of the disk. While it makes for an entertaining episode, I wouldn’t use this method to secure my information.

Meanwhile, back in real life, I found stacks of 3½-inch floppy disks sitting in a box untouched for 20 years. The labels had been crossed off and rewritten multiple times over the years. Do I really want what’s on a disk labeled “MS-DOS 6.0 Backup 7 of 16”? I couldn’t trust the labels and I was concerned that the contents may include information that remains sensitive over long periods of time such as personally identifiable information.

No big deal, right? I’ll pop the disks into my computer’s disk drive and start reviewing. Oh — I didn’t put a floppy drive in my machine when I built it. I’ll try the laptop. No floppy drive there either. Hmm… Maybe I’ll use the disks to play dominoes. (If you’re wondering, I tried and I couldn’t get them to stand upright on their own.) Luckily, 3½-inch floppy disk readers are still readily available online and at a reasonable cost. I ordered one of these drives and, when it arrived, I went to work attempting to read the disks.

3½-inch Floppy Disks

While the initial problem was solved, a new problem emerged. I realized immediately that most files on the disks were 20 to 25 years old (obviously since the disks hadn’t been touched in that long). The second observation was that a surprisingly large number of files could be stored on a single disk with a mere 1.44 megabyte capacity. Through another stroke of luck, most of the files were in a version of the WordPerfect file format readable in Microsoft Word. With other files, I had to look at the binary and do a little research to identify the format. In many cases, these files were also saved without file extensions or the extensions were nonsense. In the end, I was able to find utilities online to read and convert to more current formats. I was also amazed that most of the disks were still readable. Only a few disks had issues where I couldn’t access all of the files.
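The identification step above (looking at the first bytes of a file when its name or extension cannot be trusted) can be automated. The Python below is an added example written for this page, not code from the original post: it classifies a file by its leading bytes using the widely documented signatures for a handful of formats, falls back to a printable-text heuristic, and flags files whose extension disagrees with their content. The sample "files" at the bottom are constructed inline; no disk is read.

```python
"""Identify a file's format from its leading bytes instead of its name or
extension. Added example, not from the original post; the signatures are the
widely documented 'magic numbers' for each format, and the sample files at
the bottom are constructed in-line (no real disk images are read)."""
from typing import Dict, List, Optional, Tuple

# (leading bytes, format name, extensions that normally carry this format)
SIGNATURES: List[Tuple[bytes, str, Tuple[str, ...]]] = [
    # WordPerfect 5.x and later start with 0xFF 'W' 'P' 'C'; 4.2 files have no header
    (b"\xffWPC", "WordPerfect document", ("wpd", "wp", "wp5", "wp6")),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (Word/Excel 97-2003)", ("doc", "xls", "ppt")),
    (b"PK\x03\x04", "ZIP archive", ("zip", "docx", "xlsx")),
    (b"%PDF-", "PDF document", ("pdf",)),
    (b"{\\rtf", "Rich Text Format", ("rtf",)),
    (b"GIF8", "GIF image", ("gif",)),
]

# Printable ASCII plus tab, LF and CR: what a plain-text file is made of.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def sniff_format(data: bytes) -> Optional[Tuple[str, Tuple[str, ...]]]:
    """Return (format name, usual extensions) for the first matching signature."""
    for magic, name, exts in SIGNATURES:
        if data.startswith(magic):
            return name, exts
    return None


def looks_like_text(data: bytes, sample: int = 512, threshold: float = 0.95) -> bool:
    """Heuristic for plain text: no NUL bytes and nearly all bytes printable ASCII."""
    head = data[:sample]
    if not head or b"\x00" in head:
        return False
    printable = sum(1 for b in head if b in TEXT_BYTES)
    return printable / len(head) >= threshold


def describe(name: str, data: bytes) -> Dict[str, object]:
    """Classify one file and flag an extension that disagrees with the content."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    hit = sniff_format(data)
    if hit:
        fmt, exts = hit
        mismatch = bool(ext) and ext not in exts
    elif looks_like_text(data):
        fmt, mismatch = "Plain text", False
    else:
        fmt, mismatch = "Unknown", False
    return {"name": name, "extension": ext, "format": fmt, "mismatch": mismatch}


def inventory(files: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Classify every (name, bytes) pair, e.g. everything copied off one disk."""
    return [describe(n, d) for n, d in files.items()]


# Constructed sample 'files' standing in for what a recovered disk might hold.
SAMPLE_FILES: Dict[str, bytes] = {
    "LETTER": b"\xffWPC\x10\x00\x00\x00\x01\x0a" + b"\x00" * 32,       # no extension at all
    "BUDGET.TXT": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56,  # misleading extension
    "README": b"Backup set 7 of 16\r\nCreated 1996-03-02\r\n",
    "DATA.BAK": bytes(range(0, 64)),
}

if __name__ == "__main__":
    for row in inventory(SAMPLE_FILES):
        flag = "  <-- extension does not match content" if row["mismatch"] else ""
        print(f"{row['name']:<12} {row['format']}{flag}")
```

Run it as-is to see the constructed samples classified; to use it on real files, build the dictionary from a directory listing instead of SAMPLE_FILES. Anything reported as Unknown is the case that needed manual research on the disks described above.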

Given this experience, I certainly wouldn’t use 3½-inch disks as the information security solution proposed in White Collar. They are still too easily accessed to present much of an obstacle. Maybe 8-inch disks are better, but I’ll stick with physically secured offline encrypted drives.

Using Self-Signed S/MIME Certificates in iOS Mail App

In an earlier post detailing the steps to create self-signed S/MIME certificates using OpenSSL, I left off at the point where the certificate is created and packaged in the PKCS12 format. In order for the certificate to be of any use, you’ll need to install it in an e-mail client. This post details the steps for installing digital certificates on an iOS device and enabling S/MIME in the iOS Mail app.

Step 1 – Load the .p12 File on the iOS Device

Upload a copy of the .p12 file to your iCloud Drive or e-mail a copy of the file to an e-mail address accessible on your iOS device. E-mail isn’t the most secure way of loading it on the device, but it is suggested only for simplicity in this guide. Once the .p12 file is accessible on the device, tap the file to begin the installation process.

iCloud Drive – p12 File

If prompted to “Choose a Device”, select the appropriate device to install the profile and confirm.

Choose Device

Step 2 – Install the Profile

Open the Settings app and tap Profile Downloaded.

Settings – Profile Downloaded

The device will prompt to install the profile. Tap Install in the upper right corner.

Install Profile

If the device is password protected, a prompt to enter the device passcode is displayed.

Enter Passcode

Since the digital certificate is self-signed and not signed by a well-known trusted certificate authority, a warning message that the profile is not signed is displayed. Continue by tapping Install in the upper right corner.

Warning – Profile Not Signed

Another prompt to install the profile is displayed. Tap the Install button at the bottom of the screen.

Warning – Profile Not Signed (Install)

A prompt is displayed to enter the PKCS12 export/import password created when the .p12 file was assembled. Enter the password and tap Next in the upper right corner of the screen.

Certificate Password

The profile and certificate are now installed. The configuration profile appears in Settings, General, VPN & Device Management. Tap Done and exit the Settings app.

Profile Installed

Step 3 – Enabling S/MIME in iOS Mail

Now that you have the digital certificate loaded and a profile created, you may begin using it in the iOS or iPadOS Mail app. For these steps, I am using an e-mail address associated with iCloud. These steps may vary slightly (in steps 4 and 5) if you are using a different account type such as Gmail.

  1. Open the Settings app
  2. Tap Mail
  3. Tap Accounts
  4. Tap on an existing account name in the Accounts section (for this example I am using an iCloud e-mail address)
  5. Tap iCloud
  6. Tap iCloud Mail
  7. Tap Advanced
  8. In the S/MIME section, tap Sign
  9. Enable Sign
  10. Ensure the appropriate certificate is selected
  11. Return to the Advanced screen
  12. In the S/MIME section, tap Encrypt by Default
  13. Enable Encrypt by Default
  14. Ensure the appropriate certificate is selected.
  15. Return to the Advanced screen
  16. Confirm changes and exit the Settings app

S/MIME is now enabled and ready to use your personal digital certificate the next time e-mail is sent from this account.

Step 4 – Sending Encrypted E-Mail

Recall that S/MIME uses public-key encryption, so you won’t be able to send an encrypted e-mail to another address until you have the recipient’s public key. If you receive a digitally signed e-mail from a sender who used a self-signed certificate, the Mail app will flag the certificate as not trusted or invalid. You can test this by using two different e-mail addresses where each address has its own self-signed certificate.

  1. Send a digitally signed (not encrypted) e-mail to another e-mail address where the certificate profile has not been installed on the device.
  2. When the e-mail is received, the sender’s e-mail address will be red with a red circle containing a question mark inside next to the address.
iOS Mail – Untrusted Signature Indicator
  3. Tap the question mark or the address (twice) to view the sender’s details. iOS indicates that the sender’s digital signature is an untrusted signature and that it is unable to verify the authenticity of the S/MIME certificate provided by the sender.
iOS Mail – Untrusted Signature Message
  4. Tap View Certificate. Details of the certificate are displayed.
  5. Tap Install.
iOS Mail – Trusted Certificate
  6. Tap Done to exit the certificate details screen.
  7. Tap Done to exit the contact details screen.
  8. iOS now recognizes the public key and allows encrypted e-mail communications. Reply to the signed e-mail and the contact is now in blue font with a blue lock icon next to the name/address.
iOS Mail – Encrypted Message Indicator

Common Issues

If, after installing the profile, you receive a message stating no valid certificates found when attempting to enable S/MIME, then the extension “extendedKeyUsage = emailProtection” was most likely missing when the certificate was signed.
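You can confirm that a certificate carries the emailProtection extended key usage before loading it onto the device. The Python below is an added example written for this page, not code from the original post or from any library: it walks the certificate's DER encoding with the standard library only, locates the extKeyUsage extension (OID 2.5.29.37) and reports whether id-kp-emailProtection (OID 1.3.6.1.5.5.7.3.4) is listed. The file name smime.pem and the sample extension built at the bottom are assumptions for demonstration; the sample is not a real certificate.

```python
"""Check a certificate for the extendedKeyUsage value iOS Mail needs for
S/MIME (id-kp-emailProtection). Added example, not from the original post.
It parses DER with the standard library only, so it runs without OpenSSL or
the `cryptography` package; the sample at the bottom is constructed inline."""
import base64
import sys
from typing import List, Tuple

OID_EXT_KEY_USAGE = "2.5.29.37"             # id-ce-extKeyUsage
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth (negative sample only)


def der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV starting at pos; return (tag, contents, end position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def der_children(contents: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed element's contents into (tag, contents) children."""
    kids, pos = [], 0
    while pos < len(contents):
        tag, value, pos = der_read(contents, pos)
        kids.append((tag, value))
    return kids


def decode_oid(raw: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents to dotted form (55 1d 25 -> 2.5.29.37)."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def extended_key_usage(der: bytes) -> List[str]:
    """OIDs listed in the extKeyUsage extension of a DER certificate, [] if absent."""
    found: List[str] = []

    def walk(tag: int, contents: bytes) -> None:
        if not tag & 0x20:                  # primitive element: nothing to descend into
            return
        kids = der_children(contents)
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if tag == 0x30 and kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == OID_EXT_KEY_USAGE:
            ext_tag, ext_value = kids[-1]
            if ext_tag == 0x04:             # extnValue wraps ExtKeyUsageSyntax ::= SEQUENCE OF OID
                seq_tag, seq = der_children(ext_value)[0]
                if seq_tag == 0x30:
                    found.extend(decode_oid(v) for t, v in der_children(seq) if t == 0x06)
            return
        for kid in kids:
            walk(*kid)

    walk(*der_read(der, 0)[:2])
    return found


def has_email_protection(der: bytes) -> bool:
    return OID_EMAIL_PROTECTION in extended_key_usage(der)


def load_certificate(path: str) -> bytes:
    """Read a PEM or DER certificate file and return its DER bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(line for line in data.splitlines() if not line.startswith(b"-----"))
        return base64.b64decode(body)
    return data


# --- constructed sample data (not a real certificate) -------------------------
def der_tlv(tag: int, contents: bytes) -> bytes:
    n = len(contents)
    if n < 128:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return der_tlv(0x06, bytes(body))


def sample_cert_with_eku(*oids: str) -> bytes:
    """Nest an extKeyUsage Extension inside [3] EXPLICIT Extensions the way a
    certificate does, so the walker has to descend to find it."""
    eku = der_tlv(0x30, b"".join(encode_oid(o) for o in oids))
    ext = der_tlv(0x30, encode_oid(OID_EXT_KEY_USAGE) + der_tlv(0x04, eku))
    return der_tlv(0x30, der_tlv(0x30, der_tlv(0xA3, der_tlv(0x30, ext))))


if __name__ == "__main__":
    # With a path argument the real certificate is checked; otherwise the sample.
    der = load_certificate(sys.argv[1]) if len(sys.argv) > 1 else sample_cert_with_eku(OID_EMAIL_PROTECTION)
    print("extendedKeyUsage:", extended_key_usage(der) or "(absent)")
    print("emailProtection present:", has_email_protection(der))
```

To check the certificate inside the .p12 from the earlier post, first extract it to PEM with `openssl pkcs12 -in smime.p12 -clcerts -nokeys -out smime.pem` (file names assumed), then run the script with smime.pem as its argument. If emailProtection is reported absent, re-issue the certificate with the extension the Common Issues note names rather than reinstalling the profile.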

Further Reading