Exploring the Certified Information Systems Security Professional (CISSP) certification, I tried out a free version of the test to see how I’d do. With zero prep, blitzing it in just one hour, I scored 60%, just short of the 70% pass mark needed.

Some of it was quite fun, as I’ve never really done much on physical security before:

Woof-woof motherfucker

With just 10% in it, I noted my mistakes, but also a number of very questionable answers, which I’ve featured below.

The first to catch my attention was the classic IDS/IPS confusion and conflation:

To be fair, I could have got this one if I’d spent a few more minutes on it and realised that they were making that common mistake. Next up:

I stand strongly by my response here to prioritise comms over resolution. Standard incident management dictates this. Now, I’ll admit there are a few circumstances where performing the comms could tip off an intruder, but I would argue this is very much the exception rather than the rule.

Now, ‘Mail blocking service’ isn’t exactly an industry-standard term for an ESP, but I have no idea why it’s excluded.

Now, I’ve taken ‘usernames’ to encompass service account names too here, yet in my experience descriptive names are essential! Anyone who’s ever come across ‘main web service’ or ‘scheduler-123135243534’ in their AD will feel the pain here. If anyone has ever managed to run a non-descriptive username schema in their environment, please get in touch!

“I’m sorry sir, we had the CISSP approved 8-foot high fence in place, they couldn’t have possibly performed a physical breach”

This one is maybe more my own political preferences showing, but it’s well known that copyright protection varies in strength around the world; you can see the US’s view in its Special 301 report. Frankly, if you have secret tech sauce, keep it as a trade secret, IMO.

Airlines affected by 9/11? Obviously not. But seriously, when I worked at the travel org, not only did I read their terrorism BCP, I was running off a laptop I had to take home every day in case the office got blown up.

I would have allowed this one if the wording had been ‘what factor SHOULD determine the frequency of information security audits’ rather than what DOES for most orgs. Seriously.

I, for one, have never ingested a notifications mailbox, polled a status RSS feed or monitored a web service. These practices must therefore be impossible.
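For the avoidance of doubt, polling a vendor’s advisory RSS feed is about as routine as it gets. Here is an added example (mine, not part of the original post or any vendor’s tooling) that does exactly that with nothing but the Python standard library. The feed XML, the vendor name, the `EXA-2024-*` identifiers and the severity wording are all constructed for the example; in real use you would swap `SAMPLE_FEED` for the bytes returned by `urllib.request.urlopen()` and persist `seen_guids` between runs.

```python
"""Poll a vendor security-advisory RSS feed and surface new, relevant items.

Added illustration, not code from the original post. The feed below, the
vendor name and the advisory IDs are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed stand-in for the body a real fetch would return.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example Vendor Security Advisories</title>
    <item>
      <title>EXA-2024-003: Privilege escalation in agent service</title>
      <link>https://vendor.example/advisories/EXA-2024-003</link>
      <guid>EXA-2024-003</guid>
      <description>Severity: High. Fixed in 4.2.1.</description>
    </item>
    <item>
      <title>EXA-2024-002: Verbose logging in admin console</title>
      <link>https://vendor.example/advisories/EXA-2024-002</link>
      <guid>EXA-2024-002</guid>
      <description>Severity: Low. Fixed in 4.2.0.</description>
    </item>
    <item>
      <title>EXA-2024-001: Remote code execution in update channel</title>
      <link>https://vendor.example/advisories/EXA-2024-001</link>
      <guid>EXA-2024-001</guid>
      <description>Severity: Critical. Fixed in 4.1.9.</description>
    </item>
  </channel>
</rss>
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# An advisory whose severity we cannot parse is ranked above everything so
# the filter fails open: better to triage a false alarm than miss a critical.
UNKNOWN_RANK = max(SEVERITY_RANK.values()) + 1


@dataclass(frozen=True)
class Advisory:
    guid: str
    title: str
    link: str
    severity: str  # normalised lower-case key of SEVERITY_RANK, or "unknown"


def _severity_from(text):
    """Pull 'Severity: X' out of free text; 'unknown' if absent or unrecognised."""
    match = re.search(r"severity:\s*([a-z]+)", text or "", re.IGNORECASE)
    sev = match.group(1).lower() if match else "unknown"
    return sev if sev in SEVERITY_RANK else "unknown"


def parse_feed(xml_text):
    """Return every <item> in an RSS 2.0 document as an Advisory, in feed order."""
    root = ET.fromstring(xml_text)
    advisories = []
    for item in root.iter("item"):
        # guid is the stable identity; fall back to link if a feed omits it.
        guid = (item.findtext("guid") or item.findtext("link") or "").strip()
        if not guid:
            continue  # nothing to de-duplicate on, skip rather than re-alert forever
        advisories.append(Advisory(
            guid=guid,
            title=(item.findtext("title") or "").strip(),
            link=(item.findtext("link") or "").strip(),
            severity=_severity_from(item.findtext("description")),
        ))
    return advisories


def new_advisories(xml_text, seen_guids, min_severity="medium"):
    """Advisories not yet seen whose severity meets the floor (unknown always passes)."""
    floor = SEVERITY_RANK[min_severity.lower()]
    fresh = []
    for adv in parse_feed(xml_text):
        if adv.guid in seen_guids:
            continue
        if SEVERITY_RANK.get(adv.severity, UNKNOWN_RANK) >= floor:
            fresh.append(adv)
    return fresh


if __name__ == "__main__":
    seen = {"EXA-2024-001"}  # would normally be loaded from last run's state file
    for adv in new_advisories(SAMPLE_FEED, seen):
        print(f"[{adv.severity}] {adv.guid}: {adv.title} -> {adv.link}")
```

Two practitioner notes. First, a feed you do not control is untrusted XML: the stdlib parser is fine for this demo, but for production polling use `defusedxml` (a real third-party package) in place of `xml.etree` so a malicious or compromised feed cannot hand you an entity-expansion bomb. Second, keying de-duplication on `guid` rather than on title matters, because vendors routinely edit titles after publication.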

‘But sir, the building is still on fire and there are people still in there!’ ‘They’re only contractors, prioritise the servers’

I assume CISSPs don’t do DevOps or thin clients.

So I’m being a little facetious on this one, but seriously, we assume a complete patching strategy (as if!) is superior to air gapping? I guess we should reconnect those industrial control systems to the internet and start patching them, then!

The literature is mixed on whether firewalls can block viruses, and of course they’re not a complete solution. But integrated signature-based IPS and network/DNS threat-feed blocking are certainly firewall functions. And which internal firewall rules block internal attacks? Maybe sometimes, in a multi-site enterprise, but you don’t rely on your firewall for that!

Where is your CISSP certification now???

Apparently locks > lights. Yet later they talk about how lights are a cheap security measure. And this is why CISSPs sit in the dark.

Oh, come on, anyone who’s tried to address this knows that policies are much, much easier to apply when you have owners. But no, apparently declassifying is really hard. I blame the NSA’s influence on the CISSP here.

You heard it here first, CISSP advocates boiling intruders in server rooms.

So, if I were to give myself these 17 extra points I would still fail, but not bad for zero prep and double time!