Thursday, October 21, 2021

Resources that helped me pass the CISSP exam

Summary: List of helpful resources for the CISSP exam.

After four months of intense study (and about a year since I started) I passed the CISSP exam. Here is the list of resources I found useful (and some that weren't).

BOOTCAMPS

Feedback from my colleagues who went to bootcamps varies but the general consensus is that with some exceptions they are not really worth the cost. There is only a handful of trainers who are exceptional and you can find them online for cheaper than $2K+. Yes, most bootcamps can give you a voucher to repeat an exam if you do not pass, but it's still cheaper to pay for two exams than for one bootcamp.

The digital versions of the bootcamps I used and found helpful include:

  • Thor's CISSP Udemy course. I have a Udemy subscription through work, so I watched this course 3 times: first, in the very beginning of my studies (and did not really like it), then after the 2021 update, and finally on the week of the exam at 2x speed (now, after watching it three times, I can say, it's excellent).
  • I lost the link but there was an old audio version of Kelly Handerhan's Cybrary course posted on Reddit. I watched a couple of video episodes when they were free at Cybrary, but mostly listened to the audio while driving. Overall, I think I listened to the whole series 2-3 times (at x1.7 speed). Kelly is one of (if not) the best instructors out there. The audio version is a bit outdated, but the fundamentals are still there. Highly recommend. Also, make sure you watch Kelly's Why You Will Pass the CISSP [exam] video.
  • Destination Certification's Mind Map series. Excellent coverage. I would recommend also watching the supplemental videos, like the one that explains how Kerberos works and there are others.

BOOKS

I first planned to use O'Reilly Digital Subscription (through work), but the digital versions did not work for me, so I switched to paperbacks (for casual reading, I prefer digital).

PRACTICE TESTS

When practicing tests, the point is not to remember, but to try to understand why an answer is right or wrong. Yes you need to memorize a few things, but generally, memorization will not take you too far.

  • Boson Practice Exams. Must be used on a desktop (Windows, not sure if the environment works on a Mac). Very good overall. Explains why the correct answer is correct and why each wrong answer is wrong. I think it expires after 6 months once you start using it, so keep it in mind. I also tried a couple of practical labs (not the tests), but did not find them particularly useful. If you have no practical experience with the concepts (like hashing, etc.), they may offer some value, though.

I'm using Android, but assume the Apple store has the same apps:

  • (ISC)² Official CISSP Tests. Good app with some limitations. A few questions had wrong answers. There is no way to mark a question when you are taking a practice test. Once you are done with the practice test and exit the app, your results are gone.
  • CISSP Practice Tests. Use the free version. Found a few errors, but overall good.

I used a number of other free apps but as I'm checking now, they are either discontinued, or were not very good.

UTILITIES

  • Chegg Prep. Used it for building flashcards for the topics I needed to review. Terrible app, but it's the one I started to use and it was too late to switch. It can get you by.

VIDEOS

For every topic that I struggled with, I just searched the Internet for the best resource (in most cases, video) to cover it. There are too many to list, but I want to mention this one because it helped me a lot to learn about networking (one of my weak areas):

COMMUNITIES

Spent a lot of time here:

SEE ALSO

How I passed the CISSP exam

Best of luck to all learners. You can do it!

How I passed the CISSP exam

Summary: How I studied and passed the CISSP exam.

On April 17, 2021, I passed the CISSP exam. The exam seemed easier than I had expected it to be, but the road to it was long and hard. I studied intensively for almost a year and practically had no life for four months before the exam. After passing the exam, I shared some insights on the CISSP Exam Preparation - Study Notes and Theory group's Facebook page. This is a slightly redacted copy of that post in case something happens to Facebook. If you are planning to take the exam, check it out along with my other post summarizing the list of resources that I found helpful.

INTRO

I took the exam today [April 17, 2021] for the first time and was done after 100 questions. Having not taken any exams since my college days (20 years ago) and understanding that there are still many areas where I was not fluent, I was about 50% certain I would not pass (actually, considered rescheduling a few times), so it was short of a miracle. Many thanks to Luke [Ahmed] and this [Facebook] group for helping me get ready. It was invaluable. Best of luck to everyone who is going to try it again. Here are some thoughts that may help others.

THE EXAM

Frankly, it was not as hard as I had expected it to be after hearing horror stories. Maybe I got lucky and should just praise God. Or maybe after all the training I had done I was finally in the right mindset. Or maybe both. Anyway, as people say, the questions were indeed not like the questions in the prep tests, but not necessarily in a worse way. I have seen a lot more difficult questions when using Boson and prep apps. I think I had five or so questions that I did not get at all and just picked the answers by gut feeling. I was not sure about a dozen or so questions, but mostly I felt pretty good. Since they don't give you the answers, it's hard to say what I did right and what I did wrong, but for a few, the answers seemed more revealing than the questions. I was surprised that all abbreviations were spelled out (I thought only ambiguous abbreviations would be spelled out, so could've saved time not learning them and not freaking out about not being able to remember them all). Didn't have any questions that would require calculations or using the pen and paper. Yes, there were questions about some basic laws, regulations, and frameworks but they were all in the context of a described scenario. Did not have to do crypto much, but a few questions required understanding of the basic concepts and algorithm names (but nothing like "how many rounds and block sizes RC6 supports"). Overall, with a couple of exceptions, questions made sense.

THE DAY OF THE EXAM

Took a day off work. I scheduled the exam at 3:30 PM, but should've scheduled it earlier to get it over sooner. Watched Kelly Handerhan's "Why you WILL pass the CISSP" video to set me in the right mood.

THE WEEK OF THE EXAM

Took Monday and Tuesday off to re-watch Thor Pedersen's Udemy videos (for the third time) at 2x speed (we have the Udemy subscription at work). Reviewed my notes on Wednesday after work. Watched a couple of videos on Thursday and glanced over a few notes covering areas that I still did not get. Came to peace understanding that there were still some topics that I did not know very well.

FOUR MONTHS BEFORE THE EXAM

Practically, had no personal life. Spent most evenings and weekends studying. Read Luke Ahmed's "How to Think Like a Manager" book. Read the "11th Hour CISSP" book. Started following CISSP Exam Preparation - Study Notes and Theory group's Facebook page and a couple of other groups. Bought "Official Study Guide, 8th Edition" and "Official Practice Tests, 2nd Edition". Read a couple of chapters of the official study guide and realized that I couldn't hold all this info in my head, so only used it as reference. Have not used the practice tests book at all because I bought the Official Practice Tests app for Android and it was pretty much the same (UPDATE: Looks like there is a new and better free version available now: CISSP - (ISC)² Official App). Used a number of free test prep apps (pretty much everything I was able to find at the Google Play Store, some of them were quite useful). Practiced Boson tests (highly recommend). Also tried to do a couple of Boson labs and realized they were mostly a waste of time. I think I practiced something between 1,500 and 3,000 questions. I stopped using each practice app once I realized that the questions started to recycle. A side note about apps: none of them are perfect (some have wrong answers, some have other issues), but I would still recommend everything I used: Boson, official study test prep app, and other apps. By the end, I was getting about 75%-85% on tests on average, depending on the platform. When doing tests, I used Chegg Prep to keep notes of everything I struggled with. I mostly did tests in prep mode and tried to analyze the wrong answers. Did timed exercises, as well, just to get an idea.

ONE YEAR BEFORE THE EXAM

Gave up resisting my manager who insisted on me getting the CISSP certification. Watched Thor Pedersen's Udemy course (a couple of times). Started listening to Kelly Handerhan's old audio version of the CISSP prep course (pretty much listened to it at 1.5x speed all the time I was in a car driving alone; I think I listened to them 2-3 times). Bought the Boson prep app and then realized that it was only a practice app (no training materials other than labs) and it would expire 6 months after starting to use it, so I held off until I was more or less ready.

BACKGROUND

A software guy. 20+ years of IT (mostly, InfoSec) development experience. Didn't know much about infrastructure, networks, firewalls, etc. (before I started studying for the CISSP exam).

SEE ALSO

Resources that helped me pass the CISSP exam

Wednesday, September 8, 2021

How to read a secret from the command line

Summary: A sample of C# code illustrating how to read a masked secret value entered via a console.
The following function can be used to read a secret value, such as a password from a command line:
/// <summary>
/// Reads a secret from the command line, masking the characters entered by the user.
/// </summary>
/// <param name="prompt">
/// Prompt to be displayed for the user (e.g. "Enter password: "). If not specified, the prompt will not be displayed.
/// </param>
/// <param name="mask">
/// The masking character.
/// </param>
/// <returns>
/// The string entered by the user.
/// </returns>
private static string GetSecret
(
    string prompt = null,
    char mask = '*'
)
{
    // Input codes requiring special handling.
    const int ENTER         = 13;
    const int BACKSPACE     = 8;
    const int CTRLBACKSPACE = 127;
    const int ESC           = 27;

    // Character codes that must be ignored.
    int[] FILTERED = { 0, 9, 10 /*, 32 space, if you care */ };

    // Characters entered so far (last entered on top).
    var secret = new System.Collections.Generic.Stack<char>();
    char chr = (char)0;

    // If the prompt was specified, show it to the user.
    if (!System.String.IsNullOrEmpty(prompt))
        System.Console.Write(prompt);

    // Continue reading entered keys until the user presses ENTER.
    // ESC and Ctrl+Backspace clear everything typed so far; Backspace removes the last character.
    while ((chr = System.Console.ReadKey(true).KeyChar) != ENTER)
    {
        if (chr == BACKSPACE)
        {
            // Erase the last masked character from the screen and from the buffer.
            if (secret.Count > 0)
            {
                System.Console.Write("\b \b");
                secret.Pop();
            }
        }
        else if (chr == CTRLBACKSPACE || chr == ESC)
        {
            // Erase the whole entry.
            while (secret.Count > 0)
            {
                System.Console.Write("\b \b");
                secret.Pop();
            }
        }
        else if (System.Array.IndexOf(FILTERED, (int)chr) >= 0)
        {
            // Ignored control characters: nothing to do.
        }
        else
        {
            secret.Push(chr);
            System.Console.Write(mask);
        }
    }

    System.Console.WriteLine();

    // The stack yields characters in reverse order of entry, so reverse them back.
    char[] chars = secret.ToArray();
    System.Array.Reverse(chars);

    return new string(chars);
}
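Two things a practitioner will run into with the function above: Console.ReadKey throws an InvalidOperationException when standard input is redirected (a script piping the password in, a CI job), and the returned string is immutable, so the secret stays in managed memory until the garbage collector gets to it. The following variant, an added example and not code from the original post, handles both: it falls back to a plain line read when input is redirected and returns a char[] that the caller wipes with Array.Clear once it is no longer needed. The SecretInput class name and the Main caller are illustrative; it uses only standard System APIs.

```csharp
using System;
using System.Collections.Generic;

public static class SecretInput
{
    // Reads a secret with masking; returns a char[] the caller is expected to clear.
    public static char[] ReadSecret(string prompt = "Enter password: ", char mask = '*')
    {
        if (!string.IsNullOrEmpty(prompt))
            Console.Write(prompt);

        // Piped input (e.g. "echo pass | app.exe") has no keyboard to read key by key,
        // and Console.ReadKey would throw, so read one line instead.
        if (Console.IsInputRedirected)
        {
            string line = Console.ReadLine() ?? string.Empty;
            return line.ToCharArray();
        }

        var buffer = new List<char>();
        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(intercept: true);

            if (key.Key == ConsoleKey.Enter)
                break;

            if (key.Key == ConsoleKey.Backspace)
            {
                // Ctrl+Backspace clears the whole entry, plain Backspace the last character.
                int remove = (key.Modifiers & ConsoleModifiers.Control) != 0
                    ? buffer.Count
                    : Math.Min(1, buffer.Count);
                for (int i = 0; i < remove; i++)
                {
                    buffer.RemoveAt(buffer.Count - 1);
                    Console.Write("\b \b");
                }
                continue;
            }

            if (key.Key == ConsoleKey.Escape)
            {
                // Discard the entry entirely; the user can start over.
                for (int i = 0; i < buffer.Count; i++)
                    Console.Write("\b \b");
                buffer.Clear();
                continue;
            }

            // KeyChar is '\0' for keys without a printable character (arrows, F-keys, ...);
            // other control characters (tab, null, line feed) are ignored as well.
            if (key.KeyChar == '\0' || char.IsControl(key.KeyChar))
                continue;

            buffer.Add(key.KeyChar);
            Console.Write(mask);
        }

        Console.WriteLine();
        return buffer.ToArray();
    }

    // Example caller: use the secret, then overwrite it so it does not linger in memory.
    public static void Main()
    {
        char[] secret = ReadSecret();
        try
        {
            // ... derive a key, authenticate, etc. using the char[] directly ...
            Console.WriteLine($"Read {secret.Length} characters.");
        }
        finally
        {
            Array.Clear(secret, 0, secret.Length);
        }
    }
}
```

Wiping the array is best effort: if the secret is ever converted to a string (for example to pass it to an API that only takes strings), that copy cannot be cleared, so keep it as a char[] for as long as the consuming API allows.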

Friday, October 2, 2020

How to trim audio (MP3) files

Summary: PowerShell script to trim the beginning and end of audio (MP3, etc.) files.
The following PowerShell script will remove the specified number of seconds from the beginning and/or end of every audio file with the given extension (.mp3 in this case) under the specified folder and all subfolders underneath (requires the FFmpeg binaries):
# Input folder holding audio files.
$inputDir = "Z:\Lectures"

# Seconds to trim from beginning of file.
$trimStart = 0.0

# Seconds to trim from the end of file.
$trimEnd = 9.0

# Path to the directory holding FFMPEG tools.
$ffmpegDir = "c:\ffmpeg\bin"

# Extension of the audio files.
$ext = ".mp3"

# Extension for temporary files.
$tmpExt = ".TMP$ext"

# Paths to FFMPEG tools.
$ffmpeg  = Join-Path $ffmpegDir "ffmpeg.exe"
$ffprobe = Join-Path $ffmpegDir "ffprobe.exe"

# ffprobe/ffmpeg always use a dot as the decimal separator, regardless of the system locale.
$culture = [System.Globalization.CultureInfo]::InvariantCulture

# Process all audio files in the directory and subdirectories.
Get-ChildItem -LiteralPath $inputDir -Filter "*$ext" -Recurse -File | ForEach-Object {
    # Original file path.
    $oldFile = $_.FullName

    # Original file name.
    $oldName = $_.Name

    # Temp file path will be in the same folder named after the original file.
    $tmpFile = "$oldFile$tmpExt"

    # Get the length of the audio track (ffprobe prints a string holding a floating-point number, possibly followed by a new line).
    $duration = (& $ffprobe -v 0 -show_entries format=duration -of compact=p=0:nk=1 $oldFile) | Out-String

    # Convert the string to a number explicitly instead of relying on implicit string arithmetic.
    $duration = [double]::Parse($duration.Trim(), $culture)

    # Set new length of the audio by removing the trimmed parts.
    $duration -= ($trimEnd + $trimStart)

    if ($duration -le 0) {
        Write-Warning "Skipping '$oldFile': the file is shorter than the amount to trim."
        return
    }

    # Format the numbers for ffmpeg with a dot as the decimal separator.
    $ssArg = $trimStart.ToString($culture)
    $tArg  = $duration.ToString($culture)

    # Trim the file.
    & $ffmpeg -ss $ssArg -t $tArg -i $oldFile -acodec copy $tmpFile

    # Keep the original if ffmpeg failed, so that no audio is lost.
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $tmpFile)) {
        Write-Warning "ffmpeg failed on '$oldFile'; the original file was left untouched."
        return
    }

    # Delete the original file.
    Remove-Item -LiteralPath $oldFile -Force

    # Rename the temp file to the original.
    Rename-Item -LiteralPath $tmpFile -NewName $oldName -Force
}

Thursday, July 18, 2019

Minimize your app config file

Summary: How to keep application configuration files (app.config, web.config) nice and clean.
We use configuration files to store application settings that can be modified, so we do not need to recompile the application. Some applications have lots of settings, but many of these settings are not likely to change or may only change when the application is rebuilt. In such a case, here is a nice technique that will allow you to reduce the size of the config file.

Here is the basic idea:
  1. Create a static configuration class (let's call it Config).
  2. In the Config class, implement static methods to get a configuration property value that either gets it from the application's config file (if the setting is defined in the appSettings section) or uses the passed default (you'd need to implement these methods for different data types).
  3. In the Config class, define the static properties that get initialized by calling the methods mentioned above with the hard-coded defaults. To make it easier to remember, the config file's appSettings keys must be named after the Config class properties.
Now, you can remove the settings that are not very likely to change from the config file and if they need to be changed before the application is updated, simply add them back.

Here is the code:

The configuration class is responsible for initialization of the application settings:
using System;
using System.Configuration;

namespace MyApp.Configuration
{
    public static class Config
    {
        public static string OPERATION_LIST = 
            GetValue("OPERATION_LIST", "Create|Read|Update|Delete|Assign|Revoke|Enable|Disable");

        public static string OBJECT_LIST = 
            GetValue("OBJECT_LIST", "User|Group|Role");

        private static string GetValue
        (
            string keyName,
            string defaultValue = null
        )
        {
            string configValue = ConfigurationManager.AppSettings.Get(keyName);

            if (String.IsNullOrEmpty(configValue))
                return defaultValue;

            return configValue;
        }

        private static int GetValue
        (
            string keyName,
            int defaultValue
        )
        {
            string configValue = ConfigurationManager.AppSettings.Get(keyName);

            if (String.IsNullOrEmpty(configValue))
                return defaultValue;

            return Int32.Parse(configValue);
        }

        private static bool GetValue
        (
            string keyName,
            bool defaultValue
        )
        {
            string configValue = ConfigurationManager.AppSettings.Get(keyName);

            if (String.IsNullOrEmpty(configValue))
                return defaultValue;

            return bool.Parse(configValue);
        }

        private static object GetValue
        (
            string keyName,
            Enum defaultValue,
            Type type
        )
        {
            string configValue = ConfigurationManager.AppSettings.Get(keyName);

            if (String.IsNullOrEmpty(configValue))
                return defaultValue;

            return Enum.Parse(type, configValue);
        }
    }
}
Using an application setting is now as easy as referencing the corresponding configuration class property:
// Requires "using System.Linq;" for Select() and ToArray().
string[] operations = Config.OPERATION_LIST.Split('|')
    .Select(op => op.Trim())
    .ToArray();
string[] objects = Config.OBJECT_LIST.Split('|')
    .Select(obj => obj.Trim())
    .ToArray();
Notice that we do not need to define these values in the application config file unless we have to modify them before we release an application update, in which case, simply add them to the appSettings section, using the name of the Config class property as the key (here, for example, to shorten the operation list):
<configuration>
  <appSettings>
    <add key="OPERATION_LIST" value="Create|Read|Update|Delete" />
  </appSettings>
</configuration>
I assume this must be obvious but just in case: NEVER HARD CODE SENSITIVE INFORMATION (PASSWORDS, ENCRYPTION KEYS, ETC) IN THE APPLICATION SOURCE CODE.
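The four GetValue overloads above can be folded into one generic method, and the same class can make the rule in the previous sentence enforceable: a setting that is a secret gets no hard-coded default at all, so a missing value fails at startup instead of silently shipping a password in the source. The following class is an added example, not code from the original post; TypedConfig, the LogLevel enum and the DB_PASSWORD key are hypothetical names, and it targets .NET Framework 4.x (System.Configuration) with C# 6 or later.

```csharp
using System;
using System.Configuration;
using System.Globalization;

namespace MyApp.Configuration
{
    public enum LogLevel { Debug, Info, Warning, Error }

    public static class TypedConfig
    {
        // Settings that rarely change keep hard-coded defaults and stay out of the config file.
        public static readonly int MaxRetries = Get("MaxRetries", 3);
        public static readonly bool AuditEnabled = Get("AuditEnabled", true);
        public static readonly LogLevel Level = Get("Level", LogLevel.Warning);

        // A secret has no default: it must come from outside the source code.
        public static readonly string DbPassword = GetRequiredSecret("DB_PASSWORD");

        // Returns the appSettings value converted to T, or the default when the key is absent.
        public static T Get<T>(string keyName, T defaultValue)
        {
            string raw = ConfigurationManager.AppSettings[keyName];
            if (string.IsNullOrWhiteSpace(raw))
                return defaultValue;

            try
            {
                if (typeof(T).IsEnum)
                    return (T)Enum.Parse(typeof(T), raw.Trim(), ignoreCase: true);

                // Invariant culture: "1.5" must parse the same way on every machine.
                return (T)Convert.ChangeType(raw.Trim(), typeof(T), CultureInfo.InvariantCulture);
            }
            catch (Exception ex) when (ex is FormatException || ex is ArgumentException
                                       || ex is OverflowException || ex is InvalidCastException)
            {
                // Fail loudly: a malformed value falling back to the default would hide a misconfiguration.
                throw new ConfigurationErrorsException(
                    $"Setting '{keyName}' has an invalid value '{raw}' for type {typeof(T).Name}.", ex);
            }
        }

        // Reads a secret from the environment first, then from appSettings; never from a literal in code.
        public static string GetRequiredSecret(string keyName)
        {
            string value = Environment.GetEnvironmentVariable(keyName);
            if (string.IsNullOrEmpty(value))
                value = ConfigurationManager.AppSettings[keyName];

            if (string.IsNullOrEmpty(value))
                throw new ConfigurationErrorsException($"Required secret '{keyName}' is not set.");

            return value;
        }
    }
}
```

Because the fields are initialized by the static constructor, a missing DB_PASSWORD surfaces as a TypeInitializationException on the first access to TypedConfig, with the ConfigurationErrorsException above as its inner exception; that is the intended behaviour, since the application should not start without its secret.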

Okay, I'm done for today.

UPDATE: And here is an even better option: BasicConfiguration.

Wednesday, July 10, 2019

How to get or set a nested class property using C#

Summary: C# methods to set and get nested class property values.
If you need to get or set the value of a nested object property, here are a couple of functions that can help you do it using reflection (.NET 4.7, C#):
using System;
using System.Reflection;

/// <summary>
/// Gets the value of a nested object property.
/// </summary>
/// <param name="source">
/// Object that owns the property.
/// </param>
/// <param name="name">
/// Name of the property (nested members are separated by dots, e.g. "Address.City").
/// </param>
/// <returns>
/// Property value (or null, if the property does not exist).
/// </returns>
/// <remarks>
/// <para>
/// The code assumes that the property exists;
/// if it does not, the code will return null.
/// </para>
/// <para>
/// The property does not need to be nested.
/// </para>
/// <para>
/// The code handles both class properties and fields.
/// </para>
/// </remarks>
public static object GetPropertyValue
(
    object source,
    string name
)
{
    // A missing intermediate object counts as "property does not exist".
    if (source == null || string.IsNullOrEmpty(name))
        return null;

    if (name.Contains("."))
    {
        // Split off the first segment and recurse into the object it refers to.
        var names = name.Split(new char[] { '.' }, 2);

        return GetPropertyValue(GetPropertyValue(source, names[0]), names[1]);
    }
    else
    {
        PropertyInfo prop = source.GetType().GetProperty(name);

        if (prop != null)
            return prop.GetValue(source);

        FieldInfo field = source.GetType().GetField(name);

        if (field == null) return null;

        return field.GetValue(source);
    }
}

/// <summary>
/// Sets the value of a nested object property.
/// </summary>
/// <param name="target">
/// Object that owns the property to be set.
/// </param>
/// <param name="name">
/// Name of the property (nested members are separated by dots).
/// </param>
/// <param name="value">
/// Property value.
/// </param>
/// <remarks>
/// <para>
/// The code assumes that the property exists;
/// if it does not, the code will do nothing.
/// </para>
/// <para>
/// The property does not need to be nested.
/// </para>
/// <para>
/// The code handles both class properties and fields.
/// </para>
/// </remarks>
public static void SetPropertyValue
(
    object target,
    string name,
    object value
)
{
    if (target == null || string.IsNullOrEmpty(name))
        return;

    var names = name.Split('.');

    // Walk down to the object that owns the last segment.
    for (int i = 0; i < names.Length - 1; i++)
    {
        PropertyInfo prop = target.GetType().GetProperty(names[i]);
        if (prop != null)
        {
            target = prop.GetValue(target);
        }
        else
        {
            FieldInfo field = target.GetType().GetField(names[i]);
            if (field == null)
                return;

            target = field.GetValue(target);
        }

        // An intermediate object that is null cannot be descended into.
        if (target == null)
            return;
    }

    string last = names[names.Length - 1];

    PropertyInfo targetProp = target.GetType().GetProperty(last);

    if (targetProp != null)
    {
        if (targetProp.CanWrite)
            targetProp.SetValue(target, value);
        return;
    }

    // Fall back to a public field, as the remarks promise.
    FieldInfo targetField = target.GetType().GetField(last);

    if (targetField != null)
        targetField.SetValue(target, value);
}
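The one caveat worth adding to these helpers is where the dotted name comes from. If it is taken from untrusted input (the classic case is binding the fields of a web request onto a model object), any public property or field reachable from the target becomes writable, including ones such as an IsAdmin flag that the request was never meant to touch; this is the mass-assignment (over-posting) problem. The usual mitigation is an explicit allow-list of bindable paths. The following is an added example, not code from the original post: SafeBinder, the Account and Address model classes and the sample request dictionary are all constructed for illustration, and the reflection calls are the same System.Reflection APIs used above.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

namespace ReflectionExamples
{
    // Sample nested model, constructed for this example.
    public class Address
    {
        public string City { get; set; }
        public string Country;   // a field, to show that fields are handled too
    }

    public class Account
    {
        public string Name { get; set; }
        public bool IsAdmin { get; set; }              // must never be settable from a request
        public Address Home { get; set; } = new Address();
    }

    public static class SafeBinder
    {
        // Only these dotted paths may be written from untrusted input.
        private static readonly HashSet<string> Allowed =
            new HashSet<string>(StringComparer.Ordinal) { "Name", "Home.City", "Home.Country" };

        // Returns true if the value was written, false if the path is not allowed or does not exist.
        public static bool TrySet(object target, string path, object value)
        {
            if (target == null || string.IsNullOrEmpty(path) || !Allowed.Contains(path))
                return false;

            string[] names = path.Split('.');
            for (int i = 0; i < names.Length - 1; i++)
            {
                target = ReadMember(target, names[i]);
                if (target == null)
                    return false;
            }
            return WriteMember(target, names[names.Length - 1], value);
        }

        private static object ReadMember(object obj, string name)
        {
            Type t = obj.GetType();
            PropertyInfo p = t.GetProperty(name, BindingFlags.Public | BindingFlags.Instance);
            if (p != null) return p.GetValue(obj);
            FieldInfo f = t.GetField(name, BindingFlags.Public | BindingFlags.Instance);
            return f != null ? f.GetValue(obj) : null;
        }

        private static bool WriteMember(object obj, string name, object value)
        {
            Type t = obj.GetType();
            PropertyInfo p = t.GetProperty(name, BindingFlags.Public | BindingFlags.Instance);
            if (p != null && p.CanWrite)
            {
                // Convert "true"/"42" from a request into the member's actual type.
                p.SetValue(obj, Convert.ChangeType(value, p.PropertyType));
                return true;
            }
            FieldInfo f = t.GetField(name, BindingFlags.Public | BindingFlags.Instance);
            if (f != null)
            {
                f.SetValue(obj, Convert.ChangeType(value, f.FieldType));
                return true;
            }
            return false;
        }
    }

    public static class Demo
    {
        public static void Main()
        {
            var account = new Account { Name = "alice" };

            // Constructed request fields, as an untrusted client might send them.
            var request = new Dictionary<string, object>
            {
                { "Name", "bob" },
                { "Home.City", "Oslo" },
                { "IsAdmin", "true" }   // rejected: not in the allow-list
            };

            foreach (var kv in request)
            {
                bool ok = SafeBinder.TrySet(account, kv.Key, kv.Value);
                Console.WriteLine($"{kv.Key}: {(ok ? "set" : "rejected")}");
            }
            Console.WriteLine($"IsAdmin = {account.IsAdmin}");
        }
    }
}
```

Restricting to BindingFlags.Public | BindingFlags.Instance is deliberate: the original helpers accept whatever GetProperty returns for the default flags, which is the same set, but stating it explicitly documents that non-public members are never reachable through the binder.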

Friday, November 17, 2017

How to rotate a video without re-encoding

Summary: A few tips on video rotation.
If your phone messes up the rotation metadata flag in a video file, download ffmpeg and run the following command:
ffmpeg -i input.mp4 -c copy -metadata:s:v:0 rotate=0 output.mp4
This should fix the problem without re-encoding the video. If it does not, try setting the rotate switch to a different number, such as 90, 180, or 270. For additional information about video orientation in MP4 and other video files, check the See also section.

See also:
iPhone recorded videos getting rotated on Windows systems
Rotate a MP4 file, while preserving codec and quality attributes
Rotate mp4 videos without re-encoding
Rotating videos with FFmpeg
How to rotate a video 180° with FFmpeg?